[automerger skipped] Add policy for command line tool to control MTE boot state. am: 949e1d0a76 am: 069435505e -s ours
am skip reason: Merged-In I2e84193668dcdf24bde1c7e12b3cfd8a03954a16 with SHA-1 23173455ab is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1956657
Change-Id: I293aafe8554d6221caeabae5ad23a331906423c7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/Android.bp b/Android.bp
index 0590470..467f80e 100644
--- a/Android.bp
+++ b/Android.bp
@@ -44,599 +44,175 @@
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
-se_filegroup {
- name: "26.0.board.compat.map",
- srcs: [
- "compat/26.0/26.0.cil",
- ],
-}
-
-se_filegroup {
- name: "27.0.board.compat.map",
- srcs: [
- "compat/27.0/27.0.cil",
- ],
-}
-
-se_filegroup {
+se_build_files {
name: "28.0.board.compat.map",
srcs: [
"compat/28.0/28.0.cil",
],
}
-se_filegroup {
+se_build_files {
name: "29.0.board.compat.map",
srcs: [
"compat/29.0/29.0.cil",
],
}
-se_filegroup {
+se_build_files {
name: "30.0.board.compat.map",
srcs: [
"compat/30.0/30.0.cil",
],
}
-se_filegroup {
+se_build_files {
name: "31.0.board.compat.map",
srcs: [
"compat/31.0/31.0.cil",
],
}
-se_filegroup {
- name: "26.0.board.compat.cil",
+se_build_files {
+ name: "32.0.board.compat.map",
srcs: [
- "compat/26.0/26.0.compat.cil",
+ "compat/32.0/32.0.cil",
],
}
-se_filegroup {
- name: "27.0.board.compat.cil",
+se_build_files {
+ name: "33.0.board.compat.map",
srcs: [
- "compat/27.0/27.0.compat.cil",
+ "compat/33.0/33.0.cil",
],
}
-se_filegroup {
+se_build_files {
name: "28.0.board.compat.cil",
srcs: [
"compat/28.0/28.0.compat.cil",
],
}
-se_filegroup {
+se_build_files {
name: "29.0.board.compat.cil",
srcs: [
"compat/29.0/29.0.compat.cil",
],
}
-se_filegroup {
+se_build_files {
name: "30.0.board.compat.cil",
srcs: [
"compat/30.0/30.0.compat.cil",
],
}
-se_filegroup {
+se_build_files {
name: "31.0.board.compat.cil",
srcs: [
"compat/31.0/31.0.compat.cil",
],
}
-se_filegroup {
- name: "26.0.board.ignore.map",
+se_build_files {
+ name: "32.0.board.compat.cil",
srcs: [
- "compat/26.0/26.0.ignore.cil",
+ "compat/32.0/32.0.compat.cil",
],
}
-se_filegroup {
- name: "27.0.board.ignore.map",
+se_build_files {
+ name: "33.0.board.compat.cil",
srcs: [
- "compat/27.0/27.0.ignore.cil",
+ "compat/33.0/33.0.compat.cil",
],
}
-se_filegroup {
+se_build_files {
name: "28.0.board.ignore.map",
srcs: [
"compat/28.0/28.0.ignore.cil",
],
}
-se_filegroup {
+se_build_files {
name: "29.0.board.ignore.map",
srcs: [
"compat/29.0/29.0.ignore.cil",
],
}
-se_filegroup {
+se_build_files {
name: "30.0.board.ignore.map",
srcs: [
"compat/30.0/30.0.ignore.cil",
],
}
-se_filegroup {
+se_build_files {
name: "31.0.board.ignore.map",
srcs: [
"compat/31.0/31.0.ignore.cil",
],
}
-se_cil_compat_map {
- name: "plat_26.0.cil",
- stem: "26.0.cil",
- bottom_half: [":26.0.board.compat.map"],
- top_half: "plat_27.0.cil",
+se_build_files {
+ name: "32.0.board.ignore.map",
+ srcs: [
+ "compat/32.0/32.0.ignore.cil",
+ ],
}
-se_cil_compat_map {
- name: "plat_27.0.cil",
- stem: "27.0.cil",
- bottom_half: [":27.0.board.compat.map"],
- top_half: "plat_28.0.cil",
+se_build_files {
+ name: "33.0.board.ignore.map",
+ srcs: [
+ "compat/33.0/33.0.ignore.cil",
+ ],
}
-se_cil_compat_map {
- name: "plat_28.0.cil",
- stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
- top_half: "plat_29.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_29.0.cil",
- stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
- top_half: "plat_30.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- top_half: "plat_31.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_31.0.cil",
- stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
- // top_half: "plat_32.0.cil",
-}
-
-se_cil_compat_map {
- name: "system_ext_26.0.cil",
- stem: "26.0.cil",
- bottom_half: [":26.0.board.compat.map"],
- top_half: "system_ext_27.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_27.0.cil",
- stem: "27.0.cil",
- bottom_half: [":27.0.board.compat.map"],
- top_half: "system_ext_28.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_28.0.cil",
- stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
- top_half: "system_ext_29.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_29.0.cil",
- stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
- top_half: "system_ext_30.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- top_half: "system_ext_31.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_31.0.cil",
- stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
- // top_half: "system_ext_32.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_26.0.cil",
- stem: "26.0.cil",
- bottom_half: [":26.0.board.compat.map"],
- top_half: "product_27.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_27.0.cil",
- stem: "27.0.cil",
- bottom_half: [":27.0.board.compat.map"],
- top_half: "product_28.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_28.0.cil",
- stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
- top_half: "product_29.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_29.0.cil",
- stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
- top_half: "product_30.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- top_half: "product_31.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_31.0.cil",
- stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
- // top_half: "product_32.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "26.0.ignore.cil",
- bottom_half: [":26.0.board.ignore.map"],
- top_half: "27.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "27.0.ignore.cil",
- bottom_half: [":27.0.board.ignore.map"],
- top_half: "28.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "28.0.ignore.cil",
- bottom_half: [":28.0.board.ignore.map"],
- top_half: "29.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "29.0.ignore.cil",
- bottom_half: [":29.0.board.ignore.map"],
- top_half: "30.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- top_half: "31.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
- // top_half: "32.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "system_ext_30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- top_half: "system_ext_31.0.ignore.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
- // top_half: "system_ext_32.0.ignore.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- top_half: "product_31.0.ignore.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
- // top_half: "product_32.0.ignore.cil",
- product_specific: true,
-}
-
-se_compat_cil {
- name: "26.0.compat.cil",
- srcs: [":26.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "27.0.compat.cil",
- srcs: [":27.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "28.0.compat.cil",
- srcs: [":28.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "29.0.compat.cil",
- srcs: [":29.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "30.0.compat.cil",
- srcs: [":30.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "31.0.compat.cil",
- srcs: [":31.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "system_ext_26.0.compat.cil",
- srcs: [":26.0.board.compat.cil"],
- stem: "26.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_27.0.compat.cil",
- srcs: [":27.0.board.compat.cil"],
- stem: "27.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_28.0.compat.cil",
- srcs: [":28.0.board.compat.cil"],
- stem: "28.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_29.0.compat.cil",
- srcs: [":29.0.board.compat.cil"],
- stem: "29.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_30.0.compat.cil",
- srcs: [":30.0.board.compat.cil"],
- stem: "30.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_31.0.compat.cil",
- srcs: [":31.0.board.compat.cil"],
- stem: "31.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_filegroup {
+se_build_files {
name: "file_contexts_files",
srcs: ["file_contexts"],
}
-se_filegroup {
+se_build_files {
name: "file_contexts_asan_files",
srcs: ["file_contexts_asan"],
}
-se_filegroup {
+se_build_files {
name: "file_contexts_overlayfs_files",
srcs: ["file_contexts_overlayfs"],
}
-se_filegroup {
+se_build_files {
name: "hwservice_contexts_files",
srcs: ["hwservice_contexts"],
}
-se_filegroup {
+se_build_files {
name: "property_contexts_files",
srcs: ["property_contexts"],
}
-se_filegroup {
+se_build_files {
name: "service_contexts_files",
srcs: ["service_contexts"],
}
-se_filegroup {
+se_build_files {
name: "keystore2_key_contexts_files",
srcs: ["keystore2_key_contexts"],
}
-file_contexts {
- name: "plat_file_contexts",
- srcs: [":file_contexts_files"],
- product_variables: {
- address_sanitize: {
- srcs: [":file_contexts_asan_files"],
- },
- debuggable: {
- srcs: [":file_contexts_overlayfs_files"],
- },
- },
-
- flatten_apex: {
- srcs: ["apex/*-file_contexts"],
- },
-
- recovery_available: true,
+se_build_files {
+ name: "seapp_contexts_files",
+ srcs: ["seapp_contexts"],
}
-file_contexts {
- name: "vendor_file_contexts",
- srcs: [":file_contexts_files"],
- soc_specific: true,
- recovery_available: true,
-}
-
-file_contexts {
- name: "system_ext_file_contexts",
- srcs: [":file_contexts_files"],
- system_ext_specific: true,
- recovery_available: true,
-}
-
-file_contexts {
- name: "product_file_contexts",
- srcs: [":file_contexts_files"],
- product_specific: true,
- recovery_available: true,
-}
-
-file_contexts {
- name: "odm_file_contexts",
- srcs: [":file_contexts_files"],
- device_specific: true,
- recovery_available: true,
-}
-
-hwservice_contexts {
- name: "plat_hwservice_contexts",
- srcs: [":hwservice_contexts_files"],
-}
-
-hwservice_contexts {
- name: "system_ext_hwservice_contexts",
- srcs: [":hwservice_contexts_files"],
- system_ext_specific: true,
-}
-
-hwservice_contexts {
- name: "product_hwservice_contexts",
- srcs: [":hwservice_contexts_files"],
- product_specific: true,
-}
-
-hwservice_contexts {
- name: "vendor_hwservice_contexts",
- srcs: [":hwservice_contexts_files"],
- reqd_mask: true,
- soc_specific: true,
-}
-
-hwservice_contexts {
- name: "odm_hwservice_contexts",
- srcs: [":hwservice_contexts_files"],
- device_specific: true,
-}
-
-property_contexts {
- name: "plat_property_contexts",
- srcs: [":property_contexts_files"],
- recovery_available: true,
-}
-
-property_contexts {
- name: "system_ext_property_contexts",
- srcs: [":property_contexts_files"],
- system_ext_specific: true,
- recovery_available: true,
-}
-
-property_contexts {
- name: "product_property_contexts",
- srcs: [":property_contexts_files"],
- product_specific: true,
- recovery_available: true,
-}
-
-property_contexts {
- name: "vendor_property_contexts",
- srcs: [":property_contexts_files"],
- reqd_mask: true,
- soc_specific: true,
- recovery_available: true,
-}
-
-property_contexts {
- name: "odm_property_contexts",
- srcs: [":property_contexts_files"],
- device_specific: true,
- recovery_available: true,
-}
-
-service_contexts {
- name: "plat_service_contexts",
- srcs: [":service_contexts_files"],
-}
-
-service_contexts {
- name: "system_ext_service_contexts",
- srcs: [":service_contexts_files"],
- system_ext_specific: true,
-}
-
-service_contexts {
- name: "product_service_contexts",
- srcs: [":service_contexts_files"],
- product_specific: true,
-}
-
-service_contexts {
- name: "vendor_service_contexts",
- srcs: [":service_contexts_files"],
- reqd_mask: true,
- soc_specific: true,
-}
-
-keystore2_key_contexts {
- name: "plat_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
-}
-
-keystore2_key_contexts {
- name: "system_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
- system_ext_specific: true,
-}
-
-keystore2_key_contexts {
- name: "product_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
- product_specific: true,
-}
-
-keystore2_key_contexts {
- name: "vendor_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
- reqd_mask: true,
- soc_specific: true,
+se_build_files {
+ name: "vndservice_contexts_files",
+ srcs: ["vndservice_contexts"],
}
// For vts_treble_sys_prop_test
@@ -675,6 +251,19 @@
],
}
+se_build_files {
+ name: "sepolicy_technical_debt",
+ srcs: ["technical_debt.cil"],
+}
+
+reqd_mask_policy = [":se_build_files{.reqd_mask}"]
+plat_public_policy = [":se_build_files{.plat_public}"]
+plat_private_policy = [":se_build_files{.plat_private}"]
+system_ext_public_policy = [":se_build_files{.system_ext_public}"]
+system_ext_private_policy = [":se_build_files{.system_ext_private}"]
+product_public_policy = [":se_build_files{.product_public}"]
+product_private_policy = [":se_build_files{.product_private}"]
+
// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
@@ -685,7 +274,7 @@
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
name: "reqd_policy_mask.conf",
- srcs: [":se_build_files{.reqd_mask}"],
+ srcs: reqd_mask_policy,
installable: false,
}
@@ -720,7 +309,10 @@
//
se_policy_conf {
name: "pub_policy.conf",
- srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy,
installable: false,
}
@@ -734,7 +326,9 @@
se_policy_conf {
name: "system_ext_pub_policy.conf",
- srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ reqd_mask_policy,
installable: false,
}
@@ -748,7 +342,8 @@
se_policy_conf {
name: "plat_pub_policy.conf",
- srcs: [":se_build_files{.plat_public}"],
+ srcs: plat_public_policy +
+ reqd_mask_policy,
installable: false,
}
@@ -767,20 +362,37 @@
// currently being attributized.
se_policy_conf {
name: "plat_sepolicy.conf",
- srcs: [":se_build_files{.plat}"],
+ srcs: plat_public_policy +
+ plat_private_policy,
installable: false,
}
se_policy_cil {
name: "plat_sepolicy.cil",
src: ":plat_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
+}
+
+
+se_policy_conf {
+ name: "apex_sepolicy-33.conf",
+ srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "apex_sepolicy-33.cil",
+ src: ":apex_sepolicy-33.conf",
+ filter_out: [":plat_sepolicy.cil"],
+ installable: false,
+ stem: "apex_sepolicy.cil",
}
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
- srcs: [":se_build_files{.plat}"],
+ srcs: plat_public_policy +
+ plat_private_policy,
build_variant: "userdebug",
installable: false,
}
@@ -788,7 +400,7 @@
se_policy_cil {
name: "userdebug_plat_sepolicy.cil",
src: ":userdebug_plat_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
debug_ramdisk: true,
dist: {
targets: ["droidcore"],
@@ -813,7 +425,7 @@
name: "system_ext_userdebug_plat_sepolicy.cil",
stem: "userdebug_plat_sepolicy.cil",
src: ":userdebug_plat_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
system_ext_specific: true,
enabled: false,
installable: false,
@@ -829,7 +441,10 @@
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
name: "system_ext_sepolicy.conf",
- srcs: [":se_build_files{.system_ext}"],
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy,
installable: false,
}
@@ -845,7 +460,12 @@
// which will ship with the device. Product policy is not attributized
se_policy_conf {
name: "product_sepolicy.conf",
- srcs: [":se_build_files{.product}"],
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy +
+ product_public_policy +
+ product_private_policy,
installable: false,
}
@@ -888,24 +508,193 @@
product_specific: true,
}
+// vendor/odm sepolicy
+//
+// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
+// policy files of platform (system, system_ext, product) can't be mixed with
+// policy files of vendor (vendor, odm). If it's the case, platform policies and
+// vendor policies are separately built. More specifically,
+//
+// - Platform policy files needed to build vendor policies, such as plat_policy,
+// plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
+// prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
+//
+// - sepolicy_neverallows only checks platform policies, and a new module
+// sepolicy_neverallows_vendor checks vendor policies.
+//
+// - neverallow checks are turned off while compiling precompiled_sepolicy
+// module and sepolicy module.
+//
+// - Vendor policies are not checked on the compat test (compat.mk).
+//
+// In such scenario, we can grab platform policy files from the prebuilts/api
+// directory. But we need more than that: prebuilts of system_ext, product,
+// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
+// variables are introduced to specify such prebuilts.
+//
+// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
+// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
+// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
+// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
+// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
+// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
+//
+// Vendors are responsible for copying policy files from the old version of the
+// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
+// can be used to build vendor policies.
+//
+// To support both mixed build and normal build, platform policy files are
+// indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
+// to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
+// Otherwise, they will be equal to the Makefile variables above.
+
+plat_public_policies_for_vendor = [
+ ":se_build_files{.plat_public_for_vendor}",
+ ":se_build_files{.system_ext_public_for_vendor}",
+ ":se_build_files{.product_public_for_vendor}",
+ ":se_build_files{.reqd_mask_for_vendor}",
+]
+
+plat_policies_for_vendor = [
+ ":se_build_files{.plat_public_for_vendor}",
+ ":se_build_files{.plat_private_for_vendor}",
+ ":se_build_files{.system_ext_public_for_vendor}",
+ ":se_build_files{.system_ext_private_for_vendor}",
+ ":se_build_files{.product_public_for_vendor}",
+ ":se_build_files{.product_private_for_vendor}",
+]
+
+se_policy_conf {
+ name: "plat_policy_for_vendor.conf",
+ srcs: plat_policies_for_vendor,
+ installable: false,
+}
+
+se_policy_cil {
+ name: "plat_policy_for_vendor.cil",
+ src: ":plat_policy_for_vendor.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
+ installable: false,
+}
+
+se_policy_conf {
+ name: "reqd_policy_mask_for_vendor.conf",
+ srcs: [":se_build_files{.reqd_mask_for_vendor}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "reqd_policy_mask_for_vendor.cil",
+ src: ":reqd_policy_mask_for_vendor.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "pub_policy_for_vendor.conf",
+ srcs: plat_public_policies_for_vendor,
+ installable: false,
+}
+
+se_policy_cil {
+ name: "pub_policy_for_vendor.cil",
+ src: ":pub_policy_for_vendor.conf",
+ filter_out: [":reqd_policy_mask_for_vendor.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "plat_mapping_file_for_vendor",
+ base: ":pub_policy_for_vendor.cil",
+ mapping: true,
+ version: "vendor",
+ installable: false,
+}
+
// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
name: "plat_pub_versioned.cil",
- base: ":pub_policy.cil",
- target_policy: ":pub_policy.cil",
- version: "current",
- dependent_cils: [
- ":plat_sepolicy.cil",
- ":system_ext_sepolicy.cil",
- ":product_sepolicy.cil",
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
+ base: ":pub_policy_for_vendor.cil",
+ target_policy: ":pub_policy_for_vendor.cil",
+ version: "vendor",
vendor: true,
}
+// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
+// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+// policy and the platform public policy files in order to use checkpolicy.
+se_policy_conf {
+ name: "vendor_sepolicy.conf",
+ srcs: plat_public_policies_for_vendor + [
+ ":se_build_files{.plat_vendor_for_vendor}",
+ ":se_build_files{.vendor}",
+ ],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "vendor_sepolicy.cil.raw",
+ src: ":vendor_sepolicy.conf",
+ filter_out: [":reqd_policy_mask_for_vendor.cil"],
+ secilc_check: false, // will be done in se_versioned_policy module
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "vendor_sepolicy.cil",
+ base: ":pub_policy_for_vendor.cil",
+ target_policy: ":vendor_sepolicy.cil.raw",
+ version: "vendor",
+ dependent_cils: [
+ ":plat_policy_for_vendor.cil",
+ ":plat_pub_versioned.cil",
+ ":plat_mapping_file_for_vendor",
+ ],
+ filter_out: [":plat_pub_versioned.cil"],
+ vendor: true,
+}
+
+// odm_policy.cil - the odl sepolicy. This needs attributization and to be combined
+// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+// policy and the platform public policy files in order to use checkpolicy.
+se_policy_conf {
+ name: "odm_sepolicy.conf",
+ srcs: plat_public_policies_for_vendor + [
+ ":se_build_files{.plat_vendor_for_vendor}",
+ ":se_build_files{.vendor}",
+ ":se_build_files{.odm}",
+ ],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "odm_sepolicy.cil.raw",
+ src: ":odm_sepolicy.conf",
+ filter_out: [
+ ":reqd_policy_mask_for_vendor.cil",
+ ":vendor_sepolicy.cil",
+ ],
+ secilc_check: false, // will be done in se_versioned_policy module
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "odm_sepolicy.cil",
+ base: ":pub_policy_for_vendor.cil",
+ target_policy: ":odm_sepolicy.cil.raw",
+ version: "vendor",
+ dependent_cils: [
+ ":plat_policy_for_vendor.cil",
+ ":plat_pub_versioned.cil",
+ ":plat_mapping_file_for_vendor",
+ ":vendor_sepolicy.cil",
+ ],
+ filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
+ device_specific: true,
+}
+
//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
@@ -916,6 +705,9 @@
// AND
// - product_sepolicy_and_mapping.sha256 equals
// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+// AND
+// - apex_sepolicy.sha256 equals
+// precompiled_sepolicy.apex_sepolicy.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
genrule {
@@ -933,6 +725,20 @@
}
genrule {
+ name: "apex_sepolicy.sha256_gen",
+ srcs: [":apex_sepolicy-33.cil"],
+ out: ["apex_sepolicy.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "apex_sepolicy.sha256",
+ filename: "apex_sepolicy.sha256",
+ src: ":apex_sepolicy.sha256_gen",
+ installable: false,
+}
+
+genrule {
name: "system_ext_sepolicy_and_mapping.sha256_gen",
srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
out: ["system_ext_sepolicy_and_mapping.sha256"],
@@ -969,15 +775,15 @@
}
soong_config_module_type {
- name: "precompiled_sepolicy_defaults",
+ name: "precompiled_sepolicy_prebuilts_defaults",
module_type: "prebuilt_defaults",
config_namespace: "ANDROID",
bool_variables: ["BOARD_USES_ODMIMAGE"],
properties: ["vendor", "device_specific"],
}
-precompiled_sepolicy_defaults {
- name: "precompiled_sepolicy",
+precompiled_sepolicy_prebuilts_defaults {
+ name: "precompiled_sepolicy_prebuilts",
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
device_specific: true,
@@ -993,7 +799,7 @@
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
- defaults: ["precompiled_sepolicy"],
+ defaults: ["precompiled_sepolicy_prebuilts"],
name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
src: ":plat_sepolicy_and_mapping.sha256_gen",
@@ -1001,11 +807,23 @@
}
//////////////////////////////////
+// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
+// was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy_prebuilts"],
+ name: "precompiled_sepolicy.apex_sepolicy.sha256",
+ filename: "precompiled_sepolicy.apex_sepolicy.sha256",
+ src: ":apex_sepolicy.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
- defaults: ["precompiled_sepolicy"],
+ defaults: ["precompiled_sepolicy_prebuilts"],
name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
src: ":system_ext_sepolicy_and_mapping.sha256_gen",
@@ -1017,13 +835,92 @@
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
- defaults: ["precompiled_sepolicy"],
+ defaults: ["precompiled_sepolicy_prebuilts"],
name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
src: ":product_sepolicy_and_mapping.sha256_gen",
relative_install_path: "selinux",
}
+soong_config_module_type {
+ name: "precompiled_se_policy_binary",
+ module_type: "se_policy_binary",
+ config_namespace: "ANDROID",
+ bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
+ value_variables: ["MIXED_SEPOLICY_VERSION"],
+ properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
+}
+
+precompiled_se_policy_binary {
+ name: "precompiled_sepolicy",
+ srcs: [
+ ":plat_sepolicy.cil",
+ ":apex_sepolicy-33.cil",
+ ":plat_pub_versioned.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ ],
+ soong_config_variables: {
+ BOARD_USES_ODMIMAGE: {
+ device_specific: true,
+ conditions_default: {
+ vendor: true,
+ },
+ },
+ IS_TARGET_MIXED_SEPOLICY: {
+ ignore_neverallow: true,
+ },
+ MIXED_SEPOLICY_VERSION: {
+ srcs: [
+ ":plat_%s.cil",
+ ":system_ext_%s.cil",
+ ":product_%s.cil",
+ ],
+ conditions_default: {
+ srcs: [
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ },
+ },
+ },
+ required: [
+ "sepolicy_neverallows",
+ "sepolicy_neverallows_vendor",
+ ],
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+
+// policy for recovery
+se_policy_conf {
+ name: "recovery_sepolicy.conf",
+ srcs: plat_policies_for_vendor + [
+ ":se_build_files{.plat_vendor_for_vendor}",
+ ":se_build_files{.vendor}",
+ ":se_build_files{.odm}",
+ ],
+ target_recovery: true,
+ installable: false,
+}
+
+se_policy_cil {
+ name: "recovery_sepolicy.cil",
+ src: ":recovery_sepolicy.conf",
+ secilc_check: false, // will be done in se_policy_binary module
+ installable: false,
+}
+
+se_policy_binary {
+ name: "sepolicy.recovery",
+ srcs: [":recovery_sepolicy.cil"],
+ stem: "sepolicy",
+ recovery: true,
+}
//////////////////////////////////
// SELinux policy embedded into CTS.
@@ -1031,68 +928,230 @@
//////////////////////////////////
se_policy_conf {
name: "general_sepolicy.conf",
- srcs: [":se_build_files{.plat}"],
+ srcs: plat_public_policy +
+ plat_private_policy,
build_variant: "user",
cts: true,
exclude_build_test: true,
}
//////////////////////////////////
-// modules for microdroid
+// Base system policy for treble sepolicy tests.
+// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
+// with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
+// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
+// See treble_sepolicy_tests_for_release.mk for more details.
//////////////////////////////////
-
-// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
-// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
-// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
-// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
-// host's files.
-se_versioned_policy {
- name: "microdroid_plat_pub_versioned.cil",
- stem: "plat_pub_versioned.cil",
- base: ":plat_pub_policy.cil",
- target_policy: ":plat_pub_policy.cil",
- version: "current",
- dependent_cils: [
- ":plat_sepolicy.cil",
- ":plat_mapping_file",
- ],
- installable: false,
-}
-
-// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
-// contains system/sepolicy/public and system/sepolicy/vendor.
se_policy_conf {
- name: "microdroid_vendor_sepolicy.conf",
- srcs: [":se_build_files{.plat_vendor}"],
+ name: "base_plat_sepolicy.conf",
+ srcs: plat_public_policy +
+ plat_private_policy,
+ build_variant: "user",
installable: false,
}
se_policy_cil {
- name: "microdroid_vendor_sepolicy.cil.raw",
- src: ":microdroid_vendor_sepolicy.conf",
+ name: "base_plat_sepolicy.cil",
+ src: ":base_plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ installable: false,
+ secilc_check: false, // done by se_policy_binary
+}
+
+se_policy_binary {
+ name: "base_plat_sepolicy",
+ srcs: [":base_plat_sepolicy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+
+se_policy_conf {
+ name: "base_system_ext_sepolicy.conf",
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy,
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_system_ext_sepolicy.cil",
+ src: ":base_system_ext_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ system_ext_specific: true,
+ installable: false,
+ secilc_check: false, // done by se_policy_binary
+}
+
+se_policy_binary {
+ name: "base_system_ext_sepolicy",
+ srcs: [":base_system_ext_sepolicy.cil"],
+ system_ext_specific: true,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_product_sepolicy.conf",
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy +
+ product_public_policy +
+ product_private_policy,
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_product_sepolicy.cil",
+ src: ":base_product_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ product_specific: true,
+ installable: false,
+ secilc_check: false, // done by se_policy_binary
+}
+
+se_policy_binary {
+ name: "base_product_sepolicy",
+ srcs: [":base_product_sepolicy.cil"],
+ product_specific: true,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_plat_pub_policy.conf",
+ srcs: plat_public_policy +
+ reqd_mask_policy,
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_plat_pub_policy.cil",
+ src: ":base_plat_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false, // will be done in se_versioned_policy module
+ secilc_check: false,
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+
+se_policy_conf {
+ name: "base_system_ext_pub_policy.conf",
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ reqd_mask_policy,
+ build_variant: "user",
installable: false,
}
-se_versioned_policy {
- name: "microdroid_vendor_sepolicy.cil",
- stem: "vendor_sepolicy.cil",
- base: ":plat_pub_policy.cil",
- target_policy: ":microdroid_vendor_sepolicy.cil.raw",
- version: "current", // microdroid is bundled to system
- dependent_cils: [
- ":plat_sepolicy.cil",
- ":microdroid_plat_pub_versioned.cil",
- ":plat_mapping_file",
+se_policy_cil {
+ name: "base_system_ext_pub_policy.cil",
+ src: ":base_system_ext_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_product_pub_policy.conf",
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy,
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_product_pub_policy.cil",
+ src: ":base_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+// bug_map - Bug tracking information for selinux denials loaded by auditd.
+se_build_files {
+ name: "bug_map_files",
+ srcs: ["bug_map"],
+}
+
+se_bug_map {
+ name: "plat_bug_map",
+ srcs: [":bug_map_files{.plat_private}"],
+ stem: "bug_map",
+}
+
+se_bug_map {
+ name: "system_ext_bug_map",
+ srcs: [":bug_map_files{.system_ext_private}"],
+ stem: "bug_map",
+ system_ext_specific: true,
+}
+
+se_bug_map {
+ name: "vendor_bug_map",
+ srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor_for_vendor}"],
+ // Legacy file name of the vendor partition bug_map.
+ stem: "selinux_denial_metadata",
+ vendor: true,
+}
+
+se_neverallow_test {
+ name: "sepolicy_neverallows",
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy +
+ product_public_policy +
+ product_private_policy,
+}
+
+se_neverallow_test {
+ name: "sepolicy_neverallows_vendor",
+ srcs: plat_policies_for_vendor + [
+ ":se_build_files{.plat_vendor_for_vendor}",
+ ":se_build_files{.vendor}",
+ ":se_build_files{.odm}",
],
- filter_out: [":microdroid_plat_pub_versioned.cil"],
- installable: false,
}
-sepolicy_vers {
- name: "microdroid_plat_sepolicy_vers.txt",
- version: "platform",
- stem: "plat_sepolicy_vers.txt",
- installable: false,
+//////////////////////////////////
+// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
+// Additional directories can be specified via Makefile variables:
+// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
+//////////////////////////////////
+se_freeze_test {
+ name: "sepolicy_freeze_test",
+}
+
+//////////////////////////////////
+// sepolicy_test checks various types of violations, which can't be easily done
+// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
+//////////////////////////////////
+genrule {
+ name: "sepolicy_test",
+ srcs: [
+ ":plat_file_contexts",
+ ":vendor_file_contexts",
+ ":system_ext_file_contexts",
+ ":product_file_contexts",
+ ":odm_file_contexts",
+ ":precompiled_sepolicy",
+ ],
+ tools: ["sepolicy_tests"],
+ out: ["sepolicy_test"],
+ cmd: "$(location sepolicy_tests) " +
+ "-f $(location :plat_file_contexts) " +
+ "-f $(location :vendor_file_contexts) " +
+ "-f $(location :system_ext_file_contexts) " +
+ "-f $(location :product_file_contexts) " +
+ "-f $(location :odm_file_contexts) " +
+ "-p $(location :precompiled_sepolicy) && " +
+ "touch $(out)",
}
diff --git a/Android.mk b/Android.mk
index 4f595f5..c98de45 100644
--- a/Android.mk
+++ b/Android.mk
@@ -67,10 +67,6 @@
PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
-# Extra sepolicy and prebuilts directories for sepolicy_freeze_test
-FREEZE_TEST_EXTRA_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_DIRS)
-FREEZE_TEST_EXTRA_PREBUILT_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS)
-
ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
HAS_SYSTEM_EXT_SEPOLICY_DIR := true
endif
@@ -85,55 +81,6 @@
HAS_PRODUCT_SEPOLICY_DIR := true
endif
-# TODO: move to README when doing the README update and finalizing versioning.
-# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy
-# version identifier corresponding to the sepolicy on which the non-platform
-# policy is to be based. If unspecified, this will build against the current
-# public platform policy in tree
-ifndef BOARD_SEPOLICY_VERS
-# The default platform policy version.
-BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
-endif
-
-# If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
-# policy files of platform (system, system_ext, product) can't be mixed with
-# policy files of vendor (vendor, odm). If it's the case, platform policies and
-# vendor policies are separately built. More specifically,
-#
-# - Platform policy files needed to build vendor policies, such as plat_policy,
-# plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
-# prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
-#
-# - sepolicy_neverallows only checks platform policies, and a new module
-# sepolicy_neverallows_vendor checks vendor policies.
-#
-# - neverallow checks are turned off while compiling precompiled_sepolicy module
-# and sepolicy module.
-#
-# - Vendor policies are not checked on the compat test (compat.mk).
-#
-# In such scenario, we can grab platform policy files from the prebuilts/api
-# directory. But we need more than that: prebuilts of system_ext, product,
-# system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following variables
-# are introduced to specify such prebuilts.
-#
-# - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
-# - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
-# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
-# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
-# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
-# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
-#
-# Vendors are responsible for copying policy files from the old version of the
-# source tree as prebuilts, and for setting BOARD_*_POLICY variables so they can
-# be used to build vendor policies. See prebuilt_policy.mk for more details.
-#
-# To support both mixed build and normal build, platform policy files are
-# indirectly referred by {partition}_{public|private}_policy_$(ver) variables
-# when building vendor policies. See vendor_sepolicy.cil and odm_sepolicy.cil
-# for more details.
-#
-# sepolicy.recovery is also compiled from vendor and plat prebuilt policies.
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
mixed_sepolicy_build := true
else
@@ -187,12 +134,12 @@
###########################################################
define build_policy
-$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
+$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
endef
# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
# $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
@@ -385,6 +332,7 @@
plat_service_contexts_test \
plat_hwservice_contexts \
plat_hwservice_contexts_test \
+ plat_bug_map \
searchpolicy \
# This conditional inclusion closely mimics the conditional logic
@@ -393,15 +341,18 @@
# The following files are only allowed for non-Treble devices.
LOCAL_REQUIRED_MODULES += \
sepolicy \
- vendor_service_contexts \
endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
- sepolicy_tests \
- $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+ sepolicy_compat_test \
+
+# HACK: sepolicy_test is implemented as genrule
+# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
+# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
+LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \
@@ -413,13 +364,7 @@
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
- sepolicy_freeze_test \
-
-else
-ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
-$(error SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS\
-cannot be set before system/sepolicy freezes.)
-endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
+ sepolicy_freeze_test
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
@@ -465,6 +410,7 @@
system_ext_service_contexts \
system_ext_service_contexts_test \
system_ext_mac_permissions.xml \
+ system_ext_bug_map \
$(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
endif
@@ -539,6 +485,7 @@
LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
endif
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -557,9 +504,12 @@
vendor_property_contexts_test \
vendor_seapp_contexts \
vendor_service_contexts \
+ vendor_service_contexts_test \
vendor_hwservice_contexts \
vendor_hwservice_contexts_test \
+ vendor_bug_map \
vndservice_contexts \
+ vndservice_contexts_test \
ifdef BOARD_ODM_SEPOLICY_DIRS
LOCAL_REQUIRED_MODULES += \
@@ -577,435 +527,35 @@
LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
LOCAL_REQUIRED_MODULES += selinux_policy_product
-LOCAL_REQUIRED_MODULES += \
- selinux_denial_metadata \
-
# Builds an addtional userdebug sepolicy into the debug ramdisk.
LOCAL_REQUIRED_MODULES += \
userdebug_plat_sepolicy.cil \
include $(BUILD_PHONY_PACKAGE)
-#################################
-
-ifeq ($(mixed_sepolicy_build),true)
-include $(LOCAL_PATH)/prebuilt_policy.mk
-else
-reqd_policy_$(PLATFORM_SEPOLICY_VERSION) := $(REQD_MASK_POLICY)
-plat_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/public
-plat_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/private
-system_ext_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PUBLIC_POLICY)
-system_ext_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PRIVATE_POLICY)
-product_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PUBLIC_POLICY)
-product_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PRIVATE_POLICY)
-endif
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy_neverallows
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# sepolicy_policy.conf - All of the policy for the device. This is only used to
-# check neverallow rules.
-# In a mixed build target, vendor policies are checked separately, on the module
-# sepolicy_neverallows_vendor.
-
-all_plat_policy := $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)
-ifeq ($(mixed_sepolicy_build),true)
-policy_files := $(call build_policy, $(sepolicy_build_files), $(all_plat_policy))
-else
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(all_plat_policy) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-endif
-
-sepolicy_policy.conf := $(intermediates)/policy.conf
-$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
-# check neverallow rules using sepolicy-analyze, similar to CTS.
-sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
-$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy_2.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
- $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
-ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
- $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
- ( echo "" 1>&2; \
- echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
- echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
- echo "the policy." 1>&2; \
- exit 1 )
-endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) touch $@.tmp
- $(hide) mv $@.tmp $@
-
-sepolicy_policy.conf :=
-sepolicy_policy_2.conf :=
-built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
-
-#################################
-# sepolicy_neverallows_vendor: neverallow check module for vendors in a mixed build target
-ifeq ($(mixed_sepolicy_build),true)
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy_neverallows_vendor
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Check neverallow with prebuilt policy files
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-
-# sepolicy_policy.conf - All of the policy for the device. This is only used to
-# check neverallow rules.
-sepolicy_policy.conf := $(intermediates)/policy_vendor.conf
-$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
-# check neverallow rules using sepolicy-analyze, similar to CTS.
-sepolicy_policy_2.conf := $(intermediates)/policy_vendor_2.conf
-$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy_2.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
- $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
-ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
- $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
- ( echo "" 1>&2; \
- echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
- echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
- echo "the policy." 1>&2; \
- exit 1 )
-endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) touch $@.tmp
- $(hide) mv $@.tmp $@
-
-sepolicy_policy.conf :=
-sepolicy_policy_2.conf :=
-built_sepolicy_neverallows += $(LOCAL_BUILT_MODULE)
-
-endif # ifeq ($(mixed_sepolicy_build),true)
-
##################################
-# plat policy files are now built with Android.bp. Grab them from intermediate.
-# See Android.bp for details of plat policy files.
+# Policy files are now built with Android.bp. Grab them from intermediate.
+# See Android.bp for details of policy files.
#
-reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
-reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
-
-pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
-pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
-
-system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
-system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
-
-plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
-plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
-
built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
-built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
-built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
-built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
-built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
ifdef HAS_PRODUCT_SEPOLICY
built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
-built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
-built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
endif # ifdef HAS_PRODUCT_SEPOLICY
-built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
-built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
-
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
+built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
+built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
+built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
#################################
+# sepolicy is also built with Android.bp.
+# This module is to keep compatibility with monolithic sepolicy devices.
include $(CLEAR_VARS)
-# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
-# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
-# policy and the platform public policy files in order to use checkpolicy.
-LOCAL_MODULE := vendor_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
-vendor_policy.conf := $(intermediates)/vendor_policy.conf
-$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(vendor_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
-$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS))
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(vendor_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
- $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
- -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
- -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \
- -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
-
-built_vendor_cil := $(LOCAL_BUILT_MODULE)
-vendor_policy.conf :=
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
-# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
-# policy and the platform public policy files in order to use checkpolicy.
-LOCAL_MODULE := odm_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-odm_policy.conf := $(intermediates)/odm_policy.conf
-$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(odm_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_vendor_cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_vendor_cil)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(odm_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
- $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_vendor_cil)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
- -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
- -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \
- -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
-
-built_odm_cil := $(LOCAL_BUILT_MODULE)
-odm_policy.conf :=
-odm_policy_raw :=
-endif
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := precompiled_sepolicy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_cil_files := \
- $(built_plat_cil) \
- $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_vendor_cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += $(built_system_ext_cil)
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_cil_files += $(built_odm_cil)
-endif
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-# Neverallow checks are skipped in a mixed build target.
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
- $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
-
-built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
-all_cil_files :=
-
-#################################
-# Precompiled sepolicy is loaded if and only if:
-# - plat_sepolicy_and_mapping.sha256 equals
-# precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
-# AND
-# - system_ext_sepolicy_and_mapping.sha256 equals
-# precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
-# AND
-# - product_sepolicy_and_mapping.sha256 equals
-# precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-# See system/core/init/selinux.cpp for details.
-#################################
-
-#################################
-include $(CLEAR_VARS)
-# build this target so that we can still perform neverallow checks
-
LOCAL_MODULE := sepolicy
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
@@ -1016,111 +566,8 @@
include $(BUILD_SYSTEM)/base_rules.mk
-all_cil_files := \
- $(built_plat_cil) \
- $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_vendor_cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += $(built_system_ext_cil)
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_cil_files += $(built_odm_cil)
-endif
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-# Neverallow checks are skipped in a mixed build target.
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
- $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
- echo "==========" 1>&2; \
- echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
- echo "List of invalid domains:" 1>&2; \
- cat $@.permissivedomains 1>&2; \
- exit 1; \
- fi
- $(hide) mv $@.tmp $@
-
-built_sepolicy := $(LOCAL_BUILT_MODULE)
-all_cil_files :=
-
-#################################
-include $(CLEAR_VARS)
-
-# keep concrete sepolicy for neverallow checks
-# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling.
-
-LOCAL_MODULE := sepolicy.recovery
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := sepolicy
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# We use vendor version's policy files because recovery partition is vendor-owned.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
-$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
-$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy.recovery.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow
- $(hide) mv $@.neverallow $@
-endif
-
-$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
- $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
- echo "==========" 1>&2; \
- echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
- echo "List of invalid domains:" 1>&2; \
- cat $@.permissivedomains 1>&2; \
- exit 1; \
- fi
- $(hide) mv $@.tmp $@
-
-sepolicy.recovery.conf :=
+$(LOCAL_BUILT_MODULE): $(built_sepolicy)
+ $(copy-file-to-target)
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
@@ -1222,76 +669,8 @@
file_contexts.modules.tmp :=
##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_denial_metadata
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
-
-$(LOCAL_BUILT_MODULE) : $(bug_files)
- @mkdir -p $(dir $@)
- cat $^ > $@
-
-bug_files :=
-
-##################################
-include $(LOCAL_PATH)/seapp_contexts.mk
-
-##################################
-include $(LOCAL_PATH)/contexts_tests.mk
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vndservice_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-
-vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
-$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
-$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
- @mkdir -p $(dir $@)
- sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
-
-vnd_svcfiles :=
-vndservice_contexts.tmp :=
-
-##################################
include $(LOCAL_PATH)/mac_permissions.mk
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy_tests
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@@ -1305,291 +684,35 @@
endif
all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
- $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
- $(hide) touch $@
-
##################################
-intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,)
-
-# plat_sepolicy - the current platform policy only, built into a policy binary.
-# TODO - this currently excludes partner extensions, but support should be added
-# to enable partners to add their own compatibility mapping
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
-$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-built_plat_sepolicy := $(intermediates)/built_plat_sepolicy
-$(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf
-$(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_plat_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil
-$(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf)
-$(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-
-#####################################################
-intermediates := $(call intermediates-dir-for,ETC,built_system_ext_sepolicy,,,,)
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
-base_system_ext_policy.conf := $(intermediates)/base_system_ext_policy.conf
-$(base_system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_system_ext_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-built_system_ext_sepolicy := $(intermediates)/built_system_ext_sepolicy
-$(built_system_ext_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(built_system_ext_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_system_ext_sepolicy): $(base_system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-base_system_ext_pub_policy.conf := $(intermediates)/base_system_ext_pub_policy.conf
-$(base_system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_system_ext_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-base_system_ext_pub_policy.cil := $(intermediates)/base_system_ext_pub_policy.cil
-$(base_system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(base_system_ext_pub_policy.conf)
-$(base_system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-
-################################################################################
-intermediates := $(call intermediates-dir-for,ETC,built_product_sepolicy,,,,)
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
-base_product_policy.conf := $(intermediates)/base_product_policy.conf
-$(base_product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_product_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_product_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-built_product_sepolicy := $(intermediates)/built_product_sepolicy
-$(built_product_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(built_product_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_product_sepolicy): $(base_product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-base_product_pub_policy.conf := $(intermediates)/base_product_pub_policy.conf
-$(base_product_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_product_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_product_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_product_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_product_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_product_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_product_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_product_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_product_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_product_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_product_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-base_product_pub_policy.cil := $(intermediates)/base_product_pub_policy.cil
-$(base_product_pub_policy.cil): PRIVATE_POL_CONF := $(base_product_pub_policy.conf)
-$(base_product_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_product_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_product_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
-version_under_treble_tests := 26.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 27.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 28.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 29.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 30.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 31.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
+
+built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
+built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
+built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy
+
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
+base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+
+$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
+ $(eval version_under_treble_tests := $(v)) \
+ $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
+)
endif # PRODUCT_SEPOLICY_SPLIT
-version_under_treble_tests := 26.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 27.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 28.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 29.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 30.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 31.0
-include $(LOCAL_PATH)/compat.mk
-
-base_plat_policy.conf :=
-base_plat_pub_policy.conf :=
-plat_sepolicy :=
+built_plat_sepolicy :=
+built_system_ext_sepolicy :=
+built_product_sepolicy :=
+base_plat_pub_policy.cil :=
+base_system_ext_pub_polcy.cil :=
+base_product_pub_policy.cil :=
all_fc_files :=
all_fc_args :=
#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy_freeze_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-define ziplist
-$(if $(and $1,$2), "$(firstword $1) $(firstword $2)"\
- $(call ziplist,$(wordlist 2,$(words $1),$1),$(wordlist 2,$(words $2),$2)))
-endef
-
-base_plat_public := $(LOCAL_PATH)/public
-base_plat_private := $(LOCAL_PATH)/private
-base_plat_public_prebuilt := \
- $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public
-base_plat_private_prebuilt := \
- $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private
-
-all_frozen_files := $(call build_policy,$(sepolicy_build_files), \
-$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
-$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA := $(sort $(FREEZE_TEST_EXTRA_DIRS))
-$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_PREBUILT := $(sort $(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
-$(LOCAL_BUILT_MODULE): $(all_frozen_files)
-ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
- @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
- @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
-ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
- @for pair in $(call ziplist, $(PRIVATE_EXTRA_PREBUILT), $(PRIVATE_EXTRA)); \
- do diff -rq -x bug_map $$pair; done
-endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
-endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
- $(hide) touch $@
-
-base_plat_public :=
-base_plat_private :=
-base_plat_public_prebuilt :=
-base_plat_private_prebuilt :=
-all_frozen_files :=
-
-#################################
build_vendor_policy :=
@@ -1598,27 +721,14 @@
built_plat_cil :=
built_system_ext_cil :=
built_product_cil :=
-built_pub_vers_cil :=
-built_plat_mapping_cil :=
-built_system_ext_mapping_cil :=
-built_product_mapping_cil :=
-built_vendor_cil :=
-built_odm_cil :=
-built_precompiled_sepolicy :=
built_sepolicy :=
built_sepolicy_neverallows :=
built_plat_svc :=
built_vendor_svc :=
-built_plat_sepolicy :=
treble_sysprop_neverallow :=
enforce_sysprop_owner :=
enforce_debugfs_restriction :=
-mapping_policy :=
my_target_arch :=
-pub_policy.cil :=
-system_ext_pub_policy.cil :=
-plat_pub_policy.cil :=
-reqd_policy_mask.cil :=
sepolicy_build_files :=
sepolicy_build_cil_workaround_files :=
with_asan :=
diff --git a/METADATA b/METADATA
index cdcfa70..5a356a4 100644
--- a/METADATA
+++ b/METADATA
@@ -1,6 +1,4 @@
third_party {
- # would be UNENCUMBERED save for
- # tests/combine_maps.py
- # build/soong/
+ license_note: "would be UNENCUMBERED save for: tests/combine_maps.py and build/soong/"
license_type: NOTICE
}
diff --git a/OWNERS b/OWNERS
index 866b7b6..61eecb2 100644
--- a/OWNERS
+++ b/OWNERS
@@ -5,7 +5,7 @@
inseob@google.com
jbires@google.com
jeffv@google.com
-jgalenson@google.com
jiyong@google.com
smoreland@google.com
trong@google.com
+tweek@google.com
diff --git a/README b/README
deleted file mode 100644
index f14ac67..0000000
--- a/README
+++ /dev/null
@@ -1,114 +0,0 @@
-This directory contains the core Android SELinux policy configuration.
-It defines the domains and types for the AOSP services and apps common to
-all devices. Device-specific policy should be placed under a
-separate device/<vendor>/<board>/sepolicy subdirectory and linked
-into the policy build as described below.
-
-Policy Generation:
-
-Additional, per device, policy files can be added into the
-policy build. These files should have each line including the
-final line terminated by a newline character (0x0A). This
-will allow files to be concatenated and processed whenever
-the m4(1) macro processor is called by the build process.
-Adding the newline will also make the intermediate text files
-easier to read when debugging build failures. The sets of file,
-service and property contexts files will automatically have a
-newline inserted between each file as these are common failure
-points.
-
-These device policy files can be configured through the use of
-the BOARD_VENDOR_SEPOLICY_DIRS variable. This variable should be set
-in the BoardConfig.mk file in the device or vendor directories.
-
-BOARD_VENDOR_SEPOLICY_DIRS contains a list of directories to search
-for additional policy files. Order matters in this list.
-For example, if you have 2 instances of widget.te files in the
-BOARD_VENDOR_SEPOLICY_DIRS search path, then the first one found (at the
-first search dir containing the file) will be concatenated first.
-Reviewing out/target/product/<device>/obj/ETC/sepolicy_intermediates/policy.conf
-will help sort out ordering issues.
-
-Example BoardConfig.mk Usage:
-From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
-
-Alongside vendor sepolicy dirs, OEMs can also amend the public and private
-policy of the product and system_ext partitions:
-
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
-
-The old BOARD_PLAT_PUBLIC_SEPOLICY_DIR and BOARD_PLAT_PRIVATE_SEPOLICY_DIR
-variables have been deprecated in favour of SYSTEM_EXT_*.
-
-Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
-definitions during the build. A definition consists of a string in the form
-of macro-name=value. Spaces must NOT be present. This is useful for building modular
-policies, policy generation, conditional file paths, etc. It is supported in
-the following file types:
- * All *.te and SE Linux policy files as passed to checkpolicy
- * file_contexts
- * service_contexts
- * property_contexts
- * keys.conf
-
-Example BoardConfig.mk Usage:
-BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
- btdevice=/dev/gps
-
-SPECIFIC POLICY FILE INFORMATION
-
-mac_permissions.xml:
- ABOUT:
- The mac_permissions.xml file is used for controlling the mmac solutions
- as well as mapping a public base16 signing key with an arbitrary seinfo
- string. Details of the files contents can be found in a comment at the
- top of that file. The seinfo string, previously mentioned, is the same string
- that is referenced in seapp_contexts.
-
- It is important to note the final processed version of this file
- is stripped of comments and whitespace. This is to preserve space on the
- system.img. If one wishes to view it in a more human friendly format,
- the "tidy" or "xmllint" command will assist you.
-
- TOOLING:
- insertkeys.py
- Is a helper script for mapping arbitrary tags in the signature stanzas of
- mac_permissions.xml to public keys found in pem files. This script takes
- a mac_permissions.xml file(s) and configuration file in order to operate.
- Details of the configuration file (keys.conf) can be found in the subsection
- keys.conf. This tool is also responsible for stripping the comments and
- whitespace during processing.
-
- keys.conf
- The keys.conf file is used for controlling the mapping of "tags" found in
- the mac_permissions.xml signature stanzas with actual public keys found in
- pem files. The configuration file is processed via m4.
-
- The script allows for mapping any string contained in TARGET_BUILD_VARIANT
- with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
- user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
- any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
- and all options are matched lowercase. The options are "tolowered" automatically
- for the user, it is convention to specify tags and options in all uppercase
- and tags start with @. The option arguments can also use environment variables
- via the familiar $VARIABLE syntax. This is often useful for setting a location
- to ones release keys.
-
- Often times, one will need to integrate an application that was signed by a separate
- organization and may need to extract the pem file for the insertkeys/keys.conf tools.
- Extraction of the public key in the pem format is possible via openssl. First you need
- to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute
- openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
- On some occasions CERT.RSA has a different name, and you will need to adjust for that.
- After extracting the pem, you can rename it, and configure keys.conf and
- mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text
- editor and strip out anything outside the opening and closing scissor lines. Failure to do
- so WILL cause a compile time issue thrown by insertkeys.py
-
- NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
- and setool all use base16 encodings.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..16d7e45
--- /dev/null
+++ b/README.md
@@ -0,0 +1,117 @@
+# Android SEPolicy
+
+This directory contains the core Android SELinux policy configuration.
+It defines the domains and types for the AOSP services and apps common to
+all devices. Device-specific policy should be placed under a
+separate `device/<vendor>/<board>/sepolicy` subdirectory and linked
+into the policy build as described below.
+
+## Policy Generation
+
+Additional, per device, policy files can be added into the
+policy build. These files should have each line including the
+final line terminated by a newline character (`0x0A`). This
+will allow files to be concatenated and processed whenever
+the `m4`(1) macro processor is called by the build process.
+Adding the newline will also make the intermediate text files
+easier to read when debugging build failures. The sets of file,
+service and property contexts files will automatically have a
+newline inserted between each file as these are common failure
+points.
+
+These device policy files can be configured through the use of
+the `BOARD_VENDOR_SEPOLICY_DIRS` variable. This variable should be set
+in the BoardConfig.mk file in the device or vendor directories.
+
+`BOARD_VENDOR_SEPOLICY_DIRS` contains a list of directories to search
+for additional policy files. Order matters in this list.
+For example, if you have 2 instances of widget.te files in the
+`BOARD_VENDOR_SEPOLICY_DIRS` search path, then the first one found (at the
+first search dir containing the file) will be concatenated first.
+Reviewing `out/target/product/<device>/obj/ETC/vendor_sepolicy.conf_intermediates/vendor_sepolicy.conf`
+will help sort out ordering issues.
+
+Example `BoardConfig.mk` Usage:
+From the Tuna device `BoardConfig.mk`, `device/samsung/tuna/BoardConfig.mk`
+
+ BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
+
+Alongside vendor sepolicy dirs, OEMs can also amend the public and private
+policy of the product and system_ext partitions:
+
+ SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
+ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
+ PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
+ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
+
+The old `BOARD_PLAT_PUBLIC_SEPOLICY_DIR` and `BOARD_PLAT_PRIVATE_SEPOLICY_DIR`
+variables have been deprecated in favour of `SYSTEM_EXT_*`.
+
+Additionally, OEMs can specify `BOARD_SEPOLICY_M4DEFS` to pass arbitrary `m4`
+definitions during the build. A definition consists of a string in the form
+of `macro-name=value`. Spaces must **NOT** be present. This is useful for building modular
+policies, policy generation, conditional file paths, etc. It is supported in
+the following file types:
+* All `*.te` and SELinux policy files as passed to `checkpolicy`
+* `file_contexts`
+* `service_contexts`
+* `property_contexts`
+* `keys.conf`
+
+Example BoardConfig.mk Usage:
+
+ BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
+ btdevice=/dev/gps
+
+## SPECIFIC POLICY FILE INFORMATION
+
+### mac_permissions.xml
+The `mac_permissions.xml` file is used for controlling the mmac solutions
+as well as mapping a public base16 signing key with an arbitrary seinfo
+string. Details of the files contents can be found in a comment at the
+top of that file. The seinfo string, previously mentioned, is the same string
+that is referenced in seapp_contexts.
+
+It is important to note the final processed version of this file
+is stripped of comments and whitespace. This is to preserve space on the
+system.img. If one wishes to view it in a more human friendly format,
+the `tidy` or `xmllint` command will assist you.
+
+### insertkeys.py
+Is a helper script for mapping arbitrary tags in the signature stanzas of
+`mac_permissions.xml` to public keys found in pem files. This script takes
+a `mac_permissions.xml` file(s) and configuration file in order to operate.
+Details of the configuration file (`keys.conf`) can be found in the subsection
+keys.conf. This tool is also responsible for stripping the comments and
+whitespace during processing.
+
+### keys.conf
+The `keys.conf` file is used for controlling the mapping of "tags" found in
+the `mac_permissions.xml` signature stanzas with actual public keys found in
+pem files. The configuration file is processed via `m4`.
+
+The script allows for mapping any string contained in `TARGET_BUILD_VARIANT`
+with specific path to a pem file. Typically `TARGET_BUILD_VARIANT` is either
+user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
+any string specified in `TARGET_BUILD_VARIANT`. All tags are matched verbatim
+and all options are matched lowercase. The options are **tolowered** automatically
+for the user, it is convention to specify tags and options in all uppercase
+and tags start with @. The option arguments can also use environment variables
+via the familiar `$VARIABLE` syntax. This is often useful for setting a location
+to ones release keys.
+
+Often times, one will need to integrate an application that was signed by a separate
+organization and may need to extract the pem file for the `insertkeys/keys.conf` tools.
+Extraction of the public key in the pem format is possible via `openssl`. First you need
+to unzip the apk, once it is unzipped, `cd` into the `META_INF` directory and then execute
+
+ openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
+
+On some occasions `CERT.RSA` has a different name, and you will need to adjust for that.
+After extracting the pem, you can rename it, and configure `keys.conf` and
+`mac_permissions.xml` to pick up the change. You **MUST** open the generated pem file in a text
+editor and strip out anything outside the opening and closing scissor lines. Failure to do
+so **WILL** cause a compile time issue thrown by insertkeys.py
+
+**NOTE:** The pem files are base64 encoded and `PackageManagerService`, `mac_permissions.xml`
+ and `setool` all use base16 encodings.
diff --git a/TEST_MAPPING b/TEST_MAPPING
index db12ffe..cf99902 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -14,6 +14,12 @@
}
]
+ },
+ {
+ "name": "MicrodroidHostTestCases"
+ },
+ {
+ "name": "ComposHostTestCases"
}
]
}
diff --git a/apex/Android.bp b/apex/Android.bp
index b5199f0..5d61303 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -22,6 +22,11 @@
}
filegroup {
+ name: "apex_file_contexts_files",
+ srcs: ["*-file_contexts"],
+}
+
+filegroup {
name: "apex.test-file_contexts",
srcs: [
"apex.test-file_contexts",
@@ -183,6 +188,13 @@
}
filegroup {
+ name: "com.android.sepolicy-file_contexts",
+ srcs: [
+ "com.android.sepolicy-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.telephony-file_contexts",
srcs: [
"com.android.telephony-file_contexts",
@@ -197,6 +209,13 @@
}
filegroup {
+ name: "com.android.uwb-file_contexts",
+ srcs: [
+ "com.android.uwb-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.virt-file_contexts",
srcs: [
"com.android.virt-file_contexts",
@@ -230,3 +249,24 @@
"com.android.extservices-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.adservices-file_contexts",
+ srcs: [
+ "com.android.adservices-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.car.framework-file_contexts",
+ srcs: [
+ "com.android.car.framework-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.ondevicepersonalization-file_contexts",
+ srcs: [
+ "com.android.ondevicepersonalization-file_contexts",
+ ],
+}
diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index a14e14b..0623d9a 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,4 +1,2 @@
-/bin/apex_test_preInstallHook u:object_r:apex_test_prepostinstall_exec:s0
-/bin/apex_test_postInstallHook u:object_r:apex_test_prepostinstall_exec:s0
(/.*)? u:object_r:system_file:s0
/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
diff --git a/apex/com.android.adservices-file_contexts b/apex/com.android.adservices-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.adservices-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index d2a8626..2533cac 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,6 +2,7 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
diff --git a/apex/com.android.bluetooth.updatable-file_contexts b/apex/com.android.bluetooth-file_contexts
similarity index 100%
rename from apex/com.android.bluetooth.updatable-file_contexts
rename to apex/com.android.bluetooth-file_contexts
diff --git a/apex/com.android.car.framework-file_contexts b/apex/com.android.car.framework-file_contexts
new file mode 100644
index 0000000..44527bc
--- /dev/null
+++ b/apex/com.android.car.framework-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index 83b4b58..799c2c4 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1 +1,5 @@
(/.*)? u:object_r:system_file:s0
+/bin/compos_key_helper u:object_r:compos_key_helper_exec:s0
+/bin/compos_verify u:object_r:compos_verify_exec:s0
+/bin/composd u:object_r:composd_exec:s0
+/bin/compsvc u:object_r:compos_exec:s0
diff --git a/apex/com.android.ondevicepersonalization-file_contexts b/apex/com.android.ondevicepersonalization-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.ondevicepersonalization-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.sepolicy-file_contexts b/apex/com.android.sepolicy-file_contexts
new file mode 100644
index 0000000..83b4b58
--- /dev/null
+++ b/apex/com.android.sepolicy-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index 9398505..1b578ea 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1 +1,2 @@
-(/.*)? u:object_r:system_file:s0
+(/.*)? u:object_r:system_file:s0
+/bin/for-system/clatd u:object_r:clatd_exec:s0
diff --git a/apex/com.android.bluetooth.updatable-file_contexts b/apex/com.android.uwb-file_contexts
similarity index 100%
copy from apex/com.android.bluetooth.updatable-file_contexts
copy to apex/com.android.uwb-file_contexts
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 4703eba..cc712ff 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,3 +1,4 @@
-(/.*)? u:object_r:system_file:s0
-/bin/crosvm u:object_r:crosvm_exec:s0
-/bin/virtmanager u:object_r:virtmanager_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/crosvm u:object_r:crosvm_exec:s0
+/bin/fd_server u:object_r:fd_server_exec:s0
+/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/build/Android.bp b/build/Android.bp
index 5298f71..a7d56f8 100644
--- a/build/Android.bp
+++ b/build/Android.bp
@@ -31,12 +31,4 @@
"secilc",
"version_policy",
],
- version: {
- py2: {
- enabled: true,
- },
- py3: {
- enabled: false,
- },
- },
}
diff --git a/build/build_sepolicy.py b/build/build_sepolicy.py
old mode 100644
new mode 100755
index 285bfea..ce0548a
--- a/build/build_sepolicy.py
+++ b/build/build_sepolicy.py
@@ -1,3 +1,5 @@
+#!/usr/bin/env python3
+#
# Copyright 2018 - The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
diff --git a/build/file_utils.py b/build/file_utils.py
index 9f95f52..e3210ed 100644
--- a/build/file_utils.py
+++ b/build/file_utils.py
@@ -39,7 +39,7 @@
patterns.extend(open(f).readlines())
# Copy lines that are not in the pattern.
- tmp_output = tempfile.NamedTemporaryFile()
+ tmp_output = tempfile.NamedTemporaryFile(mode='w+')
with open(input_file, 'r') as in_file:
tmp_output.writelines(line for line in in_file.readlines()
if line not in patterns)
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 2282112..d1cead3 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -31,13 +31,15 @@
"soong-sysprop",
],
srcs: [
+ "bug_map.go",
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
- "filegroup.go",
"policy.go",
"selinux.go",
"selinux_contexts.go",
+ "sepolicy_freeze.go",
+ "sepolicy_neverallow.go",
"sepolicy_vers.go",
"versioned_policy.go",
],
diff --git a/build/soong/bug_map.go b/build/soong/bug_map.go
new file mode 100644
index 0000000..e24a21b
--- /dev/null
+++ b/build/soong/bug_map.go
@@ -0,0 +1,88 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_bug_map", bugMapFactory)
+}
+
+// se_bug_map collects and installs selinux denial bug tracking information to be loaded by auditd.
+func bugMapFactory() android.Module {
+ c := &bugMap{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+type bugMap struct {
+ android.ModuleBase
+ properties bugMapProperties
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+type bugMapProperties struct {
+ // List of source files or se_build_files modules.
+ Srcs []string `android:"path"`
+
+ // Output file name. Defaults to module name if unspecified.
+ Stem *string
+}
+
+func (b *bugMap) stem() string {
+ return proptools.StringDefault(b.properties.Stem, b.Name())
+}
+
+func (b *bugMap) expandSeSources(ctx android.ModuleContext) android.Paths {
+ return android.PathsForModuleSrc(ctx, b.properties.Srcs)
+}
+
+func (b *bugMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if !b.SocSpecific() && !b.SystemExtSpecific() && !b.Platform() {
+ ctx.ModuleErrorf("Selinux bug_map can only be installed in system, system_ext and vendor partitions")
+ }
+
+ srcPaths := b.expandSeSources(ctx)
+ out := android.PathForModuleGen(ctx, b.Name())
+ ctx.Build(pctx, android.BuildParams{
+ Rule: android.Cat,
+ Inputs: srcPaths,
+ Output: out,
+ Description: "Combining bug_map for " + b.Name(),
+ })
+
+ b.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ b.installSource = out
+ ctx.InstallFile(b.installPath, b.stem(), b.installSource)
+}
+
+func (b *bugMap) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(b.installSource),
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", b.installPath)
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", b.stem())
+ },
+ },
+ }}
+}
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 5de6122..6cc40c6 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -17,7 +17,6 @@
import (
"fmt"
"path/filepath"
- "sort"
"strings"
"android/soong/android"
@@ -29,8 +28,8 @@
// se_build_files gathers policy files from sepolicy dirs, and acts like a filegroup. A tag with
// partition(plat, system_ext, product) and scope(public, private) is used to select directories.
-// Supported tags are: "plat", "plat_public", "system_ext", "system_ext_public", "product",
-// "product_public", and "reqd_mask".
+// Supported tags are: "plat_public", "plat_private", "system_ext_public", "system_ext_private",
+// "product_public", "product_private", and "reqd_mask".
func buildFilesFactory() android.Module {
module := &buildFiles{}
module.AddProperties(&module.properties)
@@ -86,114 +85,53 @@
var _ android.OutputFileProducer = (*buildFiles)(nil)
-type partition int
-
-const (
- system partition = iota
- system_ext
- product
-)
-
-type scope int
-
-const (
- public scope = iota
- private
-)
-
type sepolicyDir struct {
- partition partition
- scope scope
- paths []string
-}
-
-func (p partition) String() string {
- switch p {
- case system:
- return "plat"
- case system_ext:
- return "system_ext"
- case product:
- return "product"
- default:
- panic(fmt.Sprintf("Unknown partition %#v", p))
- }
+ tag string
+ paths []string
}
func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- // Sepolicy directories should be included in the following order.
- // - system_public
- // - system_private
- // - system_ext_public
- // - system_ext_private
- // - product_public
- // - product_private
- dirs := []sepolicyDir{
- sepolicyDir{partition: system, scope: public, paths: []string{filepath.Join(ctx.ModuleDir(), "public")}},
- sepolicyDir{partition: system, scope: private, paths: []string{filepath.Join(ctx.ModuleDir(), "private")}},
- sepolicyDir{partition: system_ext, scope: public, paths: ctx.DeviceConfig().SystemExtPublicSepolicyDirs()},
- sepolicyDir{partition: system_ext, scope: private, paths: ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()},
- sepolicyDir{partition: product, scope: public, paths: ctx.Config().ProductPublicSepolicyDirs()},
- sepolicyDir{partition: product, scope: private, paths: ctx.Config().ProductPrivateSepolicyDirs()},
- }
-
- if !sort.SliceIsSorted(dirs, func(i, j int) bool {
- if dirs[i].partition != dirs[j].partition {
- return dirs[i].partition < dirs[j].partition
- }
-
- return dirs[i].scope < dirs[j].scope
- }) {
- panic("dirs is not sorted")
- }
-
- // Exported cil policy files are built with the following policies.
- //
- // - plat_pub_policy.cil: exported 'system'
- // - system_ext_pub_policy.cil: exported 'system' and 'system_ext'
- // - pub_policy.cil: exported 'system', 'system_ext', and 'product'
- //
- // cil policy files are built with the following policies.
- //
- // - plat_policy.cil: 'system', including private
- // - system_ext_policy.cil: 'system_ext', including private
- // - product_sepolicy.cil: 'product', including private
- //
- // gatherDirsFor collects all needed directories for given partition and scope. For example,
- //
- // - gatherDirsFor(system_ext, private) will return system + system_ext (including private)
- // - gatherDirsFor(product, public) will return system + system_ext + product (public only)
- //
- // "dirs" should be sorted before calling this.
- gatherDirsFor := func(p partition, s scope) []string {
- var ret []string
-
- for _, d := range dirs {
- if d.partition <= p && d.scope <= s {
- ret = append(ret, d.paths...)
- }
- }
-
- return ret
- }
-
- reqdMaskDir := filepath.Join(ctx.ModuleDir(), "reqd_mask")
-
b.srcs = make(map[string]android.Paths)
- b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, reqdMaskDir)
+ b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
+ b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "public"))
+ b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "private"))
+ b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
+ b.srcs[".system_ext_public"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs()...)
+ b.srcs[".system_ext_private"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()...)
+ b.srcs[".product_public"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs()...)
+ b.srcs[".product_private"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs()...)
+ b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
+ b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
- for _, p := range []partition{system, system_ext, product} {
- b.srcs["."+p.String()] = b.findSrcsInDirs(ctx, gatherDirsFor(p, private)...)
-
- // reqd_mask is needed for public policies
- b.srcs["."+p.String()+"_public"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(p, public), reqdMaskDir)...)
+ if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
+ // vendor uses the same source with plat policy
+ b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]
+ b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]
+ b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]
+ b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]
+ b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]
+ b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]
+ b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]
+ b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]
+ } else {
+ // use vendor-supplied plat prebuilts
+ b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
+ b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
+ b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
+ b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
+ b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
+ b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
+ b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
+ b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
}
- // A special tag, "plat_vendor", includes minimized vendor policies required to boot.
- // - system/sepolicy/public
- // - system/sepolicy/reqd_mask
- // - system/sepolicy/vendor
- // This is for minimized vendor partition, e.g. microdroid's vendor
- platVendorDir := filepath.Join(ctx.ModuleDir(), "vendor")
- b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(system, public), reqdMaskDir, platVendorDir)...)
+ // directories used for compat tests and Treble tests
+ for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
+ b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
+ b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
+ b.srcs[".system_ext_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
+ b.srcs[".product_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
+ b.srcs[".product_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
+ }
}
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index f304e62..c9daf7c 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -59,12 +59,12 @@
// se_cil_compat_map module representing a compatibility mapping file for
// platform versions (x->y). Bottom half represents a mapping (y->z).
// Together the halves are used to generate a (x->z) mapping.
- Top_half *string
+ Top_half *string `android:"path"`
// list of source (.cil) files used to build an the bottom half of sepolicy
// compatibility mapping file. bottom_half may reference the outputs of
// other modules that produce source files like genrule or filegroup using
// the syntax ":module". srcs has to be non-empty.
- Bottom_half []string
+ Bottom_half []string `android:"path"`
// name of the output
Stem *string
}
@@ -94,31 +94,7 @@
}
func expandSeSources(ctx android.ModuleContext, srcFiles []string) android.Paths {
- expandedSrcFiles := make(android.Paths, 0, len(srcFiles))
- for _, s := range srcFiles {
- if m := android.SrcIsModule(s); m != "" {
- module := ctx.GetDirectDepWithTag(m, android.SourceDepTag)
- if module == nil {
- // Error will have been handled by ExtractSourcesDeps
- continue
- }
- if fg, ok := module.(*fileGroup); ok {
- if ctx.ProductSpecific() {
- expandedSrcFiles = append(expandedSrcFiles, fg.ProductPrivateSrcs()...)
- } else if ctx.SystemExtSpecific() {
- expandedSrcFiles = append(expandedSrcFiles, fg.SystemExtPrivateSrcs()...)
- } else {
- expandedSrcFiles = append(expandedSrcFiles, fg.SystemPrivateSrcs()...)
- }
- } else {
- ctx.ModuleErrorf("srcs dependency %q is not an selinux filegroup", m)
- }
- } else {
- p := android.PathForModuleSrc(ctx, s)
- expandedSrcFiles = append(expandedSrcFiles, p)
- }
- }
- return expandedSrcFiles
+ return android.PathsForModuleSrc(ctx, srcFiles)
}
func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
@@ -161,7 +137,6 @@
}
func (c *cilCompatMap) DepsMutator(ctx android.BottomUpMutatorContext) {
- android.ExtractSourcesDeps(ctx, c.properties.Bottom_half)
if c.properties.Top_half != nil {
ctx.AddDependency(c, TopHalfDepTag, String(c.properties.Top_half))
}
@@ -173,7 +148,7 @@
Class: "ETC",
}
ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.ToMakePath().String())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.String())
if c.properties.Stem != nil {
fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
}
@@ -182,7 +157,15 @@
}
var _ CilCompatMapGenerator = (*cilCompatMap)(nil)
+var _ android.OutputFileProducer = (*cilCompatMap)(nil)
func (c *cilCompatMap) GeneratedMapFile() android.Path {
return c.installSource
}
+
+func (c *cilCompatMap) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{c.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 230fdc3..afd2396 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -15,13 +15,21 @@
package selinux
import (
+ "fmt"
+
"github.com/google/blueprint/proptools"
"android/soong/android"
)
+var (
+ compatTestDepTag = dependencyTag{name: "compat_test"}
+)
+
func init() {
- android.RegisterModuleType("se_compat_cil", compatCilFactory)
+ ctx := android.InitRegistrationContext
+ ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
+ ctx.RegisterSingletonModuleType("se_compat_test", compatTestFactory)
}
// se_compat_cil collects and installs backwards compatibility cil files.
@@ -40,8 +48,8 @@
}
type compatCilProperties struct {
- // List of source files. Can reference se_filegroup type modules with the ":module" syntax.
- Srcs []string
+ // List of source files. Can reference se_build_files type modules with the ":module" syntax.
+ Srcs []string `android:"path"`
// Output file name. Defaults to module name if unspecified.
Stem *string
@@ -52,32 +60,7 @@
}
func (c *compatCil) expandSeSources(ctx android.ModuleContext) android.Paths {
- srcPaths := make(android.Paths, 0, len(c.properties.Srcs))
- for _, src := range c.properties.Srcs {
- if m := android.SrcIsModule(src); m != "" {
- module := ctx.GetDirectDepWithTag(m, android.SourceDepTag)
- if module == nil {
- // Error would have been handled by ExtractSourcesDeps
- continue
- }
- if fg, ok := module.(*fileGroup); ok {
- if c.SystemExtSpecific() {
- srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
- } else {
- srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
- }
- } else {
- ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
- }
- } else {
- srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
- }
- }
- return srcPaths
-}
-
-func (c *compatCil) DepsMutator(ctx android.BottomUpMutatorContext) {
- android.ExtractSourcesDeps(ctx, c.properties.Srcs)
+ return android.PathsForModuleSrc(ctx, c.properties.Srcs)
}
func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
@@ -105,9 +88,162 @@
OutputFile: android.OptionalPathForPath(c.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
}}
}
+
+func (c *compatCil) OutputFiles(tag string) (android.Paths, error) {
+ switch tag {
+ case "":
+ return android.Paths{c.installSource}, nil
+ default:
+ return nil, fmt.Errorf("unsupported module reference tag %q", tag)
+ }
+}
+
+var _ android.OutputFileProducer = (*compatCil)(nil)
+
+// se_compat_test checks if compat files ({ver}.cil, {ver}.compat.cil) files are compatible with
+// current policy.
+func compatTestFactory() android.SingletonModule {
+ f := &compatTestModule{}
+ android.InitAndroidModule(f)
+ android.AddLoadHook(f, func(ctx android.LoadHookContext) {
+ f.loadHook(ctx)
+ })
+ return f
+}
+
+type compatTestModule struct {
+ android.SingletonModuleBase
+
+ compatTestTimestamp android.ModuleOutPath
+}
+
+func (f *compatTestModule) createPlatPubVersionedModule(ctx android.LoadHookContext, ver string) {
+ confName := fmt.Sprintf("pub_policy_%s.conf", ver)
+ cilName := fmt.Sprintf("pub_policy_%s.cil", ver)
+ platPubVersionedName := fmt.Sprintf("plat_pub_versioned_%s.cil", ver)
+
+ ctx.CreateModule(policyConfFactory, &nameProperties{
+ Name: proptools.StringPtr(confName),
+ }, &policyConfProperties{
+ Srcs: []string{
+ fmt.Sprintf(":se_build_files{.plat_public_%s}", ver),
+ fmt.Sprintf(":se_build_files{.system_ext_public_%s}", ver),
+ fmt.Sprintf(":se_build_files{.product_public_%s}", ver),
+ ":se_build_files{.reqd_mask}",
+ },
+ Installable: proptools.BoolPtr(false),
+ })
+
+ ctx.CreateModule(policyCilFactory, &nameProperties{
+ Name: proptools.StringPtr(cilName),
+ }, &policyCilProperties{
+ Src: proptools.StringPtr(":" + confName),
+ Filter_out: []string{":reqd_policy_mask.cil"},
+ Secilc_check: proptools.BoolPtr(false),
+ Installable: proptools.BoolPtr(false),
+ })
+
+ ctx.CreateModule(versionedPolicyFactory, &nameProperties{
+ Name: proptools.StringPtr(platPubVersionedName),
+ }, &versionedPolicyProperties{
+ Base: proptools.StringPtr(":" + cilName),
+ Target_policy: proptools.StringPtr(":" + cilName),
+ Version: proptools.StringPtr(ver),
+ Installable: proptools.BoolPtr(false),
+ })
+}
+
+func (f *compatTestModule) createCompatTestModule(ctx android.LoadHookContext, ver string) {
+ srcs := []string{
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ fmt.Sprintf(":plat_%s.cil", ver),
+ fmt.Sprintf(":%s.compat.cil", ver),
+ fmt.Sprintf(":system_ext_%s.cil", ver),
+ fmt.Sprintf(":system_ext_%s.compat.cil", ver),
+ fmt.Sprintf(":product_%s.cil", ver),
+ }
+
+ if ver == ctx.DeviceConfig().BoardSepolicyVers() {
+ srcs = append(srcs,
+ ":plat_pub_versioned.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ )
+ } else {
+ srcs = append(srcs, fmt.Sprintf(":plat_pub_versioned_%s.cil", ver))
+ }
+
+ compatTestName := fmt.Sprintf("%s_compat_test", ver)
+ ctx.CreateModule(policyBinaryFactory, &nameProperties{
+ Name: proptools.StringPtr(compatTestName),
+ }, &policyBinaryProperties{
+ Srcs: srcs,
+ Ignore_neverallow: proptools.BoolPtr(true),
+ Installable: proptools.BoolPtr(false),
+ })
+}
+
+func (f *compatTestModule) loadHook(ctx android.LoadHookContext) {
+ for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ f.createPlatPubVersionedModule(ctx, ver)
+ f.createCompatTestModule(ctx, ver)
+ }
+}
+
+func (f *compatTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ ctx.AddDependency(f, compatTestDepTag, fmt.Sprintf("%s_compat_test", ver))
+ }
+}
+
+func (f *compatTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
+ // does nothing; se_compat_test is a singeton because two compat test modules don't make sense.
+}
+
+func (f *compatTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ var inputs android.Paths
+ ctx.VisitDirectDepsWithTag(compatTestDepTag, func(child android.Module) {
+ o, ok := child.(android.OutputFileProducer)
+ if !ok {
+ panic(fmt.Errorf("Module %q should be an OutputFileProducer but it isn't", ctx.OtherModuleName(child)))
+ }
+
+ outputs, err := o.OutputFiles("")
+ if err != nil {
+ panic(fmt.Errorf("Module %q error while producing output: %v", ctx.OtherModuleName(child), err))
+ }
+ if len(outputs) != 1 {
+ panic(fmt.Errorf("Module %q should produce exactly one output, but did %q", ctx.OtherModuleName(child), outputs.Strings()))
+ }
+
+ inputs = append(inputs, outputs[0])
+ })
+
+ f.compatTestTimestamp = android.PathForModuleOut(ctx, "timestamp")
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("touch").Output(f.compatTestTimestamp).Implicits(inputs)
+ rule.Build("compat", "compat test timestamp for: "+f.Name())
+}
+
+func (f *compatTestModule) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "FAKE",
+ // OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
+ // Without OutputFile this module won't be exported to Makefile.
+ OutputFile: android.OptionalPathForPath(f.compatTestTimestamp),
+ Include: "$(BUILD_PHONY_PACKAGE)",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", f.compatTestTimestamp.String())
+ },
+ },
+ }}
+}
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
deleted file mode 100644
index 0d426af..0000000
--- a/build/soong/filegroup.go
+++ /dev/null
@@ -1,152 +0,0 @@
-// Copyright 2018 Google Inc. All rights reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package selinux
-
-import (
- "android/soong/android"
- "path/filepath"
-)
-
-func init() {
- android.RegisterModuleType("se_filegroup", FileGroupFactory)
-}
-
-func FileGroupFactory() android.Module {
- module := &fileGroup{}
- module.AddProperties(&module.properties)
- android.InitAndroidModule(module)
- return module
-}
-
-type fileGroupProperties struct {
- // list of source file suffixes used to collect selinux policy files.
- // Source files will be looked up in the following local directories:
- // system/sepolicy/{public, private, vendor, reqd_mask}
- // and directories specified by following config variables:
- // BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
- // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
- Srcs []string
-}
-
-type fileGroup struct {
- android.ModuleBase
- properties fileGroupProperties
-
- systemPublicSrcs android.Paths
- systemPrivateSrcs android.Paths
- systemVendorSrcs android.Paths
- systemReqdMaskSrcs android.Paths
-
- systemExtPublicSrcs android.Paths
- systemExtPrivateSrcs android.Paths
-
- productPublicSrcs android.Paths
- productPrivateSrcs android.Paths
-
- vendorSrcs android.Paths
- vendorReqdMaskSrcs android.Paths
- odmSrcs android.Paths
-}
-
-// Source files from system/sepolicy/public
-func (fg *fileGroup) SystemPublicSrcs() android.Paths {
- return fg.systemPublicSrcs
-}
-
-// Source files from system/sepolicy/private
-func (fg *fileGroup) SystemPrivateSrcs() android.Paths {
- return fg.systemPrivateSrcs
-}
-
-// Source files from system/sepolicy/vendor
-func (fg *fileGroup) SystemVendorSrcs() android.Paths {
- return fg.systemVendorSrcs
-}
-
-// Source files from system/sepolicy/reqd_mask
-func (fg *fileGroup) SystemReqdMaskSrcs() android.Paths {
- return fg.systemReqdMaskSrcs
-}
-
-// Source files from SYSTEM_EXT_PUBLIC_SEPOLICY_DIR
-func (fg *fileGroup) SystemExtPublicSrcs() android.Paths {
- return fg.systemExtPublicSrcs
-}
-
-// Source files from SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
-func (fg *fileGroup) SystemExtPrivateSrcs() android.Paths {
- return fg.systemExtPrivateSrcs
-}
-
-// Source files from PRODUCT_PUBLIC_SEPOLICY_DIRS
-func (fg *fileGroup) ProductPublicSrcs() android.Paths {
- return fg.productPublicSrcs
-}
-
-// Source files from PRODUCT_PRIVATE_SEPOLICY_DIRS
-func (fg *fileGroup) ProductPrivateSrcs() android.Paths {
- return fg.productPrivateSrcs
-}
-
-// Source files from BOARD_VENDOR_SEPOLICY_DIRS
-func (fg *fileGroup) VendorSrcs() android.Paths {
- return fg.vendorSrcs
-}
-
-func (fg *fileGroup) VendorReqdMaskSrcs() android.Paths {
- return fg.vendorReqdMaskSrcs
-}
-
-// Source files from BOARD_ODM_SEPOLICY_DIRS
-func (fg *fileGroup) OdmSrcs() android.Paths {
- return fg.odmSrcs
-}
-
-func (fg *fileGroup) findSrcsInDirs(ctx android.ModuleContext, dirs []string) android.Paths {
- result := android.Paths{}
- for _, f := range fg.properties.Srcs {
- for _, d := range dirs {
- path := filepath.Join(d, f)
- files, _ := ctx.GlobWithDeps(path, nil)
- for _, f := range files {
- result = append(result, android.PathForSource(ctx, f))
- }
- }
- }
- return result
-}
-
-func (fg *fileGroup) findSrcsInDir(ctx android.ModuleContext, dir string) android.Paths {
- return fg.findSrcsInDirs(ctx, []string{dir})
-}
-
-func (fg *fileGroup) DepsMutator(ctx android.BottomUpMutatorContext) {}
-
-func (fg *fileGroup) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- fg.systemPublicSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "public"))
- fg.systemPrivateSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "private"))
- fg.systemVendorSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
- fg.systemReqdMaskSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
-
- fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs())
- fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs())
-
- fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
- fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
-
- fg.vendorReqdMaskSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy())
- fg.vendorSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs())
- fg.odmSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs())
-}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 75fbdf1..b1840da 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -17,7 +17,9 @@
import (
"fmt"
"os"
+ "sort"
"strconv"
+ "strings"
"github.com/google/blueprint/proptools"
@@ -31,9 +33,35 @@
PolicyVers = 30
)
+// This order should be kept. checkpolicy syntax requires it.
+var policyConfOrder = []string{
+ "security_classes",
+ "initial_sids",
+ "access_vectors",
+ "global_macros",
+ "neverallow_macros",
+ "mls_macros",
+ "mls_decl",
+ "mls",
+ "policy_capabilities",
+ "te_macros",
+ "attributes",
+ "ioctl_defines",
+ "ioctl_macros",
+ "*.te",
+ "roles_decl",
+ "roles",
+ "users",
+ "initial_sid_contexts",
+ "fs_use",
+ "genfs_contexts",
+ "port_contexts",
+}
+
func init() {
android.RegisterModuleType("se_policy_conf", policyConfFactory)
android.RegisterModuleType("se_policy_cil", policyCilFactory)
+ android.RegisterModuleType("se_policy_binary", policyBinaryFactory)
}
type policyConfProperties struct {
@@ -55,8 +83,14 @@
// Whether to build CTS specific policy or not. Default is false
Cts *bool
+ // Whether to build recovery specific policy or not. Default is false
+ Target_recovery *bool
+
// Whether this module is directly installable to one of the partitions. Default is true
Installable *bool
+
+ // Desired number of MLS categories. Defaults to 1024
+ Mls_cats *int64
}
type policyConf struct {
@@ -102,6 +136,10 @@
return proptools.Bool(c.properties.Cts)
}
+func (c *policyConf) isTargetRecovery() bool {
+ return proptools.Bool(c.properties.Target_recovery)
+}
+
func (c *policyConf) withAsan(ctx android.ModuleContext) string {
isAsanDevice := android.InList("address", ctx.Config().SanitizeDevice())
return strconv.FormatBool(proptools.BoolDefault(c.properties.With_asan, isAsanDevice))
@@ -111,6 +149,9 @@
if c.cts() {
return "cts"
}
+ if c.isTargetRecovery() {
+ return "false"
+ }
return strconv.FormatBool(ctx.DeviceConfig().SepolicySplit())
}
@@ -118,6 +159,9 @@
if c.cts() {
return "cts"
}
+ if c.isTargetRecovery() {
+ return "false"
+ }
return "true"
}
@@ -125,6 +169,9 @@
if c.cts() {
return "cts"
}
+ if c.isTargetRecovery() {
+ return "false"
+ }
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenTrebleSyspropNeverallow())
}
@@ -132,6 +179,9 @@
if c.cts() {
return "cts"
}
+ if c.isTargetRecovery() {
+ return "false"
+ }
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
}
@@ -142,14 +192,34 @@
return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
}
+func (c *policyConf) mlsCats() int {
+ return proptools.IntDefault(c.properties.Mls_cats, MlsCats)
+}
+
+func findPolicyConfOrder(name string) int {
+ for idx, pattern := range policyConfOrder {
+ if pattern == name || (pattern == "*.te" && strings.HasSuffix(name, ".te")) {
+ return idx
+ }
+ }
+ // name is not matched
+ return len(policyConfOrder)
+}
+
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
- conf := android.PathForModuleOut(ctx, "conf").OutputPath
+ conf := android.PathForModuleOut(ctx, c.stem()).OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
+
+ srcs := android.PathsForModuleSrc(ctx, c.properties.Srcs)
+ sort.SliceStable(srcs, func(x, y int) bool {
+ return findPolicyConfOrder(srcs[x].Base()) < findPolicyConfOrder(srcs[y].Base())
+ })
+
rule.Command().Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Flag("--fatal-warnings").
FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
FlagWithArg("-D mls_num_sens=", strconv.Itoa(MlsSens)).
- FlagWithArg("-D mls_num_cats=", strconv.Itoa(MlsCats)).
+ FlagWithArg("-D mls_num_cats=", strconv.Itoa(c.mlsCats())).
FlagWithArg("-D target_arch=", ctx.DeviceConfig().DeviceArch()).
FlagWithArg("-D target_with_asan=", c.withAsan(ctx)).
FlagWithArg("-D target_with_dexpreopt=", strconv.FormatBool(ctx.DeviceConfig().WithDexpreopt())).
@@ -162,8 +232,9 @@
FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
+ FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
Flag("-s").
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
+ Inputs(srcs).
Text("> ").Output(conf)
rule.Build("conf", "Transform policy to conf: "+ctx.ModuleName())
@@ -175,13 +246,13 @@
}
func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- c.installSource = c.transformPolicyToConf(ctx)
- c.installPath = android.PathForModuleInstall(ctx, "etc")
- ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-
if !c.installable() {
c.SkipInstall()
}
+
+ c.installSource = c.transformPolicyToConf(ctx)
+ c.installPath = android.PathForModuleInstall(ctx, "etc")
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
}
func (c *policyConf) AndroidMkEntries() []android.AndroidMkEntries {
@@ -191,7 +262,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
@@ -325,6 +396,10 @@
conf := android.PathForModuleSrc(ctx, *c.properties.Src)
cil := c.compileConfToCil(ctx, conf)
+ if !c.Installable() {
+ c.SkipInstall()
+ }
+
if c.InstallInDebugRamdisk() {
// for userdebug_plat_sepolicy.cil
c.installPath = android.PathForModuleInstall(ctx)
@@ -333,10 +408,6 @@
}
c.installSource = cil
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-
- if !c.Installable() {
- c.SkipInstall()
- }
}
func (c *policyCil) AndroidMkEntries() []android.AndroidMkEntries {
@@ -346,7 +417,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
@@ -361,3 +432,139 @@
}
var _ android.OutputFileProducer = (*policyCil)(nil)
+
+type policyBinaryProperties struct {
+ // Name of the output. Default is {module_name}
+ Stem *string
+
+ // Cil files to be compiled.
+ Srcs []string `android:"path"`
+
+ // Whether to ignore neverallow when running secilc check. Defaults to
+ // SELINUX_IGNORE_NEVERALLOWS.
+ Ignore_neverallow *bool
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+}
+
+type policyBinary struct {
+ android.ModuleBase
+
+ properties policyBinaryProperties
+
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+// se_policy_binary compiles cil files to a binary sepolicy file with secilc. Usually sources of
+// se_policy_binary come from outputs of se_policy_cil modules.
+func policyBinaryFactory() android.Module {
+ c := &policyBinary{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+func (c *policyBinary) InstallInRoot() bool {
+ return c.InstallInRecovery()
+}
+
+func (c *policyBinary) Installable() bool {
+ return proptools.BoolDefault(c.properties.Installable, true)
+}
+
+func (c *policyBinary) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
+func (c *policyBinary) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if len(c.properties.Srcs) == 0 {
+ ctx.PropertyErrorf("srcs", "must be specified")
+ return
+ }
+ bin := android.PathForModuleOut(ctx, c.stem()+"_policy")
+ rule := android.NewRuleBuilder(pctx, ctx)
+ secilcCmd := rule.Command().BuiltTool("secilc").
+ Flag("-m"). // Multiple decls
+ FlagWithArg("-M ", "true"). // Enable MLS
+ Flag("-G"). // expand and remove auto generated attributes
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
+ FlagWithOutput("-o ", bin).
+ FlagWithArg("-f ", os.DevNull)
+
+ if proptools.BoolDefault(c.properties.Ignore_neverallow, ctx.Config().SelinuxIgnoreNeverallows()) {
+ secilcCmd.Flag("-N")
+ }
+ rule.Temporary(bin)
+
+ // permissive check is performed only in user build (not debuggable).
+ if !ctx.Config().Debuggable() {
+ permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
+ rule.Command().BuiltTool("sepolicy-analyze").
+ Input(bin).
+ Text("permissive").
+ Text(" > ").
+ Output(permissiveDomains)
+ rule.Temporary(permissiveDomains)
+
+ msg := `==========\n` +
+ `ERROR: permissive domains not allowed in user builds\n` +
+ `List of invalid domains:`
+
+ rule.Command().Text("if test").
+ FlagWithInput("-s ", permissiveDomains).
+ Text("; then echo").
+ Flag("-e").
+ Text(`"` + msg + `"`).
+ Text("&& cat ").
+ Input(permissiveDomains).
+ Text("; exit 1; fi")
+ }
+
+ out := android.PathForModuleOut(ctx, c.stem())
+ rule.Command().Text("cp").
+ Flag("-f").
+ Input(bin).
+ Output(out)
+
+ rule.DeleteTemporaryFiles()
+ rule.Build("secilc", "Compiling cil files for "+ctx.ModuleName())
+
+ if !c.Installable() {
+ c.SkipInstall()
+ }
+
+ if c.InstallInRecovery() {
+ // install in root
+ c.installPath = android.PathForModuleInstall(ctx)
+ } else {
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ }
+ c.installSource = out
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+}
+
+func (c *policyBinary) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(c.installSource),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
+ },
+ },
+ }}
+}
+
+func (c *policyBinary) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{c.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*policyBinary)(nil)
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index a9aed60..463a978 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -17,6 +17,7 @@
import (
"fmt"
"io"
+ "os"
"strings"
"github.com/google/blueprint"
@@ -30,19 +31,15 @@
// Filenames under sepolicy directories, which will be used to generate contexts file.
Srcs []string `android:"path"`
- Product_variables struct {
- Debuggable struct {
- Srcs []string
- }
+ // Output file name. Defaults to module name
+ Stem *string
+ Product_variables struct {
Address_sanitize struct {
- Srcs []string
+ Srcs []string `android:"path"`
}
}
- // Whether reqd_mask directory is included to sepolicy directories or not.
- Reqd_mask *bool
-
// Whether the comments in generated contexts file will be removed or not.
Remove_comment *bool
@@ -58,15 +55,24 @@
// Apex paths, /system/apex/{apex_name}, will be amended to the paths of file_contexts
// entries.
Flatten_apex struct {
- Srcs []string
+ Srcs []string `android:"path"`
}
}
+type seappProperties struct {
+ // Files containing neverallow rules.
+ Neverallow_files []string `android:"path"`
+
+ // Precompiled sepolicy binary file which will be fed to checkseapp.
+ Sepolicy *string `android:"path"`
+}
+
type selinuxContextsModule struct {
android.ModuleBase
properties selinuxContextsProperties
fileContextsProperties fileContextsProperties
+ seappProperties seappProperties
build func(ctx android.ModuleContext, inputs android.Paths) android.Path
deps func(ctx android.BottomUpMutatorContext)
outputPath android.Path
@@ -86,6 +92,14 @@
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
+ android.RegisterModuleType("seapp_contexts", seappFactory)
+ android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
+
+ android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
+ android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
+ android.RegisterModuleType("hwservice_contexts_test", hwserviceContextsTestFactory)
+ android.RegisterModuleType("service_contexts_test", serviceContextsTestFactory)
+ android.RegisterModuleType("vndservice_contexts_test", vndServiceContextsTestFactory)
}
func (m *selinuxContextsModule) InstallInRoot() bool {
@@ -120,6 +134,10 @@
}
}
+func (m *selinuxContextsModule) stem() string {
+ return proptools.StringDefault(m.properties.Stem, m.Name())
+}
+
func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if m.InRecovery() {
// Installing context files at the root of the recovery partition
@@ -133,61 +151,21 @@
if reuseDeps, ok := dep.(*selinuxContextsModule); ok {
m.outputPath = reuseDeps.outputPath
- ctx.InstallFile(m.installPath, m.Name(), m.outputPath)
+ ctx.InstallFile(m.installPath, m.stem(), m.outputPath)
return
}
}
- var inputs android.Paths
-
- ctx.VisitDirectDepsWithTag(android.SourceDepTag, func(dep android.Module) {
- segroup, ok := dep.(*fileGroup)
- if !ok {
- ctx.ModuleErrorf("srcs dependency %q is not an selinux filegroup",
- ctx.OtherModuleName(dep))
- return
- }
-
- if ctx.ProductSpecific() {
- inputs = append(inputs, segroup.ProductPrivateSrcs()...)
- } else if ctx.SocSpecific() {
- if ctx.DeviceConfig().BoardSepolicyVers() == ctx.DeviceConfig().PlatformSepolicyVersion() {
- inputs = append(inputs, segroup.SystemVendorSrcs()...)
- }
- inputs = append(inputs, segroup.VendorSrcs()...)
- } else if ctx.DeviceSpecific() {
- inputs = append(inputs, segroup.OdmSrcs()...)
- } else if ctx.SystemExtSpecific() {
- inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
- } else {
- inputs = append(inputs, segroup.SystemPrivateSrcs()...)
- inputs = append(inputs, segroup.SystemPublicSrcs()...)
- }
-
- if proptools.Bool(m.properties.Reqd_mask) {
- if ctx.SocSpecific() || ctx.DeviceSpecific() {
- inputs = append(inputs, segroup.VendorReqdMaskSrcs()...)
- } else {
- inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
- }
- }
- })
-
- for _, src := range m.properties.Srcs {
- // Module sources are handled above with VisitDirectDepsWithTag
- if android.SrcIsModule(src) == "" {
- inputs = append(inputs, android.PathForModuleSrc(ctx, src))
- }
- }
-
- m.outputPath = m.build(ctx, inputs)
- ctx.InstallFile(m.installPath, ctx.ModuleName(), m.outputPath)
+ m.outputPath = m.build(ctx, android.PathsForModuleSrc(ctx, m.properties.Srcs))
+ ctx.InstallFile(m.installPath, m.stem(), m.outputPath)
}
func newModule() *selinuxContextsModule {
m := &selinuxContextsModule{}
m.AddProperties(
&m.properties,
+ &m.fileContextsProperties,
+ &m.seappProperties,
)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
@@ -200,10 +178,6 @@
// TODO: clean this up to use build/soong/android/variable.go after b/79249983
var srcs []string
- if ctx.Config().Debuggable() {
- srcs = append(srcs, m.properties.Product_variables.Debuggable.Srcs...)
- }
-
for _, sanitize := range ctx.Config().SanitizeDevice() {
if sanitize == "address" {
srcs = append(srcs, m.properties.Product_variables.Address_sanitize.Srcs...)
@@ -215,38 +189,32 @@
}
func (m *selinuxContextsModule) AndroidMk() android.AndroidMkData {
+ nameSuffix := ""
+ if m.InRecovery() && !m.onlyInRecovery() {
+ nameSuffix = ".recovery"
+ }
return android.AndroidMkData{
- Custom: func(w io.Writer, name, prefix, moduleDir string, data android.AndroidMkData) {
- nameSuffix := ""
- if m.InRecovery() && !m.onlyInRecovery() {
- nameSuffix = ".recovery"
- }
- fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
- fmt.Fprintln(w, "LOCAL_PATH :=", moduleDir)
- fmt.Fprintln(w, "LOCAL_MODULE :=", name+nameSuffix)
- data.Entries.WriteLicenseVariables(w)
- fmt.Fprintln(w, "LOCAL_MODULE_CLASS := ETC")
- if m.Owner() != "" {
- fmt.Fprintln(w, "LOCAL_MODULE_OWNER :=", m.Owner())
- }
- fmt.Fprintln(w, "LOCAL_MODULE_TAGS := optional")
- fmt.Fprintln(w, "LOCAL_PREBUILT_MODULE_FILE :=", m.outputPath.String())
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
- fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", name)
- fmt.Fprintln(w, "include $(BUILD_PREBUILT)")
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(m.outputPath),
+ SubName: nameSuffix,
+ Extra: []android.AndroidMkExtraFunc{
+ func(w io.Writer, outputFile android.Path) {
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.String())
+ fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.stem())
+ },
},
}
}
func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
- if proptools.Bool(m.properties.Recovery_available) && m.InstallInRecovery() {
+ if proptools.Bool(m.properties.Recovery_available) && m.ModuleBase.InstallInRecovery() {
ctx.PropertyErrorf("recovery_available",
"doesn't make sense at the same time as `recovery: true`")
}
}
func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
- return !m.InstallInRecovery()
+ return !m.ModuleBase.InstallInRecovery()
}
func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
@@ -262,7 +230,7 @@
}
func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
- return m.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
+ return m.ModuleBase.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
}
func (m *selinuxContextsModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
@@ -275,7 +243,7 @@
var _ android.ImageInterface = (*selinuxContextsModule)(nil)
func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
- ret := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
+ builtContext := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
rule := android.NewRuleBuilder(pctx, ctx)
@@ -284,37 +252,40 @@
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
Inputs(inputs).
- FlagWithOutput("> ", ret)
+ FlagWithOutput("> ", builtContext)
if proptools.Bool(m.properties.Remove_comment) {
- rule.Temporary(ret)
+ rule.Temporary(builtContext)
remove_comment_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_remove_comment")
rule.Command().
Text("sed -e 's/#.*$//' -e '/^$/d'").
- Input(ret).
+ Input(builtContext).
FlagWithOutput("> ", remove_comment_output)
- ret = remove_comment_output
+ builtContext = remove_comment_output
}
if proptools.Bool(m.properties.Fc_sort) {
- rule.Temporary(ret)
+ rule.Temporary(builtContext)
sorted_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_sorted")
rule.Command().
Tool(ctx.Config().HostToolPath(ctx, "fc_sort")).
- FlagWithInput("-i ", ret).
+ FlagWithInput("-i ", builtContext).
FlagWithOutput("-o ", sorted_output)
- ret = sorted_output
+ builtContext = sorted_output
}
- rule.Build("selinux_contexts", "building contexts: "+m.Name())
+ ret := android.PathForModuleGen(ctx, m.stem())
+ rule.Temporary(builtContext)
+ rule.Command().Text("cp").Input(builtContext).Output(ret)
rule.DeleteTemporaryFiles()
+ rule.Build("selinux_contexts", "building contexts: "+m.Name())
return ret
}
@@ -327,25 +298,18 @@
rule := android.NewRuleBuilder(pctx, ctx)
if ctx.Config().FlattenApex() {
- for _, src := range m.fileContextsProperties.Flatten_apex.Srcs {
- if m := android.SrcIsModule(src); m != "" {
- ctx.ModuleErrorf(
- "Module srcs dependency %q is not supported for flatten_apex.srcs", m)
- return nil
- }
- for _, path := range android.PathsForModuleSrcExcludes(ctx, []string{src}, nil) {
- out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
- apex_path := "/system/apex/" + strings.Replace(
- strings.TrimSuffix(path.Base(), "-file_contexts"),
- ".", "\\\\.", -1)
+ for _, path := range android.PathsForModuleSrc(ctx, m.fileContextsProperties.Flatten_apex.Srcs) {
+ out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
+ apex_path := "/system/apex/" + strings.Replace(
+ strings.TrimSuffix(path.Base(), "-file_contexts"),
+ ".", "\\\\.", -1)
- rule.Command().
- Text("awk '/object_r/{printf(\""+apex_path+"%s\\n\",$0)}'").
- Input(path).
- FlagWithOutput("> ", out)
+ rule.Command().
+ Text("awk '/object_r/{printf(\""+apex_path+"%s\\n\",$0)}'").
+ Input(path).
+ FlagWithOutput("> ", out)
- inputs = append(inputs, out)
- }
+ inputs = append(inputs, out)
}
}
@@ -355,7 +319,6 @@
func fileFactory() android.Module {
m := newModule()
- m.AddProperties(&m.fileContextsProperties)
m.build = m.buildFileContexts
return m
}
@@ -478,6 +441,31 @@
return builtCtxFile
}
+func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+ neverallowFile := android.PathForModuleGen(ctx, "neverallow")
+ ret := android.PathForModuleGen(ctx, m.stem())
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("(grep").
+ Flag("-ihe").
+ Text("'^neverallow'").
+ Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
+ Text(os.DevNull). // to make grep happy even when Neverallow_files is empty
+ Text(">").
+ Output(neverallowFile).
+ Text("|| true)") // to make ninja happy even when result is empty
+
+ rule.Temporary(neverallowFile)
+ rule.Command().BuiltTool("checkseapp").
+ FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
+ FlagWithOutput("-o ", ret).
+ Inputs(inputs).
+ Input(neverallowFile)
+
+ rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
+ return ret
+}
+
func hwServiceFactory() android.Module {
m := newModule()
m.build = m.buildHwServiceContexts
@@ -502,3 +490,178 @@
m.build = m.buildGeneralContexts
return m
}
+
+func seappFactory() android.Module {
+ m := newModule()
+ m.build = m.buildSeappContexts
+ return m
+}
+
+func vndServiceFactory() android.Module {
+ m := newModule()
+ m.build = m.buildGeneralContexts
+ android.AddLoadHook(m, func(ctx android.LoadHookContext) {
+ if !ctx.SocSpecific() {
+ ctx.ModuleErrorf(m.Name(), "must set vendor: true")
+ return
+ }
+ })
+ return m
+}
+
+var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
+
+// Implements android.OutputFileProducer
+func (m *selinuxContextsModule) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return []android.Path{m.outputPath}, nil
+ }
+ return nil, fmt.Errorf("unsupported module reference tag %q", tag)
+}
+
+type contextsTestProperties struct {
+ // Contexts files to be tested.
+ Srcs []string `android:"path"`
+
+ // Precompiled sepolicy binary to be tesed together.
+ Sepolicy *string `android:"path"`
+}
+
+type contextsTestModule struct {
+ android.ModuleBase
+
+ // Name of the test tool. "checkfc" or "property_info_checker"
+ tool string
+
+ // Additional flags to be passed to the tool.
+ flags []string
+
+ properties contextsTestProperties
+ testTimestamp android.ModuleOutPath
+}
+
+// checkfc parses a context file and checks for syntax errors.
+// If -s is specified, the service backend is used to verify binder services.
+// If -l is specified, the service backend is used to verify hwbinder services.
+// Otherwise, context_file is assumed to be a file_contexts file
+// If -e is specified, then the context_file is allowed to be empty.
+
+// file_contexts_test tests given file_contexts files with checkfc.
+func fileContextsTestFactory() android.Module {
+ m := &contextsTestModule{tool: "checkfc" /* no flags: file_contexts file check */}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
+// property_contexts_test tests given property_contexts files with property_info_checker.
+func propertyContextsTestFactory() android.Module {
+ m := &contextsTestModule{tool: "property_info_checker"}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
+// hwservice_contexts_test tests given hwservice_contexts files with checkfc.
+func hwserviceContextsTestFactory() android.Module {
+ m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-l" /* hwbinder services */}}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
+// service_contexts_test tests given service_contexts files with checkfc.
+func serviceContextsTestFactory() android.Module {
+ // checkfc -s: service_contexts test
+ m := &contextsTestModule{tool: "checkfc", flags: []string{"-s" /* binder services */}}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
+// vndservice_contexts_test tests given vndservice_contexts files with checkfc.
+func vndServiceContextsTestFactory() android.Module {
+ m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
+func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ tool := m.tool
+ if tool != "checkfc" && tool != "property_info_checker" {
+ panic(fmt.Errorf("%q: unknown tool name: %q", ctx.ModuleName(), tool))
+ }
+
+ if len(m.properties.Srcs) == 0 {
+ ctx.PropertyErrorf("srcs", "can't be empty")
+ return
+ }
+
+ if proptools.String(m.properties.Sepolicy) == "" {
+ ctx.PropertyErrorf("sepolicy", "can't be empty")
+ return
+ }
+
+ srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
+ sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().BuiltTool(tool).
+ Flags(m.flags).
+ Input(sepolicy).
+ Inputs(srcs)
+
+ m.testTimestamp = android.PathForModuleOut(ctx, "timestamp")
+ rule.Command().Text("touch").Output(m.testTimestamp)
+ rule.Build("contexts_test", "running contexts test: "+ctx.ModuleName())
+}
+
+func (m *contextsTestModule) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "FAKE",
+ // OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
+ // Without OutputFile this module won't be exported to Makefile.
+ OutputFile: android.OptionalPathForPath(m.testTimestamp),
+ Include: "$(BUILD_PHONY_PACKAGE)",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", m.testTimestamp.String())
+ },
+ },
+ }}
+}
+
+// contextsTestModule implements ImageInterface to be able to include recovery_available contexts
+// modules as its sources.
+func (m *contextsTestModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
+}
+
+func (m *contextsTestModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
+ return true
+}
+
+func (m *contextsTestModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *contextsTestModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *contextsTestModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *contextsTestModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *contextsTestModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
+ return nil
+}
+
+func (m *contextsTestModule) SetImageVariation(ctx android.BaseModuleContext, variation string, module android.Module) {
+}
+
+var _ android.ImageInterface = (*contextsTestModule)(nil)
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
new file mode 100644
index 0000000..c5513d0
--- /dev/null
+++ b/build/soong/sepolicy_freeze.go
@@ -0,0 +1,121 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "path/filepath"
+ "sort"
+
+ "android/soong/android"
+)
+
+func init() {
+ ctx := android.InitRegistrationContext
+ ctx.RegisterSingletonModuleType("se_freeze_test", freezeTestFactory)
+}
+
+// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy. Additional directories can
+// be specified via Makefile variables: SEPOLICY_FREEZE_TEST_EXTRA_DIRS and
+// SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
+func freezeTestFactory() android.SingletonModule {
+ f := &freezeTestModule{}
+ android.InitAndroidModule(f)
+ return f
+}
+
+type freezeTestModule struct {
+ android.SingletonModuleBase
+ freezeTestTimestamp android.ModuleOutPath
+}
+
+func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
+ // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
+}
+
+func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ platformVersion := ctx.DeviceConfig().PlatformSepolicyVersion()
+ totVersion := ctx.DeviceConfig().TotSepolicyVersion()
+
+ extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
+ extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
+ f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
+
+ if platformVersion == totVersion {
+ if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
+ ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
+ return
+ }
+
+ // we still build a rule to prevent possible regression
+ android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
+ return
+ }
+
+ if len(extraDirs) != len(extraPrebuiltDirs) {
+ ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
+ return
+ }
+
+ platPublic := filepath.Join(ctx.ModuleDir(), "public")
+ platPrivate := filepath.Join(ctx.ModuleDir(), "private")
+ prebuiltPublic := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "public")
+ prebuiltPrivate := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "private")
+
+ sourceDirs := append(extraDirs, platPublic, platPrivate)
+ prebuiltDirs := append(extraPrebuiltDirs, prebuiltPublic, prebuiltPrivate)
+
+ var implicits []string
+ for _, dir := range append(sourceDirs, prebuiltDirs...) {
+ glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
+ if err != nil {
+ ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
+ return
+ }
+ implicits = append(implicits, glob...)
+ }
+ sort.Strings(implicits)
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ for idx, _ := range sourceDirs {
+ rule.Command().Text("diff").
+ Flag("-r").
+ Flag("-q").
+ FlagWithArg("-x ", "bug_map"). // exclude
+ Text(sourceDirs[idx]).
+ Text(prebuiltDirs[idx])
+ }
+
+ rule.Command().Text("touch").
+ Output(f.freezeTestTimestamp).
+ Implicits(android.PathsForSource(ctx, implicits))
+
+ rule.Build("sepolicy_freeze_test", "sepolicy_freeze_test")
+}
+
+func (f *freezeTestModule) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "FAKE",
+ // OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
+ // Without OutputFile this module won't be exported to Makefile.
+ OutputFile: android.OptionalPathForPath(f.freezeTestTimestamp),
+ Include: "$(BUILD_PHONY_PACKAGE)",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", f.freezeTestTimestamp.String())
+ },
+ },
+ }}
+}
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
new file mode 100644
index 0000000..98dd3cf
--- /dev/null
+++ b/build/soong/sepolicy_neverallow.go
@@ -0,0 +1,188 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "github.com/google/blueprint/proptools"
+
+ "fmt"
+ "strconv"
+
+ "android/soong/android"
+)
+
+func init() {
+ ctx := android.InitRegistrationContext
+ ctx.RegisterModuleType("se_neverallow_test", neverallowTestFactory)
+}
+
+type neverallowTestProperties struct {
+ // Policy files to be tested.
+ Srcs []string `android:"path"`
+}
+
+type neverallowTestModule struct {
+ android.ModuleBase
+ properties neverallowTestProperties
+ testTimestamp android.ModuleOutPath
+}
+
+type nameProperties struct {
+ Name *string
+}
+
+var checkpolicyTag = dependencyTag{name: "checkpolicy"}
+var sepolicyAnalyzeTag = dependencyTag{name: "sepolicy_analyze"}
+
+// se_neverallow_test builds given policy files and checks whether any neverallow violations exist.
+// This module creates two conf files, one with build test and one without build test. Policy with
+// build test will be compiled with checkpolicy, and policy without build test will be tested with
+// sepolicy-analyze's neverallow tool. This module's check can be skipped by setting
+// SELINUX_IGNORE_NEVERALLOWS := true.
+func neverallowTestFactory() android.Module {
+ n := &neverallowTestModule{}
+ n.AddProperties(&n.properties)
+ android.InitAndroidModule(n)
+ android.AddLoadHook(n, func(ctx android.LoadHookContext) {
+ n.loadHook(ctx)
+ })
+ return n
+}
+
+// Child conf module name for checkpolicy test.
+func (n *neverallowTestModule) checkpolicyConfModuleName() string {
+ return n.Name() + ".checkpolicy.conf"
+}
+
+// Child conf module name for sepolicy-analyze test.
+func (n *neverallowTestModule) sepolicyAnalyzeConfModuleName() string {
+ return n.Name() + ".sepolicy_analyze.conf"
+}
+
+func (n *neverallowTestModule) loadHook(ctx android.LoadHookContext) {
+ checkpolicyConf := n.checkpolicyConfModuleName()
+ ctx.CreateModule(policyConfFactory, &nameProperties{
+ Name: proptools.StringPtr(checkpolicyConf),
+ }, &policyConfProperties{
+ Srcs: n.properties.Srcs,
+ Build_variant: proptools.StringPtr("user"),
+ Installable: proptools.BoolPtr(false),
+ })
+
+ sepolicyAnalyzeConf := n.sepolicyAnalyzeConfModuleName()
+ ctx.CreateModule(policyConfFactory, &nameProperties{
+ Name: proptools.StringPtr(sepolicyAnalyzeConf),
+ }, &policyConfProperties{
+ Srcs: n.properties.Srcs,
+ Build_variant: proptools.StringPtr("user"),
+ Exclude_build_test: proptools.BoolPtr(true),
+ Installable: proptools.BoolPtr(false),
+ })
+}
+
+func (n *neverallowTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ ctx.AddDependency(n, checkpolicyTag, n.checkpolicyConfModuleName())
+ ctx.AddDependency(n, sepolicyAnalyzeTag, n.sepolicyAnalyzeConfModuleName())
+}
+
+func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ n.testTimestamp = android.PathForModuleOut(ctx, "timestamp")
+ if ctx.Config().SelinuxIgnoreNeverallows() {
+ // just touch
+ android.WriteFileRule(ctx, n.testTimestamp, "")
+ return
+ }
+
+ var checkpolicyConfPaths android.Paths
+ var sepolicyAnalyzeConfPaths android.Paths
+
+ ctx.VisitDirectDeps(func(child android.Module) {
+ depTag := ctx.OtherModuleDependencyTag(child)
+ if depTag != checkpolicyTag && depTag != sepolicyAnalyzeTag {
+ return
+ }
+
+ o, ok := child.(android.OutputFileProducer)
+ if !ok {
+ panic(fmt.Errorf("Module %q isn't an OutputFileProducer", ctx.OtherModuleName(child)))
+ }
+
+ outputs, err := o.OutputFiles("")
+ if err != nil {
+ panic(fmt.Errorf("Module %q error while producing output: %v", ctx.OtherModuleName(child), err))
+ }
+
+ switch ctx.OtherModuleDependencyTag(child) {
+ case checkpolicyTag:
+ checkpolicyConfPaths = outputs
+ case sepolicyAnalyzeTag:
+ sepolicyAnalyzeConfPaths = outputs
+ }
+ })
+
+ if len(checkpolicyConfPaths) != 1 {
+ panic(fmt.Errorf("Module %q should produce exactly one output", n.checkpolicyConfModuleName()))
+ }
+
+ if len(sepolicyAnalyzeConfPaths) != 1 {
+ panic(fmt.Errorf("Module %q should produce exactly one output", n.sepolicyAnalyzeConfModuleName()))
+ }
+
+ checkpolicyConfPath := checkpolicyConfPaths[0]
+ sepolicyAnalyzeConfPath := sepolicyAnalyzeConfPaths[0]
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ // Step 1. Build a binary policy from the conf file including build test
+ binaryPolicy := android.PathForModuleOut(ctx, "policy")
+ rule.Command().BuiltTool("checkpolicy").
+ Flag("-M").
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ FlagWithOutput("-o ", binaryPolicy).
+ Input(checkpolicyConfPath)
+ rule.Build("neverallow_checkpolicy", "Neverallow check: "+ctx.ModuleName())
+
+ // Step 2. Run sepolicy-analyze with the conf file without the build test and binary policy
+ // file from Step 1
+ rule = android.NewRuleBuilder(pctx, ctx)
+ msg := `sepolicy-analyze failed. This is most likely due to the use\n` +
+ `of an expanded attribute in a neverallow assertion. Please fix\n` +
+ `the policy.`
+
+ rule.Command().BuiltTool("sepolicy-analyze").
+ Input(binaryPolicy).
+ Text("neverallow").
+ Flag("-w").
+ FlagWithInput("-f ", sepolicyAnalyzeConfPath).
+ Text("|| (echo").
+ Flag("-e").
+ Text(`"` + msg + `"`).
+ Text("; exit 1)")
+
+ rule.Command().Text("touch").Output(n.testTimestamp)
+ rule.Build("neverallow_sepolicy-analyze", "Neverallow check: "+ctx.ModuleName())
+}
+
+func (n *neverallowTestModule) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(n.testTimestamp),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", true)
+ },
+ },
+ }}
+}
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
index 0d938e7..ca40173 100644
--- a/build/soong/sepolicy_vers.go
+++ b/build/soong/sepolicy_vers.go
@@ -82,13 +82,13 @@
rule.Command().Text("echo").Text(ver).Text(">").Output(out)
rule.Build("sepolicy_vers", v.Name())
- v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- v.installSource = out
- ctx.InstallFile(v.installPath, v.stem(), v.installSource)
-
if !v.installable() {
v.SkipInstall()
}
+
+ v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ v.installSource = out
+ ctx.InstallFile(v.installPath, v.stem(), v.installSource)
}
func (v *sepolicyVers) AndroidMkEntries() []android.AndroidMkEntries {
@@ -97,7 +97,7 @@
OutputFile: android.OptionalPathForPath(v.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", v.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", v.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", v.stem())
},
},
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index f25cd59..c316d2a 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -35,8 +35,8 @@
// Output file name. Defaults to {name} if target_policy is set, {version}.cil if mapping is set
Stem *string
- // Target sepolicy version. Can be a specific version number (e.g. "30.0" for R) or "current"
- // (PLATFORM_SEPOLICY_VERSION). Defaults to "current"
+ // Target sepolicy version. Can be a specific version number (e.g. "30.0" for R), "current"
+ // (PLATFORM_SEPOLICY_VERSION), or "vendor" (BOARD_SEPOLICY_VERS). Defaults to "current"
Version *string
// If true, generate mapping file from given base cil file. Cannot be set with target_policy.
@@ -90,6 +90,8 @@
version := proptools.StringDefault(m.properties.Version, "current")
if version == "current" {
version = ctx.DeviceConfig().PlatformSepolicyVersion()
+ } else if version == "vendor" {
+ version = ctx.DeviceConfig().BoardSepolicyVers()
}
var stem string
@@ -151,16 +153,16 @@
rule.Build("mapping", "Versioning mapping file "+ctx.ModuleName())
+ if !m.installable() {
+ m.SkipInstall()
+ }
+
m.installSource = out
m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
if subdir := proptools.String(m.properties.Relative_install_path); subdir != "" {
m.installPath = m.installPath.Join(ctx, subdir)
}
ctx.InstallFile(m.installPath, m.installSource.Base(), m.installSource)
-
- if !m.installable() {
- m.SkipInstall()
- }
}
func (m *versionedPolicy) AndroidMkEntries() []android.AndroidMkEntries {
@@ -170,7 +172,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !m.installable())
- entries.SetPath("LOCAL_MODULE_PATH", m.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", m.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", m.installSource.Base())
},
},
diff --git a/com.android.sepolicy/33/Android.bp b/com.android.sepolicy/33/Android.bp
new file mode 100644
index 0000000..f3387ac
--- /dev/null
+++ b/com.android.sepolicy/33/Android.bp
@@ -0,0 +1,56 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+genrule {
+ name: "apex_file_contexts-33.gen",
+ defaults: ["sepolicy_file_contexts_gen_default"],
+ srcs: ["file_contexts"],
+ out: ["apex_file_contexts-33"],
+}
+
+prebuilt_etc {
+ name: "apex_file_contexts-33",
+ filename: "apex_file_contexts",
+ src: ":apex_file_contexts-33.gen",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_property_contexts-33",
+ filename: "apex_property_contexts",
+ src: "property_contexts",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_service_contexts-33",
+ filename: "apex_service_contexts",
+ src: "service_contexts",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_seapp_contexts-33",
+ filename: "apex_seapp_contexts",
+ src: "seapp_contexts",
+ installable: false,
+}
diff --git a/com.android.sepolicy/33/file_contexts b/com.android.sepolicy/33/file_contexts
new file mode 100644
index 0000000..14f99f9
--- /dev/null
+++ b/com.android.sepolicy/33/file_contexts
@@ -0,0 +1 @@
+/dev/selinux/apex_test u:object_r:sepolicy_test_file:s0
diff --git a/com.android.sepolicy/33/property_contexts b/com.android.sepolicy/33/property_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/property_contexts
diff --git a/com.android.sepolicy/33/seapp_contexts b/com.android.sepolicy/33/seapp_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/seapp_contexts
diff --git a/com.android.sepolicy/33/service_contexts b/com.android.sepolicy/33/service_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/service_contexts
diff --git a/com.android.sepolicy/33/shell.te b/com.android.sepolicy/33/shell.te
new file mode 100644
index 0000000..757328e
--- /dev/null
+++ b/com.android.sepolicy/33/shell.te
@@ -0,0 +1,2 @@
+allow shell sepolicy_test_file:file r_file_perms;
+
diff --git a/com.android.sepolicy/Android.bp b/com.android.sepolicy/Android.bp
new file mode 100644
index 0000000..1e042f3
--- /dev/null
+++ b/com.android.sepolicy/Android.bp
@@ -0,0 +1,28 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+genrule_defaults {
+ name: "sepolicy_file_contexts_gen_default",
+ tools: ["fc_sort"],
+ cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+ "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
diff --git a/compat.mk b/compat.mk
deleted file mode 100644
index 4aed864..0000000
--- a/compat.mk
+++ /dev/null
@@ -1,56 +0,0 @@
-version := $(version_under_treble_tests)
-
-include $(CLEAR_VARS)
-#################################
-# build this target to ensure the compat permissions files all build against the current policy
-#
-LOCAL_MODULE := $(version)_compat_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_REQUIRED_MODULES := $(version).compat.cil
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_cil_files := \
- $(built_plat_cil) \
- $(built_plat_mapping_cil) \
- $(built_pub_vers_cil) \
- $(ALL_MODULES.$(version).compat.cil.BUILT) \
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += $(built_system_ext_cil)
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(built_system_ext_mapping_cil)
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(built_product_mapping_cil)
-endif
-
-ifneq ($(mixed_sepolicy_build),true)
-
-all_cil_files += $(built_vendor_cil)
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_cil_files += $(built_odm_cil)
-endif
-
-endif # ifneq ($(mixed_sepolicy_build),true)
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
- @mkdir -p $(dir $@)
- $(hide) $< -m -N -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
-
-all_cil_files :=
-version :=
-version_under_treble_tests :=
diff --git a/compat/Android.bp b/compat/Android.bp
new file mode 100644
index 0000000..2370c7b
--- /dev/null
+++ b/compat/Android.bp
@@ -0,0 +1,330 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains module definitions for compatibility files.
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "system_sepolicy_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+se_cil_compat_map {
+ name: "plat_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map{.plat_private}"],
+ top_half: "plat_29.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map{.plat_private}"],
+ top_half: "plat_30.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map{.plat_private}"],
+ top_half: "plat_31.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_31.0.cil",
+ stem: "31.0.cil",
+ bottom_half: [":31.0.board.compat.map{.plat_private}"],
+ top_half: "plat_32.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_32.0.cil",
+ stem: "32.0.cil",
+ bottom_half: [":32.0.board.compat.map{.plat_private}"],
+ top_half: "plat_33.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_33.0.cil",
+ stem: "33.0.cil",
+ bottom_half: [":33.0.board.compat.map{.plat_private}"],
+ // top_half: "plat_34.0.cil",
+}
+
+se_cil_compat_map {
+ name: "system_ext_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map{.system_ext_private}"],
+ top_half: "system_ext_29.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map{.system_ext_private}"],
+ top_half: "system_ext_30.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map{.system_ext_private}"],
+ top_half: "system_ext_31.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_31.0.cil",
+ stem: "31.0.cil",
+ bottom_half: [":31.0.board.compat.map{.system_ext_private}"],
+ top_half: "system_ext_32.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_32.0.cil",
+ stem: "32.0.cil",
+ bottom_half: [":32.0.board.compat.map{.system_ext_private}"],
+ top_half: "system_ext_33.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_33.0.cil",
+ stem: "33.0.cil",
+ bottom_half: [":33.0.board.compat.map{.system_ext_private}"],
+ // top_half: "system_ext_34.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map{.product_private}"],
+ top_half: "product_29.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map{.product_private}"],
+ top_half: "product_30.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map{.product_private}"],
+ top_half: "product_31.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_31.0.cil",
+ stem: "31.0.cil",
+ bottom_half: [":31.0.board.compat.map{.product_private}"],
+ top_half: "product_32.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_32.0.cil",
+ stem: "32.0.cil",
+ bottom_half: [":32.0.board.compat.map{.product_private}"],
+ top_half: "product_33.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_33.0.cil",
+ stem: "33.0.cil",
+ bottom_half: [":33.0.board.compat.map{.product_private}"],
+ // top_half: "product_34.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "28.0.ignore.cil",
+ bottom_half: [":28.0.board.ignore.map{.plat_private}"],
+ top_half: "29.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "29.0.ignore.cil",
+ bottom_half: [":29.0.board.ignore.map{.plat_private}"],
+ top_half: "30.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map{.plat_private}"],
+ top_half: "31.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "31.0.ignore.cil",
+ bottom_half: [":31.0.board.ignore.map{.plat_private}"],
+ top_half: "32.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "32.0.ignore.cil",
+ bottom_half: [":32.0.board.ignore.map{.plat_private}"],
+ top_half: "33.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "33.0.ignore.cil",
+ bottom_half: [":33.0.board.ignore.map{.plat_private}"],
+ // top_half: "34.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "system_ext_30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map{.system_ext_private}"],
+ top_half: "system_ext_31.0.ignore.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_31.0.ignore.cil",
+ bottom_half: [":31.0.board.ignore.map{.system_ext_private}"],
+ top_half: "system_ext_32.0.ignore.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_32.0.ignore.cil",
+ bottom_half: [":32.0.board.ignore.map{.system_ext_private}"],
+ top_half: "system_ext_33.0.ignore.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_33.0.ignore.cil",
+ bottom_half: [":33.0.board.ignore.map{.system_ext_private}"],
+ // top_half: "system_ext_34.0.ignore.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map{.product_private}"],
+ top_half: "product_31.0.ignore.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_31.0.ignore.cil",
+ bottom_half: [":31.0.board.ignore.map{.product_private}"],
+ top_half: "product_32.0.ignore.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_32.0.ignore.cil",
+ bottom_half: [":32.0.board.ignore.map{.product_private}"],
+ top_half: "product_33.0.ignore.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_33.0.ignore.cil",
+ bottom_half: [":33.0.board.ignore.map{.product_private}"],
+ // top_half: "product_34.0.ignore.cil",
+ product_specific: true,
+}
+
+se_compat_cil {
+ name: "28.0.compat.cil",
+ srcs: [":28.0.board.compat.cil{.plat_private}"],
+}
+
+se_compat_cil {
+ name: "29.0.compat.cil",
+ srcs: [":29.0.board.compat.cil{.plat_private}"],
+}
+
+se_compat_cil {
+ name: "30.0.compat.cil",
+ srcs: [":30.0.board.compat.cil{.plat_private}"],
+}
+
+se_compat_cil {
+ name: "31.0.compat.cil",
+ srcs: [":31.0.board.compat.cil{.plat_private}"],
+}
+
+se_compat_cil {
+ name: "32.0.compat.cil",
+ srcs: [":32.0.board.compat.cil{.plat_private}"],
+}
+
+se_compat_cil {
+ name: "33.0.compat.cil",
+ srcs: [":33.0.board.compat.cil{.plat_private}"],
+}
+
+se_compat_cil {
+ name: "system_ext_28.0.compat.cil",
+ srcs: [":28.0.board.compat.cil{.system_ext_private}"],
+ stem: "28.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_29.0.compat.cil",
+ srcs: [":29.0.board.compat.cil{.system_ext_private}"],
+ stem: "29.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_30.0.compat.cil",
+ srcs: [":30.0.board.compat.cil{.system_ext_private}"],
+ stem: "30.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_31.0.compat.cil",
+ srcs: [":31.0.board.compat.cil{.system_ext_private}"],
+ stem: "31.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_32.0.compat.cil",
+ srcs: [":32.0.board.compat.cil{.system_ext_private}"],
+ stem: "32.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_33.0.compat.cil",
+ srcs: [":33.0.board.compat.cil{.system_ext_private}"],
+ stem: "33.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_test {
+ name: "sepolicy_compat_test",
+}
diff --git a/contexts/Android.bp b/contexts/Android.bp
new file mode 100644
index 0000000..2a5a058
--- /dev/null
+++ b/contexts/Android.bp
@@ -0,0 +1,477 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains module definitions for various contexts files.
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "system_sepolicy_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+file_contexts {
+ name: "plat_file_contexts",
+ srcs: [":file_contexts_files{.plat_private}"],
+ product_variables: {
+ address_sanitize: {
+ srcs: [":file_contexts_asan_files{.plat_private}"],
+ },
+ debuggable: {
+ srcs: [":file_contexts_overlayfs_files{.plat_private}"],
+ },
+ },
+
+ flatten_apex: {
+ srcs: [":apex_file_contexts_files"],
+ },
+}
+
+file_contexts {
+ name: "plat_file_contexts.recovery",
+ srcs: [":file_contexts_files{.plat_private}"],
+ stem: "plat_file_contexts",
+ product_variables: {
+ address_sanitize: {
+ srcs: [":file_contexts_asan_files{.plat_private}"],
+ },
+ debuggable: {
+ srcs: [":file_contexts_overlayfs_files{.plat_private}"],
+ },
+ },
+
+ flatten_apex: {
+ srcs: [":apex_file_contexts_files"],
+ },
+
+ recovery: true,
+}
+
+file_contexts {
+ name: "vendor_file_contexts",
+ srcs: [
+ ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.vendor}",
+ ],
+ soc_specific: true,
+}
+
+file_contexts {
+ name: "vendor_file_contexts.recovery",
+ srcs: [
+ ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.vendor}",
+ ],
+ stem: "vendor_file_contexts",
+ recovery: true,
+}
+
+file_contexts {
+ name: "system_ext_file_contexts",
+ srcs: [":file_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+}
+
+file_contexts {
+ name: "system_ext_file_contexts.recovery",
+ srcs: [":file_contexts_files{.system_ext_private}"],
+ stem: "system_ext_file_contexts",
+ recovery: true,
+}
+
+file_contexts {
+ name: "product_file_contexts",
+ srcs: [":file_contexts_files{.product_private}"],
+ product_specific: true,
+}
+
+file_contexts {
+ name: "product_file_contexts.recovery",
+ srcs: [":file_contexts_files{.product_private}"],
+ stem: "product_file_contexts",
+ recovery: true,
+}
+
+file_contexts {
+ name: "odm_file_contexts",
+ srcs: [":file_contexts_files{.odm}"],
+ device_specific: true,
+}
+
+file_contexts {
+ name: "odm_file_contexts.recovery",
+ srcs: [":file_contexts_files{.odm}"],
+ stem: "odm_file_contexts",
+ recovery: true,
+}
+
+hwservice_contexts {
+ name: "plat_hwservice_contexts",
+ srcs: [":hwservice_contexts_files{.plat_private}"],
+}
+
+hwservice_contexts {
+ name: "system_ext_hwservice_contexts",
+ srcs: [":hwservice_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+}
+
+hwservice_contexts {
+ name: "product_hwservice_contexts",
+ srcs: [":hwservice_contexts_files{.product_private}"],
+ product_specific: true,
+}
+
+hwservice_contexts {
+ name: "vendor_hwservice_contexts",
+ srcs: [
+ ":hwservice_contexts_files{.plat_vendor_for_vendor}",
+ ":hwservice_contexts_files{.vendor}",
+ ":hwservice_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ soc_specific: true,
+}
+
+hwservice_contexts {
+ name: "odm_hwservice_contexts",
+ srcs: [":hwservice_contexts_files{.odm}"],
+ device_specific: true,
+}
+
+property_contexts {
+ name: "plat_property_contexts",
+ srcs: [":property_contexts_files{.plat_private}"],
+}
+
+property_contexts {
+ name: "plat_property_contexts.recovery",
+ srcs: [":property_contexts_files{.plat_private}"],
+ stem: "plat_property_contexts",
+ recovery: true,
+}
+
+property_contexts {
+ name: "system_ext_property_contexts",
+ srcs: [":property_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+ recovery_available: true,
+}
+
+property_contexts {
+ name: "product_property_contexts",
+ srcs: [":property_contexts_files{.product_private}"],
+ product_specific: true,
+ recovery_available: true,
+}
+
+property_contexts {
+ name: "vendor_property_contexts",
+ srcs: [
+ ":property_contexts_files{.plat_vendor_for_vendor}",
+ ":property_contexts_files{.vendor}",
+ ":property_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ soc_specific: true,
+ recovery_available: true,
+}
+
+property_contexts {
+ name: "odm_property_contexts",
+ srcs: [":property_contexts_files{.odm}"],
+ device_specific: true,
+ recovery_available: true,
+}
+
+service_contexts {
+ name: "plat_service_contexts",
+ srcs: [":service_contexts_files{.plat_private}"],
+}
+
+service_contexts {
+ name: "plat_service_contexts.recovery",
+ srcs: [":service_contexts_files{.plat_private}"],
+ stem: "plat_service_contexts",
+ recovery: true,
+}
+
+service_contexts {
+ name: "system_ext_service_contexts",
+ srcs: [":service_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+ recovery_available: true,
+}
+
+service_contexts {
+ name: "product_service_contexts",
+ srcs: [":service_contexts_files{.product_private}"],
+ product_specific: true,
+ recovery_available: true,
+}
+
+service_contexts {
+ name: "vendor_service_contexts",
+ srcs: [
+ ":service_contexts_files{.plat_vendor_for_vendor}",
+ ":service_contexts_files{.vendor}",
+ ":service_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ soc_specific: true,
+ recovery_available: true,
+}
+
+keystore2_key_contexts {
+ name: "plat_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files{.plat_private}"],
+}
+
+keystore2_key_contexts {
+ name: "system_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "product_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files{.product_private}"],
+ product_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "vendor_keystore2_key_contexts",
+ srcs: [
+ ":keystore2_key_contexts_files{.plat_vendor_for_vendor}",
+ ":keystore2_key_contexts_files{.vendor}",
+ ":keystore2_key_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ soc_specific: true,
+}
+
+seapp_contexts {
+ name: "plat_seapp_contexts",
+ srcs: [":seapp_contexts_files{.plat_private}"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "system_ext_seapp_contexts",
+ srcs: [":seapp_contexts_files{.system_ext_private}"],
+ neverallow_files: [":seapp_contexts_files{.plat_private}"],
+ system_ext_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "product_seapp_contexts",
+ srcs: [":seapp_contexts_files{.product_private}"],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ],
+ product_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "vendor_seapp_contexts",
+ srcs: [
+ ":seapp_contexts_files{.plat_vendor_for_vendor}",
+ ":seapp_contexts_files{.vendor}",
+ ":seapp_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private_for_vendor}",
+ ":seapp_contexts_files{.system_ext_private_for_vendor}",
+ ":seapp_contexts_files{.product_private_for_vendor}",
+ ],
+ soc_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "odm_seapp_contexts",
+ srcs: [
+ ":seapp_contexts_files{.odm}",
+ ],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private_for_vendor}",
+ ":seapp_contexts_files{.system_ext_private_for_vendor}",
+ ":seapp_contexts_files{.product_private_for_vendor}",
+ ],
+ device_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+vndservice_contexts {
+ name: "vndservice_contexts",
+ srcs: [
+ ":vndservice_contexts_files{.plat_vendor_for_vendor}",
+ ":vndservice_contexts_files{.vendor}",
+ ":vndservice_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ soc_specific: true,
+}
+
+// for CTS
+genrule {
+ name: "plat_seapp_neverallows",
+ srcs: [
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
+ ],
+ out: ["plat_seapp_neverallows"],
+ cmd: "grep -ihe '^neverallow' $(in) > $(out) || true",
+}
+
+//////////////////////////////////
+// Run host-side test with contexts files and the sepolicy file
+file_contexts_test {
+ name: "plat_file_contexts_test",
+ srcs: [":plat_file_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+file_contexts_test {
+ name: "system_ext_file_contexts_test",
+ srcs: [":system_ext_file_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+file_contexts_test {
+ name: "product_file_contexts_test",
+ srcs: [":product_file_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+file_contexts_test {
+ name: "vendor_file_contexts_test",
+ srcs: [":vendor_file_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+file_contexts_test {
+ name: "odm_file_contexts_test",
+ srcs: [":odm_file_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+hwservice_contexts_test {
+ name: "plat_hwservice_contexts_test",
+ srcs: [":plat_hwservice_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+hwservice_contexts_test {
+ name: "system_ext_hwservice_contexts_test",
+ srcs: [":system_ext_hwservice_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+hwservice_contexts_test {
+ name: "product_hwservice_contexts_test",
+ srcs: [":product_hwservice_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+hwservice_contexts_test {
+ name: "vendor_hwservice_contexts_test",
+ srcs: [":vendor_hwservice_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+hwservice_contexts_test {
+ name: "odm_hwservice_contexts_test",
+ srcs: [":odm_hwservice_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+property_contexts_test {
+ name: "plat_property_contexts_test",
+ srcs: [":plat_property_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+property_contexts_test {
+ name: "system_ext_property_contexts_test",
+ srcs: [
+ ":plat_property_contexts",
+ ":system_ext_property_contexts",
+ ],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+property_contexts_test {
+ name: "product_property_contexts_test",
+ srcs: [
+ ":plat_property_contexts",
+ ":system_ext_property_contexts",
+ ":product_property_contexts",
+ ],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+property_contexts_test {
+ name: "vendor_property_contexts_test",
+ srcs: [
+ ":plat_property_contexts",
+ ":system_ext_property_contexts",
+ ":product_property_contexts",
+ ":vendor_property_contexts",
+ ],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+property_contexts_test {
+ name: "odm_property_contexts_test",
+ srcs: [
+ ":plat_property_contexts",
+ ":system_ext_property_contexts",
+ ":product_property_contexts",
+ ":vendor_property_contexts",
+ ":odm_property_contexts",
+ ],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+service_contexts_test {
+ name: "plat_service_contexts_test",
+ srcs: [":plat_service_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+service_contexts_test {
+ name: "system_ext_service_contexts_test",
+ srcs: [":system_ext_service_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+service_contexts_test {
+ name: "product_service_contexts_test",
+ srcs: [":product_service_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+service_contexts_test {
+ name: "vendor_service_contexts_test",
+ srcs: [":vendor_service_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+vndservice_contexts_test {
+ name: "vndservice_contexts_test",
+ srcs: [":vndservice_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
diff --git a/contexts_tests.mk b/contexts_tests.mk
deleted file mode 100644
index 1189b83..0000000
--- a/contexts_tests.mk
+++ /dev/null
@@ -1,337 +0,0 @@
-# Copyright (C) 2019 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-include $(CLEAR_VARS)
-
-# TODO: move tests into Soong after refactoring sepolicy module (b/130693869)
-
-# Run host-side test with contexts files and the sepolicy file.
-# $(1): names of modules containing context files
-# $(2): path to the host tool
-# $(3): additional argument to be passed to the tool
-define run_contexts_test
-my_contexts := $(foreach m,$(1),$$(call intermediates-dir-for,ETC,$(m))/$(m))
-$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $$(my_contexts)
-$$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $$(built_sepolicy)
-$$(LOCAL_BUILT_MODULE): $(2) $$(my_contexts) $$(built_sepolicy)
- $$(hide) $$< $(3) $$(PRIVATE_SEPOLICY) $$(PRIVATE_CONTEXTS)
- $$(hide) mkdir -p $$(dir $$@)
- $$(hide) touch $$@
-my_contexts :=
-endef
-
-checkfc := $(HOST_OUT_EXECUTABLES)/checkfc
-property_info_checker := $(HOST_OUT_EXECUTABLES)/property_info_checker
-
-##################################
-LOCAL_MODULE := plat_file_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, plat_file_contexts, $(checkfc),))
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_file_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, system_ext_file_contexts, $(checkfc),))
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_file_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, product_file_contexts, $(checkfc),))
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_file_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, vendor_file_contexts, $(checkfc),))
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := odm_file_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, odm_file_contexts, $(checkfc),))
-
-##################################
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_hwservice_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, plat_hwservice_contexts, $(checkfc), -e -l))
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_hwservice_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, system_ext_hwservice_contexts, $(checkfc), -e -l))
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_hwservice_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, product_hwservice_contexts, $(checkfc), -e -l))
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_hwservice_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, vendor_hwservice_contexts, $(checkfc), -e -l))
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := odm_hwservice_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, odm_hwservice_contexts, $(checkfc), -e -l))
-
-##################################
-
-pc_modules := plat_property_contexts
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_property_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
-
-##################################
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-pc_modules += system_ext_property_contexts
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_property_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
-
-endif
-
-##################################
-
-pc_modules += vendor_property_contexts
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_property_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
-
-##################################
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-
-pc_modules += odm_property_contexts
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := odm_property_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
-
-endif
-
-##################################
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-pc_modules += product_property_contexts
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_property_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
-
-endif
-
-pc_modules :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_service_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, plat_service_contexts, $(checkfc), -s))
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_service_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, system_ext_service_contexts, $(checkfc), -s))
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_service_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, product_service_contexts, $(checkfc), -s))
-
-##################################
-# nonplat_service_contexts is only allowed on non-full-treble devices
-ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_service_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, vendor_service_contexts, $(checkfc), -s))
-
-endif
-
-checkfc :=
-property_info_checker :=
-run_contexts_test :=
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 566c82b..43c98c9 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -22,16 +22,16 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
# Should be synced with keys.conf.
-all_plat_keys := platform media networkstack shared testkey
+all_plat_keys := platform media networkstack sdk_sandbox shared testkey
all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
$(all_plat_mac_perms_files) $(all_plat_keys)
@mkdir -p $(dir $@)
$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
MAINLINE_SEPOLICY_DEV_CERTIFICATES="$(MAINLINE_SEPOLICY_DEV_CERTIFICATES)" \
- $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+ $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
all_plat_keys :=
all_plat_mac_perms_files :=
@@ -63,10 +63,10 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
$(all_system_ext_mac_perms_files)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
system_ext_mac_perms_keys.tmp :=
all_system_ext_mac_perms_files :=
@@ -97,10 +97,10 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
$(all_product_mac_perms_files)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
product_mac_perms_keys.tmp :=
all_product_mac_perms_files :=
@@ -119,8 +119,8 @@
include $(BUILD_SYSTEM)/base_rules.mk
-all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
+all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
# Build keys.conf
vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
@@ -131,11 +131,11 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
$(all_vendor_mac_perms_files)
@mkdir -p $(dir $@)
$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
- $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+ $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
vendor_mac_perms_keys.tmp :=
all_vendor_mac_perms_files :=
@@ -166,10 +166,10 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
$(all_odm_mac_perms_files)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
odm_mac_perms_keys.tmp :=
all_odm_mac_perms_files :=
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
new file mode 100644
index 0000000..0628a5b
--- /dev/null
+++ b/microdroid/Android.bp
@@ -0,0 +1,295 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+system_policy_files = [
+ "system/private/security_classes",
+ "system/private/initial_sids",
+ "system/private/access_vectors",
+ "system/public/global_macros",
+ "system/public/neverallow_macros",
+ "system/private/mls_macros",
+ "system/private/mls_decl",
+ "system/private/mls",
+ "system/private/policy_capabilities",
+ "system/public/te_macros",
+ "system/public/attributes",
+ "system/private/attributes",
+ "system/public/ioctl_defines",
+ "system/public/ioctl_macros",
+ "system/public/*.te",
+ "system/private/*.te",
+ "system/private/roles_decl",
+ "system/public/roles",
+ "system/private/users",
+ "system/private/initial_sid_contexts",
+ "system/private/fs_use",
+ "system/private/genfs_contexts",
+ "system/private/port_contexts",
+]
+
+reqd_mask_files = [
+ "reqd_mask/security_classes",
+ "reqd_mask/initial_sids",
+ "reqd_mask/access_vectors",
+ "reqd_mask/mls_macros",
+ "reqd_mask/mls_decl",
+ "reqd_mask/mls",
+ "reqd_mask/reqd_mask.te",
+ "reqd_mask/roles_decl",
+ "reqd_mask/roles",
+ "reqd_mask/users",
+ "reqd_mask/initial_sid_contexts",
+]
+
+system_public_policy_files = [
+ "reqd_mask/security_classes",
+ "reqd_mask/initial_sids",
+ "reqd_mask/access_vectors",
+ "system/public/global_macros",
+ "system/public/neverallow_macros",
+ "reqd_mask/mls_macros",
+ "reqd_mask/mls_decl",
+ "reqd_mask/mls",
+ "system/public/te_macros",
+ "system/public/attributes",
+ "system/public/ioctl_defines",
+ "system/public/ioctl_macros",
+ "system/public/*.te",
+ "reqd_mask/reqd_mask.te",
+ "reqd_mask/roles_decl",
+ "reqd_mask/roles",
+ "system/public/roles",
+ "reqd_mask/users",
+ "reqd_mask/initial_sid_contexts",
+]
+
+vendor_policy_files = [
+ "reqd_mask/security_classes",
+ "reqd_mask/initial_sids",
+ "reqd_mask/access_vectors",
+ "system/public/global_macros",
+ "system/public/neverallow_macros",
+ "reqd_mask/mls_macros",
+ "reqd_mask/mls_decl",
+ "reqd_mask/mls",
+ "system/public/te_macros",
+ "system/public/attributes",
+ "system/public/ioctl_defines",
+ "system/public/ioctl_macros",
+ "system/public/*.te",
+ "reqd_mask/reqd_mask.te",
+ "vendor/*.te",
+ "reqd_mask/roles_decl",
+ "reqd_mask/roles",
+ "system/public/roles",
+ "reqd_mask/users",
+ "reqd_mask/initial_sid_contexts",
+]
+
+se_policy_conf {
+ name: "microdroid_reqd_policy_mask.conf",
+ srcs: reqd_mask_files,
+ installable: false,
+ mls_cats: 1,
+}
+
+se_policy_cil {
+ name: "microdroid_reqd_policy_mask.cil",
+ src: ":microdroid_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "microdroid_plat_sepolicy.conf",
+ srcs: system_policy_files,
+ installable: false,
+ mls_cats: 1,
+}
+
+se_policy_cil {
+ name: "microdroid_plat_sepolicy.cil",
+ stem: "plat_sepolicy.cil",
+ src: ":microdroid_plat_sepolicy.conf",
+ installable: false,
+}
+
+se_policy_conf {
+ name: "microdroid_plat_pub_policy.conf",
+ srcs: system_public_policy_files,
+ installable: false,
+ mls_cats: 1,
+}
+
+se_policy_cil {
+ name: "microdroid_plat_pub_policy.cil",
+ src: ":microdroid_plat_pub_policy.conf",
+ filter_out: [":microdroid_reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "microdroid_plat_mapping_file",
+ base: ":microdroid_plat_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ relative_install_path: "mapping", // install to /system/etc/selinux/mapping
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "microdroid_plat_pub_versioned.cil",
+ stem: "plat_pub_versioned.cil",
+ base: ":microdroid_plat_pub_policy.cil",
+ target_policy: ":microdroid_plat_pub_policy.cil",
+ version: "current",
+ dependent_cils: [
+ ":microdroid_plat_sepolicy.cil",
+ ":microdroid_plat_mapping_file",
+ ],
+ installable: false,
+}
+
+se_policy_conf {
+ name: "microdroid_vendor_sepolicy.conf",
+ srcs: vendor_policy_files,
+ installable: false,
+ mls_cats: 1,
+}
+
+se_policy_cil {
+ name: "microdroid_vendor_sepolicy.cil.raw",
+ src: ":microdroid_vendor_sepolicy.conf",
+ filter_out: [":microdroid_reqd_policy_mask.cil"],
+ secilc_check: false, // will be done in se_versioned_policy module
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "microdroid_vendor_sepolicy.cil",
+ stem: "vendor_sepolicy.cil",
+ base: ":microdroid_plat_pub_policy.cil",
+ target_policy: ":microdroid_vendor_sepolicy.cil.raw",
+ version: "current", // microdroid is bundled to system
+ dependent_cils: [
+ ":microdroid_plat_sepolicy.cil",
+ ":microdroid_plat_pub_versioned.cil",
+ ":microdroid_plat_mapping_file",
+ ],
+ filter_out: [":microdroid_plat_pub_versioned.cil"],
+ installable: false,
+}
+
+sepolicy_vers {
+ name: "microdroid_plat_sepolicy_vers.txt",
+ version: "platform",
+ stem: "plat_sepolicy_vers.txt",
+ installable: false,
+}
+
+// sepolicy sha256 for vendor
+genrule {
+ name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
+ srcs: [":microdroid_plat_sepolicy.cil", ":microdroid_plat_mapping_file"],
+ out: ["microdroid_plat_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "microdroid_plat_sepolicy_and_mapping.sha256",
+ src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
+ filename: "plat_sepolicy_and_mapping.sha256",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+ src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
+ filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+se_policy_binary {
+ name: "microdroid_precompiled_sepolicy",
+ stem: "precompiled_sepolicy",
+ srcs: [
+ ":microdroid_plat_sepolicy.cil",
+ ":microdroid_plat_mapping_file",
+ ":microdroid_plat_pub_versioned.cil",
+ ":microdroid_vendor_sepolicy.cil",
+ ],
+ installable: false,
+}
+
+genrule {
+ name: "microdroid_file_contexts.gen",
+ srcs: ["system/private/file_contexts"],
+ tools: ["fc_sort"],
+ out: ["file_contexts"],
+ cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+ "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
+
+prebuilt_etc {
+ name: "microdroid_file_contexts",
+ filename: "plat_file_contexts",
+ src: ":microdroid_file_contexts.gen",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+genrule {
+ name: "microdroid_vendor_file_contexts.gen",
+ srcs: ["vendor/file_contexts"],
+ tools: ["fc_sort"],
+ out: ["file_contexts"],
+ cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+ "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
+
+prebuilt_etc {
+ name: "microdroid_property_contexts",
+ filename: "plat_property_contexts",
+ src: "system/private/property_contexts",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "microdroid_service_contexts",
+ filename: "plat_service_contexts",
+ src: "system/private/service_contexts",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+// For CTS
+se_policy_conf {
+ name: "microdroid_general_sepolicy.conf",
+ srcs: system_policy_files,
+ exclude_build_test: true,
+ installable: false,
+ mls_cats: 1,
+}
diff --git a/microdroid/TEST_MAPPING b/microdroid/TEST_MAPPING
new file mode 100644
index 0000000..f6e1c4f
--- /dev/null
+++ b/microdroid/TEST_MAPPING
@@ -0,0 +1,7 @@
+{
+ "imports": [
+ {
+ "path": "packages/modules/Virtualization"
+ }
+ ]
+}
diff --git a/microdroid/reqd_mask/access_vectors b/microdroid/reqd_mask/access_vectors
new file mode 100644
index 0000000..22f2ffa
--- /dev/null
+++ b/microdroid/reqd_mask/access_vectors
@@ -0,0 +1,777 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+ unlink
+ link
+ rename
+ execute
+ quotaon
+ mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+ perfmon
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ associate
+ quotamod
+ quotaget
+ watch
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class anon_inode
+inherits file
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+ getrlimit
+}
+
+class process2
+{
+ nnp_transition
+ nosuid_transition
+}
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+ validate_trans
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+ module_load
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+#
+
+class capability
+inherits cap
+
+class capability2
+inherits cap2
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_readpriv
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+{
+ attach_queue
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
+class infiniband_pkey
+{
+ access
+}
+
+class infiniband_endport
+{
+ manage_subnet
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+ association
+}
+
+class icmp_socket
+inherits socket
+{
+ node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
+class smc_socket
+inherits socket
+
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+
+class property_service
+{
+ set
+}
+
+class service_manager
+{
+ add
+ find
+ list
+}
+
+class hwservice_manager
+{
+ add
+ find
+ list
+}
+
+class keystore_key
+{
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+ gen_unique_id
+}
+
+class keystore2
+{
+ add_auth
+ change_password
+ change_user
+ clear_ns
+ clear_uid
+ early_boot_ended
+ get_auth_token
+ get_state
+ list
+ lock
+ report_off_body
+ reset
+ unlock
+}
+
+class keystore2_key
+{
+ convert_storage_key_to_ephemeral
+ delete
+ gen_unique_id
+ get_info
+ grant
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+ use_dev_id
+}
+
+class drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+}
+
+class xdp_socket
+inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
+
+class lockdown
+{
+ integrity
+ confidentiality
+}
diff --git a/microdroid/reqd_mask/initial_sid_contexts b/microdroid/reqd_mask/initial_sid_contexts
new file mode 100644
index 0000000..aa465cd
--- /dev/null
+++ b/microdroid/reqd_mask/initial_sid_contexts
@@ -0,0 +1 @@
+sid reqd_mask u:r:reqd_mask_type:s0
diff --git a/microdroid/reqd_mask/initial_sids b/microdroid/reqd_mask/initial_sids
new file mode 100644
index 0000000..366cfb1
--- /dev/null
+++ b/microdroid/reqd_mask/initial_sids
@@ -0,0 +1,3 @@
+sid reqd_mask
+
+# FLASK
diff --git a/microdroid/reqd_mask/keys.conf b/microdroid/reqd_mask/keys.conf
new file mode 100644
index 0000000..ce7166b
--- /dev/null
+++ b/microdroid/reqd_mask/keys.conf
@@ -0,0 +1,2 @@
+# empty keys.conf file - used to generate an empty nonplat_mac_permissions.xml
+# on devices without any keys.conf or mac_permissions additions.
diff --git a/microdroid/reqd_mask/mac_permissions.xml b/microdroid/reqd_mask/mac_permissions.xml
new file mode 100644
index 0000000..ef9c6dd
--- /dev/null
+++ b/microdroid/reqd_mask/mac_permissions.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+</policy>
diff --git a/microdroid/reqd_mask/mls b/microdroid/reqd_mask/mls
new file mode 100644
index 0000000..d276924
--- /dev/null
+++ b/microdroid/reqd_mask/mls
@@ -0,0 +1 @@
+mlsconstrain binder { set_context_mgr } (l1 eq l2);
diff --git a/prebuilts/api/26.0/private/mls_decl b/microdroid/reqd_mask/mls_decl
similarity index 100%
copy from prebuilts/api/26.0/private/mls_decl
copy to microdroid/reqd_mask/mls_decl
diff --git a/prebuilts/api/26.0/private/mls_macros b/microdroid/reqd_mask/mls_macros
similarity index 100%
copy from prebuilts/api/26.0/private/mls_macros
copy to microdroid/reqd_mask/mls_macros
diff --git a/microdroid/reqd_mask/property_contexts b/microdroid/reqd_mask/property_contexts
new file mode 100644
index 0000000..8e0bdbb
--- /dev/null
+++ b/microdroid/reqd_mask/property_contexts
@@ -0,0 +1,3 @@
+# empty property_contexts file - this file is used to generate an empty
+# non-platform property context for devices without any property_contexts
+# customizations.
diff --git a/microdroid/reqd_mask/reqd_mask.te b/microdroid/reqd_mask/reqd_mask.te
new file mode 100644
index 0000000..f77eef4
--- /dev/null
+++ b/microdroid/reqd_mask/reqd_mask.te
@@ -0,0 +1 @@
+type reqd_mask_type;
diff --git a/microdroid/reqd_mask/roles b/microdroid/reqd_mask/roles
new file mode 100644
index 0000000..926cb7a
--- /dev/null
+++ b/microdroid/reqd_mask/roles
@@ -0,0 +1 @@
+role r types reqd_mask_type;
diff --git a/prebuilts/api/26.0/private/roles_decl b/microdroid/reqd_mask/roles_decl
similarity index 100%
copy from prebuilts/api/26.0/private/roles_decl
copy to microdroid/reqd_mask/roles_decl
diff --git a/microdroid/reqd_mask/seapp_contexts b/microdroid/reqd_mask/seapp_contexts
new file mode 100644
index 0000000..0f4e0ad
--- /dev/null
+++ b/microdroid/reqd_mask/seapp_contexts
@@ -0,0 +1,2 @@
+# empty seapp_contexts file - used to generate an empty seapp_contexts for
+# devices without any non-platform seapp_contexts customizations.
diff --git a/microdroid/reqd_mask/security_classes b/microdroid/reqd_mask/security_classes
new file mode 100644
index 0000000..200b030
--- /dev/null
+++ b/microdroid/reqd_mask/security_classes
@@ -0,0 +1,167 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class anon_inode
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class dccp_socket
+
+class memprotect
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+class smc_socket
+
+class process2
+
+class bpf
+
+class xdp_socket
+
+class perf_event
+
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
+# Property service
+class property_service # userspace
+
+# Service manager
+class service_manager # userspace
+
+# hardware service manager # userspace
+class hwservice_manager
+
+# Legacy Keystore key permissions
+class keystore_key # userspace
+
+# Keystore 2.0 permissions
+class keystore2 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key # userspace
+
+class drmservice # userspace
+# FLASK
diff --git a/microdroid/reqd_mask/service_contexts b/microdroid/reqd_mask/service_contexts
new file mode 100644
index 0000000..481967b
--- /dev/null
+++ b/microdroid/reqd_mask/service_contexts
@@ -0,0 +1,3 @@
+# empty service_contexts file - this file is used to generate an empty
+# non-platform service_context for devices without any service_contexts
+# customizations.
diff --git a/prebuilts/api/26.0/private/users b/microdroid/reqd_mask/users
similarity index 100%
copy from prebuilts/api/26.0/private/users
copy to microdroid/reqd_mask/users
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
new file mode 100644
index 0000000..477f78f
--- /dev/null
+++ b/microdroid/system/private/access_vectors
@@ -0,0 +1,787 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+ unlink
+ link
+ rename
+ execute
+ quotaon
+ mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+ perfmon
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ associate
+ quotamod
+ quotaget
+ watch
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class anon_inode
+inherits file
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+ getrlimit
+}
+
+class process2
+{
+ nnp_transition
+ nosuid_transition
+}
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+ validate_trans
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+ module_load
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+#
+
+class capability
+inherits cap
+
+class capability2
+inherits cap2
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_readpriv
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+{
+ attach_queue
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
+class infiniband_pkey
+{
+ access
+}
+
+class infiniband_endport
+{
+ manage_subnet
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+ association
+}
+
+class icmp_socket
+inherits socket
+{
+ node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
+class smc_socket
+inherits socket
+
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+
+class property_service
+{
+ set
+}
+
+class service_manager
+{
+ add
+ find
+ list
+}
+
+class hwservice_manager
+{
+ add
+ find
+ list
+}
+
+class keystore_key
+{
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+ gen_unique_id
+}
+
+class keystore2
+{
+ add_auth
+ change_password
+ change_user
+ clear_ns
+ clear_uid
+ early_boot_ended
+ get_auth_token
+ get_state
+ list
+ lock
+ report_off_body
+ reset
+ unlock
+}
+
+class keystore2_key
+{
+ convert_storage_key_to_ephemeral
+ delete
+ gen_unique_id
+ get_info
+ grant
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+ use_dev_id
+}
+
+class diced
+{
+ demote
+ demote_self
+ derive
+ get_attestation_chain
+ use_seal
+ use_sign
+}
+
+class drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+}
+
+class xdp_socket
+inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
+
+class lockdown
+{
+ integrity
+ confidentiality
+}
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
new file mode 100644
index 0000000..ed74ddd
--- /dev/null
+++ b/microdroid/system/private/adbd.te
@@ -0,0 +1,57 @@
+typeattribute adbd coredomain;
+
+init_daemon_domain(adbd)
+
+domain_auto_trans(adbd, shell_exec, shell)
+
+userdebug_or_eng(`
+ allow adbd self:process setcurrent;
+ allow adbd su:process dyntransition;
+')
+
+# Do not sanitize the environment or open fds of the shell. Allow signaling
+# created processes.
+allow adbd shell:process { noatsecure signal };
+
+# Set UID and GID to shell. Set supplementary groups.
+allow adbd self:global_capability_class_set { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:global_capability_class_set setpcap;
+
+# adbd probes for vsock support. Do not generate denials when
+# this occurs. (b/123569840)
+dontaudit adbd self:{ socket vsock_socket } create;
+
+# Allow adbd inside vm to forward vm's vsock.
+allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+allow adbd tmpfs:dir search;
+
+allow adbd rootfs:dir r_dir_perms;
+
+# Connect to shell and use a socket transferred from it.
+# Used for e.g. abb.
+allow adbd shell:unix_stream_socket { read write shutdown };
+allow adbd shell:fd use;
+
+set_prop(adbd, shell_prop)
+
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
+set_prop(adbd, adbd_prop)
+
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+
+# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
+# TODO(b/200902288): patch adb and remove this rule
+dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
new file mode 100644
index 0000000..275a455
--- /dev/null
+++ b/microdroid/system/private/apexd.te
@@ -0,0 +1,102 @@
+typeattribute apexd coredomain;
+
+init_daemon_domain(apexd)
+
+# allow apexd to create loop devices with /dev/loop-control
+allow apexd loop_control_device:chr_file rw_file_perms;
+# allow apexd to access loop devices
+allow apexd loop_device:blk_file rw_file_perms;
+allowxperm apexd loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+ LOOP_CONFIGURE
+};
+# Allow apexd to access /dev/block
+allow apexd dev_type:dir r_dir_perms;
+allow apexd dev_type:blk_file getattr;
+
+#allow apexd to access virtual disks
+allow apexd vd_device:blk_file r_file_perms;
+
+# allow apexd to access /dev/block/dm-* (device-mapper entries)
+allow apexd dm_device:chr_file rw_file_perms;
+allow apexd dm_device:blk_file rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+# dac_override, chown, and fowner are needed for snapshot and restore
+allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
+
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for apexd to operate.
+dontaudit apexd self:global_capability_class_set fsetid;
+
+# allow apexd to create a mount point in /apex
+allow apexd apex_mnt_dir:dir create_dir_perms;
+# allow apexd to mount in /apex
+allow apexd apex_mnt_dir:filesystem { mount unmount };
+allow apexd apex_mnt_dir:dir mounton;
+# allow apexd to create symlinks in /apex
+allow apexd apex_mnt_dir:lnk_file create_file_perms;
+# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
+allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
+allow apexd apex_info_file:file relabelto;
+# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
+allow apexd apex_info_file:file rw_file_perms;
+
+# Unmount and mount filesystems
+allow apexd labeledfs:filesystem { mount unmount };
+
+# /sys directory tree traversal
+allow apexd sysfs_type:dir search;
+# Access to /sys/class/block
+allow apexd sysfs_type:dir r_dir_perms;
+allow apexd sysfs_type:file r_file_perms;
+# Configure read-ahead of dm-verity and loop devices
+# for dm-X
+allow apexd sysfs_dm:dir r_dir_perms;
+allow apexd sysfs_dm:file rw_file_perms;
+# for loopX
+allow apexd sysfs_loop:dir r_dir_perms;
+allow apexd sysfs_loop:file rw_file_perms;
+
+# Allow apexd to log to the kernel.
+allow apexd kmsg_device:chr_file w_file_perms;
+
+# Apex pre- & post-install permission.
+
+# Allow self-execute for the fork mount helper.
+allow apexd apexd_exec:file execute_no_trans;
+
+# Unshare and make / private so that hooks cannot influence the
+# running system.
+allow apexd rootfs:dir mounton;
+
+# apexd is using bootstrap bionic
+use_bootstrap_libs(apexd)
+
+# Allow apexd to read file contexts when performing restorecon
+allow apexd file_contexts_file:file r_file_perms;
+
+#-------------------------------------------
+allow apexd kmsg_device:chr_file w_file_perms;
+
+# apexd can set apexd sysprop
+set_prop(apexd, apexd_prop)
+
+# Allow apexd to stop itself
+set_prop(apexd, ctl_apexd_prop)
+
+# apexd uses it to decide whether it needs to keep retrying polling for loop device.
+get_prop(apexd, cold_boot_done_prop)
+
+# apexd uses this to determine where there metadata partition is.
+get_prop(apexd, apexd_payload_metadata_prop)
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
new file mode 100644
index 0000000..0545744
--- /dev/null
+++ b/microdroid/system/private/apkdmverity.te
@@ -0,0 +1,39 @@
+# apkdmverity is a program that protects a signed APK file using dm-verity.
+
+type apkdmverity, domain, coredomain;
+type apkdmverity_exec, exec_type, file_type, system_file_type;
+
+# apkdmverity is using bootstrap bionic
+use_bootstrap_libs(apkdmverity)
+
+# apkdmverity accesses "payload metadata disk" which points to
+# a /dev/vd* block device file.
+allow apkdmverity block_device:dir r_dir_perms;
+allow apkdmverity block_device:lnk_file r_file_perms;
+allow apkdmverity vd_device:blk_file r_file_perms;
+
+# allow apkdmverity to create dm-verity devices
+allow apkdmverity dm_device:{chr_file blk_file} rw_file_perms;
+# sys_admin is required to access the device-mapper and mount
+allow apkdmverity self:global_capability_class_set sys_admin;
+
+# allow apkdmverity to create loop devices with /dev/loop-control
+allow apkdmverity loop_control_device:chr_file rw_file_perms;
+
+# allow apkdmverity to read the roothash passed from microdroid_manager
+get_prop(apkdmverity, microdroid_manager_roothash_prop)
+
+# allow apkdmverity to access loop devices
+allow apkdmverity loop_device:blk_file rw_file_perms;
+allowxperm apkdmverity loop_device:blk_file ioctl {
+ LOOP_CONFIGURE
+};
+
+# allow apkdmverity to log to the kernel
+allow apkdmverity kmsg_device:chr_file w_file_perms;
+
+# apkdmverity is forked from microdroid_manager
+allow apkdmverity microdroid_manager:fd use;
+
+# Only microdroid_manager can run apkdmverity
+neverallow { domain -microdroid_manager } apkdmverity:process { transition dyntransition };
diff --git a/microdroid/system/private/attributes b/microdroid/system/private/attributes
new file mode 100644
index 0000000..792d600
--- /dev/null
+++ b/microdroid/system/private/attributes
@@ -0,0 +1 @@
+#
diff --git a/microdroid/system/private/authfs.te b/microdroid/system/private/authfs.te
new file mode 100644
index 0000000..23e881d
--- /dev/null
+++ b/microdroid/system/private/authfs.te
@@ -0,0 +1,25 @@
+# authfs is a FUSE-based filesystem to support "remote" file access normally
+# over vsock, backed by a file server backend on Android.
+
+type authfs, domain, coredomain;
+type authfs_exec, exec_type, file_type, system_file_type;
+
+allow authfs self:vsock_socket create_socket_perms_no_ioctl;
+
+# Allow basic rules to implement FUSE.
+# TODO(195554831): Move the privilege to authfs_service
+allow authfs fuse_device:chr_file rw_file_perms;
+allow authfs self:global_capability_class_set sys_admin;
+
+# Allow mounting authfs.
+# TODO(195554831): Move the privilege to authfs_service.
+allow authfs fuse:filesystem relabelfrom;
+allow authfs authfs_fuse:filesystem { mount relabelfrom relabelto };
+allow authfs authfs_data_file:dir { mounton search };
+
+# Allow authfs to access extra APK mount.
+allow authfs extra_apk_file:file r_file_perms;
+allow authfs extra_apk_file:dir search;
+
+# TODO(195568812): Don't pass FD 0,1,2 unnecessarily.
+allow authfs authfs_service:fd use;
diff --git a/microdroid/system/private/authfs_service.te b/microdroid/system/private/authfs_service.te
new file mode 100644
index 0000000..e7e9ef0
--- /dev/null
+++ b/microdroid/system/private/authfs_service.te
@@ -0,0 +1,33 @@
+# authfs_service is a binder service running on microdroid. It serves the
+# client's request and manages the mount/unmount of individual authfs instances
+# (a FUSE based filesystem). The service then can pass file descriptor on authfs
+# to the client for remote file access.
+
+type authfs_service, domain, coredomain;
+type authfs_service_exec, exec_type, file_type, system_file_type;
+
+# Allow domain transition from init.
+init_daemon_domain(authfs_service)
+
+# Allow running as a binder service.
+binder_call(authfs_service, servicemanager)
+add_service(authfs_service, authfs_binder_service)
+
+# Allow domain transition into authfs.
+domain_auto_trans(authfs_service, authfs_exec, authfs)
+
+# Allow mounting the FUSE filesystem.
+allow authfs_service self:global_capability_class_set sys_admin;
+
+# Allow creating/deleting mount directories.
+allow authfs_service authfs_data_file:dir create_dir_perms;
+
+# Allow opening a file from the FUSE mount.
+# Note: authfs_service doesn't really need to read and write the file, but the
+# check seems to happen on open anyway.
+allow authfs_service authfs_fuse:dir search;
+allow authfs_service authfs_fuse:file { open read write };
+
+# Allow killing the authfs process and unmount.
+allow authfs_service authfs:process sigkill;
+allow authfs_service authfs_fuse:filesystem unmount;
diff --git a/microdroid/system/private/bug_map b/microdroid/system/private/bug_map
new file mode 100644
index 0000000..5b042ae
--- /dev/null
+++ b/microdroid/system/private/bug_map
@@ -0,0 +1,35 @@
+dnsmasq netd fifo_file b/77868789
+dnsmasq netd unix_stream_socket b/77868789
+gmscore_app system_data_file dir b/146166941
+init app_data_file file b/77873135
+init cache_file blk_file b/77873135
+init logpersist file b/77873135
+init nativetest_data_file dir b/77873135
+init pstorefs dir b/77873135
+init shell_data_file dir b/77873135
+init shell_data_file file b/77873135
+init shell_data_file lnk_file b/77873135
+init shell_data_file sock_file b/77873135
+init system_data_file chr_file b/77873135
+isolated_app privapp_data_file dir b/119596573
+isolated_app app_data_file dir b/120394782
+mediaextractor app_data_file file b/77923736
+mediaextractor radio_data_file file b/77923736
+mediaprovider cache_file blk_file b/77925342
+mediaprovider mnt_media_rw_file dir b/77925342
+mediaprovider shell_data_file dir b/77925342
+mediaswcodec ashmem_device chr_file b/142679232
+netd priv_app unix_stream_socket b/77870037
+netd untrusted_app unix_stream_socket b/77870037
+netd untrusted_app_25 unix_stream_socket b/77870037
+netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
+platform_app nfc_data_file dir b/74331887
+system_server crash_dump process b/73128755
+system_server overlayfs_file file b/142390309
+system_server sdcardfs file b/77856826
+system_server zygote process b/77856826
+untrusted_app untrusted_app netlink_route_socket b/155595000
+vold system_data_file file b/124108085
+zygote untrusted_app_25 process b/77925912
+zygote labeledfs filesystem b/170748799
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
new file mode 100644
index 0000000..386f11e
--- /dev/null
+++ b/microdroid/system/private/compos.te
@@ -0,0 +1,38 @@
+# TODO(b/193504816): move this to compos APEX
+type compos, domain, coredomain, microdroid_payload;
+type compos_exec, exec_type, file_type, system_file_type;
+
+# Expose RPC Binder service over vsock
+allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow using various binder services
+binder_use(compos);
+allow compos authfs_binder_service:service_manager find;
+binder_call(compos, authfs_service);
+
+# Read artifacts created by odrefresh and create signature files.
+allow compos authfs_fuse:dir rw_dir_perms;
+allow compos authfs_fuse:file create_file_perms;
+
+# Allow locating the authfs mount directory.
+allow compos authfs_data_file:dir search;
+
+# Run derive_classpath in our domain
+allow compos derive_classpath_exec:file rx_file_perms;
+allow compos apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit compos self:dir write;
+# See b/35323867#comment3
+dontaudit compos self:global_capability_class_set dac_override;
+
+# Allow settings system properties that ART expects.
+set_prop(compos, dalvik_config_prop)
+set_prop(compos, device_config_runtime_native_boot_prop)
+
+# Allow running odrefresh in its own domain
+domain_auto_trans(compos, odrefresh_exec, odrefresh)
+
+# Allow running compos_key_helper in its own domain
+domain_auto_trans(compos, compos_key_helper_exec, compos_key_helper)
+# And killing it on error
+allow compos compos_key_helper:process sigkill;
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
new file mode 100644
index 0000000..56f8d2a
--- /dev/null
+++ b/microdroid/system/private/compos_key_helper.te
@@ -0,0 +1,20 @@
+# Helper process for compos to perform key derivation & signing
+type compos_key_helper, domain, coredomain;
+type compos_key_helper_exec, exec_type, file_type, system_file_type;
+
+# This domain has access to DICE secrets & the private signing key.
+# Block crash dumps to ensure the secrets are not leaked.
+typeattribute compos_key_helper no_crash_dump_domain;
+
+# Allow using DICE binder service
+binder_use(compos_key_helper);
+allow compos_key_helper dice_node_service:service_manager find;
+binder_call(compos_key_helper, diced);
+allow compos_key_helper diced:diced { get_attestation_chain derive };
+
+# Communicate with compos via stdin/stdout pipes
+allow compos_key_helper compos:fd use;
+allow compos_key_helper compos:fifo_file { getattr read write };
+
+# Write to /dev/kmsg.
+allow compos_key_helper kmsg_device:chr_file rw_file_perms;
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
new file mode 100644
index 0000000..61dfa0b
--- /dev/null
+++ b/microdroid/system/private/crash_dump.te
@@ -0,0 +1,72 @@
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
+
+allow crash_dump kmsg_debug_device:chr_file { open append };
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Read/write IPC pipes inherited from crashing processes.
+allow crash_dump domain:fifo_file { read write };
+
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { append };
+
+# Read information from /proc/$PID.
+allow crash_dump domain:process getattr;
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read all /vendor
+r_dir_file(crash_dump, vendor_file)
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+# crash_dump writes out logcat logs at the bottom of tombstones,
+# which is super useful in some cases.
+unix_socket_connect(crash_dump, logdr, logd)
+
+# Crash dump is not intended to access the following files. Since these
+# are WAI, suppress the denials to clean up the logs.
+dontaudit crash_dump {
+ core_data_file_type
+ vendor_file_type
+}:dir search;
+dontaudit crash_dump system_data_file:{ lnk_file file } read;
+dontaudit crash_dump property_type:file read;
+
+# Suppress denials for files in /proc that are passed
+# across exec().
+dontaudit crash_dump proc_type:file rw_file_perms;
+
+typeattribute crash_dump coredomain;
+
+# Crash dump does not need to access devices passed across exec().
+dontaudit crash_dump { devpts dev_type }:chr_file { read write };
+
+allow crash_dump {
+ domain
+ -apexd
+ -crash_dump
+ -init
+ -kernel
+ -logd
+ -no_crash_dump_domain
+ -ueventd
+ -vendor_init
+}:process { ptrace signal sigchld sigstop sigkill };
+
+userdebug_or_eng(`
+ allow crash_dump {
+ apexd
+ logd
+ }:process { ptrace signal sigchld sigstop sigkill };
+')
+
+neverallow crash_dump no_crash_dump_domain:process ptrace;
diff --git a/microdroid/system/private/derive_classpath.te b/microdroid/system/private/derive_classpath.te
new file mode 100644
index 0000000..e439692
--- /dev/null
+++ b/microdroid/system/private/derive_classpath.te
@@ -0,0 +1 @@
+type derive_classpath_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
new file mode 100644
index 0000000..d259e1c
--- /dev/null
+++ b/microdroid/system/private/dex2oat.te
@@ -0,0 +1,36 @@
+# dex2oat
+type dex2oat, domain, coredomain;
+type dex2oat_exec, system_file_type, exec_type, file_type;
+
+userfaultfd_use(dex2oat)
+
+allow dex2oat tmpfs:file { read getattr map };
+
+# Allow dex2oat to use FDs from authfs_service via compos.
+allow dex2oat authfs_service:fd use;
+allow dex2oat compos:fd use;
+allow dex2oat odrefresh:fd use;
+
+# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
+allow dex2oat authfs_fuse:file { read write getattr map };
+
+# Allow to search in authfs directories.
+allow dex2oat authfs_data_file:dir { search };
+allow dex2oat authfs_fuse:dir { search };
+
+# Minijail uses pipe for the parent process to signal the child (as a fallback
+# mechanism, since Android does not support minijail's preload).
+# TODO(196109647): We can probably remove this once the minijail preload is
+# supported on Android.
+allow dex2oat compos:fifo_file read;
+
+# Allow acquiring advisory lock on /system/framework/<arch>/*
+allow dex2oat system_file:file lock;
+
+# Allow dex2oat to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;
+
+# Don't audit because we don't configure the compiler through system properties
+# in the VM.
+dontaudit dex2oat dalvik_config_prop:file { open read getattr map };
+dontaudit dex2oat device_config_runtime_native_prop:file { open read getattr map };
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
new file mode 100644
index 0000000..2dba244
--- /dev/null
+++ b/microdroid/system/private/diced.te
@@ -0,0 +1,23 @@
+type diced, domain, coredomain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute diced no_crash_dump_domain;
+
+# diced can be started by init
+init_daemon_domain(diced)
+
+# diced can talk to dice HAL
+hal_client_domain(diced, hal_dice)
+
+# diced hosts AIDL services
+binder_use(diced)
+binder_service(diced)
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# diced can check SELinux permissions.
+selinux_check_access(diced)
+
+# diced is using bootstrap bionic
+use_bootstrap_libs(diced)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
new file mode 100644
index 0000000..d87df40
--- /dev/null
+++ b/microdroid/system/private/domain.te
@@ -0,0 +1,598 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Intra-domain accesses.
+allow domain self:process {
+ fork
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ getattr
+ setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net_type:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+
+# Root fs.
+allow domain tmpfs:dir { getattr search };
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+
+# /dev/binder can be accessed by ... everyone! :)
+allow domain binder_device:chr_file rw_file_perms;
+
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
+
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
+allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
+
+allow domain property_contexts_file:file r_file_perms;
+
+dontaudit domain property_type:file audit_access;
+
+allow domain init:key search;
+
+# logd access
+unix_socket_send(domain, logdw, logd)
+
+# Directory/link file access for path resolution.
+allow domain {
+ system_file
+ system_lib_file
+ system_seccomp_policy_file
+ system_security_cacerts_file
+}:dir r_dir_perms;
+allow domain system_file:lnk_file { getattr read };
+
+# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
+allow domain system_seccomp_policy_file:file r_file_perms;
+# cacerts are accessible from public Java API.
+allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
+allow domain system_linker_exec:file { execute read open getattr map };
+allow domain system_linker_config_file:file r_file_perms;
+allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
+
+allow domain system_event_log_tags_file:file r_file_perms;
+
+allow coredomain system_file:file { execute read open getattr map };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr map };
+
+# Allow all domains to be able to follow /system/vendor and/or
+# /vendor/odm symlinks.
+allow domain vendor_file_type:lnk_file { getattr open read };
+
+# This is required to be able to search & read /vendor/lib64
+# in order to lookup vendor libraries. The execute permission
+# for coredomains is granted *only* for same process HALs
+allow domain vendor_file:dir { getattr search };
+
+# Allow reading and executing out of /vendor to all vendor domains
+allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
+allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
+# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
+allow domain sysfs_transparent_hugepage:dir search;
+allow domain sysfs_transparent_hugepage:file r_file_perms;
+
+allow coredomain system_data_file:dir getattr;
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
+allow domain system_data_root_file:dir { search getattr } ;
+allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# Restrict all domains to an allowlist for common socket types. Additional
+# ioctl commands may be added to individual domains, but this sets safe
+# defaults for all processes. Note that granting this allowlist to domain does
+# not grant the ioctl permission on these socket types. That must be granted
+# separately.
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# default allowlist for unix sockets.
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
+ ioctl unpriv_unix_sock_ioctls;
+
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+
+# All domains must clearly enumerate what ioctls they use
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets). We start off with a safe set.
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
+
+# If a domain has ioctl access to tun_device, it must clearly enumerate the
+# ioctls used. Safe defaults are listed below.
+allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
+
+# Allow a process to make a determination whether a file descriptor
+# for a plain file or pipe (fifo_file) is a tty. Note that granting
+# this allowlist to domain does not grant the ioctl permission to
+# these files. That must be granted separately.
+allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+allowxperm domain domain:fifo_file ioctl { TCGETS };
+
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
+
+# read APEX dir and stat any symlink pointing to APEXs.
+allow domain apex_mnt_dir:dir { getattr search };
+allow domain apex_mnt_dir:lnk_file r_file_perms;
+
+allow domain self:global_capability_class_set audit_control;
+allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+
+# globally readable properties
+get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bootloader_prop)
+get_prop(domain, build_prop)
+get_prop(domain, debug_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, init_service_status_prop)
+get_prop(domain, libc_debug_prop)
+get_prop(domain, log_tag_prop)
+get_prop(domain, logd_prop)
+get_prop(domain, property_service_version_prop)
+
+allow domain linkerconfig_file:dir search;
+allow domain linkerconfig_file:file r_file_perms;
+
+#-----------------------------------------
+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { domain } cgroup:dir w_dir_perms;
+allow { domain } cgroup:file w_file_perms;
+
+allow domain cgroup_v2:dir search;
+allow { domain } cgroup_v2:dir w_dir_perms;
+allow { domain } cgroup_v2:file w_file_perms;
+
+allow domain cgroup_rc_file:dir search;
+allow domain cgroup_rc_file:file r_file_perms;
+allow domain task_profiles_file:file r_file_perms;
+allow domain task_profiles_api_file:file r_file_perms;
+
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
+
+#-----------------------------------------
+# Allow access to fsverity keyring.
+allow domain kernel:key search;
+
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+domain_auto_trans({domain -no_crash_dump_domain}, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
+
+# Properties that microdroid doesn't have but some still want to read.
+dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+neverallow domain device:chr_file { open read write };
+
+# No executable memory unless backed by an unmodified file
+neverallow * self:process { execmem execheap execstack };
+neverallow * *:file execmod;
+
+# All ioctls on file-like objects (except chr_file and blk_file) and
+# sockets must be restricted to an allowlist.
+neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
+
+# b/68014825 and https://android-review.googlesource.com/516535
+# rfc6093 says that processes should not use the TCP urgent mechanism
+neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
+
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
+# Do not allow any domain other than init to create unlabeled files.
+neverallow { domain -init } unlabeled:dir_file_class_set create;
+
+# Limit device node creation to these allowed domains.
+neverallow {
+ domain
+ -kernel
+ -init
+ -ueventd
+} self:global_capability_class_set mknod;
+
+# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
+neverallow * self:memprotect mmap_zero;
+
+# No domain needs mac_override as it is unused by SELinux.
+neverallow * self:global_capability2_class_set mac_override;
+
+# Disallow attempts to set contexts not defined in current policy
+# This helps guarantee that unknown or dangerous contents will not ever
+# be set.
+neverallow * self:global_capability2_class_set mac_admin;
+
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow * kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
+
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow * kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
+# Only the kernel hwrng thread should be able to read from the HW RNG.
+neverallow {
+ domain
+ -shell # For CTS, restricted to just getattr in shell.te
+ -ueventd # To create the /dev/hw_random file
+} hw_random_device:chr_file *;
+
+# Ensure that all entrypoint executables are in exec_type.
+neverallow * { file_type -exec_type }:file entrypoint;
+
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
+neverallow { domain -init -vendor_init } proc_security:file { append open read write };
+
+# Init can't do anything with binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow * init:binder *;
+neverallow * vendor_init:binder *;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -kernel -init } block_device:blk_file { open read write };
+
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
+
+# Only the init property service should write to /data/property and /dev/__properties__
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
+
+# Nobody should be doing writes to /system & /vendor
+# These partitions are intended to be read-only and must never be
+# modified. Doing so would violate important Android security guarantees
+# and invalidate dm-verity signatures.
+neverallow {
+ domain
+ with_asan(`-asan_extract')
+} {
+ system_file_type
+ vendor_file_type
+ exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+
+# Don't allow mounting on top of /system files or directories
+neverallow * exec_type:dir_file_class_set mounton;
+
+# Nothing should be writing to files in the rootfs.
+neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+
+# Restrict context mounts to specific types marked with
+# the contextmount_type attribute.
+neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+
+# Ensure that context mount types are not writable, to ensure that
+# the write to /system restriction above is not bypassed via context=
+# mount to another type.
+neverallow * { contextmount_type -authfs_fuse }:dir_file_class_set
+ { create relabelfrom relabelto append link rename };
+neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
+
+# Do not allow service_manager add for default service labels.
+# Instead domains should use a more specific type such as
+# system_app_service rather than the generic type.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
+neverallow * default_android_service:service_manager *;
+
+neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+
+neverallow { domain -init } build_prop:property_service set;
+
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+# The service managers are only allowed to access their own device node
+neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
+
+# system services cant add vendor services
+neverallow {
+ coredomain
+} vendor_service:service_manager add;
+
+# Never allow anyone to connect or write to
+# the tombstoned intercept socket.
+neverallow { domain } tombstoned_intercept_socket:sock_file write;
+neverallow { domain } tombstoned_intercept_socket:unix_stream_socket connectto;
+
+# Android does not support System V IPCs.
+#
+# The reason for this is due to the fact that, by design, they lead to global
+# kernel resource leakage.
+#
+# For example, there is no way to automatically release a SysV semaphore
+# allocated in the kernel when:
+#
+# - a buggy or malicious process exits
+# - a non-buggy and non-malicious process crashes or is explicitly killed.
+#
+# Killing processes automatically to make room for new ones is an
+# important part of Android's application lifecycle implementation. This means
+# that, even assuming only non-buggy and non-malicious code, it is very likely
+# that over time, the kernel global tables used to implement SysV IPCs will fill
+# up.
+neverallow * *:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-shell -su') } su_exec:file no_x_file_perms;
+
+neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -toolbox # TODO(b/141108496) We want to remove toolbox
+ with_asan(`-asan_extract')
+} system_data_file:file no_w_file_perms;
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+ domain
+ -adbd
+ -init
+} shell:process { transition dyntransition };
+
+# Minimize read access to shell-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+ domain
+ -shell
+} shell_data_file:lnk_file read;
+
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+neverallow {
+ domain
+ -adbd
+ -init
+ -vendor_init
+ -shell
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -init
+ -vendor_init
+ -shell
+} shell_data_file:dir { open search };
+
+# servicemanager is the only process which handles the
+# service_manager list request
+neverallow * ~{
+ servicemanager
+ }:service_manager list;
+
+# only service_manager_types can be added to service_manager
+# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
+
+# Prevent assigning non property types to properties
+# TODO - rework this: neverallow * ~property_type:property_service set;
+
+# Domain types should never be assigned to any files other
+# than the /proc/pid files associated with a process. The
+# executable file used to enter a domain should be labeled
+# with its own _exec type, not with the domain type.
+# Conventionally, this looks something like:
+# $ cat mydaemon.te
+# type mydaemon, domain;
+# type mydaemon_exec, exec_type, file_type;
+# init_daemon_domain(mydaemon)
+# $ grep mydaemon file_contexts
+# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
+neverallow * domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+neverallow { domain -init -vendor_init } debugfs:{ file lnk_file } no_rw_file_perms;
+
+# Do not allow executable files in debugfs.
+neverallow domain debugfs_type:file { execute execute_no_trans };
+
+# Don't allow access to the FUSE control filesystem, except to init's
+neverallow { domain -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time. Runtime changes
+# to filesystem capabilities are not permitted.
+neverallow * self:global_capability_class_set setfcap;
+
+# Enforce AT_SECURE for executing crash_dump.
+neverallow domain crash_dump:process noatsecure;
+
+# If an already existing file is opened with O_CREAT, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
+neverallow domain {
+ proc_type
+ sysfs_type
+}:dir { add_name create link remove_name rename reparent rmdir write };
+
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
+
+# Only apps targetting < Q are allowed to open /dev/ashmem directly.
+# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
+neverallow {
+ domain
+} ashmem_device:chr_file open;
+
+neverallow { domain -init -vendor_init } debugfs_tracing_printk_formats:file *;
+
+# Linux lockdown "integrity" level is enforced for user builds.
+neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
+
+# These domains must not be crash dumped
+neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
+neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
new file mode 100644
index 0000000..d15f9ba
--- /dev/null
+++ b/microdroid/system/private/file.te
@@ -0,0 +1,19 @@
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow extra_apk_file zipfusefs:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow proc_net proc:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow system_data_file tmpfs:filesystem associate;
+
+type authfs_fuse, fs_type, contextmount_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
new file mode 100644
index 0000000..83eceb0
--- /dev/null
+++ b/microdroid/system/private/file_contexts
@@ -0,0 +1,172 @@
+###########################################
+# Root
+/ u:object_r:rootfs:s0
+
+# Data files
+/build\.prop u:object_r:rootfs:s0
+/init\..* u:object_r:rootfs:s0
+
+# Executables
+/init u:object_r:init_exec:s0
+
+# For kernel modules
+/lib(/.*)? u:object_r:rootfs:s0
+
+# Empty directories
+/lost\+found u:object_r:rootfs:s0
+/debug_ramdisk u:object_r:tmpfs:s0
+/mnt u:object_r:tmpfs:s0
+/proc u:object_r:rootfs:s0
+/second_stage_resources u:object_r:tmpfs:s0
+/sys u:object_r:sysfs:s0
+/apex u:object_r:apex_mnt_dir:s0
+
+/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
+
+# Symlinks
+/bin u:object_r:rootfs:s0
+/d u:object_r:rootfs:s0
+/etc u:object_r:rootfs:s0
+
+##########################
+# Devices
+#
+/dev(/.*)? u:object_r:device:s0
+/dev/ashmem u:object_r:ashmem_device:s0
+/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
+/dev/binder u:object_r:binder_device:s0
+/dev/block(/.*)? u:object_r:block_device:s0
+/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
+/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
+/dev/block/ram[0-9]* u:object_r:ram_device:s0
+/dev/block/zram[0-9]* u:object_r:ram_device:s0
+/dev/console u:object_r:console_device:s0
+/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
+/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
+/dev/device-mapper u:object_r:dm_device:s0
+/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
+/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
+/dev/fuse u:object_r:fuse_device:s0
+/dev/hvc0 u:object_r:serial_device:s0
+/dev/hvc1 u:object_r:serial_device:s0
+/dev/hvc2 u:object_r:serial_device:s0
+/dev/hw_random u:object_r:hw_random_device:s0
+/dev/hwbinder u:object_r:hwbinder_device:s0
+/dev/loop-control u:object_r:loop_control_device:s0
+/dev/ppp u:object_r:ppp_device:s0
+/dev/ptmx u:object_r:ptmx_device:s0
+/dev/kmsg u:object_r:kmsg_device:s0
+/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
+/dev/kvm u:object_r:kvm_device:s0
+/dev/null u:object_r:null_device:s0
+/dev/open-dice0 u:object_r:open_dice_device:s0
+/dev/random u:object_r:random_device:s0
+/dev/rtc[0-9] u:object_r:rtc_device:s0
+/dev/socket(/.*)? u:object_r:socket_device:s0
+/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/logd u:object_r:logd_socket:s0
+/dev/socket/logdr u:object_r:logdr_socket:s0
+/dev/socket/logdw u:object_r:logdw_socket:s0
+/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/statsdw u:object_r:statsdw_socket:s0
+/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
+/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
+/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
+/dev/tty u:object_r:owntty_device:s0
+/dev/tty[0-9]* u:object_r:tty_device:s0
+/dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/tun u:object_r:tun_device:s0
+/dev/uhid u:object_r:uhid_device:s0
+/dev/uinput u:object_r:uhid_device:s0
+/dev/uio[0-9]* u:object_r:uio_device:s0
+/dev/urandom u:object_r:random_device:s0
+/dev/vhost-vsock u:object_r:kvm_device:s0
+/dev/vndbinder u:object_r:vndbinder_device:s0
+/dev/vsock u:object_r:vsock_device:s0
+/dev/zero u:object_r:zero_device:s0
+/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/property_info u:object_r:property_info:s0
+#############################
+# Linker configuration
+#
+/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
+#############################
+# System files
+#
+/system(/.*)? u:object_r:system_file:s0
+/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
+/system/bin/apexd u:object_r:apexd_exec:s0
+/system/bin/tombstone_transmit.microdroid u:object_r:tombstone_transmit_exec:s0
+/system/bin/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
+/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
+/system/bin/diced.microdroid u:object_r:diced_exec:s0
+/system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
+/system/bin/init u:object_r:init_exec:s0
+/system/bin/logcat -- u:object_r:logcat_exec:s0
+/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/sh -- u:object_r:shell_exec:s0
+/system/bin/tombstoned u:object_r:tombstoned_exec:s0
+/system/bin/toolbox -- u:object_r:toolbox_exec:s0
+/system/bin/toybox -- u:object_r:toolbox_exec:s0
+/system/bin/zipfuse u:object_r:zipfuse_exec:s0
+/system/bin/microdroid_launcher u:object_r:microdroid_app_exec:s0
+/system/bin/microdroid_manager u:object_r:microdroid_manager_exec:s0
+/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
+/system/bin/authfs u:object_r:authfs_exec:s0
+/system/bin/authfs_service u:object_r:authfs_service_exec:s0
+/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
+/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
+/system/etc/group u:object_r:system_group_file:s0
+/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
+/system/etc/passwd u:object_r:system_passwd_file:s0
+/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
+/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
+
+#############################
+# Vendor files
+#
+/vendor(/.*)? u:object_r:vendor_file:s0
+/vendor/etc(/.*)? u:object_r:vendor_configs_file:s0
+/vendor/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
+
+#############################
+# Data files
+#
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
+/data u:object_r:system_data_root_file:s0
+/data/(.*)? u:object_r:system_data_file:s0
+/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
+/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
+/data/local/traces(/.*)? u:object_r:trace_data_file:s0
+/data/misc/authfs(/.*)? u:object_r:authfs_data_file:s0
+/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+/data/vendor(/.*)? u:object_r:vendor_data_file:s0
+
+# microdroid doesn't use anr, but tombstoned tries to read this.
+# So marking /data/anr as tombstone_data_file
+/data/anr(/.*)? u:object_r:tombstone_data_file:s0
+
+#############################
+# Directory for extra apks
+/mnt/extra-apk u:object_r:extra_apk_file:s0
diff --git a/microdroid/system/private/fs_use b/microdroid/system/private/fs_use
new file mode 100644
index 0000000..93d7f1b
--- /dev/null
+++ b/microdroid/system/private/fs_use
@@ -0,0 +1,27 @@
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
+fs_use_xattr overlay u:object_r:labeledfs:s0;
+fs_use_xattr erofs u:object_r:labeledfs:s0;
+fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
+fs_use_xattr virtiofs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
new file mode 100644
index 0000000..254dbe8
--- /dev/null
+++ b/microdroid/system/private/genfs_contexts
@@ -0,0 +1,380 @@
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
+genfscon proc /cmdline u:object_r:proc_cmdline:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /diskstats u:object_r:proc_diskstats:s0
+genfscon proc /filesystems u:object_r:proc_filesystems:s0
+genfscon proc /interrupts u:object_r:proc_interrupts:s0
+genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
+genfscon proc /keys u:object_r:proc_keys:s0
+genfscon proc /kmsg u:object_r:proc_kmsg:s0
+genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /locks u:object_r:proc_locks:s0
+genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
+genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
+genfscon proc /mounts u:object_r:proc_mounts:s0
+genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
+genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
+genfscon proc /pressure/io u:object_r:proc_pressure_io:s0
+genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0
+genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
+genfscon proc /softirqs u:object_r:proc_timer:s0
+genfscon proc /stat u:object_r:proc_stat:s0
+genfscon proc /swaps u:object_r:proc_swaps:s0
+genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
+genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
+genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/random u:object_r:proc_random:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
+genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
+genfscon proc /timer_list u:object_r:proc_timer:s0
+genfscon proc /timer_stats u:object_r:proc_timer:s0
+genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
+genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
+genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
+genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
+genfscon proc /uptime u:object_r:proc_uptime:s0
+genfscon proc /version u:object_r:proc_version:s0
+genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+
+genfscon fusectl / u:object_r:fusectlfs:s0
+
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_v2:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /class/net u:object_r:sysfs_net:s0
+genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
+genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
+genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/devicetree/base/chosen/avf,new-instance u:object_r:sysfs_dt_avf:s0
+genfscon sysfs /firmware/devicetree/base/chosen/avf,strict-boot u:object_r:sysfs_dt_avf:s0
+genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
+genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
+genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
+genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
+genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
+genfscon sysfs /power/state u:object_r:sysfs_power:s0
+genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
+genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
+genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
+genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
+genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
+genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
+genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
+genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
+genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
+genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
+genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
+genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
+
+genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
+genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
+genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
+genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
+genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
+genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
+genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
+genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+
+genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
+
+genfscon securityfs / u:object_r:securityfs:s0
+
+genfscon binder /binder u:object_r:binder_device:s0
+genfscon binder /hwbinder u:object_r:hwbinder_device:s0
+genfscon binder /vndbinder u:object_r:vndbinder_device:s0
+genfscon binder /binder_logs u:object_r:binderfs_logs:s0
+genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:vfat:s0
+genfscon binder / u:object_r:binderfs:s0
+genfscon exfat / u:object_r:exfat:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon esdfs / u:object_r:sdcardfs:s0
+genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0
+genfscon usbfs / u:object_r:usbfs:s0
+genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
new file mode 100644
index 0000000..708d537
--- /dev/null
+++ b/microdroid/system/private/init.te
@@ -0,0 +1,437 @@
+typeattribute init coredomain;
+
+tmpfs_domain(init)
+
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, vendor_init)
+
+# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
+# This is useful in case of remounting ext4 userdata into checkpointing mode,
+# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
+# that userdata is mounted onto.
+allow init sysfs_dm:file read;
+
+# Second-stage init performs a test for whether the kernel has SELinux hooks
+# for the perf_event_open() syscall. This is done by testing for the syscall
+# outcomes corresponding to this policy.
+allow init self:perf_event { open cpu };
+allow init self:global_capability2_class_set perfmon;
+dontaudit init self:perf_event { kernel tracepoint read write };
+
+# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
+# /dev/block.
+allow init vd_device:blk_file relabelto;
+
+# chown/chmod on devices.
+allow init {
+ dev_type
+ -hw_random_device
+ -kvm_device
+}:chr_file setattr;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
+# /dev/socket
+allow init { device socket_device dm_user_device }:dir relabelto;
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+
+# setrlimit
+allow init self:global_capability_class_set sys_resource;
+
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:global_capability_class_set sys_admin;
+
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init {
+ rootfs
+ cgroup
+ linkerconfig_file
+ system_data_file
+ system_data_root_file
+ system_file
+ vendor_file
+}:dir mounton;
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Mount tmpfs on /apex
+allow init apex_mnt_dir:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
+
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:global_capability_class_set { dac_override dac_read_search };
+
+allow init self:global_capability_class_set { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init {
+ fs_type
+}:filesystem ~relabelto;
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:global_capability_class_set { chown fowner fsetid };
+
+allow init {
+ file_type
+ -exec_type
+ -system_file_type
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+ file_type
+ -exec_type
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+ file_type
+ -apex_info_file
+ -exec_type
+ -runtime_event_log_tags_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
+allow init {
+ file_type
+ -exec_type
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -apex_mnt_dir
+ -exec_type
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -system_file_type
+ -vendor_file_type
+ -exec_type
+}:dir_file_class_set relabelto;
+
+allow init { sysfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# chown/chmod on pseudo files.
+allow init {
+ fs_type
+ -contextmount_type
+ -proc_type
+ -fusefs_type
+ -sysfs_type
+ -rootfs
+}:file { open read setattr };
+allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir { open read setattr search };
+
+allow init {
+ binder_device
+ console_device
+ devpts
+ dm_device
+ hwbinder_device
+ kmsg_device
+ null_device
+ owntty_device
+ ptmx_device
+ random_device
+ tty_device
+ zero_device
+}:chr_file { read open };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:global_capability2_class_set syslog;
+
+# init access to /proc.
+r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
+
+allow init {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
+ proc_cmdline
+ proc_diskstats
+ proc_kmsg # Open /proc/kmsg for logd service.
+ proc_meminfo
+ proc_stat # Read /proc/stat for bootchart.
+ proc_uptime
+ proc_version
+}:file r_file_perms;
+
+allow init {
+ proc_abi
+ proc_dirty
+ proc_hostname
+ proc_hung_task
+ proc_extra_free_kbytes
+ proc_net_type
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_overcommit_memory # /proc/sys/vm/overcommit_memory
+ proc_panic
+ proc_page_cluster
+ proc_perf
+ proc_sched
+ proc_sysrq
+}:file w_file_perms;
+
+allow init {
+ proc_security
+}:file rw_file_perms;
+
+# init chmod/chown access to /proc files.
+allow init {
+ proc_cmdline
+ proc_bootconfig
+ proc_kmsg
+ proc_net
+ proc_pagetypeinfo
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_sysrq
+ proc_qtaguid_ctrl
+ proc_vmallocinfo
+}:file setattr;
+
+# init access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_dm_verity
+ sysfs_leds
+ sysfs_power
+ sysfs_fs_f2fs
+ sysfs_dm
+}:file w_file_perms;
+
+allow init {
+ sysfs_dt_firmware_android
+ sysfs_fs_ext4_features
+}:file r_file_perms;
+
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+ LOOP_SET_FD
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_GET_STATUS
+};
+
+# init chmod/chown access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_devices_system_cpu
+ sysfs_ipv4
+ sysfs_leds
+ sysfs_lowmemorykiller
+ sysfs_power
+ sysfs_vibrator
+ sysfs_wake_lock
+ sysfs_zram
+}:file setattr;
+
+allow init self:global_capability_class_set net_admin;
+
+# Reboot.
+allow init self:global_capability_class_set sys_boot;
+
+# Support "adb shell stop"
+allow init self:global_capability_class_set kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:global_capability_class_set { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:global_capability_class_set audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:global_capability_class_set net_raw;
+
+# Set scheduling info for psi monitor thread.
+# TODO: delete or revise this line b/131761776
+allow init kernel:process { getsched setsched };
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO: Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# Allow init to touch PSI monitors
+allow init proc_pressure_mem:file { rw_file_perms setattr };
+
+# init is using bootstrap bionic
+use_bootstrap_libs(init)
+
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
+set_prop(init, property_type)
diff --git a/prebuilts/api/26.0/private/initial_sid_contexts b/microdroid/system/private/initial_sid_contexts
similarity index 100%
copy from prebuilts/api/26.0/private/initial_sid_contexts
copy to microdroid/system/private/initial_sid_contexts
diff --git a/prebuilts/api/26.0/private/initial_sids b/microdroid/system/private/initial_sids
similarity index 100%
copy from prebuilts/api/26.0/private/initial_sids
copy to microdroid/system/private/initial_sids
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
new file mode 100644
index 0000000..e81173d
--- /dev/null
+++ b/microdroid/system/private/kernel.te
@@ -0,0 +1,96 @@
+typeattribute kernel coredomain;
+
+domain_auto_trans(kernel, init_exec, init)
+
+# The following sections are for the transition period during a Virtual A/B
+# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
+# context, and with properly labelled devices. This must be done before
+# enabling enforcement, eg, in permissive mode while still in the kernel
+# context.
+allow kernel tmpfs:blk_file { getattr relabelfrom };
+allow kernel tmpfs:chr_file { getattr relabelfrom };
+allow kernel tmpfs:lnk_file { getattr relabelfrom };
+allow kernel tmpfs:dir { open read relabelfrom };
+
+allow kernel block_device:blk_file relabelto;
+allow kernel block_device:lnk_file relabelto;
+allow kernel dm_device:chr_file relabelto;
+allow kernel dm_device:blk_file relabelto;
+allow kernel dm_user_device:dir { read open search relabelto };
+allow kernel dm_user_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file relabelto;
+allow kernel null_device:chr_file relabelto;
+allow kernel random_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file write;
+allow kernel vd_device:blk_file read;
+
+allow kernel self:global_capability_class_set sys_nice;
+
+# Root fs.
+r_dir_file(kernel, rootfs)
+
+# Used to read androidboot.selinux property
+allow kernel {
+ proc_bootconfig
+ proc_cmdline
+}:file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
+
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
+# Initial setenforce by init prior to switching to init domain.
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
+
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:global_capability_class_set sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/kmsg which was created prior to loading policy.
+allow kernel tmpfs:chr_file write;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
+allow kernel self:security setcheckreqprot;
+
+# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel { sdcard_type fuse }:file { read write };
+
+# Allow the kernel to read APEX file descriptors and (staged) data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+
+#-----------------------------------------
+allow kernel apkdmverity:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+ file_contexts_file
+ property_contexts_file
+ sepolicy_test_file
+ service_contexts_file
+}:file relabelto;
diff --git a/microdroid/system/private/keys.conf b/microdroid/system/private/keys.conf
new file mode 100644
index 0000000..362e73d
--- /dev/null
+++ b/microdroid/system/private/keys.conf
@@ -0,0 +1,28 @@
+#
+# Maps an arbitrary tag [TAGNAME] with the string contents found in
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
+# name it after the base file name of the pem file.
+#
+# Each tag (section) then allows one to specify any string found in
+# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
+#
+
+[@PLATFORM]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
+
+[@MEDIA]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
+
+[@NETWORK_STACK]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
+
+[@SHARED]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
+
+# Example of ALL TARGET_BUILD_VARIANTS
+[@RELEASE]
+ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+
diff --git a/microdroid/system/private/linkerconfig.te b/microdroid/system/private/linkerconfig.te
new file mode 100644
index 0000000..4d8db0c
--- /dev/null
+++ b/microdroid/system/private/linkerconfig.te
@@ -0,0 +1,21 @@
+type linkerconfig, domain, coredomain;
+type linkerconfig_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(linkerconfig)
+
+## Read and write linkerconfig subdirectory.
+allow linkerconfig linkerconfig_file:dir create_dir_perms;
+allow linkerconfig linkerconfig_file:file create_file_perms;
+
+# Allow linkerconfig to log to the kernel.
+allow linkerconfig kmsg_device:chr_file w_file_perms;
+
+# Allow linkerconfig to be invoked with logwrapper from init.
+allow linkerconfig devpts:chr_file { read write };
+
+# Allow linkerconfig to scan for apex modules
+allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+
+# Allow linkerconfig to read apex-info-list.xml
+allow linkerconfig apex_info_file:file r_file_perms;
+
diff --git a/microdroid/system/private/logcat.te b/microdroid/system/private/logcat.te
new file mode 100644
index 0000000..a26cff3
--- /dev/null
+++ b/microdroid/system/private/logcat.te
@@ -0,0 +1,19 @@
+# logcat in Microdroid runs as a daemon process. It reads logs from logd and
+# emits the logs to the virtual serial console.
+typeattribute logcat coredomain;
+
+# logcat can be executed from init
+init_daemon_domain(logcat)
+
+# logcat can append to the virtual console devices
+allow logcat device:dir r_dir_perms;
+allow logcat serial_device:chr_file ra_file_perms;
+
+# logcat can get logs from logd
+read_logd(logcat)
+
+# Allow logcat to read ro.logd.ready so that it waits until logd is ready to
+# accept commands
+get_prop(logcat, logd_prop)
+
+allow logcat self:global_capability_class_set { sys_nice };
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
new file mode 100644
index 0000000..46cdb7d
--- /dev/null
+++ b/microdroid/system/private/logd.te
@@ -0,0 +1,44 @@
+typeattribute logd coredomain;
+
+init_daemon_domain(logd)
+
+allow logd adbd:dir search;
+allow logd adbd:file { getattr open read };
+allow logd device:dir search;
+allow logd init:dir search;
+allow logd init:fd use;
+allow logd init:file { getattr open read };
+allow logd kernel:dir search;
+allow logd kernel:file { getattr open read };
+allow logd kernel:system { syslog_mod syslog_read };
+allow logd linkerconfig_file:dir search;
+allow logd microdroid_manager:dir search;
+allow logd microdroid_manager:file { getattr open read };
+allow logd null_device:chr_file { open read };
+#allow logd proc_kmsg:file read;
+r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
+r_dir_file(logd, proc_kmsg)
+r_dir_file(logd, proc_meminfo)
+allow logd self:fifo_file { read write };
+allow logd self:file { getattr open read };
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
+#allow logd self:netlink_audit_socket getopt;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kmsg_device:chr_file { getattr w_file_perms };
+r_dir_file(logd, domain)
+allow logd self:unix_stream_socket { accept getopt setopt shutdown };
+allow logd servicemanager:dir search;
+allow logd servicemanager:file { open read };
+allow logd tombstoned:dir search;
+allow logd tombstoned:file { getattr open read };
+allow logd ueventd:dir search;
+allow logd ueventd:file { getattr open read };
+control_logd(logd)
+read_runtime_log_tags(logd)
+
+# Logd sets defaults if certain properties are empty.
+set_prop(logd, logd_prop)
+
+dontaudit domain runtime_event_log_tags_file:file { map open read };
diff --git a/microdroid/system/private/mac_permissions.xml b/microdroid/system/private/mac_permissions.xml
new file mode 100644
index 0000000..7fc37c1
--- /dev/null
+++ b/microdroid/system/private/mac_permissions.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag. The signature can
+ either appear as a set of attached cert child tags or as an attribute.
+ * A signer tag must contain a seinfo tag XOR multiple package stanzas.
+ * Each signer/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process as well as the apps data directory.
+ * seinfo assignments are made according to the following rules:
+ - Stanzas with package name refinements will be checked first.
+ - Stanzas w/o package name refinements will be checked second.
+ - The "default" seinfo label is automatically applied.
+
+ * valid stanzas can take one of the following forms:
+
+ // single cert protecting seinfo
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ // multiple certs protecting seinfo (all contained certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <seinfo value="platform" />
+ </signer>
+
+ // single cert protecting explicitly named app
+ <signer signature="@PLATFORM" >
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+
+ // multiple certs protecting explicitly named app (all certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+-->
+
+ <!-- Platform dev key in AOSP -->
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ <!-- Media key in AOSP -->
+ <signer signature="@MEDIA" >
+ <seinfo value="media" />
+ </signer>
+
+ <signer signature="@NETWORK_STACK" >
+ <seinfo value="network_stack" />
+ </signer>
+</policy>
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
new file mode 100644
index 0000000..de58326
--- /dev/null
+++ b/microdroid/system/private/microdroid_app.te
@@ -0,0 +1,17 @@
+# microdroid_app is a domain for microdroid_launcher, which is a binary that
+# loads a shared library from an apk and executes it by calling an entry point
+# in the library. This can be considered as the native counterpart of
+# app_process for Java.
+#
+# Both microdroid_launcher and payload from the shared library run in the
+# context of microdroid_app.
+
+type microdroid_app, domain, coredomain, microdroid_payload;
+type microdroid_app_exec, exec_type, file_type, system_file_type;
+
+# Talk to binder services (for diced)
+binder_use(microdroid_app);
+
+allow microdroid_app dice_node_service:service_manager find;
+binder_call(microdroid_app, diced);
+allow microdroid_app diced:diced { get_attestation_chain derive };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
new file mode 100644
index 0000000..432ab13
--- /dev/null
+++ b/microdroid/system/private/microdroid_manager.te
@@ -0,0 +1,89 @@
+# microdroid_manager is a daemon running in the microdroid.
+
+type microdroid_manager, domain, coredomain;
+type microdroid_manager_exec, exec_type, file_type, system_file_type;
+
+# allow domain transition from init
+init_daemon_domain(microdroid_manager)
+
+# Allow microdroid_manager to set boot status
+set_prop(microdroid_manager, boot_status_prop)
+
+# microdroid_manager accesses a virtual disk block device to read VM payload
+# It needs write access as it updates the instance image
+allow microdroid_manager block_device:dir r_dir_perms;
+allow microdroid_manager block_device:lnk_file r_file_perms;
+allow microdroid_manager vd_device:blk_file rw_file_perms;
+# microdroid_manager verifies DM-verity mounted APK payload
+allow microdroid_manager dm_device:blk_file r_file_perms;
+
+# microdroid_manager can query AVF flags in the device tree
+allow microdroid_manager sysfs_dt_avf:file r_file_perms;
+
+# Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
+# requires sys_admin cap as well.
+allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
+allow microdroid_manager self:global_capability_class_set sys_admin;
+
+# Allow microdroid_manager to start payload tasks
+domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
+domain_auto_trans(microdroid_manager, compos_exec, compos)
+
+# Allow microdroid_manager to start apk verity binaries
+domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
+domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
+
+# Let microdroid_manager kernel-log.
+allow microdroid_manager kmsg_device:chr_file w_file_perms;
+
+# Let microdroid_manager read a config file from /mnt/apk (fusefs)
+# TODO(b/188400186) remove the below rule
+userdebug_or_eng(`
+ r_dir_file(microdroid_manager, fuse)
+')
+
+# Let microdroid_manager to create a vsock connection back to the host VM
+allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
+
+# microdroid_manager is using bootstrap bionic
+use_bootstrap_libs(microdroid_manager)
+
+# microdroid_manager can talk to diced over binder
+binder_use(microdroid_manager)
+binder_call(microdroid_manager, diced)
+allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
+allow microdroid_manager diced:diced { derive demote_self };
+
+# microdroid_manager create /apex/vm-payload-metadata for apexd
+# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
+allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
+allow microdroid_manager apex_mnt_dir:file create_file_perms;
+
+# Allow microdroid_manager to start the services apexd-vm, apkdmverity,tombstone_transmit & zipfuse
+set_prop(microdroid_manager, ctl_apexd_vm_prop)
+set_prop(microdroid_manager, ctl_apkdmverity_prop)
+set_prop(microdroid_manager, ctl_seriallogging_prop)
+set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
+set_prop(microdroid_manager, ctl_zipfuse_prop)
+
+# Allow microdroid_manager to wait for linkerconfig to be ready
+get_prop(microdroid_manager, apex_config_prop)
+
+# Allow microdroid_manager to pass the roothash to apkdmverity
+set_prop(microdroid_manager, microdroid_manager_roothash_prop)
+
+# Allow microdroid_manager to shutdown the device when verification fails
+set_prop(microdroid_manager, powerctl_prop)
+
+# Allow microdroid_manager to read bootconfig so that it can reject a bootconfig
+# that is different from what is recorded in the instance.img file.
+allow microdroid_manager proc_bootconfig:file r_file_perms;
+
+# Allow microdroid_manager to handle extra_apks
+allow microdroid_manager extra_apk_file:dir create_dir_perms;
+
+# Domains other than microdroid can't write extra_apks
+neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
+neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
+
+neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
new file mode 100644
index 0000000..fea0768
--- /dev/null
+++ b/microdroid/system/private/microdroid_payload.te
@@ -0,0 +1,37 @@
+# microdroid_payload is an attribute for microdroid payload processes.
+# Domains should have microdroid_payload to be run from microdroid_manager.
+
+# Allow to communicate use, read and write over the adb connection.
+allow microdroid_payload adbd:fd use;
+allow microdroid_payload adbd:unix_stream_socket { read write };
+
+# microdroid_launcher is launched by microdroid_manager with fork/execvp.
+allow microdroid_payload microdroid_manager:fd use;
+
+# Allow to use FDs inherited from the shell. This includes the FD opened for
+# the microdroid_launcher executable itself and the FD for adb connection.
+# TODO(b/186396070) remove this when this is executed from microdroid_manager
+userdebug_or_eng(`
+ allow microdroid_payload shell:fd use;
+')
+
+# Allow to use terminal
+allow microdroid_payload devpts:chr_file rw_file_perms;
+
+# Allow to set debug prop
+set_prop(microdroid_payload, debug_prop)
+
+# Allow microdroid_payload to use vsock inherited from microdroid_manager
+allow microdroid_payload microdroid_manager:vsock_socket { read write };
+
+# Write to /dev/kmsg.
+allow microdroid_payload kmsg_device:chr_file rw_file_perms;
+
+# Only microdroid_payload and apk verity binaries can be run by microdroid_manager
+neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process transition;
+
+# Allow microdroid_payload to open binder servers via vsock.
+allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Payload can read extra apks
+r_dir_file(microdroid_payload, extra_apk_file)
diff --git a/microdroid/system/private/mls b/microdroid/system/private/mls
new file mode 100644
index 0000000..cee6675
--- /dev/null
+++ b/microdroid/system/private/mls
@@ -0,0 +1,12 @@
+#################################################
+# MLS policy constraints
+#
+
+# We aren't using MLS in Microdroid. But the policy grammar requires
+# at least one MLS declaration, and checkpolicy enforces this. We
+# don't want to disable MLS, since we share some file labels with the
+# host (e.g. files in APEXes) which does have MLS. So we include this
+# fairly harmless constraint.
+
+# Process transition: Require equivalence.
+mlsconstrain process { transition dyntransition } (h1 eq h2 and l1 eq l2);
diff --git a/prebuilts/api/26.0/private/mls_decl b/microdroid/system/private/mls_decl
similarity index 100%
copy from prebuilts/api/26.0/private/mls_decl
copy to microdroid/system/private/mls_decl
diff --git a/prebuilts/api/26.0/private/mls_macros b/microdroid/system/private/mls_macros
similarity index 100%
copy from prebuilts/api/26.0/private/mls_macros
copy to microdroid/system/private/mls_macros
diff --git a/microdroid/system/private/net.te b/microdroid/system/private/net.te
new file mode 100644
index 0000000..1b2fd41
--- /dev/null
+++ b/microdroid/system/private/net.te
@@ -0,0 +1,16 @@
+## Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+###
+### Domain with network access
+###
+
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+allow netdomain port_type:tcp_socket name_connect;
+allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow netdomain port_type:udp_socket name_bind;
+allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
new file mode 100644
index 0000000..c083547
--- /dev/null
+++ b/microdroid/system/private/odrefresh.te
@@ -0,0 +1,41 @@
+# odrefresh
+type odrefresh, domain, coredomain;
+type odrefresh_exec, system_file_type, exec_type, file_type;
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
+userfaultfd_use(odrefresh)
+
+# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
+# the current APEXes.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# The policies above are mirrored from Android's, while the below are tailored for using in CompOS.
+
+# Allow odrefresh to read/write/lookup files/directories on authfs.
+allow odrefresh authfs_fuse:file create_file_perms;
+allow odrefresh authfs_fuse:dir create_dir_perms;
+
+# Allow odrefresh to check the parent directory exists.
+allow odrefresh authfs_data_file:dir { search getattr };
+
+# Minijail uses pipe for the parent process to signal the child (as a fallback
+# mechanism, since Android does not support minijail's preload).
+# TODO(196109647): We can probably remove this once the minijail preload is
+# supported on Android.
+allow odrefresh compos:fifo_file read;
+
+# Allow using FDs from the parent. It's possible that this could be avoided,
+# if we close fd 0-2 before execute. But minijial replaces them with /dev/null
+# (unless specified otherwise). Without allowing the use, the execution will
+# fail immediately. See b/210909688.
+allow odrefresh compos:fd use;
+
+# Silently ignore the access to properties. Unlike on Android, parameters
+# should be passed from command line to avoid global state.
+dontaudit odrefresh property_socket:sock_file write;
+dontaudit odrefresh dalvik_config_prop:file read;
diff --git a/microdroid/system/private/policy_capabilities b/microdroid/system/private/policy_capabilities
new file mode 100644
index 0000000..9290e3a
--- /dev/null
+++ b/microdroid/system/private/policy_capabilities
@@ -0,0 +1,20 @@
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
+
+# Enable separate security classes for
+# all network address families previously
+# mapped to the socket class and for
+# ICMP and SCTP sockets previously mapped
+# to the rawip_socket class.
+policycap extended_socket_class;
+
+# Enable NoNewPrivileges support. Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;
diff --git a/microdroid/system/private/port_contexts b/microdroid/system/private/port_contexts
new file mode 100644
index 0000000..2f40b38
--- /dev/null
+++ b/microdroid/system/private/port_contexts
@@ -0,0 +1 @@
+# This file can't be empty, but is unused on microdroid
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
new file mode 100644
index 0000000..28fb8e1
--- /dev/null
+++ b/microdroid/system/private/property.te
@@ -0,0 +1,39 @@
+system_restricted_prop(boot_status_prop)
+
+# Declare ART properties for CompOS
+system_public_prop(dalvik_config_prop)
+system_restricted_prop(device_config_runtime_native_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)
+
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_console_prop
+ ctl_default_prop
+ ctl_fuse_prop
+}:property_service set;
+
+###
+### Neverallow rules
+###
+
+# microdroid_manager_roothash_prop can only be set by microdroid_manager
+# and read by apkdmverity
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+} microdroid_manager_roothash_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+ -apkdmverity
+} microdroid_manager_roothash_prop:file no_rw_file_perms;
+
+# apexd_payload_metadata_prop can only set by init
+neverallow {
+ domain
+ -init
+} apexd_payload_metadata_prop:property_service set;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
new file mode 100644
index 0000000..2b95520
--- /dev/null
+++ b/microdroid/system/private/property_contexts
@@ -0,0 +1,162 @@
+# property contexts for microdroid
+# microdroid only uses much fewer properties than normal Android, so every property is listed as
+# an exact entry. The only wildcards are "debug.*", "init.svc_debug_pid.*", "ctl.*", and
+# process-dependent properties like "arm64.memtag.*" and "log.tag.*".
+
+debug. u:object_r:debug_prop:s0 prefix
+persist.debug. u:object_r:debug_prop:s0 prefix
+
+init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0 prefix int
+
+ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
+ctl.start$ u:object_r:ctl_start_prop:s0
+ctl.stop$ u:object_r:ctl_stop_prop:s0
+ctl.restart$ u:object_r:ctl_restart_prop:s0
+ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
+
+ctl.start$adbd u:object_r:ctl_adbd_prop:s0
+ctl.stop$adbd u:object_r:ctl_adbd_prop:s0
+ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
+
+ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+
+ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
+ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
+ctl.start$tombstone_transmit u:object_r:ctl_tombstone_transmit_prop:s0
+ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
+
+ctl.console u:object_r:ctl_console_prop:s0
+ctl.fuse_ u:object_r:ctl_fuse_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
+
+sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0 exact bool
+sys.powerctl u:object_r:powerctl_prop:s0
+
+service.adb.root u:object_r:shell_prop:s0 exact bool
+
+ro.logd.kernel u:object_r:logd_prop:s0 exact bool
+logd.ready u:object_r:logd_prop:s0 exact bool
+
+dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
+
+ro.config.low_ram u:object_r:build_prop:s0 exact bool
+
+ro.boottime.adbd u:object_r:boottime_prop:s0 exact int
+ro.boottime.apexd-vm u:object_r:boottime_prop:s0 exact int
+ro.boottime.apkdmverity u:object_r:boottime_prop:s0 exact int
+ro.boottime.authfs_service u:object_r:boottime_prop:s0 exact int
+ro.boottime.init u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.cold_boot_wait u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.first_stage u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.modules u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.selinux u:object_r:boottime_prop:s0 exact int
+ro.boottime.logd u:object_r:boottime_prop:s0 exact int
+ro.boottime.logd-reinit u:object_r:boottime_prop:s0 exact int
+ro.boottime.microdroid_manager u:object_r:boottime_prop:s0 exact int
+ro.boottime.servicemanager u:object_r:boottime_prop:s0 exact int
+ro.boottime.tombstoned u:object_r:boottime_prop:s0 exact int
+ro.boottime.ueventd u:object_r:boottime_prop:s0 exact int
+ro.boottime.zipfuse u:object_r:boottime_prop:s0 exact int
+
+ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
+
+apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
+
+ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
+
+sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+persist.sys.usb.config u:object_r:usb_control_prop:s0 exact string
+
+init.svc.apexd-vm u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.zipfuse u:object_r:init_service_status_private_prop:s0 exact string
+
+init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
+init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
+
+ro.boot.adb.enabled u:object_r:bootloader_prop:s0 exact bool
+ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.boot_devices u:object_r:bootloader_prop:s0 exact string
+ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
+ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.logd.enabled u:object_r:bootloader_prop:s0 exact bool
+ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
+ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
+ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
+ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
+ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.digest u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.hash_alg u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.invalidate_on_error u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.size u:object_r:bootloader_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
+ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
+
+ro.baseband u:object_r:bootloader_prop:s0 exact string
+ro.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.bootmode u:object_r:bootloader_prop:s0 exact string
+ro.hardware u:object_r:bootloader_prop:s0 exact string
+ro.revision u:object_r:bootloader_prop:s0 exact string
+
+ro.build.id u:object_r:build_prop:s0 exact string
+ro.build.version.codename u:object_r:build_prop:s0 exact string
+ro.build.version.release u:object_r:build_prop:s0 exact string
+ro.build.version.sdk u:object_r:build_prop:s0 exact int
+ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
+ro.adb.secure u:object_r:build_prop:s0 exact bool
+
+ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
+
+apex_config.done u:object_r:apex_config_prop:s0 exact bool
+
+microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
+
+dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.root u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.vendor u:object_r:dev_mnt_prop:s0 exact string
+
+gsid.image_installed u:object_r:gsid_prop:s0 exact bool
+ro.gsid.image_running u:object_r:gsid_prop:s0 exact bool
+
+service.adb.listen_addrs u:object_r:adbd_prop:s0 exact string
+
+persist.adb.wifi.guid u:object_r:adbd_prop:s0 exact string
+
+log.tag u:object_r:log_tag_prop:s0 prefix
+persist.log.tag u:object_r:log_tag_prop:s0 prefix
+
+libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
+libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
+
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+
+persist.sys.timezone u:object_r:timezone_prop:s0 exact string
+
+ro.vndk.version u:object_r:build_prop:s0 exact string
+
+heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
+
+# ART properties for CompOS
+dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
+ro.dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
+persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
+persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0 prefix
+
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
diff --git a/prebuilts/api/26.0/private/roles_decl b/microdroid/system/private/roles_decl
similarity index 100%
copy from prebuilts/api/26.0/private/roles_decl
copy to microdroid/system/private/roles_decl
diff --git a/microdroid/system/private/seapp_contexts b/microdroid/system/private/seapp_contexts
new file mode 100644
index 0000000..2f40b38
--- /dev/null
+++ b/microdroid/system/private/seapp_contexts
@@ -0,0 +1 @@
+# This file can't be empty, but is unused on microdroid
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
new file mode 100644
index 0000000..0d3cc80
--- /dev/null
+++ b/microdroid/system/private/security_classes
@@ -0,0 +1,170 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class anon_inode
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class dccp_socket
+
+class memprotect
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+class smc_socket
+
+class process2
+
+class bpf
+
+class xdp_socket
+
+class perf_event
+
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
+# Property service
+class property_service # userspace
+
+# Service manager
+class service_manager # userspace
+
+# hardware service manager # userspace
+class hwservice_manager
+
+# Legacy Keystore key permissions
+class keystore_key # userspace
+
+# Keystore 2.0 permissions
+class keystore2 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key # userspace
+
+# Diced permissions
+class diced # userspace
+
+class drmservice # userspace
+# FLASK
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
new file mode 100644
index 0000000..9a27306
--- /dev/null
+++ b/microdroid/system/private/service_contexts
@@ -0,0 +1,9 @@
+android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
+
+adb u:object_r:adb_service:s0
+android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode u:object_r:dice_node_service:s0
+apexservice u:object_r:apex_service:s0
+authfs_service u:object_r:authfs_binder_service:s0
+manager u:object_r:service_manager_service:s0
+* u:object_r:default_android_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
new file mode 100644
index 0000000..d51c827
--- /dev/null
+++ b/microdroid/system/private/servicemanager.te
@@ -0,0 +1,29 @@
+typeattribute servicemanager coredomain;
+
+init_daemon_domain(servicemanager)
+
+selinux_check_access(servicemanager)
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+ domain
+ -init
+ -vendor_init
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
+add_service(servicemanager, service_manager_service)
+
+set_prop(servicemanager, ctl_interface_start_prop)
+
+# servicemanager is using bootstrap bionic
+use_bootstrap_libs(servicemanager)
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
new file mode 100644
index 0000000..d6c3c0d
--- /dev/null
+++ b/microdroid/system/private/shell.te
@@ -0,0 +1,42 @@
+typeattribute shell coredomain;
+
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
+
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
+# Allow shell to launch microdroid_launcher in its own domain
+# TODO(b/186396070) remove this when microdroid_manager can do this
+domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
+domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow shell adbd:unix_stream_socket connectto;
+allow shell adbd:fd use;
+allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# filesystem test for insecure chr_file's is done
+# via a host side test
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# filesystem test for insucre blk_file's is done
+# via hostside test
+allow shell dev_type:blk_file getattr;
+
+# Test tool automatically tries to access /sys/class/power_supply.
+# Suppressing it as we don't need power_supply in microdroid.
+dontaudit shell sysfs:dir r_dir_perms;
+
+# Test tool tries to read various service status properties.
+get_prop(shell, boot_status_prop)
+get_prop(shell, init_service_status_prop)
+get_prop(shell, init_service_status_private_prop)
+
+set_prop(shell, log_tag_prop)
diff --git a/microdroid/system/private/statsd.te b/microdroid/system/private/statsd.te
new file mode 100644
index 0000000..437f505
--- /dev/null
+++ b/microdroid/system/private/statsd.te
@@ -0,0 +1,3 @@
+typeattribute statsd coredomain;
+
+init_daemon_domain(statsd)
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
new file mode 100644
index 0000000..1196262
--- /dev/null
+++ b/microdroid/system/private/su.te
@@ -0,0 +1,9 @@
+userdebug_or_eng(`
+ typeattribute su coredomain;
+
+ domain_auto_trans(shell, su_exec, su)
+
+ # su is also permissive to permit setenforce.
+ permissive su;
+
+')
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
new file mode 100644
index 0000000..588ebff
--- /dev/null
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -0,0 +1,8 @@
+type tombstone_transmit, domain, coredomain;
+type tombstone_transmit_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(tombstone_transmit)
+
+r_dir_file(tombstone_transmit, tombstone_data_file)
+
+allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
diff --git a/microdroid/system/private/tombstoned.te b/microdroid/system/private/tombstoned.te
new file mode 100644
index 0000000..2567a23
--- /dev/null
+++ b/microdroid/system/private/tombstoned.te
@@ -0,0 +1,12 @@
+typeattribute tombstoned coredomain;
+
+init_daemon_domain(tombstoned)
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
diff --git a/prebuilts/api/26.0/private/toolbox.te b/microdroid/system/private/toolbox.te
similarity index 100%
copy from prebuilts/api/26.0/private/toolbox.te
copy to microdroid/system/private/toolbox.te
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
new file mode 100644
index 0000000..a855509
--- /dev/null
+++ b/microdroid/system/private/ueventd.te
@@ -0,0 +1,53 @@
+typeattribute ueventd coredomain;
+
+tmpfs_domain(ueventd)
+
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file_type)
+
+# Access for /apex/*/firmware
+allow ueventd apex_mnt_dir:dir r_dir_perms;
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
+allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
+
+# ueventd loads modules in response to modalias events.
+allow ueventd self:global_capability_class_set sys_module;
+allow ueventd vendor_file:system module_load;
+allow ueventd kernel:key search;
+
+# ueventd is using bootstrap bionic
+use_bootstrap_libs(ueventd)
+
+# ueventd sets ro.cold_boot_done to signal to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)
diff --git a/prebuilts/api/26.0/private/users b/microdroid/system/private/users
similarity index 100%
copy from prebuilts/api/26.0/private/users
copy to microdroid/system/private/users
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
new file mode 100644
index 0000000..6652e27
--- /dev/null
+++ b/microdroid/system/private/zipfuse.te
@@ -0,0 +1,50 @@
+# zipfuse is a FUSE daemon running in the microdroid. It mounts
+# /dev/block/by-name/microdroid-apk whose content is from an apk file on
+# /mnt/apk so that the entries in the apk file are seen as regular files. See
+# packages/modules/Virtualization/zipfuse.
+
+type zipfuse, domain, coredomain;
+type zipfuse_exec, exec_type, file_type, system_file_type;
+
+# zipfuse is using bootstrap bionic
+use_bootstrap_libs(zipfuse)
+
+# allow basic rules to implement FUSE
+allow zipfuse fuse_device:chr_file rw_file_perms;
+allow zipfuse self:global_capability_class_set sys_admin;
+
+# allow access to /dev/vd* block device files and also access to the symlinks
+# /dev/block/by-name/*
+allow zipfuse block_device:dir r_dir_perms;
+allow zipfuse block_device:lnk_file r_file_perms;
+
+# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*
+allow zipfuse dm_device:blk_file r_file_perms;
+
+# allow mounting on /mnt/apk
+allow zipfuse tmpfs:dir mounton;
+
+# allow mounting with fscontext=u:object_r:zipfusefs:s0
+type zipfusefs, fs_type, contextmount_type;
+allow zipfuse fuse:filesystem relabelfrom;
+allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
+
+# allow mounting with context=u:object_r:system_file:s0 so that files provided
+# by zipfuse are treated the same as the other files in /system or /apex
+allow system_file zipfusefs:filesystem associate;
+
+# allow zipfuse to log to the kernel
+allow zipfuse kmsg_device:chr_file w_file_perms;
+
+# allow zipfuse to handle extra apks
+r_dir_file(zipfuse, extra_apk_file)
+allow zipfuse extra_apk_file:dir mounton;
+
+# zipfuse is forked from microdroid_manager
+allow zipfuse microdroid_manager:fd use;
+
+# Only microdroid_manager can run zipfuse
+neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
+
+# only zipfuse can mount on extra_apk_file
+neverallow { domain -zipfuse } extra_apk_file:dir mounton;
diff --git a/microdroid/system/public/adbd.te b/microdroid/system/public/adbd.te
new file mode 100644
index 0000000..a41d4a3
--- /dev/null
+++ b/microdroid/system/public/adbd.te
@@ -0,0 +1,2 @@
+type adbd, domain;
+type adbd_exec, exec_type, file_type, system_file_type;
diff --git a/microdroid/system/public/apexd.te b/microdroid/system/public/apexd.te
new file mode 100644
index 0000000..f80c1da
--- /dev/null
+++ b/microdroid/system/public/apexd.te
@@ -0,0 +1,5 @@
+type apexd, domain, coredomain;
+type apexd_exec, file_type, exec_type, system_file_type;
+
+binder_use(apexd)
+add_service(apexd, apex_service)
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
new file mode 100644
index 0000000..00b5f2b
--- /dev/null
+++ b/microdroid/system/public/attributes
@@ -0,0 +1,172 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# in tools/checkfc.c
+attribute dev_type;
+
+# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
+attribute bdev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute fs_type;
+
+# All types used for context= mounts.
+attribute contextmount_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+expandattribute data_file_type false;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+expandattribute core_data_file_type false;
+
+# All types in /system
+attribute system_file_type;
+
+# All types in /vendor
+attribute vendor_file_type;
+
+# All types used for procfs files.
+attribute proc_type;
+expandattribute proc_type false;
+
+# Types in /proc/net, excluding qtaguid types.
+# TODO(b/9496886) Lock down access to /proc/net.
+# This attribute is used to audit access to proc_net. it is temporary and will
+# be removed.
+attribute proc_net_type;
+expandattribute proc_net_type true;
+
+# All types used for sysfs files.
+attribute sysfs_type;
+
+# All types use for debugfs files.
+attribute debugfs_type;
+
+# All types used for tracefs files.
+attribute tracefs_type;
+
+# Attribute used for all sdcards
+attribute sdcard_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All types used for property service
+# On change, update CHECK_PC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute property_type;
+
+# Properties used for representing ownership. All properties should have one
+# of: system_property_type, product_property_type, or vendor_property_type.
+
+# All properties defined by /system.
+attribute system_property_type;
+expandattribute system_property_type false;
+
+# All /system-defined properties used only in /system.
+attribute system_internal_property_type;
+expandattribute system_internal_property_type false;
+
+# All /system-defined properties which can't be written outside /system.
+attribute system_restricted_property_type;
+expandattribute system_restricted_property_type false;
+
+# All /system-defined properties with no restrictions.
+attribute system_public_property_type;
+expandattribute system_public_property_type false;
+
+# All properties defined by /product.
+# Currently there are no enforcements between /system and /product, so for now
+# /product attributes are just replaced to /system attributes.
+define(`product_property_type', `system_property_type')
+define(`product_internal_property_type', `system_internal_property_type')
+define(`product_restricted_property_type', `system_restricted_property_type')
+define(`product_public_property_type', `system_public_property_type')
+
+# All properties defined by /vendor.
+attribute vendor_property_type;
+expandattribute vendor_property_type false;
+
+# All /vendor-defined properties used only in /vendor.
+attribute vendor_internal_property_type;
+expandattribute vendor_internal_property_type false;
+
+# All /vendor-defined properties which can't be written outside /vendor.
+attribute vendor_restricted_property_type;
+expandattribute vendor_restricted_property_type false;
+
+# All /vendor-defined properties with no restrictions.
+attribute vendor_public_property_type;
+expandattribute vendor_public_property_type false;
+
+# services which served by vendor and also using the copy of libbinder on
+# system (for instance via libbinder_ndk). services using a different copy
+# of libbinder currently need their own context manager (e.g.
+# vndservicemanager)
+attribute vendor_service;
+
+# All types used for services managed by servicemanager.
+# On change, update CHECK_SC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute service_manager_type;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
+
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+expandattribute coredomain_socket false;
+
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
+expandattribute halclientdomain true;
+
+# HALs
+hal_attribute(dice);
+
+# All types used for DMA-BUF heaps
+attribute dmabuf_heap_device_type;
+expandattribute dmabuf_heap_device_type false;
+
+attribute fusefs_type;
+
+# All types run from microdroid_manager as a payload
+attribute microdroid_payload;
+
+# Domains that are blocked from producing a crash dump
+attribute no_crash_dump_domain;
diff --git a/microdroid/system/public/crash_dump.te b/microdroid/system/public/crash_dump.te
new file mode 100644
index 0000000..d59b034
--- /dev/null
+++ b/microdroid/system/public/crash_dump.te
@@ -0,0 +1,2 @@
+type crash_dump, domain;
+type crash_dump_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
new file mode 100644
index 0000000..f99084c
--- /dev/null
+++ b/microdroid/system/public/device.te
@@ -0,0 +1,41 @@
+type ashmem_device, dev_type;
+type ashmem_libcutils_device, dev_type;
+type binder_device, dev_type;
+type block_device, dev_type;
+type console_device, dev_type;
+type device, dev_type, fs_type;
+type dm_device, dev_type;
+type dm_user_device, dev_type;
+type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
+type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
+type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
+type fuse_device, dev_type;
+type hw_random_device, dev_type;
+type hwbinder_device, dev_type;
+type kmsg_debug_device, dev_type;
+type kmsg_device, dev_type;
+type kvm_device, dev_type;
+type loop_control_device, dev_type;
+type loop_device, dev_type;
+type null_device, dev_type;
+type open_dice_device, dev_type;
+type owntty_device, dev_type;
+type ppp_device, dev_type;
+type properties_device, dev_type;
+type properties_serial, dev_type;
+type property_info, dev_type;
+type ptmx_device, dev_type;
+type ram_device, dev_type;
+type random_device, dev_type;
+type rtc_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type tty_device, dev_type;
+type tun_device, dev_type;
+type uhid_device, dev_type;
+type uio_device, dev_type;
+type userdata_sysdev, dev_type;
+type vd_device, dev_type;
+type vndbinder_device, dev_type;
+type vsock_device, dev_type;
+type zero_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
new file mode 100644
index 0000000..57be060
--- /dev/null
+++ b/microdroid/system/public/file.te
@@ -0,0 +1,200 @@
+type system_linker_exec, file_type, system_file_type;
+
+# file types
+type adbd_socket, file_type, coredomain_socket;
+type apex_info_file, file_type;
+type apex_mnt_dir, file_type;
+type authfs_data_file, file_type, data_file_type, core_data_file_type;
+type cgroup_desc_api_file, file_type, system_file_type;
+type cgroup_desc_file, file_type, system_file_type;
+type cgroup_rc_file, file_type;
+type extra_apk_file, file_type;
+type file_contexts_file, file_type, system_file_type;
+type linkerconfig_file, file_type;
+type logd_socket, file_type, coredomain_socket;
+type logdr_socket, file_type, coredomain_socket;
+type logdw_socket, file_type, coredomain_socket;
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+type property_contexts_file, file_type, system_file_type;
+type property_socket, file_type, coredomain_socket;
+type runtime_event_log_tags_file, file_type;
+type sepolicy_file, file_type, system_file_type;
+type service_contexts_file, file_type, system_file_type;
+type shell_data_file, file_type, data_file_type, core_data_file_type;
+type shell_test_data_file, file_type, data_file_type, core_data_file_type;
+type statsdw_socket, file_type, coredomain_socket;
+type system_bootstrap_lib_file, file_type, system_file_type;
+type system_data_file, file_type, data_file_type, core_data_file_type;
+type system_data_root_file, file_type, data_file_type, core_data_file_type;
+type system_event_log_tags_file, file_type, system_file_type;
+type system_file, file_type, system_file_type;
+type system_group_file, file_type, system_file_type;
+type system_lib_file, file_type, system_file_type;
+type system_linker_config_file, file_type, system_file_type;
+type system_passwd_file, file_type, system_file_type;
+type system_seccomp_policy_file, file_type, system_file_type;
+type system_security_cacerts_file, file_type, system_file_type;
+type task_profiles_api_file, file_type, system_file_type;
+type task_profiles_file, file_type, system_file_type;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type;
+type tombstoned_crash_socket, file_type, coredomain_socket;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type tombstoned_java_trace_socket, file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type;
+type unlabeled, file_type;
+type vendor_configs_file, file_type, vendor_file_type;
+type vendor_data_file, file_type, data_file_type;
+type vendor_file, file_type, vendor_file_type;
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
+# file system types
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
+type binfmt_miscfs, fs_type;
+type cgroup, fs_type;
+type cgroup_v2, fs_type;
+type config_gz, fs_type, proc_type;
+type configfs, fs_type;
+type debugfs, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_kcov, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type devpts, fs_type;
+type devtmpfs;
+type exfat, fs_type, sdcard_type;
+type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
+type functionfs, fs_type;
+type fuse, fs_type, fusefs_type;
+type fusectlfs, fs_type;
+type inotify, fs_type;
+type labeledfs, fs_type;
+type mqueue, fs_type;
+type pipefs, fs_type;
+type proc, fs_type, proc_type;
+type proc_abi, fs_type, proc_type;
+type proc_asound, fs_type, proc_type;
+type proc_bootconfig, fs_type, proc_type;
+type proc_buddyinfo, fs_type, proc_type;
+type proc_cmdline, fs_type, proc_type;
+type proc_cpuinfo, fs_type, proc_type;
+type proc_dirty, fs_type, proc_type;
+type proc_diskstats, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
+type proc_extra_free_kbytes, fs_type, proc_type;
+type proc_filesystems, fs_type, proc_type;
+type proc_fs_verity, fs_type, proc_type;
+type proc_hostname, fs_type, proc_type;
+type proc_hung_task, fs_type, proc_type;
+type proc_interrupts, fs_type, proc_type;
+type proc_iomem, fs_type, proc_type;
+type proc_kallsyms, fs_type, proc_type;
+type proc_keys, fs_type, proc_type;
+type proc_kmsg, fs_type, proc_type;
+type proc_kpageflags, fs_type, proc_type;
+type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
+type proc_lowmemorykiller, fs_type, proc_type;
+type proc_max_map_count, fs_type, proc_type;
+type proc_meminfo, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
+type proc_misc, fs_type, proc_type;
+type proc_modules, fs_type, proc_type;
+type proc_mounts, fs_type, proc_type;
+type proc_net, fs_type, proc_type, proc_net_type;
+type proc_net_tcp_udp, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
+type proc_page_cluster, fs_type, proc_type;
+type proc_pagetypeinfo, fs_type, proc_type;
+type proc_panic, fs_type, proc_type;
+type proc_perf, fs_type, proc_type;
+type proc_pid_max, fs_type, proc_type;
+type proc_pipe_conf, fs_type, proc_type;
+type proc_pressure_cpu, fs_type, proc_type;
+type proc_pressure_io, fs_type, proc_type;
+type proc_pressure_mem, fs_type, proc_type;
+type proc_qtaguid_ctrl, fs_type, proc_type;
+type proc_qtaguid_stat, fs_type, proc_type;
+type proc_random, fs_type, proc_type;
+type proc_sched, fs_type, proc_type;
+type proc_security, fs_type, proc_type;
+type proc_slabinfo, fs_type, proc_type;
+type proc_stat, fs_type, proc_type;
+type proc_swaps, fs_type, proc_type;
+type proc_sysrq, fs_type, proc_type;
+type proc_timer, fs_type, proc_type;
+type proc_tty_drivers, fs_type, proc_type;
+type proc_uid_concurrent_active_time, fs_type, proc_type;
+type proc_uid_concurrent_policy_time, fs_type, proc_type;
+type proc_uid_cpupower, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
+type proc_uptime, fs_type, proc_type;
+type proc_version, fs_type, proc_type;
+type proc_vmallocinfo, fs_type, proc_type;
+type proc_vmstat, fs_type, proc_type;
+type proc_zoneinfo, fs_type, proc_type;
+type pstorefs, fs_type;
+type rootfs, fs_type;
+type sdcardfs, fs_type, sdcard_type;
+type securityfs, fs_type;
+type selinuxfs, fs_type;
+type shm, fs_type;
+type sockfs, fs_type;
+type sysfs, fs_type, sysfs_type;
+type sysfs_android_usb, fs_type, sysfs_type;
+type sysfs_bluetooth_writable, fs_type, sysfs_type;
+type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_devices_cs_etm, fs_type, sysfs_type;
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
+type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dma_heap, fs_type, sysfs_type;
+type sysfs_dmabuf_stats, fs_type, sysfs_type;
+type sysfs_dt_avf, fs_type, sysfs_type;
+type sysfs_dt_firmware_android, fs_type, sysfs_type;
+type sysfs_extcon, fs_type, sysfs_type;
+type sysfs_fs_ext4_features, fs_type, sysfs_type;
+type sysfs_fs_f2fs, fs_type, sysfs_type;
+type sysfs_fs_incfs_features, fs_type, sysfs_type;
+type sysfs_fs_incfs_metrics, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
+type sysfs_ion, fs_type, sysfs_type;
+type sysfs_ipv4, fs_type, sysfs_type;
+type sysfs_kernel_notes, fs_type, sysfs_type;
+type sysfs_leds, fs_type, sysfs_type;
+type sysfs_loop, fs_type, sysfs_type;
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
+type sysfs_net, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type;
+type sysfs_power, fs_type, sysfs_type;
+type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_suspend_stats, fs_type, sysfs_type;
+type sysfs_switch, fs_type, sysfs_type;
+type sysfs_transparent_hugepage, fs_type, sysfs_type;
+type sysfs_uhid, fs_type, sysfs_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_wakeup, fs_type, sysfs_type;
+type sysfs_wakeup_reasons, fs_type, sysfs_type;
+type sysfs_wlan_fwpath, fs_type, sysfs_type;
+type sysfs_zram, fs_type, sysfs_type;
+type sysfs_zram_uevent, fs_type, sysfs_type;
+type tmpfs, fs_type;
+type usbfs, fs_type;
+type usermodehelper, fs_type, proc_type;
+type vfat, fs_type, sdcard_type;
diff --git a/microdroid/system/public/global_macros b/microdroid/system/public/global_macros
new file mode 100644
index 0000000..2c87fde
--- /dev/null
+++ b/microdroid/system/public/global_macros
@@ -0,0 +1,51 @@
+#####################################
+# Common groupings of object classes.
+#
+define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
+define(`global_capability_class_set', `{ capability cap_userns }')
+define(`global_capability2_class_set', `{ capability2 cap2_userns }')
+
+define(`devfile_class_set', `{ chr_file blk_file }')
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
+define(`dir_file_class_set', `{ dir file_class_set }')
+
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
+define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }')
+
+define(`ipc_class_set', `{ sem msgq shm ipc }')
+
+#####################################
+# Common groupings of permissions.
+#
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
+define(`w_file_perms', `{ open append write lock map }')
+define(`rx_file_perms', `{ r_file_perms x_file_perms }')
+define(`ra_file_perms', `{ r_file_perms append }')
+define(`rw_file_perms', `{ r_file_perms w_file_perms }')
+define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
+define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
+
+define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
+define(`w_dir_perms', `{ open search write add_name remove_name lock }')
+define(`ra_dir_perms', `{ r_dir_perms add_name write }')
+define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
+define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
+
+define(`r_ipc_perms', `{ getattr read associate unix_read }')
+define(`w_ipc_perms', `{ write unix_write }')
+define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
+define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+
+#####################################
+# Common socket permission sets.
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/microdroid/system/public/hal_dice.te b/microdroid/system/public/hal_dice.te
new file mode 100644
index 0000000..92222c5
--- /dev/null
+++ b/microdroid/system/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)
diff --git a/microdroid/system/public/init.te b/microdroid/system/public/init.te
new file mode 100644
index 0000000..b4def39
--- /dev/null
+++ b/microdroid/system/public/init.te
@@ -0,0 +1,8 @@
+# init is its own domain.
+type init, domain;
+type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;
+
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { getattr write relabelto };
+allow init kmsg_debug_device:chr_file { open write relabelto };
diff --git a/microdroid/system/public/ioctl_defines b/microdroid/system/public/ioctl_defines
new file mode 100644
index 0000000..5ac4d94
--- /dev/null
+++ b/microdroid/system/public/ioctl_defines
@@ -0,0 +1,2751 @@
+define(`ADD_NEW_DISK', `0x40140921')
+define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
+define(`AGPIOC_ACQUIRE', `0x00004101')
+define(`AGPIOC_ALLOCATE', `0xc0084106')
+define(`AGPIOC_BIND', `0x40084108')
+define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
+define(`AGPIOC_DEALLOCATE', `0x40044107')
+define(`AGPIOC_INFO', `0x80084100')
+define(`AGPIOC_PROTECT', `0x40084105')
+define(`AGPIOC_RELEASE', `0x00004102')
+define(`AGPIOC_RESERVE', `0x40084104')
+define(`AGPIOC_SETUP', `0x40084103')
+define(`AGPIOC_UNBIND', `0x40084109')
+define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
+define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
+define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
+define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
+define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
+define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
+define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
+define(`ANDROID_ALARM_SET_RTC', `0x40106105')
+define(`ANDROID_ALARM_WAIT', `0x00006101')
+define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
+define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
+define(`APM_IOC_STANDBY', `0x00004101')
+define(`APM_IOC_SUSPEND', `0x00004102')
+define(`ASHMEM_GET_NAME', `0x81007702')
+define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
+define(`ASHMEM_GET_PROT_MASK', `0x00007706')
+define(`ASHMEM_GET_SIZE', `0x00007704')
+define(`ASHMEM_PIN', `0x40087707')
+define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
+define(`ASHMEM_SET_NAME', `0x41007701')
+define(`ASHMEM_SET_PROT_MASK', `0x40087705')
+define(`ASHMEM_SET_SIZE', `0x40087703')
+define(`ASHMEM_UNPIN', `0x40087708')
+define(`ATM_ADDADDR', `0x40106188')
+define(`ATM_ADDLECSADDR', `0x4010618e')
+define(`ATM_ADDPARTY', `0x401061f4')
+define(`ATMARPD_CTRL', `0x000061e1')
+define(`ATMARP_ENCAP', `0x000061e5')
+define(`ATMARP_MKIP', `0x000061e2')
+define(`ATMARP_SETENTRY', `0x000061e3')
+define(`ATM_DELADDR', `0x40106189')
+define(`ATM_DELLECSADDR', `0x4010618f')
+define(`ATM_DROPPARTY', `0x400461f5')
+define(`ATM_GETADDR', `0x40106186')
+define(`ATM_GETCIRANGE', `0x4010618a')
+define(`ATM_GETESI', `0x40106185')
+define(`ATM_GETLECSADDR', `0x40106190')
+define(`ATM_GETLINKRATE', `0x40106181')
+define(`ATM_GETLOOP', `0x40106152')
+define(`ATM_GETNAMES', `0x40106183')
+define(`ATM_GETSTAT', `0x40106150')
+define(`ATM_GETSTATZ', `0x40106151')
+define(`ATM_GETTYPE', `0x40106184')
+define(`ATMLEC_CTRL', `0x000061d0')
+define(`ATMLEC_DATA', `0x000061d1')
+define(`ATMLEC_MCAST', `0x000061d2')
+define(`ATMMPC_CTRL', `0x000061d8')
+define(`ATMMPC_DATA', `0x000061d9')
+define(`ATM_NEWBACKENDIF', `0x400261f3')
+define(`ATM_QUERYLOOP', `0x40106154')
+define(`ATM_RSTADDR', `0x40106187')
+define(`ATM_SETBACKEND', `0x400261f2')
+define(`ATM_SETCIRANGE', `0x4010618b')
+define(`ATM_SETESI', `0x4010618c')
+define(`ATM_SETESIF', `0x4010618d')
+define(`ATM_SETLOOP', `0x40106153')
+define(`ATM_SETSC', `0x400461f1')
+define(`ATMSIGD_CTRL', `0x000061f0')
+define(`ATMTCP_CREATE', `0x0000618e')
+define(`ATMTCP_REMOVE', `0x0000618f')
+define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
+define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
+define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
+define(`AUDIO_CONTINUE', `0x00006f04')
+define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
+define(`AUDIO_GET_PTS', `0x80086f13')
+define(`AUDIO_GET_STATUS', `0x80206f0a')
+define(`AUDIO_PAUSE', `0x00006f03')
+define(`AUDIO_PLAY', `0x00006f02')
+define(`AUDIO_SELECT_SOURCE', `0x00006f05')
+define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
+define(`AUDIO_SET_AV_SYNC', `0x00006f07')
+define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
+define(`AUDIO_SET_EXT_ID', `0x00006f10')
+define(`AUDIO_SET_ID', `0x00006f0d')
+define(`AUDIO_SET_KARAOKE', `0x400c6f12')
+define(`AUDIO_SET_MIXER', `0x40086f0e')
+define(`AUDIO_SET_MUTE', `0x00006f06')
+define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
+define(`AUDIO_STOP', `0x00006f01')
+define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
+define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
+define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
+define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
+define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
+define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
+define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
+define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
+define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
+define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
+define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
+define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
+define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
+define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
+define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
+define(`AUTOFS_IOC_CATATONIC', `0x00009362')
+define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
+define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
+define(`AUTOFS_IOC_FAIL', `0x00009361')
+define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
+define(`AUTOFS_IOC_PROTOVER', `0x80049363')
+define(`AUTOFS_IOC_READY', `0x00009360')
+define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
+define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
+define(`BC_ACQUIRE', `0x40046305')
+define(`BC_ACQUIRE_DONE', `0x40106309')
+define(`BC_ACQUIRE_RESULT', `0x40046302')
+define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
+define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
+define(`BC_DEAD_BINDER_DONE', `0x40086310')
+define(`BC_DECREFS', `0x40046307')
+define(`BC_ENTER_LOOPER', `0x0000630c')
+define(`BC_EXIT_LOOPER', `0x0000630d')
+define(`BC_FREE_BUFFER', `0x40086303')
+define(`BC_INCREFS', `0x40046304')
+define(`BC_INCREFS_DONE', `0x40106308')
+define(`BC_REGISTER_LOOPER', `0x0000630b')
+define(`BC_RELEASE', `0x40046306')
+define(`BC_REPLY', `0x40406301')
+define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
+define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
+define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
+define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
+define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
+define(`BINDER_SET_MAX_THREADS', `0x40046205')
+define(`BINDER_THREAD_EXIT', `0x40046208')
+define(`BINDER_VERSION', `0xc0046209')
+define(`BINDER_WRITE_READ', `0xc0306201')
+define(`BLKALIGNOFF', `0x0000127a')
+define(`BLKBSZGET', `0x80081270')
+define(`BLKBSZSET', `0x40081271')
+define(`BLKDISCARD', `0x00001277')
+define(`BLKDISCARDZEROES', `0x0000127c')
+define(`BLKFLSBUF', `0x00001261')
+define(`BLKFRAGET', `0x00001265')
+define(`BLKFRASET', `0x00001264')
+define(`BLKGETSIZE', `0x00001260')
+define(`BLKGETSIZE64', `0x80081272')
+define(`BLKI2OGRSTRAT', `0x80043201')
+define(`BLKI2OGWSTRAT', `0x80043202')
+define(`BLKI2OSRSTRAT', `0x40043203')
+define(`BLKI2OSWSTRAT', `0x40043204')
+define(`BLKIOMIN', `0x00001278')
+define(`BLKIOOPT', `0x00001279')
+define(`BLKPBSZGET', `0x0000127b')
+define(`BLKPG', `0x00001269')
+define(`BLKRAGET', `0x00001263')
+define(`BLKRASET', `0x00001262')
+define(`BLKROGET', `0x0000125e')
+define(`BLKROSET', `0x0000125d')
+define(`BLKROTATIONAL', `0x0000127e')
+define(`BLKRRPART', `0x0000125f')
+define(`BLKSECDISCARD', `0x0000127d')
+define(`BLKSECTGET', `0x00001267')
+define(`BLKSECTSET', `0x00001266')
+define(`BLKSSZGET', `0x00001268')
+define(`BLKTRACESETUP', `0xc0481273')
+define(`BLKTRACESTART', `0x00001274')
+define(`BLKTRACESTOP', `0x00001275')
+define(`BLKTRACETEARDOWN', `0x00001276')
+define(`BLKZEROOUT', `0x0000127f')
+define(`BR2684_SETFILT', `0x401c6190')
+define(`BR_ACQUIRE', `0x80107208')
+define(`BR_ACQUIRE_RESULT', `0x80047204')
+define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
+define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
+define(`BR_DEAD_BINDER', `0x8008720f')
+define(`BR_DEAD_REPLY', `0x00007205')
+define(`BR_DECREFS', `0x8010720a')
+define(`BR_ERROR', `0x80047200')
+define(`BR_FAILED_REPLY', `0x00007211')
+define(`BR_FINISHED', `0x0000720e')
+define(`BR_INCREFS', `0x80107207')
+define(`BR_NOOP', `0x0000720c')
+define(`BR_OK', `0x00007201')
+define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213')
+define(`BR_RELEASE', `0x80107209')
+define(`BR_REPLY', `0x80407203')
+define(`BR_SPAWN_LOOPER', `0x0000720d')
+define(`BR_TRANSACTION', `0x80407202')
+define(`BR_TRANSACTION_COMPLETE', `0x00007206')
+define(`BT819_FIFO_RESET_HIGH', `0x00006201')
+define(`BT819_FIFO_RESET_LOW', `0x00006200')
+define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
+define(`BTRFS_IOC_BALANCE', `0x5000940c')
+define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
+define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
+define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
+define(`BTRFS_IOC_CLONE', `0x40049409')
+define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
+define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
+define(`BTRFS_IOC_DEFRAG', `0x50009402')
+define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
+define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
+define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
+define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
+define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
+define(`BTRFS_IOC_FS_INFO', `0x8400941f')
+define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
+define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
+define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
+define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
+define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
+define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
+define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
+define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
+define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
+define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
+define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
+define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
+define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
+define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
+define(`BTRFS_IOC_RESIZE', `0x50009403')
+define(`BTRFS_IOC_RM_DEV', `0x5000940b')
+define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
+define(`BTRFS_IOC_SCRUB', `0xc400941b')
+define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
+define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
+define(`BTRFS_IOC_SEND', `0x40489426')
+define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
+define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
+define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
+define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
+define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
+define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
+define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
+define(`BTRFS_IOC_START_SYNC', `0x80089418')
+define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
+define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
+define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
+define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
+define(`BTRFS_IOC_SYNC', `0x00009408')
+define(`BTRFS_IOC_TRANS_END', `0x00009407')
+define(`BTRFS_IOC_TRANS_START', `0x00009406')
+define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
+define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
+define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
+define(`CA_GET_CAP', `0x80106f81')
+define(`CA_GET_DESCR_INFO', `0x80086f83')
+define(`CA_GET_MSG', `0x810c6f84')
+define(`CA_GET_SLOT_INFO', `0x800c6f82')
+define(`CAPI_CLR_FLAGS', `0x80044325')
+define(`CAPI_GET_ERRCODE', `0x80024321')
+define(`CAPI_GET_FLAGS', `0x80044323')
+define(`CAPI_GET_MANUFACTURER', `0xc0044306')
+define(`CAPI_GET_PROFILE', `0xc0404309')
+define(`CAPI_GET_SERIAL', `0xc0044308')
+define(`CAPI_GET_VERSION', `0xc0104307')
+define(`CAPI_INSTALLED', `0x80024322')
+define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
+define(`CAPI_NCCI_GETUNIT', `0x80044327')
+define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
+define(`CAPI_REGISTER', `0x400c4301')
+define(`CAPI_SET_FLAGS', `0x80044324')
+define(`CA_RESET', `0x00006f80')
+define(`CA_SEND_MSG', `0x410c6f85')
+define(`CA_SET_DESCR', `0x40106f86')
+define(`CA_SET_PID', `0x40086f87')
+define(`CCISS_BIG_PASSTHRU', `0xc0604212')
+define(`CCISS_DEREGDISK', `0x0000420c')
+define(`CCISS_GETBUSTYPES', `0x80044207')
+define(`CCISS_GETDRIVVER', `0x80044209')
+define(`CCISS_GETFIRMVER', `0x80044208')
+define(`CCISS_GETHEARTBEAT', `0x80044206')
+define(`CCISS_GETINTINFO', `0x80084202')
+define(`CCISS_GETLUNINFO', `0x800c4211')
+define(`CCISS_GETNODENAME', `0x80104204')
+define(`CCISS_GETPCIINFO', `0x80084201')
+define(`CCISS_PASSTHRU', `0xc058420b')
+define(`CCISS_REGNEWD', `0x0000420e')
+define(`CCISS_REGNEWDISK', `0x4004420d')
+define(`CCISS_RESCANDISK', `0x00004210')
+define(`CCISS_REVALIDVOLS', `0x0000420a')
+define(`CCISS_SETINTINFO', `0x40084203')
+define(`CCISS_SETNODENAME', `0x40104205')
+define(`CDROMAUDIOBUFSIZ', `0x00005382')
+define(`CDROM_CHANGER_NSLOTS', `0x00005328')
+define(`CDROM_CLEAR_OPTIONS', `0x00005321')
+define(`CDROMCLOSETRAY', `0x00005319')
+define(`CDROM_DEBUG', `0x00005330')
+define(`CDROM_DISC_STATUS', `0x00005327')
+define(`CDROM_DRIVE_STATUS', `0x00005326')
+define(`CDROMEJECT', `0x00005309')
+define(`CDROMEJECT_SW', `0x0000530f')
+define(`CDROM_GET_CAPABILITY', `0x00005331')
+define(`CDROM_GET_MCN', `0x00005311')
+define(`CDROMGETSPINDOWN', `0x0000531d')
+define(`CDROM_LAST_WRITTEN', `0x00005395')
+define(`CDROM_LOCKDOOR', `0x00005329')
+define(`CDROM_MEDIA_CHANGED', `0x00005325')
+define(`CDROMMULTISESSION', `0x00005310')
+define(`CDROM_NEXT_WRITABLE', `0x00005394')
+define(`CDROMPAUSE', `0x00005301')
+define(`CDROMPLAYBLK', `0x00005317')
+define(`CDROMPLAYMSF', `0x00005303')
+define(`CDROMPLAYTRKIND', `0x00005304')
+define(`CDROMREADALL', `0x00005318')
+define(`CDROMREADAUDIO', `0x0000530e')
+define(`CDROMREADCOOKED', `0x00005315')
+define(`CDROMREADMODE1', `0x0000530d')
+define(`CDROMREADMODE2', `0x0000530c')
+define(`CDROMREADRAW', `0x00005314')
+define(`CDROMREADTOCENTRY', `0x00005306')
+define(`CDROMREADTOCHDR', `0x00005305')
+define(`CDROMRESET', `0x00005312')
+define(`CDROMRESUME', `0x00005302')
+define(`CDROMSEEK', `0x00005316')
+define(`CDROM_SELECT_DISC', `0x00005323')
+define(`CDROM_SELECT_SPEED', `0x00005322')
+define(`CDROM_SEND_PACKET', `0x00005393')
+define(`CDROM_SET_OPTIONS', `0x00005320')
+define(`CDROMSETSPINDOWN', `0x0000531e')
+define(`CDROMSTART', `0x00005308')
+define(`CDROMSTOP', `0x00005307')
+define(`CDROMSUBCHNL', `0x0000530b')
+define(`CDROMVOLCTRL', `0x0000530a')
+define(`CDROMVOLREAD', `0x00005313')
+define(`CHIOEXCHANGE', `0x401c6302')
+define(`CHIOGELEM', `0x406c6310')
+define(`CHIOGPARAMS', `0x80146306')
+define(`CHIOGPICKER', `0x80046304')
+define(`CHIOGSTATUS', `0x40106308')
+define(`CHIOGVPARAMS', `0x80706313')
+define(`CHIOINITELEM', `0x00006311')
+define(`CHIOMOVE', `0x40146301')
+define(`CHIOPOSITION', `0x400c6303')
+define(`CHIOSPICKER', `0x40046305')
+define(`CHIOSVOLTAG', `0x40306312')
+define(`CIOC_KERNEL_VERSION', `0xc008630a')
+define(`CLEAR_ARRAY', `0x00000920')
+define(`CM_IOCARDOFF', `0x00006304')
+define(`CM_IOCGATR', `0xc0086301')
+define(`CM_IOCGSTATUS', `0x80086300')
+define(`CM_IOCSPTS', `0x40086302')
+define(`CM_IOCSRDR', `0x00006303')
+define(`CM_IOSDBGLVL', `0x400863fa')
+define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
+define(`CXL_IOCTL_START_WORK', `0x4040ca00')
+define(`DM_DEV_CREATE', `0xc138fd03')
+define(`DM_DEV_REMOVE', `0xc138fd04')
+define(`DM_DEV_RENAME', `0xc138fd05')
+define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
+define(`DM_DEV_STATUS', `0xc138fd07')
+define(`DM_DEV_SUSPEND', `0xc138fd06')
+define(`DM_DEV_WAIT', `0xc138fd08')
+define(`DM_LIST_DEVICES', `0xc138fd02')
+define(`DM_LIST_VERSIONS', `0xc138fd0d')
+define(`DM_REMOVE_ALL', `0xc138fd01')
+define(`DM_TABLE_CLEAR', `0xc138fd0a')
+define(`DM_TABLE_DEPS', `0xc138fd0b')
+define(`DM_TABLE_LOAD', `0xc138fd09')
+define(`DM_TABLE_STATUS', `0xc138fd0c')
+define(`DM_TARGET_MSG', `0xc138fd0e')
+define(`DM_VERSION', `0xc138fd00')
+define(`DMX_ADD_PID', `0x40026f33')
+define(`DMX_GET_CAPS', `0x80086f30')
+define(`DMX_GET_PES_PIDS', `0x800a6f2f')
+define(`DMX_GET_STC', `0xc0106f32')
+define(`DMX_REMOVE_PID', `0x40026f34')
+define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
+define(`DMX_SET_FILTER', `0x403c6f2b')
+define(`DMX_SET_PES_FILTER', `0x40146f2c')
+define(`DMX_SET_SOURCE', `0x40046f31')
+define(`DMX_START', `0x00006f29')
+define(`DMX_STOP', `0x00006f2a')
+define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
+define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
+define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
+define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
+define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
+define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
+define(`DRM_IOCTL_AGP_BIND', `0x40106436')
+define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
+define(`DRM_IOCTL_AGP_FREE', `0x40206435')
+define(`DRM_IOCTL_AGP_INFO', `0x80386433')
+define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
+define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
+define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
+define(`DRM_IOCTL_BLOCK', `0xc0046412')
+define(`DRM_IOCTL_CONTROL', `0x40086414')
+define(`DRM_IOCTL_DMA', `0xc0406429')
+define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
+define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
+define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
+define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
+define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
+define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
+define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
+define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
+define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
+define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
+define(`DRM_IOCTL_FINISH', `0x4008642c')
+define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
+define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
+define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
+define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
+define(`DRM_IOCTL_GET_CAP', `0xc010640c')
+define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
+define(`DRM_IOCTL_GET_CTX', `0xc0086423')
+define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
+define(`DRM_IOCTL_GET_MAP', `0xc0286404')
+define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
+define(`DRM_IOCTL_GET_STATS', `0x80f86406')
+define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
+define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
+define(`DRM_IOCTL_I810_COPY', `0x40106447')
+define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
+define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
+define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
+define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
+define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
+define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
+define(`DRM_IOCTL_I810_INIT', `0x40406440')
+define(`DRM_IOCTL_I810_MC', `0x4020644c')
+define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
+define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
+define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
+define(`DRM_IOCTL_I810_SWAP', `0x00006446')
+define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
+define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
+define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
+define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
+define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
+define(`DRM_IOCTL_I915_FLIP', `0x00006442')
+define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
+define(`DRM_IOCTL_I915_FREE', `0x40086449')
+define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
+define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
+define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
+define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
+define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
+define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
+define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
+define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
+define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
+define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
+define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
+define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
+define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
+define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
+define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
+define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
+define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
+define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
+define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
+define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
+define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
+define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
+define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
+define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
+define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
+define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
+define(`DRM_IOCTL_I915_INIT', `0x40446440')
+define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
+define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
+define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
+define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
+define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
+define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
+define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
+define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
+define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
+define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
+define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
+define(`DRM_IOCTL_LOCK', `0x4008642a')
+define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
+define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
+define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
+define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
+define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
+define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
+define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
+define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
+define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
+define(`DRM_IOCTL_MGA_INIT', `0x40806440')
+define(`DRM_IOCTL_MGA_RESET', `0x00006442')
+define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
+define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
+define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
+define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
+define(`DRM_IOCTL_MOD_CTX', `0x40086422')
+define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
+define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
+define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
+define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
+define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
+define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
+define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
+define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
+define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
+define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
+define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
+define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
+define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
+define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
+define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
+define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
+define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
+define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
+define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
+define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
+define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
+define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
+define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
+define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
+define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
+define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
+define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
+define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
+define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
+define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
+define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
+define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
+define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
+define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
+define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
+define(`DRM_IOCTL_NEW_CTX', `0x40086425')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
+define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
+define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
+define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
+define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
+define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
+define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
+define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
+define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
+define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
+define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
+define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
+define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
+define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
+define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
+define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
+define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
+define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
+define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
+define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
+define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
+define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
+define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
+define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
+define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
+define(`DRM_IOCTL_R128_FLIP', `0x00006453')
+define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
+define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
+define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
+define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
+define(`DRM_IOCTL_R128_INIT', `0x40786440')
+define(`DRM_IOCTL_R128_RESET', `0x00006446')
+define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
+define(`DRM_IOCTL_R128_SWAP', `0x00006447')
+define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
+define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
+define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
+define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
+define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
+define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
+define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
+define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
+define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
+define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
+define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
+define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
+define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
+define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
+define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
+define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
+define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
+define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
+define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
+define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
+define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
+define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
+define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
+define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
+define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
+define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
+define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
+define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
+define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
+define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
+define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
+define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
+define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
+define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
+define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
+define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
+define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
+define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
+define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
+define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
+define(`DRM_IOCTL_RES_CTX', `0xc0106426')
+define(`DRM_IOCTL_RM_CTX', `0xc0086421')
+define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
+define(`DRM_IOCTL_RM_MAP', `0x4028641b')
+define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
+define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
+define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
+define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
+define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
+define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
+define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
+define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
+define(`DRM_IOCTL_SG_FREE', `0x40106439')
+define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
+define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
+define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
+define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
+define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
+define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
+define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
+define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
+define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
+define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
+define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
+define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
+define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
+define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
+define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
+define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
+define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
+define(`DRM_IOCTL_UNLOCK', `0x4008642b')
+define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
+define(`DRM_IOCTL_VERSION', `0xc0406400')
+define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
+define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
+define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
+define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
+define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
+define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
+define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
+define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
+define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
+define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
+define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
+define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
+define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
+define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
+define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
+define(`DVD_AUTH', `0x00005392')
+define(`DVD_READ_STRUCT', `0x00005390')
+define(`DVD_WRITE_STRUCT', `0x00005391')
+define(`ECCGETLAYOUT', `0x81484d11')
+define(`ECCGETSTATS', `0x80104d12')
+define(`ENI_MEMDUMP', `0x40106160')
+define(`ENI_SETMULT', `0x40106167')
+define(`EVIOCGEFFECTS', `0x80044584')
+define(`EVIOCGID', `0x80084502')
+define(`EVIOCGKEYCODE', `0x80084504')
+define(`EVIOCGKEYCODE_V2', `0x80284504')
+define(`EVIOCGRAB', `0x40044590')
+define(`EVIOCGREP', `0x80084503')
+define(`EVIOCGVERSION', `0x80044501')
+define(`EVIOCREVOKE', `0x40044591')
+define(`EVIOCRMFF', `0x40044581')
+define(`EVIOCSCLOCKID', `0x400445a0')
+define(`EVIOCSFF', `0x40304580')
+define(`EVIOCSKEYCODE', `0x40084504')
+define(`EVIOCSKEYCODE_V2', `0x40284504')
+define(`EVIOCSREP', `0x40084503')
+define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
+define(`F2FS_IOC_COMMIT_ATOMIC_WRITE', `0xf502')
+define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
+define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
+define(`F2FS_IOC_ABORT_VOLATILE_WRITE', `0xf505')
+define(`F2FS_IOC_GARBAGE_COLLECT', `0xf506')
+define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
+define(`F2FS_IOC_DEFRAGMENT', `0xf508')
+define(`F2FS_IOC_MOVE_RANGE', `0xf509')
+define(`F2FS_IOC_FLUSH_DEVICE', `0xf50a')
+define(`F2FS_IOC_GARBAGE_COLLECT_RANGE', `0xf50b')
+define(`F2FS_IOC_GET_FEATURES', `0xf50c')
+define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
+define(`F2FS_IOC_GET_PIN_FILE', `0xf50e')
+define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
+define(`F2FS_IOC_RESIZE_FS', `0xf510')
+define(`F2FS_IOC_GET_COMPRESS_BLOCKS', `0xf511')
+define(`F2FS_IOC_RELEASE_COMPRESS_BLOCKS', `0xf512')
+define(`F2FS_IOC_RESERVE_COMPRESS_BLOCKS', `0xf513')
+define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
+define(`F2FS_IOC_GET_COMPRESS_OPTION', `0xf515')
+define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
+define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
+define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
+define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
+define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
+define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
+define(`FBIGET_BRIGHTNESS', `0x80044603')
+define(`FBIGET_COLOR', `0x80044605')
+define(`FBIO_ALLOC', `0x00004613')
+define(`FBIOBLANK', `0x00004611')
+define(`FBIO_CURSOR', `0xc0684608')
+define(`FBIO_FREE', `0x00004614')
+define(`FBIOGETCMAP', `0x00004604')
+define(`FBIOGET_CON2FBMAP', `0x0000460f')
+define(`FBIOGET_CONTRAST', `0x80044601')
+define(`FBIO_GETCONTROL2', `0x80084689')
+define(`FBIOGET_DISPINFO', `0x00004618')
+define(`FBIOGET_FSCREENINFO', `0x00004602')
+define(`FBIOGET_GLYPH', `0x00004615')
+define(`FBIOGET_HWCINFO', `0x00004616')
+define(`FBIOGET_VBLANK', `0x80204612')
+define(`FBIOGET_VSCREENINFO', `0x00004600')
+define(`FBIOPAN_DISPLAY', `0x00004606')
+define(`FBIOPUTCMAP', `0x00004605')
+define(`FBIOPUT_CON2FBMAP', `0x00004610')
+define(`FBIOPUT_CONTRAST', `0x40044602')
+define(`FBIOPUT_MODEINFO', `0x00004617')
+define(`FBIOPUT_VSCREENINFO', `0x00004601')
+define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
+define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
+define(`FBIO_WAITEVENT', `0x00004688')
+define(`FBIO_WAITFORVSYNC', `0x40044620')
+define(`FBIPUT_BRIGHTNESS', `0x40044603')
+define(`FBIPUT_COLOR', `0x40044606')
+define(`FBIPUT_HSYNC', `0x40044609')
+define(`FBIPUT_VSYNC', `0x4004460a')
+define(`FDCLRPRM', `0x00000241')
+define(`FDDEFPRM', `0x40200243')
+define(`FDEJECT', `0x0000025a')
+define(`FDFLUSH', `0x0000024b')
+define(`FDFMTBEG', `0x00000247')
+define(`FDFMTEND', `0x00000249')
+define(`FDFMTTRK', `0x400c0248')
+define(`FDGETDRVPRM', `0x80800211')
+define(`FDGETDRVSTAT', `0x80500212')
+define(`FDGETDRVTYP', `0x8010020f')
+define(`FDGETFDCSTAT', `0x80280215')
+define(`FDGETMAXERRS', `0x8014020e')
+define(`FDGETPRM', `0x80200204')
+define(`FDMSGOFF', `0x00000246')
+define(`FDMSGON', `0x00000245')
+define(`FDPOLLDRVSTAT', `0x80500213')
+define(`FDRAWCMD', `0x00000258')
+define(`FDRESET', `0x00000254')
+define(`FDSETDRVPRM', `0x40800290')
+define(`FDSETEMSGTRESH', `0x0000024a')
+define(`FDSETMAXERRS', `0x4014024c')
+define(`FDSETPRM', `0x40200242')
+define(`FDTWADDLE', `0x00000259')
+define(`FDWERRORCLR', `0x00000256')
+define(`FDWERRORGET', `0x80280217')
+define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
+define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
+define(`FE_DISEQC_SEND_BURST', `0x00006f41')
+define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
+define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
+define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
+define(`FE_GET_EVENT', `0x80286f4e')
+define(`FE_GET_FRONTEND', `0x80246f4d')
+define(`FE_GET_INFO', `0x80a86f3d')
+define(`FE_GET_PROPERTY', `0x80106f53')
+define(`FE_READ_BER', `0x80046f46')
+define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
+define(`FE_READ_SNR', `0x80026f48')
+define(`FE_READ_STATUS', `0x80046f45')
+define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
+define(`FE_SET_FRONTEND', `0x40246f4c')
+define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
+define(`FE_SET_PROPERTY', `0x40106f52')
+define(`FE_SET_TONE', `0x00006f42')
+define(`FE_SET_VOLTAGE', `0x00006f43')
+define(`FIBMAP', `0x00000001')
+define(`FIFREEZE', `0xc0045877')
+define(`FIGETBSZ', `0x00000002')
+define(`FIOASYNC', `0x00005452')
+define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
+define(`FIOGETOWN', `0x00008903')
+define(`FIONBIO', `0x00005421')
+define(`FIONCLEX', ifelse(target_arch, mips, 0x00006602, 0x00005450))
+define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
+define(`FIOQSIZE', `0x00005460')
+define(`FIOSETOWN', `0x00008901')
+define(`FITHAW', `0xc0045878')
+define(`FITRIM', `0xc0185879')
+define(`FS_IOC32_GETFLAGS', `0x80046601')
+define(`FS_IOC32_GETVERSION', `0x80047601')
+define(`FS_IOC32_SETFLAGS', `0x40046602')
+define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
+define(`FS_IOC_ENABLE_VERITY', `0x6685')
+define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`FS_IOC_FSGETXATTR', `0x801c581f')
+define(`FS_IOC_FSSETXATTR', `0x401c5820')
+define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
+define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
+define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
+define(`FS_IOC_GETFLAGS', `0x80086601')
+define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
+define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
+define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
+define(`FS_IOC_SETFLAGS', `0x40086602')
+define(`FS_IOC_SETVERSION', `0x40087602')
+define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
+define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
+define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
+define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
+define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
+define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
+define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
+define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
+define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
+define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
+define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
+define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
+define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
+define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
+define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
+define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
+define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
+define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
+define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
+define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
+define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
+define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
+define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
+define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
+define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
+define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
+define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
+define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
+define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
+define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
+define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
+define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
+define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
+define(`GADGETFS_CLEAR_HALT', `0x00006703')
+define(`GADGETFS_FIFO_FLUSH', `0x00006702')
+define(`GADGETFS_FIFO_STATUS', `0x00006701')
+define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
+define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
+define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
+define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
+define(`GENWQE_GET_CARD_STATE', `0x8004a524')
+define(`GENWQE_PIN_MEM', `0xc020a528')
+define(`GENWQE_READ_REG16', `0x8010a522')
+define(`GENWQE_READ_REG32', `0x8010a520')
+define(`GENWQE_READ_REG64', `0x8010a51e')
+define(`GENWQE_SLU_READ', `0xc038a551')
+define(`GENWQE_SLU_UPDATE', `0xc038a550')
+define(`GENWQE_UNPIN_MEM', `0xc020a529')
+define(`GENWQE_WRITE_REG16', `0x4010a523')
+define(`GENWQE_WRITE_REG32', `0x4010a521')
+define(`GENWQE_WRITE_REG64', `0x4010a51f')
+define(`GET_ARRAY_INFO', `0x80480911')
+define(`GET_BITMAP_FILE', `0x90000915')
+define(`GET_DISK_INFO', `0x80140912')
+define(`GIGASET_BRKCHARS', `0x40064702')
+define(`GIGASET_CONFIG', `0xc0044701')
+define(`GIGASET_REDIR', `0xc0044700')
+define(`GIGASET_VERSION', `0xc0104703')
+define(`GIO_CMAP', `0x00004b70')
+define(`GIO_FONT', `0x00004b60')
+define(`GIO_FONTX', `0x00004b6b')
+define(`GIO_SCRNMAP', `0x00004b40')
+define(`GIO_UNIMAP', `0x00004b66')
+define(`GIO_UNISCRNMAP', `0x00004b69')
+define(`GSMIOC_DISABLE_NET', `0x00004703')
+define(`GSMIOC_ENABLE_NET', `0x40344702')
+define(`GSMIOC_GETCONF', `0x804c4700')
+define(`GSMIOC_SETCONF', `0x404c4701')
+define(`HCIBLOCKADDR', `0x400448e6')
+define(`HCIDEVDOWN', `0x400448ca')
+define(`HCIDEVRESET', `0x400448cb')
+define(`HCIDEVRESTAT', `0x400448cc')
+define(`HCIDEVUP', `0x400448c9')
+define(`HCIGETAUTHINFO', `0x800448d7')
+define(`HCIGETCONNINFO', `0x800448d5')
+define(`HCIGETCONNLIST', `0x800448d4')
+define(`HCIGETDEVINFO', `0x800448d3')
+define(`HCIGETDEVLIST', `0x800448d2')
+define(`HCIINQUIRY', `0x800448f0')
+define(`HCISETACLMTU', `0x400448e3')
+define(`HCISETAUTH', `0x400448de')
+define(`HCISETENCRYPT', `0x400448df')
+define(`HCISETLINKMODE', `0x400448e2')
+define(`HCISETLINKPOL', `0x400448e1')
+define(`HCISETPTYPE', `0x400448e0')
+define(`HCISETRAW', `0x400448dc')
+define(`HCISETSCAN', `0x400448dd')
+define(`HCISETSCOMTU', `0x400448e4')
+define(`HCIUNBLOCKADDR', `0x400448e7')
+define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
+define(`HDA_IOCTL_PVERSION', `0x80044810')
+define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
+define(`HDIO_DRIVE_CMD', `0x0000031f')
+define(`HDIO_DRIVE_RESET', `0x0000031c')
+define(`HDIO_DRIVE_TASK', `0x0000031e')
+define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
+define(`HDIO_GET_32BIT', `0x00000309')
+define(`HDIO_GET_ACOUSTIC', `0x0000030f')
+define(`HDIO_GET_ADDRESS', `0x00000310')
+define(`HDIO_GET_BUSSTATE', `0x0000031a')
+define(`HDIO_GET_DMA', `0x0000030b')
+define(`HDIO_GETGEO', `0x00000301')
+define(`HDIO_GET_IDENTITY', `0x0000030d')
+define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
+define(`HDIO_GET_MULTCOUNT', `0x00000304')
+define(`HDIO_GET_NICE', `0x0000030c')
+define(`HDIO_GET_NOWERR', `0x0000030a')
+define(`HDIO_GET_QDMA', `0x00000305')
+define(`HDIO_GET_UNMASKINTR', `0x00000302')
+define(`HDIO_GET_WCACHE', `0x0000030e')
+define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
+define(`HDIO_SCAN_HWIF', `0x00000328')
+define(`HDIO_SET_32BIT', `0x00000324')
+define(`HDIO_SET_ACOUSTIC', `0x0000032c')
+define(`HDIO_SET_ADDRESS', `0x0000032f')
+define(`HDIO_SET_BUSSTATE', `0x0000032d')
+define(`HDIO_SET_DMA', `0x00000326')
+define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
+define(`HDIO_SET_MULTCOUNT', `0x00000321')
+define(`HDIO_SET_NICE', `0x00000329')
+define(`HDIO_SET_NOWERR', `0x00000325')
+define(`HDIO_SET_PIO_MODE', `0x00000327')
+define(`HDIO_SET_QDMA', `0x0000032e')
+define(`HDIO_SET_UNMASKINTR', `0x00000322')
+define(`HDIO_SET_WCACHE', `0x0000032b')
+define(`HDIO_SET_XFER', `0x00000306')
+define(`HDIO_TRISTATE_HWIF', `0x0000031b')
+define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
+define(`HE_GET_REG', `0x40106160')
+define(`HIDIOCAPPLICATION', `0x00004802')
+define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
+define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
+define(`HIDIOCGDEVINFO', `0x801c4803')
+define(`HIDIOCGFIELDINFO', `0xc038480a')
+define(`HIDIOCGFLAG', `0x8004480e')
+define(`HIDIOCGRAWINFO', `0x80084803')
+define(`HIDIOCGRDESC', `0x90044802')
+define(`HIDIOCGRDESCSIZE', `0x80044801')
+define(`HIDIOCGREPORT', `0x400c4807')
+define(`HIDIOCGREPORTINFO', `0xc00c4809')
+define(`HIDIOCGSTRING', `0x81044804')
+define(`HIDIOCGUCODE', `0xc018480d')
+define(`HIDIOCGUSAGE', `0xc018480b')
+define(`HIDIOCGUSAGES', `0xd01c4813')
+define(`HIDIOCGVERSION', `0x80044801')
+define(`HIDIOCINITREPORT', `0x00004805')
+define(`HIDIOCSFLAG', `0x4004480f')
+define(`HIDIOCSREPORT', `0x400c4808')
+define(`HIDIOCSUSAGE', `0x4018480c')
+define(`HIDIOCSUSAGES', `0x501c4814')
+define(`HOT_ADD_DISK', `0x00000928')
+define(`HOT_GENERATE_ERROR', `0x0000092a')
+define(`HOT_REMOVE_DISK', `0x00000922')
+define(`HPET_DPI', `0x00006805')
+define(`HPET_EPI', `0x00006804')
+define(`HPET_IE_OFF', `0x00006802')
+define(`HPET_IE_ON', `0x00006801')
+define(`HPET_INFO', `0x80186803')
+define(`HPET_IRQFREQ', `0x40086806')
+define(`HSC_GET_RX', `0x400c6b14')
+define(`HSC_GET_TX', `0x40106b16')
+define(`HSC_RESET', `0x00006b10')
+define(`HSC_SEND_BREAK', `0x00006b12')
+define(`HSC_SET_PM', `0x00006b11')
+define(`HSC_SET_RX', `0x400c6b13')
+define(`HSC_SET_TX', `0x40106b15')
+define(`I2OEVTGET', `0x8068690b')
+define(`I2OEVTREG', `0x400c690a')
+define(`I2OGETIOPS', `0x80206900')
+define(`I2OHRTGET', `0xc0186901')
+define(`I2OHTML', `0xc0306909')
+define(`I2OLCTGET', `0xc0186902')
+define(`I2OPARMGET', `0xc0286904')
+define(`I2OPARMSET', `0xc0286903')
+define(`I2OPASSTHRU', `0x8010690c')
+define(`I2OPASSTHRU32', `0x8008690c')
+define(`I2OSWDEL', `0xc0306907')
+define(`I2OSWDL', `0xc0306905')
+define(`I2OSWUL', `0xc0306906')
+define(`I2OVALIDATE', `0x80046908')
+define(`I8K_BIOS_VERSION', `0x80046980')
+define(`I8K_FN_STATUS', `0x80086983')
+define(`I8K_GET_FAN', `0xc0086986')
+define(`I8K_GET_SPEED', `0xc0086985')
+define(`I8K_GET_TEMP', `0x80086984')
+define(`I8K_MACHINE_ID', `0x80046981')
+define(`I8K_POWER_STATUS', `0x80086982')
+define(`I8K_SET_FAN', `0xc0086987')
+define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
+define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
+define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
+define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
+define(`IDT77105_GETSTAT', `0x40106132')
+define(`IDT77105_GETSTATZ', `0x40106133')
+define(`IIOCDBGVAR', `0x0000497f')
+define(`IIOCDRVCTL', `0x00004980')
+define(`IIOCGETCPS', `0x00004915')
+define(`IIOCGETDVR', `0x00004916')
+define(`IIOCGETMAP', `0x00004911')
+define(`IIOCGETPRF', `0x0000490f')
+define(`IIOCGETSET', `0x00004908')
+define(`IIOCNETAIF', `0x00004901')
+define(`IIOCNETALN', `0x00004920')
+define(`IIOCNETANM', `0x00004905')
+define(`IIOCNETASL', `0x00004913')
+define(`IIOCNETDIF', `0x00004902')
+define(`IIOCNETDIL', `0x00004914')
+define(`IIOCNETDLN', `0x00004921')
+define(`IIOCNETDNM', `0x00004906')
+define(`IIOCNETDWRSET', `0x00004918')
+define(`IIOCNETGCF', `0x00004904')
+define(`IIOCNETGNM', `0x00004907')
+define(`IIOCNETGPN', `0x00004922')
+define(`IIOCNETHUP', `0x0000490b')
+define(`IIOCNETLCR', `0x00004917')
+define(`IIOCNETSCF', `0x00004903')
+define(`IIOCSETBRJ', `0x0000490d')
+define(`IIOCSETGST', `0x0000490c')
+define(`IIOCSETMAP', `0x00004912')
+define(`IIOCSETPRF', `0x00004910')
+define(`IIOCSETSET', `0x00004909')
+define(`IIOCSETVER', `0x0000490a')
+define(`IIOCSIGPRF', `0x0000490e')
+define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
+define(`IMADDTIMER', `0x80044940')
+define(`IMCLEAR_L2', `0x80044946')
+define(`IMCTRLREQ', `0x80044945')
+define(`IMDELTIMER', `0x80044941')
+define(`IMGETCOUNT', `0x80044943')
+define(`IMGETDEVINFO', `0x80044944')
+define(`IMGETVERSION', `0x80044942')
+define(`IMHOLD_L1', `0x80044948')
+define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
+define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
+define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
+define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
+define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
+define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
+define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
+define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
+define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
+define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
+define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
+define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
+define(`IOCTL_EVTCHN_RESET', `0x00004505')
+define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
+define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
+define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
+define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
+define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
+define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
+define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
+define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
+define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
+define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
+define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
+define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
+define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
+define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
+define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
+define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
+define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
+define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
+define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
+define(`IOCTL_VMCI_VERSION', `0x0000079f')
+define(`IOCTL_VMCI_VERSION2', `0x000007a7')
+define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
+define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
+define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
+define(`ION_IOC_ALLOC', `0xc0204900')
+define(`ION_IOC_CUSTOM', `0xc0104906')
+define(`ION_IOC_FREE', `0xc0044901')
+define(`ION_IOC_IMPORT', `0xc0084905')
+define(`ION_IOC_MAP', `0xc0084902')
+define(`ION_IOC_SHARE', `0xc0084904')
+define(`ION_IOC_SYNC', `0xc0084907')
+define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
+define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
+define(`ION_IOC_TEST_SET_FD', `0x000049f0')
+define(`IOW_GETINFO', `0x8028c003')
+define(`IOW_READ', `0x4008c002')
+define(`IOW_WRITE', `0x4008c001')
+define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
+define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
+define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
+define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
+define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
+define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
+define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
+define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
+define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
+define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
+define(`IPMICTL_SEND_COMMAND', `0x8028690d')
+define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
+define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
+define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
+define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
+define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
+define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
+define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
+define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
+define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
+define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
+define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
+define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
+define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
+define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
+define(`IXJCTL_AEC_START', `0x400471cb')
+define(`IXJCTL_AEC_STOP', `0x000071cc')
+define(`IXJCTL_CARDTYPE', `0x800471c1')
+define(`IXJCTL_CID', `0x800871d4')
+define(`IXJCTL_CIDCW', `0x400871d9')
+define(`IXJCTL_DAA_AGAIN', `0x400471d2')
+define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
+define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
+define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
+define(`IXJCTL_DSP_IDLE', `0x000071c5')
+define(`IXJCTL_DSP_RESET', `0x000071c0')
+define(`IXJCTL_DSP_TYPE', `0x800471c3')
+define(`IXJCTL_DSP_VERSION', `0x800471c4')
+define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
+define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
+define(`IXJCTL_FRAMES_READ', `0x800871e2')
+define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
+define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
+define(`IXJCTL_HZ', `0x400471e0')
+define(`IXJCTL_INIT_TONE', `0x400871c9')
+define(`IXJCTL_INTERCOM_START', `0x400471fd')
+define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
+define(`IXJCTL_MIXER', `0x400471cf')
+define(`IXJCTL_PLAY_CID', `0x000071d7')
+define(`IXJCTL_PORT', `0x400471d1')
+define(`IXJCTL_POTS_PSTN', `0x400471d5')
+define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
+define(`IXJCTL_RATE', `0x400471e1')
+define(`IXJCTL_READ_WAIT', `0x800871e4')
+define(`IXJCTL_SC_RXG', `0x400471ea')
+define(`IXJCTL_SC_TXG', `0x400471eb')
+define(`IXJCTL_SERIAL', `0x800471c2')
+define(`IXJCTL_SET_FILTER', `0x400871c7')
+define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
+define(`IXJCTL_SET_LED', `0x400471ce')
+define(`IXJCTL_SIGCTL', `0x400871e9')
+define(`IXJCTL_TESTRAM', `0x000071c6')
+define(`IXJCTL_TONE_CADENCE', `0x400871ca')
+define(`IXJCTL_VERSION', `0x800871da')
+define(`IXJCTL_VMWI', `0x800471d8')
+define(`IXJCTL_WRITE_WAIT', `0x800871e5')
+define(`JSIOCGAXES', `0x80016a11')
+define(`JSIOCGAXMAP', `0x80406a32')
+define(`JSIOCGBTNMAP', `0x84006a34')
+define(`JSIOCGBUTTONS', `0x80016a12')
+define(`JSIOCGCORR', `0x80246a22')
+define(`JSIOCGVERSION', `0x80046a01')
+define(`JSIOCSAXMAP', `0x40406a31')
+define(`JSIOCSBTNMAP', `0x44006a33')
+define(`JSIOCSCORR', `0x40246a21')
+define(`KCOV_DISABLE', `0x00006365')
+define(`KCOV_ENABLE', `0x00006364')
+define(`KCOV_INIT_TRACE', `0x80086301')
+define(`KDADDIO', `0x00004b34')
+define(`KDDELIO', `0x00004b35')
+define(`KDDISABIO', `0x00004b37')
+define(`KDENABIO', `0x00004b36')
+define(`KDFONTOP', `0x00004b72')
+define(`KDGETKEYCODE', `0x00004b4c')
+define(`KDGETLED', `0x00004b31')
+define(`KDGETMODE', `0x00004b3b')
+define(`KDGKBDIACR', `0x00004b4a')
+define(`KDGKBDIACRUC', `0x00004bfa')
+define(`KDGKBENT', `0x00004b46')
+define(`KDGKBLED', `0x00004b64')
+define(`KDGKBMETA', `0x00004b62')
+define(`KDGKBMODE', `0x00004b44')
+define(`KDGKBSENT', `0x00004b48')
+define(`KDGKBTYPE', `0x00004b33')
+define(`KDKBDREP', `0x00004b52')
+define(`KDMAPDISP', `0x00004b3c')
+define(`KDMKTONE', `0x00004b30')
+define(`KDSETKEYCODE', `0x00004b4d')
+define(`KDSETLED', `0x00004b32')
+define(`KDSETMODE', `0x00004b3a')
+define(`KDSIGACCEPT', `0x00004b4e')
+define(`KDSKBDIACR', `0x00004b4b')
+define(`KDSKBDIACRUC', `0x00004bfb')
+define(`KDSKBENT', `0x00004b47')
+define(`KDSKBLED', `0x00004b65')
+define(`KDSKBMETA', `0x00004b63')
+define(`KDSKBMODE', `0x00004b45')
+define(`KDSKBSENT', `0x00004b49')
+define(`KDUNMAPDISP', `0x00004b3d')
+define(`KIOCSOUND', `0x00004b2f')
+define(`KVM_ALLOCATE_RMA', `0x8008aea9')
+define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
+define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
+define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
+define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
+define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
+define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
+define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
+define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
+define(`KVM_CHECK_EXTENSION', `0x0000ae03')
+define(`KVM_CREATE_DEVICE', `0xc00caee0')
+define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
+define(`KVM_CREATE_PIT', `0x0000ae64')
+define(`KVM_CREATE_PIT2', `0x4040ae77')
+define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
+define(`KVM_CREATE_VCPU', `0x0000ae41')
+define(`KVM_CREATE_VM', `0x0000ae01')
+define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
+define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
+define(`KVM_DIRTY_TLB', `0x4010aeaa')
+define(`KVM_ENABLE_CAP', `0x4068aea3')
+define(`KVM_GET_API_VERSION', `0x0000ae00')
+define(`KVM_GET_CLOCK', `0x8030ae7c')
+define(`KVM_GET_CPUID2', `0xc008ae91')
+define(`KVM_GET_DEBUGREGS', `0x8080aea1')
+define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
+define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
+define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
+define(`KVM_GET_FPU', `0x81a0ae8c')
+define(`KVM_GET_IRQCHIP', `0xc208ae62')
+define(`KVM_GET_LAPIC', `0x8400ae8e')
+define(`KVM_GET_MP_STATE', `0x8004ae98')
+define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
+define(`KVM_GET_MSRS', `0xc008ae88')
+define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
+define(`KVM_GET_ONE_REG', `0x4010aeab')
+define(`KVM_GET_PIT', `0xc048ae65')
+define(`KVM_GET_PIT2', `0x8070ae9f')
+define(`KVM_GET_REG_LIST', `0xc008aeb0')
+define(`KVM_GET_REGS', `0x8090ae81')
+define(`KVM_GET_SREGS', `0x8138ae83')
+define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
+define(`KVM_GET_TSC_KHZ', `0x0000aea3')
+define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
+define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
+define(`KVM_GET_XCRS', `0x8188aea6')
+define(`KVM_GET_XSAVE', `0x9000aea4')
+define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
+define(`KVM_INTERRUPT', `0x4004ae86')
+define(`KVM_IOEVENTFD', `0x4040ae79')
+define(`KVM_IRQFD', `0x4020ae76')
+define(`KVM_IRQ_LINE', `0x4008ae61')
+define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
+define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
+define(`KVM_NMI', `0x0000ae9a')
+define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
+define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
+define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
+define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
+define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
+define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
+define(`KVM_REINJECT_CONTROL', `0x0000ae71')
+define(`KVM_RUN', `0x0000ae80')
+define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
+define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
+define(`KVM_S390_INTERRUPT', `0x4010ae94')
+define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
+define(`KVM_S390_STORE_STATUS', `0x4008ae95')
+define(`KVM_S390_UCAS_MAP', `0x4018ae50')
+define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
+define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
+define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
+define(`KVM_SET_CLOCK', `0x4030ae7b')
+define(`KVM_SET_CPUID', `0x4008ae8a')
+define(`KVM_SET_CPUID2', `0x4008ae90')
+define(`KVM_SET_DEBUGREGS', `0x4080aea2')
+define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
+define(`KVM_SET_FPU', `0x41a0ae8d')
+define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
+define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
+define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
+define(`KVM_SET_IRQCHIP', `0x8208ae63')
+define(`KVM_SET_LAPIC', `0x4400ae8f')
+define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
+define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
+define(`KVM_SET_MP_STATE', `0x4004ae99')
+define(`KVM_SET_MSRS', `0x4008ae89')
+define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
+define(`KVM_SET_ONE_REG', `0x4010aeac')
+define(`KVM_SET_PIT', `0x8048ae66')
+define(`KVM_SET_PIT2', `0x4070aea0')
+define(`KVM_SET_REGS', `0x4090ae82')
+define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
+define(`KVM_SET_SREGS', `0x4138ae84')
+define(`KVM_SET_TSC_KHZ', `0x0000aea2')
+define(`KVM_SET_TSS_ADDR', `0x0000ae47')
+define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
+define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
+define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
+define(`KVM_SET_XCRS', `0x4188aea7')
+define(`KVM_SET_XSAVE', `0x5000aea5')
+define(`KVM_SIGNAL_MSI', `0x4020aea5')
+define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
+define(`KVM_TRANSLATE', `0xc018ae85')
+define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
+define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
+define(`KVM_X86_SET_MCE', `0x4040ae9e')
+define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
+define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
+define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
+define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
+define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
+define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
+define(`KYRO_IOCTL_STRIDE', `0x00006b05')
+define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
+define(`LIRC_GET_FEATURES', `0x80046900')
+define(`LIRC_GET_LENGTH', `0x8004690f')
+define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
+define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
+define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
+define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
+define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
+define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
+define(`LIRC_GET_REC_CARRIER', `0x80046904')
+define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
+define(`LIRC_GET_REC_MODE', `0x80046902')
+define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
+define(`LIRC_GET_SEND_CARRIER', `0x80046903')
+define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
+define(`LIRC_GET_SEND_MODE', `0x80046901')
+define(`LIRC_NOTIFY_DECODE', `0x00006920')
+define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
+define(`LIRC_SET_REC_CARRIER', `0x40046914')
+define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
+define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
+define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
+define(`LIRC_SET_REC_FILTER', `0x4004691c')
+define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
+define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
+define(`LIRC_SET_REC_MODE', `0x40046912')
+define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
+define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
+define(`LIRC_SET_SEND_CARRIER', `0x40046913')
+define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
+define(`LIRC_SET_SEND_MODE', `0x40046911')
+define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
+define(`LIRC_SETUP_END', `0x00006922')
+define(`LIRC_SETUP_START', `0x00006921')
+define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
+define(`LOGGER_FLUSH_LOG', `0x0000ae04')
+define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
+define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
+define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
+define(`LOGGER_GET_VERSION', `0x0000ae05')
+define(`LOGGER_SET_VERSION', `0x0000ae06')
+define(`LOOP_CHANGE_FD', `0x00004c06')
+define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_CONFIGURE', `0x00004c0a')
+define(`LOOP_CTL_ADD', `0x00004c80')
+define(`LOOP_CTL_GET_FREE', `0x00004c82')
+define(`LOOP_CTL_REMOVE', `0x00004c81')
+define(`LOOP_GET_STATUS', `0x00004c03')
+define(`LOOP_GET_STATUS64', `0x00004c05')
+define(`LOOP_SET_BLOCK_SIZE', `0x00004c09')
+define(`LOOP_SET_CAPACITY', `0x00004c07')
+define(`LOOP_SET_DIRECT_IO', `0x00004c08')
+define(`LOOP_SET_FD', `0x00004c00')
+define(`LOOP_SET_STATUS', `0x00004c02')
+define(`LOOP_SET_STATUS64', `0x00004c04')
+define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
+define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
+define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
+define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
+define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
+define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
+define(`MBXFB_IOCG_ALPHA', `0x8018f401')
+define(`MBXFB_IOCS_ALPHA', `0x4018f402')
+define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
+define(`MBXFB_IOCS_REG', `0x400cf404')
+define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
+define(`MBXFB_IOCX_REG', `0xc00cf405')
+define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
+define(`MCE_GET_LOG_LEN', `0x80044d02')
+define(`MCE_GET_RECORD_LEN', `0x80044d01')
+define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
+define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
+define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
+define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
+define(`MEMERASE', `0x40084d02')
+define(`MEMERASE64', `0x40104d14')
+define(`MEMGETBADBLOCK', `0x40084d0b')
+define(`MEMGETINFO', `0x80204d01')
+define(`MEMGETOOBSEL', `0x80c84d0a')
+define(`MEMGETREGIONCOUNT', `0x80044d07')
+define(`MEMGETREGIONINFO', `0xc0104d08')
+define(`MEMISLOCKED', `0x80084d17')
+define(`MEMLOCK', `0x40084d05')
+define(`MEMREADOOB', `0xc0104d04')
+define(`MEMREADOOB64', `0xc0184d16')
+define(`MEMSETBADBLOCK', `0x40084d0c')
+define(`MEMUNLOCK', `0x40084d06')
+define(`MEMWRITE', `0xc0304d18')
+define(`MEMWRITEOOB', `0xc0104d03')
+define(`MEMWRITEOOB64', `0xc0184d15')
+define(`MEYEIOC_G_PARAMS', `0x800676c0')
+define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
+define(`MEYEIOC_S_PARAMS', `0x400676c1')
+define(`MEYEIOC_STILLCAPT', `0x000076c4')
+define(`MEYEIOC_STILLJCAPT', `0x800476c5')
+define(`MEYEIOC_SYNC', `0xc00476c3')
+define(`MFB_GET_ALPHA', `0x80014d00')
+define(`MFB_GET_AOID', `0x80084d04')
+define(`MFB_GET_GAMMA', `0x80014d01')
+define(`MFB_GET_PIXFMT', `0x80044d08')
+define(`MFB_SET_ALPHA', `0x40014d00')
+define(`MFB_SET_AOID', `0x40084d04')
+define(`MFB_SET_BRIGHTNESS', `0x40014d03')
+define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
+define(`MFB_SET_GAMMA', `0x40014d01')
+define(`MFB_SET_PIXFMT', `0x40044d08')
+define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
+define(`MGSL_IOCGGPIO', `0x80106d11')
+define(`MGSL_IOCGIF', `0x00006d0b')
+define(`MGSL_IOCGPARAMS', `0x80306d01')
+define(`MGSL_IOCGSTATS', `0x00006d07')
+define(`MGSL_IOCGTXIDLE', `0x00006d03')
+define(`MGSL_IOCGXCTRL', `0x00006d16')
+define(`MGSL_IOCGXSYNC', `0x00006d14')
+define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
+define(`MGSL_IOCRXENABLE', `0x00006d05')
+define(`MGSL_IOCSGPIO', `0x40106d10')
+define(`MGSL_IOCSIF', `0x00006d0a')
+define(`MGSL_IOCSPARAMS', `0x40306d00')
+define(`MGSL_IOCSTXIDLE', `0x00006d02')
+define(`MGSL_IOCSXCTRL', `0x00006d15')
+define(`MGSL_IOCSXSYNC', `0x00006d13')
+define(`MGSL_IOCTXABORT', `0x00006d06')
+define(`MGSL_IOCTXENABLE', `0x00006d04')
+define(`MGSL_IOCWAITEVENT', `0xc0046d08')
+define(`MGSL_IOCWAITGPIO', `0xc0106d12')
+define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
+define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
+define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
+define(`MMC_IOC_CMD', `0xc048b300')
+define(`MMTIMER_GETBITS', `0x00006d04')
+define(`MMTIMER_GETCOUNTER', `0x80086d09')
+define(`MMTIMER_GETFREQ', `0x80086d02')
+define(`MMTIMER_GETOFFSET', `0x00006d00')
+define(`MMTIMER_GETRES', `0x80086d01')
+define(`MMTIMER_MMAPAVAIL', `0x00006d06')
+define(`MSMFB_BLIT', `0x40046d02')
+define(`MSMFB_GRP_DISP', `0x40046d01')
+define(`MTDFILEMODE', `0x00004d13')
+define(`MTIOCGET', `0x80306d02')
+define(`MTIOCPOS', `0x80086d03')
+define(`MTIOCTOP', `0x40086d01')
+define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
+define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
+define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
+define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
+define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
+define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
+define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
+define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
+define(`MTRRIOC_SET_ENTRY', `0x40104d01')
+define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
+define(`NBD_CLEAR_QUE', `0x0000ab05')
+define(`NBD_CLEAR_SOCK', `0x0000ab04')
+define(`NBD_DISCONNECT', `0x0000ab08')
+define(`NBD_DO_IT', `0x0000ab03')
+define(`NBD_PRINT_DEBUG', `0x0000ab06')
+define(`NBD_SET_BLKSIZE', `0x0000ab01')
+define(`NBD_SET_FLAGS', `0x0000ab0a')
+define(`NBD_SET_SIZE', `0x0000ab02')
+define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
+define(`NBD_SET_SOCK', `0x0000ab00')
+define(`NBD_SET_TIMEOUT', `0x0000ab09')
+define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
+define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
+define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
+define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
+define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
+define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
+define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
+define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
+define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
+define(`NCP_IOC_GETROOT', `0x400c6e08')
+define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
+define(`NCP_IOC_NCPREQUEST', `0x80106e01')
+define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
+define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
+define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
+define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
+define(`NCP_IOC_SETROOT', `0x800c6e08')
+define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
+define(`NCP_IOC_SIGN_INIT', `0x80186e05')
+define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
+define(`NET_ADD_IF', `0xc0066f34')
+define(`NET_GET_IF', `0xc0066f36')
+define(`NET_REMOVE_IF', `0x00006f35')
+define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
+define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
+define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
+define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
+define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
+define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
+define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
+define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
+define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
+define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
+define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
+define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
+define(`NILFS_IOCTL_SYNC', `0x80086e8a')
+define(`NS_ADJBUFLEV', `0x00006163')
+define(`NS_GETPSTAT', `0xc0106161')
+define(`NS_SETBUFLEV', `0x40106162')
+define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
+define(`NVME_IOCTL_ID', `0x00004e40')
+define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
+define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
+define(`NVRAM_INIT', `0x00007040')
+define(`NVRAM_SETCKS', `0x00007041')
+define(`OLD_PHONE_RING_START', `0x00007187')
+define(`OMAPFB_CTRL_TEST', `0x40044f2e')
+define(`OMAPFB_GET_CAPS', `0x800c4f2a')
+define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
+define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
+define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
+define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
+define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
+define(`OMAPFB_LCD_TEST', `0x40044f2d')
+define(`OMAPFB_MEMORY_READ', `0x80184f3a')
+define(`OMAPFB_MIRROR', `0x40044f1f')
+define(`OMAPFB_QUERY_MEM', `0x40084f38')
+define(`OMAPFB_QUERY_PLANE', `0x40444f35')
+define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
+define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
+define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
+define(`OMAPFB_SETUP_MEM', `0x40084f37')
+define(`OMAPFB_SETUP_PLANE', `0x40444f34')
+define(`OMAPFB_SYNC_GFX', `0x00004f25')
+define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
+define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
+define(`OMAPFB_VSYNC', `0x00004f26')
+define(`OMAPFB_WAITFORGO', `0x00004f3c')
+define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
+define(`OSD_GET_CAPABILITY', `0x80106fa1')
+define(`OSD_SEND_CMD', `0x40206fa0')
+define(`OSIOCGNETADDR', `0x800489e1')
+define(`OSIOCSNETADDR', `0x400489e0')
+define(`OSS_GETVERSION', `0x80044d76')
+define(`OTPGETREGIONCOUNT', `0x40044d0e')
+define(`OTPGETREGIONINFO', `0x400c4d0f')
+define(`OTPLOCK', `0x800c4d10')
+define(`OTPSELECT', `0x80044d0d')
+define(`PACKET_CTRL_CMD', `0xc0185801')
+define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
+define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
+define(`PERF_EVENT_IOC_ID', `0x80082407')
+define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
+define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
+define(`PERF_EVENT_IOC_RESET', `0x00002403')
+define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
+define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
+define(`PHN_GET_REG', `0xc0087000')
+define(`PHN_GETREG', `0xc0087005')
+define(`PHN_GET_REGS', `0xc0087002')
+define(`PHN_GETREGS', `0xc0287007')
+define(`PHN_NOT_OH', `0x00007004')
+define(`PHN_SET_REG', `0x40087001')
+define(`PHN_SETREG', `0x40087006')
+define(`PHN_SET_REGS', `0x40087003')
+define(`PHN_SETREGS', `0x40287008')
+define(`PHONE_BUSY', `0x000071a1')
+define(`PHONE_CAPABILITIES', `0x00007180')
+define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
+define(`PHONE_CAPABILITIES_LIST', `0x80087181')
+define(`PHONE_CPT_STOP', `0x000071a4')
+define(`PHONE_DIALTONE', `0x000071a3')
+define(`PHONE_DTMF_OOB', `0x40047199')
+define(`PHONE_DTMF_READY', `0x80047196')
+define(`PHONE_EXCEPTION', `0x8004719a')
+define(`PHONE_FRAME', `0x4004718d')
+define(`PHONE_GET_DTMF', `0x80047197')
+define(`PHONE_GET_DTMF_ASCII', `0x80047198')
+define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
+define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
+define(`PHONE_GET_TONE_STATE', `0x000071a0')
+define(`PHONE_HOOKSTATE', `0x00007184')
+define(`PHONE_MAXRINGS', `0x40017185')
+define(`PHONE_PLAY_CODEC', `0x40047190')
+define(`PHONE_PLAY_DEPTH', `0x40047193')
+define(`PHONE_PLAY_LEVEL', `0x00007195')
+define(`PHONE_PLAY_START', `0x00007191')
+define(`PHONE_PLAY_STOP', `0x00007192')
+define(`PHONE_PLAY_TONE', `0x4001719b')
+define(`PHONE_PLAY_VOLUME', `0x40047194')
+define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
+define(`PHONE_PSTN_GET_STATE', `0x000071a5')
+define(`PHONE_PSTN_LINETEST', `0x000071a8')
+define(`PHONE_PSTN_SET_STATE', `0x400471a4')
+define(`PHONE_QUERY_CODEC', `0xc00871a7')
+define(`PHONE_REC_CODEC', `0x40047189')
+define(`PHONE_REC_DEPTH', `0x4004718c')
+define(`PHONE_REC_LEVEL', `0x0000718f')
+define(`PHONE_REC_START', `0x0000718a')
+define(`PHONE_REC_STOP', `0x0000718b')
+define(`PHONE_REC_VOLUME', `0x4004718e')
+define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
+define(`PHONE_RING', `0x00007183')
+define(`PHONE_RINGBACK', `0x000071a2')
+define(`PHONE_RING_CADENCE', `0x40027186')
+define(`PHONE_RING_START', `0x40087187')
+define(`PHONE_RING_STOP', `0x00007188')
+define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
+define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
+define(`PHONE_VAD', `0x400471a9')
+define(`PHONE_WINK', `0x400471aa')
+define(`PHONE_WINK_DURATION', `0x400471a6')
+define(`PIO_CMAP', `0x00004b71')
+define(`PIO_FONT', `0x00004b61')
+define(`PIO_FONTRESET', `0x00004b6d')
+define(`PIO_FONTX', `0x00004b6c')
+define(`PIO_SCRNMAP', `0x00004b41')
+define(`PIO_UNIMAP', `0x00004b67')
+define(`PIO_UNIMAPCLR', `0x00004b68')
+define(`PIO_UNISCRNMAP', `0x00004b6a')
+define(`PMU_IOC_CAN_SLEEP', `0x80084205')
+define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
+define(`PMU_IOC_GET_MODEL', `0x80084203')
+define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
+define(`PMU_IOC_HAS_ADB', `0x80084204')
+define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
+define(`PMU_IOC_SLEEP', `0x00004200')
+define(`PPCLAIM', `0x0000708b')
+define(`PPCLRIRQ', `0x80047093')
+define(`PPDATADIR', `0x40047090')
+define(`PPEXCL', `0x0000708f')
+define(`PPFCONTROL', `0x4002708e')
+define(`PPGETFLAGS', `0x8004709a')
+define(`PPGETMODE', `0x80047098')
+define(`PPGETMODES', `0x80047097')
+define(`PPGETPHASE', `0x80047099')
+define(`PPGETTIME', `0x80107095')
+define(`PPNEGOT', `0x40047091')
+define(`PPPIOCATTACH', `0x743d')
+define(`PPPIOCATTCHAN', `0x7438')
+define(`PPPIOCBUNDLE', `0x7481')
+define(`PPPIOCCONNECT', `0x743a')
+define(`PPPIOCDETACH', `0x743c')
+define(`PPPIOCDISCONN', `0x7439')
+define(`PPPIOCGASYNCMAP', `0x7458')
+define(`PPPIOCGCALLINFO', `0x7480')
+define(`PPPIOCGCHAN', `0x7437')
+define(`PPPIOCGCOMPRESSORS', `0x7486')
+define(`PPPIOCGDEBUG', `0x7441')
+define(`PPPIOCGFLAGS', `0x745a')
+define(`PPPIOCGIDLE', `0x743f')
+define(`PPPIOCGIFNAME', `0x7488')
+define(`PPPIOCGL2TPSTATS', `0x7436')
+define(`PPPIOCGMPFLAGS', `0x7482')
+define(`PPPIOCGMRU', `0x7453')
+define(`PPPIOCGNPMODE', `0x744c')
+define(`PPPIOCGRASYNCMAP', `0x7455')
+define(`PPPIOCGUNIT', `0x7456')
+define(`PPPIOCGXASYNCMAP', `0x7450')
+define(`PPPIOCNEWUNIT', `0x743e')
+define(`PPPIOCSACTIVE', `0x7446')
+define(`PPPIOCSASYNCMAP', `0x7457')
+define(`PPPIOCSCOMPRESS', `0x744d')
+define(`PPPIOCSCOMPRESSOR', `0x7487')
+define(`PPPIOCSDEBUG', `0x7440')
+define(`PPPIOCSFLAGS', `0x7459')
+define(`PPPIOCSMAXCID', `0x7451')
+define(`PPPIOCSMPFLAGS', `0x7483')
+define(`PPPIOCSMPMRU', `0x7485')
+define(`PPPIOCSMPMTU', `0x7484')
+define(`PPPIOCSMRRU', `0x743b')
+define(`PPPIOCSMRU', `0x7452')
+define(`PPPIOCSNPMODE', `0x744b')
+define(`PPPIOCSPASS', `0x7447')
+define(`PPPIOCSRASYNCMAP', `0x7454')
+define(`PPPIOCSXASYNCMAP', `0x744f')
+define(`PPPIOCXFERUNIT', `0x744e')
+define(`PPPOEIOCDFWD', `0x0000b101')
+define(`PPPOEIOCSFWD', `0x4008b100')
+define(`PPRCONTROL', `0x80017083')
+define(`PPRDATA', `0x80017085')
+define(`PPRELEASE', `0x0000708c')
+define(`PPRSTATUS', `0x80017081')
+define(`PPSETFLAGS', `0x4004709b')
+define(`PPSETMODE', `0x40047080')
+define(`PPSETPHASE', `0x40047094')
+define(`PPSETTIME', `0x40107096')
+define(`PPS_FETCH', `0xc00870a4')
+define(`PPS_GETCAP', `0x800870a3')
+define(`PPS_GETPARAMS', `0x800870a1')
+define(`PPS_KC_BIND', `0x400870a5')
+define(`PPS_SETPARAMS', `0x400870a2')
+define(`PPWCONTROL', `0x40017084')
+define(`PPWCTLONIRQ', `0x40017092')
+define(`PPWDATA', `0x40017086')
+define(`PPYIELD', `0x0000708d')
+define(`PROTECT_ARRAY', `0x00000927')
+define(`PTP_CLOCK_GETCAPS', `0x80503d01')
+define(`PTP_ENABLE_PPS', `0x40043d04')
+define(`PTP_EXTTS_REQUEST', `0x40103d02')
+define(`PTP_PEROUT_REQUEST', `0x40383d03')
+define(`PTP_PIN_GETFUNC', `0xc0603d06')
+define(`PTP_PIN_SETFUNC', `0x40603d07')
+define(`PTP_SYS_OFFSET', `0x43403d05')
+define(`RAID_AUTORUN', `0x00000914')
+define(`RAID_VERSION', `0x800c0910')
+define(`RAW_GETBIND', `0x0000ac01')
+define(`RAW_SETBIND', `0x0000ac00')
+define(`REISERFS_IOC_UNPACK', `0x4008cd01')
+define(`RESTART_ARRAY_RW', `0x00000934')
+define(`RFCOMMCREATEDEV', `0x400452c8')
+define(`RFCOMMGETDEVINFO', `0x800452d3')
+define(`RFCOMMGETDEVLIST', `0x800452d2')
+define(`RFCOMMRELEASEDEV', `0x400452c9')
+define(`RFCOMMSTEALDLC', `0x400452dc')
+define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
+define(`RNDADDENTROPY', `0x40085203')
+define(`RNDADDTOENTCNT', `0x40045201')
+define(`RNDCLEARPOOL', `0x00005206')
+define(`RNDGETENTCNT', `0x80045200')
+define(`RNDGETPOOL', `0x80085202')
+define(`RNDZAPENTCNT', `0x00005204')
+define(`ROCCATIOCGREPSIZE', `0x800448f1')
+define(`RTC_AIE_OFF', `0x00007002')
+define(`RTC_AIE_ON', `0x00007001')
+define(`RTC_ALM_READ', `0x80247008')
+define(`RTC_ALM_SET', `0x40247007')
+define(`RTC_EPOCH_READ', `0x8008700d')
+define(`RTC_EPOCH_SET', `0x4008700e')
+define(`RTC_IRQP_READ', `0x8008700b')
+define(`RTC_IRQP_SET', `0x4008700c')
+define(`RTC_PIE_OFF', `0x00007006')
+define(`RTC_PIE_ON', `0x00007005')
+define(`RTC_PLL_GET', `0x80207011')
+define(`RTC_PLL_SET', `0x40207012')
+define(`RTC_RD_TIME', `0x80247009')
+define(`RTC_SET_TIME', `0x4024700a')
+define(`RTC_UIE_OFF', `0x00007004')
+define(`RTC_UIE_ON', `0x00007003')
+define(`RTC_VL_CLR', `0x00007014')
+define(`RTC_VL_READ', `0x80047013')
+define(`RTC_WIE_OFF', `0x00007010')
+define(`RTC_WIE_ON', `0x0000700f')
+define(`RTC_WKALM_RD', `0x80287010')
+define(`RTC_WKALM_SET', `0x4028700f')
+define(`RUN_ARRAY', `0x400c0930')
+define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
+define(`SAA6588_CMD_CLOSE', `0x40045202')
+define(`SAA6588_CMD_POLL', `0x80045204')
+define(`SAA6588_CMD_READ', `0x80045203')
+define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
+define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
+define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
+define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
+define(`SCSI_IOCTL_GET_PCI', `0x00005387')
+define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
+define(`SET_ARRAY_INFO', `0x40480923')
+define(`SET_BITMAP_FILE', `0x4004092b')
+define(`SET_DISK_FAULTY', `0x00000929')
+define(`SET_DISK_INFO', `0x00000924')
+define(`SG_EMULATED_HOST', `0x00002203')
+define(`SG_GET_ACCESS_COUNT', `0x00002289')
+define(`SG_GET_COMMAND_Q', `0x00002270')
+define(`SG_GET_KEEP_ORPHAN', `0x00002288')
+define(`SG_GET_LOW_DMA', `0x0000227a')
+define(`SG_GET_NUM_WAITING', `0x0000227d')
+define(`SG_GET_PACK_ID', `0x0000227c')
+define(`SG_GET_REQUEST_TABLE', `0x00002286')
+define(`SG_GET_RESERVED_SIZE', `0x00002272')
+define(`SG_GET_SCSI_ID', `0x00002276')
+define(`SG_GET_SG_TABLESIZE', `0x0000227f')
+define(`SG_GET_TIMEOUT', `0x00002202')
+define(`SG_GET_TRANSFORM', `0x00002205')
+define(`SG_GET_VERSION_NUM', `0x00002282')
+define(`SG_IO', `0x00002285')
+define(`SG_NEXT_CMD_LEN', `0x00002283')
+define(`SG_SCSI_RESET', `0x00002284')
+define(`SG_SET_COMMAND_Q', `0x00002271')
+define(`SG_SET_DEBUG', `0x0000227e')
+define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
+define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
+define(`SG_SET_KEEP_ORPHAN', `0x00002287')
+define(`SG_SET_RESERVED_SIZE', `0x00002275')
+define(`SG_SET_TIMEOUT', `0x00002201')
+define(`SG_SET_TRANSFORM', `0x00002204')
+define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
+define(`SIOCADDDLCI', `0x00008980')
+define(`SIOCADDMULTI', `0x00008931')
+define(`SIOCADDRT', `0x0000890b')
+define(`SIOCATMARK', `0x00008905')
+define(`SIOCBONDCHANGEACTIVE', `0x00008995')
+define(`SIOCBONDENSLAVE', `0x00008990')
+define(`SIOCBONDINFOQUERY', `0x00008994')
+define(`SIOCBONDRELEASE', `0x00008991')
+define(`SIOCBONDSETHWADDR', `0x00008992')
+define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
+define(`SIOCBRADDBR', `0x000089a0')
+define(`SIOCBRADDIF', `0x000089a2')
+define(`SIOCBRDELBR', `0x000089a1')
+define(`SIOCBRDELIF', `0x000089a3')
+define(`SIOCDARP', `0x00008953')
+define(`SIOCDELDLCI', `0x00008981')
+define(`SIOCDELMULTI', `0x00008932')
+define(`SIOCDELRT', `0x0000890c')
+define(`SIOCDEVPRIVATE', `0x000089f0')
+define(`SIOCDEVPRIVATE_1', `0x000089f1')
+define(`SIOCDEVPRIVATE_2', `0x000089f2')
+define(`SIOCDEVPRIVATE_3', `0x000089f3')
+define(`SIOCDEVPRIVATE_4', `0x000089f4')
+define(`SIOCDEVPRIVATE_5', `0x000089f5')
+define(`SIOCDEVPRIVATE_6', `0x000089f6')
+define(`SIOCDEVPRIVATE_7', `0x000089f7')
+define(`SIOCDEVPRIVATE_8', `0x000089f8')
+define(`SIOCDEVPRIVATE_9', `0x000089f9')
+define(`SIOCDEVPRIVATE_A', `0x000089fa')
+define(`SIOCDEVPRIVATE_B', `0x000089fb')
+define(`SIOCDEVPRIVATE_C', `0x000089fc')
+define(`SIOCDEVPRIVATE_D', `0x000089fd')
+define(`SIOCDEVPRIVATE_E', `0x000089fe')
+define(`SIOCDEVPRIVLAST', `0x000089ff')
+define(`SIOCDIFADDR', `0x00008936')
+define(`SIOCDRARP', `0x00008960')
+define(`SIOCETHTOOL', `0x00008946')
+define(`SIOCGARP', `0x00008954')
+define(`SIOCGHWTSTAMP', `0x000089b1')
+define(`SIOCGIFADDR', `0x00008915')
+define(`SIOCGIFBR', `0x00008940')
+define(`SIOCGIFBRDADDR', `0x00008919')
+define(`SIOCGIFCONF', `0x00008912')
+define(`SIOCGIFCOUNT', `0x00008938')
+define(`SIOCGIFDSTADDR', `0x00008917')
+define(`SIOCGIFENCAP', `0x00008925')
+define(`SIOCGIFFLAGS', `0x00008913')
+define(`SIOCGIFHWADDR', `0x00008927')
+define(`SIOCGIFINDEX', `0x00008933')
+define(`SIOCGIFMAP', `0x00008970')
+define(`SIOCGIFMEM', `0x0000891f')
+define(`SIOCGIFMETRIC', `0x0000891d')
+define(`SIOCGIFMTU', `0x00008921')
+define(`SIOCGIFNAME', `0x00008910')
+define(`SIOCGIFNETMASK', `0x0000891b')
+define(`SIOCGIFPFLAGS', `0x00008935')
+define(`SIOCGIFSLAVE', `0x00008929')
+define(`SIOCGIFTXQLEN', `0x00008942')
+define(`SIOCGIFVLAN', `0x00008982')
+define(`SIOCGIWAP', `0x00008b15')
+define(`SIOCGIWAPLIST', `0x00008b17')
+define(`SIOCGIWAUTH', `0x00008b33')
+define(`SIOCGIWENCODE', `0x00008b2b')
+define(`SIOCGIWENCODEEXT', `0x00008b35')
+define(`SIOCGIWESSID', `0x00008b1b')
+define(`SIOCGIWFRAG', `0x00008b25')
+define(`SIOCGIWFREQ', `0x00008b05')
+define(`SIOCGIWGENIE', `0x00008b31')
+define(`SIOCGIWMODE', `0x00008b07')
+define(`SIOCGIWNAME', `0x00008b01')
+define(`SIOCGIWNICKN', `0x00008b1d')
+define(`SIOCGIWNWID', `0x00008b03')
+define(`SIOCGIWPOWER', `0x00008b2d')
+define(`SIOCGIWPRIV', `0x00008b0d')
+define(`SIOCGIWRANGE', `0x00008b0b')
+define(`SIOCGIWRATE', `0x00008b21')
+define(`SIOCGIWRETRY', `0x00008b29')
+define(`SIOCGIWRTS', `0x00008b23')
+define(`SIOCGIWSCAN', `0x00008b19')
+define(`SIOCGIWSENS', `0x00008b09')
+define(`SIOCGIWSPY', `0x00008b11')
+define(`SIOCGIWSTATS', `0x00008b0f')
+define(`SIOCGIWTHRSPY', `0x00008b13')
+define(`SIOCGIWTXPOW', `0x00008b27')
+define(`SIOCGMIIPHY', `0x00008947')
+define(`SIOCGMIIREG', `0x00008948')
+define(`SIOCGNETADDR', `0x800489e1')
+define(`SIOCGPGRP', `0x00008904')
+define(`SIOCGRARP', `0x00008961')
+define(`SIOCGSTAMP', `0x00008906')
+define(`SIOCGSTAMPNS', `0x00008907')
+define(`SIOCIWFIRST', `0x00008b00')
+define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
+define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
+define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
+define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
+define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
+define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
+define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
+define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
+define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
+define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
+define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
+define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
+define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
+define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
+define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
+define(`SIOCIWFIRSTPRIV', `0x00008be0')
+define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
+define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
+define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
+define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
+define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
+define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
+define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
+define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
+define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
+define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
+define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
+define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
+define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
+define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
+define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
+define(`SIOCIWLASTPRIV', `0x00008bff')
+define(`SIOCKILLADDR', `0x00008939')
+define(`SIOCMKCLIP', `0x000061e0')
+define(`SIOCOUTQNSD', `0x0000894b')
+define(`SIOCPROTOPRIVATE', `0x000089e0')
+define(`SIOCPROTOPRIVATE_1', `0x000089e1')
+define(`SIOCPROTOPRIVATE_2', `0x000089e2')
+define(`SIOCPROTOPRIVATE_3', `0x000089e3')
+define(`SIOCPROTOPRIVATE_4', `0x000089e4')
+define(`SIOCPROTOPRIVATE_5', `0x000089e5')
+define(`SIOCPROTOPRIVATE_6', `0x000089e6')
+define(`SIOCPROTOPRIVATE_7', `0x000089e7')
+define(`SIOCPROTOPRIVATE_8', `0x000089e8')
+define(`SIOCPROTOPRIVATE_9', `0x000089e9')
+define(`SIOCPROTOPRIVATE_A', `0x000089ea')
+define(`SIOCPROTOPRIVATE_B', `0x000089eb')
+define(`SIOCPROTOPRIVATE_C', `0x000089ec')
+define(`SIOCPROTOPRIVATE_D', `0x000089ed')
+define(`SIOCPROTOPRIVATE_E', `0x000089ee')
+define(`SIOCPROTOPRIVLAST', `0x000089ef')
+define(`SIOCRTMSG', `0x0000890d')
+define(`SIOCSARP', `0x00008955')
+define(`SIOCSHWTSTAMP', `0x000089b0')
+define(`SIOCSIFADDR', `0x00008916')
+define(`SIOCSIFATMTCP', `0x00006180')
+define(`SIOCSIFBR', `0x00008941')
+define(`SIOCSIFBRDADDR', `0x0000891a')
+define(`SIOCSIFDSTADDR', `0x00008918')
+define(`SIOCSIFENCAP', `0x00008926')
+define(`SIOCSIFFLAGS', `0x00008914')
+define(`SIOCSIFHWADDR', `0x00008924')
+define(`SIOCSIFHWBROADCAST', `0x00008937')
+define(`SIOCSIFLINK', `0x00008911')
+define(`SIOCSIFMAP', `0x00008971')
+define(`SIOCSIFMEM', `0x00008920')
+define(`SIOCSIFMETRIC', `0x0000891e')
+define(`SIOCSIFMTU', `0x00008922')
+define(`SIOCSIFNAME', `0x00008923')
+define(`SIOCSIFNETMASK', `0x0000891c')
+define(`SIOCSIFPFLAGS', `0x00008934')
+define(`SIOCSIFSLAVE', `0x00008930')
+define(`SIOCSIFTXQLEN', `0x00008943')
+define(`SIOCSIFVLAN', `0x00008983')
+define(`SIOCSIWAP', `0x00008b14')
+define(`SIOCSIWAUTH', `0x00008b32')
+define(`SIOCSIWCOMMIT', `0x00008b00')
+define(`SIOCSIWENCODE', `0x00008b2a')
+define(`SIOCSIWENCODEEXT', `0x00008b34')
+define(`SIOCSIWESSID', `0x00008b1a')
+define(`SIOCSIWFRAG', `0x00008b24')
+define(`SIOCSIWFREQ', `0x00008b04')
+define(`SIOCSIWGENIE', `0x00008b30')
+define(`SIOCSIWMLME', `0x00008b16')
+define(`SIOCSIWMODE', `0x00008b06')
+define(`SIOCSIWNICKN', `0x00008b1c')
+define(`SIOCSIWNWID', `0x00008b02')
+define(`SIOCSIWPMKSA', `0x00008b36')
+define(`SIOCSIWPOWER', `0x00008b2c')
+define(`SIOCSIWPRIV', `0x00008b0c')
+define(`SIOCSIWRANGE', `0x00008b0a')
+define(`SIOCSIWRATE', `0x00008b20')
+define(`SIOCSIWRETRY', `0x00008b28')
+define(`SIOCSIWRTS', `0x00008b22')
+define(`SIOCSIWSCAN', `0x00008b18')
+define(`SIOCSIWSENS', `0x00008b08')
+define(`SIOCSIWSPY', `0x00008b10')
+define(`SIOCSIWSTATS', `0x00008b0e')
+define(`SIOCSIWTHRSPY', `0x00008b12')
+define(`SIOCSIWTXPOW', `0x00008b26')
+define(`SIOCSMIIREG', `0x00008949')
+define(`SIOCSNETADDR', `0x400489e0')
+define(`SIOCSPGRP', `0x00008902')
+define(`SIOCSRARP', `0x00008962')
+define(`SIOCWANDEV', `0x0000894a')
+define(`SISFB_COMMAND', `0xc054f305')
+define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
+define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
+define(`SISFB_GET_INFO', `0x811cf301')
+define(`SISFB_GET_INFO_OLD', `0x80046ef8')
+define(`SISFB_GET_INFO_SIZE', `0x8004f300')
+define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
+define(`SISFB_GET_VBRSTATUS', `0x8004f302')
+define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
+define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
+define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
+define(`SISFB_SET_LOCK', `0x4004f306')
+define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
+define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
+define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
+define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
+define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
+define(`SNAPSHOT_FREE', `0x00003305')
+define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
+define(`SNAPSHOT_FREEZE', `0x00003301')
+define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
+define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
+define(`SNAPSHOT_POWER_OFF', `0x00003310')
+define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
+define(`SNAPSHOT_S2RAM', `0x0000330b')
+define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
+define(`SNAPSHOT_UNFREEZE', `0x00003302')
+define(`SNDCTL_COPR_HALT', `0xc0144307')
+define(`SNDCTL_COPR_LOAD', `0xcfb04301')
+define(`SNDCTL_COPR_RCODE', `0xc0144303')
+define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
+define(`SNDCTL_COPR_RDATA', `0xc0144302')
+define(`SNDCTL_COPR_RESET', `0x00004300')
+define(`SNDCTL_COPR_RUN', `0xc0144306')
+define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
+define(`SNDCTL_COPR_WCODE', `0x40144305')
+define(`SNDCTL_COPR_WDATA', `0x40144304')
+define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
+define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
+define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
+define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
+define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
+define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
+define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
+define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
+define(`SNDCTL_DSP_GETODELAY', `0x80045017')
+define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
+define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
+define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
+define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
+define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
+define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
+define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
+define(`SNDCTL_DSP_POST', `0x00005008')
+define(`SNDCTL_DSP_PROFILE', `0x40045017')
+define(`SNDCTL_DSP_RESET', `0x00005000')
+define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
+define(`SNDCTL_DSP_SETFMT', `0xc0045005')
+define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
+define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
+define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
+define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
+define(`SNDCTL_DSP_SPEED', `0xc0045002')
+define(`SNDCTL_DSP_STEREO', `0xc0045003')
+define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
+define(`SNDCTL_DSP_SYNC', `0x00005001')
+define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
+define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
+define(`SNDCTL_MIDI_INFO', `0xc074510c')
+define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
+define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
+define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
+define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
+define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
+define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
+define(`SNDCTL_SEQ_GETTIME', `0x80045113')
+define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
+define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
+define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
+define(`SNDCTL_SEQ_PANIC', `0x00005111')
+define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
+define(`SNDCTL_SEQ_RESET', `0x00005100')
+define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
+define(`SNDCTL_SEQ_SYNC', `0x00005101')
+define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
+define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
+define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
+define(`SNDCTL_SYNTH_ID', `0xc08c5114')
+define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
+define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
+define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
+define(`SNDCTL_TMR_CONTINUE', `0x00005404')
+define(`SNDCTL_TMR_METRONOME', `0x40045407')
+define(`SNDCTL_TMR_SELECT', `0x40045408')
+define(`SNDCTL_TMR_SOURCE', `0xc0045406')
+define(`SNDCTL_TMR_START', `0x00005402')
+define(`SNDCTL_TMR_STOP', `0x00005403')
+define(`SNDCTL_TMR_TEMPO', `0xc0045405')
+define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
+define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
+define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
+define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
+define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
+define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
+define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
+define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
+define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
+define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
+define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
+define(`SNDRV_COMPRESS_RESUME', `0x00004331')
+define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
+define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
+define(`SNDRV_COMPRESS_START', `0x00004332')
+define(`SNDRV_COMPRESS_STOP', `0x00004333')
+define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
+define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
+define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
+define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
+define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
+define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
+define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
+define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
+define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
+define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
+define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
+define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
+define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
+define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
+define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
+define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
+define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
+define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
+define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
+define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
+define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
+define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
+define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
+define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
+define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
+define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
+define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
+define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
+define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
+define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
+define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
+define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
+define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
+define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
+define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
+define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
+define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
+define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
+define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
+define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
+define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
+define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
+define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
+define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
+define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
+define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
+define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
+define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
+define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
+define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
+define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
+define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
+define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
+define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
+define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
+define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
+define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
+define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
+define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
+define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
+define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
+define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
+define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
+define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
+define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
+define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
+define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
+define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
+define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
+define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
+define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
+define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
+define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
+define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
+define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
+define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
+define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
+define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
+define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
+define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
+define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
+define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
+define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
+define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
+define(`SNDRV_PCM_IOCTL_START', `0x00004142')
+define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
+define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
+define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
+define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
+define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
+define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
+define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
+define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
+define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
+define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
+define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
+define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
+define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
+define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
+define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
+define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
+define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
+define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
+define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
+define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
+define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
+define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
+define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
+define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
+define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
+define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
+define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
+define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
+define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
+define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
+define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
+define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
+define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
+define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
+define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
+define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
+define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
+define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
+define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
+define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
+define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
+define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
+define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
+define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
+define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
+define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
+define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
+define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
+define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
+define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
+define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
+define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
+define(`SONET_CLRDIAG', `0xc0046113')
+define(`SONET_GETDIAG', `0x80046114')
+define(`SONET_GETFRAMING', `0x80046116')
+define(`SONET_GETFRSENSE', `0x80066117')
+define(`SONET_GETSTAT', `0x80246110')
+define(`SONET_GETSTATZ', `0x80246111')
+define(`SONET_SETDIAG', `0xc0046112')
+define(`SONET_SETFRAMING', `0x40046115')
+define(`SONYPI_IOCGBAT1CAP', `0x80027602')
+define(`SONYPI_IOCGBAT1REM', `0x80027603')
+define(`SONYPI_IOCGBAT2CAP', `0x80027604')
+define(`SONYPI_IOCGBAT2REM', `0x80027605')
+define(`SONYPI_IOCGBATFLAGS', `0x80017607')
+define(`SONYPI_IOCGBLUE', `0x80017608')
+define(`SONYPI_IOCGBRT', `0x80017600')
+define(`SONYPI_IOCGFAN', `0x8001760a')
+define(`SONYPI_IOCGTEMP', `0x8001760c')
+define(`SONYPI_IOCSBLUE', `0x40017609')
+define(`SONYPI_IOCSBRT', `0x40017600')
+define(`SONYPI_IOCSFAN', `0x4001760b')
+define(`SOUND_MIXER_3DSE', `0xc0044d68')
+define(`SOUND_MIXER_ACCESS', `0xc0804d66')
+define(`SOUND_MIXER_AGC', `0xc0044d67')
+define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
+define(`SOUND_MIXER_INFO', `0x805c4d65')
+define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
+define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
+define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
+define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
+define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
+define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
+define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
+define(`SOUND_PCM_READ_BITS', `0x80045005')
+define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
+define(`SOUND_PCM_READ_FILTER', `0x80045007')
+define(`SOUND_PCM_READ_RATE', `0x80045002')
+define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
+define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
+define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
+define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
+define(`SPI_IOC_RD_MODE', `0x80016b01')
+define(`SPI_IOC_RD_MODE32', `0x80046b05')
+define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
+define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
+define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
+define(`SPI_IOC_WR_MODE', `0x40016b01')
+define(`SPI_IOC_WR_MODE32', `0x40046b05')
+define(`SPIOCSTYPE', `0x40087101')
+define(`SSTFB_GET_VGAPASS', `0x800446dd')
+define(`SSTFB_SET_VGAPASS', `0x400446dd')
+define(`STOP_ARRAY', `0x00000932')
+define(`STOP_ARRAY_RO', `0x00000933')
+define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
+define(`SW_SYNC_IOC_INC', `0x40045701')
+define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
+define(`SYNC_IOC_MERGE', `0xc0283e01')
+define(`SYNC_IOC_WAIT', `0x40043e00')
+define(`TCFLSH', `0x0000540b')
+define(`TCGETA', `0x00005405')
+define(`TCGETS2', `0x802c542a')
+define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
+define(`TCGETX', `0x00005432')
+define(`TCSBRK', `0x00005409')
+define(`TCSBRKP', `0x00005425')
+define(`TCSETA', `0x00005406')
+define(`TCSETAF', `0x00005408')
+define(`TCSETAW', `0x00005407')
+define(`TCSETS', `0x00005402')
+define(`TCSETS2', `0x402c542b')
+define(`TCSETSF', `0x00005404')
+define(`TCSETSF2', `0x402c542d')
+define(`TCSETSW', `0x00005403')
+define(`TCSETSW2', `0x402c542c')
+define(`TCSETX', `0x00005433')
+define(`TCSETXF', `0x00005434')
+define(`TCSETXW', `0x00005435')
+define(`TCXONC', `0x0000540a')
+define(`TFD_IOC_SET_TICKS', `0x40085400')
+define(`TIOCCBRK', `0x00005428')
+define(`TIOCCONS', `0x0000541d')
+define(`TIOCEXCL', `0x0000540c')
+define(`TIOCGDEV', `0x80045432')
+define(`TIOCGETD', `0x00005424')
+define(`TIOCGEXCL', `0x80045440')
+define(`TIOCGICOUNT', `0x0000545d')
+define(`TIOCGLCKTRMIOS', `0x00005456')
+define(`TIOCGPGRP', `0x0000540f')
+define(`TIOCGPKT', `0x80045438')
+define(`TIOCGPTLCK', `0x80045439')
+define(`TIOCGPTN', `0x80045430')
+define(`TIOCGRS485', `0x0000542e')
+define(`TIOCGSERIAL', `0x0000541e')
+define(`TIOCGSID', `0x00005429')
+define(`TIOCGSOFTCAR', `0x00005419')
+define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
+define(`TIOCLINUX', `0x0000541c')
+define(`TIOCMBIC', `0x00005417')
+define(`TIOCMBIS', `0x00005416')
+define(`TIOCMGET', `0x00005415')
+define(`TIOCMIWAIT', `0x0000545c')
+define(`TIOCMSET', `0x00005418')
+define(`TIOCNOTTY', `0x00005422')
+define(`TIOCNXCL', `0x0000540d')
+define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
+define(`TIOCPKT', `0x00005420')
+define(`TIOCSBRK', `0x00005427')
+define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e))
+define(`TIOCSERCONFIG', `0x00005453')
+define(`TIOCSERGETLSR', `0x00005459')
+define(`TIOCSERGETMULTI', `0x0000545a')
+define(`TIOCSERGSTRUCT', `0x00005458')
+define(`TIOCSERGWILD', `0x00005454')
+define(`TIOCSERSETMULTI', `0x0000545b')
+define(`TIOCSERSWILD', `0x00005455')
+define(`TIOCSETD', `0x00005423')
+define(`TIOCSIG', `0x40045436')
+define(`TIOCSLCKTRMIOS', `0x00005457')
+define(`TIOCSPGRP', `0x00005410')
+define(`TIOCSPTLCK', `0x40045431')
+define(`TIOCSRS485', `0x0000542f')
+define(`TIOCSSERIAL', `0x0000541f')
+define(`TIOCSSOFTCAR', `0x0000541a')
+define(`TIOCSTI', `0x00005412')
+define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
+define(`TIOCVHANGUP', `0x00005437')
+define(`TOSH_SMM', `0xc0047490')
+define(`TUNATTACHFILTER', `0x401054d5')
+define(`TUNDETACHFILTER', `0x401054d6')
+define(`TUNER_SET_CONFIG', `0x4010645c')
+define(`TUNGETFEATURES', `0x800454cf')
+define(`TUNGETFILTER', `0x801054db')
+define(`TUNGETIFF', `0x800454d2')
+define(`TUNGETSNDBUF', `0x800454d3')
+define(`TUNGETVNETHDRSZ', `0x800454d7')
+define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETDEBUG', `0x400454c9')
+define(`TUNSETGROUP', `0x400454ce')
+define(`TUNSETIFF', `0x400454ca')
+define(`TUNSETIFINDEX', `0x400454da')
+define(`TUNSETLINK', `0x400454cd')
+define(`TUNSETNOCSUM', `0x400454c8')
+define(`TUNSETOFFLOAD', `0x400454d0')
+define(`TUNSETOWNER', `0x400454cc')
+define(`TUNSETPERSIST', `0x400454cb')
+define(`TUNSETQUEUE', `0x400454d9')
+define(`TUNSETSNDBUF', `0x400454d4')
+define(`TUNSETTXFILTER', `0x400454d1')
+define(`TUNSETVNETHDRSZ', `0x400454d8')
+define(`TUNSETVNETLE', `0x400454dc')
+define(`UBI_IOCATT', `0x40186f40')
+define(`UBI_IOCDET', `0x40046f41')
+define(`UBI_IOCEBCH', `0x40044f02')
+define(`UBI_IOCEBER', `0x40044f01')
+define(`UBI_IOCEBISMAP', `0x80044f05')
+define(`UBI_IOCEBMAP', `0x40084f03')
+define(`UBI_IOCEBUNMAP', `0x40044f04')
+define(`UBI_IOCMKVOL', `0x40986f00')
+define(`UBI_IOCRMVOL', `0x40046f01')
+define(`UBI_IOCRNVOL', `0x51106f03')
+define(`UBI_IOCRSVOL', `0x400c6f02')
+define(`UBI_IOCSETVOLPROP', `0x40104f06')
+define(`UBI_IOCVOLCRBLK', `0x40804f07')
+define(`UBI_IOCVOLRMBLK', `0x00004f08')
+define(`UBI_IOCVOLUP', `0x40084f00')
+define(`UDF_GETEABLOCK', `0x80086c41')
+define(`UDF_GETEASIZE', `0x80046c40')
+define(`UDF_GETVOLIDENT', `0x80086c42')
+define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
+define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
+define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
+define(`UI_DEV_CREATE', `0x00005501')
+define(`UI_DEV_DESTROY', `0x00005502')
+define(`UI_END_FF_ERASE', `0x400c55cb')
+define(`UI_END_FF_UPLOAD', `0x406855c9')
+define(`UI_GET_VERSION', `0x8004552d')
+define(`UI_SET_ABSBIT', `0x40045567')
+define(`UI_SET_EVBIT', `0x40045564')
+define(`UI_SET_FFBIT', `0x4004556b')
+define(`UI_SET_KEYBIT', `0x40045565')
+define(`UI_SET_LEDBIT', `0x40045569')
+define(`UI_SET_MSCBIT', `0x40045568')
+define(`UI_SET_PHYS', `0x4008556c')
+define(`UI_SET_PROPBIT', `0x4004556e')
+define(`UI_SET_RELBIT', `0x40045566')
+define(`UI_SET_SNDBIT', `0x4004556a')
+define(`UI_SET_SWBIT', `0x4004556d')
+define(`UNPROTECT_ARRAY', `0x00000926')
+define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
+define(`USBDEVFS_BULK', `0xc0185502')
+define(`USBDEVFS_BULK32', `0xc0105502')
+define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
+define(`USBDEVFS_CLAIM_PORT', `0x80045518')
+define(`USBDEVFS_CLEAR_HALT', `0x80045515')
+define(`USBDEVFS_CONNECT', `0x00005517')
+define(`USBDEVFS_CONNECTINFO', `0x40085511')
+define(`USBDEVFS_CONTROL', `0xc0185500')
+define(`USBDEVFS_CONTROL32', `0xc0105500')
+define(`USBDEVFS_DISCARDURB', `0x0000550b')
+define(`USBDEVFS_DISCONNECT', `0x00005516')
+define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
+define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
+define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
+define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
+define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
+define(`USBDEVFS_GETDRIVER', `0x41045508')
+define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
+define(`USBDEVFS_IOCTL', `0xc0105512')
+define(`USBDEVFS_IOCTL32', `0xc00c5512')
+define(`USBDEVFS_REAPURB', `0x4008550c')
+define(`USBDEVFS_REAPURB32', `0x4004550c')
+define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
+define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
+define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
+define(`USBDEVFS_RELEASE_PORT', `0x80045519')
+define(`USBDEVFS_RESET', `0x00005514')
+define(`USBDEVFS_RESETEP', `0x80045503')
+define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
+define(`USBDEVFS_SETINTERFACE', `0x80085504')
+define(`USBDEVFS_SUBMITURB', `0x8038550a')
+define(`USBDEVFS_SUBMITURB32', `0x802a550a')
+define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
+define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
+define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
+define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
+define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
+define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
+define(`UVCIOC_CTRL_MAP', `0xc0607520')
+define(`UVCIOC_CTRL_QUERY', `0xc0107521')
+define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
+define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
+define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
+define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
+define(`VFIO_CHECK_EXTENSION', `0x00003b65')
+define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
+define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
+define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
+define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
+define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
+define(`VFIO_DEVICE_RESET', `0x00003b6f')
+define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
+define(`VFIO_EEH_PE_OP', `0x00003b79')
+define(`VFIO_GET_API_VERSION', `0x00003b64')
+define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
+define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
+define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
+define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
+define(`VFIO_IOMMU_DISABLE', `0x00003b74')
+define(`VFIO_IOMMU_ENABLE', `0x00003b73')
+define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
+define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
+define(`VFIO_SET_IOMMU', `0x00003b66')
+define(`VHOST_GET_FEATURES', `0x8008af00')
+define(`VHOST_GET_VRING_BASE', `0xc008af12')
+define(`VHOST_NET_SET_BACKEND', `0x4008af30')
+define(`VHOST_RESET_OWNER', `0x0000af02')
+define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
+define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
+define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
+define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
+define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
+define(`VHOST_SET_FEATURES', `0x4008af00')
+define(`VHOST_SET_LOG_BASE', `0x4008af04')
+define(`VHOST_SET_LOG_FD', `0x4004af07')
+define(`VHOST_SET_MEM_TABLE', `0x4008af03')
+define(`VHOST_SET_OWNER', `0x0000af01')
+define(`VHOST_SET_VRING_ADDR', `0x4028af11')
+define(`VHOST_SET_VRING_BASE', `0x4008af12')
+define(`VHOST_SET_VRING_CALL', `0x4008af21')
+define(`VHOST_SET_VRING_ERR', `0x4008af22')
+define(`VHOST_SET_VRING_KICK', `0x4008af20')
+define(`VHOST_SET_VRING_NUM', `0x4008af10')
+define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
+define(`VIDEO_COMMAND', `0xc0486f3b')
+define(`VIDEO_CONTINUE', `0x00006f18')
+define(`VIDEO_FAST_FORWARD', `0x00006f1f')
+define(`VIDEO_FREEZE', `0x00006f17')
+define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
+define(`VIDEO_GET_EVENT', `0x80206f1c')
+define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
+define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
+define(`VIDEO_GET_NAVI', `0x84046f34')
+define(`VIDEO_GET_PTS', `0x80086f39')
+define(`VIDEO_GET_SIZE', `0x800c6f37')
+define(`VIDEO_GET_STATUS', `0x80146f1b')
+define(`VIDEO_PLAY', `0x00006f16')
+define(`VIDEO_SELECT_SOURCE', `0x00006f19')
+define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
+define(`VIDEO_SET_BLANK', `0x00006f1a')
+define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
+define(`VIDEO_SET_FORMAT', `0x00006f25')
+define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
+define(`VIDEO_SET_ID', `0x00006f23')
+define(`VIDEO_SET_SPU', `0x40086f32')
+define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
+define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
+define(`VIDEO_SET_SYSTEM', `0x00006f26')
+define(`VIDEO_SLOWMOTION', `0x00006f20')
+define(`VIDEO_STILLPICTURE', `0x40106f1e')
+define(`VIDEO_STOP', `0x00006f15')
+define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
+define(`VIDIOC_CREATE_BUFS', `0xc100565c')
+define(`VIDIOC_CROPCAP', `0xc02c563a')
+define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
+define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
+define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
+define(`VIDIOC_DECODER_CMD', `0xc0485660')
+define(`VIDIOC_DQBUF', `0xc0585611')
+define(`VIDIOC_DQEVENT', `0x80885659')
+define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_ENCODER_CMD', `0xc028564d')
+define(`VIDIOC_ENUMAUDIO', `0xc0345641')
+define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
+define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
+define(`VIDIOC_ENUM_FMT', `0xc0405602')
+define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
+define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
+define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
+define(`VIDIOC_ENUMINPUT', `0xc050561a')
+define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
+define(`VIDIOC_ENUMSTD', `0xc0485619')
+define(`VIDIOC_EXPBUF', `0xc0405610')
+define(`VIDIOC_G_AUDIO', `0x80345621')
+define(`VIDIOC_G_AUDOUT', `0x80345631')
+define(`VIDIOC_G_CROP', `0xc014563b')
+define(`VIDIOC_G_CTRL', `0xc008561b')
+define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
+define(`VIDIOC_G_EDID', `0xc0285628')
+define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
+define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
+define(`VIDIOC_G_FBUF', `0x8030560a')
+define(`VIDIOC_G_FMT', `0xc0d05604')
+define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
+define(`VIDIOC_G_INPUT', `0x80045626')
+define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
+define(`VIDIOC_G_MODULATOR', `0xc0445636')
+define(`VIDIOC_G_OUTPUT', `0x8004562e')
+define(`VIDIOC_G_PARM', `0xc0cc5615')
+define(`VIDIOC_G_PRIORITY', `0x80045643')
+define(`VIDIOC_G_SELECTION', `0xc040565e')
+define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
+define(`VIDIOC_G_STD', `0x80085617')
+define(`VIDIOC_G_TUNER', `0xc054561d')
+define(`VIDIOC_INT_RESET', `0x40046466')
+define(`VIDIOC_LOG_STATUS', `0x00005646')
+define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
+define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
+define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
+define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
+define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
+define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
+define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
+define(`VIDIOC_OVERLAY', `0x4004560e')
+define(`VIDIOC_PREPARE_BUF', `0xc058565d')
+define(`VIDIOC_QBUF', `0xc058560f')
+define(`VIDIOC_QUERYBUF', `0xc0585609')
+define(`VIDIOC_QUERYCAP', `0x80685600')
+define(`VIDIOC_QUERYCTRL', `0xc0445624')
+define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
+define(`VIDIOC_QUERYMENU', `0xc02c5625')
+define(`VIDIOC_QUERYSTD', `0x8008563f')
+define(`VIDIOC_REQBUFS', `0xc0145608')
+define(`VIDIOC_RESERVED', `0x00005601')
+define(`VIDIOC_S_AUDIO', `0x40345622')
+define(`VIDIOC_S_AUDOUT', `0x40345632')
+define(`VIDIOC_S_CROP', `0x4014563c')
+define(`VIDIOC_S_CTRL', `0xc008561c')
+define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_S_EDID', `0xc0285629')
+define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
+define(`VIDIOC_S_FBUF', `0x4030560b')
+define(`VIDIOC_S_FMT', `0xc0d05605')
+define(`VIDIOC_S_FREQUENCY', `0x402c5639')
+define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
+define(`VIDIOC_S_INPUT', `0xc0045627')
+define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
+define(`VIDIOC_S_MODULATOR', `0x40445637')
+define(`VIDIOC_S_OUTPUT', `0xc004562f')
+define(`VIDIOC_S_PARM', `0xc0cc5616')
+define(`VIDIOC_S_PRIORITY', `0x40045644')
+define(`VIDIOC_S_SELECTION', `0xc040565f')
+define(`VIDIOC_S_STD', `0x40085618')
+define(`VIDIOC_STREAMOFF', `0x40045613')
+define(`VIDIOC_STREAMON', `0x40045612')
+define(`VIDIOC_S_TUNER', `0x4054561e')
+define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
+define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
+define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
+define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
+define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
+define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
+define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
+define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
+define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
+define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
+define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
+define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
+define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
+define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
+define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
+define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
+define(`VIDIOC_TRY_FMT', `0xc0d05640')
+define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
+define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
+define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
+define(`VT_ACTIVATE', `0x00005606')
+define(`VT_DISALLOCATE', `0x00005608')
+define(`VT_GETHIFONTMASK', `0x0000560d')
+define(`VT_GETMODE', `0x00005601')
+define(`VT_GETSTATE', `0x00005603')
+define(`VT_LOCKSWITCH', `0x0000560b')
+define(`VT_OPENQRY', `0x00005600')
+define(`VT_RELDISP', `0x00005605')
+define(`VT_RESIZE', `0x00005609')
+define(`VT_RESIZEX', `0x0000560a')
+define(`VT_SENDSIG', `0x00005604')
+define(`VT_SETACTIVATE', `0x0000560f')
+define(`VT_SETMODE', `0x00005602')
+define(`VT_UNLOCKSWITCH', `0x0000560c')
+define(`VT_WAITACTIVE', `0x00005607')
+define(`VT_WAITEVENT', `0x0000560e')
+define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
+define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
+define(`WDIOC_GETBOOTSTATUS', `0x80045702')
+define(`WDIOC_GETPRETIMEOUT', `0x80045709')
+define(`WDIOC_GETSTATUS', `0x80045701')
+define(`WDIOC_GETSUPPORT', `0x80285700')
+define(`WDIOC_GETTEMP', `0x80045703')
+define(`WDIOC_GETTIMELEFT', `0x8004570a')
+define(`WDIOC_GETTIMEOUT', `0x80045707')
+define(`WDIOC_KEEPALIVE', `0x80045705')
+define(`WDIOC_SETOPTIONS', `0x80045704')
+define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
+define(`WDIOC_SETTIMEOUT', `0xc0045706')
+define(`WRITE_RAID_INFO', `0x00000925')
+define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
+define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
+define(`ZATM_GETPOOL', `0x40106161')
+define(`ZATM_GETPOOLZ', `0x40106162')
+define(`ZATM_SETPOOL', `0x40106163')
diff --git a/microdroid/system/public/ioctl_macros b/microdroid/system/public/ioctl_macros
new file mode 100644
index 0000000..47a5157
--- /dev/null
+++ b/microdroid/system/public/ioctl_macros
@@ -0,0 +1,76 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# Socket ioctls for gathering information about the interface
+SIOCGSTAMP SIOCGSTAMPNS
+SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
+SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
+# Wireless extension ioctls. Primarily get functions.
+SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
+SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
+SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
+}')
+
+# socket ioctls never allowed to unprivileged apps
+define(`priv_sock_ioctls', `
+{
+# qualcomm rmnet ioctls
+WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
+# socket ioctls
+SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
+SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
+SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
+SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
+SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
+SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
+SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
+SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
+SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
+SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
+# device and protocol specific ioctls
+SIOCDEVPRIVATE-SIOCDEVPRIVLAST
+SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
+# Wireless extension ioctls
+SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
+SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
+SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
+SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
+SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
+SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
+# Dev private ioctl i.e. hardware specific ioctls
+SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
+}')
+
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
+
+# commonly used TTY ioctls
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
+ TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
+}')
+
+# point to point ioctls
+define(`ppp_ioctls', `{
+PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
+PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
+PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
+PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
+PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
+PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
+PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
+PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
+PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
+PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
+}')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
+}')
diff --git a/microdroid/system/public/kernel.te b/microdroid/system/public/kernel.te
new file mode 100644
index 0000000..9ea35c1
--- /dev/null
+++ b/microdroid/system/public/kernel.te
@@ -0,0 +1,2 @@
+# Life begins with the kernel.
+type kernel, domain;
diff --git a/microdroid/system/public/logcat.te b/microdroid/system/public/logcat.te
new file mode 100644
index 0000000..cf2bb7e
--- /dev/null
+++ b/microdroid/system/public/logcat.te
@@ -0,0 +1,2 @@
+type logcat, domain;
+type logcat_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/logd.te b/microdroid/system/public/logd.te
new file mode 100644
index 0000000..67f601c
--- /dev/null
+++ b/microdroid/system/public/logd.te
@@ -0,0 +1,2 @@
+type logd, domain;
+type logd_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/neverallow_macros b/microdroid/system/public/neverallow_macros
new file mode 100644
index 0000000..59fa441
--- /dev/null
+++ b/microdroid/system/public/neverallow_macros
@@ -0,0 +1,15 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
new file mode 100644
index 0000000..f85ba76
--- /dev/null
+++ b/microdroid/system/public/property.te
@@ -0,0 +1,55 @@
+type adbd_prop, property_type;
+type apex_config_prop, property_type;
+type apexd_payload_metadata_prop, property_type;
+type apexd_prop, property_type;
+type arm64_memtag_prop, property_type;
+type bootloader_prop, property_type;
+type boottime_prop, property_type;
+type build_prop, property_type;
+type cold_boot_done_prop, property_type;
+type ctl_adbd_prop, property_type;
+type ctl_apexd_prop, property_type;
+type ctl_apexd_vm_prop, property_type;
+type ctl_apkdmverity_prop, property_type;
+type ctl_console_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
+type ctl_restart_prop, property_type;
+type ctl_seriallogging_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
+type ctl_tombstone_transmit_prop, property_type;
+type ctl_zipfuse_prop, property_type;
+type debug_prop, property_type;
+type default_prop, property_type;
+type dev_mnt_prop, property_type;
+type fingerprint_prop, property_type;
+type gsid_prop, property_type;
+type heapprofd_prop, property_type;
+type init_perf_lsm_hooks_prop, property_type;
+type init_service_status_private_prop, property_type;
+type init_service_status_prop, property_type;
+type init_svc_debug_prop, property_type;
+type libc_debug_prop, property_type;
+type log_tag_prop, property_type;
+type logd_prop, property_type;
+type microdroid_manager_roothash_prop, property_type;
+type property_service_version_prop, property_type;
+type shell_prop, property_type;
+type timezone_prop, property_type;
+type usb_control_prop, property_type;
+type vendor_default_prop, property_type;
+type powerctl_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;
+
+# Properties should be explicitly labeled in property_contexts
+neverallow { domain -init } default_prop:file no_rw_file_perms;
+neverallow { domain -init } default_prop:property_service set;
+
+dontaudit { domain -init } default_prop:file no_rw_file_perms;
+dontaudit { domain -init } default_prop:property_service set;
diff --git a/prebuilts/api/26.0/public/roles b/microdroid/system/public/roles
similarity index 100%
copy from prebuilts/api/26.0/public/roles
copy to microdroid/system/public/roles
diff --git a/microdroid/system/public/servicemanager.te b/microdroid/system/public/servicemanager.te
new file mode 100644
index 0000000..41a1096
--- /dev/null
+++ b/microdroid/system/public/servicemanager.te
@@ -0,0 +1,2 @@
+type servicemanager, domain;
+type servicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
new file mode 100644
index 0000000..00c2d0b
--- /dev/null
+++ b/microdroid/system/public/shell.te
@@ -0,0 +1,81 @@
+# Domain for shell processes spawned by ADB or console service.
+type shell, domain;
+type shell_exec, system_file_type, exec_type, file_type;
+
+# Create and use network sockets.
+net_domain(shell)
+
+# logcat
+read_logd(shell)
+control_logd(shell)
+
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
+
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+
+r_dir_file(shell, system_file)
+allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
+allow shell shell_exec:file rx_file_perms;
+
+# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
+r_dir_file(shell, proc_net_type)
+
+allow shell {
+ proc_asound
+ proc_filesystems
+ proc_interrupts
+ proc_loadavg # b/124024827
+ proc_meminfo
+ proc_modules
+ proc_pid_max
+ proc_slabinfo
+ proc_stat
+ proc_timer
+ proc_uptime
+ proc_version
+ proc_vmstat
+ proc_zoneinfo
+}:file r_file_perms;
+
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
+r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow shell selinuxfs:dir r_dir_perms;
+allow shell selinuxfs:file r_file_perms;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
new file mode 100644
index 0000000..ea8ffa0
--- /dev/null
+++ b/microdroid/system/public/statsd.te
@@ -0,0 +1,27 @@
+type statsd, domain;
+
+type statsd_exec, system_file_type, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read write };
+
+unix_socket_send(statsd, statsdw, statsd)
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
new file mode 100644
index 0000000..aded9ae
--- /dev/null
+++ b/microdroid/system/public/su.te
@@ -0,0 +1,46 @@
+# Domain used for su processes, as well as for adbd and adb shell
+# after performing an adb root command.
+
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type su, domain;
+
+# File types must be defined for file_contexts.
+type su_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ # Add su to various domains
+ net_domain(su)
+
+ dontaudit su self:capability_class_set *;
+ dontaudit su self:capability2 *;
+ dontaudit su kernel:security *;
+ dontaudit su { kernel file_type }:system *;
+ dontaudit su self:memprotect *;
+ dontaudit su domain:{ process process2 } *;
+ dontaudit su domain:fd *;
+ dontaudit su domain:dir *;
+ dontaudit su domain:lnk_file *;
+ dontaudit su domain:{ fifo_file file } *;
+ dontaudit su domain:socket_class_set *;
+ dontaudit su domain:ipc_class_set *;
+ dontaudit su domain:key *;
+ dontaudit su fs_type:filesystem *;
+ dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+ dontaudit su node_type:node *;
+ dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+ dontaudit su netif_type:netif *;
+ dontaudit su port_type:socket_class_set *;
+ dontaudit su port_type:{ tcp_socket dccp_socket } *;
+ dontaudit su domain:peer *;
+ dontaudit su domain:binder *;
+ dontaudit su property_type:property_service *;
+ dontaudit su property_type:file *;
+ dontaudit su service_manager_type:service_manager *;
+ dontaudit su servicemanager:service_manager list;
+ dontaudit su domain:drmservice *;
+ dontaudit su unlabeled:filesystem *;
+ dontaudit su domain:bpf *;
+ dontaudit su unlabeled:vsock_socket *;
+ dontaudit su self:perf_event *;
+')
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
new file mode 100644
index 0000000..6db0d70
--- /dev/null
+++ b/microdroid/system/public/te_macros
@@ -0,0 +1,997 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute map };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint open read execute getattr map };
+# New domain can send SIGCHLD to its caller.
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
+define(`tmpfs_domain', `
+type_transition $1 tmpfs:file $1_tmpfs;
+allow $1 $1_tmpfs:file { read write getattr map };
+')
+
+# pdx macros for IPC. pdx is a high-level name which contains transport-specific
+# rules from underlying transport (e.g. UDS-based implementation).
+
+#####################################
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
+')
+
+#####################################
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+userdebug_or_eng(`
+dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
+dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
+')
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
+# Servers may receive sync fences, gralloc buffers, etc, from clients.
+# This could be tightened on a per-server basis, but keeping track of service
+# clients is error prone.
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+')
+
+####################################
+# userfaultfd_use(domain)
+# Allow domain to create/use userfaultfd.
+define(`userfaultfd_use', `
+# Set up a type_transition to "userfaultfd" named anonymous inode object.
+type $1_userfaultfd;
+type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
+# Allow domain to create/use userfaultfd anon_inode.
+allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Other domains may not use userfaultfd anon_inodes created by this domain.
+neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
+# This domain may not use userfaultfd anon_inodes created by other domains.
+neverallow $1 ~$1_userfaultfd:anon_inode *;
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label tmpfs objects for all apps.
+type_transition $1 tmpfs:file appdomain_tmpfs;
+userfaultfd_use($1)
+allow $1 appdomain_tmpfs:file { execute getattr map read write };
+neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components to
+# apps. crash_dump is excluded, as it needs ptrace access to produce stack
+# traces. runas_app is excluded, as it operates only on debuggable apps.
+# simpleperf is excluded, as it operates only on debuggable or profileable
+# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
+# live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
+')
+
+#####################################
+# untrusted_app_domain(domain)
+# Allow a base set of permissions required for all untrusted apps.
+define(`untrusted_app_domain', `
+typeattribute $1 untrusted_app_all;
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# hal_attribute(hal_name)
+# Add an attribute for hal implementations along with necessary
+# restrictions.
+define(`hal_attribute', `
+attribute hal_$1;
+expandattribute hal_$1 true;
+attribute hal_$1_client;
+expandattribute hal_$1_client true;
+attribute hal_$1_server;
+expandattribute hal_$1_server false;
+
+neverallow { hal_$1_server -halserverdomain } domain:process fork;
+# hal_*_client and halclientdomain attributes are always expanded for
+# performance reasons. Neverallow rules targeting expanded attributes can not be
+# verified by CTS since these attributes are already expanded by that time.
+build_test_only(`
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
+')
+')
+
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+# type hal_foo_default, domain;
+# hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+# hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+')
+
+#####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+# passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
+define(`unix_socket_connect', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+get_prop($1, $2)
+')
+
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file { getattr open read map };
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
+# Allow servicemanager to send out callbacks
+allow servicemanager $1:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# hwbinder_use(domain)
+# Allow domain to use HwBinder IPC.
+define(`hwbinder_use', `
+# Call the hwservicemanager and transfer references to it.
+allow $1 hwservicemanager:binder { call transfer };
+# Allow hwservicemanager to send out callbacks
+allow hwservicemanager $1:binder { call transfer };
+# hwservicemanager performs getpidcon on clients.
+allow hwservicemanager $1:dir search;
+allow hwservicemanager $1:file { read open map };
+allow hwservicemanager $1:process getattr;
+# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open map };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
+# deprecated.
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:global_capability2_class_set block_suspend;
+# system_suspend permissions
+binder_call($1, system_suspend_server)
+allow $1 system_suspend_hwservice:hwservice_manager find;
+# halclientdomain permissions
+hwbinder_use($1)
+get_prop($1, hwservicemanager_prop)
+allow $1 hidl_manager_hwservice:hwservice_manager find;
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
+
+#####################################
+# Non system_app application set
+#
+define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Recovery only
+# SELinux rules which apply only to recovery mode
+#
+define(`recovery_only', ifelse(target_recovery, `true', $1, ))
+
+#####################################
+# Not recovery
+# SELinux rules which apply only to non-recovery (normal) mode
+#
+define(`not_recovery', ifelse(target_recovery, `true', , $1))
+
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
+#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
+#####################################
+# Compatible property only
+# SELinux rules which apply only to devices with compatible property
+#
+define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
+ifelse(target_compatible_property, `cts',
+# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not compatible property
+# SELinux rules which apply only to devices without compatible property
+#
+define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+
+#####################################
+# asan builds
+# SELinux rules which apply only to asan builds
+#
+define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# Build-time-only test
+# SELinux rules which are verified during build, but not as part of *TS testing.
+#
+define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
+
+####################################
+# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
+#
+define(`crash_dump_fallback', `
+userdebug_or_eng(`
+ allow $1 su:fifo_file append;
+')
+allow $1 anr_data_file:file append;
+allow $1 dumpstate:fd use;
+allow $1 incidentd:fd use;
+# TODO: Figure out why write is needed.
+allow $1 dumpstate:fifo_file { append write };
+allow $1 incidentd:fifo_file { append write };
+allow $1 system_server:fifo_file { append write };
+allow $1 tombstoned:unix_stream_socket connectto;
+allow $1 tombstoned:fd use;
+allow $1 tombstoned_crash_socket:sock_file write;
+allow $1 tombstone_data_file:file append;
+')
+
+#####################################
+# WITH_DEXPREOPT builds
+# SELinux rules which apply only when pre-opting.
+#
+define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+unix_socket_send($1, logdw, logd)
+allow $1 pmsg_device:chr_file w_file_perms;
+')
+
+#####################################
+# read_logd(domain)
+# Ability to run logcat and read from android
+# log daemon via sockets
+define(`read_logd', `
+allow $1 logcat_exec:file rx_file_perms;
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# read_runtime_log_tags(domain)
+# ability to directly map the runtime event log tags
+define(`read_runtime_log_tags', `
+allow $1 runtime_event_log_tags_file:file r_file_perms;
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+ allow keystore $1:dir search;
+ allow keystore $1:file { read open };
+ allow keystore $1:process getattr;
+ allow $1 apc_service:service_manager find;
+ allow $1 keystore_service:service_manager find;
+ allow $1 legacykeystore_service:service_manager find;
+ binder_call($1, keystore)
+ binder_call(keystore, $1)
+')
+
+#####################################
+# use_credstore(domain)
+# Ability to use credstore.
+define(`use_credstore', `
+ allow credstore $1:dir search;
+ allow credstore $1:file { read open };
+ allow credstore $1:process getattr;
+ allow $1 credstore_service:service_manager find;
+ binder_call($1, credstore)
+ binder_call(credstore, $1)
+')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+ allow drmserver $1:dir search;
+ allow drmserver $1:file { read open };
+ allow drmserver $1:process getattr;
+')
+
+###########################################
+# add_service(domain, service)
+# Ability for domain to add a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_service', `
+ allow $1 $2:service_manager { add find };
+ neverallow { domain -$1 } $2:service_manager add;
+')
+
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+ allow $1 $2:hwservice_manager { add find };
+ allow $1 hidl_base_hwservice:hwservice_manager add;
+ neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
+###########################################
+# hal_attribute_hwservice(attribute, service)
+# Ability for domain to get a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_hwservice
+define(`hal_attribute_hwservice', `
+ allow $1_client $2:hwservice_manager find;
+ add_hwservice($1_server, $2)
+
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
+ neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
+ ')
+')
+
+###########################################
+# hal_attribute_service(attribute, service)
+# Ability for domain to get a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_service
+define(`hal_attribute_service', `
+ allow $1_client $2:service_manager find;
+ add_service($1_server, $2)
+
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
+ neverallow {
+ domain
+ -$1_client
+ -$1_server
+ -shell
+ } $2:service_manager find;
+ ')
+')
+
+###################################
+# can_profile_heap(domain)
+# Allow processes within the domain to have their heap profiled by central
+# heapprofd.
+define(`can_profile_heap', `
+ # Allow central daemon to send signal for client initialization.
+ allow heapprofd $1:process signal;
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, heapprofd, heapprofd)
+ # Allow daemon to use the passed fds.
+ allow heapprofd $1:fd use;
+ # Allow to read and write to heapprofd shmem.
+ # The client needs to read the read and write pointers in order to write.
+ allow $1 heapprofd_tmpfs:file { read write getattr map };
+ # Use shared memory received over the unix socket.
+ allow $1 heapprofd:fd use;
+
+ # To read and write from the received file descriptors.
+ # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+ # process they relate to.
+ # We need to write to /proc/$PID/page_idle to find idle allocations.
+ # The client only opens /proc/self/page_idle with RDWR, everything else
+ # with RDONLY.
+ # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+ # sys_ptrace.
+ allow heapprofd $1:file rw_file_perms;
+ # Allow searching the /proc/[pid] directory for cmdline.
+ allow heapprofd $1:dir r_dir_perms;
+')
+
+###################################
+# never_profile_heap(domain)
+# Opt out of heap profiling by heapprofd.
+define(`never_profile_heap', `
+ neverallow heapprofd $1:file read;
+ neverallow heapprofd $1:process signal;
+')
+
+###################################
+# can_profile_perf(domain)
+# Allow processes within the domain to be profiled, and have their stacks
+# sampled, by traced_perf.
+define(`can_profile_perf', `
+ # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
+ # reads /proc/[pid]/cmdline.
+ allow traced_perf $1:file r_file_perms;
+ allow traced_perf $1:dir r_dir_perms;
+
+ # Allow central daemon to send signal to request /proc/[pid]/maps and
+ # /proc/[pid]/mem fds from this process.
+ allow traced_perf $1:process signal;
+
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, traced_perf, traced_perf)
+ # Allow daemon to use the passed fds.
+ allow traced_perf $1:fd use;
+')
+
+###################################
+# never_profile_perf(domain)
+# Opt out of profiling by traced_perf.
+define(`never_profile_perf', `
+ neverallow traced_perf $1:file read;
+ neverallow traced_perf $1:process signal;
+')
+
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+# When applying this macro, you might need to also allow traced to use the
+# producer tmpfs domain, if the producer will be the one creating the shared
+# memory.
+define(`perfetto_producer', `
+ allow $1 traced:fd use;
+ allow $1 traced_tmpfs:file { read write getattr map };
+ unix_socket_connect($1, traced_producer, traced)
+
+ # Also allow the service to use the producer file descriptors. This is
+ # necessary when the producer is creating the shared memory, as it will be
+ # passed to the service as a file descriptor (obtained from memfd_create).
+ allow traced $1:fd use;
+')
+
+###########################################
+# dump_hal(hal_type)
+# Ability to dump the hal debug info
+#
+define(`dump_hal', `
+ hal_client_domain(dumpstate, $1);
+ allow $1_server dumpstate:fifo_file write;
+ allow $1_server dumpstate:fd use;
+')
+
+#####################################
+# treble_sysprop_neverallow(rules)
+# SELinux neverallow rules which enforces the accessibility of each property
+# outside the owner.
+#
+# For devices launching with R or later, exported properties must be explicitly marked as
+# "restricted" or "public", depending on the accessibility outside the owner.
+# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these rules only for devices launching with R or later.
+#
+# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
+#
+define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
+ifelse(target_treble_sysprop_neverallow, `cts',
+# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# enforce_sysprop_owner(rules)
+# SELinux neverallow rules which enforces the owner of each property.
+#
+# For devices launching with S or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these ules only for devices launching with S or later.
+#
+define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
+ifelse(target_enforce_sysprop_owner, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+###########################################
+# define_prop(name, owner, scope)
+# Define a property with given owner and scope
+#
+define(`define_prop', `
+ type $1, property_type, $2_property_type, $2_$3_property_type;
+')
+
+###########################################
+# system_internal_prop(name)
+# Define a /system-owned property used only in /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_internal_prop', `
+ define_prop($1, system, internal)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# system_restricted_prop(name)
+# Define a /system-owned property which can't be written outside /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_restricted_prop', `
+ define_prop($1, system, restricted)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:property_service set;
+ ')
+')
+
+###########################################
+# system_public_prop(name)
+# Define a /system-owned property with no restrictions
+#
+define(`system_public_prop', `define_prop($1, system, public)')
+
+###########################################
+# system_vendor_config_prop(name)
+# Define a /system-owned property which can only be written by vendor_init
+# This is a macro for vendor-specific configuration properties which is meant
+# to be set once from vendor_init.
+#
+define(`system_vendor_config_prop', `
+ system_public_prop($1)
+ set_prop(vendor_init, $1)
+ neverallow { domain -init -vendor_init } $1:property_service set;
+')
+
+###########################################
+# product_internal_prop(name)
+# Define a /product-owned property used only in /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_internal_prop', `
+ define_prop($1, product, internal)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# product_restricted_prop(name)
+# Define a /product-owned property which can't be written outside /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_restricted_prop', `
+ define_prop($1, product, restricted)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:property_service set;
+ ')
+')
+
+###########################################
+# product_public_prop(name)
+# Define a /product-owned property with no restrictions
+#
+define(`product_public_prop', `define_prop($1, product, public)')
+
+###########################################
+# vendor_internal_prop(name)
+# Define a /vendor-owned property used only in /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_internal_prop', `
+ define_prop($1, vendor, internal)
+ treble_sysprop_neverallow(`
+# init and dumpstate are in coredomain, but should be able to read all props.
+ neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# vendor_restricted_prop(name)
+# Define a /vendor-owned property which can't be written outside /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_restricted_prop', `
+ define_prop($1, vendor, restricted)
+ treble_sysprop_neverallow(`
+# init is in coredomain, but should be able to write all props.
+ neverallow { coredomain -init } $1:property_service set;
+ ')
+')
+
+###########################################
+# vendor_public_prop(name)
+# Define a /vendor-owned property with no restrictions
+#
+define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+ allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+ allow $1 gsi_public_metadata_file:file r_file_perms;
+ allow $1 proc_bootconfig:file r_file_perms;
+')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
diff --git a/microdroid/system/public/tombstoned.te b/microdroid/system/public/tombstoned.te
new file mode 100644
index 0000000..bd1626d
--- /dev/null
+++ b/microdroid/system/public/tombstoned.te
@@ -0,0 +1,2 @@
+type tombstoned, domain;
+type tombstoned_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/toolbox.te b/microdroid/system/public/toolbox.te
new file mode 100644
index 0000000..0a6e649
--- /dev/null
+++ b/microdroid/system/public/toolbox.te
@@ -0,0 +1,2 @@
+type toolbox, domain;
+type toolbox_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
new file mode 100644
index 0000000..b21b2dd
--- /dev/null
+++ b/microdroid/system/public/type.te
@@ -0,0 +1,11 @@
+# Miscellaneous types
+type adb_service, service_manager_type;
+type apex_service, service_manager_type;
+type authfs_binder_service, service_manager_type;
+type default_android_service, service_manager_type;
+type dice_maintenance_service, service_manager_type;
+type dice_node_service, service_manager_type;
+type hal_dice_service, vendor_service, service_manager_type;
+type service_manager_service, service_manager_type;
+type system_linker;
+type vm_payload_key;
diff --git a/microdroid/system/public/ueventd.te b/microdroid/system/public/ueventd.te
new file mode 100644
index 0000000..7bf7888
--- /dev/null
+++ b/microdroid/system/public/ueventd.te
@@ -0,0 +1,4 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+type ueventd_tmpfs, file_type;
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
new file mode 100644
index 0000000..fa5db03
--- /dev/null
+++ b/microdroid/system/public/vendor_init.te
@@ -0,0 +1,149 @@
+# vendor_init is its own domain.
+type vendor_init, domain;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open getattr write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+allow vendor_init system_data_file:dir getattr;
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -runtime_event_log_tags_file
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -apex_info_file
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -apex_mnt_dir
+ -exec_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -system_file_type
+ -vendor_file_type
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+ fs_type
+ -fusefs_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr map };
+
+allow vendor_init tracefs_type:file { open read setattr map };
+
+allow vendor_init {
+ fs_type
+ -fusefs_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:dir { open read setattr search };
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+# vendor_init is using bootstrap bionic
+use_bootstrap_libs(vendor_init)
+
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -kvm_device
+ -hw_random_device
+}:chr_file setattr;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
new file mode 100644
index 0000000..002fb14
--- /dev/null
+++ b/microdroid/vendor/file_contexts
@@ -0,0 +1,8 @@
+#############################
+# Vendor files
+#
+(/.*)? u:object_r:vendor_file:s0
+/etc(/.*)? u:object_r:vendor_configs_file:s0
+
+# HAL location
+/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
new file mode 100644
index 0000000..9fbf90d
--- /dev/null
+++ b/microdroid/vendor/hal_dice_default.te
@@ -0,0 +1,14 @@
+type hal_dice_default, domain;
+hal_server_domain(hal_dice_default, hal_dice)
+
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute hal_dice_default no_crash_dump_domain;
+
+type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dice_default)
+
+# hal_dice_default is using bootstrap bionic
+use_bootstrap_libs(hal_dice_default)
+
+allow hal_dice_default sysfs_dt_avf:file r_file_perms;
+allow hal_dice_default open_dice_device:chr_file rw_file_perms;
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
deleted file mode 100644
index e46f92a..0000000
--- a/prebuilt_policy.mk
+++ /dev/null
@@ -1,321 +0,0 @@
-# Copyright (C) 2020 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# prebuilt_policy.mk generates policy files from prebuilts of BOARD_SEPOLICY_VERS.
-# The policy files will only be used to compile vendor and odm policies.
-#
-# Specifically, the following prebuilts are used...
-# - system/sepolicy/prebuilts/api/{BOARD_SEPOLICY_VERS}
-# - BOARD_PLAT_VENDOR_POLICY (copy of system/sepolicy/vendor from a previous release)
-# - BOARD_REQD_MASK_POLICY (copy of reqd_mask from a previous release)
-# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (copy of system_ext public from a previous release)
-# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (copy of system_ext private from a previous release)
-# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (copy of product public from a previous release)
-# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (copy of product private from a previous release)
-#
-# ... to generate following policy files.
-#
-# - reqd policy mask
-# - plat, system_ext, product public policy
-# - plat, system_ext, product policy
-# - plat, system_ext, product versioned policy
-#
-# These generated policy files will be used only when building vendor policies.
-# They are not installed to system, system_ext, or product partition.
-ver := $(BOARD_SEPOLICY_VERS)
-prebuilt_dir := $(LOCAL_PATH)/prebuilts/api/$(ver)
-plat_public_policy_$(ver) := $(prebuilt_dir)/public
-plat_private_policy_$(ver) := $(prebuilt_dir)/private
-system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
-system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
-product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
-product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
-
-##################################
-# policy-to-conf-rule: a helper macro to transform policy files to conf file.
-#
-# This expands to a set of rules which assign variables for transform-policy-to-conf and then call
-# transform-policy-to-conf. Before calling this, policy_files must be set with build_policy macro.
-#
-# $(1): output path (.conf file)
-define policy-to-conf-rule
-$(1): PRIVATE_MLS_SENS := $$(MLS_SENS)
-$(1): PRIVATE_MLS_CATS := $$(MLS_CATS)
-$(1): PRIVATE_TARGET_BUILD_VARIANT := $$(TARGET_BUILD_VARIANT)
-$(1): PRIVATE_TGT_ARCH := $$(my_target_arch)
-$(1): PRIVATE_TGT_WITH_ASAN := $$(with_asan)
-$(1): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $$(with_native_coverage)
-$(1): PRIVATE_ADDITIONAL_M4DEFS := $$(LOCAL_ADDITIONAL_M4DEFS)
-$(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
-$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
-$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
-$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
-$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
-$(1): PRIVATE_POLICY_FILES := $$(policy_files)
-$(1): $$(policy_files) $$(M4)
- $$(transform-policy-to-conf)
-endef
-
-##################################
-# reqd_policy_mask_$(ver).cil
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), $(BOARD_REQD_MASK_POLICY))
-reqd_policy_mask_$(ver).conf := $(intermediates)/reqd_policy_mask_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(reqd_policy_mask_$(ver).conf)))
-
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
-
-reqd_policy_mask_$(ver).cil := $(intermediates)/reqd_policy_mask_$(ver).cil
-$(reqd_policy_mask_$(ver).cil): $(reqd_policy_mask_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
- $(POLICYVERS) -o $@ $<
-
-reqd_policy_mask_$(ver).conf :=
-
-reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
-
-##################################
-# plat_pub_policy_$(ver).cil: exported plat policies
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(reqd_policy_$(ver)))
-plat_pub_policy_$(ver).conf := $(intermediates)/plat_pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(plat_pub_policy_$(ver).conf)))
-
-plat_pub_policy_$(ver).cil := $(intermediates)/plat_pub_policy_$(ver).cil
-$(plat_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(plat_pub_policy_$(ver).conf)
-$(plat_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(plat_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-plat_pub_policy_$(ver).conf :=
-
-##################################
-# plat_mapping_cil_$(ver).cil: versioned exported system policy
-#
-plat_mapping_cil_$(ver) := $(intermediates)/plat_mapping_$(ver).cil
-$(plat_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(plat_mapping_cil_$(ver)) : $(plat_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-built_plat_mapping_cil_$(ver) := $(plat_mapping_cil_$(ver))
-
-##################################
-# plat_policy_$(ver).cil: system policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) )
-plat_policy_$(ver).conf := $(intermediates)/plat_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(plat_policy_$(ver).conf)))
-
-plat_policy_$(ver).cil := $(intermediates)/plat_policy_$(ver).cil
-$(plat_policy_$(ver).cil): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
-$(plat_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(plat_policy_$(ver).cil): $(plat_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
- $(hide) mv $@.tmp $@
-
-plat_policy_$(ver).conf :=
-
-built_plat_cil_$(ver) := $(plat_policy_$(ver).cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-##################################
-# system_ext_pub_policy_$(ver).cil: exported system and system_ext policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) $(reqd_policy_$(ver)))
-system_ext_pub_policy_$(ver).conf := $(intermediates)/system_ext_pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(system_ext_pub_policy_$(ver).conf)))
-
-system_ext_pub_policy_$(ver).cil := $(intermediates)/system_ext_pub_policy_$(ver).cil
-$(system_ext_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(system_ext_pub_policy_$(ver).conf)
-$(system_ext_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(system_ext_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-system_ext_pub_policy_$(ver).conf :=
-
-##################################
-# system_ext_policy_$(ver).cil: system_ext policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
- $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) )
-system_ext_policy_$(ver).conf := $(intermediates)/system_ext_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(system_ext_policy_$(ver).conf)))
-
-system_ext_policy_$(ver).cil := $(intermediates)/system_ext_policy_$(ver).cil
-$(system_ext_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(system_ext_policy_$(ver).cil): PRIVATE_PLAT_CIL := $(built_plat_cil_$(ver))
-$(system_ext_policy_$(ver).cil): $(system_ext_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver))
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
- # latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
-
-system_ext_policy_$(ver).conf :=
-
-built_system_ext_cil_$(ver) := $(system_ext_policy_$(ver).cil)
-
-##################################
-# system_ext_mapping_cil_$(ver).cil: versioned exported system_ext policy
-#
-system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
-$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
-$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
-$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
-$(system_ext_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
-$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil)
- @mkdir -p $(dir $@)
- # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
- # sepolicy minus plat_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
-
-built_system_ext_mapping_cil_$(ver) := $(system_ext_mapping_cil_$(ver))
-
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# product_policy_$(ver).cil: product policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
- $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) \
- $(product_public_policy_$(ver)) $(product_private_policy_$(ver)) )
-product_policy_$(ver).conf := $(intermediates)/product_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(product_policy_$(ver).conf)))
-
-product_policy_$(ver).cil := $(intermediates)/product_policy_$(ver).cil
-$(product_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(product_policy_$(ver).cil): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
-$(product_policy_$(ver).cil): $(product_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL_FILES) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
- # make sure that the latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-product_policy_$(ver).conf :=
-
-built_product_cil_$(ver) := $(product_policy_$(ver).cil)
-
-endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# pub_policy_$(ver).cil: exported plat, system_ext, and product policies
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) \
- $(product_public_policy_$(ver)) $(reqd_policy_$(ver)) )
-pub_policy_$(ver).conf := $(intermediates)/pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(pub_policy_$(ver).conf)))
-
-pub_policy_$(ver).cil := $(intermediates)/pub_policy_$(ver).cil
-$(pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(pub_policy_$(ver).conf)
-$(pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-pub_policy_$(ver).conf :=
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# product_mapping_cil_$(ver).cil: versioned exported product policy
-#
-product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
-$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
-$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil)
-$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
-$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
-$(product_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
-$(product_mapping_cil_$(ver)) : $(built_system_ext_mapping_cil_$(ver))
- @mkdir -p $(dir $@)
- # Generate product mapping file as mapping file of all public sepolicy minus
- # plat_mapping_file and system_ext_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_FILTER_CIL_FILES) -t $@
-
-built_product_mapping_cil_$(ver) := $(product_mapping_cil_$(ver))
-
-endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# plat_pub_versioned_$(ver).cil - the exported platform policy
-#
-plat_pub_versioned_$(ver).cil := $(intermediates)/plat_pub_versioned_$(ver).cil
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_VERS := $(ver)
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_TGT_POL := $(pub_policy_$(ver).cil)
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) \
-$(built_product_cil_$(ver)) $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) \
-$(built_product_mapping_cil_$(ver))
-$(plat_pub_versioned_$(ver).cil) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
- $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) $(built_product_cil_$(ver)) \
- $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) $(built_product_mapping_cil_$(ver))
- @mkdir -p $(dir $@)
- $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-built_pub_vers_cil_$(ver) := $(plat_pub_versioned_$(ver).cil)
diff --git a/prebuilts/api/26.0/nonplat_sepolicy.cil b/prebuilts/api/26.0/nonplat_sepolicy.cil
deleted file mode 100644
index 2ed4efa..0000000
--- a/prebuilts/api/26.0/nonplat_sepolicy.cil
+++ /dev/null
@@ -1,6109 +0,0 @@
-(roletype r domain)
-(typeattributeset dev_type (device_26_0 alarm_device_26_0 ashmem_device_26_0 audio_device_26_0 audio_timer_device_26_0 audio_seq_device_26_0 binder_device_26_0 hwbinder_device_26_0 vndbinder_device_26_0 block_device_26_0 camera_device_26_0 dm_device_26_0 keychord_device_26_0 loop_control_device_26_0 loop_device_26_0 pmsg_device_26_0 radio_device_26_0 ram_device_26_0 rtc_device_26_0 vold_device_26_0 console_device_26_0 cpuctl_device_26_0 fscklogs_26_0 full_device_26_0 gpu_device_26_0 graphics_device_26_0 hw_random_device_26_0 input_device_26_0 kmem_device_26_0 port_device_26_0 log_device_26_0 mtd_device_26_0 mtp_device_26_0 nfc_device_26_0 ptmx_device_26_0 kmsg_device_26_0 null_device_26_0 random_device_26_0 sensors_device_26_0 serial_device_26_0 socket_device_26_0 owntty_device_26_0 tty_device_26_0 video_device_26_0 vcs_device_26_0 zero_device_26_0 fuse_device_26_0 iio_device_26_0 ion_device_26_0 qtaguid_device_26_0 watchdog_device_26_0 uhid_device_26_0 uio_device_26_0 tun_device_26_0 usbaccessory_device_26_0 usb_device_26_0 properties_device_26_0 properties_serial_26_0 i2c_device_26_0 hci_attach_dev_26_0 rpmsg_device_26_0 root_block_device_26_0 frp_block_device_26_0 system_block_device_26_0 recovery_block_device_26_0 boot_block_device_26_0 userdata_block_device_26_0 cache_block_device_26_0 swap_block_device_26_0 metadata_block_device_26_0 misc_block_device_26_0 ppp_device_26_0 tee_device_26_0))
-(typeattributeset domain (adbd_26_0 audioserver_26_0 blkid_26_0 blkid_untrusted_26_0 bluetooth_26_0 bootanim_26_0 bootstat_26_0 bufferhubd_26_0 cameraserver_26_0 charger_26_0 clatd_26_0 cppreopts_26_0 crash_dump_26_0 dex2oat_26_0 dhcp_26_0 dnsmasq_26_0 drmserver_26_0 dumpstate_26_0 ephemeral_app_26_0 fingerprintd_26_0 fsck_26_0 fsck_untrusted_26_0 gatekeeperd_26_0 healthd_26_0 hwservicemanager_26_0 idmap_26_0 incident_26_0 incidentd_26_0 init_26_0 inputflinger_26_0 install_recovery_26_0 installd_26_0 isolated_app_26_0 kernel_26_0 keystore_26_0 lmkd_26_0 logd_26_0 logpersist_26_0 mdnsd_26_0 mediacodec_26_0 mediadrmserver_26_0 mediaextractor_26_0 mediametrics_26_0 mediaserver_26_0 modprobe_26_0 mtp_26_0 netd_26_0 netutils_wrapper_26_0 nfc_26_0 otapreopt_chroot_26_0 otapreopt_slot_26_0 performanced_26_0 perfprofd_26_0 platform_app_26_0 postinstall_26_0 postinstall_dexopt_26_0 ppp_26_0 preopt2cachename_26_0 priv_app_26_0 profman_26_0 racoon_26_0 radio_26_0 recovery_26_0 recovery_persist_26_0 recovery_refresh_26_0 rild_26_0 runas_26_0 sdcardd_26_0 servicemanager_26_0 sgdisk_26_0 shared_relro_26_0 shell_26_0 slideshow_26_0 su_26_0 surfaceflinger_26_0 system_app_26_0 system_server_26_0 tee_26_0 tombstoned_26_0 toolbox_26_0 tzdatacheck_26_0 ueventd_26_0 uncrypt_26_0 untrusted_app_26_0 untrusted_app_25_26_0 untrusted_v2_app_26_0 update_engine_26_0 update_verifier_26_0 vdc_26_0 virtual_touchpad_26_0 vndservicemanager_26_0 vold_26_0 vr_hwc_26_0 watchdogd_26_0 webview_zygote_26_0 wificond_26_0 zygote_26_0 hal_audio_default hal_bluetooth_default hal_bootctl_default hal_camera_default hal_configstore_default hal_contexthub_default hal_drm_default hal_dumpstate_default hal_fingerprint_default hal_gatekeeper_default hal_gnss_default hal_graphics_allocator_default hal_graphics_composer_default hal_health_default hal_ir_default hal_keymaster_default hal_light_default hal_memtrack_default hal_nfc_default hal_power_default hal_sensors_default hal_thermal_default hal_tv_cec_default hal_tv_input_default hal_usb_default hal_vibrator_default hal_vr_default hal_wifi_default hal_wifi_offload_default hal_wifi_supplicant_default hostapd vendor_modprobe))
-(typeattributeset fs_type (device_26_0 labeledfs_26_0 pipefs_26_0 sockfs_26_0 rootfs_26_0 proc_26_0 proc_security_26_0 proc_drop_caches_26_0 proc_overcommit_memory_26_0 usermodehelper_26_0 qtaguid_proc_26_0 proc_bluetooth_writable_26_0 proc_cpuinfo_26_0 proc_interrupts_26_0 proc_iomem_26_0 proc_meminfo_26_0 proc_misc_26_0 proc_modules_26_0 proc_net_26_0 proc_perf_26_0 proc_stat_26_0 proc_sysrq_26_0 proc_timer_26_0 proc_tty_drivers_26_0 proc_uid_cputime_showstat_26_0 proc_uid_cputime_removeuid_26_0 proc_uid_io_stats_26_0 proc_uid_procstat_set_26_0 proc_zoneinfo_26_0 selinuxfs_26_0 cgroup_26_0 sysfs_26_0 sysfs_uio_26_0 sysfs_batteryinfo_26_0 sysfs_bluetooth_writable_26_0 sysfs_leds_26_0 sysfs_hwrandom_26_0 sysfs_nfc_power_writable_26_0 sysfs_wake_lock_26_0 sysfs_mac_address_26_0 configfs_26_0 sysfs_devices_system_cpu_26_0 sysfs_lowmemorykiller_26_0 sysfs_wlan_fwpath_26_0 sysfs_vibrator_26_0 sysfs_thermal_26_0 sysfs_zram_26_0 sysfs_zram_uevent_26_0 inotify_26_0 devpts_26_0 tmpfs_26_0 shm_26_0 mqueue_26_0 fuse_26_0 sdcardfs_26_0 vfat_26_0 debugfs_26_0 debugfs_mmc_26_0 debugfs_trace_marker_26_0 debugfs_tracing_26_0 debugfs_tracing_instances_26_0 debugfs_wifi_tracing_26_0 tracing_shell_writable_26_0 tracing_shell_writable_debug_26_0 pstorefs_26_0 functionfs_26_0 oemfs_26_0 usbfs_26_0 binfmt_miscfs_26_0 app_fusefs_26_0))
-(typeattributeset contextmount_type (oemfs_26_0 app_fusefs_26_0))
-(typeattributeset file_type (bootanim_exec_26_0 bootstat_exec_26_0 bufferhubd_exec_26_0 cameraserver_exec_26_0 clatd_exec_26_0 cppreopts_exec_26_0 crash_dump_exec_26_0 dex2oat_exec_26_0 dhcp_exec_26_0 dnsmasq_exec_26_0 drmserver_exec_26_0 drmserver_socket_26_0 dumpstate_exec_26_0 sysfs_usb_26_0 unlabeled_26_0 system_file_26_0 vendor_hal_file_26_0 vendor_file_26_0 vendor_app_file_26_0 vendor_configs_file_26_0 same_process_hal_file_26_0 vndk_sp_file_26_0 vendor_framework_file_26_0 vendor_overlay_file_26_0 runtime_event_log_tags_file_26_0 logcat_exec_26_0 coredump_file_26_0 system_data_file_26_0 unencrypted_data_file_26_0 install_data_file_26_0 drm_data_file_26_0 adb_data_file_26_0 anr_data_file_26_0 tombstone_data_file_26_0 apk_data_file_26_0 apk_tmp_file_26_0 apk_private_data_file_26_0 apk_private_tmp_file_26_0 dalvikcache_data_file_26_0 ota_data_file_26_0 ota_package_file_26_0 user_profile_data_file_26_0 profman_dump_data_file_26_0 resourcecache_data_file_26_0 shell_data_file_26_0 property_data_file_26_0 bootchart_data_file_26_0 heapdump_data_file_26_0 nativetest_data_file_26_0 ringtone_file_26_0 preloads_data_file_26_0 preloads_media_file_26_0 dhcp_data_file_26_0 mnt_media_rw_file_26_0 mnt_user_file_26_0 mnt_expand_file_26_0 storage_file_26_0 mnt_media_rw_stub_file_26_0 storage_stub_file_26_0 postinstall_mnt_dir_26_0 postinstall_file_26_0 adb_keys_file_26_0 audio_data_file_26_0 audiohal_data_file_26_0 audioserver_data_file_26_0 bluetooth_data_file_26_0 bluetooth_logs_data_file_26_0 bootstat_data_file_26_0 boottrace_data_file_26_0 camera_data_file_26_0 gatekeeper_data_file_26_0 incident_data_file_26_0 keychain_data_file_26_0 keystore_data_file_26_0 media_data_file_26_0 media_rw_data_file_26_0 misc_user_data_file_26_0 net_data_file_26_0 nfc_data_file_26_0 radio_data_file_26_0 reboot_data_file_26_0 recovery_data_file_26_0 shared_relro_file_26_0 systemkeys_data_file_26_0 textclassifier_data_file_26_0 vpn_data_file_26_0 wifi_data_file_26_0 zoneinfo_data_file_26_0 vold_data_file_26_0 perfprofd_data_file_26_0 tee_data_file_26_0 update_engine_data_file_26_0 method_trace_data_file_26_0 app_data_file_26_0 system_app_data_file_26_0 cache_file_26_0 cache_backup_file_26_0 cache_private_backup_file_26_0 cache_recovery_file_26_0 efs_file_26_0 wallpaper_file_26_0 shortcut_manager_icons_26_0 icon_file_26_0 asec_apk_file_26_0 asec_public_file_26_0 asec_image_file_26_0 backup_data_file_26_0 bluetooth_efs_file_26_0 fingerprintd_data_file_26_0 app_fuse_file_26_0 adbd_socket_26_0 bluetooth_socket_26_0 dnsproxyd_socket_26_0 dumpstate_socket_26_0 fwmarkd_socket_26_0 lmkd_socket_26_0 logd_socket_26_0 logdr_socket_26_0 logdw_socket_26_0 mdns_socket_26_0 mdnsd_socket_26_0 misc_logd_file_26_0 mtpd_socket_26_0 netd_socket_26_0 property_socket_26_0 racoon_socket_26_0 rild_socket_26_0 rild_debug_socket_26_0 system_wpa_socket_26_0 system_ndebug_socket_26_0 tombstoned_crash_socket_26_0 tombstoned_intercept_socket_26_0 uncrypt_socket_26_0 vold_socket_26_0 webview_zygote_socket_26_0 wpa_socket_26_0 zygote_socket_26_0 gps_control_26_0 pdx_display_dir_26_0 pdx_performance_dir_26_0 pdx_bufferhub_dir_26_0 pdx_display_client_endpoint_socket_26_0 pdx_display_manager_endpoint_socket_26_0 pdx_display_screenshot_endpoint_socket_26_0 pdx_display_vsync_endpoint_socket_26_0 pdx_performance_client_endpoint_socket_26_0 pdx_bufferhub_client_endpoint_socket_26_0 file_contexts_file_26_0 mac_perms_file_26_0 property_contexts_file_26_0 seapp_contexts_file_26_0 sepolicy_file_26_0 service_contexts_file_26_0 hwservice_contexts_file_26_0 vndservice_contexts_file_26_0 fingerprintd_exec_26_0 fsck_exec_26_0 gatekeeperd_exec_26_0 healthd_exec_26_0 hwservicemanager_exec_26_0 idmap_exec_26_0 init_exec_26_0 inputflinger_exec_26_0 install_recovery_exec_26_0 installd_exec_26_0 keystore_exec_26_0 lmkd_exec_26_0 logd_exec_26_0 mediacodec_exec_26_0 mediadrmserver_exec_26_0 mediaextractor_exec_26_0 mediametrics_exec_26_0 mediaserver_exec_26_0 mtp_exec_26_0 netd_exec_26_0 netutils_wrapper_exec_26_0 otapreopt_chroot_exec_26_0 otapreopt_slot_exec_26_0 performanced_exec_26_0 perfprofd_exec_26_0 ppp_exec_26_0 preopt2cachename_exec_26_0 profman_exec_26_0 racoon_exec_26_0 recovery_persist_exec_26_0 recovery_refresh_exec_26_0 runas_exec_26_0 sdcardd_exec_26_0 servicemanager_exec_26_0 sgdisk_exec_26_0 shell_exec_26_0 su_exec_26_0 tombstoned_exec_26_0 toolbox_exec_26_0 tzdatacheck_exec_26_0 uncrypt_exec_26_0 update_engine_exec_26_0 update_verifier_exec_26_0 vdc_exec_26_0 vendor_shell_exec_26_0 vendor_toolbox_exec_26_0 virtual_touchpad_exec_26_0 vold_exec_26_0 vr_hwc_exec_26_0 webview_zygote_exec_26_0 wificond_exec_26_0 zygote_exec_26_0 hostapd_socket hal_audio_default_exec hal_audio_default_tmpfs hal_bluetooth_default_exec hal_bluetooth_default_tmpfs hal_bootctl_default_exec hal_bootctl_default_tmpfs hal_camera_default_exec hal_camera_default_tmpfs hal_configstore_default_exec hal_configstore_default_tmpfs hal_contexthub_default_exec hal_contexthub_default_tmpfs hal_drm_default_exec hal_drm_default_tmpfs hal_dumpstate_default_exec hal_dumpstate_default_tmpfs hal_fingerprint_default_exec hal_fingerprint_default_tmpfs hal_gatekeeper_default_exec hal_gatekeeper_default_tmpfs hal_gnss_default_exec hal_gnss_default_tmpfs hal_graphics_allocator_default_exec hal_graphics_allocator_default_tmpfs hal_graphics_composer_default_exec hal_graphics_composer_default_tmpfs hal_health_default_exec hal_health_default_tmpfs hal_ir_default_exec hal_ir_default_tmpfs hal_keymaster_default_exec hal_keymaster_default_tmpfs hal_light_default_exec hal_light_default_tmpfs hal_memtrack_default_exec hal_memtrack_default_tmpfs hal_nfc_default_exec hal_nfc_default_tmpfs mediacodec_tmpfs hal_power_default_exec hal_power_default_tmpfs hal_sensors_default_exec hal_sensors_default_tmpfs hal_thermal_default_exec hal_thermal_default_tmpfs hal_tv_cec_default_exec hal_tv_cec_default_tmpfs hal_tv_input_default_exec hal_tv_input_default_tmpfs hal_usb_default_exec hal_usb_default_tmpfs hal_vibrator_default_exec hal_vibrator_default_tmpfs hal_vr_default_exec hal_vr_default_tmpfs hal_wifi_default_exec hal_wifi_default_tmpfs hal_wifi_offload_default_exec hal_wifi_offload_default_tmpfs hal_wifi_supplicant_default_exec hal_wifi_supplicant_default_tmpfs hostapd_exec hostapd_tmpfs rild_exec rild_tmpfs tee_exec tee_tmpfs vndservicemanager_exec vndservicemanager_tmpfs))
-(typeattributeset exec_type (bootanim_exec_26_0 bootstat_exec_26_0 bufferhubd_exec_26_0 cameraserver_exec_26_0 clatd_exec_26_0 cppreopts_exec_26_0 crash_dump_exec_26_0 dex2oat_exec_26_0 dhcp_exec_26_0 dnsmasq_exec_26_0 drmserver_exec_26_0 dumpstate_exec_26_0 logcat_exec_26_0 fingerprintd_exec_26_0 fsck_exec_26_0 gatekeeperd_exec_26_0 healthd_exec_26_0 hwservicemanager_exec_26_0 idmap_exec_26_0 init_exec_26_0 inputflinger_exec_26_0 install_recovery_exec_26_0 installd_exec_26_0 keystore_exec_26_0 lmkd_exec_26_0 logd_exec_26_0 mediacodec_exec_26_0 mediadrmserver_exec_26_0 mediaextractor_exec_26_0 mediametrics_exec_26_0 mediaserver_exec_26_0 mtp_exec_26_0 netd_exec_26_0 netutils_wrapper_exec_26_0 otapreopt_chroot_exec_26_0 otapreopt_slot_exec_26_0 performanced_exec_26_0 perfprofd_exec_26_0 ppp_exec_26_0 preopt2cachename_exec_26_0 profman_exec_26_0 racoon_exec_26_0 recovery_persist_exec_26_0 recovery_refresh_exec_26_0 runas_exec_26_0 sdcardd_exec_26_0 servicemanager_exec_26_0 sgdisk_exec_26_0 shell_exec_26_0 su_exec_26_0 tombstoned_exec_26_0 toolbox_exec_26_0 tzdatacheck_exec_26_0 uncrypt_exec_26_0 update_engine_exec_26_0 update_verifier_exec_26_0 vdc_exec_26_0 vendor_shell_exec_26_0 vendor_toolbox_exec_26_0 virtual_touchpad_exec_26_0 vold_exec_26_0 vr_hwc_exec_26_0 webview_zygote_exec_26_0 wificond_exec_26_0 zygote_exec_26_0 hal_audio_default_exec hal_bluetooth_default_exec hal_bootctl_default_exec hal_camera_default_exec hal_configstore_default_exec hal_contexthub_default_exec hal_drm_default_exec hal_dumpstate_default_exec hal_fingerprint_default_exec hal_gatekeeper_default_exec hal_gnss_default_exec hal_graphics_allocator_default_exec hal_graphics_composer_default_exec hal_health_default_exec hal_ir_default_exec hal_keymaster_default_exec hal_light_default_exec hal_memtrack_default_exec hal_nfc_default_exec hal_power_default_exec hal_sensors_default_exec hal_thermal_default_exec hal_tv_cec_default_exec hal_tv_input_default_exec hal_usb_default_exec hal_vibrator_default_exec hal_vr_default_exec hal_wifi_default_exec hal_wifi_offload_default_exec hal_wifi_supplicant_default_exec hostapd_exec rild_exec tee_exec vndservicemanager_exec))
-(typeattributeset data_file_type (system_data_file_26_0 unencrypted_data_file_26_0 install_data_file_26_0 drm_data_file_26_0 adb_data_file_26_0 anr_data_file_26_0 tombstone_data_file_26_0 apk_data_file_26_0 apk_tmp_file_26_0 apk_private_data_file_26_0 apk_private_tmp_file_26_0 dalvikcache_data_file_26_0 ota_data_file_26_0 ota_package_file_26_0 user_profile_data_file_26_0 profman_dump_data_file_26_0 resourcecache_data_file_26_0 shell_data_file_26_0 property_data_file_26_0 bootchart_data_file_26_0 heapdump_data_file_26_0 nativetest_data_file_26_0 ringtone_file_26_0 preloads_data_file_26_0 preloads_media_file_26_0 dhcp_data_file_26_0 adb_keys_file_26_0 audio_data_file_26_0 audiohal_data_file_26_0 audioserver_data_file_26_0 bluetooth_data_file_26_0 bluetooth_logs_data_file_26_0 bootstat_data_file_26_0 boottrace_data_file_26_0 camera_data_file_26_0 gatekeeper_data_file_26_0 incident_data_file_26_0 keychain_data_file_26_0 keystore_data_file_26_0 media_data_file_26_0 media_rw_data_file_26_0 misc_user_data_file_26_0 net_data_file_26_0 nfc_data_file_26_0 radio_data_file_26_0 reboot_data_file_26_0 recovery_data_file_26_0 shared_relro_file_26_0 systemkeys_data_file_26_0 textclassifier_data_file_26_0 vpn_data_file_26_0 wifi_data_file_26_0 zoneinfo_data_file_26_0 vold_data_file_26_0 perfprofd_data_file_26_0 tee_data_file_26_0 update_engine_data_file_26_0 method_trace_data_file_26_0 app_data_file_26_0 system_app_data_file_26_0 wallpaper_file_26_0 shortcut_manager_icons_26_0 icon_file_26_0 asec_apk_file_26_0 asec_public_file_26_0 asec_image_file_26_0 backup_data_file_26_0 fingerprintd_data_file_26_0 app_fuse_file_26_0))
-(typeattributeset core_data_file_type (system_data_file_26_0 unencrypted_data_file_26_0 install_data_file_26_0 drm_data_file_26_0 adb_data_file_26_0 anr_data_file_26_0 tombstone_data_file_26_0 apk_data_file_26_0 apk_tmp_file_26_0 apk_private_data_file_26_0 apk_private_tmp_file_26_0 dalvikcache_data_file_26_0 ota_data_file_26_0 ota_package_file_26_0 user_profile_data_file_26_0 profman_dump_data_file_26_0 resourcecache_data_file_26_0 shell_data_file_26_0 property_data_file_26_0 bootchart_data_file_26_0 heapdump_data_file_26_0 nativetest_data_file_26_0 ringtone_file_26_0 preloads_data_file_26_0 preloads_media_file_26_0 dhcp_data_file_26_0 adb_keys_file_26_0 audio_data_file_26_0 audiohal_data_file_26_0 audioserver_data_file_26_0 bluetooth_data_file_26_0 bluetooth_logs_data_file_26_0 bootstat_data_file_26_0 boottrace_data_file_26_0 camera_data_file_26_0 gatekeeper_data_file_26_0 incident_data_file_26_0 keychain_data_file_26_0 keystore_data_file_26_0 media_data_file_26_0 media_rw_data_file_26_0 misc_user_data_file_26_0 net_data_file_26_0 nfc_data_file_26_0 radio_data_file_26_0 reboot_data_file_26_0 recovery_data_file_26_0 shared_relro_file_26_0 systemkeys_data_file_26_0 textclassifier_data_file_26_0 vpn_data_file_26_0 wifi_data_file_26_0 zoneinfo_data_file_26_0 vold_data_file_26_0 perfprofd_data_file_26_0 update_engine_data_file_26_0 method_trace_data_file_26_0 app_data_file_26_0 system_app_data_file_26_0 wallpaper_file_26_0 shortcut_manager_icons_26_0 icon_file_26_0 asec_apk_file_26_0 asec_public_file_26_0 asec_image_file_26_0 backup_data_file_26_0 fingerprintd_data_file_26_0 app_fuse_file_26_0))
-(typeattributeset vendor_file_type (vendor_hal_file_26_0 vendor_file_26_0 vendor_app_file_26_0 vendor_configs_file_26_0 same_process_hal_file_26_0 vndk_sp_file_26_0 vendor_framework_file_26_0 vendor_overlay_file_26_0 mediacodec_exec_26_0 vendor_shell_exec_26_0 vendor_toolbox_exec_26_0 hal_audio_default_exec hal_bluetooth_default_exec hal_bootctl_default_exec hal_camera_default_exec hal_configstore_default_exec hal_contexthub_default_exec hal_drm_default_exec hal_dumpstate_default_exec hal_fingerprint_default_exec hal_gatekeeper_default_exec hal_gnss_default_exec hal_graphics_allocator_default_exec hal_graphics_composer_default_exec hal_health_default_exec hal_ir_default_exec hal_keymaster_default_exec hal_light_default_exec hal_memtrack_default_exec hal_nfc_default_exec hal_power_default_exec hal_sensors_default_exec hal_thermal_default_exec hal_tv_cec_default_exec hal_tv_input_default_exec hal_usb_default_exec hal_vibrator_default_exec hal_vr_default_exec hal_wifi_default_exec hal_wifi_offload_default_exec hal_wifi_supplicant_default_exec hostapd_exec rild_exec tee_exec vndservicemanager_exec))
-(typeattributeset sysfs_type (usermodehelper_26_0 sysfs_26_0 sysfs_uio_26_0 sysfs_batteryinfo_26_0 sysfs_bluetooth_writable_26_0 sysfs_leds_26_0 sysfs_hwrandom_26_0 sysfs_nfc_power_writable_26_0 sysfs_wake_lock_26_0 sysfs_mac_address_26_0 sysfs_usb_26_0 sysfs_devices_system_cpu_26_0 sysfs_lowmemorykiller_26_0 sysfs_wlan_fwpath_26_0 sysfs_vibrator_26_0 sysfs_thermal_26_0 sysfs_zram_26_0 sysfs_zram_uevent_26_0))
-(typeattributeset debugfs_type (debugfs_mmc_26_0 debugfs_trace_marker_26_0 debugfs_tracing_26_0 debugfs_tracing_instances_26_0 debugfs_wifi_tracing_26_0 tracing_shell_writable_26_0 tracing_shell_writable_debug_26_0))
-(typeattributeset sdcard_type (fuse_26_0 sdcardfs_26_0 vfat_26_0))
-(typeattributeset node_type (node_26_0))
-(typeattributeset netif_type (netif_26_0))
-(typeattributeset port_type (port_26_0))
-(typeattributeset property_type (asan_reboot_prop_26_0 audio_prop_26_0 boottime_prop_26_0 bluetooth_prop_26_0 config_prop_26_0 cppreopt_prop_26_0 ctl_bootanim_prop_26_0 ctl_bugreport_prop_26_0 ctl_console_prop_26_0 ctl_default_prop_26_0 ctl_dumpstate_prop_26_0 ctl_fuse_prop_26_0 ctl_mdnsd_prop_26_0 ctl_rildaemon_prop_26_0 dalvik_prop_26_0 debuggerd_prop_26_0 debug_prop_26_0 default_prop_26_0 device_logging_prop_26_0 dhcp_prop_26_0 dumpstate_options_prop_26_0 dumpstate_prop_26_0 ffs_prop_26_0 fingerprint_prop_26_0 firstboot_prop_26_0 hwservicemanager_prop_26_0 logd_prop_26_0 logpersistd_logging_prop_26_0 log_prop_26_0 log_tag_prop_26_0 mmc_prop_26_0 net_dns_prop_26_0 net_radio_prop_26_0 nfc_prop_26_0 overlay_prop_26_0 pan_result_prop_26_0 persist_debug_prop_26_0 persistent_properties_ready_prop_26_0 powerctl_prop_26_0 radio_prop_26_0 restorecon_prop_26_0 safemode_prop_26_0 serialno_prop_26_0 shell_prop_26_0 system_prop_26_0 system_radio_prop_26_0 vold_prop_26_0 wifi_log_prop_26_0 wifi_prop_26_0))
-(typeattributeset core_property_type (audio_prop_26_0 config_prop_26_0 cppreopt_prop_26_0 dalvik_prop_26_0 debuggerd_prop_26_0 debug_prop_26_0 default_prop_26_0 dhcp_prop_26_0 dumpstate_prop_26_0 ffs_prop_26_0 fingerprint_prop_26_0 logd_prop_26_0 net_radio_prop_26_0 nfc_prop_26_0 pan_result_prop_26_0 persist_debug_prop_26_0 powerctl_prop_26_0 radio_prop_26_0 restorecon_prop_26_0 shell_prop_26_0 system_prop_26_0 system_radio_prop_26_0 vold_prop_26_0))
-(typeattributeset log_property_type (log_prop_26_0 log_tag_prop_26_0 wifi_log_prop_26_0))
-(typeattributeset system_server_service (accessibility_service_26_0 account_service_26_0 activity_service_26_0 alarm_service_26_0 appops_service_26_0 appwidget_service_26_0 assetatlas_service_26_0 audio_service_26_0 autofill_service_26_0 backup_service_26_0 batterystats_service_26_0 battery_service_26_0 bluetooth_manager_service_26_0 cameraproxy_service_26_0 clipboard_service_26_0 contexthub_service_26_0 IProxyService_service_26_0 commontime_management_service_26_0 companion_device_service_26_0 connectivity_service_26_0 connmetrics_service_26_0 consumer_ir_service_26_0 content_service_26_0 country_detector_service_26_0 coverage_service_26_0 cpuinfo_service_26_0 dbinfo_service_26_0 device_policy_service_26_0 deviceidle_service_26_0 device_identifiers_service_26_0 devicestoragemonitor_service_26_0 diskstats_service_26_0 display_service_26_0 font_service_26_0 netd_listener_service_26_0 DockObserver_service_26_0 dreams_service_26_0 dropbox_service_26_0 ethernet_service_26_0 fingerprint_service_26_0 gfxinfo_service_26_0 graphicsstats_service_26_0 hardware_service_26_0 hardware_properties_service_26_0 hdmi_control_service_26_0 input_method_service_26_0 input_service_26_0 imms_service_26_0 ipsec_service_26_0 jobscheduler_service_26_0 launcherapps_service_26_0 location_service_26_0 lock_settings_service_26_0 media_projection_service_26_0 media_router_service_26_0 media_session_service_26_0 meminfo_service_26_0 midi_service_26_0 mount_service_26_0 netpolicy_service_26_0 netstats_service_26_0 network_management_service_26_0 network_score_service_26_0 network_time_update_service_26_0 notification_service_26_0 oem_lock_service_26_0 otadexopt_service_26_0 overlay_service_26_0 package_service_26_0 permission_service_26_0 persistent_data_block_service_26_0 pinner_service_26_0 power_service_26_0 print_service_26_0 processinfo_service_26_0 procstats_service_26_0 recovery_service_26_0 registry_service_26_0 restrictions_service_26_0 rttmanager_service_26_0 samplingprofiler_service_26_0 scheduling_policy_service_26_0 search_service_26_0 sec_key_att_app_id_provider_service_26_0 sensorservice_service_26_0 serial_service_26_0 servicediscovery_service_26_0 settings_service_26_0 shortcut_service_26_0 statusbar_service_26_0 storagestats_service_26_0 task_service_26_0 textclassification_service_26_0 textservices_service_26_0 telecom_service_26_0 trust_service_26_0 tv_input_service_26_0 uimode_service_26_0 updatelock_service_26_0 usagestats_service_26_0 usb_service_26_0 user_service_26_0 vibrator_service_26_0 voiceinteraction_service_26_0 vr_manager_service_26_0 wallpaper_service_26_0 webviewupdate_service_26_0 wifip2p_service_26_0 wifiscanner_service_26_0 wifi_service_26_0 wifiaware_service_26_0 window_service_26_0))
-(typeattributeset app_api_service (batteryproperties_service_26_0 gatekeeper_service_26_0 accessibility_service_26_0 account_service_26_0 activity_service_26_0 alarm_service_26_0 appops_service_26_0 appwidget_service_26_0 assetatlas_service_26_0 audio_service_26_0 autofill_service_26_0 backup_service_26_0 batterystats_service_26_0 bluetooth_manager_service_26_0 clipboard_service_26_0 contexthub_service_26_0 IProxyService_service_26_0 companion_device_service_26_0 connectivity_service_26_0 connmetrics_service_26_0 consumer_ir_service_26_0 content_service_26_0 country_detector_service_26_0 device_policy_service_26_0 deviceidle_service_26_0 device_identifiers_service_26_0 display_service_26_0 font_service_26_0 dreams_service_26_0 dropbox_service_26_0 ethernet_service_26_0 fingerprint_service_26_0 graphicsstats_service_26_0 hardware_properties_service_26_0 input_method_service_26_0 input_service_26_0 imms_service_26_0 ipsec_service_26_0 jobscheduler_service_26_0 launcherapps_service_26_0 location_service_26_0 media_projection_service_26_0 media_router_service_26_0 media_session_service_26_0 midi_service_26_0 mount_service_26_0 netpolicy_service_26_0 netstats_service_26_0 network_management_service_26_0 notification_service_26_0 package_service_26_0 permission_service_26_0 power_service_26_0 print_service_26_0 procstats_service_26_0 registry_service_26_0 restrictions_service_26_0 rttmanager_service_26_0 search_service_26_0 sec_key_att_app_id_provider_service_26_0 sensorservice_service_26_0 servicediscovery_service_26_0 settings_service_26_0 shortcut_service_26_0 statusbar_service_26_0 storagestats_service_26_0 textclassification_service_26_0 textservices_service_26_0 telecom_service_26_0 trust_service_26_0 tv_input_service_26_0 uimode_service_26_0 usagestats_service_26_0 usb_service_26_0 user_service_26_0 vibrator_service_26_0 voiceinteraction_service_26_0 wallpaper_service_26_0 webviewupdate_service_26_0 wifip2p_service_26_0 wifi_service_26_0 wifiaware_service_26_0))
-(typeattributeset ephemeral_app_api_service (batteryproperties_service_26_0 accessibility_service_26_0 account_service_26_0 activity_service_26_0 alarm_service_26_0 appops_service_26_0 appwidget_service_26_0 assetatlas_service_26_0 audio_service_26_0 autofill_service_26_0 backup_service_26_0 batterystats_service_26_0 bluetooth_manager_service_26_0 clipboard_service_26_0 IProxyService_service_26_0 companion_device_service_26_0 connectivity_service_26_0 connmetrics_service_26_0 consumer_ir_service_26_0 content_service_26_0 country_detector_service_26_0 deviceidle_service_26_0 device_identifiers_service_26_0 display_service_26_0 font_service_26_0 dreams_service_26_0 dropbox_service_26_0 graphicsstats_service_26_0 hardware_properties_service_26_0 input_method_service_26_0 input_service_26_0 imms_service_26_0 ipsec_service_26_0 jobscheduler_service_26_0 launcherapps_service_26_0 location_service_26_0 media_projection_service_26_0 media_router_service_26_0 media_session_service_26_0 midi_service_26_0 mount_service_26_0 netpolicy_service_26_0 netstats_service_26_0 network_management_service_26_0 notification_service_26_0 package_service_26_0 permission_service_26_0 power_service_26_0 print_service_26_0 procstats_service_26_0 registry_service_26_0 restrictions_service_26_0 rttmanager_service_26_0 search_service_26_0 sensorservice_service_26_0 servicediscovery_service_26_0 settings_service_26_0 statusbar_service_26_0 storagestats_service_26_0 textclassification_service_26_0 textservices_service_26_0 telecom_service_26_0 tv_input_service_26_0 uimode_service_26_0 usagestats_service_26_0 user_service_26_0 vibrator_service_26_0 voiceinteraction_service_26_0 webviewupdate_service_26_0))
-(typeattributeset system_api_service (cpuinfo_service_26_0 dbinfo_service_26_0 diskstats_service_26_0 gfxinfo_service_26_0 hdmi_control_service_26_0 lock_settings_service_26_0 meminfo_service_26_0 network_score_service_26_0 oem_lock_service_26_0 persistent_data_block_service_26_0 serial_service_26_0 updatelock_service_26_0 wifiscanner_service_26_0 window_service_26_0))
-(typeattributeset service_manager_type (audioserver_service_26_0 batteryproperties_service_26_0 bluetooth_service_26_0 cameraserver_service_26_0 default_android_service_26_0 drmserver_service_26_0 dumpstate_service_26_0 fingerprintd_service_26_0 hal_fingerprint_service_26_0 gatekeeper_service_26_0 gpu_service_26_0 inputflinger_service_26_0 incident_service_26_0 installd_service_26_0 keystore_service_26_0 mediaserver_service_26_0 mediametrics_service_26_0 mediaextractor_service_26_0 mediacodec_service_26_0 mediadrmserver_service_26_0 mediacasserver_service_26_0 netd_service_26_0 nfc_service_26_0 radio_service_26_0 storaged_service_26_0 surfaceflinger_service_26_0 system_app_service_26_0 update_engine_service_26_0 virtual_touchpad_service_26_0 vr_hwc_service_26_0 accessibility_service_26_0 account_service_26_0 activity_service_26_0 alarm_service_26_0 appops_service_26_0 appwidget_service_26_0 assetatlas_service_26_0 audio_service_26_0 autofill_service_26_0 backup_service_26_0 batterystats_service_26_0 battery_service_26_0 bluetooth_manager_service_26_0 cameraproxy_service_26_0 clipboard_service_26_0 contexthub_service_26_0 IProxyService_service_26_0 commontime_management_service_26_0 companion_device_service_26_0 connectivity_service_26_0 connmetrics_service_26_0 consumer_ir_service_26_0 content_service_26_0 country_detector_service_26_0 coverage_service_26_0 cpuinfo_service_26_0 dbinfo_service_26_0 device_policy_service_26_0 deviceidle_service_26_0 device_identifiers_service_26_0 devicestoragemonitor_service_26_0 diskstats_service_26_0 display_service_26_0 font_service_26_0 netd_listener_service_26_0 DockObserver_service_26_0 dreams_service_26_0 dropbox_service_26_0 ethernet_service_26_0 fingerprint_service_26_0 gfxinfo_service_26_0 graphicsstats_service_26_0 hardware_service_26_0 hardware_properties_service_26_0 hdmi_control_service_26_0 input_method_service_26_0 input_service_26_0 imms_service_26_0 ipsec_service_26_0 jobscheduler_service_26_0 launcherapps_service_26_0 location_service_26_0 lock_settings_service_26_0 media_projection_service_26_0 media_router_service_26_0 media_session_service_26_0 meminfo_service_26_0 midi_service_26_0 mount_service_26_0 netpolicy_service_26_0 netstats_service_26_0 network_management_service_26_0 network_score_service_26_0 network_time_update_service_26_0 notification_service_26_0 oem_lock_service_26_0 otadexopt_service_26_0 overlay_service_26_0 package_service_26_0 permission_service_26_0 persistent_data_block_service_26_0 pinner_service_26_0 power_service_26_0 print_service_26_0 processinfo_service_26_0 procstats_service_26_0 recovery_service_26_0 registry_service_26_0 restrictions_service_26_0 rttmanager_service_26_0 samplingprofiler_service_26_0 scheduling_policy_service_26_0 search_service_26_0 sec_key_att_app_id_provider_service_26_0 sensorservice_service_26_0 serial_service_26_0 servicediscovery_service_26_0 settings_service_26_0 shortcut_service_26_0 statusbar_service_26_0 storagestats_service_26_0 task_service_26_0 textclassification_service_26_0 textservices_service_26_0 telecom_service_26_0 trust_service_26_0 tv_input_service_26_0 uimode_service_26_0 updatelock_service_26_0 usagestats_service_26_0 usb_service_26_0 user_service_26_0 vibrator_service_26_0 voiceinteraction_service_26_0 vr_manager_service_26_0 wallpaper_service_26_0 webviewupdate_service_26_0 wifip2p_service_26_0 wifiscanner_service_26_0 wifi_service_26_0 wificond_service_26_0 wifiaware_service_26_0 window_service_26_0))
-(typeattributeset hwservice_manager_type (default_android_hwservice_26_0 fwk_display_hwservice_26_0 fwk_scheduler_hwservice_26_0 fwk_sensor_hwservice_26_0 hal_audio_hwservice_26_0 hal_bluetooth_hwservice_26_0 hal_bootctl_hwservice_26_0 hal_camera_hwservice_26_0 hal_configstore_ISurfaceFlingerConfigs_26_0 hal_contexthub_hwservice_26_0 hal_drm_hwservice_26_0 hal_dumpstate_hwservice_26_0 hal_fingerprint_hwservice_26_0 hal_gatekeeper_hwservice_26_0 hal_gnss_hwservice_26_0 hal_graphics_allocator_hwservice_26_0 hal_graphics_composer_hwservice_26_0 hal_graphics_mapper_hwservice_26_0 hal_health_hwservice_26_0 hal_ir_hwservice_26_0 hal_keymaster_hwservice_26_0 hal_light_hwservice_26_0 hal_memtrack_hwservice_26_0 hal_nfc_hwservice_26_0 hal_oemlock_hwservice_26_0 hal_omx_hwservice_26_0 hal_power_hwservice_26_0 hal_renderscript_hwservice_26_0 hal_sensors_hwservice_26_0 hal_telephony_hwservice_26_0 hal_thermal_hwservice_26_0 hal_tv_cec_hwservice_26_0 hal_tv_input_hwservice_26_0 hal_usb_hwservice_26_0 hal_vibrator_hwservice_26_0 hal_vr_hwservice_26_0 hal_weaver_hwservice_26_0 hal_wifi_hwservice_26_0 hal_wifi_supplicant_hwservice_26_0 hidl_allocator_hwservice_26_0 hidl_base_hwservice_26_0 hidl_manager_hwservice_26_0 hidl_memory_hwservice_26_0 hidl_token_hwservice_26_0 system_wifi_keystore_hwservice_26_0))
-(typeattributeset same_process_hwservice (hal_graphics_mapper_hwservice_26_0 hal_renderscript_hwservice_26_0))
-(typeattributeset coredomain_hwservice (fwk_display_hwservice_26_0 fwk_scheduler_hwservice_26_0 fwk_sensor_hwservice_26_0 hidl_allocator_hwservice_26_0 hidl_manager_hwservice_26_0 hidl_memory_hwservice_26_0 hidl_token_hwservice_26_0 system_wifi_keystore_hwservice_26_0))
-(typeattributeset vndservice_manager_type (default_android_vndservice_26_0))
-(typeattributeset mlstrustedsubject (bufferhubd_26_0 cppreopts_26_0 drmserver_26_0 dumpstate_26_0 pdx_display_client_endpoint_socket_26_0 pdx_display_manager_endpoint_socket_26_0 pdx_display_screenshot_endpoint_socket_26_0 pdx_display_vsync_endpoint_socket_26_0 pdx_performance_client_endpoint_socket_26_0 pdx_bufferhub_client_endpoint_socket_26_0 hwservicemanager_26_0 init_26_0 installd_26_0 kernel_26_0 keystore_26_0 lmkd_26_0 logd_26_0 mediacodec_26_0 mediadrmserver_26_0 mediaextractor_26_0 mediaserver_26_0 netd_26_0 otapreopt_slot_26_0 performanced_26_0 perfprofd_26_0 racoon_26_0 radio_26_0 runas_26_0 servicemanager_26_0 shell_26_0 su_26_0 tombstoned_26_0 uncrypt_26_0 vold_26_0))
-(typeattributeset mlstrustedobject (alarm_device_26_0 ashmem_device_26_0 binder_device_26_0 hwbinder_device_26_0 pmsg_device_26_0 gpu_device_26_0 log_device_26_0 mtp_device_26_0 ptmx_device_26_0 null_device_26_0 random_device_26_0 owntty_device_26_0 zero_device_26_0 fuse_device_26_0 ion_device_26_0 tun_device_26_0 usbaccessory_device_26_0 usb_device_26_0 qtaguid_proc_26_0 selinuxfs_26_0 cgroup_26_0 sysfs_26_0 sysfs_bluetooth_writable_26_0 sysfs_nfc_power_writable_26_0 sysfs_usb_26_0 inotify_26_0 devpts_26_0 fuse_26_0 sdcardfs_26_0 vfat_26_0 debugfs_trace_marker_26_0 functionfs_26_0 anr_data_file_26_0 tombstone_data_file_26_0 apk_tmp_file_26_0 apk_private_tmp_file_26_0 ota_package_file_26_0 user_profile_data_file_26_0 shell_data_file_26_0 heapdump_data_file_26_0 ringtone_file_26_0 media_rw_data_file_26_0 radio_data_file_26_0 perfprofd_data_file_26_0 method_trace_data_file_26_0 system_app_data_file_26_0 cache_file_26_0 cache_backup_file_26_0 cache_recovery_file_26_0 wallpaper_file_26_0 shortcut_manager_icons_26_0 asec_apk_file_26_0 backup_data_file_26_0 app_fuse_file_26_0 dnsproxyd_socket_26_0 fwmarkd_socket_26_0 logd_socket_26_0 logdr_socket_26_0 logdw_socket_26_0 mdnsd_socket_26_0 property_socket_26_0 system_ndebug_socket_26_0 tombstoned_crash_socket_26_0 pdx_display_client_endpoint_socket_26_0 pdx_display_manager_endpoint_socket_26_0 pdx_display_screenshot_endpoint_socket_26_0 pdx_display_vsync_endpoint_socket_26_0 pdx_performance_client_endpoint_socket_26_0 pdx_bufferhub_client_endpoint_socket_26_0))
-(typeattributeset netdomain (clatd_26_0 dhcp_26_0 dnsmasq_26_0 drmserver_26_0 dumpstate_26_0 mediadrmserver_26_0 mediaserver_26_0 mtp_26_0 netd_26_0 ppp_26_0 racoon_26_0 radio_26_0 rild_26_0 shell_26_0 su_26_0 update_engine_26_0 hal_wifi_supplicant_default hostapd))
-(typeattributeset bluetoothdomain (radio_26_0))
-(typeattributeset binderservicedomain (cameraserver_26_0 drmserver_26_0 gatekeeperd_26_0 healthd_26_0 inputflinger_26_0 keystore_26_0 mediadrmserver_26_0 mediaextractor_26_0 mediametrics_26_0 mediaserver_26_0 radio_26_0 virtual_touchpad_26_0 vr_hwc_26_0))
-(typeattributeset update_engine_common (update_engine_26_0))
-(typeattributeset coredomain (perfprofd_26_0))
-(typeattributeset coredomain_socket (adbd_socket_26_0 bluetooth_socket_26_0 dnsproxyd_socket_26_0 dumpstate_socket_26_0 fwmarkd_socket_26_0 lmkd_socket_26_0 logd_socket_26_0 logdr_socket_26_0 logdw_socket_26_0 mdns_socket_26_0 mdnsd_socket_26_0 misc_logd_file_26_0 mtpd_socket_26_0 netd_socket_26_0 property_socket_26_0 racoon_socket_26_0 system_wpa_socket_26_0 system_ndebug_socket_26_0 tombstoned_crash_socket_26_0 tombstoned_intercept_socket_26_0 uncrypt_socket_26_0 vold_socket_26_0 webview_zygote_socket_26_0 zygote_socket_26_0 pdx_display_client_endpoint_socket_26_0 pdx_display_client_channel_socket_26_0 pdx_display_manager_endpoint_socket_26_0 pdx_display_manager_channel_socket_26_0 pdx_display_screenshot_endpoint_socket_26_0 pdx_display_screenshot_channel_socket_26_0 pdx_display_vsync_endpoint_socket_26_0 pdx_display_vsync_channel_socket_26_0 pdx_performance_client_endpoint_socket_26_0 pdx_performance_client_channel_socket_26_0 pdx_bufferhub_client_endpoint_socket_26_0 pdx_bufferhub_client_channel_socket_26_0))
-(typeattributeset pdx_endpoint_dir_type (pdx_display_dir_26_0 pdx_performance_dir_26_0 pdx_bufferhub_dir_26_0))
-(typeattributeset pdx_endpoint_socket_type (pdx_display_client_endpoint_socket_26_0 pdx_display_manager_endpoint_socket_26_0 pdx_display_screenshot_endpoint_socket_26_0 pdx_display_vsync_endpoint_socket_26_0 pdx_performance_client_endpoint_socket_26_0 pdx_bufferhub_client_endpoint_socket_26_0))
-(typeattributeset pdx_channel_socket_type (pdx_display_client_channel_socket_26_0 pdx_display_manager_channel_socket_26_0 pdx_display_screenshot_channel_socket_26_0 pdx_display_vsync_channel_socket_26_0 pdx_performance_client_channel_socket_26_0 pdx_bufferhub_client_channel_socket_26_0))
-(typeattributeset pdx_display_client_endpoint_dir_type (pdx_display_dir_26_0))
-(typeattributeset pdx_display_client_endpoint_socket_type (pdx_display_client_endpoint_socket_26_0))
-(typeattributeset pdx_display_client_channel_socket_type (pdx_display_client_channel_socket_26_0))
-(typeattributeset pdx_display_manager_endpoint_dir_type (pdx_display_dir_26_0))
-(typeattributeset pdx_display_manager_endpoint_socket_type (pdx_display_manager_endpoint_socket_26_0))
-(typeattributeset pdx_display_manager_channel_socket_type (pdx_display_manager_channel_socket_26_0))
-(typeattributeset pdx_display_screenshot_endpoint_dir_type (pdx_display_dir_26_0))
-(typeattributeset pdx_display_screenshot_endpoint_socket_type (pdx_display_screenshot_endpoint_socket_26_0))
-(typeattributeset pdx_display_screenshot_channel_socket_type (pdx_display_screenshot_channel_socket_26_0))
-(typeattributeset pdx_display_vsync_endpoint_dir_type (pdx_display_dir_26_0))
-(typeattributeset pdx_display_vsync_endpoint_socket_type (pdx_display_vsync_endpoint_socket_26_0))
-(typeattributeset pdx_display_vsync_channel_socket_type (pdx_display_vsync_channel_socket_26_0))
-(typeattributeset pdx_performance_client_endpoint_dir_type (pdx_performance_dir_26_0))
-(typeattributeset pdx_performance_client_endpoint_socket_type (pdx_performance_client_endpoint_socket_26_0))
-(typeattributeset pdx_performance_client_channel_socket_type (pdx_performance_client_channel_socket_26_0))
-(typeattributeset pdx_performance_client_server_type (performanced_26_0))
-(typeattributeset pdx_bufferhub_client_endpoint_dir_type (pdx_bufferhub_dir_26_0))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_type (pdx_bufferhub_client_endpoint_socket_26_0))
-(typeattributeset pdx_bufferhub_client_channel_socket_type (pdx_bufferhub_client_channel_socket_26_0))
-(typeattributeset pdx_bufferhub_client_server_type (bufferhubd_26_0))
-(typeattributeset halserverdomain (rild_26_0 hal_audio_default hal_bluetooth_default hal_bootctl_default hal_camera_default hal_configstore_default hal_contexthub_default hal_drm_default hal_dumpstate_default hal_fingerprint_default hal_gatekeeper_default hal_gnss_default hal_graphics_allocator_default hal_graphics_composer_default hal_health_default hal_ir_default hal_keymaster_default hal_light_default hal_memtrack_default hal_nfc_default hal_power_default hal_sensors_default hal_thermal_default hal_tv_cec_default hal_tv_input_default hal_usb_default hal_vibrator_default hal_vr_default hal_wifi_default hal_wifi_offload_default hal_wifi_supplicant_default))
-(typeattributeset halclientdomain (bootanim_26_0 bufferhubd_26_0 cameraserver_26_0 dumpstate_26_0 gatekeeperd_26_0 healthd_26_0 mediacodec_26_0 mediadrmserver_26_0 mediaserver_26_0 radio_26_0 update_engine_26_0 update_verifier_26_0 vold_26_0 vr_hwc_26_0 hal_audio_default))
-(typeattributeset hal_allocator_client (mediacodec_26_0 mediaserver_26_0 hal_audio_default))
-(typeattributeset hal_audio (hal_audio_default))
-(typeattributeset hal_audio_server (hal_audio_default))
-(typeattributeset hal_bluetooth (hal_bluetooth_default))
-(typeattributeset hal_bluetooth_server (hal_bluetooth_default))
-(typeattributeset hal_bootctl (hal_bootctl_default))
-(typeattributeset hal_bootctl_client (update_engine_26_0 update_verifier_26_0))
-(typeattributeset hal_bootctl_server (hal_bootctl_default))
-(typeattributeset hal_camera (hal_camera_default))
-(typeattributeset hal_camera_client (cameraserver_26_0))
-(typeattributeset hal_camera_server (hal_camera_default))
-(typeattributeset hal_configstore (hal_configstore_default))
-(typeattributeset hal_configstore_server (hal_configstore_default))
-(typeattributeset hal_contexthub (hal_contexthub_default))
-(typeattributeset hal_contexthub_server (hal_contexthub_default))
-(typeattributeset hal_drm (hal_drm_default))
-(typeattributeset hal_drm_client (mediadrmserver_26_0))
-(typeattributeset hal_drm_server (hal_drm_default))
-(typeattributeset hal_dumpstate (hal_dumpstate_default))
-(typeattributeset hal_dumpstate_client (dumpstate_26_0))
-(typeattributeset hal_dumpstate_server (hal_dumpstate_default))
-(typeattributeset hal_fingerprint (hal_fingerprint_default))
-(typeattributeset hal_fingerprint_server (hal_fingerprint_default))
-(typeattributeset hal_gatekeeper (hal_gatekeeper_default))
-(typeattributeset hal_gatekeeper_client (gatekeeperd_26_0))
-(typeattributeset hal_gatekeeper_server (hal_gatekeeper_default))
-(typeattributeset hal_gnss (hal_gnss_default))
-(typeattributeset hal_gnss_server (hal_gnss_default))
-(typeattributeset hal_graphics_allocator (hal_graphics_allocator_default))
-(typeattributeset hal_graphics_allocator_client (bootanim_26_0 bufferhubd_26_0 cameraserver_26_0 dumpstate_26_0 mediacodec_26_0 vr_hwc_26_0))
-(typeattributeset hal_graphics_allocator_server (hal_graphics_allocator_default))
-(typeattributeset hal_graphics_composer (hal_graphics_composer_default))
-(typeattributeset hal_graphics_composer_client (bootanim_26_0))
-(typeattributeset hal_graphics_composer_server (hal_graphics_composer_default))
-(typeattributeset hal_health (hal_health_default))
-(typeattributeset hal_health_client (healthd_26_0))
-(typeattributeset hal_health_server (hal_health_default))
-(typeattributeset hal_ir (hal_ir_default))
-(typeattributeset hal_ir_server (hal_ir_default))
-(typeattributeset hal_keymaster (hal_keymaster_default))
-(typeattributeset hal_keymaster_client (vold_26_0))
-(typeattributeset hal_keymaster_server (hal_keymaster_default))
-(typeattributeset hal_light (hal_light_default))
-(typeattributeset hal_light_server (hal_light_default))
-(typeattributeset hal_memtrack (hal_memtrack_default))
-(typeattributeset hal_memtrack_server (hal_memtrack_default))
-(typeattributeset hal_nfc (hal_nfc_default))
-(typeattributeset hal_nfc_server (hal_nfc_default))
-(typeattributeset hal_power (hal_power_default))
-(typeattributeset hal_power_server (hal_power_default))
-(typeattributeset hal_sensors (hal_sensors_default))
-(typeattributeset hal_sensors_server (hal_sensors_default))
-(typeattributeset hal_telephony (rild_26_0))
-(typeattributeset hal_telephony_client (radio_26_0))
-(typeattributeset hal_telephony_server (rild_26_0))
-(typeattributeset hal_thermal (hal_thermal_default))
-(typeattributeset hal_thermal_server (hal_thermal_default))
-(typeattributeset hal_tv_cec (hal_tv_cec_default))
-(typeattributeset hal_tv_cec_server (hal_tv_cec_default))
-(typeattributeset hal_tv_input (hal_tv_input_default))
-(typeattributeset hal_tv_input_server (hal_tv_input_default))
-(typeattributeset hal_usb (hal_usb_default))
-(typeattributeset hal_usb_server (hal_usb_default))
-(typeattributeset hal_vibrator (hal_vibrator_default))
-(typeattributeset hal_vibrator_client (dumpstate_26_0))
-(typeattributeset hal_vibrator_server (hal_vibrator_default))
-(typeattributeset hal_vr (hal_vr_default))
-(typeattributeset hal_vr_server (hal_vr_default))
-(typeattributeset hal_wifi (hal_wifi_default))
-(typeattributeset hal_wifi_server (hal_wifi_default))
-(typeattributeset hal_wifi_offload (hal_wifi_offload_default))
-(typeattributeset hal_wifi_offload_server (hal_wifi_offload_default))
-(typeattributeset hal_wifi_supplicant (hal_wifi_supplicant_default))
-(typeattributeset hal_wifi_supplicant_server (hal_wifi_supplicant_default))
-(typeattribute adbd_26_0)
-(roletype object_r adbd_26_0)
-(typeattribute audioserver_26_0)
-(roletype object_r audioserver_26_0)
-(typeattribute blkid_26_0)
-(roletype object_r blkid_26_0)
-(typeattribute blkid_untrusted_26_0)
-(roletype object_r blkid_untrusted_26_0)
-(typeattribute bluetooth_26_0)
-(roletype object_r bluetooth_26_0)
-(typeattribute bootanim_26_0)
-(roletype object_r bootanim_26_0)
-(typeattribute bootanim_exec_26_0)
-(roletype object_r bootanim_exec_26_0)
-(typeattribute bootstat_26_0)
-(roletype object_r bootstat_26_0)
-(typeattribute bootstat_exec_26_0)
-(roletype object_r bootstat_exec_26_0)
-(typeattribute bufferhubd_26_0)
-(roletype object_r bufferhubd_26_0)
-(typeattribute bufferhubd_exec_26_0)
-(roletype object_r bufferhubd_exec_26_0)
-(typeattribute cameraserver_26_0)
-(roletype object_r cameraserver_26_0)
-(typeattribute cameraserver_exec_26_0)
-(roletype object_r cameraserver_exec_26_0)
-(typeattribute charger_26_0)
-(roletype object_r charger_26_0)
-(typeattribute clatd_26_0)
-(roletype object_r clatd_26_0)
-(typeattribute clatd_exec_26_0)
-(roletype object_r clatd_exec_26_0)
-(typeattribute cppreopts_26_0)
-(roletype object_r cppreopts_26_0)
-(typeattribute cppreopts_exec_26_0)
-(roletype object_r cppreopts_exec_26_0)
-(typeattribute crash_dump_26_0)
-(roletype object_r crash_dump_26_0)
-(typeattribute crash_dump_exec_26_0)
-(roletype object_r crash_dump_exec_26_0)
-(typeattribute device_26_0)
-(roletype object_r device_26_0)
-(typeattribute alarm_device_26_0)
-(roletype object_r alarm_device_26_0)
-(typeattribute ashmem_device_26_0)
-(roletype object_r ashmem_device_26_0)
-(typeattribute audio_device_26_0)
-(roletype object_r audio_device_26_0)
-(typeattribute audio_timer_device_26_0)
-(roletype object_r audio_timer_device_26_0)
-(typeattribute audio_seq_device_26_0)
-(roletype object_r audio_seq_device_26_0)
-(typeattribute binder_device_26_0)
-(roletype object_r binder_device_26_0)
-(typeattribute hwbinder_device_26_0)
-(roletype object_r hwbinder_device_26_0)
-(typeattribute vndbinder_device_26_0)
-(roletype object_r vndbinder_device_26_0)
-(typeattribute block_device_26_0)
-(roletype object_r block_device_26_0)
-(typeattribute camera_device_26_0)
-(roletype object_r camera_device_26_0)
-(typeattribute dm_device_26_0)
-(roletype object_r dm_device_26_0)
-(typeattribute keychord_device_26_0)
-(roletype object_r keychord_device_26_0)
-(typeattribute loop_control_device_26_0)
-(roletype object_r loop_control_device_26_0)
-(typeattribute loop_device_26_0)
-(roletype object_r loop_device_26_0)
-(typeattribute pmsg_device_26_0)
-(roletype object_r pmsg_device_26_0)
-(typeattribute radio_device_26_0)
-(roletype object_r radio_device_26_0)
-(typeattribute ram_device_26_0)
-(roletype object_r ram_device_26_0)
-(typeattribute rtc_device_26_0)
-(roletype object_r rtc_device_26_0)
-(typeattribute vold_device_26_0)
-(roletype object_r vold_device_26_0)
-(typeattribute console_device_26_0)
-(roletype object_r console_device_26_0)
-(typeattribute cpuctl_device_26_0)
-(roletype object_r cpuctl_device_26_0)
-(typeattribute fscklogs_26_0)
-(roletype object_r fscklogs_26_0)
-(typeattribute full_device_26_0)
-(roletype object_r full_device_26_0)
-(typeattribute gpu_device_26_0)
-(roletype object_r gpu_device_26_0)
-(typeattribute graphics_device_26_0)
-(roletype object_r graphics_device_26_0)
-(typeattribute hw_random_device_26_0)
-(roletype object_r hw_random_device_26_0)
-(typeattribute input_device_26_0)
-(roletype object_r input_device_26_0)
-(typeattribute kmem_device_26_0)
-(roletype object_r kmem_device_26_0)
-(typeattribute port_device_26_0)
-(roletype object_r port_device_26_0)
-(typeattribute log_device_26_0)
-(roletype object_r log_device_26_0)
-(typeattribute mtd_device_26_0)
-(roletype object_r mtd_device_26_0)
-(typeattribute mtp_device_26_0)
-(roletype object_r mtp_device_26_0)
-(typeattribute nfc_device_26_0)
-(roletype object_r nfc_device_26_0)
-(typeattribute ptmx_device_26_0)
-(roletype object_r ptmx_device_26_0)
-(typeattribute kmsg_device_26_0)
-(roletype object_r kmsg_device_26_0)
-(typeattribute null_device_26_0)
-(roletype object_r null_device_26_0)
-(typeattribute random_device_26_0)
-(roletype object_r random_device_26_0)
-(typeattribute sensors_device_26_0)
-(roletype object_r sensors_device_26_0)
-(typeattribute serial_device_26_0)
-(roletype object_r serial_device_26_0)
-(typeattribute socket_device_26_0)
-(roletype object_r socket_device_26_0)
-(typeattribute owntty_device_26_0)
-(roletype object_r owntty_device_26_0)
-(typeattribute tty_device_26_0)
-(roletype object_r tty_device_26_0)
-(typeattribute video_device_26_0)
-(roletype object_r video_device_26_0)
-(typeattribute vcs_device_26_0)
-(roletype object_r vcs_device_26_0)
-(typeattribute zero_device_26_0)
-(roletype object_r zero_device_26_0)
-(typeattribute fuse_device_26_0)
-(roletype object_r fuse_device_26_0)
-(typeattribute iio_device_26_0)
-(roletype object_r iio_device_26_0)
-(typeattribute ion_device_26_0)
-(roletype object_r ion_device_26_0)
-(typeattribute qtaguid_device_26_0)
-(roletype object_r qtaguid_device_26_0)
-(typeattribute watchdog_device_26_0)
-(roletype object_r watchdog_device_26_0)
-(typeattribute uhid_device_26_0)
-(roletype object_r uhid_device_26_0)
-(typeattribute uio_device_26_0)
-(roletype object_r uio_device_26_0)
-(typeattribute tun_device_26_0)
-(roletype object_r tun_device_26_0)
-(typeattribute usbaccessory_device_26_0)
-(roletype object_r usbaccessory_device_26_0)
-(typeattribute usb_device_26_0)
-(roletype object_r usb_device_26_0)
-(typeattribute properties_device_26_0)
-(roletype object_r properties_device_26_0)
-(typeattribute properties_serial_26_0)
-(roletype object_r properties_serial_26_0)
-(typeattribute i2c_device_26_0)
-(roletype object_r i2c_device_26_0)
-(typeattribute hci_attach_dev_26_0)
-(roletype object_r hci_attach_dev_26_0)
-(typeattribute rpmsg_device_26_0)
-(roletype object_r rpmsg_device_26_0)
-(typeattribute root_block_device_26_0)
-(roletype object_r root_block_device_26_0)
-(typeattribute frp_block_device_26_0)
-(roletype object_r frp_block_device_26_0)
-(typeattribute system_block_device_26_0)
-(roletype object_r system_block_device_26_0)
-(typeattribute recovery_block_device_26_0)
-(roletype object_r recovery_block_device_26_0)
-(typeattribute boot_block_device_26_0)
-(roletype object_r boot_block_device_26_0)
-(typeattribute userdata_block_device_26_0)
-(roletype object_r userdata_block_device_26_0)
-(typeattribute cache_block_device_26_0)
-(roletype object_r cache_block_device_26_0)
-(typeattribute swap_block_device_26_0)
-(roletype object_r swap_block_device_26_0)
-(typeattribute metadata_block_device_26_0)
-(roletype object_r metadata_block_device_26_0)
-(typeattribute misc_block_device_26_0)
-(roletype object_r misc_block_device_26_0)
-(typeattribute dex2oat_26_0)
-(roletype object_r dex2oat_26_0)
-(typeattribute dex2oat_exec_26_0)
-(roletype object_r dex2oat_exec_26_0)
-(typeattribute dhcp_26_0)
-(roletype object_r dhcp_26_0)
-(typeattribute dhcp_exec_26_0)
-(roletype object_r dhcp_exec_26_0)
-(typeattribute dnsmasq_26_0)
-(roletype object_r dnsmasq_26_0)
-(typeattribute dnsmasq_exec_26_0)
-(roletype object_r dnsmasq_exec_26_0)
-(typeattribute drmserver_26_0)
-(roletype object_r drmserver_26_0)
-(typeattribute drmserver_exec_26_0)
-(roletype object_r drmserver_exec_26_0)
-(typeattribute drmserver_socket_26_0)
-(roletype object_r drmserver_socket_26_0)
-(typeattribute dumpstate_26_0)
-(roletype object_r dumpstate_26_0)
-(typeattribute dumpstate_exec_26_0)
-(roletype object_r dumpstate_exec_26_0)
-(typeattribute ephemeral_app_26_0)
-(roletype object_r ephemeral_app_26_0)
-(typeattribute labeledfs_26_0)
-(roletype object_r labeledfs_26_0)
-(typeattribute pipefs_26_0)
-(roletype object_r pipefs_26_0)
-(typeattribute sockfs_26_0)
-(roletype object_r sockfs_26_0)
-(typeattribute rootfs_26_0)
-(roletype object_r rootfs_26_0)
-(typeattribute proc_26_0)
-(roletype object_r proc_26_0)
-(typeattribute proc_security_26_0)
-(roletype object_r proc_security_26_0)
-(typeattribute proc_drop_caches_26_0)
-(roletype object_r proc_drop_caches_26_0)
-(typeattribute proc_overcommit_memory_26_0)
-(roletype object_r proc_overcommit_memory_26_0)
-(typeattribute usermodehelper_26_0)
-(roletype object_r usermodehelper_26_0)
-(typeattribute qtaguid_proc_26_0)
-(roletype object_r qtaguid_proc_26_0)
-(typeattribute proc_bluetooth_writable_26_0)
-(roletype object_r proc_bluetooth_writable_26_0)
-(typeattribute proc_cpuinfo_26_0)
-(roletype object_r proc_cpuinfo_26_0)
-(typeattribute proc_interrupts_26_0)
-(roletype object_r proc_interrupts_26_0)
-(typeattribute proc_iomem_26_0)
-(roletype object_r proc_iomem_26_0)
-(typeattribute proc_meminfo_26_0)
-(roletype object_r proc_meminfo_26_0)
-(typeattribute proc_misc_26_0)
-(roletype object_r proc_misc_26_0)
-(typeattribute proc_modules_26_0)
-(roletype object_r proc_modules_26_0)
-(typeattribute proc_net_26_0)
-(roletype object_r proc_net_26_0)
-(typeattribute proc_perf_26_0)
-(roletype object_r proc_perf_26_0)
-(typeattribute proc_stat_26_0)
-(roletype object_r proc_stat_26_0)
-(typeattribute proc_sysrq_26_0)
-(roletype object_r proc_sysrq_26_0)
-(typeattribute proc_timer_26_0)
-(roletype object_r proc_timer_26_0)
-(typeattribute proc_tty_drivers_26_0)
-(roletype object_r proc_tty_drivers_26_0)
-(typeattribute proc_uid_cputime_showstat_26_0)
-(roletype object_r proc_uid_cputime_showstat_26_0)
-(typeattribute proc_uid_cputime_removeuid_26_0)
-(roletype object_r proc_uid_cputime_removeuid_26_0)
-(typeattribute proc_uid_io_stats_26_0)
-(roletype object_r proc_uid_io_stats_26_0)
-(typeattribute proc_uid_procstat_set_26_0)
-(roletype object_r proc_uid_procstat_set_26_0)
-(typeattribute proc_zoneinfo_26_0)
-(roletype object_r proc_zoneinfo_26_0)
-(typeattribute selinuxfs_26_0)
-(roletype object_r selinuxfs_26_0)
-(typeattribute cgroup_26_0)
-(roletype object_r cgroup_26_0)
-(typeattribute sysfs_26_0)
-(roletype object_r sysfs_26_0)
-(typeattribute sysfs_uio_26_0)
-(roletype object_r sysfs_uio_26_0)
-(typeattribute sysfs_batteryinfo_26_0)
-(roletype object_r sysfs_batteryinfo_26_0)
-(typeattribute sysfs_bluetooth_writable_26_0)
-(roletype object_r sysfs_bluetooth_writable_26_0)
-(typeattribute sysfs_leds_26_0)
-(roletype object_r sysfs_leds_26_0)
-(typeattribute sysfs_hwrandom_26_0)
-(roletype object_r sysfs_hwrandom_26_0)
-(typeattribute sysfs_nfc_power_writable_26_0)
-(roletype object_r sysfs_nfc_power_writable_26_0)
-(typeattribute sysfs_wake_lock_26_0)
-(roletype object_r sysfs_wake_lock_26_0)
-(typeattribute sysfs_mac_address_26_0)
-(roletype object_r sysfs_mac_address_26_0)
-(typeattribute sysfs_usb_26_0)
-(roletype object_r sysfs_usb_26_0)
-(typeattribute configfs_26_0)
-(roletype object_r configfs_26_0)
-(typeattribute sysfs_devices_system_cpu_26_0)
-(roletype object_r sysfs_devices_system_cpu_26_0)
-(typeattribute sysfs_lowmemorykiller_26_0)
-(roletype object_r sysfs_lowmemorykiller_26_0)
-(typeattribute sysfs_wlan_fwpath_26_0)
-(roletype object_r sysfs_wlan_fwpath_26_0)
-(typeattribute sysfs_vibrator_26_0)
-(roletype object_r sysfs_vibrator_26_0)
-(typeattribute sysfs_thermal_26_0)
-(roletype object_r sysfs_thermal_26_0)
-(typeattribute sysfs_zram_26_0)
-(roletype object_r sysfs_zram_26_0)
-(typeattribute sysfs_zram_uevent_26_0)
-(roletype object_r sysfs_zram_uevent_26_0)
-(typeattribute inotify_26_0)
-(roletype object_r inotify_26_0)
-(typeattribute devpts_26_0)
-(roletype object_r devpts_26_0)
-(typeattribute tmpfs_26_0)
-(roletype object_r tmpfs_26_0)
-(typeattribute shm_26_0)
-(roletype object_r shm_26_0)
-(typeattribute mqueue_26_0)
-(roletype object_r mqueue_26_0)
-(typeattribute fuse_26_0)
-(roletype object_r fuse_26_0)
-(typeattribute sdcardfs_26_0)
-(roletype object_r sdcardfs_26_0)
-(typeattribute vfat_26_0)
-(roletype object_r vfat_26_0)
-(typeattribute debugfs_26_0)
-(roletype object_r debugfs_26_0)
-(typeattribute debugfs_mmc_26_0)
-(roletype object_r debugfs_mmc_26_0)
-(typeattribute debugfs_trace_marker_26_0)
-(roletype object_r debugfs_trace_marker_26_0)
-(typeattribute debugfs_tracing_26_0)
-(roletype object_r debugfs_tracing_26_0)
-(typeattribute debugfs_tracing_instances_26_0)
-(roletype object_r debugfs_tracing_instances_26_0)
-(typeattribute debugfs_wifi_tracing_26_0)
-(roletype object_r debugfs_wifi_tracing_26_0)
-(typeattribute tracing_shell_writable_26_0)
-(roletype object_r tracing_shell_writable_26_0)
-(typeattribute tracing_shell_writable_debug_26_0)
-(roletype object_r tracing_shell_writable_debug_26_0)
-(typeattribute pstorefs_26_0)
-(roletype object_r pstorefs_26_0)
-(typeattribute functionfs_26_0)
-(roletype object_r functionfs_26_0)
-(typeattribute oemfs_26_0)
-(roletype object_r oemfs_26_0)
-(typeattribute usbfs_26_0)
-(roletype object_r usbfs_26_0)
-(typeattribute binfmt_miscfs_26_0)
-(roletype object_r binfmt_miscfs_26_0)
-(typeattribute app_fusefs_26_0)
-(roletype object_r app_fusefs_26_0)
-(typeattribute unlabeled_26_0)
-(roletype object_r unlabeled_26_0)
-(typeattribute system_file_26_0)
-(roletype object_r system_file_26_0)
-(typeattribute vendor_hal_file_26_0)
-(roletype object_r vendor_hal_file_26_0)
-(typeattribute vendor_file_26_0)
-(roletype object_r vendor_file_26_0)
-(typeattribute vendor_app_file_26_0)
-(roletype object_r vendor_app_file_26_0)
-(typeattribute vendor_configs_file_26_0)
-(roletype object_r vendor_configs_file_26_0)
-(typeattribute same_process_hal_file_26_0)
-(roletype object_r same_process_hal_file_26_0)
-(typeattribute vndk_sp_file_26_0)
-(roletype object_r vndk_sp_file_26_0)
-(typeattribute vendor_framework_file_26_0)
-(roletype object_r vendor_framework_file_26_0)
-(typeattribute vendor_overlay_file_26_0)
-(roletype object_r vendor_overlay_file_26_0)
-(typeattribute runtime_event_log_tags_file_26_0)
-(roletype object_r runtime_event_log_tags_file_26_0)
-(typeattribute logcat_exec_26_0)
-(roletype object_r logcat_exec_26_0)
-(typeattribute coredump_file_26_0)
-(roletype object_r coredump_file_26_0)
-(typeattribute system_data_file_26_0)
-(roletype object_r system_data_file_26_0)
-(typeattribute unencrypted_data_file_26_0)
-(roletype object_r unencrypted_data_file_26_0)
-(typeattribute install_data_file_26_0)
-(roletype object_r install_data_file_26_0)
-(typeattribute drm_data_file_26_0)
-(roletype object_r drm_data_file_26_0)
-(typeattribute adb_data_file_26_0)
-(roletype object_r adb_data_file_26_0)
-(typeattribute anr_data_file_26_0)
-(roletype object_r anr_data_file_26_0)
-(typeattribute tombstone_data_file_26_0)
-(roletype object_r tombstone_data_file_26_0)
-(typeattribute apk_data_file_26_0)
-(roletype object_r apk_data_file_26_0)
-(typeattribute apk_tmp_file_26_0)
-(roletype object_r apk_tmp_file_26_0)
-(typeattribute apk_private_data_file_26_0)
-(roletype object_r apk_private_data_file_26_0)
-(typeattribute apk_private_tmp_file_26_0)
-(roletype object_r apk_private_tmp_file_26_0)
-(typeattribute dalvikcache_data_file_26_0)
-(roletype object_r dalvikcache_data_file_26_0)
-(typeattribute ota_data_file_26_0)
-(roletype object_r ota_data_file_26_0)
-(typeattribute ota_package_file_26_0)
-(roletype object_r ota_package_file_26_0)
-(typeattribute user_profile_data_file_26_0)
-(roletype object_r user_profile_data_file_26_0)
-(typeattribute profman_dump_data_file_26_0)
-(roletype object_r profman_dump_data_file_26_0)
-(typeattribute resourcecache_data_file_26_0)
-(roletype object_r resourcecache_data_file_26_0)
-(typeattribute shell_data_file_26_0)
-(roletype object_r shell_data_file_26_0)
-(typeattribute property_data_file_26_0)
-(roletype object_r property_data_file_26_0)
-(typeattribute bootchart_data_file_26_0)
-(roletype object_r bootchart_data_file_26_0)
-(typeattribute heapdump_data_file_26_0)
-(roletype object_r heapdump_data_file_26_0)
-(typeattribute nativetest_data_file_26_0)
-(roletype object_r nativetest_data_file_26_0)
-(typeattribute ringtone_file_26_0)
-(roletype object_r ringtone_file_26_0)
-(typeattribute preloads_data_file_26_0)
-(roletype object_r preloads_data_file_26_0)
-(typeattribute preloads_media_file_26_0)
-(roletype object_r preloads_media_file_26_0)
-(typeattribute dhcp_data_file_26_0)
-(roletype object_r dhcp_data_file_26_0)
-(typeattribute mnt_media_rw_file_26_0)
-(roletype object_r mnt_media_rw_file_26_0)
-(typeattribute mnt_user_file_26_0)
-(roletype object_r mnt_user_file_26_0)
-(typeattribute mnt_expand_file_26_0)
-(roletype object_r mnt_expand_file_26_0)
-(typeattribute storage_file_26_0)
-(roletype object_r storage_file_26_0)
-(typeattribute mnt_media_rw_stub_file_26_0)
-(roletype object_r mnt_media_rw_stub_file_26_0)
-(typeattribute storage_stub_file_26_0)
-(roletype object_r storage_stub_file_26_0)
-(typeattribute postinstall_mnt_dir_26_0)
-(roletype object_r postinstall_mnt_dir_26_0)
-(typeattribute postinstall_file_26_0)
-(roletype object_r postinstall_file_26_0)
-(typeattribute adb_keys_file_26_0)
-(roletype object_r adb_keys_file_26_0)
-(typeattribute audio_data_file_26_0)
-(roletype object_r audio_data_file_26_0)
-(typeattribute audiohal_data_file_26_0)
-(roletype object_r audiohal_data_file_26_0)
-(typeattribute audioserver_data_file_26_0)
-(roletype object_r audioserver_data_file_26_0)
-(typeattribute bluetooth_data_file_26_0)
-(roletype object_r bluetooth_data_file_26_0)
-(typeattribute bluetooth_logs_data_file_26_0)
-(roletype object_r bluetooth_logs_data_file_26_0)
-(typeattribute bootstat_data_file_26_0)
-(roletype object_r bootstat_data_file_26_0)
-(typeattribute boottrace_data_file_26_0)
-(roletype object_r boottrace_data_file_26_0)
-(typeattribute camera_data_file_26_0)
-(roletype object_r camera_data_file_26_0)
-(typeattribute gatekeeper_data_file_26_0)
-(roletype object_r gatekeeper_data_file_26_0)
-(typeattribute incident_data_file_26_0)
-(roletype object_r incident_data_file_26_0)
-(typeattribute keychain_data_file_26_0)
-(roletype object_r keychain_data_file_26_0)
-(typeattribute keystore_data_file_26_0)
-(roletype object_r keystore_data_file_26_0)
-(typeattribute media_data_file_26_0)
-(roletype object_r media_data_file_26_0)
-(typeattribute media_rw_data_file_26_0)
-(roletype object_r media_rw_data_file_26_0)
-(typeattribute misc_user_data_file_26_0)
-(roletype object_r misc_user_data_file_26_0)
-(typeattribute net_data_file_26_0)
-(roletype object_r net_data_file_26_0)
-(typeattribute nfc_data_file_26_0)
-(roletype object_r nfc_data_file_26_0)
-(typeattribute radio_data_file_26_0)
-(roletype object_r radio_data_file_26_0)
-(typeattribute reboot_data_file_26_0)
-(roletype object_r reboot_data_file_26_0)
-(typeattribute recovery_data_file_26_0)
-(roletype object_r recovery_data_file_26_0)
-(typeattribute shared_relro_file_26_0)
-(roletype object_r shared_relro_file_26_0)
-(typeattribute systemkeys_data_file_26_0)
-(roletype object_r systemkeys_data_file_26_0)
-(typeattribute textclassifier_data_file_26_0)
-(roletype object_r textclassifier_data_file_26_0)
-(typeattribute vpn_data_file_26_0)
-(roletype object_r vpn_data_file_26_0)
-(typeattribute wifi_data_file_26_0)
-(roletype object_r wifi_data_file_26_0)
-(typeattribute zoneinfo_data_file_26_0)
-(roletype object_r zoneinfo_data_file_26_0)
-(typeattribute vold_data_file_26_0)
-(roletype object_r vold_data_file_26_0)
-(typeattribute perfprofd_data_file_26_0)
-(roletype object_r perfprofd_data_file_26_0)
-(typeattribute tee_data_file_26_0)
-(roletype object_r tee_data_file_26_0)
-(typeattribute update_engine_data_file_26_0)
-(roletype object_r update_engine_data_file_26_0)
-(typeattribute method_trace_data_file_26_0)
-(roletype object_r method_trace_data_file_26_0)
-(typeattribute app_data_file_26_0)
-(roletype object_r app_data_file_26_0)
-(typeattribute system_app_data_file_26_0)
-(roletype object_r system_app_data_file_26_0)
-(typeattribute cache_file_26_0)
-(roletype object_r cache_file_26_0)
-(typeattribute cache_backup_file_26_0)
-(roletype object_r cache_backup_file_26_0)
-(typeattribute cache_private_backup_file_26_0)
-(roletype object_r cache_private_backup_file_26_0)
-(typeattribute cache_recovery_file_26_0)
-(roletype object_r cache_recovery_file_26_0)
-(typeattribute efs_file_26_0)
-(roletype object_r efs_file_26_0)
-(typeattribute wallpaper_file_26_0)
-(roletype object_r wallpaper_file_26_0)
-(typeattribute shortcut_manager_icons_26_0)
-(roletype object_r shortcut_manager_icons_26_0)
-(typeattribute icon_file_26_0)
-(roletype object_r icon_file_26_0)
-(typeattribute asec_apk_file_26_0)
-(roletype object_r asec_apk_file_26_0)
-(typeattribute asec_public_file_26_0)
-(roletype object_r asec_public_file_26_0)
-(typeattribute asec_image_file_26_0)
-(roletype object_r asec_image_file_26_0)
-(typeattribute backup_data_file_26_0)
-(roletype object_r backup_data_file_26_0)
-(typeattribute bluetooth_efs_file_26_0)
-(roletype object_r bluetooth_efs_file_26_0)
-(typeattribute fingerprintd_data_file_26_0)
-(roletype object_r fingerprintd_data_file_26_0)
-(typeattribute app_fuse_file_26_0)
-(roletype object_r app_fuse_file_26_0)
-(typeattribute adbd_socket_26_0)
-(roletype object_r adbd_socket_26_0)
-(typeattribute bluetooth_socket_26_0)
-(roletype object_r bluetooth_socket_26_0)
-(typeattribute dnsproxyd_socket_26_0)
-(roletype object_r dnsproxyd_socket_26_0)
-(typeattribute dumpstate_socket_26_0)
-(roletype object_r dumpstate_socket_26_0)
-(typeattribute fwmarkd_socket_26_0)
-(roletype object_r fwmarkd_socket_26_0)
-(typeattribute lmkd_socket_26_0)
-(roletype object_r lmkd_socket_26_0)
-(typeattribute logd_socket_26_0)
-(roletype object_r logd_socket_26_0)
-(typeattribute logdr_socket_26_0)
-(roletype object_r logdr_socket_26_0)
-(typeattribute logdw_socket_26_0)
-(roletype object_r logdw_socket_26_0)
-(typeattribute mdns_socket_26_0)
-(roletype object_r mdns_socket_26_0)
-(typeattribute mdnsd_socket_26_0)
-(roletype object_r mdnsd_socket_26_0)
-(typeattribute misc_logd_file_26_0)
-(roletype object_r misc_logd_file_26_0)
-(typeattribute mtpd_socket_26_0)
-(roletype object_r mtpd_socket_26_0)
-(typeattribute netd_socket_26_0)
-(roletype object_r netd_socket_26_0)
-(typeattribute property_socket_26_0)
-(roletype object_r property_socket_26_0)
-(typeattribute racoon_socket_26_0)
-(roletype object_r racoon_socket_26_0)
-(typeattribute rild_socket_26_0)
-(roletype object_r rild_socket_26_0)
-(typeattribute rild_debug_socket_26_0)
-(roletype object_r rild_debug_socket_26_0)
-(typeattribute system_wpa_socket_26_0)
-(roletype object_r system_wpa_socket_26_0)
-(typeattribute system_ndebug_socket_26_0)
-(roletype object_r system_ndebug_socket_26_0)
-(typeattribute tombstoned_crash_socket_26_0)
-(roletype object_r tombstoned_crash_socket_26_0)
-(typeattribute tombstoned_intercept_socket_26_0)
-(roletype object_r tombstoned_intercept_socket_26_0)
-(typeattribute uncrypt_socket_26_0)
-(roletype object_r uncrypt_socket_26_0)
-(typeattribute vold_socket_26_0)
-(roletype object_r vold_socket_26_0)
-(typeattribute webview_zygote_socket_26_0)
-(roletype object_r webview_zygote_socket_26_0)
-(typeattribute wpa_socket_26_0)
-(roletype object_r wpa_socket_26_0)
-(typeattribute zygote_socket_26_0)
-(roletype object_r zygote_socket_26_0)
-(typeattribute gps_control_26_0)
-(roletype object_r gps_control_26_0)
-(typeattribute pdx_display_dir_26_0)
-(roletype object_r pdx_display_dir_26_0)
-(typeattribute pdx_performance_dir_26_0)
-(roletype object_r pdx_performance_dir_26_0)
-(typeattribute pdx_bufferhub_dir_26_0)
-(roletype object_r pdx_bufferhub_dir_26_0)
-(typeattribute pdx_display_client_endpoint_socket_26_0)
-(roletype object_r pdx_display_client_endpoint_socket_26_0)
-(typeattribute pdx_display_client_channel_socket_26_0)
-(roletype object_r pdx_display_client_channel_socket_26_0)
-(typeattribute pdx_display_manager_endpoint_socket_26_0)
-(roletype object_r pdx_display_manager_endpoint_socket_26_0)
-(typeattribute pdx_display_manager_channel_socket_26_0)
-(roletype object_r pdx_display_manager_channel_socket_26_0)
-(typeattribute pdx_display_screenshot_endpoint_socket_26_0)
-(roletype object_r pdx_display_screenshot_endpoint_socket_26_0)
-(typeattribute pdx_display_screenshot_channel_socket_26_0)
-(roletype object_r pdx_display_screenshot_channel_socket_26_0)
-(typeattribute pdx_display_vsync_endpoint_socket_26_0)
-(roletype object_r pdx_display_vsync_endpoint_socket_26_0)
-(typeattribute pdx_display_vsync_channel_socket_26_0)
-(roletype object_r pdx_display_vsync_channel_socket_26_0)
-(typeattribute pdx_performance_client_endpoint_socket_26_0)
-(roletype object_r pdx_performance_client_endpoint_socket_26_0)
-(typeattribute pdx_performance_client_channel_socket_26_0)
-(roletype object_r pdx_performance_client_channel_socket_26_0)
-(typeattribute pdx_bufferhub_client_endpoint_socket_26_0)
-(roletype object_r pdx_bufferhub_client_endpoint_socket_26_0)
-(typeattribute pdx_bufferhub_client_channel_socket_26_0)
-(roletype object_r pdx_bufferhub_client_channel_socket_26_0)
-(typeattribute file_contexts_file_26_0)
-(roletype object_r file_contexts_file_26_0)
-(typeattribute mac_perms_file_26_0)
-(roletype object_r mac_perms_file_26_0)
-(typeattribute property_contexts_file_26_0)
-(roletype object_r property_contexts_file_26_0)
-(typeattribute seapp_contexts_file_26_0)
-(roletype object_r seapp_contexts_file_26_0)
-(typeattribute sepolicy_file_26_0)
-(roletype object_r sepolicy_file_26_0)
-(typeattribute service_contexts_file_26_0)
-(roletype object_r service_contexts_file_26_0)
-(typeattribute hwservice_contexts_file_26_0)
-(roletype object_r hwservice_contexts_file_26_0)
-(typeattribute vndservice_contexts_file_26_0)
-(roletype object_r vndservice_contexts_file_26_0)
-(typeattribute fingerprintd_26_0)
-(roletype object_r fingerprintd_26_0)
-(typeattribute fingerprintd_exec_26_0)
-(roletype object_r fingerprintd_exec_26_0)
-(typeattribute fsck_26_0)
-(roletype object_r fsck_26_0)
-(typeattribute fsck_exec_26_0)
-(roletype object_r fsck_exec_26_0)
-(typeattribute fsck_untrusted_26_0)
-(roletype object_r fsck_untrusted_26_0)
-(typeattribute gatekeeperd_26_0)
-(roletype object_r gatekeeperd_26_0)
-(typeattribute gatekeeperd_exec_26_0)
-(roletype object_r gatekeeperd_exec_26_0)
-(typeattribute healthd_26_0)
-(roletype object_r healthd_26_0)
-(typeattribute healthd_exec_26_0)
-(roletype object_r healthd_exec_26_0)
-(typeattribute default_android_hwservice_26_0)
-(roletype object_r default_android_hwservice_26_0)
-(typeattribute fwk_display_hwservice_26_0)
-(roletype object_r fwk_display_hwservice_26_0)
-(typeattribute fwk_scheduler_hwservice_26_0)
-(roletype object_r fwk_scheduler_hwservice_26_0)
-(typeattribute fwk_sensor_hwservice_26_0)
-(roletype object_r fwk_sensor_hwservice_26_0)
-(typeattribute hal_audio_hwservice_26_0)
-(roletype object_r hal_audio_hwservice_26_0)
-(typeattribute hal_bluetooth_hwservice_26_0)
-(roletype object_r hal_bluetooth_hwservice_26_0)
-(typeattribute hal_bootctl_hwservice_26_0)
-(roletype object_r hal_bootctl_hwservice_26_0)
-(typeattribute hal_camera_hwservice_26_0)
-(roletype object_r hal_camera_hwservice_26_0)
-(typeattribute hal_configstore_ISurfaceFlingerConfigs_26_0)
-(roletype object_r hal_configstore_ISurfaceFlingerConfigs_26_0)
-(typeattribute hal_contexthub_hwservice_26_0)
-(roletype object_r hal_contexthub_hwservice_26_0)
-(typeattribute hal_drm_hwservice_26_0)
-(roletype object_r hal_drm_hwservice_26_0)
-(typeattribute hal_dumpstate_hwservice_26_0)
-(roletype object_r hal_dumpstate_hwservice_26_0)
-(typeattribute hal_fingerprint_hwservice_26_0)
-(roletype object_r hal_fingerprint_hwservice_26_0)
-(typeattribute hal_gatekeeper_hwservice_26_0)
-(roletype object_r hal_gatekeeper_hwservice_26_0)
-(typeattribute hal_gnss_hwservice_26_0)
-(roletype object_r hal_gnss_hwservice_26_0)
-(typeattribute hal_graphics_allocator_hwservice_26_0)
-(roletype object_r hal_graphics_allocator_hwservice_26_0)
-(typeattribute hal_graphics_composer_hwservice_26_0)
-(roletype object_r hal_graphics_composer_hwservice_26_0)
-(typeattribute hal_graphics_mapper_hwservice_26_0)
-(roletype object_r hal_graphics_mapper_hwservice_26_0)
-(typeattribute hal_health_hwservice_26_0)
-(roletype object_r hal_health_hwservice_26_0)
-(typeattribute hal_ir_hwservice_26_0)
-(roletype object_r hal_ir_hwservice_26_0)
-(typeattribute hal_keymaster_hwservice_26_0)
-(roletype object_r hal_keymaster_hwservice_26_0)
-(typeattribute hal_light_hwservice_26_0)
-(roletype object_r hal_light_hwservice_26_0)
-(typeattribute hal_memtrack_hwservice_26_0)
-(roletype object_r hal_memtrack_hwservice_26_0)
-(typeattribute hal_nfc_hwservice_26_0)
-(roletype object_r hal_nfc_hwservice_26_0)
-(typeattribute hal_oemlock_hwservice_26_0)
-(roletype object_r hal_oemlock_hwservice_26_0)
-(typeattribute hal_omx_hwservice_26_0)
-(roletype object_r hal_omx_hwservice_26_0)
-(typeattribute hal_power_hwservice_26_0)
-(roletype object_r hal_power_hwservice_26_0)
-(typeattribute hal_renderscript_hwservice_26_0)
-(roletype object_r hal_renderscript_hwservice_26_0)
-(typeattribute hal_sensors_hwservice_26_0)
-(roletype object_r hal_sensors_hwservice_26_0)
-(typeattribute hal_telephony_hwservice_26_0)
-(roletype object_r hal_telephony_hwservice_26_0)
-(typeattribute hal_thermal_hwservice_26_0)
-(roletype object_r hal_thermal_hwservice_26_0)
-(typeattribute hal_tv_cec_hwservice_26_0)
-(roletype object_r hal_tv_cec_hwservice_26_0)
-(typeattribute hal_tv_input_hwservice_26_0)
-(roletype object_r hal_tv_input_hwservice_26_0)
-(typeattribute hal_usb_hwservice_26_0)
-(roletype object_r hal_usb_hwservice_26_0)
-(typeattribute hal_vibrator_hwservice_26_0)
-(roletype object_r hal_vibrator_hwservice_26_0)
-(typeattribute hal_vr_hwservice_26_0)
-(roletype object_r hal_vr_hwservice_26_0)
-(typeattribute hal_weaver_hwservice_26_0)
-(roletype object_r hal_weaver_hwservice_26_0)
-(typeattribute hal_wifi_hwservice_26_0)
-(roletype object_r hal_wifi_hwservice_26_0)
-(typeattribute hal_wifi_supplicant_hwservice_26_0)
-(roletype object_r hal_wifi_supplicant_hwservice_26_0)
-(typeattribute hidl_allocator_hwservice_26_0)
-(roletype object_r hidl_allocator_hwservice_26_0)
-(typeattribute hidl_base_hwservice_26_0)
-(roletype object_r hidl_base_hwservice_26_0)
-(typeattribute hidl_manager_hwservice_26_0)
-(roletype object_r hidl_manager_hwservice_26_0)
-(typeattribute hidl_memory_hwservice_26_0)
-(roletype object_r hidl_memory_hwservice_26_0)
-(typeattribute hidl_token_hwservice_26_0)
-(roletype object_r hidl_token_hwservice_26_0)
-(typeattribute system_wifi_keystore_hwservice_26_0)
-(roletype object_r system_wifi_keystore_hwservice_26_0)
-(typeattribute hwservicemanager_26_0)
-(roletype object_r hwservicemanager_26_0)
-(typeattribute hwservicemanager_exec_26_0)
-(roletype object_r hwservicemanager_exec_26_0)
-(typeattribute idmap_26_0)
-(roletype object_r idmap_26_0)
-(typeattribute idmap_exec_26_0)
-(roletype object_r idmap_exec_26_0)
-(typeattribute incident_26_0)
-(roletype object_r incident_26_0)
-(typeattribute incidentd_26_0)
-(roletype object_r incidentd_26_0)
-(typeattribute init_26_0)
-(roletype object_r init_26_0)
-(typeattribute init_exec_26_0)
-(roletype object_r init_exec_26_0)
-(typeattribute inputflinger_26_0)
-(roletype object_r inputflinger_26_0)
-(typeattribute inputflinger_exec_26_0)
-(roletype object_r inputflinger_exec_26_0)
-(typeattribute install_recovery_26_0)
-(roletype object_r install_recovery_26_0)
-(typeattribute install_recovery_exec_26_0)
-(roletype object_r install_recovery_exec_26_0)
-(typeattribute installd_26_0)
-(roletype object_r installd_26_0)
-(typeattribute installd_exec_26_0)
-(roletype object_r installd_exec_26_0)
-(typeattribute isolated_app_26_0)
-(roletype object_r isolated_app_26_0)
-(typeattribute kernel_26_0)
-(roletype object_r kernel_26_0)
-(typeattribute keystore_26_0)
-(roletype object_r keystore_26_0)
-(typeattribute keystore_exec_26_0)
-(roletype object_r keystore_exec_26_0)
-(typeattribute lmkd_26_0)
-(roletype object_r lmkd_26_0)
-(typeattribute lmkd_exec_26_0)
-(roletype object_r lmkd_exec_26_0)
-(typeattribute logd_26_0)
-(roletype object_r logd_26_0)
-(typeattribute logd_exec_26_0)
-(roletype object_r logd_exec_26_0)
-(typeattribute logpersist_26_0)
-(roletype object_r logpersist_26_0)
-(typeattribute mdnsd_26_0)
-(roletype object_r mdnsd_26_0)
-(typeattribute mediacodec_26_0)
-(roletype object_r mediacodec_26_0)
-(typeattribute mediacodec_exec_26_0)
-(roletype object_r mediacodec_exec_26_0)
-(typeattribute mediadrmserver_26_0)
-(roletype object_r mediadrmserver_26_0)
-(typeattribute mediadrmserver_exec_26_0)
-(roletype object_r mediadrmserver_exec_26_0)
-(typeattribute mediaextractor_26_0)
-(roletype object_r mediaextractor_26_0)
-(typeattribute mediaextractor_exec_26_0)
-(roletype object_r mediaextractor_exec_26_0)
-(typeattribute mediametrics_26_0)
-(roletype object_r mediametrics_26_0)
-(typeattribute mediametrics_exec_26_0)
-(roletype object_r mediametrics_exec_26_0)
-(typeattribute mediaserver_26_0)
-(roletype object_r mediaserver_26_0)
-(typeattribute mediaserver_exec_26_0)
-(roletype object_r mediaserver_exec_26_0)
-(typeattribute modprobe_26_0)
-(roletype object_r modprobe_26_0)
-(typeattribute mtp_26_0)
-(roletype object_r mtp_26_0)
-(typeattribute mtp_exec_26_0)
-(roletype object_r mtp_exec_26_0)
-(typeattribute node_26_0)
-(roletype object_r node_26_0)
-(typeattribute netif_26_0)
-(roletype object_r netif_26_0)
-(typeattribute port_26_0)
-(roletype object_r port_26_0)
-(typeattribute netd_26_0)
-(roletype object_r netd_26_0)
-(typeattribute netd_exec_26_0)
-(roletype object_r netd_exec_26_0)
-(typeattribute netutils_wrapper_26_0)
-(roletype object_r netutils_wrapper_26_0)
-(typeattribute netutils_wrapper_exec_26_0)
-(roletype object_r netutils_wrapper_exec_26_0)
-(typeattribute nfc_26_0)
-(roletype object_r nfc_26_0)
-(typeattribute otapreopt_chroot_26_0)
-(roletype object_r otapreopt_chroot_26_0)
-(typeattribute otapreopt_chroot_exec_26_0)
-(roletype object_r otapreopt_chroot_exec_26_0)
-(typeattribute otapreopt_slot_26_0)
-(roletype object_r otapreopt_slot_26_0)
-(typeattribute otapreopt_slot_exec_26_0)
-(roletype object_r otapreopt_slot_exec_26_0)
-(typeattribute performanced_26_0)
-(roletype object_r performanced_26_0)
-(typeattribute performanced_exec_26_0)
-(roletype object_r performanced_exec_26_0)
-(typeattribute perfprofd_26_0)
-(roletype object_r perfprofd_26_0)
-(typeattribute perfprofd_exec_26_0)
-(roletype object_r perfprofd_exec_26_0)
-(typeattribute platform_app_26_0)
-(roletype object_r platform_app_26_0)
-(typeattribute postinstall_26_0)
-(roletype object_r postinstall_26_0)
-(typeattribute postinstall_dexopt_26_0)
-(roletype object_r postinstall_dexopt_26_0)
-(typeattribute ppp_26_0)
-(roletype object_r ppp_26_0)
-(typeattribute ppp_device_26_0)
-(roletype object_r ppp_device_26_0)
-(typeattribute ppp_exec_26_0)
-(roletype object_r ppp_exec_26_0)
-(typeattribute preopt2cachename_26_0)
-(roletype object_r preopt2cachename_26_0)
-(typeattribute preopt2cachename_exec_26_0)
-(roletype object_r preopt2cachename_exec_26_0)
-(typeattribute priv_app_26_0)
-(roletype object_r priv_app_26_0)
-(typeattribute profman_26_0)
-(roletype object_r profman_26_0)
-(typeattribute profman_exec_26_0)
-(roletype object_r profman_exec_26_0)
-(typeattribute asan_reboot_prop_26_0)
-(roletype object_r asan_reboot_prop_26_0)
-(typeattribute audio_prop_26_0)
-(roletype object_r audio_prop_26_0)
-(typeattribute boottime_prop_26_0)
-(roletype object_r boottime_prop_26_0)
-(typeattribute bluetooth_prop_26_0)
-(roletype object_r bluetooth_prop_26_0)
-(typeattribute config_prop_26_0)
-(roletype object_r config_prop_26_0)
-(typeattribute cppreopt_prop_26_0)
-(roletype object_r cppreopt_prop_26_0)
-(typeattribute ctl_bootanim_prop_26_0)
-(roletype object_r ctl_bootanim_prop_26_0)
-(typeattribute ctl_bugreport_prop_26_0)
-(roletype object_r ctl_bugreport_prop_26_0)
-(typeattribute ctl_console_prop_26_0)
-(roletype object_r ctl_console_prop_26_0)
-(typeattribute ctl_default_prop_26_0)
-(roletype object_r ctl_default_prop_26_0)
-(typeattribute ctl_dumpstate_prop_26_0)
-(roletype object_r ctl_dumpstate_prop_26_0)
-(typeattribute ctl_fuse_prop_26_0)
-(roletype object_r ctl_fuse_prop_26_0)
-(typeattribute ctl_mdnsd_prop_26_0)
-(roletype object_r ctl_mdnsd_prop_26_0)
-(typeattribute ctl_rildaemon_prop_26_0)
-(roletype object_r ctl_rildaemon_prop_26_0)
-(typeattribute dalvik_prop_26_0)
-(roletype object_r dalvik_prop_26_0)
-(typeattribute debuggerd_prop_26_0)
-(roletype object_r debuggerd_prop_26_0)
-(typeattribute debug_prop_26_0)
-(roletype object_r debug_prop_26_0)
-(typeattribute default_prop_26_0)
-(roletype object_r default_prop_26_0)
-(typeattribute device_logging_prop_26_0)
-(roletype object_r device_logging_prop_26_0)
-(typeattribute dhcp_prop_26_0)
-(roletype object_r dhcp_prop_26_0)
-(typeattribute dumpstate_options_prop_26_0)
-(roletype object_r dumpstate_options_prop_26_0)
-(typeattribute dumpstate_prop_26_0)
-(roletype object_r dumpstate_prop_26_0)
-(typeattribute ffs_prop_26_0)
-(roletype object_r ffs_prop_26_0)
-(typeattribute fingerprint_prop_26_0)
-(roletype object_r fingerprint_prop_26_0)
-(typeattribute firstboot_prop_26_0)
-(roletype object_r firstboot_prop_26_0)
-(typeattribute hwservicemanager_prop_26_0)
-(roletype object_r hwservicemanager_prop_26_0)
-(typeattribute logd_prop_26_0)
-(roletype object_r logd_prop_26_0)
-(typeattribute logpersistd_logging_prop_26_0)
-(roletype object_r logpersistd_logging_prop_26_0)
-(typeattribute log_prop_26_0)
-(roletype object_r log_prop_26_0)
-(typeattribute log_tag_prop_26_0)
-(roletype object_r log_tag_prop_26_0)
-(typeattribute mmc_prop_26_0)
-(roletype object_r mmc_prop_26_0)
-(typeattribute net_dns_prop_26_0)
-(roletype object_r net_dns_prop_26_0)
-(typeattribute net_radio_prop_26_0)
-(roletype object_r net_radio_prop_26_0)
-(typeattribute nfc_prop_26_0)
-(roletype object_r nfc_prop_26_0)
-(typeattribute overlay_prop_26_0)
-(roletype object_r overlay_prop_26_0)
-(typeattribute pan_result_prop_26_0)
-(roletype object_r pan_result_prop_26_0)
-(typeattribute persist_debug_prop_26_0)
-(roletype object_r persist_debug_prop_26_0)
-(typeattribute persistent_properties_ready_prop_26_0)
-(roletype object_r persistent_properties_ready_prop_26_0)
-(typeattribute powerctl_prop_26_0)
-(roletype object_r powerctl_prop_26_0)
-(typeattribute radio_prop_26_0)
-(roletype object_r radio_prop_26_0)
-(typeattribute restorecon_prop_26_0)
-(roletype object_r restorecon_prop_26_0)
-(typeattribute safemode_prop_26_0)
-(roletype object_r safemode_prop_26_0)
-(typeattribute serialno_prop_26_0)
-(roletype object_r serialno_prop_26_0)
-(typeattribute shell_prop_26_0)
-(roletype object_r shell_prop_26_0)
-(typeattribute system_prop_26_0)
-(roletype object_r system_prop_26_0)
-(typeattribute system_radio_prop_26_0)
-(roletype object_r system_radio_prop_26_0)
-(typeattribute vold_prop_26_0)
-(roletype object_r vold_prop_26_0)
-(typeattribute wifi_log_prop_26_0)
-(roletype object_r wifi_log_prop_26_0)
-(typeattribute wifi_prop_26_0)
-(roletype object_r wifi_prop_26_0)
-(typeattribute racoon_26_0)
-(roletype object_r racoon_26_0)
-(typeattribute racoon_exec_26_0)
-(roletype object_r racoon_exec_26_0)
-(typeattribute radio_26_0)
-(roletype object_r radio_26_0)
-(typeattribute recovery_26_0)
-(roletype object_r recovery_26_0)
-(typeattribute recovery_persist_26_0)
-(roletype object_r recovery_persist_26_0)
-(typeattribute recovery_persist_exec_26_0)
-(roletype object_r recovery_persist_exec_26_0)
-(typeattribute recovery_refresh_26_0)
-(roletype object_r recovery_refresh_26_0)
-(typeattribute recovery_refresh_exec_26_0)
-(roletype object_r recovery_refresh_exec_26_0)
-(typeattribute rild_26_0)
-(roletype object_r rild_26_0)
-(typeattribute runas_26_0)
-(roletype object_r runas_26_0)
-(typeattribute runas_exec_26_0)
-(roletype object_r runas_exec_26_0)
-(typeattribute sdcardd_26_0)
-(roletype object_r sdcardd_26_0)
-(typeattribute sdcardd_exec_26_0)
-(roletype object_r sdcardd_exec_26_0)
-(typeattribute audioserver_service_26_0)
-(roletype object_r audioserver_service_26_0)
-(typeattribute batteryproperties_service_26_0)
-(roletype object_r batteryproperties_service_26_0)
-(typeattribute bluetooth_service_26_0)
-(roletype object_r bluetooth_service_26_0)
-(typeattribute cameraserver_service_26_0)
-(roletype object_r cameraserver_service_26_0)
-(typeattribute default_android_service_26_0)
-(roletype object_r default_android_service_26_0)
-(typeattribute drmserver_service_26_0)
-(roletype object_r drmserver_service_26_0)
-(typeattribute dumpstate_service_26_0)
-(roletype object_r dumpstate_service_26_0)
-(typeattribute fingerprintd_service_26_0)
-(roletype object_r fingerprintd_service_26_0)
-(typeattribute hal_fingerprint_service_26_0)
-(roletype object_r hal_fingerprint_service_26_0)
-(typeattribute gatekeeper_service_26_0)
-(roletype object_r gatekeeper_service_26_0)
-(typeattribute gpu_service_26_0)
-(roletype object_r gpu_service_26_0)
-(typeattribute inputflinger_service_26_0)
-(roletype object_r inputflinger_service_26_0)
-(typeattribute incident_service_26_0)
-(roletype object_r incident_service_26_0)
-(typeattribute installd_service_26_0)
-(roletype object_r installd_service_26_0)
-(typeattribute keystore_service_26_0)
-(roletype object_r keystore_service_26_0)
-(typeattribute mediaserver_service_26_0)
-(roletype object_r mediaserver_service_26_0)
-(typeattribute mediametrics_service_26_0)
-(roletype object_r mediametrics_service_26_0)
-(typeattribute mediaextractor_service_26_0)
-(roletype object_r mediaextractor_service_26_0)
-(typeattribute mediacodec_service_26_0)
-(roletype object_r mediacodec_service_26_0)
-(typeattribute mediadrmserver_service_26_0)
-(roletype object_r mediadrmserver_service_26_0)
-(typeattribute mediacasserver_service_26_0)
-(roletype object_r mediacasserver_service_26_0)
-(typeattribute netd_service_26_0)
-(roletype object_r netd_service_26_0)
-(typeattribute nfc_service_26_0)
-(roletype object_r nfc_service_26_0)
-(typeattribute radio_service_26_0)
-(roletype object_r radio_service_26_0)
-(typeattribute storaged_service_26_0)
-(roletype object_r storaged_service_26_0)
-(typeattribute surfaceflinger_service_26_0)
-(roletype object_r surfaceflinger_service_26_0)
-(typeattribute system_app_service_26_0)
-(roletype object_r system_app_service_26_0)
-(typeattribute update_engine_service_26_0)
-(roletype object_r update_engine_service_26_0)
-(typeattribute virtual_touchpad_service_26_0)
-(roletype object_r virtual_touchpad_service_26_0)
-(typeattribute vr_hwc_service_26_0)
-(roletype object_r vr_hwc_service_26_0)
-(typeattribute accessibility_service_26_0)
-(roletype object_r accessibility_service_26_0)
-(typeattribute account_service_26_0)
-(roletype object_r account_service_26_0)
-(typeattribute activity_service_26_0)
-(roletype object_r activity_service_26_0)
-(typeattribute alarm_service_26_0)
-(roletype object_r alarm_service_26_0)
-(typeattribute appops_service_26_0)
-(roletype object_r appops_service_26_0)
-(typeattribute appwidget_service_26_0)
-(roletype object_r appwidget_service_26_0)
-(typeattribute assetatlas_service_26_0)
-(roletype object_r assetatlas_service_26_0)
-(typeattribute audio_service_26_0)
-(roletype object_r audio_service_26_0)
-(typeattribute autofill_service_26_0)
-(roletype object_r autofill_service_26_0)
-(typeattribute backup_service_26_0)
-(roletype object_r backup_service_26_0)
-(typeattribute batterystats_service_26_0)
-(roletype object_r batterystats_service_26_0)
-(typeattribute battery_service_26_0)
-(roletype object_r battery_service_26_0)
-(typeattribute bluetooth_manager_service_26_0)
-(roletype object_r bluetooth_manager_service_26_0)
-(typeattribute cameraproxy_service_26_0)
-(roletype object_r cameraproxy_service_26_0)
-(typeattribute clipboard_service_26_0)
-(roletype object_r clipboard_service_26_0)
-(typeattribute contexthub_service_26_0)
-(roletype object_r contexthub_service_26_0)
-(typeattribute IProxyService_service_26_0)
-(roletype object_r IProxyService_service_26_0)
-(typeattribute commontime_management_service_26_0)
-(roletype object_r commontime_management_service_26_0)
-(typeattribute companion_device_service_26_0)
-(roletype object_r companion_device_service_26_0)
-(typeattribute connectivity_service_26_0)
-(roletype object_r connectivity_service_26_0)
-(typeattribute connmetrics_service_26_0)
-(roletype object_r connmetrics_service_26_0)
-(typeattribute consumer_ir_service_26_0)
-(roletype object_r consumer_ir_service_26_0)
-(typeattribute content_service_26_0)
-(roletype object_r content_service_26_0)
-(typeattribute country_detector_service_26_0)
-(roletype object_r country_detector_service_26_0)
-(typeattribute coverage_service_26_0)
-(roletype object_r coverage_service_26_0)
-(typeattribute cpuinfo_service_26_0)
-(roletype object_r cpuinfo_service_26_0)
-(typeattribute dbinfo_service_26_0)
-(roletype object_r dbinfo_service_26_0)
-(typeattribute device_policy_service_26_0)
-(roletype object_r device_policy_service_26_0)
-(typeattribute deviceidle_service_26_0)
-(roletype object_r deviceidle_service_26_0)
-(typeattribute device_identifiers_service_26_0)
-(roletype object_r device_identifiers_service_26_0)
-(typeattribute devicestoragemonitor_service_26_0)
-(roletype object_r devicestoragemonitor_service_26_0)
-(typeattribute diskstats_service_26_0)
-(roletype object_r diskstats_service_26_0)
-(typeattribute display_service_26_0)
-(roletype object_r display_service_26_0)
-(typeattribute font_service_26_0)
-(roletype object_r font_service_26_0)
-(typeattribute netd_listener_service_26_0)
-(roletype object_r netd_listener_service_26_0)
-(typeattribute DockObserver_service_26_0)
-(roletype object_r DockObserver_service_26_0)
-(typeattribute dreams_service_26_0)
-(roletype object_r dreams_service_26_0)
-(typeattribute dropbox_service_26_0)
-(roletype object_r dropbox_service_26_0)
-(typeattribute ethernet_service_26_0)
-(roletype object_r ethernet_service_26_0)
-(typeattribute fingerprint_service_26_0)
-(roletype object_r fingerprint_service_26_0)
-(typeattribute gfxinfo_service_26_0)
-(roletype object_r gfxinfo_service_26_0)
-(typeattribute graphicsstats_service_26_0)
-(roletype object_r graphicsstats_service_26_0)
-(typeattribute hardware_service_26_0)
-(roletype object_r hardware_service_26_0)
-(typeattribute hardware_properties_service_26_0)
-(roletype object_r hardware_properties_service_26_0)
-(typeattribute hdmi_control_service_26_0)
-(roletype object_r hdmi_control_service_26_0)
-(typeattribute input_method_service_26_0)
-(roletype object_r input_method_service_26_0)
-(typeattribute input_service_26_0)
-(roletype object_r input_service_26_0)
-(typeattribute imms_service_26_0)
-(roletype object_r imms_service_26_0)
-(typeattribute ipsec_service_26_0)
-(roletype object_r ipsec_service_26_0)
-(typeattribute jobscheduler_service_26_0)
-(roletype object_r jobscheduler_service_26_0)
-(typeattribute launcherapps_service_26_0)
-(roletype object_r launcherapps_service_26_0)
-(typeattribute location_service_26_0)
-(roletype object_r location_service_26_0)
-(typeattribute lock_settings_service_26_0)
-(roletype object_r lock_settings_service_26_0)
-(typeattribute media_projection_service_26_0)
-(roletype object_r media_projection_service_26_0)
-(typeattribute media_router_service_26_0)
-(roletype object_r media_router_service_26_0)
-(typeattribute media_session_service_26_0)
-(roletype object_r media_session_service_26_0)
-(typeattribute meminfo_service_26_0)
-(roletype object_r meminfo_service_26_0)
-(typeattribute midi_service_26_0)
-(roletype object_r midi_service_26_0)
-(typeattribute mount_service_26_0)
-(roletype object_r mount_service_26_0)
-(typeattribute netpolicy_service_26_0)
-(roletype object_r netpolicy_service_26_0)
-(typeattribute netstats_service_26_0)
-(roletype object_r netstats_service_26_0)
-(typeattribute network_management_service_26_0)
-(roletype object_r network_management_service_26_0)
-(typeattribute network_score_service_26_0)
-(roletype object_r network_score_service_26_0)
-(typeattribute network_time_update_service_26_0)
-(roletype object_r network_time_update_service_26_0)
-(typeattribute notification_service_26_0)
-(roletype object_r notification_service_26_0)
-(typeattribute oem_lock_service_26_0)
-(roletype object_r oem_lock_service_26_0)
-(typeattribute otadexopt_service_26_0)
-(roletype object_r otadexopt_service_26_0)
-(typeattribute overlay_service_26_0)
-(roletype object_r overlay_service_26_0)
-(typeattribute package_service_26_0)
-(roletype object_r package_service_26_0)
-(typeattribute permission_service_26_0)
-(roletype object_r permission_service_26_0)
-(typeattribute persistent_data_block_service_26_0)
-(roletype object_r persistent_data_block_service_26_0)
-(typeattribute pinner_service_26_0)
-(roletype object_r pinner_service_26_0)
-(typeattribute power_service_26_0)
-(roletype object_r power_service_26_0)
-(typeattribute print_service_26_0)
-(roletype object_r print_service_26_0)
-(typeattribute processinfo_service_26_0)
-(roletype object_r processinfo_service_26_0)
-(typeattribute procstats_service_26_0)
-(roletype object_r procstats_service_26_0)
-(typeattribute recovery_service_26_0)
-(roletype object_r recovery_service_26_0)
-(typeattribute registry_service_26_0)
-(roletype object_r registry_service_26_0)
-(typeattribute restrictions_service_26_0)
-(roletype object_r restrictions_service_26_0)
-(typeattribute rttmanager_service_26_0)
-(roletype object_r rttmanager_service_26_0)
-(typeattribute samplingprofiler_service_26_0)
-(roletype object_r samplingprofiler_service_26_0)
-(typeattribute scheduling_policy_service_26_0)
-(roletype object_r scheduling_policy_service_26_0)
-(typeattribute search_service_26_0)
-(roletype object_r search_service_26_0)
-(typeattribute sec_key_att_app_id_provider_service_26_0)
-(roletype object_r sec_key_att_app_id_provider_service_26_0)
-(typeattribute sensorservice_service_26_0)
-(roletype object_r sensorservice_service_26_0)
-(typeattribute serial_service_26_0)
-(roletype object_r serial_service_26_0)
-(typeattribute servicediscovery_service_26_0)
-(roletype object_r servicediscovery_service_26_0)
-(typeattribute settings_service_26_0)
-(roletype object_r settings_service_26_0)
-(typeattribute shortcut_service_26_0)
-(roletype object_r shortcut_service_26_0)
-(typeattribute statusbar_service_26_0)
-(roletype object_r statusbar_service_26_0)
-(typeattribute storagestats_service_26_0)
-(roletype object_r storagestats_service_26_0)
-(typeattribute task_service_26_0)
-(roletype object_r task_service_26_0)
-(typeattribute textclassification_service_26_0)
-(roletype object_r textclassification_service_26_0)
-(typeattribute textservices_service_26_0)
-(roletype object_r textservices_service_26_0)
-(typeattribute telecom_service_26_0)
-(roletype object_r telecom_service_26_0)
-(typeattribute trust_service_26_0)
-(roletype object_r trust_service_26_0)
-(typeattribute tv_input_service_26_0)
-(roletype object_r tv_input_service_26_0)
-(typeattribute uimode_service_26_0)
-(roletype object_r uimode_service_26_0)
-(typeattribute updatelock_service_26_0)
-(roletype object_r updatelock_service_26_0)
-(typeattribute usagestats_service_26_0)
-(roletype object_r usagestats_service_26_0)
-(typeattribute usb_service_26_0)
-(roletype object_r usb_service_26_0)
-(typeattribute user_service_26_0)
-(roletype object_r user_service_26_0)
-(typeattribute vibrator_service_26_0)
-(roletype object_r vibrator_service_26_0)
-(typeattribute voiceinteraction_service_26_0)
-(roletype object_r voiceinteraction_service_26_0)
-(typeattribute vr_manager_service_26_0)
-(roletype object_r vr_manager_service_26_0)
-(typeattribute wallpaper_service_26_0)
-(roletype object_r wallpaper_service_26_0)
-(typeattribute webviewupdate_service_26_0)
-(roletype object_r webviewupdate_service_26_0)
-(typeattribute wifip2p_service_26_0)
-(roletype object_r wifip2p_service_26_0)
-(typeattribute wifiscanner_service_26_0)
-(roletype object_r wifiscanner_service_26_0)
-(typeattribute wifi_service_26_0)
-(roletype object_r wifi_service_26_0)
-(typeattribute wificond_service_26_0)
-(roletype object_r wificond_service_26_0)
-(typeattribute wifiaware_service_26_0)
-(roletype object_r wifiaware_service_26_0)
-(typeattribute window_service_26_0)
-(roletype object_r window_service_26_0)
-(typeattribute servicemanager_26_0)
-(roletype object_r servicemanager_26_0)
-(typeattribute servicemanager_exec_26_0)
-(roletype object_r servicemanager_exec_26_0)
-(typeattribute sgdisk_26_0)
-(roletype object_r sgdisk_26_0)
-(typeattribute sgdisk_exec_26_0)
-(roletype object_r sgdisk_exec_26_0)
-(typeattribute shared_relro_26_0)
-(roletype object_r shared_relro_26_0)
-(typeattribute shell_26_0)
-(roletype object_r shell_26_0)
-(typeattribute shell_exec_26_0)
-(roletype object_r shell_exec_26_0)
-(typeattribute slideshow_26_0)
-(roletype object_r slideshow_26_0)
-(typeattribute su_26_0)
-(roletype object_r su_26_0)
-(typeattribute su_exec_26_0)
-(roletype object_r su_exec_26_0)
-(typeattribute surfaceflinger_26_0)
-(roletype object_r surfaceflinger_26_0)
-(typeattribute system_app_26_0)
-(roletype object_r system_app_26_0)
-(typeattribute system_server_26_0)
-(roletype object_r system_server_26_0)
-(typeattribute tee_26_0)
-(roletype object_r tee_26_0)
-(typeattribute tee_device_26_0)
-(roletype object_r tee_device_26_0)
-(typeattribute tombstoned_26_0)
-(roletype object_r tombstoned_26_0)
-(typeattribute tombstoned_exec_26_0)
-(roletype object_r tombstoned_exec_26_0)
-(typeattribute toolbox_26_0)
-(roletype object_r toolbox_26_0)
-(typeattribute toolbox_exec_26_0)
-(roletype object_r toolbox_exec_26_0)
-(typeattribute tzdatacheck_26_0)
-(roletype object_r tzdatacheck_26_0)
-(typeattribute tzdatacheck_exec_26_0)
-(roletype object_r tzdatacheck_exec_26_0)
-(typeattribute ueventd_26_0)
-(roletype object_r ueventd_26_0)
-(typeattribute uncrypt_26_0)
-(roletype object_r uncrypt_26_0)
-(typeattribute uncrypt_exec_26_0)
-(roletype object_r uncrypt_exec_26_0)
-(typeattribute untrusted_app_26_0)
-(roletype object_r untrusted_app_26_0)
-(typeattribute untrusted_app_25_26_0)
-(roletype object_r untrusted_app_25_26_0)
-(typeattribute untrusted_v2_app_26_0)
-(roletype object_r untrusted_v2_app_26_0)
-(typeattribute update_engine_26_0)
-(roletype object_r update_engine_26_0)
-(typeattribute update_engine_exec_26_0)
-(roletype object_r update_engine_exec_26_0)
-(typeattribute update_verifier_26_0)
-(roletype object_r update_verifier_26_0)
-(typeattribute update_verifier_exec_26_0)
-(roletype object_r update_verifier_exec_26_0)
-(typeattribute vdc_26_0)
-(roletype object_r vdc_26_0)
-(typeattribute vdc_exec_26_0)
-(roletype object_r vdc_exec_26_0)
-(typeattribute vendor_shell_exec_26_0)
-(roletype object_r vendor_shell_exec_26_0)
-(typeattribute vendor_toolbox_exec_26_0)
-(roletype object_r vendor_toolbox_exec_26_0)
-(typeattribute virtual_touchpad_26_0)
-(roletype object_r virtual_touchpad_26_0)
-(typeattribute virtual_touchpad_exec_26_0)
-(roletype object_r virtual_touchpad_exec_26_0)
-(typeattribute default_android_vndservice_26_0)
-(roletype object_r default_android_vndservice_26_0)
-(typeattribute vndservicemanager_26_0)
-(roletype object_r vndservicemanager_26_0)
-(typeattribute vold_26_0)
-(roletype object_r vold_26_0)
-(typeattribute vold_exec_26_0)
-(roletype object_r vold_exec_26_0)
-(typeattribute vr_hwc_26_0)
-(roletype object_r vr_hwc_26_0)
-(typeattribute vr_hwc_exec_26_0)
-(roletype object_r vr_hwc_exec_26_0)
-(typeattribute watchdogd_26_0)
-(roletype object_r watchdogd_26_0)
-(typeattribute webview_zygote_26_0)
-(roletype object_r webview_zygote_26_0)
-(typeattribute webview_zygote_exec_26_0)
-(roletype object_r webview_zygote_exec_26_0)
-(typeattribute wificond_26_0)
-(roletype object_r wificond_26_0)
-(typeattribute wificond_exec_26_0)
-(roletype object_r wificond_exec_26_0)
-(typeattribute zygote_26_0)
-(roletype object_r zygote_26_0)
-(typeattribute zygote_exec_26_0)
-(roletype object_r zygote_exec_26_0)
-(type hostapd_socket)
-(roletype object_r hostapd_socket)
-(type hal_audio_default)
-(roletype object_r hal_audio_default)
-(type hal_audio_default_exec)
-(roletype object_r hal_audio_default_exec)
-(type hal_audio_default_tmpfs)
-(roletype object_r hal_audio_default_tmpfs)
-(type hal_bluetooth_default)
-(roletype object_r hal_bluetooth_default)
-(type hal_bluetooth_default_exec)
-(roletype object_r hal_bluetooth_default_exec)
-(type hal_bluetooth_default_tmpfs)
-(roletype object_r hal_bluetooth_default_tmpfs)
-(type hal_bootctl_default)
-(roletype object_r hal_bootctl_default)
-(type hal_bootctl_default_exec)
-(roletype object_r hal_bootctl_default_exec)
-(type hal_bootctl_default_tmpfs)
-(roletype object_r hal_bootctl_default_tmpfs)
-(type hal_camera_default)
-(roletype object_r hal_camera_default)
-(type hal_camera_default_exec)
-(roletype object_r hal_camera_default_exec)
-(type hal_camera_default_tmpfs)
-(roletype object_r hal_camera_default_tmpfs)
-(type hal_configstore_default)
-(roletype object_r hal_configstore_default)
-(type hal_configstore_default_exec)
-(roletype object_r hal_configstore_default_exec)
-(type hal_configstore_default_tmpfs)
-(roletype object_r hal_configstore_default_tmpfs)
-(type hal_contexthub_default)
-(roletype object_r hal_contexthub_default)
-(type hal_contexthub_default_exec)
-(roletype object_r hal_contexthub_default_exec)
-(type hal_contexthub_default_tmpfs)
-(roletype object_r hal_contexthub_default_tmpfs)
-(type hal_drm_default)
-(roletype object_r hal_drm_default)
-(type hal_drm_default_exec)
-(roletype object_r hal_drm_default_exec)
-(type hal_drm_default_tmpfs)
-(roletype object_r hal_drm_default_tmpfs)
-(type hal_dumpstate_default)
-(roletype object_r hal_dumpstate_default)
-(type hal_dumpstate_default_exec)
-(roletype object_r hal_dumpstate_default_exec)
-(type hal_dumpstate_default_tmpfs)
-(roletype object_r hal_dumpstate_default_tmpfs)
-(type hal_fingerprint_default)
-(roletype object_r hal_fingerprint_default)
-(type hal_fingerprint_default_exec)
-(roletype object_r hal_fingerprint_default_exec)
-(type hal_fingerprint_default_tmpfs)
-(roletype object_r hal_fingerprint_default_tmpfs)
-(type hal_gatekeeper_default)
-(roletype object_r hal_gatekeeper_default)
-(type hal_gatekeeper_default_exec)
-(roletype object_r hal_gatekeeper_default_exec)
-(type hal_gatekeeper_default_tmpfs)
-(roletype object_r hal_gatekeeper_default_tmpfs)
-(type hal_gnss_default)
-(roletype object_r hal_gnss_default)
-(type hal_gnss_default_exec)
-(roletype object_r hal_gnss_default_exec)
-(type hal_gnss_default_tmpfs)
-(roletype object_r hal_gnss_default_tmpfs)
-(type hal_graphics_allocator_default)
-(roletype object_r hal_graphics_allocator_default)
-(type hal_graphics_allocator_default_exec)
-(roletype object_r hal_graphics_allocator_default_exec)
-(type hal_graphics_allocator_default_tmpfs)
-(roletype object_r hal_graphics_allocator_default_tmpfs)
-(type hal_graphics_composer_default)
-(roletype object_r hal_graphics_composer_default)
-(type hal_graphics_composer_default_exec)
-(roletype object_r hal_graphics_composer_default_exec)
-(type hal_graphics_composer_default_tmpfs)
-(roletype object_r hal_graphics_composer_default_tmpfs)
-(type hal_health_default)
-(roletype object_r hal_health_default)
-(type hal_health_default_exec)
-(roletype object_r hal_health_default_exec)
-(type hal_health_default_tmpfs)
-(roletype object_r hal_health_default_tmpfs)
-(type hal_ir_default)
-(roletype object_r hal_ir_default)
-(type hal_ir_default_exec)
-(roletype object_r hal_ir_default_exec)
-(type hal_ir_default_tmpfs)
-(roletype object_r hal_ir_default_tmpfs)
-(type hal_keymaster_default)
-(roletype object_r hal_keymaster_default)
-(type hal_keymaster_default_exec)
-(roletype object_r hal_keymaster_default_exec)
-(type hal_keymaster_default_tmpfs)
-(roletype object_r hal_keymaster_default_tmpfs)
-(type hal_light_default)
-(roletype object_r hal_light_default)
-(type hal_light_default_exec)
-(roletype object_r hal_light_default_exec)
-(type hal_light_default_tmpfs)
-(roletype object_r hal_light_default_tmpfs)
-(type hal_memtrack_default)
-(roletype object_r hal_memtrack_default)
-(type hal_memtrack_default_exec)
-(roletype object_r hal_memtrack_default_exec)
-(type hal_memtrack_default_tmpfs)
-(roletype object_r hal_memtrack_default_tmpfs)
-(type hal_nfc_default)
-(roletype object_r hal_nfc_default)
-(type hal_nfc_default_exec)
-(roletype object_r hal_nfc_default_exec)
-(type hal_nfc_default_tmpfs)
-(roletype object_r hal_nfc_default_tmpfs)
-(type mediacodec_tmpfs)
-(roletype object_r mediacodec_tmpfs)
-(type hal_power_default)
-(roletype object_r hal_power_default)
-(type hal_power_default_exec)
-(roletype object_r hal_power_default_exec)
-(type hal_power_default_tmpfs)
-(roletype object_r hal_power_default_tmpfs)
-(type hal_sensors_default)
-(roletype object_r hal_sensors_default)
-(type hal_sensors_default_exec)
-(roletype object_r hal_sensors_default_exec)
-(type hal_sensors_default_tmpfs)
-(roletype object_r hal_sensors_default_tmpfs)
-(type hal_thermal_default)
-(roletype object_r hal_thermal_default)
-(type hal_thermal_default_exec)
-(roletype object_r hal_thermal_default_exec)
-(type hal_thermal_default_tmpfs)
-(roletype object_r hal_thermal_default_tmpfs)
-(type hal_tv_cec_default)
-(roletype object_r hal_tv_cec_default)
-(type hal_tv_cec_default_exec)
-(roletype object_r hal_tv_cec_default_exec)
-(type hal_tv_cec_default_tmpfs)
-(roletype object_r hal_tv_cec_default_tmpfs)
-(type hal_tv_input_default)
-(roletype object_r hal_tv_input_default)
-(type hal_tv_input_default_exec)
-(roletype object_r hal_tv_input_default_exec)
-(type hal_tv_input_default_tmpfs)
-(roletype object_r hal_tv_input_default_tmpfs)
-(type hal_usb_default)
-(roletype object_r hal_usb_default)
-(type hal_usb_default_exec)
-(roletype object_r hal_usb_default_exec)
-(type hal_usb_default_tmpfs)
-(roletype object_r hal_usb_default_tmpfs)
-(type hal_vibrator_default)
-(roletype object_r hal_vibrator_default)
-(type hal_vibrator_default_exec)
-(roletype object_r hal_vibrator_default_exec)
-(type hal_vibrator_default_tmpfs)
-(roletype object_r hal_vibrator_default_tmpfs)
-(type hal_vr_default)
-(roletype object_r hal_vr_default)
-(type hal_vr_default_exec)
-(roletype object_r hal_vr_default_exec)
-(type hal_vr_default_tmpfs)
-(roletype object_r hal_vr_default_tmpfs)
-(type hal_wifi_default)
-(roletype object_r hal_wifi_default)
-(type hal_wifi_default_exec)
-(roletype object_r hal_wifi_default_exec)
-(type hal_wifi_default_tmpfs)
-(roletype object_r hal_wifi_default_tmpfs)
-(type hal_wifi_offload_default)
-(roletype object_r hal_wifi_offload_default)
-(type hal_wifi_offload_default_exec)
-(roletype object_r hal_wifi_offload_default_exec)
-(type hal_wifi_offload_default_tmpfs)
-(roletype object_r hal_wifi_offload_default_tmpfs)
-(type hal_wifi_supplicant_default)
-(roletype object_r hal_wifi_supplicant_default)
-(type hal_wifi_supplicant_default_exec)
-(roletype object_r hal_wifi_supplicant_default_exec)
-(type hal_wifi_supplicant_default_tmpfs)
-(roletype object_r hal_wifi_supplicant_default_tmpfs)
-(type hostapd)
-(roletype object_r hostapd)
-(type hostapd_exec)
-(roletype object_r hostapd_exec)
-(type hostapd_tmpfs)
-(roletype object_r hostapd_tmpfs)
-(type rild_exec)
-(roletype object_r rild_exec)
-(type rild_tmpfs)
-(roletype object_r rild_tmpfs)
-(type tee_exec)
-(roletype object_r tee_exec)
-(type tee_tmpfs)
-(roletype object_r tee_tmpfs)
-(type vendor_modprobe)
-(roletype object_r vendor_modprobe)
-(type vndservicemanager_exec)
-(roletype object_r vndservicemanager_exec)
-(type vndservicemanager_tmpfs)
-(roletype object_r vndservicemanager_tmpfs)
-(allow bootanim_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 bootanim_26_0 (dir (search)))
-(allow servicemanager_26_0 bootanim_26_0 (file (read open)))
-(allow servicemanager_26_0 bootanim_26_0 (process (getattr)))
-(allow bootanim_26_0 surfaceflinger_26_0 (binder (call transfer)))
-(allow surfaceflinger_26_0 bootanim_26_0 (binder (transfer)))
-(allow bootanim_26_0 surfaceflinger_26_0 (fd (use)))
-(allow bootanim_26_0 audioserver_26_0 (binder (call transfer)))
-(allow audioserver_26_0 bootanim_26_0 (binder (transfer)))
-(allow bootanim_26_0 audioserver_26_0 (fd (use)))
-(allow bootanim_26_0 hwservicemanager_26_0 (binder (call transfer)))
-(allow hwservicemanager_26_0 bootanim_26_0 (binder (call transfer)))
-(allow hwservicemanager_26_0 bootanim_26_0 (dir (search)))
-(allow hwservicemanager_26_0 bootanim_26_0 (file (read open)))
-(allow hwservicemanager_26_0 bootanim_26_0 (process (getattr)))
-(allow bootanim_26_0 gpu_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow bootanim_26_0 oemfs_26_0 (dir (search)))
-(allow bootanim_26_0 oemfs_26_0 (file (ioctl read getattr lock open)))
-(allow bootanim_26_0 audio_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow bootanim_26_0 audio_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow bootanim_26_0 audioserver_service_26_0 (service_manager (find)))
-(allow bootanim_26_0 surfaceflinger_service_26_0 (service_manager (find)))
-(allow bootanim_26_0 ion_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow bootanim_26_0 hal_graphics_allocator (fd (use)))
-(allow bootanim_26_0 hal_graphics_composer (fd (use)))
-(allow bootanim_26_0 proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow bootanim_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow bootanim_26_0 proc_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow bootanim_26_0 proc_meminfo_26_0 (file (ioctl read getattr lock open)))
-(allow bootanim_26_0 sysfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow bootanim_26_0 sysfs_26_0 (file (ioctl read getattr lock open)))
-(allow bootanim_26_0 sysfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow bootanim_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow bootanim_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow bootanim_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow bootanim_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow bootstat_26_0 runtime_event_log_tags_file_26_0 (file (ioctl read getattr lock open)))
-(allow bootstat_26_0 bootstat_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow bootstat_26_0 bootstat_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow bootstat_26_0 proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow bootstat_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow bootstat_26_0 proc_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow bootstat_26_0 boottime_prop_26_0 (file (ioctl read getattr lock open)))
-(allow init_26_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (create bind)))
-(allow bufferhubd_26_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (read write getattr setattr lock append listen accept getopt setopt shutdown)))
-(allow bufferhubd_26_0 self (process (setsockcreate)))
-(allow bufferhubd_26_0 pdx_bufferhub_client_channel_socket_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
-(neverallow base_typeattr_1_26_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (listen accept)))
-(allow bufferhubd_26_0 pdx_performance_client_endpoint_dir_type (dir (ioctl read getattr lock search open)))
-(allow bufferhubd_26_0 pdx_performance_client_endpoint_socket_type (sock_file (ioctl read write getattr lock append open)))
-(allow bufferhubd_26_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
-(allow bufferhubd_26_0 pdx_performance_client_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
-(allow bufferhubd_26_0 pdx_performance_client_server_type (fd (use)))
-(allow pdx_performance_client_server_type bufferhubd_26_0 (fd (use)))
-(allow bufferhubd_26_0 gpu_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow bufferhubd_26_0 ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow bufferhubd_26_0 mediacodec_26_0 (fd (use)))
-(allow cameraserver_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 cameraserver_26_0 (dir (search)))
-(allow servicemanager_26_0 cameraserver_26_0 (file (read open)))
-(allow servicemanager_26_0 cameraserver_26_0 (process (getattr)))
-(allow cameraserver_26_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain cameraserver_26_0 (binder (transfer)))
-(allow cameraserver_26_0 binderservicedomain (fd (use)))
-(allow cameraserver_26_0 appdomain (binder (call transfer)))
-(allow appdomain cameraserver_26_0 (binder (transfer)))
-(allow cameraserver_26_0 appdomain (fd (use)))
-(allow cameraserver_26_0 ion_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow cameraserver_26_0 hal_graphics_composer (fd (use)))
-(allow cameraserver_26_0 cameraserver_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_2_26_0 cameraserver_service_26_0 (service_manager (add)))
-(neverallow cameraserver_26_0 unlabeled_26_0 (service_manager (add)))
-(allow cameraserver_26_0 appops_service_26_0 (service_manager (find)))
-(allow cameraserver_26_0 audioserver_service_26_0 (service_manager (find)))
-(allow cameraserver_26_0 batterystats_service_26_0 (service_manager (find)))
-(allow cameraserver_26_0 cameraproxy_service_26_0 (service_manager (find)))
-(allow cameraserver_26_0 mediaserver_service_26_0 (service_manager (find)))
-(allow cameraserver_26_0 processinfo_service_26_0 (service_manager (find)))
-(allow cameraserver_26_0 scheduling_policy_service_26_0 (service_manager (find)))
-(allow cameraserver_26_0 surfaceflinger_service_26_0 (service_manager (find)))
-(allow cameraserver_26_0 hidl_token_hwservice_26_0 (hwservice_manager (find)))
-(neverallow cameraserver_26_0 fs_type (file (execute_no_trans)))
-(neverallow cameraserver_26_0 file_type (file (execute_no_trans)))
-(neverallow cameraserver_26_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow cameraserver_26_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow cameraserver_26_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow charger_26_0 kmsg_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow charger_26_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow charger_26_0 sysfs_type (file (ioctl read getattr lock open)))
-(allow charger_26_0 sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow charger_26_0 rootfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow charger_26_0 rootfs_26_0 (file (ioctl read getattr lock open)))
-(allow charger_26_0 rootfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow charger_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow charger_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow charger_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow charger_26_0 self (capability (sys_tty_config)))
-(allow charger_26_0 self (capability (sys_boot)))
-(allow charger_26_0 sysfs_wake_lock_26_0 (file (ioctl read write getattr lock append open)))
-(allow charger_26_0 self (capability2 (block_suspend)))
-(allow charger_26_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow charger_26_0 sysfs_26_0 (file (write)))
-(allow charger_26_0 sysfs_batteryinfo_26_0 (file (ioctl read getattr lock open)))
-(allow charger_26_0 pstorefs_26_0 (dir (ioctl read getattr lock search open)))
-(allow charger_26_0 pstorefs_26_0 (file (ioctl read getattr lock open)))
-(allow charger_26_0 graphics_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow charger_26_0 graphics_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow charger_26_0 input_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow charger_26_0 input_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow charger_26_0 tty_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow charger_26_0 proc_sysrq_26_0 (file (ioctl read write getattr lock append open)))
-(allow charger_26_0 property_socket_26_0 (sock_file (write)))
-(allow charger_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow charger_26_0 system_prop_26_0 (property_service (set)))
-(allow charger_26_0 system_prop_26_0 (file (ioctl read getattr lock open)))
-(allow clatd_26_0 proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow clatd_26_0 proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow clatd_26_0 proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow clatd_26_0 netd_26_0 (fd (use)))
-(allow clatd_26_0 netd_26_0 (fifo_file (read write)))
-(allow clatd_26_0 netd_26_0 (netlink_kobject_uevent_socket (read write)))
-(allow clatd_26_0 netd_26_0 (netlink_nflog_socket (read write)))
-(allow clatd_26_0 netd_26_0 (netlink_route_socket (read write)))
-(allow clatd_26_0 netd_26_0 (udp_socket (read write)))
-(allow clatd_26_0 netd_26_0 (unix_stream_socket (read write)))
-(allow clatd_26_0 netd_26_0 (unix_dgram_socket (read write)))
-(allow clatd_26_0 self (capability (setgid setuid net_admin net_raw)))
-(allow clatd_26_0 self (capability (ipc_lock)))
-(allow clatd_26_0 self (netlink_route_socket (nlmsg_write)))
-(allow clatd_26_0 self (rawip_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow clatd_26_0 self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow clatd_26_0 self (tun_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow clatd_26_0 tun_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow cppreopts_26_0 dalvikcache_data_file_26_0 (dir (write add_name remove_name search)))
-(allow cppreopts_26_0 dalvikcache_data_file_26_0 (file (read write create getattr rename open)))
-(allow cppreopts_26_0 shell_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow cppreopts_26_0 system_file_26_0 (dir (read open)))
-(allow cppreopts_26_0 toolbox_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow crash_dump_26_0 base_typeattr_3_26_0 (process (sigchld sigkill sigstop signal ptrace)))
-(dontaudit crash_dump_26_0 self (capability (sys_ptrace)))
-(allow crash_dump_26_0 logd_26_0 (process (sigchld sigkill sigstop signal ptrace)))
-(allow crash_dump_26_0 domain (fd (use)))
-(allow crash_dump_26_0 domain (fifo_file (write append)))
-(allow crash_dump_26_0 domain (dir (ioctl read getattr lock search open)))
-(allow crash_dump_26_0 domain (file (ioctl read getattr lock open)))
-(allow crash_dump_26_0 domain (lnk_file (ioctl read getattr lock open)))
-(allow crash_dump_26_0 exec_type (file (ioctl read getattr lock open)))
-(allow crash_dump_26_0 dalvikcache_data_file_26_0 (dir (getattr search)))
-(allow crash_dump_26_0 dalvikcache_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow crash_dump_26_0 apk_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow crash_dump_26_0 apk_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow crash_dump_26_0 apk_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow crash_dump_26_0 vendor_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow crash_dump_26_0 same_process_hal_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow crash_dump_26_0 vendor_file_26_0 (file (ioctl read getattr lock open)))
-(allow crash_dump_26_0 vendor_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow crash_dump_26_0 same_process_hal_file_26_0 (file (ioctl read getattr lock open)))
-(allow crash_dump_26_0 same_process_hal_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow crash_dump_26_0 tombstoned_crash_socket_26_0 (sock_file (write)))
-(allow crash_dump_26_0 tombstoned_26_0 (unix_stream_socket (connectto)))
-(allow crash_dump_26_0 system_ndebug_socket_26_0 (sock_file (write)))
-(allow crash_dump_26_0 system_server_26_0 (unix_stream_socket (connectto)))
-(allow crash_dump_26_0 anr_data_file_26_0 (file (getattr append)))
-(allow crash_dump_26_0 tombstone_data_file_26_0 (file (getattr append)))
-(allow crash_dump_26_0 logcat_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow crash_dump_26_0 logdr_socket_26_0 (sock_file (write)))
-(allow crash_dump_26_0 logd_26_0 (unix_stream_socket (connectto)))
-(neverallow domain crash_dump_exec_26_0 (file (execute_no_trans)))
-(allow dex2oat_26_0 apk_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow dex2oat_26_0 apk_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow dex2oat_26_0 apk_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow dex2oat_26_0 vendor_app_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow dex2oat_26_0 vendor_app_file_26_0 (file (ioctl read getattr lock open)))
-(allow dex2oat_26_0 vendor_app_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow dex2oat_26_0 vendor_framework_file_26_0 (dir (getattr search)))
-(allow dex2oat_26_0 vendor_framework_file_26_0 (file (read getattr open)))
-(allow dex2oat_26_0 tmpfs_26_0 (file (read getattr)))
-(allow dex2oat_26_0 dalvikcache_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow dex2oat_26_0 dalvikcache_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow dex2oat_26_0 dalvikcache_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow dex2oat_26_0 dalvikcache_data_file_26_0 (file (write)))
-(allow dex2oat_26_0 dalvikcache_data_file_26_0 (lnk_file (read)))
-(allow dex2oat_26_0 installd_26_0 (fd (use)))
-(allow dex2oat_26_0 system_file_26_0 (file (lock)))
-(allow dex2oat_26_0 asec_apk_file_26_0 (file (read)))
-(allow dex2oat_26_0 unlabeled_26_0 (file (read)))
-(allow dex2oat_26_0 oemfs_26_0 (file (read)))
-(allow dex2oat_26_0 apk_tmp_file_26_0 (dir (search)))
-(allow dex2oat_26_0 apk_tmp_file_26_0 (file (ioctl read getattr lock open)))
-(allow dex2oat_26_0 user_profile_data_file_26_0 (file (read getattr lock)))
-(allow dex2oat_26_0 app_data_file_26_0 (file (read write getattr lock)))
-(allow dex2oat_26_0 postinstall_dexopt_26_0 (fd (use)))
-(allow dex2oat_26_0 postinstall_file_26_0 (dir (getattr search)))
-(allow dex2oat_26_0 postinstall_file_26_0 (filesystem (getattr)))
-(allow dex2oat_26_0 postinstall_file_26_0 (lnk_file (read)))
-(allow dex2oat_26_0 ota_data_file_26_0 (dir (ioctl read write getattr lock add_name search open)))
-(allow dex2oat_26_0 ota_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow dex2oat_26_0 ota_data_file_26_0 (lnk_file (read create)))
-(allow dex2oat_26_0 ota_data_file_26_0 (file (write create setattr lock append open)))
-(neverallow dex2oat_26_0 app_data_file_26_0 (file (open)))
-(neverallow dex2oat_26_0 app_data_file_26_0 (lnk_file (open)))
-(neverallow dex2oat_26_0 app_data_file_26_0 (sock_file (open)))
-(neverallow dex2oat_26_0 app_data_file_26_0 (fifo_file (open)))
-(allow dhcp_26_0 cgroup_26_0 (dir (write create add_name)))
-(allow dhcp_26_0 self (capability (setgid setuid net_bind_service net_admin net_raw)))
-(allow dhcp_26_0 self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow dhcp_26_0 self (netlink_route_socket (nlmsg_write)))
-(allow dhcp_26_0 shell_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow dhcp_26_0 system_file_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow dhcp_26_0 toolbox_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow dhcp_26_0 proc_net_26_0 (file (write)))
-(allow dhcp_26_0 property_socket_26_0 (sock_file (write)))
-(allow dhcp_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow dhcp_26_0 dhcp_prop_26_0 (property_service (set)))
-(allow dhcp_26_0 dhcp_prop_26_0 (file (ioctl read getattr lock open)))
-(allow dhcp_26_0 property_socket_26_0 (sock_file (write)))
-(allow dhcp_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow dhcp_26_0 pan_result_prop_26_0 (property_service (set)))
-(allow dhcp_26_0 pan_result_prop_26_0 (file (ioctl read getattr lock open)))
-(allow dhcp_26_0 dhcp_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow dhcp_26_0 dhcp_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow dhcp_26_0 netd_26_0 (fd (use)))
-(allow dhcp_26_0 netd_26_0 (fifo_file (ioctl read write getattr lock append open)))
-(allow dhcp_26_0 netd_26_0 (udp_socket (read write)))
-(allow dhcp_26_0 netd_26_0 (unix_stream_socket (read write)))
-(allow dhcp_26_0 netd_26_0 (unix_dgram_socket (read write)))
-(allow dhcp_26_0 netd_26_0 (netlink_route_socket (read write)))
-(allow dhcp_26_0 netd_26_0 (netlink_nflog_socket (read write)))
-(allow dhcp_26_0 netd_26_0 (netlink_kobject_uevent_socket (read write)))
-(allow display_service_server fwk_display_hwservice_26_0 (hwservice_manager (add find)))
-(allow display_service_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_4_26_0 fwk_display_hwservice_26_0 (hwservice_manager (add)))
-(neverallow display_service_server unlabeled_26_0 (hwservice_manager (add)))
-(allowx dnsmasq_26_0 self (ioctl udp_socket (0x6900 0x6902)))
-(allowx dnsmasq_26_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx dnsmasq_26_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow dnsmasq_26_0 self (capability (dac_override)))
-(allow dnsmasq_26_0 self (capability (setgid setuid net_bind_service net_admin net_raw)))
-(allow dnsmasq_26_0 dhcp_data_file_26_0 (dir (write lock add_name remove_name search open)))
-(allow dnsmasq_26_0 dhcp_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow dnsmasq_26_0 netd_26_0 (fd (use)))
-(allow dnsmasq_26_0 netd_26_0 (fifo_file (read write)))
-(allow dnsmasq_26_0 netd_26_0 (netlink_kobject_uevent_socket (read write)))
-(allow dnsmasq_26_0 netd_26_0 (netlink_nflog_socket (read write)))
-(allow dnsmasq_26_0 netd_26_0 (netlink_route_socket (read write)))
-(allow dnsmasq_26_0 netd_26_0 (unix_stream_socket (read write)))
-(allow dnsmasq_26_0 netd_26_0 (unix_dgram_socket (read write)))
-(allow dnsmasq_26_0 netd_26_0 (udp_socket (read write)))
-(allow domain init_26_0 (process (sigchld)))
-(allow domain self (process (fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit)))
-(allow domain self (fd (use)))
-(allow domain proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow domain proc_net_26_0 (dir (search)))
-(allow domain self (dir (ioctl read getattr lock search open)))
-(allow domain self (file (ioctl read getattr lock open)))
-(allow domain self (lnk_file (ioctl read getattr lock open)))
-(allow domain self (file (ioctl read write getattr lock append open)))
-(allow domain self (fifo_file (ioctl read write getattr lock append open)))
-(allow domain self (unix_dgram_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown sendto)))
-(allow domain self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
-(allow domain init_26_0 (fd (use)))
-(allow domain su_26_0 (unix_stream_socket (connectto)))
-(allow domain su_26_0 (fd (use)))
-(allow domain su_26_0 (unix_stream_socket (read write getattr getopt shutdown)))
-(allow base_typeattr_5_26_0 su_26_0 (binder (call transfer)))
-(allow base_typeattr_5_26_0 su_26_0 (fd (use)))
-(allow domain su_26_0 (fifo_file (write getattr)))
-(allow domain su_26_0 (process (sigchld)))
-(allow domain coredump_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow domain coredump_file_26_0 (dir (ioctl read write getattr lock add_name search open)))
-(allow domain rootfs_26_0 (dir (search)))
-(allow domain rootfs_26_0 (lnk_file (read getattr)))
-(allow domain device_26_0 (dir (search)))
-(allow domain dev_type (lnk_file (ioctl read getattr lock open)))
-(allow domain devpts_26_0 (dir (search)))
-(allow domain socket_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow domain owntty_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow domain null_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow domain zero_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow domain ashmem_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow base_typeattr_6_26_0 binder_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow base_typeattr_7_26_0 hwbinder_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow domain ptmx_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow domain alarm_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow domain random_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow domain properties_device_26_0 (dir (getattr search)))
-(allow domain properties_serial_26_0 (file (ioctl read getattr lock open)))
-(allow domain core_property_type (file (ioctl read getattr lock open)))
-(allow domain log_property_type (file (ioctl read getattr lock open)))
-(dontaudit domain property_type (file (audit_access)))
-(allow domain property_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow domain init_26_0 (key (search)))
-(allow domain vold_26_0 (key (search)))
-(allow domain logdw_socket_26_0 (sock_file (write)))
-(allow domain logd_26_0 (unix_dgram_socket (sendto)))
-(allow domain pmsg_device_26_0 (chr_file (write lock append open)))
-(allow domain system_file_26_0 (dir (getattr search)))
-(allow domain system_file_26_0 (file (read getattr execute open)))
-(allow domain system_file_26_0 (lnk_file (read getattr)))
-(allow domain vendor_hal_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow domain same_process_hal_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow domain same_process_hal_file_26_0 (file (read getattr execute open)))
-(allow domain vndk_sp_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow domain vndk_sp_file_26_0 (file (read getattr execute open)))
-(allow domain vendor_configs_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow domain vendor_configs_file_26_0 (file (read getattr open)))
-(allow domain vendor_file_26_0 (lnk_file (read getattr open)))
-(allow domain vendor_file_26_0 (dir (getattr search)))
-(allow base_typeattr_8_26_0 vendor_file_type (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_8_26_0 vendor_file_type (file (read getattr execute open)))
-(allow base_typeattr_8_26_0 vendor_file_type (lnk_file (read getattr)))
-(allow domain sysfs_26_0 (lnk_file (read)))
-(allow domain zoneinfo_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow domain zoneinfo_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow domain zoneinfo_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow domain sysfs_devices_system_cpu_26_0 (dir (ioctl read getattr lock search open)))
-(allow domain sysfs_devices_system_cpu_26_0 (file (ioctl read getattr lock open)))
-(allow domain sysfs_devices_system_cpu_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow domain sysfs_usb_26_0 (dir (ioctl read getattr lock search open)))
-(allow domain sysfs_usb_26_0 (file (ioctl read getattr lock open)))
-(allow domain sysfs_usb_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow appdomain system_data_file_26_0 (dir (getattr)))
-(allow coredomain system_data_file_26_0 (dir (getattr)))
-(allow domain system_data_file_26_0 (dir (search)))
-(allow domain proc_26_0 (lnk_file (read getattr)))
-(allow domain proc_cpuinfo_26_0 (file (ioctl read getattr lock open)))
-(allow domain proc_overcommit_memory_26_0 (file (ioctl read getattr lock open)))
-(allow domain proc_perf_26_0 (file (ioctl read getattr lock open)))
-(allow domain selinuxfs_26_0 (dir (search)))
-(allow domain selinuxfs_26_0 (file (getattr)))
-(allow domain sysfs_26_0 (dir (search)))
-(allow domain selinuxfs_26_0 (filesystem (getattr)))
-(allow domain cgroup_26_0 (dir (write search)))
-(allow domain cgroup_26_0 (file (write lock append open)))
-(allow domain debugfs_26_0 (dir (search)))
-(allow domain debugfs_tracing_26_0 (dir (search)))
-(allow domain debugfs_trace_marker_26_0 (file (write lock append open)))
-(allow domain fs_type (filesystem (getattr)))
-(allow domain fs_type (dir (getattr)))
-(allowx domain domain (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx domain domain (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx domain domain (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx domain domain (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx domain domain (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx domain domain (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx domain domain (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx domain domain (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx domain domain (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx domain domain (ioctl unix_stream_socket (0x5401 0x5411 ((range 0x5413 0x5414)) 0x541b 0x5451)))
-(allowx domain domain (ioctl unix_dgram_socket (0x5401 0x5411 ((range 0x5413 0x5414)) 0x541b 0x5451)))
-(allowx domain devpts_26_0 (ioctl chr_file (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allow base_typeattr_9_26_0 hwservice_manager_type (hwservice_manager (add find)))
-(allow base_typeattr_9_26_0 vndservice_manager_type (service_manager (add find)))
-(neverallowx domain domain (ioctl socket (0x0)))
-(neverallowx domain domain (ioctl tcp_socket (0x0)))
-(neverallowx domain domain (ioctl udp_socket (0x0)))
-(neverallowx domain domain (ioctl rawip_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_socket (0x0)))
-(neverallowx domain domain (ioctl packet_socket (0x0)))
-(neverallowx domain domain (ioctl key_socket (0x0)))
-(neverallowx domain domain (ioctl unix_stream_socket (0x0)))
-(neverallowx domain domain (ioctl unix_dgram_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_route_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_tcpdiag_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_nflog_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_xfrm_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_selinux_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_audit_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_dnrt_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_kobject_uevent_socket (0x0)))
-(neverallowx domain domain (ioctl appletalk_socket (0x0)))
-(neverallowx domain domain (ioctl tun_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_iscsi_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_fib_lookup_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_connector_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_netfilter_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_generic_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_scsitransport_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_rdma_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_crypto_socket (0x0)))
-(neverallowx domain domain (ioctl sctp_socket (0x0)))
-(neverallowx domain domain (ioctl icmp_socket (0x0)))
-(neverallowx domain domain (ioctl ax25_socket (0x0)))
-(neverallowx domain domain (ioctl ipx_socket (0x0)))
-(neverallowx domain domain (ioctl netrom_socket (0x0)))
-(neverallowx domain domain (ioctl atmpvc_socket (0x0)))
-(neverallowx domain domain (ioctl x25_socket (0x0)))
-(neverallowx domain domain (ioctl rose_socket (0x0)))
-(neverallowx domain domain (ioctl decnet_socket (0x0)))
-(neverallowx domain domain (ioctl atmsvc_socket (0x0)))
-(neverallowx domain domain (ioctl rds_socket (0x0)))
-(neverallowx domain domain (ioctl irda_socket (0x0)))
-(neverallowx domain domain (ioctl pppox_socket (0x0)))
-(neverallowx domain domain (ioctl llc_socket (0x0)))
-(neverallowx domain domain (ioctl can_socket (0x0)))
-(neverallowx domain domain (ioctl tipc_socket (0x0)))
-(neverallowx domain domain (ioctl bluetooth_socket (0x0)))
-(neverallowx domain domain (ioctl iucv_socket (0x0)))
-(neverallowx domain domain (ioctl rxrpc_socket (0x0)))
-(neverallowx domain domain (ioctl isdn_socket (0x0)))
-(neverallowx domain domain (ioctl phonet_socket (0x0)))
-(neverallowx domain domain (ioctl ieee802154_socket (0x0)))
-(neverallowx domain domain (ioctl caif_socket (0x0)))
-(neverallowx domain domain (ioctl alg_socket (0x0)))
-(neverallowx domain domain (ioctl nfc_socket (0x0)))
-(neverallowx domain domain (ioctl vsock_socket (0x0)))
-(neverallowx domain domain (ioctl kcm_socket (0x0)))
-(neverallowx domain domain (ioctl qipcrtr_socket (0x0)))
-(neverallowx base_typeattr_10_26_0 devpts_26_0 (ioctl chr_file (0x5412)))
-(neverallow base_typeattr_11_26_0 unlabeled_26_0 (file (create)))
-(neverallow base_typeattr_11_26_0 unlabeled_26_0 (dir (create)))
-(neverallow base_typeattr_11_26_0 unlabeled_26_0 (lnk_file (create)))
-(neverallow base_typeattr_11_26_0 unlabeled_26_0 (chr_file (create)))
-(neverallow base_typeattr_11_26_0 unlabeled_26_0 (blk_file (create)))
-(neverallow base_typeattr_11_26_0 unlabeled_26_0 (sock_file (create)))
-(neverallow base_typeattr_11_26_0 unlabeled_26_0 (fifo_file (create)))
-(neverallow base_typeattr_12_26_0 self (capability (mknod)))
-(neverallow base_typeattr_13_26_0 self (capability (sys_rawio)))
-(neverallow base_typeattr_10_26_0 self (memprotect (mmap_zero)))
-(neverallow base_typeattr_10_26_0 self (capability2 (mac_override)))
-(neverallow base_typeattr_14_26_0 self (capability2 (mac_admin)))
-(neverallow base_typeattr_10_26_0 kernel_26_0 (security (load_policy)))
-(neverallow base_typeattr_10_26_0 kernel_26_0 (security (setenforce)))
-(neverallow base_typeattr_15_26_0 kernel_26_0 (security (setcheckreqprot)))
-(neverallow base_typeattr_10_26_0 kernel_26_0 (security (setbool)))
-(neverallow base_typeattr_5_26_0 kernel_26_0 (security (setsecparam)))
-(neverallow base_typeattr_16_26_0 hw_random_device_26_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_10_26_0 base_typeattr_17_26_0 (file (entrypoint)))
-(neverallow base_typeattr_18_26_0 kmem_device_26_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_10_26_0 kmem_device_26_0 (chr_file (ioctl read write lock relabelfrom append link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_18_26_0 port_device_26_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_10_26_0 port_device_26_0 (chr_file (ioctl read write lock relabelfrom append link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_5_26_0 usermodehelper_26_0 (file (write append)))
-(neverallow base_typeattr_5_26_0 proc_security_26_0 (file (read write append open)))
-(neverallow base_typeattr_10_26_0 init_26_0 (process (ptrace)))
-(neverallow base_typeattr_10_26_0 init_26_0 (binder (impersonate call set_context_mgr transfer)))
-(neverallow base_typeattr_19_26_0 block_device_26_0 (blk_file (read write open)))
-(neverallow base_typeattr_10_26_0 base_typeattr_10_26_0 (chr_file (rename)))
-(neverallow base_typeattr_10_26_0 base_typeattr_10_26_0 (blk_file (rename)))
-(neverallow domain device_26_0 (chr_file (read write open)))
-(neverallow base_typeattr_20_26_0 base_typeattr_21_26_0 (filesystem (mount remount relabelfrom relabelto)))
-(neverallow base_typeattr_22_26_0 base_typeattr_23_26_0 (file (execute)))
-(neverallow base_typeattr_24_26_0 base_typeattr_25_26_0 (file (execute)))
-(neverallow domain cache_file_26_0 (file (execute)))
-(neverallow domain cache_backup_file_26_0 (file (execute)))
-(neverallow domain cache_private_backup_file_26_0 (file (execute)))
-(neverallow domain cache_recovery_file_26_0 (file (execute)))
-(neverallow base_typeattr_26_26_0 base_typeattr_27_26_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_28_26_0 nativetest_data_file_26_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_5_26_0 property_data_file_26_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(neverallow base_typeattr_5_26_0 property_data_file_26_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow base_typeattr_5_26_0 property_type (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow base_typeattr_5_26_0 properties_device_26_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow base_typeattr_5_26_0 properties_serial_26_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow base_typeattr_14_26_0 exec_type (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 exec_type (dir (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 exec_type (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 exec_type (chr_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 exec_type (blk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 exec_type (sock_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 exec_type (fifo_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 vendor_file_type (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 vendor_file_type (dir (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 vendor_file_type (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 vendor_file_type (chr_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 vendor_file_type (blk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 vendor_file_type (sock_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 vendor_file_type (fifo_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 system_file_26_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 system_file_26_0 (dir (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 system_file_26_0 (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 system_file_26_0 (chr_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 system_file_26_0 (blk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 system_file_26_0 (sock_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_26_0 system_file_26_0 (fifo_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_29_26_0 exec_type (file (relabelto)))
-(neverallow base_typeattr_29_26_0 exec_type (dir (relabelto)))
-(neverallow base_typeattr_29_26_0 exec_type (lnk_file (relabelto)))
-(neverallow base_typeattr_29_26_0 exec_type (chr_file (relabelto)))
-(neverallow base_typeattr_29_26_0 exec_type (blk_file (relabelto)))
-(neverallow base_typeattr_29_26_0 exec_type (sock_file (relabelto)))
-(neverallow base_typeattr_29_26_0 exec_type (fifo_file (relabelto)))
-(neverallow base_typeattr_29_26_0 vendor_file_type (file (relabelto)))
-(neverallow base_typeattr_29_26_0 vendor_file_type (dir (relabelto)))
-(neverallow base_typeattr_29_26_0 vendor_file_type (lnk_file (relabelto)))
-(neverallow base_typeattr_29_26_0 vendor_file_type (chr_file (relabelto)))
-(neverallow base_typeattr_29_26_0 vendor_file_type (blk_file (relabelto)))
-(neverallow base_typeattr_29_26_0 vendor_file_type (sock_file (relabelto)))
-(neverallow base_typeattr_29_26_0 vendor_file_type (fifo_file (relabelto)))
-(neverallow base_typeattr_29_26_0 system_file_26_0 (file (relabelto)))
-(neverallow base_typeattr_29_26_0 system_file_26_0 (dir (relabelto)))
-(neverallow base_typeattr_29_26_0 system_file_26_0 (lnk_file (relabelto)))
-(neverallow base_typeattr_29_26_0 system_file_26_0 (chr_file (relabelto)))
-(neverallow base_typeattr_29_26_0 system_file_26_0 (blk_file (relabelto)))
-(neverallow base_typeattr_29_26_0 system_file_26_0 (sock_file (relabelto)))
-(neverallow base_typeattr_29_26_0 system_file_26_0 (fifo_file (relabelto)))
-(neverallow base_typeattr_10_26_0 exec_type (file (mounton)))
-(neverallow base_typeattr_10_26_0 exec_type (dir (mounton)))
-(neverallow base_typeattr_10_26_0 exec_type (lnk_file (mounton)))
-(neverallow base_typeattr_10_26_0 exec_type (chr_file (mounton)))
-(neverallow base_typeattr_10_26_0 exec_type (blk_file (mounton)))
-(neverallow base_typeattr_10_26_0 exec_type (sock_file (mounton)))
-(neverallow base_typeattr_10_26_0 exec_type (fifo_file (mounton)))
-(neverallow base_typeattr_5_26_0 vendor_file_type (file (mounton)))
-(neverallow base_typeattr_5_26_0 vendor_file_type (dir (mounton)))
-(neverallow base_typeattr_5_26_0 vendor_file_type (lnk_file (mounton)))
-(neverallow base_typeattr_5_26_0 vendor_file_type (chr_file (mounton)))
-(neverallow base_typeattr_5_26_0 vendor_file_type (blk_file (mounton)))
-(neverallow base_typeattr_5_26_0 vendor_file_type (sock_file (mounton)))
-(neverallow base_typeattr_5_26_0 vendor_file_type (fifo_file (mounton)))
-(neverallow base_typeattr_5_26_0 system_file_26_0 (file (mounton)))
-(neverallow base_typeattr_5_26_0 system_file_26_0 (dir (mounton)))
-(neverallow base_typeattr_5_26_0 system_file_26_0 (lnk_file (mounton)))
-(neverallow base_typeattr_5_26_0 system_file_26_0 (chr_file (mounton)))
-(neverallow base_typeattr_5_26_0 system_file_26_0 (blk_file (mounton)))
-(neverallow base_typeattr_5_26_0 system_file_26_0 (sock_file (mounton)))
-(neverallow base_typeattr_5_26_0 system_file_26_0 (fifo_file (mounton)))
-(neverallow base_typeattr_10_26_0 rootfs_26_0 (file (write create setattr relabelto append unlink link rename)))
-(neverallow base_typeattr_10_26_0 base_typeattr_30_26_0 (filesystem (relabelto)))
-(neverallow base_typeattr_14_26_0 contextmount_type (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_26_0 contextmount_type (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_26_0 contextmount_type (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_26_0 contextmount_type (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_26_0 contextmount_type (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_26_0 contextmount_type (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_26_0 contextmount_type (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_10_26_0 default_android_service_26_0 (service_manager (add)))
-(neverallow base_typeattr_10_26_0 default_android_vndservice_26_0 (service_manager (add find)))
-(neverallow base_typeattr_10_26_0 default_android_hwservice_26_0 (hwservice_manager (add find)))
-(neverallow base_typeattr_10_26_0 hidl_base_hwservice_26_0 (hwservice_manager (find)))
-(neverallow base_typeattr_5_26_0 default_prop_26_0 (property_service (set)))
-(neverallow base_typeattr_5_26_0 mmc_prop_26_0 (property_service (set)))
-(neverallow base_typeattr_31_26_0 serialno_prop_26_0 (file (ioctl read getattr lock open)))
-(neverallow base_typeattr_32_26_0 firstboot_prop_26_0 (file (ioctl read getattr lock open)))
-(neverallow base_typeattr_33_26_0 frp_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_34_26_0 metadata_block_device_26_0 (blk_file (ioctl read write lock append link rename open)))
-(neverallow base_typeattr_35_26_0 system_block_device_26_0 (blk_file (write)))
-(neverallow base_typeattr_36_26_0 recovery_block_device_26_0 (blk_file (write)))
-(neverallow base_typeattr_37_26_0 misc_block_device_26_0 (blk_file (ioctl read write lock relabelfrom append link rename open)))
-(neverallow hal_bootctl unlabeled_26_0 (service_manager (list)))
-(neverallow base_typeattr_38_26_0 base_typeattr_10_26_0 (binder (set_context_mgr)))
-(neverallow servicemanager_26_0 hwbinder_device_26_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow servicemanager_26_0 vndbinder_device_26_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow hwservicemanager_26_0 binder_device_26_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow hwservicemanager_26_0 vndbinder_device_26_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow vndservicemanager_26_0 binder_device_26_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow vndservicemanager_26_0 hwbinder_device_26_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_39_26_0 binder_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(neverallow base_typeattr_39_26_0 service_manager_type (service_manager (find)))
-(neverallow base_typeattr_40_26_0 base_typeattr_41_26_0 (service_manager (find)))
-(neverallow base_typeattr_39_26_0 servicemanager_26_0 (binder (call transfer)))
-(neverallow binder_in_vendor_violators unlabeled_26_0 (service_manager (list)))
-(neverallow base_typeattr_42_26_0 vndbinder_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(neverallow ueventd_26_0 vndbinder_device_26_0 (chr_file (ioctl read write append)))
-(neverallow base_typeattr_43_26_0 vndservice_manager_type (service_manager (add find list)))
-(neverallow base_typeattr_43_26_0 vndservicemanager_26_0 (binder (impersonate call set_context_mgr transfer)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (tcp_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (udp_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (rawip_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (packet_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (key_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (unix_stream_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (unix_dgram_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_route_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_tcpdiag_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_nflog_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_xfrm_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_selinux_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_audit_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_dnrt_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_kobject_uevent_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (appletalk_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (tun_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_iscsi_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_fib_lookup_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_connector_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_netfilter_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_generic_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_scsitransport_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_rdma_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netlink_crypto_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (sctp_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (icmp_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (ax25_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (ipx_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (netrom_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (atmpvc_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (x25_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (rose_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (decnet_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (atmsvc_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (rds_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (irda_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (pppox_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (llc_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (can_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (tipc_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (bluetooth_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (iucv_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (rxrpc_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (isdn_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (phonet_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (ieee802154_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (caif_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (alg_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (nfc_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (vsock_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (kcm_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (qipcrtr_socket (connect sendto)))
-(neverallow base_typeattr_44_26_0 base_typeattr_45_26_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (tcp_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (udp_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (rawip_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (packet_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (key_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (unix_stream_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (unix_dgram_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_route_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_tcpdiag_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_nflog_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_xfrm_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_selinux_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_audit_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_dnrt_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_kobject_uevent_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (appletalk_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (tun_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_iscsi_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_fib_lookup_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_connector_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_netfilter_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_generic_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_scsitransport_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_rdma_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netlink_crypto_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (sctp_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (icmp_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (ax25_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (ipx_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (netrom_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (atmpvc_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (x25_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (rose_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (decnet_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (atmsvc_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (rds_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (irda_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (pppox_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (llc_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (can_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (tipc_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (bluetooth_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (iucv_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (rxrpc_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (isdn_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (phonet_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (ieee802154_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (caif_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (alg_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (nfc_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (vsock_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (kcm_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (qipcrtr_socket (connect sendto)))
-(neverallow base_typeattr_46_26_0 base_typeattr_47_26_0 (unix_stream_socket (connectto)))
-(neverallow socket_between_core_and_vendor_violators unlabeled_26_0 (service_manager (list)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (tcp_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (udp_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (rawip_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (packet_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (key_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (unix_stream_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (unix_dgram_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_route_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_tcpdiag_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_nflog_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_xfrm_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_selinux_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_audit_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_dnrt_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_kobject_uevent_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (appletalk_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (tun_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_iscsi_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_fib_lookup_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_connector_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_netfilter_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_generic_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_scsitransport_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_rdma_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netlink_crypto_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (sctp_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (icmp_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (ax25_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (ipx_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (netrom_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (atmpvc_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (x25_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (rose_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (decnet_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (atmsvc_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (rds_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (irda_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (pppox_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (llc_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (can_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (tipc_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (bluetooth_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (iucv_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (rxrpc_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (isdn_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (phonet_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (ieee802154_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (caif_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (alg_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (nfc_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (vsock_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (kcm_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (qipcrtr_socket (connect sendto)))
-(neverallow base_typeattr_48_26_0 netd_26_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_46_26_0 core_data_file_type (sock_file (create setattr lock relabelfrom relabelto unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_46_26_0 coredomain_socket (sock_file (create setattr lock relabelfrom relabelto unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_46_26_0 unlabeled_26_0 (sock_file (create setattr lock relabelfrom relabelto unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_40_26_0 base_typeattr_49_26_0 (sock_file (create setattr lock relabelfrom relabelto unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow pdx_endpoint_socket_type unlabeled_26_0 (service_manager (list)))
-(neverallow pdx_channel_socket_type unlabeled_26_0 (service_manager (list)))
-(neverallow base_typeattr_50_26_0 base_typeattr_51_26_0 (sock_file (create setattr lock relabelfrom relabelto unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_52_26_0 vendor_app_file_26_0 (dir (read getattr search open)))
-(neverallow base_typeattr_52_26_0 vendor_app_file_26_0 (file (ioctl read getattr lock open)))
-(neverallow base_typeattr_52_26_0 vendor_app_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(neverallow base_typeattr_53_26_0 vendor_overlay_file_26_0 (dir (read getattr search open)))
-(neverallow base_typeattr_53_26_0 vendor_overlay_file_26_0 (file (ioctl read getattr lock open)))
-(neverallow base_typeattr_53_26_0 vendor_overlay_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(neverallow base_typeattr_54_26_0 vendor_shell_exec_26_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_55_26_0 base_typeattr_56_26_0 (file (execute execute_no_trans entrypoint)))
-(neverallow vendor_executes_system_violators unlabeled_26_0 (service_manager (list)))
-(neverallow base_typeattr_57_26_0 dalvikcache_data_file_26_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_57_26_0 dalvikcache_data_file_26_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(neverallow base_typeattr_58_26_0 zygote_26_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_59_26_0 zygote_socket_26_0 (sock_file (write)))
-(neverallow base_typeattr_60_26_0 webview_zygote_26_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_59_26_0 webview_zygote_socket_26_0 (sock_file (write)))
-(neverallow base_typeattr_61_26_0 tombstoned_26_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_62_26_0 tombstoned_crash_socket_26_0 (sock_file (write)))
-(neverallow base_typeattr_63_26_0 tombstoned_intercept_socket_26_0 (sock_file (write)))
-(neverallow base_typeattr_10_26_0 base_typeattr_10_26_0 (sem (create destroy getattr setattr read write associate unix_read unix_write)))
-(neverallow base_typeattr_10_26_0 base_typeattr_10_26_0 (msg (send receive)))
-(neverallow base_typeattr_10_26_0 base_typeattr_10_26_0 (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)))
-(neverallow base_typeattr_10_26_0 base_typeattr_10_26_0 (shm (create destroy getattr setattr read write associate unix_read unix_write lock)))
-(neverallow base_typeattr_10_26_0 dev_type (lnk_file (mounton)))
-(neverallow base_typeattr_10_26_0 dev_type (sock_file (mounton)))
-(neverallow base_typeattr_10_26_0 dev_type (fifo_file (mounton)))
-(neverallow base_typeattr_10_26_0 fs_type (lnk_file (mounton)))
-(neverallow base_typeattr_10_26_0 fs_type (sock_file (mounton)))
-(neverallow base_typeattr_10_26_0 fs_type (fifo_file (mounton)))
-(neverallow base_typeattr_10_26_0 file_type (lnk_file (mounton)))
-(neverallow base_typeattr_10_26_0 file_type (sock_file (mounton)))
-(neverallow base_typeattr_10_26_0 file_type (fifo_file (mounton)))
-(neverallow base_typeattr_64_26_0 su_exec_26_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_10_26_0 base_typeattr_65_26_0 (file (execmod)))
-(neverallow base_typeattr_10_26_0 self (process (execstack execheap)))
-(neverallow base_typeattr_66_26_0 file_type (file (execmod)))
-(neverallow base_typeattr_5_26_0 proc_26_0 (file (mounton)))
-(neverallow base_typeattr_5_26_0 proc_26_0 (dir (mounton)))
-(neverallow base_typeattr_67_26_0 domain (process (transition dyntransition)))
-(neverallow base_typeattr_68_26_0 system_data_file_26_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow installd_26_0 system_data_file_26_0 (file (write create setattr relabelto append link rename execute quotaon mounton execute_no_trans entrypoint execmod audit_access)))
-(neverallow base_typeattr_69_26_0 system_app_data_file_26_0 (file (create unlink open)))
-(neverallow base_typeattr_69_26_0 system_app_data_file_26_0 (dir (create unlink open)))
-(neverallow base_typeattr_69_26_0 system_app_data_file_26_0 (lnk_file (create unlink open)))
-(neverallow base_typeattr_69_26_0 system_app_data_file_26_0 (chr_file (create unlink open)))
-(neverallow base_typeattr_69_26_0 system_app_data_file_26_0 (blk_file (create unlink open)))
-(neverallow base_typeattr_69_26_0 system_app_data_file_26_0 (sock_file (create unlink open)))
-(neverallow base_typeattr_69_26_0 system_app_data_file_26_0 (fifo_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_26_0 (file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_26_0 (dir (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_26_0 (lnk_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_26_0 (chr_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_26_0 (blk_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_26_0 (sock_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_26_0 (fifo_file (create unlink open)))
-(neverallow ephemeral_app_26_0 system_app_data_file_26_0 (file (create unlink open)))
-(neverallow ephemeral_app_26_0 system_app_data_file_26_0 (dir (create unlink open)))
-(neverallow ephemeral_app_26_0 system_app_data_file_26_0 (lnk_file (create unlink open)))
-(neverallow ephemeral_app_26_0 system_app_data_file_26_0 (chr_file (create unlink open)))
-(neverallow ephemeral_app_26_0 system_app_data_file_26_0 (blk_file (create unlink open)))
-(neverallow ephemeral_app_26_0 system_app_data_file_26_0 (sock_file (create unlink open)))
-(neverallow ephemeral_app_26_0 system_app_data_file_26_0 (fifo_file (create unlink open)))
-(neverallow isolated_app_26_0 system_app_data_file_26_0 (file (create unlink open)))
-(neverallow isolated_app_26_0 system_app_data_file_26_0 (dir (create unlink open)))
-(neverallow isolated_app_26_0 system_app_data_file_26_0 (lnk_file (create unlink open)))
-(neverallow isolated_app_26_0 system_app_data_file_26_0 (chr_file (create unlink open)))
-(neverallow isolated_app_26_0 system_app_data_file_26_0 (blk_file (create unlink open)))
-(neverallow isolated_app_26_0 system_app_data_file_26_0 (sock_file (create unlink open)))
-(neverallow isolated_app_26_0 system_app_data_file_26_0 (fifo_file (create unlink open)))
-(neverallow priv_app_26_0 system_app_data_file_26_0 (file (create unlink open)))
-(neverallow priv_app_26_0 system_app_data_file_26_0 (dir (create unlink open)))
-(neverallow priv_app_26_0 system_app_data_file_26_0 (lnk_file (create unlink open)))
-(neverallow priv_app_26_0 system_app_data_file_26_0 (chr_file (create unlink open)))
-(neverallow priv_app_26_0 system_app_data_file_26_0 (blk_file (create unlink open)))
-(neverallow priv_app_26_0 system_app_data_file_26_0 (sock_file (create unlink open)))
-(neverallow priv_app_26_0 system_app_data_file_26_0 (fifo_file (create unlink open)))
-(neverallow base_typeattr_70_26_0 app_data_file_26_0 (file (create unlink)))
-(neverallow base_typeattr_70_26_0 app_data_file_26_0 (dir (create unlink)))
-(neverallow base_typeattr_70_26_0 app_data_file_26_0 (lnk_file (create unlink)))
-(neverallow base_typeattr_70_26_0 app_data_file_26_0 (chr_file (create unlink)))
-(neverallow base_typeattr_70_26_0 app_data_file_26_0 (blk_file (create unlink)))
-(neverallow base_typeattr_70_26_0 app_data_file_26_0 (sock_file (create unlink)))
-(neverallow base_typeattr_70_26_0 app_data_file_26_0 (fifo_file (create unlink)))
-(neverallow base_typeattr_71_26_0 shell_26_0 (process (transition dyntransition)))
-(neverallow base_typeattr_72_26_0 base_typeattr_73_26_0 (process (transition dyntransition)))
-(neverallow base_typeattr_74_26_0 app_data_file_26_0 (lnk_file (read)))
-(neverallow base_typeattr_75_26_0 shell_data_file_26_0 (lnk_file (read)))
-(neverallow base_typeattr_76_26_0 shell_data_file_26_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(neverallow base_typeattr_77_26_0 shell_data_file_26_0 (dir (search open)))
-(neverallow base_typeattr_78_26_0 shell_data_file_26_0 (file (open)))
-(neverallow base_typeattr_10_26_0 base_typeattr_79_26_0 (service_manager (list)))
-(neverallow base_typeattr_10_26_0 base_typeattr_80_26_0 (hwservice_manager (list)))
-(neverallow base_typeattr_10_26_0 domain (file (execute execute_no_trans entrypoint)))
-(neverallow base_typeattr_81_26_0 debugfs_26_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_82_26_0 profman_exec_26_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_10_26_0 base_typeattr_83_26_0 (system (module_load)))
-(neverallow base_typeattr_14_26_0 self (capability (setfcap)))
-(neverallow domain crash_dump_26_0 (process (noatsecure)))
-(neverallow base_typeattr_84_26_0 coredomain_hwservice (hwservice_manager (add)))
-(neverallow base_typeattr_10_26_0 same_process_hwservice (hwservice_manager (add)))
-(allow drmserver_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 drmserver_26_0 (dir (search)))
-(allow servicemanager_26_0 drmserver_26_0 (file (read open)))
-(allow servicemanager_26_0 drmserver_26_0 (process (getattr)))
-(allow drmserver_26_0 system_server_26_0 (binder (call transfer)))
-(allow system_server_26_0 drmserver_26_0 (binder (transfer)))
-(allow drmserver_26_0 system_server_26_0 (fd (use)))
-(allow drmserver_26_0 appdomain (binder (call transfer)))
-(allow appdomain drmserver_26_0 (binder (transfer)))
-(allow drmserver_26_0 appdomain (fd (use)))
-(allow drmserver_26_0 system_server_26_0 (fd (use)))
-(allow drmserver_26_0 mediaserver_26_0 (binder (call transfer)))
-(allow mediaserver_26_0 drmserver_26_0 (binder (transfer)))
-(allow drmserver_26_0 mediaserver_26_0 (fd (use)))
-(allow drmserver_26_0 sdcard_type (dir (search)))
-(allow drmserver_26_0 drm_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow drmserver_26_0 drm_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow drmserver_26_0 tee_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow drmserver_26_0 app_data_file_26_0 (file (read write getattr)))
-(allow drmserver_26_0 sdcard_type (file (read write getattr)))
-(allow drmserver_26_0 efs_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_26_0 efs_file_26_0 (file (ioctl read getattr lock open)))
-(allow drmserver_26_0 efs_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow drmserver_26_0 apk_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow drmserver_26_0 drmserver_socket_26_0 (sock_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow drmserver_26_0 apk_data_file_26_0 (sock_file (unlink)))
-(allow drmserver_26_0 media_rw_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_26_0 media_rw_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow drmserver_26_0 media_rw_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow drmserver_26_0 apk_data_file_26_0 (file (read getattr)))
-(allow drmserver_26_0 asec_apk_file_26_0 (file (read getattr)))
-(allow drmserver_26_0 ringtone_file_26_0 (file (read getattr)))
-(allow drmserver_26_0 radio_data_file_26_0 (file (read getattr)))
-(allow drmserver_26_0 oemfs_26_0 (dir (search)))
-(allow drmserver_26_0 oemfs_26_0 (file (ioctl read getattr lock open)))
-(allow drmserver_26_0 drmserver_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_85_26_0 drmserver_service_26_0 (service_manager (add)))
-(neverallow drmserver_26_0 unlabeled_26_0 (service_manager (add)))
-(allow drmserver_26_0 permission_service_26_0 (service_manager (find)))
-(allow drmserver_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow drmserver_26_0 selinuxfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow drmserver_26_0 selinuxfs_26_0 (file (write lock append open)))
-(allow drmserver_26_0 kernel_26_0 (security (compute_av)))
-(allow drmserver_26_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow drmserver_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow drmserver_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow drmserver_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_26_0 system_file_26_0 (file (ioctl read getattr lock open)))
-(allow drmserver_26_0 system_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 dumpstate_26_0 (dir (search)))
-(allow servicemanager_26_0 dumpstate_26_0 (file (read open)))
-(allow servicemanager_26_0 dumpstate_26_0 (process (getattr)))
-(allow dumpstate_26_0 sysfs_wake_lock_26_0 (file (ioctl read write getattr lock append open)))
-(allow dumpstate_26_0 self (capability2 (block_suspend)))
-(allow dumpstate_26_0 self (capability (setgid setuid sys_resource)))
-(allow dumpstate_26_0 domain (dir (ioctl read getattr lock search open)))
-(allow dumpstate_26_0 domain (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 domain (lnk_file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 self (capability (kill net_admin net_raw)))
-(allow dumpstate_26_0 system_file_26_0 (file (execute_no_trans)))
-(allow dumpstate_26_0 toolbox_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow dumpstate_26_0 self (capability (chown dac_override fowner fsetid)))
-(allow dumpstate_26_0 anr_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow dumpstate_26_0 anr_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow dumpstate_26_0 system_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 self (capability2 (syslog)))
-(allow dumpstate_26_0 kernel_26_0 (system (syslog_read)))
-(allow dumpstate_26_0 pstorefs_26_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_26_0 pstorefs_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 domain (process (getattr)))
-(allow dumpstate_26_0 appdomain (process (signal)))
-(allow dumpstate_26_0 system_server_26_0 (process (signal)))
-(allow dumpstate_26_0 hal_audio_server (process (signal)))
-(allow dumpstate_26_0 hal_bluetooth_server (process (signal)))
-(allow dumpstate_26_0 hal_camera_server (process (signal)))
-(allow dumpstate_26_0 hal_graphics_composer_server (process (signal)))
-(allow dumpstate_26_0 hal_vr_server (process (signal)))
-(allow dumpstate_26_0 audioserver_26_0 (process (signal)))
-(allow dumpstate_26_0 cameraserver_26_0 (process (signal)))
-(allow dumpstate_26_0 drmserver_26_0 (process (signal)))
-(allow dumpstate_26_0 inputflinger_26_0 (process (signal)))
-(allow dumpstate_26_0 mediacodec_26_0 (process (signal)))
-(allow dumpstate_26_0 mediadrmserver_26_0 (process (signal)))
-(allow dumpstate_26_0 mediaextractor_26_0 (process (signal)))
-(allow dumpstate_26_0 mediaserver_26_0 (process (signal)))
-(allow dumpstate_26_0 sdcardd_26_0 (process (signal)))
-(allow dumpstate_26_0 surfaceflinger_26_0 (process (signal)))
-(allow dumpstate_26_0 tombstoned_intercept_socket_26_0 (sock_file (write)))
-(allow dumpstate_26_0 tombstoned_26_0 (unix_stream_socket (connectto)))
-(allow dumpstate_26_0 sysfs_usb_26_0 (file (write lock append open)))
-(allow dumpstate_26_0 qtaguid_proc_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 debugfs_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 block_device_26_0 (dir (getattr search)))
-(allow dumpstate_26_0 storage_file_26_0 (dir (getattr search)))
-(allow dumpstate_26_0 fuse_device_26_0 (chr_file (getattr)))
-(allow dumpstate_26_0 dm_device_26_0 (blk_file (getattr)))
-(allow dumpstate_26_0 cache_block_device_26_0 (blk_file (getattr)))
-(allow dumpstate_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain dumpstate_26_0 (binder (transfer)))
-(allow dumpstate_26_0 binderservicedomain (fd (use)))
-(allow dumpstate_26_0 appdomain (binder (call transfer)))
-(allow dumpstate_26_0 netd_26_0 (binder (call transfer)))
-(allow dumpstate_26_0 wificond_26_0 (binder (call transfer)))
-(allow appdomain dumpstate_26_0 (binder (transfer)))
-(allow netd_26_0 dumpstate_26_0 (binder (transfer)))
-(allow wificond_26_0 dumpstate_26_0 (binder (transfer)))
-(allow dumpstate_26_0 appdomain (fd (use)))
-(allow dumpstate_26_0 netd_26_0 (fd (use)))
-(allow dumpstate_26_0 wificond_26_0 (fd (use)))
-(allow dumpstate_26_0 sysfs_vibrator_26_0 (file (ioctl read write getattr lock append open)))
-(allow dumpstate_26_0 self (capability (sys_ptrace)))
-(allow dumpstate_26_0 shell_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow dumpstate_26_0 shell_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow dumpstate_26_0 shell_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow dumpstate_26_0 zygote_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow dumpstate_26_0 ashmem_device_26_0 (chr_file (execute)))
-(allow dumpstate_26_0 self (process (execmem)))
-(allow dumpstate_26_0 dalvikcache_data_file_26_0 (dir (getattr search)))
-(allow dumpstate_26_0 dalvikcache_data_file_26_0 (file (ioctl read getattr lock execute open)))
-(allow dumpstate_26_0 dalvikcache_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 bluetooth_data_file_26_0 (dir (search)))
-(allow dumpstate_26_0 bluetooth_logs_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_26_0 bluetooth_logs_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 gpu_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow dumpstate_26_0 logcat_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow dumpstate_26_0 logdr_socket_26_0 (sock_file (write)))
-(allow dumpstate_26_0 logd_26_0 (unix_stream_socket (connectto)))
-(allow dumpstate_26_0 logd_socket_26_0 (sock_file (write)))
-(allow dumpstate_26_0 logd_26_0 (unix_stream_socket (connectto)))
-(allow dumpstate_26_0 runtime_event_log_tags_file_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 net_data_file_26_0 (dir (search)))
-(allow dumpstate_26_0 net_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 self (netlink_tcpdiag_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read)))
-(allow dumpstate_26_0 tombstone_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_26_0 tombstone_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 cache_recovery_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_26_0 cache_recovery_file_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 recovery_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_26_0 recovery_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 user_profile_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_26_0 user_profile_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 misc_logd_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_26_0 misc_logd_file_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 base_typeattr_86_26_0 (service_manager (find)))
-(allow dumpstate_26_0 servicemanager_26_0 (service_manager (list)))
-(allow dumpstate_26_0 hwservicemanager_26_0 (hwservice_manager (list)))
-(allow dumpstate_26_0 devpts_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow dumpstate_26_0 property_socket_26_0 (sock_file (write)))
-(allow dumpstate_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow dumpstate_26_0 dumpstate_prop_26_0 (property_service (set)))
-(allow dumpstate_26_0 dumpstate_prop_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 property_socket_26_0 (sock_file (write)))
-(allow dumpstate_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow dumpstate_26_0 dumpstate_options_prop_26_0 (property_service (set)))
-(allow dumpstate_26_0 dumpstate_options_prop_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 serialno_prop_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 device_logging_prop_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 media_rw_data_file_26_0 (dir (getattr)))
-(allow dumpstate_26_0 proc_interrupts_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 proc_zoneinfo_26_0 (file (ioctl read getattr lock open)))
-(allow dumpstate_26_0 dumpstate_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_87_26_0 dumpstate_service_26_0 (service_manager (add)))
-(neverallow dumpstate_26_0 unlabeled_26_0 (service_manager (add)))
-(neverallow dumpstate_26_0 base_typeattr_10_26_0 (process (ptrace)))
-(neverallow base_typeattr_88_26_0 dumpstate_service_26_0 (service_manager (find)))
-(neverallow dumpstate_26_0 sysfs_26_0 (file (write create setattr relabelfrom append unlink link rename)))
-(allow fs_type self (filesystem (associate)))
-(allow sysfs_type sysfs_26_0 (filesystem (associate)))
-(allow debugfs_type debugfs_26_0 (filesystem (associate)))
-(allow debugfs_type debugfs_tracing_26_0 (filesystem (associate)))
-(allow file_type labeledfs_26_0 (filesystem (associate)))
-(allow file_type tmpfs_26_0 (filesystem (associate)))
-(allow file_type rootfs_26_0 (filesystem (associate)))
-(allow dev_type tmpfs_26_0 (filesystem (associate)))
-(allow app_fuse_file_26_0 app_fusefs_26_0 (filesystem (associate)))
-(allow postinstall_file_26_0 self (filesystem (associate)))
-(neverallow fs_type file_type (filesystem (associate)))
-(allow fingerprintd_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 fingerprintd_26_0 (dir (search)))
-(allow servicemanager_26_0 fingerprintd_26_0 (file (read open)))
-(allow servicemanager_26_0 fingerprintd_26_0 (process (getattr)))
-(allow fingerprintd_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow fingerprintd_26_0 fingerprintd_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_89_26_0 fingerprintd_service_26_0 (service_manager (add)))
-(neverallow fingerprintd_26_0 unlabeled_26_0 (service_manager (add)))
-(allow fingerprintd_26_0 fingerprintd_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow fingerprintd_26_0 fingerprintd_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow keystore_26_0 fingerprintd_26_0 (dir (search)))
-(allow keystore_26_0 fingerprintd_26_0 (file (read open)))
-(allow keystore_26_0 fingerprintd_26_0 (process (getattr)))
-(allow fingerprintd_26_0 keystore_service_26_0 (service_manager (find)))
-(allow fingerprintd_26_0 keystore_26_0 (binder (call transfer)))
-(allow keystore_26_0 fingerprintd_26_0 (binder (transfer)))
-(allow fingerprintd_26_0 keystore_26_0 (fd (use)))
-(allow fingerprintd_26_0 keystore_26_0 (keystore_key (add_auth)))
-(allow fingerprintd_26_0 system_server_26_0 (binder (call transfer)))
-(allow system_server_26_0 fingerprintd_26_0 (binder (transfer)))
-(allow fingerprintd_26_0 system_server_26_0 (fd (use)))
-(allow fingerprintd_26_0 permission_service_26_0 (service_manager (find)))
-(allow fingerprintd_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow fingerprintd_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow fingerprintd_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow fingerprintd_26_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow fingerprintd_26_0 sysfs_type (file (ioctl read getattr lock open)))
-(allow fingerprintd_26_0 sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow fingerprintd_26_0 ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow fsck_26_0 tmpfs_26_0 (chr_file (ioctl read write)))
-(allow fsck_26_0 devpts_26_0 (chr_file (ioctl read write getattr)))
-(allow fsck_26_0 vold_26_0 (fd (use)))
-(allow fsck_26_0 vold_26_0 (fifo_file (read write getattr)))
-(allow fsck_26_0 block_device_26_0 (dir (search)))
-(allow fsck_26_0 userdata_block_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow fsck_26_0 cache_block_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow fsck_26_0 dm_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow fsck_26_0 dev_type (blk_file (getattr)))
-(allow fsck_26_0 proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow fsck_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow fsck_26_0 proc_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow fsck_26_0 rootfs_26_0 (dir (ioctl read getattr lock search open)))
-(neverallow fsck_26_0 vold_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_26_0 root_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_26_0 frp_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_26_0 system_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_26_0 recovery_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_26_0 boot_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_26_0 swap_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_26_0 metadata_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_90_26_0 fsck_26_0 (process (transition)))
-(neverallow base_typeattr_10_26_0 fsck_26_0 (process (dyntransition)))
-(neverallow fsck_26_0 base_typeattr_91_26_0 (file (entrypoint)))
-(allow fsck_untrusted_26_0 devpts_26_0 (chr_file (ioctl read write getattr)))
-(allow fsck_untrusted_26_0 vold_26_0 (fd (use)))
-(allow fsck_untrusted_26_0 vold_26_0 (fifo_file (read write getattr)))
-(allow fsck_untrusted_26_0 block_device_26_0 (dir (search)))
-(allow fsck_untrusted_26_0 vold_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow fsck_untrusted_26_0 proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow fsck_untrusted_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow fsck_untrusted_26_0 proc_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow fsck_untrusted_26_0 dev_type (blk_file (getattr)))
-(neverallow fsck_untrusted_26_0 dm_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_26_0 root_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_26_0 frp_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_26_0 system_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_26_0 recovery_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_26_0 boot_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_26_0 userdata_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_26_0 cache_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_26_0 swap_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_26_0 metadata_block_device_26_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_92_26_0 fsck_untrusted_26_0 (process (transition)))
-(neverallow base_typeattr_10_26_0 fsck_untrusted_26_0 (process (dyntransition)))
-(neverallow fsck_untrusted_26_0 base_typeattr_91_26_0 (file (entrypoint)))
-(allow gatekeeperd_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 gatekeeperd_26_0 (dir (search)))
-(allow servicemanager_26_0 gatekeeperd_26_0 (file (read open)))
-(allow servicemanager_26_0 gatekeeperd_26_0 (process (getattr)))
-(allow gatekeeperd_26_0 tee_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow gatekeeperd_26_0 ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow gatekeeperd_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow gatekeeperd_26_0 gatekeeper_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_93_26_0 gatekeeper_service_26_0 (service_manager (add)))
-(neverallow gatekeeperd_26_0 unlabeled_26_0 (service_manager (add)))
-(allow keystore_26_0 gatekeeperd_26_0 (dir (search)))
-(allow keystore_26_0 gatekeeperd_26_0 (file (read open)))
-(allow keystore_26_0 gatekeeperd_26_0 (process (getattr)))
-(allow gatekeeperd_26_0 keystore_service_26_0 (service_manager (find)))
-(allow gatekeeperd_26_0 keystore_26_0 (binder (call transfer)))
-(allow keystore_26_0 gatekeeperd_26_0 (binder (transfer)))
-(allow gatekeeperd_26_0 keystore_26_0 (fd (use)))
-(allow gatekeeperd_26_0 keystore_26_0 (keystore_key (add_auth)))
-(allow gatekeeperd_26_0 system_server_26_0 (binder (call)))
-(allow gatekeeperd_26_0 permission_service_26_0 (service_manager (find)))
-(allow gatekeeperd_26_0 user_service_26_0 (service_manager (find)))
-(allow gatekeeperd_26_0 gatekeeper_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow gatekeeperd_26_0 gatekeeper_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow gatekeeperd_26_0 hardware_properties_service_26_0 (service_manager (find)))
-(allow gatekeeperd_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow gatekeeperd_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow gatekeeperd_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_allocator_client hal_allocator_server (binder (call transfer)))
-(allow hal_allocator_server hal_allocator_client (binder (transfer)))
-(allow hal_allocator_client hal_allocator_server (fd (use)))
-(allow hal_allocator_server hidl_allocator_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_allocator_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_94_26_0 hidl_allocator_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_allocator_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_allocator_client hidl_allocator_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_allocator_client hidl_memory_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_audio_client hal_audio_server (binder (call transfer)))
-(allow hal_audio_server hal_audio_client (binder (transfer)))
-(allow hal_audio_client hal_audio_server (fd (use)))
-(allow hal_audio_server hal_audio_client (binder (call transfer)))
-(allow hal_audio_client hal_audio_server (binder (transfer)))
-(allow hal_audio_server hal_audio_client (fd (use)))
-(allow hal_audio_server hal_audio_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_audio_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_95_26_0 hal_audio_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_audio_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_audio_client hal_audio_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_audio ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow hal_audio audiohal_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_audio audiohal_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow hal_audio proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_audio proc_26_0 (file (ioctl read getattr lock open)))
-(allow hal_audio proc_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_audio audio_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_audio audio_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_audio shell_26_0 (fd (use)))
-(allow hal_audio shell_26_0 (fifo_file (write)))
-(allow hal_audio dumpstate_26_0 (fd (use)))
-(allow hal_audio dumpstate_26_0 (fifo_file (write)))
-(neverallow hal_audio fs_type (file (execute_no_trans)))
-(neverallow hal_audio file_type (file (execute_no_trans)))
-(neverallow hal_audio domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow hal_audio domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow hal_audio domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow base_typeattr_96_26_0 audio_device_26_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow hal_bluetooth_client hal_bluetooth_server (binder (call transfer)))
-(allow hal_bluetooth_server hal_bluetooth_client (binder (transfer)))
-(allow hal_bluetooth_client hal_bluetooth_server (fd (use)))
-(allow hal_bluetooth_server hal_bluetooth_client (binder (call transfer)))
-(allow hal_bluetooth_client hal_bluetooth_server (binder (transfer)))
-(allow hal_bluetooth_server hal_bluetooth_client (fd (use)))
-(allow hal_bluetooth_server hal_bluetooth_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_bluetooth_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_97_26_0 hal_bluetooth_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_bluetooth_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_bluetooth_client hal_bluetooth_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_bluetooth sysfs_wake_lock_26_0 (file (ioctl read write getattr lock append open)))
-(allow hal_bluetooth self (capability2 (block_suspend)))
-(allow hal_bluetooth self (capability (net_admin)))
-(allow hal_bluetooth bluetooth_efs_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_bluetooth bluetooth_efs_file_26_0 (file (ioctl read getattr lock open)))
-(allow hal_bluetooth bluetooth_efs_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_bluetooth uhid_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_bluetooth hci_attach_dev_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_bluetooth sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_bluetooth sysfs_type (file (ioctl read getattr lock open)))
-(allow hal_bluetooth sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow hal_bluetooth sysfs_bluetooth_writable_26_0 (file (ioctl read write getattr lock append open)))
-(allow hal_bluetooth self (capability2 (wake_alarm)))
-(allow hal_bluetooth property_socket_26_0 (sock_file (write)))
-(allow hal_bluetooth init_26_0 (unix_stream_socket (connectto)))
-(allow hal_bluetooth bluetooth_prop_26_0 (property_service (set)))
-(allow hal_bluetooth bluetooth_prop_26_0 (file (ioctl read getattr lock open)))
-(allow hal_bluetooth proc_bluetooth_writable_26_0 (file (ioctl read write getattr lock append open)))
-(allow hal_bluetooth self (capability (sys_nice)))
-(allow hal_bootctl_client hal_bootctl_server (binder (call transfer)))
-(allow hal_bootctl_server hal_bootctl_client (binder (transfer)))
-(allow hal_bootctl_client hal_bootctl_server (fd (use)))
-(allow hal_bootctl_server hal_bootctl_client (binder (call transfer)))
-(allow hal_bootctl_client hal_bootctl_server (binder (transfer)))
-(allow hal_bootctl_server hal_bootctl_client (fd (use)))
-(allow hal_bootctl_server hal_bootctl_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_bootctl_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_98_26_0 hal_bootctl_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_bootctl_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_bootctl_client hal_bootctl_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_camera_client hal_camera_server (binder (call transfer)))
-(allow hal_camera_server hal_camera_client (binder (transfer)))
-(allow hal_camera_client hal_camera_server (fd (use)))
-(allow hal_camera_server hal_camera_client (binder (call transfer)))
-(allow hal_camera_client hal_camera_server (binder (transfer)))
-(allow hal_camera_server hal_camera_client (fd (use)))
-(allow hal_camera_server hal_camera_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_camera_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_99_26_0 hal_camera_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_camera_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_camera_client hal_camera_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_camera camera_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_camera camera_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow hal_camera video_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_camera video_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_camera camera_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_camera ion_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_camera_client hal_graphics_allocator (fd (use)))
-(allow hal_camera_server hal_graphics_allocator (fd (use)))
-(allow hal_camera base_typeattr_100_26_0 (fd (use)))
-(allow hal_camera surfaceflinger_26_0 (fd (use)))
-(allow hal_camera hal_allocator_server (fd (use)))
-(neverallow hal_camera fs_type (file (execute_no_trans)))
-(neverallow hal_camera file_type (file (execute_no_trans)))
-(neverallow hal_camera domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow hal_camera domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow hal_camera domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow base_typeattr_101_26_0 camera_device_26_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow hal_configstore_client hal_configstore_server (binder (call transfer)))
-(allow hal_configstore_server hal_configstore_client (binder (transfer)))
-(allow hal_configstore_client hal_configstore_server (fd (use)))
-(allow hal_configstore_server hal_configstore_ISurfaceFlingerConfigs_26_0 (hwservice_manager (add find)))
-(allow hal_configstore_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_102_26_0 hal_configstore_ISurfaceFlingerConfigs_26_0 (hwservice_manager (add)))
-(neverallow hal_configstore_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_contexthub_client hal_contexthub_server (binder (call transfer)))
-(allow hal_contexthub_server hal_contexthub_client (binder (transfer)))
-(allow hal_contexthub_client hal_contexthub_server (fd (use)))
-(allow hal_contexthub_server hal_contexthub_client (binder (call transfer)))
-(allow hal_contexthub_client hal_contexthub_server (binder (transfer)))
-(allow hal_contexthub_server hal_contexthub_client (fd (use)))
-(allow hal_contexthub_server hal_contexthub_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_contexthub_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_103_26_0 hal_contexthub_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_contexthub_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_contexthub_client hal_contexthub_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_drm_client hal_drm_server (binder (call transfer)))
-(allow hal_drm_server hal_drm_client (binder (transfer)))
-(allow hal_drm_client hal_drm_server (fd (use)))
-(allow hal_drm_server hal_drm_client (binder (call transfer)))
-(allow hal_drm_client hal_drm_server (binder (transfer)))
-(allow hal_drm_server hal_drm_client (fd (use)))
-(allow hal_drm_server hal_drm_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_drm_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_104_26_0 hal_drm_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_drm_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_drm_client hal_drm_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_drm hidl_memory_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_drm self (process (execmem)))
-(allow hal_drm serialno_prop_26_0 (file (ioctl read getattr lock open)))
-(allow hal_drm system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_drm system_file_26_0 (file (ioctl read getattr lock open)))
-(allow hal_drm system_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_drm system_data_file_26_0 (dir (getattr search)))
-(allow hal_drm system_data_file_26_0 (file (read getattr)))
-(allow hal_drm system_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_drm cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_drm cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow hal_drm cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_drm cgroup_26_0 (dir (write search)))
-(allow hal_drm cgroup_26_0 (file (write lock append open)))
-(allow hal_drm ion_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_drm hal_graphics_allocator (fd (use)))
-(allow hal_drm mediaserver_26_0 (fd (use)))
-(allow hal_drm media_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_drm media_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow hal_drm media_data_file_26_0 (file (read getattr)))
-(allow hal_drm sysfs_26_0 (file (ioctl read getattr lock open)))
-(allow hal_drm tee_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allowx hal_drm self (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_drm self (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_drm self (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_drm self (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx hal_drm self (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx hal_drm self (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx hal_drm self (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx hal_drm self (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx hal_drm self (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(neverallow hal_drm fs_type (file (execute_no_trans)))
-(neverallow hal_drm file_type (file (execute_no_trans)))
-(neverallowx hal_drm domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx hal_drm domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx hal_drm domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx hal_drm domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_drm domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_drm domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_drm domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx hal_drm domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx hal_drm domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_dumpstate_client hal_dumpstate_server (binder (call transfer)))
-(allow hal_dumpstate_server hal_dumpstate_client (binder (transfer)))
-(allow hal_dumpstate_client hal_dumpstate_server (fd (use)))
-(allow hal_dumpstate_server hal_dumpstate_client (binder (call transfer)))
-(allow hal_dumpstate_client hal_dumpstate_server (binder (transfer)))
-(allow hal_dumpstate_server hal_dumpstate_client (fd (use)))
-(allow hal_dumpstate_server hal_dumpstate_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_dumpstate_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_105_26_0 hal_dumpstate_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_dumpstate_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_dumpstate_client hal_dumpstate_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_dumpstate shell_data_file_26_0 (file (write)))
-(allow hal_dumpstate proc_interrupts_26_0 (file (ioctl read getattr lock open)))
-(allow hal_fingerprint_client hal_fingerprint_server (binder (call transfer)))
-(allow hal_fingerprint_server hal_fingerprint_client (binder (transfer)))
-(allow hal_fingerprint_client hal_fingerprint_server (fd (use)))
-(allow hal_fingerprint_server hal_fingerprint_client (binder (call transfer)))
-(allow hal_fingerprint_client hal_fingerprint_server (binder (transfer)))
-(allow hal_fingerprint_server hal_fingerprint_client (fd (use)))
-(allow hal_fingerprint_server hal_fingerprint_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_fingerprint_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_106_26_0 hal_fingerprint_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_fingerprint_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_fingerprint_client hal_fingerprint_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_fingerprint fingerprintd_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow hal_fingerprint fingerprintd_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow hal_fingerprint ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow hal_fingerprint cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_fingerprint cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow hal_fingerprint cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_fingerprint sysfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_fingerprint sysfs_26_0 (file (ioctl read getattr lock open)))
-(allow hal_fingerprint sysfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_gatekeeper_client hal_gatekeeper_server (binder (call transfer)))
-(allow hal_gatekeeper_server hal_gatekeeper_client (binder (transfer)))
-(allow hal_gatekeeper_client hal_gatekeeper_server (fd (use)))
-(allow hal_gatekeeper_server hal_gatekeeper_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_gatekeeper_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_107_26_0 hal_gatekeeper_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_gatekeeper_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_gatekeeper_client hal_gatekeeper_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_gatekeeper tee_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_gatekeeper ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow hal_gnss_client hal_gnss_server (binder (call transfer)))
-(allow hal_gnss_server hal_gnss_client (binder (transfer)))
-(allow hal_gnss_client hal_gnss_server (fd (use)))
-(allow hal_gnss_server hal_gnss_client (binder (call transfer)))
-(allow hal_gnss_client hal_gnss_server (binder (transfer)))
-(allow hal_gnss_server hal_gnss_client (fd (use)))
-(allow hal_gnss_server hal_gnss_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_gnss_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_108_26_0 hal_gnss_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_gnss_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_gnss_client hal_gnss_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_graphics_allocator_client hal_graphics_allocator_server (binder (call transfer)))
-(allow hal_graphics_allocator_server hal_graphics_allocator_client (binder (transfer)))
-(allow hal_graphics_allocator_client hal_graphics_allocator_server (fd (use)))
-(allow hal_graphics_allocator_server hal_graphics_allocator_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_graphics_allocator_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_109_26_0 hal_graphics_allocator_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_graphics_allocator_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_graphics_allocator_client hal_graphics_allocator_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_graphics_allocator_client hal_graphics_mapper_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_graphics_allocator gpu_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_graphics_allocator ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow hal_graphics_allocator self (capability (sys_nice)))
-(allow hal_graphics_composer_client hal_graphics_composer_server (binder (call transfer)))
-(allow hal_graphics_composer_server hal_graphics_composer_client (binder (transfer)))
-(allow hal_graphics_composer_client hal_graphics_composer_server (fd (use)))
-(allow hal_graphics_composer_server hal_graphics_composer_client (binder (call transfer)))
-(allow hal_graphics_composer_client hal_graphics_composer_server (binder (transfer)))
-(allow hal_graphics_composer_server hal_graphics_composer_client (fd (use)))
-(allow hal_graphics_composer_server hal_graphics_composer_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_graphics_composer_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_110_26_0 hal_graphics_composer_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_graphics_composer_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_graphics_composer_client hal_graphics_composer_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_graphics_composer_server hal_graphics_mapper_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_graphics_composer gpu_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_graphics_composer ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow hal_graphics_composer hal_graphics_allocator (fd (use)))
-(allow hal_graphics_composer graphics_device_26_0 (dir (search)))
-(allow hal_graphics_composer graphics_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_graphics_composer system_server_26_0 (fd (use)))
-(allow hal_graphics_composer bootanim_26_0 (fd (use)))
-(allow hal_graphics_composer appdomain (fd (use)))
-(allow hal_graphics_composer self (capability (sys_nice)))
-(allow hal_health_client hal_health_server (binder (call transfer)))
-(allow hal_health_server hal_health_client (binder (transfer)))
-(allow hal_health_client hal_health_server (fd (use)))
-(allow hal_health_server hal_health_client (binder (call transfer)))
-(allow hal_health_client hal_health_server (binder (transfer)))
-(allow hal_health_server hal_health_client (fd (use)))
-(allow hal_health_server hal_health_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_health_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_111_26_0 hal_health_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_health_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_health_client hal_health_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_health system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_health system_file_26_0 (file (ioctl read getattr lock open)))
-(allow hal_health system_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_ir_client hal_ir_server (binder (call transfer)))
-(allow hal_ir_server hal_ir_client (binder (transfer)))
-(allow hal_ir_client hal_ir_server (fd (use)))
-(allow hal_ir_server hal_ir_client (binder (call transfer)))
-(allow hal_ir_client hal_ir_server (binder (transfer)))
-(allow hal_ir_server hal_ir_client (fd (use)))
-(allow hal_ir_server hal_ir_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_ir_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_112_26_0 hal_ir_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_ir_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_ir_client hal_ir_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_keymaster_client hal_keymaster_server (binder (call transfer)))
-(allow hal_keymaster_server hal_keymaster_client (binder (transfer)))
-(allow hal_keymaster_client hal_keymaster_server (fd (use)))
-(allow hal_keymaster_server hal_keymaster_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_keymaster_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_113_26_0 hal_keymaster_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_keymaster_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_keymaster_client hal_keymaster_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_keymaster tee_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_keymaster ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow hal_light_client hal_light_server (binder (call transfer)))
-(allow hal_light_server hal_light_client (binder (transfer)))
-(allow hal_light_client hal_light_server (fd (use)))
-(allow hal_light_server hal_light_client (binder (call transfer)))
-(allow hal_light_client hal_light_server (binder (transfer)))
-(allow hal_light_server hal_light_client (fd (use)))
-(allow hal_light_server hal_light_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_light_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_114_26_0 hal_light_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_light_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_light_client hal_light_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_light sysfs_leds_26_0 (lnk_file (read)))
-(allow hal_light sysfs_leds_26_0 (file (ioctl read write getattr lock append open)))
-(allow hal_light sysfs_leds_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_memtrack_client hal_memtrack_server (binder (call transfer)))
-(allow hal_memtrack_server hal_memtrack_client (binder (transfer)))
-(allow hal_memtrack_client hal_memtrack_server (fd (use)))
-(allow hal_memtrack_server hal_memtrack_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_memtrack_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_115_26_0 hal_memtrack_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_memtrack_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_memtrack_client hal_memtrack_hwservice_26_0 (hwservice_manager (find)))
-(neverallow base_typeattr_116_26_0 self (capability (net_admin net_raw)))
-(neverallow base_typeattr_117_26_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow base_typeattr_117_26_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow base_typeattr_117_26_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow hal_tetheroffload_server unlabeled_26_0 (service_manager (list)))
-(neverallow base_typeattr_118_26_0 fs_type (file (execute_no_trans)))
-(neverallow base_typeattr_118_26_0 file_type (file (execute_no_trans)))
-(neverallow base_typeattr_5_26_0 halserverdomain (process (transition)))
-(neverallow base_typeattr_10_26_0 halserverdomain (process (dyntransition)))
-(allow hal_nfc_client hal_nfc_server (binder (call transfer)))
-(allow hal_nfc_server hal_nfc_client (binder (transfer)))
-(allow hal_nfc_client hal_nfc_server (fd (use)))
-(allow hal_nfc_server hal_nfc_client (binder (call transfer)))
-(allow hal_nfc_client hal_nfc_server (binder (transfer)))
-(allow hal_nfc_server hal_nfc_client (fd (use)))
-(allow hal_nfc_server hal_nfc_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_nfc_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_119_26_0 hal_nfc_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_nfc_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_nfc_client hal_nfc_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_nfc property_socket_26_0 (sock_file (write)))
-(allow hal_nfc init_26_0 (unix_stream_socket (connectto)))
-(allow hal_nfc nfc_prop_26_0 (property_service (set)))
-(allow hal_nfc nfc_prop_26_0 (file (ioctl read getattr lock open)))
-(allow hal_nfc nfc_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow hal_nfc nfc_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_nfc nfc_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow hal_nfc nfc_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow hal_nfc nfc_data_file_26_0 (fifo_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow hal_oemlock_client hal_oemlock_server (binder (call transfer)))
-(allow hal_oemlock_server hal_oemlock_client (binder (transfer)))
-(allow hal_oemlock_client hal_oemlock_server (fd (use)))
-(allow hal_oemlock_server hal_oemlock_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_oemlock_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_120_26_0 hal_oemlock_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_oemlock_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_oemlock_client hal_oemlock_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_power_client hal_power_server (binder (call transfer)))
-(allow hal_power_server hal_power_client (binder (transfer)))
-(allow hal_power_client hal_power_server (fd (use)))
-(allow hal_power_server hal_power_client (binder (call transfer)))
-(allow hal_power_client hal_power_server (binder (transfer)))
-(allow hal_power_server hal_power_client (fd (use)))
-(allow hal_power_server hal_power_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_power_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_121_26_0 hal_power_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_power_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_power_client hal_power_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_sensors_client hal_sensors_server (binder (call transfer)))
-(allow hal_sensors_server hal_sensors_client (binder (transfer)))
-(allow hal_sensors_client hal_sensors_server (fd (use)))
-(allow hal_sensors_server hal_sensors_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_sensors_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_122_26_0 hal_sensors_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_sensors_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_sensors_client hal_sensors_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_sensors base_typeattr_100_26_0 (fd (use)))
-(allow hal_sensors hal_allocator (fd (use)))
-(allow hal_sensors self (capability (sys_nice)))
-(allow hal_telephony_client hal_telephony_server (binder (call transfer)))
-(allow hal_telephony_server hal_telephony_client (binder (transfer)))
-(allow hal_telephony_client hal_telephony_server (fd (use)))
-(allow hal_telephony_server hal_telephony_client (binder (call transfer)))
-(allow hal_telephony_client hal_telephony_server (binder (transfer)))
-(allow hal_telephony_server hal_telephony_client (fd (use)))
-(allow hal_telephony_server hal_telephony_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_telephony_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_123_26_0 hal_telephony_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_telephony_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_telephony_client hal_telephony_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_tetheroffload_client hal_tetheroffload_server (binder (call transfer)))
-(allow hal_tetheroffload_server hal_tetheroffload_client (binder (transfer)))
-(allow hal_tetheroffload_client hal_tetheroffload_server (fd (use)))
-(allow hal_tetheroffload_server hal_tetheroffload_client (binder (call transfer)))
-(allow hal_tetheroffload_client hal_tetheroffload_server (binder (transfer)))
-(allow hal_tetheroffload_server hal_tetheroffload_client (fd (use)))
-(allow hal_thermal_client hal_thermal_server (binder (call transfer)))
-(allow hal_thermal_server hal_thermal_client (binder (transfer)))
-(allow hal_thermal_client hal_thermal_server (fd (use)))
-(allow hal_thermal_server hal_thermal_client (binder (call transfer)))
-(allow hal_thermal_client hal_thermal_server (binder (transfer)))
-(allow hal_thermal_server hal_thermal_client (fd (use)))
-(allow hal_thermal_server hal_thermal_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_thermal_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_124_26_0 hal_thermal_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_thermal_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_thermal_client hal_thermal_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_tv_cec_client hal_tv_cec_server (binder (call transfer)))
-(allow hal_tv_cec_server hal_tv_cec_client (binder (transfer)))
-(allow hal_tv_cec_client hal_tv_cec_server (fd (use)))
-(allow hal_tv_cec_server hal_tv_cec_client (binder (call transfer)))
-(allow hal_tv_cec_client hal_tv_cec_server (binder (transfer)))
-(allow hal_tv_cec_server hal_tv_cec_client (fd (use)))
-(allow hal_tv_cec_server hal_tv_cec_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_tv_cec_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_125_26_0 hal_tv_cec_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_tv_cec_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_tv_cec_client hal_tv_cec_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_tv_input_client hal_tv_input_server (binder (call transfer)))
-(allow hal_tv_input_server hal_tv_input_client (binder (transfer)))
-(allow hal_tv_input_client hal_tv_input_server (fd (use)))
-(allow hal_tv_input_server hal_tv_input_client (binder (call transfer)))
-(allow hal_tv_input_client hal_tv_input_server (binder (transfer)))
-(allow hal_tv_input_server hal_tv_input_client (fd (use)))
-(allow hal_tv_input_server hal_tv_input_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_tv_input_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_126_26_0 hal_tv_input_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_tv_input_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_tv_input_client hal_tv_input_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_usb_client hal_usb_server (binder (call transfer)))
-(allow hal_usb_server hal_usb_client (binder (transfer)))
-(allow hal_usb_client hal_usb_server (fd (use)))
-(allow hal_usb_server hal_usb_client (binder (call transfer)))
-(allow hal_usb_client hal_usb_server (binder (transfer)))
-(allow hal_usb_server hal_usb_client (fd (use)))
-(allow hal_usb_server hal_usb_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_usb_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_127_26_0 hal_usb_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_usb_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_usb_client hal_usb_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_usb self (netlink_kobject_uevent_socket (create)))
-(allow hal_usb self (netlink_kobject_uevent_socket (setopt)))
-(allow hal_usb self (netlink_kobject_uevent_socket (bind)))
-(allow hal_usb self (netlink_kobject_uevent_socket (read)))
-(allow hal_usb sysfs_26_0 (dir (open)))
-(allow hal_usb sysfs_26_0 (dir (read)))
-(allow hal_usb sysfs_26_0 (file (read)))
-(allow hal_usb sysfs_26_0 (file (open)))
-(allow hal_usb sysfs_26_0 (file (write)))
-(allow hal_usb sysfs_26_0 (file (getattr)))
-(allow hal_vibrator_client hal_vibrator_server (binder (call transfer)))
-(allow hal_vibrator_server hal_vibrator_client (binder (transfer)))
-(allow hal_vibrator_client hal_vibrator_server (fd (use)))
-(allow hal_vibrator_server hal_vibrator_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_vibrator_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_128_26_0 hal_vibrator_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_vibrator_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_vibrator_client hal_vibrator_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_vibrator sysfs_vibrator_26_0 (file (ioctl read write getattr lock append open)))
-(allow hal_vr_client hal_vr_server (binder (call transfer)))
-(allow hal_vr_server hal_vr_client (binder (transfer)))
-(allow hal_vr_client hal_vr_server (fd (use)))
-(allow hal_vr_server hal_vr_client (binder (call transfer)))
-(allow hal_vr_client hal_vr_server (binder (transfer)))
-(allow hal_vr_server hal_vr_client (fd (use)))
-(allow hal_vr_server hal_vr_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_vr_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_129_26_0 hal_vr_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_vr_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_vr_client hal_vr_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_weaver_client hal_weaver_server (binder (call transfer)))
-(allow hal_weaver_server hal_weaver_client (binder (transfer)))
-(allow hal_weaver_client hal_weaver_server (fd (use)))
-(allow hal_weaver_server hal_weaver_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_weaver_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_130_26_0 hal_weaver_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_weaver_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_weaver_client hal_weaver_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_wifi_client hal_wifi_server (binder (call transfer)))
-(allow hal_wifi_server hal_wifi_client (binder (transfer)))
-(allow hal_wifi_client hal_wifi_server (fd (use)))
-(allow hal_wifi_server hal_wifi_client (binder (call transfer)))
-(allow hal_wifi_client hal_wifi_server (binder (transfer)))
-(allow hal_wifi_server hal_wifi_client (fd (use)))
-(allow hal_wifi_server hal_wifi_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_wifi_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_131_26_0 hal_wifi_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_wifi_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_wifi_client hal_wifi_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_wifi proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_wifi proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow hal_wifi proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_wifi sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_wifi sysfs_type (file (ioctl read getattr lock open)))
-(allow hal_wifi sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow hal_wifi property_socket_26_0 (sock_file (write)))
-(allow hal_wifi init_26_0 (unix_stream_socket (connectto)))
-(allow hal_wifi wifi_prop_26_0 (property_service (set)))
-(allow hal_wifi wifi_prop_26_0 (file (ioctl read getattr lock open)))
-(allow hal_wifi self (udp_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx hal_wifi self (ioctl udp_socket (0x8914)))
-(allow hal_wifi self (capability (net_admin net_raw)))
-(allow hal_wifi self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi sysfs_wlan_fwpath_26_0 (file (write lock append open)))
-(allow hal_wifi_offload_client hal_wifi_offload_server (binder (call transfer)))
-(allow hal_wifi_offload_server hal_wifi_offload_client (binder (transfer)))
-(allow hal_wifi_offload_client hal_wifi_offload_server (fd (use)))
-(allow hal_wifi_offload_server hal_wifi_offload_client (binder (call transfer)))
-(allow hal_wifi_offload_client hal_wifi_offload_server (binder (transfer)))
-(allow hal_wifi_offload_server hal_wifi_offload_client (fd (use)))
-(allow hal_wifi_offload proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_offload proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow hal_wifi_offload proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_wifi_offload sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_offload sysfs_type (file (ioctl read getattr lock open)))
-(allow hal_wifi_offload sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (binder (call transfer)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (binder (transfer)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (fd (use)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (binder (call transfer)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (binder (transfer)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (fd (use)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_hwservice_26_0 (hwservice_manager (add find)))
-(allow hal_wifi_supplicant_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_132_26_0 hal_wifi_supplicant_hwservice_26_0 (hwservice_manager (add)))
-(neverallow hal_wifi_supplicant_server unlabeled_26_0 (hwservice_manager (add)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice_26_0 (hwservice_manager (find)))
-(allowx hal_wifi_supplicant self (ioctl udp_socket (0x6900 0x6902)))
-(allowx hal_wifi_supplicant self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx hal_wifi_supplicant self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_wifi_supplicant sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_supplicant sysfs_type (file (ioctl read getattr lock open)))
-(allow hal_wifi_supplicant sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow hal_wifi_supplicant proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_supplicant proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow hal_wifi_supplicant proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hal_wifi_supplicant kernel_26_0 (system (module_request)))
-(allow hal_wifi_supplicant self (capability (setgid setuid net_admin net_raw)))
-(allow hal_wifi_supplicant cgroup_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_wifi_supplicant self (netlink_route_socket (nlmsg_write)))
-(allow hal_wifi_supplicant self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi_supplicant self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi_supplicant self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (0x6900 0x6902)))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x8906 0x8907)) ((range 0x890b 0x890d)) ((range 0x8910 0x8927)) 0x8929 ((range 0x8930 0x8939)) ((range 0x8940 0x8943)) ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x8b00 0x8b02)) ((range 0x8b04 0x8b1d)) ((range 0x8b20 0x8b2d)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_wifi_supplicant wifi_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_wifi_supplicant wifi_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow hal_wifi_supplicant wpa_socket_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_wifi_supplicant wpa_socket_26_0 (sock_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow hal_wifi_supplicant wpa_socket_26_0 (sock_file (write)))
-(allow hal_wifi_supplicant su_26_0 (unix_dgram_socket (sendto)))
-(neverallow hal_wifi_supplicant_server sdcard_type (dir (ioctl read write create setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow hal_wifi_supplicant_server sdcard_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow healthd_26_0 kmsg_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow healthd_26_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow healthd_26_0 sysfs_type (file (ioctl read getattr lock open)))
-(allow healthd_26_0 sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow healthd_26_0 rootfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_26_0 rootfs_26_0 (file (ioctl read getattr lock open)))
-(allow healthd_26_0 rootfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow healthd_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow healthd_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow healthd_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_26_0 system_file_26_0 (file (ioctl read getattr lock open)))
-(allow healthd_26_0 system_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow healthd_26_0 self (capability (sys_tty_config)))
-(allow healthd_26_0 self (capability (sys_boot)))
-(allow healthd_26_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow healthd_26_0 sysfs_wake_lock_26_0 (file (ioctl read write getattr lock append open)))
-(allow healthd_26_0 self (capability2 (block_suspend)))
-(allow healthd_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 healthd_26_0 (dir (search)))
-(allow servicemanager_26_0 healthd_26_0 (file (read open)))
-(allow servicemanager_26_0 healthd_26_0 (process (getattr)))
-(allow healthd_26_0 system_server_26_0 (binder (call transfer)))
-(allow system_server_26_0 healthd_26_0 (binder (transfer)))
-(allow healthd_26_0 system_server_26_0 (fd (use)))
-(allow healthd_26_0 sysfs_26_0 (file (write)))
-(allow healthd_26_0 sysfs_usb_26_0 (file (write)))
-(allow healthd_26_0 sysfs_batteryinfo_26_0 (file (ioctl read getattr lock open)))
-(allow healthd_26_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow healthd_26_0 sysfs_type (file (ioctl read getattr lock open)))
-(allow healthd_26_0 sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow healthd_26_0 pstorefs_26_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_26_0 pstorefs_26_0 (file (ioctl read getattr lock open)))
-(allow healthd_26_0 graphics_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_26_0 graphics_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow healthd_26_0 input_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_26_0 input_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow healthd_26_0 tty_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow healthd_26_0 ashmem_device_26_0 (chr_file (execute)))
-(allow healthd_26_0 self (process (execmem)))
-(allow healthd_26_0 proc_sysrq_26_0 (file (ioctl read write getattr lock append open)))
-(allow healthd_26_0 batteryproperties_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_133_26_0 batteryproperties_service_26_0 (service_manager (add)))
-(neverallow healthd_26_0 unlabeled_26_0 (service_manager (add)))
-(allow healthd_26_0 property_socket_26_0 (sock_file (write)))
-(allow healthd_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow healthd_26_0 system_prop_26_0 (property_service (set)))
-(allow healthd_26_0 system_prop_26_0 (file (ioctl read getattr lock open)))
-(allow hwservicemanager_26_0 self (binder (set_context_mgr)))
-(allow hwservicemanager_26_0 property_socket_26_0 (sock_file (write)))
-(allow hwservicemanager_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow hwservicemanager_26_0 hwservicemanager_prop_26_0 (property_service (set)))
-(allow hwservicemanager_26_0 hwservicemanager_prop_26_0 (file (ioctl read getattr lock open)))
-(allow hwservicemanager_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow hwservicemanager_26_0 hwservice_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow hwservicemanager_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow hwservicemanager_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow hwservicemanager_26_0 selinuxfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hwservicemanager_26_0 selinuxfs_26_0 (file (write lock append open)))
-(allow hwservicemanager_26_0 kernel_26_0 (security (compute_av)))
-(allow hwservicemanager_26_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow idmap_26_0 installd_26_0 (fd (use)))
-(allow idmap_26_0 resourcecache_data_file_26_0 (file (read write getattr)))
-(allow idmap_26_0 apk_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow idmap_26_0 apk_data_file_26_0 (dir (search)))
-(allow idmap_26_0 vendor_app_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow idmap_26_0 vendor_app_file_26_0 (file (ioctl read getattr lock open)))
-(allow idmap_26_0 vendor_app_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow idmap_26_0 vendor_overlay_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow idmap_26_0 vendor_overlay_file_26_0 (file (ioctl read getattr lock open)))
-(allow idmap_26_0 vendor_overlay_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 tmpfs_26_0 (chr_file (ioctl read write create getattr setattr lock append unlink open)))
-(allow init_26_0 tmpfs_26_0 (chr_file (relabelfrom)))
-(allow init_26_0 kmsg_device_26_0 (chr_file (write relabelto)))
-(allow init_26_0 properties_device_26_0 (dir (relabelto)))
-(allow init_26_0 properties_serial_26_0 (file (write relabelto)))
-(allow init_26_0 property_type (file (ioctl read write create getattr setattr lock relabelto append unlink rename open)))
-(allow init_26_0 device_26_0 (file (relabelfrom)))
-(allow init_26_0 runtime_event_log_tags_file_26_0 (file (write setattr relabelto open)))
-(allow init_26_0 device_26_0 (dir (relabelto)))
-(allow init_26_0 socket_device_26_0 (dir (relabelto)))
-(allow init_26_0 random_device_26_0 (chr_file (relabelto)))
-(allow init_26_0 tmpfs_26_0 (chr_file (relabelfrom)))
-(allow init_26_0 tmpfs_26_0 (blk_file (relabelfrom)))
-(allow init_26_0 tmpfs_26_0 (blk_file (getattr)))
-(allow init_26_0 block_device_26_0 (dir (relabelto)))
-(allow init_26_0 block_device_26_0 (lnk_file (relabelto)))
-(allow init_26_0 block_device_26_0 (blk_file (relabelto)))
-(allow init_26_0 dm_device_26_0 (chr_file (relabelto)))
-(allow init_26_0 dm_device_26_0 (blk_file (relabelto)))
-(allow init_26_0 kernel_26_0 (fd (use)))
-(allow init_26_0 tmpfs_26_0 (lnk_file (read getattr relabelfrom)))
-(allow init_26_0 system_block_device_26_0 (lnk_file (relabelto)))
-(allow init_26_0 system_block_device_26_0 (blk_file (relabelto)))
-(allow init_26_0 self (capability (sys_resource)))
-(allow init_26_0 tmpfs_26_0 (file (unlink)))
-(allow init_26_0 devpts_26_0 (chr_file (read write open)))
-(allow init_26_0 fscklogs_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow init_26_0 tmpfs_26_0 (chr_file (write)))
-(allow init_26_0 console_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow init_26_0 tty_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow init_26_0 self (capability (sys_admin)))
-(allow init_26_0 rootfs_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_26_0 rootfs_26_0 (dir (mounton)))
-(allow init_26_0 cgroup_26_0 (dir (mounton)))
-(allow init_26_0 system_file_26_0 (dir (mounton)))
-(allow init_26_0 vendor_file_26_0 (dir (mounton)))
-(allow init_26_0 system_data_file_26_0 (dir (mounton)))
-(allow init_26_0 storage_file_26_0 (dir (mounton)))
-(allow init_26_0 postinstall_mnt_dir_26_0 (dir (mounton)))
-(allow init_26_0 cache_file_26_0 (dir (mounton)))
-(allow init_26_0 device_26_0 (dir (mounton)))
-(allow init_26_0 rootfs_26_0 (lnk_file (create unlink)))
-(allow init_26_0 sysfs_26_0 (dir (mounton)))
-(allow init_26_0 tmpfs_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_26_0 tmpfs_26_0 (dir (mounton)))
-(allow init_26_0 cgroup_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow init_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow init_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 cpuctl_device_26_0 (dir (create mounton)))
-(allow init_26_0 configfs_26_0 (dir (mounton)))
-(allow init_26_0 configfs_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_26_0 tmpfs_26_0 (dir (relabelfrom)))
-(allow init_26_0 self (capability (dac_override)))
-(allow init_26_0 self (capability (sys_time)))
-(allow init_26_0 self (capability (sys_rawio mknod)))
-(allow init_26_0 dev_type (blk_file (ioctl read getattr lock open)))
-(allow init_26_0 fs_type (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget)))
-(allow init_26_0 unlabeled_26_0 (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget)))
-(allow init_26_0 contextmount_type (filesystem (relabelto)))
-(allow init_26_0 contextmount_type (dir (ioctl read getattr lock search open)))
-(allow init_26_0 contextmount_type (file (ioctl read getattr lock open)))
-(allow init_26_0 contextmount_type (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 contextmount_type (sock_file (ioctl read getattr lock open)))
-(allow init_26_0 contextmount_type (fifo_file (ioctl read getattr lock open)))
-(allow init_26_0 rootfs_26_0 (file (relabelfrom)))
-(allow init_26_0 rootfs_26_0 (dir (relabelfrom)))
-(allow init_26_0 self (capability (chown fowner fsetid)))
-(allow init_26_0 base_typeattr_134_26_0 (dir (ioctl read create getattr setattr search open)))
-(allow init_26_0 base_typeattr_135_26_0 (dir (write relabelfrom add_name remove_name rmdir)))
-(allow init_26_0 base_typeattr_136_26_0 (file (read write create getattr setattr relabelfrom unlink open)))
-(allow init_26_0 base_typeattr_135_26_0 (sock_file (read create getattr setattr relabelfrom unlink open)))
-(allow init_26_0 base_typeattr_135_26_0 (fifo_file (read create getattr setattr relabelfrom unlink open)))
-(allow init_26_0 base_typeattr_135_26_0 (lnk_file (create getattr setattr relabelfrom unlink)))
-(allow init_26_0 cache_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 base_typeattr_137_26_0 (file (relabelto)))
-(allow init_26_0 base_typeattr_137_26_0 (dir (relabelto)))
-(allow init_26_0 base_typeattr_137_26_0 (lnk_file (relabelto)))
-(allow init_26_0 base_typeattr_137_26_0 (chr_file (relabelto)))
-(allow init_26_0 base_typeattr_137_26_0 (blk_file (relabelto)))
-(allow init_26_0 base_typeattr_137_26_0 (sock_file (relabelto)))
-(allow init_26_0 base_typeattr_137_26_0 (fifo_file (relabelto)))
-(allow init_26_0 sysfs_26_0 (file (getattr relabelfrom)))
-(allow init_26_0 sysfs_26_0 (dir (getattr relabelfrom)))
-(allow init_26_0 sysfs_26_0 (lnk_file (getattr relabelfrom)))
-(allow init_26_0 debugfs_26_0 (file (getattr relabelfrom)))
-(allow init_26_0 debugfs_26_0 (dir (getattr relabelfrom)))
-(allow init_26_0 debugfs_26_0 (lnk_file (getattr relabelfrom)))
-(allow init_26_0 debugfs_tracing_26_0 (file (getattr relabelfrom)))
-(allow init_26_0 debugfs_tracing_26_0 (dir (getattr relabelfrom)))
-(allow init_26_0 debugfs_tracing_26_0 (lnk_file (getattr relabelfrom)))
-(allow init_26_0 sysfs_type (file (getattr relabelto)))
-(allow init_26_0 sysfs_type (dir (getattr relabelto)))
-(allow init_26_0 sysfs_type (lnk_file (getattr relabelto)))
-(allow init_26_0 debugfs_type (file (getattr relabelto)))
-(allow init_26_0 debugfs_type (dir (getattr relabelto)))
-(allow init_26_0 debugfs_type (lnk_file (getattr relabelto)))
-(allow init_26_0 dev_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_26_0 dev_type (lnk_file (create)))
-(allow init_26_0 tracing_shell_writable_26_0 (file (write lock append open)))
-(allow init_26_0 debugfs_tracing_instances_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_26_0 debugfs_tracing_instances_26_0 (file (write lock append open)))
-(allow init_26_0 debugfs_wifi_tracing_26_0 (file (write lock append open)))
-(allow init_26_0 base_typeattr_138_26_0 (file (read setattr open)))
-(allow init_26_0 base_typeattr_138_26_0 (dir (read setattr search open)))
-(allow init_26_0 base_typeattr_139_26_0 (chr_file (read open)))
-(auditallow init_26_0 base_typeattr_140_26_0 (chr_file (read open)))
-(allow init_26_0 base_typeattr_141_26_0 (chr_file (setattr)))
-(allow init_26_0 unlabeled_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
-(allow init_26_0 unlabeled_26_0 (file (ioctl read write create getattr setattr lock relabelfrom append unlink rename open)))
-(allow init_26_0 unlabeled_26_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom append unlink rename open)))
-(allow init_26_0 unlabeled_26_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom append unlink rename open)))
-(allow init_26_0 unlabeled_26_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom append unlink rename open)))
-(allow init_26_0 kernel_26_0 (system (syslog_mod)))
-(allow init_26_0 self (capability2 (syslog)))
-(allow init_26_0 usermodehelper_26_0 (file (ioctl read write getattr lock append open)))
-(allow init_26_0 proc_security_26_0 (file (ioctl read write getattr lock append open)))
-(allow init_26_0 proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow init_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow init_26_0 proc_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 proc_26_0 (file (write lock append open)))
-(allow init_26_0 proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow init_26_0 proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow init_26_0 proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 proc_net_26_0 (file (write lock append open)))
-(allow init_26_0 self (capability (net_admin)))
-(allow init_26_0 proc_sysrq_26_0 (file (write lock append open)))
-(allow init_26_0 proc_stat_26_0 (file (ioctl read getattr lock open)))
-(allow init_26_0 self (capability (sys_boot)))
-(allow init_26_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow init_26_0 sysfs_type (lnk_file (read)))
-(allow init_26_0 sysfs_type (file (ioctl read write getattr lock append open)))
-(allow init_26_0 misc_logd_file_26_0 (dir (read write create getattr setattr add_name search open)))
-(allow init_26_0 misc_logd_file_26_0 (file (write create getattr setattr open)))
-(allow init_26_0 self (capability (kill)))
-(allow init_26_0 domain (process (sigkill signal)))
-(allow init_26_0 keystore_data_file_26_0 (dir (read create getattr setattr search open)))
-(allow init_26_0 keystore_data_file_26_0 (file (getattr)))
-(allow init_26_0 vold_data_file_26_0 (dir (read create getattr setattr search open)))
-(allow init_26_0 vold_data_file_26_0 (file (getattr)))
-(allow init_26_0 shell_data_file_26_0 (dir (read create getattr setattr search open)))
-(allow init_26_0 shell_data_file_26_0 (file (getattr)))
-(allow init_26_0 self (capability (setgid setuid setpcap)))
-(allow init_26_0 domain (dir (ioctl read getattr lock search open)))
-(allow init_26_0 domain (file (ioctl read getattr lock open)))
-(allow init_26_0 domain (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 self (process (setexec setfscreate setsockcreate)))
-(allow init_26_0 file_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow init_26_0 sepolicy_file_26_0 (file (ioctl read getattr lock open)))
-(allow init_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow init_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow init_26_0 selinuxfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 selinuxfs_26_0 (file (write lock append open)))
-(allow init_26_0 kernel_26_0 (security (compute_av)))
-(allow init_26_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow init_26_0 kernel_26_0 (security (compute_create)))
-(allow init_26_0 domain (unix_stream_socket (create bind)))
-(allow init_26_0 domain (unix_dgram_socket (create bind)))
-(allow init_26_0 property_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_26_0 property_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow init_26_0 property_type (property_service (set)))
-(allow init_26_0 self (netlink_audit_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_relay)))
-(allow init_26_0 self (capability (audit_write)))
-(allow init_26_0 self (udp_socket (ioctl create)))
-(allowx init_26_0 self (ioctl udp_socket (0x8914)))
-(allow init_26_0 self (capability (net_raw)))
-(allow init_26_0 kernel_26_0 (process (setsched)))
-(allow init_26_0 swap_block_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow init_26_0 hw_random_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow init_26_0 device_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow init_26_0 self (capability (sys_tty_config)))
-(allow init_26_0 keychord_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow init_26_0 dm_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow init_26_0 dm_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow init_26_0 metadata_block_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow init_26_0 pstorefs_26_0 (dir (search)))
-(allow init_26_0 pstorefs_26_0 (file (ioctl read getattr lock open)))
-(allow init_26_0 kernel_26_0 (system (syslog_read)))
-(allow init_26_0 init_26_0 (key (write search setattr)))
-(allow init_26_0 unencrypted_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_26_0 proc_overcommit_memory_26_0 (file (write)))
-(allow init_26_0 vold_socket_26_0 (sock_file (write)))
-(allow init_26_0 vold_26_0 (unix_stream_socket (connectto)))
-(allow init_26_0 misc_block_device_26_0 (blk_file (write lock append open)))
-(allow init_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow init_26_0 system_file_26_0 (file (ioctl read getattr lock open)))
-(allow init_26_0 system_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 vendor_file_type (dir (ioctl read getattr lock search open)))
-(allow init_26_0 vendor_file_type (file (ioctl read getattr lock open)))
-(allow init_26_0 vendor_file_type (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 proc_meminfo_26_0 (file (ioctl read getattr lock open)))
-(allow init_26_0 system_data_file_26_0 (file (read getattr)))
-(allow init_26_0 system_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 vendor_shell_exec_26_0 (file (execute)))
-(neverallow domain init_26_0 (process (dyntransition)))
-(neverallow base_typeattr_15_26_0 init_26_0 (process (transition)))
-(neverallow init_26_0 base_typeattr_142_26_0 (file (entrypoint)))
-(neverallow init_26_0 shell_data_file_26_0 (lnk_file (read)))
-(neverallow init_26_0 app_data_file_26_0 (lnk_file (read)))
-(neverallow init_26_0 fs_type (file (execute_no_trans)))
-(neverallow init_26_0 file_type (file (execute_no_trans)))
-(neverallow init_26_0 service_manager_type (service_manager (add find)))
-(neverallow init_26_0 servicemanager_26_0 (service_manager (list)))
-(neverallow init_26_0 shell_data_file_26_0 (dir (write add_name remove_name)))
-(allow inputflinger_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 inputflinger_26_0 (dir (search)))
-(allow servicemanager_26_0 inputflinger_26_0 (file (read open)))
-(allow servicemanager_26_0 inputflinger_26_0 (process (getattr)))
-(allow inputflinger_26_0 system_server_26_0 (binder (call transfer)))
-(allow system_server_26_0 inputflinger_26_0 (binder (transfer)))
-(allow inputflinger_26_0 system_server_26_0 (fd (use)))
-(allow inputflinger_26_0 sysfs_wake_lock_26_0 (file (ioctl read write getattr lock append open)))
-(allow inputflinger_26_0 self (capability2 (block_suspend)))
-(allow inputflinger_26_0 inputflinger_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_143_26_0 inputflinger_service_26_0 (service_manager (add)))
-(neverallow inputflinger_26_0 unlabeled_26_0 (service_manager (add)))
-(allow inputflinger_26_0 input_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow inputflinger_26_0 input_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow inputflinger_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow inputflinger_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow inputflinger_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow install_recovery_26_0 self (capability (dac_override)))
-(allow install_recovery_26_0 shell_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow install_recovery_26_0 system_file_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow install_recovery_26_0 toolbox_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow install_recovery_26_0 block_device_26_0 (dir (search)))
-(allow install_recovery_26_0 boot_block_device_26_0 (blk_file (ioctl read getattr lock open)))
-(allow install_recovery_26_0 recovery_block_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow install_recovery_26_0 cache_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow install_recovery_26_0 cache_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow install_recovery_26_0 proc_drop_caches_26_0 (file (write lock append open)))
-(allow installd_26_0 self (capability (chown dac_override fowner fsetid setgid setuid sys_admin)))
-(allow installd_26_0 dalvikcache_data_file_26_0 (dir (relabelto)))
-(allow installd_26_0 dalvikcache_data_file_26_0 (file (relabelto link)))
-(allow installd_26_0 apk_data_file_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 apk_data_file_26_0 (file (ioctl read write create getattr setattr lock relabelfrom append unlink link rename open)))
-(allow installd_26_0 apk_data_file_26_0 (lnk_file (ioctl read create getattr lock unlink open)))
-(allow installd_26_0 asec_apk_file_26_0 (file (ioctl read getattr lock open)))
-(allow installd_26_0 apk_tmp_file_26_0 (file (ioctl read getattr lock unlink open)))
-(allow installd_26_0 apk_tmp_file_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 oemfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow installd_26_0 oemfs_26_0 (file (ioctl read getattr lock open)))
-(allow installd_26_0 cgroup_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 cgroup_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow installd_26_0 cgroup_26_0 (lnk_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow installd_26_0 mnt_expand_file_26_0 (dir (getattr search)))
-(allow installd_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow installd_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow installd_26_0 selinuxfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow installd_26_0 selinuxfs_26_0 (file (write lock append open)))
-(allow installd_26_0 kernel_26_0 (security (check_context)))
-(allow installd_26_0 rootfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow installd_26_0 rootfs_26_0 (file (ioctl read getattr lock open)))
-(allow installd_26_0 rootfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow installd_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow installd_26_0 system_file_26_0 (file (ioctl read getattr lock open)))
-(allow installd_26_0 system_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow installd_26_0 vendor_app_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow installd_26_0 vendor_app_file_26_0 (file (ioctl read getattr lock open)))
-(allow installd_26_0 vendor_app_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow installd_26_0 vendor_overlay_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow installd_26_0 vendor_overlay_file_26_0 (file (ioctl read getattr lock open)))
-(allow installd_26_0 vendor_overlay_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow installd_26_0 file_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow installd_26_0 seapp_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow installd_26_0 asec_image_file_26_0 (dir (search)))
-(allow installd_26_0 asec_image_file_26_0 (file (getattr)))
-(allow installd_26_0 system_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 system_data_file_26_0 (lnk_file (create setattr unlink)))
-(allow installd_26_0 media_rw_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 media_rw_data_file_26_0 (file (getattr unlink)))
-(allow installd_26_0 system_data_file_26_0 (dir (relabelfrom)))
-(allow installd_26_0 media_rw_data_file_26_0 (dir (relabelto)))
-(allow installd_26_0 tmpfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow installd_26_0 storage_file_26_0 (dir (search)))
-(allow installd_26_0 sdcardfs_26_0 (dir (read write getattr remove_name search rmdir open)))
-(allow installd_26_0 sdcardfs_26_0 (file (getattr unlink)))
-(allow installd_26_0 misc_user_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 misc_user_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow installd_26_0 keychain_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 keychain_data_file_26_0 (file (ioctl read getattr lock unlink open)))
-(allow installd_26_0 install_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow installd_26_0 dalvikcache_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 dalvikcache_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow installd_26_0 dalvikcache_data_file_26_0 (lnk_file (getattr)))
-(allow installd_26_0 resourcecache_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow installd_26_0 resourcecache_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow installd_26_0 unlabeled_26_0 (dir (ioctl read write getattr lock relabelfrom add_name remove_name search rmdir open)))
-(allow installd_26_0 unlabeled_26_0 (file (getattr setattr relabelfrom unlink rename)))
-(allow installd_26_0 unlabeled_26_0 (lnk_file (getattr setattr relabelfrom unlink rename)))
-(allow installd_26_0 unlabeled_26_0 (sock_file (getattr setattr relabelfrom unlink rename)))
-(allow installd_26_0 unlabeled_26_0 (fifo_file (getattr setattr relabelfrom unlink rename)))
-(allow installd_26_0 unlabeled_26_0 (file (ioctl read getattr lock open)))
-(allow installd_26_0 system_data_file_26_0 (file (getattr relabelfrom unlink)))
-(allow installd_26_0 system_data_file_26_0 (lnk_file (getattr relabelfrom unlink)))
-(allow installd_26_0 system_data_file_26_0 (sock_file (getattr relabelfrom unlink)))
-(allow installd_26_0 system_data_file_26_0 (fifo_file (getattr relabelfrom unlink)))
-(allow installd_26_0 shell_data_file_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 bluetooth_data_file_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 nfc_data_file_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 radio_data_file_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 app_data_file_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 system_app_data_file_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 shell_data_file_26_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 shell_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 shell_data_file_26_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 shell_data_file_26_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 bluetooth_data_file_26_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 bluetooth_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 bluetooth_data_file_26_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 bluetooth_data_file_26_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 nfc_data_file_26_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 nfc_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 nfc_data_file_26_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 nfc_data_file_26_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 radio_data_file_26_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 radio_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 radio_data_file_26_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 radio_data_file_26_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 app_data_file_26_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 app_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 app_data_file_26_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 app_data_file_26_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 system_app_data_file_26_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 system_app_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 system_app_data_file_26_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 system_app_data_file_26_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink rename open)))
-(allow installd_26_0 user_profile_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_26_0 user_profile_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow installd_26_0 user_profile_data_file_26_0 (dir (rmdir)))
-(allow installd_26_0 user_profile_data_file_26_0 (file (unlink)))
-(allow installd_26_0 profman_dump_data_file_26_0 (dir (write add_name search)))
-(allow installd_26_0 profman_dump_data_file_26_0 (file (write create setattr open)))
-(allow installd_26_0 devpts_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow installd_26_0 toolbox_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow installd_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 installd_26_0 (dir (search)))
-(allow servicemanager_26_0 installd_26_0 (file (read open)))
-(allow servicemanager_26_0 installd_26_0 (process (getattr)))
-(allow installd_26_0 installd_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_144_26_0 installd_service_26_0 (service_manager (add)))
-(neverallow installd_26_0 unlabeled_26_0 (service_manager (add)))
-(allow installd_26_0 dumpstate_26_0 (fifo_file (write getattr)))
-(allow installd_26_0 system_server_26_0 (binder (call transfer)))
-(allow system_server_26_0 installd_26_0 (binder (transfer)))
-(allow installd_26_0 system_server_26_0 (fd (use)))
-(allow installd_26_0 permission_service_26_0 (service_manager (find)))
-(allow installd_26_0 block_device_26_0 (dir (search)))
-(allow installd_26_0 labeledfs_26_0 (filesystem (quotamod quotaget)))
-(allow installd_26_0 preloads_data_file_26_0 (file (ioctl read getattr lock unlink open)))
-(allow installd_26_0 preloads_data_file_26_0 (dir (ioctl read write getattr lock remove_name search rmdir open)))
-(allow installd_26_0 preloads_media_file_26_0 (file (ioctl read getattr lock unlink open)))
-(allow installd_26_0 preloads_media_file_26_0 (dir (ioctl read write getattr lock remove_name search rmdir open)))
-(neverallow base_typeattr_145_26_0 installd_service_26_0 (service_manager (find)))
-(neverallow base_typeattr_63_26_0 installd_26_0 (binder (call)))
-(neverallow installd_26_0 base_typeattr_146_26_0 (binder (call)))
-(allow kernel_26_0 self (capability (sys_nice)))
-(allow kernel_26_0 rootfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow kernel_26_0 rootfs_26_0 (file (ioctl read getattr lock open)))
-(allow kernel_26_0 rootfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow kernel_26_0 proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow kernel_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow kernel_26_0 proc_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow kernel_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow kernel_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow kernel_26_0 file_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow kernel_26_0 rootfs_26_0 (file (relabelfrom)))
-(allow kernel_26_0 init_exec_26_0 (file (relabelto)))
-(allow kernel_26_0 init_26_0 (process (share)))
-(allow kernel_26_0 unlabeled_26_0 (dir (search)))
-(allow kernel_26_0 usbfs_26_0 (filesystem (mount)))
-(allow kernel_26_0 usbfs_26_0 (dir (search)))
-(dontaudit kernel_26_0 self (security (setenforce)))
-(allow kernel_26_0 self (capability (sys_resource)))
-(allow kernel_26_0 self (capability (sys_boot)))
-(allow kernel_26_0 proc_sysrq_26_0 (file (write lock append open)))
-(allow kernel_26_0 tmpfs_26_0 (chr_file (write)))
-(allow kernel_26_0 selinuxfs_26_0 (file (write)))
-(allow kernel_26_0 self (security (setcheckreqprot)))
-(allow kernel_26_0 priv_app_26_0 (fd (use)))
-(allow kernel_26_0 sdcard_type (file (read write)))
-(allow kernel_26_0 vold_26_0 (fd (use)))
-(allow kernel_26_0 app_data_file_26_0 (file (read)))
-(allow kernel_26_0 asec_image_file_26_0 (file (read)))
-(allow kernel_26_0 update_engine_data_file_26_0 (file (read)))
-(allow kernel_26_0 nativetest_data_file_26_0 (file (read)))
-(allow kernel_26_0 media_rw_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow kernel_26_0 media_rw_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow kernel_26_0 vold_data_file_26_0 (file (read)))
-(neverallow base_typeattr_10_26_0 kernel_26_0 (process (transition dyntransition)))
-(neverallow kernel_26_0 base_typeattr_10_26_0 (file (execute_no_trans entrypoint)))
-(neverallow kernel_26_0 self (capability (dac_override dac_read_search)))
-(allow keystore_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 keystore_26_0 (dir (search)))
-(allow servicemanager_26_0 keystore_26_0 (file (read open)))
-(allow servicemanager_26_0 keystore_26_0 (process (getattr)))
-(allow keystore_26_0 system_server_26_0 (binder (call transfer)))
-(allow system_server_26_0 keystore_26_0 (binder (transfer)))
-(allow keystore_26_0 system_server_26_0 (fd (use)))
-(allow keystore_26_0 keystore_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow keystore_26_0 keystore_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow keystore_26_0 keystore_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow keystore_26_0 keystore_data_file_26_0 (sock_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow keystore_26_0 keystore_data_file_26_0 (fifo_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow keystore_26_0 keystore_exec_26_0 (file (getattr)))
-(allow keystore_26_0 keystore_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_147_26_0 keystore_service_26_0 (service_manager (add)))
-(neverallow keystore_26_0 unlabeled_26_0 (service_manager (add)))
-(allow keystore_26_0 sec_key_att_app_id_provider_service_26_0 (service_manager (find)))
-(allow keystore_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow keystore_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow keystore_26_0 selinuxfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow keystore_26_0 selinuxfs_26_0 (file (write lock append open)))
-(allow keystore_26_0 kernel_26_0 (security (compute_av)))
-(allow keystore_26_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow keystore_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow keystore_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow keystore_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(neverallow base_typeattr_147_26_0 keystore_data_file_26_0 (dir (write lock relabelfrom append unlink link rename execute quotaon mounton add_name remove_name reparent rmdir audit_access execmod)))
-(neverallow base_typeattr_147_26_0 keystore_data_file_26_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_147_26_0 keystore_data_file_26_0 (lnk_file (ioctl read write create setattr lock relabelfrom append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_147_26_0 keystore_data_file_26_0 (sock_file (ioctl read write create setattr lock relabelfrom append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_147_26_0 keystore_data_file_26_0 (fifo_file (ioctl read write create setattr lock relabelfrom append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_148_26_0 keystore_data_file_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow base_typeattr_148_26_0 keystore_data_file_26_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_148_26_0 keystore_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_148_26_0 keystore_data_file_26_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_148_26_0 keystore_data_file_26_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_10_26_0 keystore_26_0 (process (ptrace)))
-(allow lmkd_26_0 self (capability (dac_override kill sys_resource)))
-(allow lmkd_26_0 self (capability (ipc_lock)))
-(allow lmkd_26_0 appdomain (dir (ioctl read getattr lock search open)))
-(allow lmkd_26_0 appdomain (file (ioctl read getattr lock open)))
-(allow lmkd_26_0 appdomain (lnk_file (ioctl read getattr lock open)))
-(allow lmkd_26_0 appdomain (file (write)))
-(allow lmkd_26_0 system_server_26_0 (dir (ioctl read getattr lock search open)))
-(allow lmkd_26_0 system_server_26_0 (file (ioctl read getattr lock open)))
-(allow lmkd_26_0 system_server_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow lmkd_26_0 system_server_26_0 (file (write)))
-(allow lmkd_26_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow lmkd_26_0 sysfs_type (file (ioctl read getattr lock open)))
-(allow lmkd_26_0 sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow lmkd_26_0 sysfs_lowmemorykiller_26_0 (file (write lock append open)))
-(allow lmkd_26_0 appdomain (process (sigkill)))
-(allow lmkd_26_0 cgroup_26_0 (dir (remove_name rmdir)))
-(allow lmkd_26_0 self (capability (sys_nice)))
-(allow lmkd_26_0 proc_zoneinfo_26_0 (file (ioctl read getattr lock open)))
-(neverallow base_typeattr_10_26_0 lmkd_26_0 (process (noatsecure)))
-(allow logd_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow logd_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow logd_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow logd_26_0 proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow logd_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow logd_26_0 proc_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow logd_26_0 proc_meminfo_26_0 (dir (ioctl read getattr lock search open)))
-(allow logd_26_0 proc_meminfo_26_0 (file (ioctl read getattr lock open)))
-(allow logd_26_0 proc_meminfo_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow logd_26_0 proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow logd_26_0 proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow logd_26_0 proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow logd_26_0 self (capability (setgid setuid setpcap sys_nice audit_control)))
-(allow logd_26_0 self (capability2 (syslog)))
-(allow logd_26_0 self (netlink_audit_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_write)))
-(allow logd_26_0 kernel_26_0 (system (syslog_read)))
-(allow logd_26_0 kmsg_device_26_0 (chr_file (write lock append open)))
-(allow logd_26_0 system_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow logd_26_0 system_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow logd_26_0 pstorefs_26_0 (dir (search)))
-(allow logd_26_0 pstorefs_26_0 (file (ioctl read getattr lock open)))
-(allow logd_26_0 misc_logd_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow logd_26_0 misc_logd_file_26_0 (file (ioctl read write getattr lock append open)))
-(allow logd_26_0 runtime_event_log_tags_file_26_0 (file (ioctl read write getattr lock append open)))
-(allow logd_26_0 device_logging_prop_26_0 (file (ioctl read getattr lock open)))
-(allow logd_26_0 domain (dir (ioctl read getattr lock search open)))
-(allow logd_26_0 domain (file (ioctl read getattr lock open)))
-(allow logd_26_0 domain (lnk_file (ioctl read getattr lock open)))
-(allow logd_26_0 kernel_26_0 (system (syslog_mod)))
-(allow logd_26_0 logd_socket_26_0 (sock_file (write)))
-(allow logd_26_0 logd_26_0 (unix_stream_socket (connectto)))
-(allow logd_26_0 runtime_event_log_tags_file_26_0 (file (ioctl read getattr lock open)))
-(allow runtime_event_log_tags_file_26_0 tmpfs_26_0 (filesystem (associate)))
-(dontaudit domain runtime_event_log_tags_file_26_0 (file (read open)))
-(neverallow logd_26_0 dev_type (blk_file (read write)))
-(neverallow logd_26_0 domain (process (ptrace)))
-(neverallow base_typeattr_149_26_0 logd_26_0 (process (ptrace)))
-(neverallow logd_26_0 system_file_26_0 (file (write)))
-(neverallow logd_26_0 system_file_26_0 (dir (write)))
-(neverallow logd_26_0 system_file_26_0 (lnk_file (write)))
-(neverallow logd_26_0 system_file_26_0 (chr_file (write)))
-(neverallow logd_26_0 system_file_26_0 (blk_file (write)))
-(neverallow logd_26_0 system_file_26_0 (sock_file (write)))
-(neverallow logd_26_0 system_file_26_0 (fifo_file (write)))
-(neverallow logd_26_0 system_data_file_26_0 (file (write)))
-(neverallow logd_26_0 system_data_file_26_0 (dir (write)))
-(neverallow logd_26_0 system_data_file_26_0 (lnk_file (write)))
-(neverallow logd_26_0 system_data_file_26_0 (chr_file (write)))
-(neverallow logd_26_0 system_data_file_26_0 (blk_file (write)))
-(neverallow logd_26_0 system_data_file_26_0 (sock_file (write)))
-(neverallow logd_26_0 system_data_file_26_0 (fifo_file (write)))
-(neverallow logd_26_0 app_data_file_26_0 (file (write)))
-(neverallow logd_26_0 app_data_file_26_0 (dir (write)))
-(neverallow logd_26_0 app_data_file_26_0 (lnk_file (write)))
-(neverallow logd_26_0 app_data_file_26_0 (chr_file (write)))
-(neverallow logd_26_0 app_data_file_26_0 (blk_file (write)))
-(neverallow logd_26_0 app_data_file_26_0 (sock_file (write)))
-(neverallow logd_26_0 app_data_file_26_0 (fifo_file (write)))
-(neverallow base_typeattr_5_26_0 logd_26_0 (process (transition)))
-(neverallow base_typeattr_10_26_0 logd_26_0 (process (dyntransition)))
-(neverallow base_typeattr_150_26_0 runtime_event_log_tags_file_26_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow logpersist_26_0 dev_type (blk_file (read write)))
-(neverallow logpersist_26_0 domain (process (ptrace)))
-(neverallow logpersist_26_0 system_data_file_26_0 (file (write)))
-(neverallow logpersist_26_0 system_data_file_26_0 (dir (write)))
-(neverallow logpersist_26_0 system_data_file_26_0 (lnk_file (write)))
-(neverallow logpersist_26_0 system_data_file_26_0 (chr_file (write)))
-(neverallow logpersist_26_0 system_data_file_26_0 (blk_file (write)))
-(neverallow logpersist_26_0 system_data_file_26_0 (sock_file (write)))
-(neverallow logpersist_26_0 system_data_file_26_0 (fifo_file (write)))
-(neverallow logpersist_26_0 app_data_file_26_0 (file (write)))
-(neverallow logpersist_26_0 app_data_file_26_0 (dir (write)))
-(neverallow logpersist_26_0 app_data_file_26_0 (lnk_file (write)))
-(neverallow logpersist_26_0 app_data_file_26_0 (chr_file (write)))
-(neverallow logpersist_26_0 app_data_file_26_0 (blk_file (write)))
-(neverallow logpersist_26_0 app_data_file_26_0 (sock_file (write)))
-(neverallow logpersist_26_0 app_data_file_26_0 (fifo_file (write)))
-(neverallow base_typeattr_10_26_0 logpersist_26_0 (process (dyntransition)))
-(allow mediacodec_26_0 hwservicemanager_prop_26_0 (file (ioctl read getattr lock open)))
-(allow mediacodec_26_0 vndbinder_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow mediacodec_26_0 vndservicemanager_26_0 (binder (call transfer)))
-(allow vndservicemanager_26_0 mediacodec_26_0 (dir (search)))
-(allow vndservicemanager_26_0 mediacodec_26_0 (file (read open)))
-(allow vndservicemanager_26_0 mediacodec_26_0 (process (getattr)))
-(allow mediacodec_26_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediacodec_26_0 (binder (transfer)))
-(allow mediacodec_26_0 binderservicedomain (fd (use)))
-(allow mediacodec_26_0 appdomain (binder (call transfer)))
-(allow appdomain mediacodec_26_0 (binder (transfer)))
-(allow mediacodec_26_0 appdomain (fd (use)))
-(allow mediacodec_26_0 hal_graphics_composer (fd (use)))
-(allow mediacodec_26_0 gpu_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow mediacodec_26_0 video_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow mediacodec_26_0 video_device_26_0 (dir (search)))
-(allow mediacodec_26_0 ion_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow mediacodec_26_0 hal_camera (fd (use)))
-(allow mediacodec_26_0 su_26_0 (fifo_file (append)))
-(allow mediacodec_26_0 anr_data_file_26_0 (file (append)))
-(allow mediacodec_26_0 dumpstate_26_0 (fd (use)))
-(allow mediacodec_26_0 dumpstate_26_0 (fifo_file (write append)))
-(allow mediacodec_26_0 tombstoned_26_0 (unix_stream_socket (connectto)))
-(allow mediacodec_26_0 tombstoned_26_0 (fd (use)))
-(allow mediacodec_26_0 tombstoned_crash_socket_26_0 (sock_file (write)))
-(allow mediacodec_26_0 tombstone_data_file_26_0 (file (append)))
-(allow mediacodec_26_0 hal_omx_hwservice_26_0 (hwservice_manager (add find)))
-(allow mediacodec_26_0 hidl_base_hwservice_26_0 (hwservice_manager (add)))
-(neverallow base_typeattr_151_26_0 hal_omx_hwservice_26_0 (hwservice_manager (add)))
-(neverallow mediacodec_26_0 unlabeled_26_0 (hwservice_manager (add)))
-(allow mediacodec_26_0 bufferhubd_26_0 (fd (use)))
-(neverallow mediacodec_26_0 fs_type (file (execute_no_trans)))
-(neverallow mediacodec_26_0 file_type (file (execute_no_trans)))
-(neverallow mediacodec_26_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow mediacodec_26_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow mediacodec_26_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow mediadrmserver_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 mediadrmserver_26_0 (dir (search)))
-(allow servicemanager_26_0 mediadrmserver_26_0 (file (read open)))
-(allow servicemanager_26_0 mediadrmserver_26_0 (process (getattr)))
-(allow mediadrmserver_26_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediadrmserver_26_0 (binder (transfer)))
-(allow mediadrmserver_26_0 binderservicedomain (fd (use)))
-(allow mediadrmserver_26_0 appdomain (binder (call transfer)))
-(allow appdomain mediadrmserver_26_0 (binder (transfer)))
-(allow mediadrmserver_26_0 appdomain (fd (use)))
-(allow mediadrmserver_26_0 mediadrmserver_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_152_26_0 mediadrmserver_service_26_0 (service_manager (add)))
-(neverallow mediadrmserver_26_0 unlabeled_26_0 (service_manager (add)))
-(allow mediadrmserver_26_0 mediaserver_service_26_0 (service_manager (find)))
-(allow mediadrmserver_26_0 mediametrics_service_26_0 (service_manager (find)))
-(allow mediadrmserver_26_0 processinfo_service_26_0 (service_manager (find)))
-(allow mediadrmserver_26_0 surfaceflinger_service_26_0 (service_manager (find)))
-(allow mediadrmserver_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow mediadrmserver_26_0 mediacasserver_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_152_26_0 mediacasserver_service_26_0 (service_manager (add)))
-(neverallow mediadrmserver_26_0 unlabeled_26_0 (service_manager (add)))
-(allow mediadrmserver_26_0 mediacodec_26_0 (binder (call transfer)))
-(allow mediacodec_26_0 mediadrmserver_26_0 (binder (transfer)))
-(allow mediadrmserver_26_0 mediacodec_26_0 (fd (use)))
-(neverallow mediadrmserver_26_0 fs_type (file (execute_no_trans)))
-(neverallow mediadrmserver_26_0 file_type (file (execute_no_trans)))
-(neverallowx mediadrmserver_26_0 domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx mediadrmserver_26_0 domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx mediadrmserver_26_0 domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx mediadrmserver_26_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediadrmserver_26_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediadrmserver_26_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediadrmserver_26_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediadrmserver_26_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediadrmserver_26_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow mediaextractor_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 mediaextractor_26_0 (dir (search)))
-(allow servicemanager_26_0 mediaextractor_26_0 (file (read open)))
-(allow servicemanager_26_0 mediaextractor_26_0 (process (getattr)))
-(allow mediaextractor_26_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediaextractor_26_0 (binder (transfer)))
-(allow mediaextractor_26_0 binderservicedomain (fd (use)))
-(allow mediaextractor_26_0 appdomain (binder (call transfer)))
-(allow appdomain mediaextractor_26_0 (binder (transfer)))
-(allow mediaextractor_26_0 appdomain (fd (use)))
-(allow mediaextractor_26_0 mediaextractor_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_153_26_0 mediaextractor_service_26_0 (service_manager (add)))
-(neverallow mediaextractor_26_0 unlabeled_26_0 (service_manager (add)))
-(allow mediaextractor_26_0 mediametrics_service_26_0 (service_manager (find)))
-(allow mediaextractor_26_0 mediacasserver_service_26_0 (service_manager (find)))
-(allow mediaextractor_26_0 system_server_26_0 (fd (use)))
-(allow mediaextractor_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow mediaextractor_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow mediaextractor_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow mediaextractor_26_0 proc_meminfo_26_0 (file (ioctl read getattr lock open)))
-(allow mediaextractor_26_0 su_26_0 (fifo_file (append)))
-(allow mediaextractor_26_0 anr_data_file_26_0 (file (append)))
-(allow mediaextractor_26_0 dumpstate_26_0 (fd (use)))
-(allow mediaextractor_26_0 dumpstate_26_0 (fifo_file (write append)))
-(allow mediaextractor_26_0 tombstoned_26_0 (unix_stream_socket (connectto)))
-(allow mediaextractor_26_0 tombstoned_26_0 (fd (use)))
-(allow mediaextractor_26_0 tombstoned_crash_socket_26_0 (sock_file (write)))
-(allow mediaextractor_26_0 tombstone_data_file_26_0 (file (append)))
-(allow mediaextractor_26_0 media_rw_data_file_26_0 (file (read getattr)))
-(allow mediaextractor_26_0 app_data_file_26_0 (file (read getattr)))
-(allow mediaextractor_26_0 apk_data_file_26_0 (file (read getattr)))
-(allow mediaextractor_26_0 asec_apk_file_26_0 (file (read getattr)))
-(allow mediaextractor_26_0 ringtone_file_26_0 (file (read getattr)))
-(neverallow mediaextractor_26_0 fs_type (file (execute_no_trans)))
-(neverallow mediaextractor_26_0 file_type (file (execute_no_trans)))
-(neverallow mediaextractor_26_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow mediaextractor_26_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow mediaextractor_26_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow mediametrics_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 mediametrics_26_0 (dir (search)))
-(allow servicemanager_26_0 mediametrics_26_0 (file (read open)))
-(allow servicemanager_26_0 mediametrics_26_0 (process (getattr)))
-(allow mediametrics_26_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediametrics_26_0 (binder (transfer)))
-(allow mediametrics_26_0 binderservicedomain (fd (use)))
-(allow mediametrics_26_0 mediametrics_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_154_26_0 mediametrics_service_26_0 (service_manager (add)))
-(neverallow mediametrics_26_0 unlabeled_26_0 (service_manager (add)))
-(allow mediametrics_26_0 system_server_26_0 (fd (use)))
-(allow mediametrics_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow mediametrics_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow mediametrics_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow mediametrics_26_0 proc_meminfo_26_0 (file (ioctl read getattr lock open)))
-(allow mediametrics_26_0 app_data_file_26_0 (file (write)))
-(neverallow mediametrics_26_0 fs_type (file (execute_no_trans)))
-(neverallow mediametrics_26_0 file_type (file (execute_no_trans)))
-(neverallow mediametrics_26_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow mediametrics_26_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow mediametrics_26_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow mediaserver_26_0 sdcard_type (dir (ioctl read getattr lock search open)))
-(allow mediaserver_26_0 sdcard_type (file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 sdcard_type (lnk_file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 proc_26_0 (lnk_file (getattr)))
-(allow mediaserver_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_26_0 self (process (ptrace)))
-(allow mediaserver_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 mediaserver_26_0 (dir (search)))
-(allow servicemanager_26_0 mediaserver_26_0 (file (read open)))
-(allow servicemanager_26_0 mediaserver_26_0 (process (getattr)))
-(allow mediaserver_26_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediaserver_26_0 (binder (transfer)))
-(allow mediaserver_26_0 binderservicedomain (fd (use)))
-(allow mediaserver_26_0 appdomain (binder (call transfer)))
-(allow appdomain mediaserver_26_0 (binder (transfer)))
-(allow mediaserver_26_0 appdomain (fd (use)))
-(allow mediaserver_26_0 media_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow mediaserver_26_0 media_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow mediaserver_26_0 app_data_file_26_0 (dir (search)))
-(allow mediaserver_26_0 app_data_file_26_0 (file (ioctl read write getattr lock append open)))
-(allow mediaserver_26_0 sdcard_type (file (write)))
-(allow mediaserver_26_0 gpu_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow mediaserver_26_0 video_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_26_0 video_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow mediaserver_26_0 property_socket_26_0 (sock_file (write)))
-(allow mediaserver_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow mediaserver_26_0 audio_prop_26_0 (property_service (set)))
-(allow mediaserver_26_0 audio_prop_26_0 (file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 sysfs_26_0 (file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 apk_data_file_26_0 (file (read getattr)))
-(allow mediaserver_26_0 asec_apk_file_26_0 (file (read getattr)))
-(allow mediaserver_26_0 ringtone_file_26_0 (file (read getattr)))
-(allow mediaserver_26_0 radio_data_file_26_0 (file (read getattr)))
-(allow mediaserver_26_0 appdomain (fifo_file (read write getattr)))
-(allow mediaserver_26_0 rpmsg_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow mediaserver_26_0 system_server_26_0 (fifo_file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 media_rw_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_26_0 media_rw_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 media_rw_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 app_fuse_file_26_0 (file (read getattr)))
-(allow mediaserver_26_0 qtaguid_proc_26_0 (file (ioctl read write getattr lock append open)))
-(allow mediaserver_26_0 qtaguid_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 drmserver_socket_26_0 (sock_file (write)))
-(allow mediaserver_26_0 drmserver_26_0 (unix_stream_socket (connectto)))
-(allow mediaserver_26_0 bluetooth_socket_26_0 (sock_file (write)))
-(allow mediaserver_26_0 bluetooth_26_0 (unix_stream_socket (connectto)))
-(allow mediaserver_26_0 mediaserver_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_155_26_0 mediaserver_service_26_0 (service_manager (add)))
-(neverallow mediaserver_26_0 unlabeled_26_0 (service_manager (add)))
-(allow mediaserver_26_0 activity_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 appops_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 audioserver_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 cameraserver_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 batterystats_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 drmserver_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 mediaextractor_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 mediacodec_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 mediametrics_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 media_session_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 permission_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 power_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 processinfo_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 scheduling_policy_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 surfaceflinger_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 mediadrmserver_service_26_0 (service_manager (find)))
-(allow mediaserver_26_0 hidl_token_hwservice_26_0 (hwservice_manager (find)))
-(allow mediaserver_26_0 oemfs_26_0 (dir (search)))
-(allow mediaserver_26_0 oemfs_26_0 (file (ioctl read getattr lock open)))
-(allow drmserver_26_0 mediaserver_26_0 (dir (search)))
-(allow drmserver_26_0 mediaserver_26_0 (file (read open)))
-(allow drmserver_26_0 mediaserver_26_0 (process (getattr)))
-(allow mediaserver_26_0 drmserver_26_0 (drmservice (consumeRights setPlaybackStatus openDecryptSession closeDecryptSession initializeDecryptUnit decrypt finalizeDecryptUnit pread)))
-(allowx mediaserver_26_0 self (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx mediaserver_26_0 self (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx mediaserver_26_0 self (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx mediaserver_26_0 self (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx mediaserver_26_0 self (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx mediaserver_26_0 self (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx mediaserver_26_0 self (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx mediaserver_26_0 self (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx mediaserver_26_0 self (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allow mediaserver_26_0 media_rw_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow mediaserver_26_0 media_rw_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow mediaserver_26_0 preloads_media_file_26_0 (file (ioctl read getattr)))
-(allow mediaserver_26_0 ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 hal_graphics_allocator (fd (use)))
-(allow mediaserver_26_0 hal_graphics_composer (fd (use)))
-(allow mediaserver_26_0 hal_camera (fd (use)))
-(allow mediaserver_26_0 system_server_26_0 (fd (use)))
-(allow mediaserver_26_0 mediacodec_26_0 (binder (call transfer)))
-(allow mediacodec_26_0 mediaserver_26_0 (binder (transfer)))
-(allow mediaserver_26_0 mediacodec_26_0 (fd (use)))
-(neverallow mediaserver_26_0 fs_type (file (execute_no_trans)))
-(neverallow mediaserver_26_0 file_type (file (execute_no_trans)))
-(neverallowx mediaserver_26_0 domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx mediaserver_26_0 domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx mediaserver_26_0 domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx mediaserver_26_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediaserver_26_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediaserver_26_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediaserver_26_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediaserver_26_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediaserver_26_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow modprobe_26_0 proc_modules_26_0 (file (ioctl read getattr lock open)))
-(allow modprobe_26_0 self (capability (sys_module)))
-(allow modprobe_26_0 kernel_26_0 (key (search)))
-(allow modprobe_26_0 system_file_26_0 (system (module_load)))
-(allow modprobe_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow modprobe_26_0 system_file_26_0 (file (ioctl read getattr lock open)))
-(allow modprobe_26_0 system_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow mtp_26_0 self (socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow mtp_26_0 self (capability (net_raw)))
-(allow mtp_26_0 ppp_26_0 (process (signal)))
-(allow mtp_26_0 vpn_data_file_26_0 (dir (search)))
-(allowx netd_26_0 self (ioctl udp_socket (0x6900 0x6902)))
-(allowx netd_26_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx netd_26_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow netd_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow netd_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow netd_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow netd_26_0 system_server_26_0 (fd (use)))
-(allow netd_26_0 self (capability (kill net_admin net_raw)))
-(dontaudit netd_26_0 self (capability (fsetid)))
-(allow netd_26_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_26_0 self (netlink_route_socket (nlmsg_write)))
-(allow netd_26_0 self (netlink_nflog_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_26_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_26_0 self (netlink_tcpdiag_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write)))
-(allow netd_26_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_26_0 self (netlink_netfilter_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_26_0 shell_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow netd_26_0 system_file_26_0 (file (getattr execute execute_no_trans)))
-(allow netd_26_0 devpts_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow netd_26_0 system_file_26_0 (file (lock)))
-(allow netd_26_0 proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow netd_26_0 proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow netd_26_0 proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow netd_26_0 proc_net_26_0 (file (ioctl read write getattr lock append open)))
-(allow netd_26_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow netd_26_0 sysfs_type (file (ioctl read getattr lock open)))
-(allow netd_26_0 sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow netd_26_0 sysfs_26_0 (file (write)))
-(allow netd_26_0 sysfs_usb_26_0 (file (write)))
-(allow netd_26_0 self (capability (chown dac_override)))
-(allow netd_26_0 net_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow netd_26_0 net_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow netd_26_0 self (capability (fowner)))
-(allow netd_26_0 dnsmasq_26_0 (process (signal)))
-(allow netd_26_0 clatd_26_0 (process (signal)))
-(allow netd_26_0 property_socket_26_0 (sock_file (write)))
-(allow netd_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow netd_26_0 ctl_mdnsd_prop_26_0 (property_service (set)))
-(allow netd_26_0 ctl_mdnsd_prop_26_0 (file (ioctl read getattr lock open)))
-(allow netd_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 netd_26_0 (dir (search)))
-(allow servicemanager_26_0 netd_26_0 (file (read open)))
-(allow servicemanager_26_0 netd_26_0 (process (getattr)))
-(allow netd_26_0 netd_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_156_26_0 netd_service_26_0 (service_manager (add)))
-(neverallow netd_26_0 unlabeled_26_0 (service_manager (add)))
-(allow netd_26_0 dumpstate_26_0 (fifo_file (write getattr)))
-(allow netd_26_0 system_server_26_0 (binder (call)))
-(allow netd_26_0 permission_service_26_0 (service_manager (find)))
-(allow netd_26_0 netd_listener_service_26_0 (service_manager (find)))
-(allow netd_26_0 netdomain (tcp_socket (read write getattr setattr getopt setopt)))
-(allow netd_26_0 netdomain (udp_socket (read write getattr setattr getopt setopt)))
-(allow netd_26_0 netdomain (rawip_socket (read write getattr setattr getopt setopt)))
-(allow netd_26_0 netdomain (tun_socket (read write getattr setattr getopt setopt)))
-(allow netd_26_0 netdomain (fd (use)))
-(allow netd_26_0 self (netlink_xfrm_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write)))
-(neverallow netd_26_0 dev_type (blk_file (read write)))
-(neverallow netd_26_0 domain (process (ptrace)))
-(neverallow netd_26_0 system_file_26_0 (file (write)))
-(neverallow netd_26_0 system_file_26_0 (dir (write)))
-(neverallow netd_26_0 system_file_26_0 (lnk_file (write)))
-(neverallow netd_26_0 system_file_26_0 (chr_file (write)))
-(neverallow netd_26_0 system_file_26_0 (blk_file (write)))
-(neverallow netd_26_0 system_file_26_0 (sock_file (write)))
-(neverallow netd_26_0 system_file_26_0 (fifo_file (write)))
-(neverallow netd_26_0 system_data_file_26_0 (file (write)))
-(neverallow netd_26_0 system_data_file_26_0 (dir (write)))
-(neverallow netd_26_0 system_data_file_26_0 (lnk_file (write)))
-(neverallow netd_26_0 system_data_file_26_0 (chr_file (write)))
-(neverallow netd_26_0 system_data_file_26_0 (blk_file (write)))
-(neverallow netd_26_0 system_data_file_26_0 (sock_file (write)))
-(neverallow netd_26_0 system_data_file_26_0 (fifo_file (write)))
-(neverallow netd_26_0 app_data_file_26_0 (file (write)))
-(neverallow netd_26_0 app_data_file_26_0 (dir (write)))
-(neverallow netd_26_0 app_data_file_26_0 (lnk_file (write)))
-(neverallow netd_26_0 app_data_file_26_0 (chr_file (write)))
-(neverallow netd_26_0 app_data_file_26_0 (blk_file (write)))
-(neverallow netd_26_0 app_data_file_26_0 (sock_file (write)))
-(neverallow netd_26_0 app_data_file_26_0 (fifo_file (write)))
-(neverallow base_typeattr_157_26_0 netd_service_26_0 (service_manager (find)))
-(neverallow base_typeattr_63_26_0 netd_26_0 (binder (call)))
-(neverallow netd_26_0 base_typeattr_146_26_0 (binder (call)))
-(neverallow domain netutils_wrapper_exec_26_0 (file (execute_no_trans)))
-(allow otapreopt_chroot_26_0 postinstall_file_26_0 (dir (mounton search)))
-(allow otapreopt_chroot_26_0 self (capability (sys_chroot sys_admin)))
-(allow otapreopt_chroot_26_0 block_device_26_0 (dir (search)))
-(allow otapreopt_chroot_26_0 labeledfs_26_0 (filesystem (mount)))
-(dontaudit otapreopt_chroot_26_0 kernel_26_0 (process (setsched)))
-(allow otapreopt_chroot_26_0 postinstall_26_0 (fd (use)))
-(allow otapreopt_chroot_26_0 update_engine_26_0 (fd (use)))
-(allow otapreopt_chroot_26_0 update_engine_26_0 (fifo_file (write)))
-(allow otapreopt_slot_26_0 ota_data_file_26_0 (dir (ioctl read write getattr lock rename add_name remove_name reparent search rmdir open)))
-(allow otapreopt_slot_26_0 ota_data_file_26_0 (file (getattr)))
-(allow otapreopt_slot_26_0 ota_data_file_26_0 (lnk_file (getattr)))
-(allow otapreopt_slot_26_0 ota_data_file_26_0 (lnk_file (read)))
-(allow otapreopt_slot_26_0 dalvikcache_data_file_26_0 (dir (read write getattr add_name remove_name search rmdir open)))
-(allow otapreopt_slot_26_0 dalvikcache_data_file_26_0 (file (getattr unlink)))
-(allow otapreopt_slot_26_0 dalvikcache_data_file_26_0 (lnk_file (read getattr unlink)))
-(allow otapreopt_slot_26_0 shell_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow otapreopt_slot_26_0 toolbox_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow init_26_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (create bind)))
-(allow performanced_26_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (read write getattr setattr lock append listen accept getopt setopt shutdown)))
-(allow performanced_26_0 self (process (setsockcreate)))
-(allow performanced_26_0 pdx_performance_client_channel_socket_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
-(neverallow base_typeattr_158_26_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (listen accept)))
-(allow performanced_26_0 self (capability (setgid setuid sys_nice)))
-(allow performanced_26_0 appdomain (dir (ioctl read getattr lock search open)))
-(allow performanced_26_0 bufferhubd_26_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_26_0 kernel_26_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_26_0 surfaceflinger_26_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_26_0 appdomain (file (ioctl read getattr lock open)))
-(allow performanced_26_0 appdomain (lnk_file (ioctl read getattr lock open)))
-(allow performanced_26_0 bufferhubd_26_0 (file (ioctl read getattr lock open)))
-(allow performanced_26_0 bufferhubd_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow performanced_26_0 kernel_26_0 (file (ioctl read getattr lock open)))
-(allow performanced_26_0 kernel_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow performanced_26_0 surfaceflinger_26_0 (file (ioctl read getattr lock open)))
-(allow performanced_26_0 surfaceflinger_26_0 (lnk_file (ioctl read getattr lock open)))
-(dontaudit performanced_26_0 domain (dir (read)))
-(allow performanced_26_0 appdomain (process (setsched)))
-(allow performanced_26_0 bufferhubd_26_0 (process (setsched)))
-(allow performanced_26_0 kernel_26_0 (process (setsched)))
-(allow performanced_26_0 surfaceflinger_26_0 (process (setsched)))
-(allow performanced_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow performanced_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow perfprofd_26_0 sysfs_devices_system_cpu_26_0 (file (ioctl read write getattr lock append open)))
-(allow perfprofd_26_0 system_file_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow perfprofd_26_0 app_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow perfprofd_26_0 app_data_file_26_0 (dir (search)))
-(allow perfprofd_26_0 self (capability (dac_override)))
-(allow perfprofd_26_0 perfprofd_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow perfprofd_26_0 perfprofd_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow perfprofd_26_0 logcat_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow perfprofd_26_0 logdr_socket_26_0 (sock_file (write)))
-(allow perfprofd_26_0 logd_26_0 (unix_stream_socket (connectto)))
-(allow perfprofd_26_0 logdw_socket_26_0 (sock_file (write)))
-(allow perfprofd_26_0 logd_26_0 (unix_dgram_socket (sendto)))
-(allow perfprofd_26_0 pmsg_device_26_0 (chr_file (write lock append open)))
-(allow perfprofd_26_0 sysfs_wake_lock_26_0 (file (ioctl read write getattr lock append open)))
-(allow perfprofd_26_0 self (capability2 (block_suspend)))
-(allow perfprofd_26_0 self (capability (sys_admin)))
-(allow perfprofd_26_0 domain (dir (ioctl read getattr lock search open)))
-(allow perfprofd_26_0 domain (file (ioctl read getattr lock open)))
-(allow perfprofd_26_0 domain (lnk_file (ioctl read getattr lock open)))
-(allow perfprofd_26_0 self (capability (sys_ptrace sys_resource)))
-(neverallow perfprofd_26_0 domain (process (ptrace)))
-(allow perfprofd_26_0 exec_type (file (ioctl read getattr lock open)))
-(allow perfprofd_26_0 debugfs_tracing_26_0 (file (ioctl read getattr lock open)))
-(allow perfprofd_26_0 toolbox_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow perfprofd_26_0 self (capability (ipc_lock)))
-(allow postinstall_26_0 update_engine_common (fd (use)))
-(allow postinstall_26_0 update_engine_common (fifo_file (ioctl read write getattr lock append open)))
-(allow postinstall_26_0 postinstall_file_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow postinstall_26_0 postinstall_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow postinstall_26_0 postinstall_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_26_0 shell_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow postinstall_26_0 system_file_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow postinstall_26_0 toolbox_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow postinstall_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 postinstall_26_0 (dir (search)))
-(allow servicemanager_26_0 postinstall_26_0 (file (read open)))
-(allow servicemanager_26_0 postinstall_26_0 (process (getattr)))
-(allow postinstall_26_0 system_server_26_0 (binder (call transfer)))
-(allow system_server_26_0 postinstall_26_0 (binder (transfer)))
-(allow postinstall_26_0 system_server_26_0 (fd (use)))
-(allow postinstall_26_0 otadexopt_service_26_0 (service_manager (find)))
-(neverallow base_typeattr_35_26_0 postinstall_26_0 (process (transition dyntransition)))
-(allow postinstall_dexopt_26_0 self (capability (chown dac_override fowner setgid setuid)))
-(allow postinstall_dexopt_26_0 postinstall_file_26_0 (filesystem (getattr)))
-(allow postinstall_dexopt_26_0 postinstall_file_26_0 (dir (getattr search)))
-(allow postinstall_dexopt_26_0 postinstall_file_26_0 (lnk_file (read)))
-(allow postinstall_dexopt_26_0 proc_26_0 (file (read getattr open)))
-(allow postinstall_dexopt_26_0 tmpfs_26_0 (file (read)))
-(allow postinstall_dexopt_26_0 apk_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_26_0 apk_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow postinstall_dexopt_26_0 apk_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow postinstall_dexopt_26_0 vendor_app_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_26_0 vendor_app_file_26_0 (file (ioctl read getattr lock open)))
-(allow postinstall_dexopt_26_0 vendor_app_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow postinstall_dexopt_26_0 dalvikcache_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_26_0 dalvikcache_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow postinstall_dexopt_26_0 dalvikcache_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow postinstall_dexopt_26_0 user_profile_data_file_26_0 (dir (getattr search)))
-(allow postinstall_dexopt_26_0 user_profile_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow postinstall_dexopt_26_0 ota_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow postinstall_dexopt_26_0 ota_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow postinstall_dexopt_26_0 ota_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow postinstall_dexopt_26_0 dalvikcache_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow postinstall_dexopt_26_0 dalvikcache_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow postinstall_dexopt_26_0 dalvikcache_data_file_26_0 (dir (relabelto)))
-(allow postinstall_dexopt_26_0 dalvikcache_data_file_26_0 (file (relabelto link)))
-(allow postinstall_dexopt_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow postinstall_dexopt_26_0 selinuxfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow postinstall_dexopt_26_0 selinuxfs_26_0 (file (write lock append open)))
-(allow postinstall_dexopt_26_0 kernel_26_0 (security (check_context)))
-(allow postinstall_dexopt_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow postinstall_dexopt_26_0 selinuxfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow postinstall_dexopt_26_0 selinuxfs_26_0 (file (write lock append open)))
-(allow postinstall_dexopt_26_0 kernel_26_0 (security (compute_av)))
-(allow postinstall_dexopt_26_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow postinstall_dexopt_26_0 postinstall_26_0 (process (sigchld)))
-(allow postinstall_dexopt_26_0 otapreopt_chroot_26_0 (fd (use)))
-(allow postinstall_dexopt_26_0 cpuctl_device_26_0 (dir (search)))
-(allow ppp_26_0 proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow ppp_26_0 proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow ppp_26_0 proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow ppp_26_0 mtp_26_0 (socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx ppp_26_0 self (ioctl udp_socket (0x6900 0x6902)))
-(allowx ppp_26_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx ppp_26_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allowx ppp_26_0 mtp_26_0 (ioctl socket (((range 0x7436 0x7441)) ((range 0x7446 0x7447)) ((range 0x744b 0x745a)) ((range 0x7480 0x7488)))))
-(allow ppp_26_0 mtp_26_0 (unix_dgram_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow ppp_26_0 ppp_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow ppp_26_0 self (capability (net_admin)))
-(allow ppp_26_0 system_file_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow ppp_26_0 vpn_data_file_26_0 (dir (write lock add_name remove_name search open)))
-(allow ppp_26_0 vpn_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow ppp_26_0 mtp_26_0 (fd (use)))
-(allow preopt2cachename_26_0 cppreopts_26_0 (fd (use)))
-(allow preopt2cachename_26_0 cppreopts_26_0 (fifo_file (read write getattr)))
-(allow preopt2cachename_26_0 proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow profman_26_0 user_profile_data_file_26_0 (file (read write getattr lock)))
-(allow profman_26_0 asec_apk_file_26_0 (file (read)))
-(allow profman_26_0 apk_data_file_26_0 (file (read)))
-(allow profman_26_0 oemfs_26_0 (file (read)))
-(allow profman_26_0 tmpfs_26_0 (file (read)))
-(allow profman_26_0 profman_dump_data_file_26_0 (file (write)))
-(allow profman_26_0 installd_26_0 (fd (use)))
-(allow profman_26_0 app_data_file_26_0 (file (read write getattr lock)))
-(neverallow profman_26_0 app_data_file_26_0 (file (open)))
-(neverallow profman_26_0 app_data_file_26_0 (lnk_file (open)))
-(neverallow profman_26_0 app_data_file_26_0 (sock_file (open)))
-(neverallow profman_26_0 app_data_file_26_0 (fifo_file (open)))
-(allow property_type tmpfs_26_0 (filesystem (associate)))
-(neverallow base_typeattr_10_26_0 base_typeattr_159_26_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(allowx racoon_26_0 self (ioctl udp_socket (0x8914 0x8916 0x891c)))
-(allow racoon_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 racoon_26_0 (dir (search)))
-(allow servicemanager_26_0 racoon_26_0 (file (read open)))
-(allow servicemanager_26_0 racoon_26_0 (process (getattr)))
-(allow racoon_26_0 tun_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow racoon_26_0 cgroup_26_0 (dir (create add_name)))
-(allow racoon_26_0 kernel_26_0 (system (module_request)))
-(allow racoon_26_0 self (key_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow racoon_26_0 self (tun_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow racoon_26_0 self (capability (net_bind_service net_admin net_raw)))
-(allow racoon_26_0 system_file_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow racoon_26_0 vpn_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow racoon_26_0 vpn_data_file_26_0 (dir (write lock add_name remove_name search open)))
-(allow keystore_26_0 racoon_26_0 (dir (search)))
-(allow keystore_26_0 racoon_26_0 (file (read open)))
-(allow keystore_26_0 racoon_26_0 (process (getattr)))
-(allow racoon_26_0 keystore_service_26_0 (service_manager (find)))
-(allow racoon_26_0 keystore_26_0 (binder (call transfer)))
-(allow keystore_26_0 racoon_26_0 (binder (transfer)))
-(allow racoon_26_0 keystore_26_0 (fd (use)))
-(allow racoon_26_0 keystore_26_0 (keystore_key (get sign verify)))
-(allow radio_26_0 radio_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow radio_26_0 radio_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow radio_26_0 radio_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow radio_26_0 radio_data_file_26_0 (sock_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow radio_26_0 radio_data_file_26_0 (fifo_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow radio_26_0 alarm_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow radio_26_0 net_data_file_26_0 (dir (search)))
-(allow radio_26_0 net_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow radio_26_0 property_socket_26_0 (sock_file (write)))
-(allow radio_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow radio_26_0 radio_prop_26_0 (property_service (set)))
-(allow radio_26_0 radio_prop_26_0 (file (ioctl read getattr lock open)))
-(allow radio_26_0 property_socket_26_0 (sock_file (write)))
-(allow radio_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow radio_26_0 net_radio_prop_26_0 (property_service (set)))
-(allow radio_26_0 net_radio_prop_26_0 (file (ioctl read getattr lock open)))
-(allow radio_26_0 property_socket_26_0 (sock_file (write)))
-(allow radio_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow radio_26_0 ctl_rildaemon_prop_26_0 (property_service (set)))
-(allow radio_26_0 ctl_rildaemon_prop_26_0 (file (ioctl read getattr lock open)))
-(allow radio_26_0 radio_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_160_26_0 radio_service_26_0 (service_manager (add)))
-(neverallow radio_26_0 unlabeled_26_0 (service_manager (add)))
-(allow radio_26_0 audioserver_service_26_0 (service_manager (find)))
-(allow radio_26_0 cameraserver_service_26_0 (service_manager (find)))
-(allow radio_26_0 drmserver_service_26_0 (service_manager (find)))
-(allow radio_26_0 mediaserver_service_26_0 (service_manager (find)))
-(allow radio_26_0 nfc_service_26_0 (service_manager (find)))
-(allow radio_26_0 surfaceflinger_service_26_0 (service_manager (find)))
-(allow radio_26_0 app_api_service (service_manager (find)))
-(allow radio_26_0 system_api_service (service_manager (find)))
-(allow radio_26_0 hwservicemanager_26_0 (binder (call transfer)))
-(allow hwservicemanager_26_0 radio_26_0 (binder (call transfer)))
-(allow hwservicemanager_26_0 radio_26_0 (dir (search)))
-(allow hwservicemanager_26_0 radio_26_0 (file (read open)))
-(allow hwservicemanager_26_0 radio_26_0 (process (getattr)))
-(neverallow recovery_26_0 data_file_type (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow recovery_26_0 data_file_type (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(allow recovery_persist_26_0 pstorefs_26_0 (dir (search)))
-(allow recovery_persist_26_0 pstorefs_26_0 (file (ioctl read getattr lock open)))
-(allow recovery_persist_26_0 recovery_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow recovery_persist_26_0 recovery_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(neverallow recovery_persist_26_0 dev_type (blk_file (read write)))
-(neverallow recovery_persist_26_0 domain (process (ptrace)))
-(neverallow recovery_persist_26_0 system_file_26_0 (file (write)))
-(neverallow recovery_persist_26_0 system_file_26_0 (dir (write)))
-(neverallow recovery_persist_26_0 system_file_26_0 (lnk_file (write)))
-(neverallow recovery_persist_26_0 system_file_26_0 (chr_file (write)))
-(neverallow recovery_persist_26_0 system_file_26_0 (blk_file (write)))
-(neverallow recovery_persist_26_0 system_file_26_0 (sock_file (write)))
-(neverallow recovery_persist_26_0 system_file_26_0 (fifo_file (write)))
-(neverallow recovery_persist_26_0 system_data_file_26_0 (file (write)))
-(neverallow recovery_persist_26_0 system_data_file_26_0 (dir (write)))
-(neverallow recovery_persist_26_0 system_data_file_26_0 (lnk_file (write)))
-(neverallow recovery_persist_26_0 system_data_file_26_0 (chr_file (write)))
-(neverallow recovery_persist_26_0 system_data_file_26_0 (blk_file (write)))
-(neverallow recovery_persist_26_0 system_data_file_26_0 (sock_file (write)))
-(neverallow recovery_persist_26_0 system_data_file_26_0 (fifo_file (write)))
-(neverallow recovery_persist_26_0 app_data_file_26_0 (file (write)))
-(neverallow recovery_persist_26_0 app_data_file_26_0 (dir (write)))
-(neverallow recovery_persist_26_0 app_data_file_26_0 (lnk_file (write)))
-(neverallow recovery_persist_26_0 app_data_file_26_0 (chr_file (write)))
-(neverallow recovery_persist_26_0 app_data_file_26_0 (blk_file (write)))
-(neverallow recovery_persist_26_0 app_data_file_26_0 (sock_file (write)))
-(neverallow recovery_persist_26_0 app_data_file_26_0 (fifo_file (write)))
-(allow recovery_refresh_26_0 pstorefs_26_0 (dir (search)))
-(allow recovery_refresh_26_0 pstorefs_26_0 (file (ioctl read getattr lock open)))
-(neverallow recovery_refresh_26_0 dev_type (blk_file (read write)))
-(neverallow recovery_refresh_26_0 domain (process (ptrace)))
-(neverallow recovery_refresh_26_0 system_file_26_0 (file (write)))
-(neverallow recovery_refresh_26_0 system_file_26_0 (dir (write)))
-(neverallow recovery_refresh_26_0 system_file_26_0 (lnk_file (write)))
-(neverallow recovery_refresh_26_0 system_file_26_0 (chr_file (write)))
-(neverallow recovery_refresh_26_0 system_file_26_0 (blk_file (write)))
-(neverallow recovery_refresh_26_0 system_file_26_0 (sock_file (write)))
-(neverallow recovery_refresh_26_0 system_file_26_0 (fifo_file (write)))
-(neverallow recovery_refresh_26_0 system_data_file_26_0 (file (write)))
-(neverallow recovery_refresh_26_0 system_data_file_26_0 (dir (write)))
-(neverallow recovery_refresh_26_0 system_data_file_26_0 (lnk_file (write)))
-(neverallow recovery_refresh_26_0 system_data_file_26_0 (chr_file (write)))
-(neverallow recovery_refresh_26_0 system_data_file_26_0 (blk_file (write)))
-(neverallow recovery_refresh_26_0 system_data_file_26_0 (sock_file (write)))
-(neverallow recovery_refresh_26_0 system_data_file_26_0 (fifo_file (write)))
-(neverallow recovery_refresh_26_0 app_data_file_26_0 (file (write)))
-(neverallow recovery_refresh_26_0 app_data_file_26_0 (dir (write)))
-(neverallow recovery_refresh_26_0 app_data_file_26_0 (lnk_file (write)))
-(neverallow recovery_refresh_26_0 app_data_file_26_0 (chr_file (write)))
-(neverallow recovery_refresh_26_0 app_data_file_26_0 (blk_file (write)))
-(neverallow recovery_refresh_26_0 app_data_file_26_0 (sock_file (write)))
-(neverallow recovery_refresh_26_0 app_data_file_26_0 (fifo_file (write)))
-(allowx rild_26_0 self (ioctl udp_socket (0x6900 0x6902)))
-(allowx rild_26_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx rild_26_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow rild_26_0 self (netlink_route_socket (nlmsg_write)))
-(allow rild_26_0 kernel_26_0 (system (module_request)))
-(allow rild_26_0 self (capability (setgid setuid setpcap net_admin net_raw)))
-(allow rild_26_0 alarm_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow rild_26_0 cgroup_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow rild_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow rild_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow rild_26_0 radio_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow rild_26_0 radio_device_26_0 (blk_file (ioctl read getattr lock open)))
-(allow rild_26_0 mtd_device_26_0 (dir (search)))
-(allow rild_26_0 efs_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow rild_26_0 efs_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow rild_26_0 shell_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow rild_26_0 bluetooth_efs_file_26_0 (file (ioctl read getattr lock open)))
-(allow rild_26_0 bluetooth_efs_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow rild_26_0 radio_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow rild_26_0 radio_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow rild_26_0 sdcard_type (dir (ioctl read getattr lock search open)))
-(allow rild_26_0 system_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow rild_26_0 system_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow rild_26_0 system_file_26_0 (file (getattr execute execute_no_trans)))
-(allow rild_26_0 property_socket_26_0 (sock_file (write)))
-(allow rild_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow rild_26_0 radio_prop_26_0 (property_service (set)))
-(allow rild_26_0 radio_prop_26_0 (file (ioctl read getattr lock open)))
-(allow rild_26_0 tty_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow rild_26_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow rild_26_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow rild_26_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow rild_26_0 sysfs_wake_lock_26_0 (file (ioctl read write getattr lock append open)))
-(allow rild_26_0 self (capability2 (block_suspend)))
-(allow rild_26_0 proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow rild_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow rild_26_0 proc_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow rild_26_0 proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow rild_26_0 proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow rild_26_0 proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow rild_26_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow rild_26_0 sysfs_type (file (ioctl read getattr lock open)))
-(allow rild_26_0 sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow rild_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow rild_26_0 system_file_26_0 (file (ioctl read getattr lock open)))
-(allow rild_26_0 system_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow rild_26_0 self (socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow runas_26_0 adbd_26_0 (process (sigchld)))
-(allow runas_26_0 adbd_26_0 (unix_stream_socket (read write)))
-(allow runas_26_0 shell_26_0 (fd (use)))
-(allow runas_26_0 shell_26_0 (fifo_file (read write)))
-(allow runas_26_0 shell_26_0 (unix_stream_socket (read write)))
-(allow runas_26_0 devpts_26_0 (chr_file (ioctl read write)))
-(allow runas_26_0 shell_data_file_26_0 (file (read write)))
-(allow runas_26_0 system_data_file_26_0 (file (ioctl read getattr lock open)))
-(dontaudit runas_26_0 self (capability (dac_override)))
-(allow runas_26_0 app_data_file_26_0 (dir (getattr search)))
-(allow runas_26_0 self (capability (setgid setuid)))
-(allow runas_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow runas_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow runas_26_0 selinuxfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow runas_26_0 selinuxfs_26_0 (file (write lock append open)))
-(allow runas_26_0 kernel_26_0 (security (check_context)))
-(allow runas_26_0 self (process (setcurrent)))
-(allow runas_26_0 base_typeattr_161_26_0 (process (dyntransition)))
-(allow runas_26_0 seapp_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(neverallow runas_26_0 self (capability (chown dac_override dac_read_search fowner fsetid kill setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(neverallow runas_26_0 self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(allow sdcardd_26_0 cgroup_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow sdcardd_26_0 fuse_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow sdcardd_26_0 rootfs_26_0 (dir (mounton)))
-(allow sdcardd_26_0 sdcardfs_26_0 (filesystem (remount)))
-(allow sdcardd_26_0 tmpfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow sdcardd_26_0 mnt_media_rw_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow sdcardd_26_0 storage_file_26_0 (dir (search)))
-(allow sdcardd_26_0 storage_stub_file_26_0 (dir (mounton search)))
-(allow sdcardd_26_0 sdcard_type (filesystem (mount unmount)))
-(allow sdcardd_26_0 self (capability (dac_override setgid setuid sys_admin sys_resource)))
-(allow sdcardd_26_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow sdcardd_26_0 sdcard_type (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow sdcardd_26_0 media_rw_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow sdcardd_26_0 media_rw_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow sdcardd_26_0 system_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow sdcardd_26_0 install_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow sdcardd_26_0 vold_26_0 (fd (use)))
-(allow sdcardd_26_0 vold_26_0 (fifo_file (read write getattr)))
-(allow sdcardd_26_0 mnt_expand_file_26_0 (dir (search)))
-(allow sdcardd_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(neverallow init_26_0 sdcardd_exec_26_0 (file (execute)))
-(neverallow init_26_0 sdcardd_26_0 (process (transition dyntransition)))
-(allow servicemanager_26_0 self (binder (set_context_mgr)))
-(allow servicemanager_26_0 base_typeattr_162_26_0 (binder (transfer)))
-(allow servicemanager_26_0 service_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow servicemanager_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow servicemanager_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow servicemanager_26_0 selinuxfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow servicemanager_26_0 selinuxfs_26_0 (file (write lock append open)))
-(allow servicemanager_26_0 kernel_26_0 (security (compute_av)))
-(allow servicemanager_26_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow sgdisk_26_0 block_device_26_0 (dir (search)))
-(allow sgdisk_26_0 vold_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow sgdisk_26_0 devpts_26_0 (chr_file (ioctl read write getattr)))
-(allow sgdisk_26_0 vold_26_0 (fd (use)))
-(allow sgdisk_26_0 vold_26_0 (fifo_file (read write getattr)))
-(allow sgdisk_26_0 self (capability (sys_admin)))
-(neverallow base_typeattr_92_26_0 sgdisk_26_0 (process (transition)))
-(neverallow base_typeattr_10_26_0 sgdisk_26_0 (process (dyntransition)))
-(neverallow sgdisk_26_0 base_typeattr_163_26_0 (file (entrypoint)))
-(allow shared_relro_26_0 shared_relro_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow shared_relro_26_0 shared_relro_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow shared_relro_26_0 webviewupdate_service_26_0 (service_manager (find)))
-(allow shell_26_0 logcat_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow shell_26_0 logdr_socket_26_0 (sock_file (write)))
-(allow shell_26_0 logd_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 logd_socket_26_0 (sock_file (write)))
-(allow shell_26_0 logd_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 pstorefs_26_0 (dir (search)))
-(allow shell_26_0 pstorefs_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 rootfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 anr_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 anr_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 shell_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow shell_26_0 shell_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow shell_26_0 shell_data_file_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow shell_26_0 shell_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow shell_26_0 profman_dump_data_file_26_0 (dir (write getattr remove_name search)))
-(allow shell_26_0 profman_dump_data_file_26_0 (file (getattr unlink)))
-(allow shell_26_0 nativetest_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 nativetest_data_file_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow shell_26_0 dumpstate_socket_26_0 (sock_file (write)))
-(allow shell_26_0 dumpstate_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 devpts_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow shell_26_0 tty_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow shell_26_0 console_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow shell_26_0 input_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 input_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow shell_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 system_file_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 system_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow shell_26_0 system_file_26_0 (file (getattr execute execute_no_trans)))
-(allow shell_26_0 toolbox_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow shell_26_0 shell_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow shell_26_0 zygote_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow shell_26_0 apk_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 apk_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 apk_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow shell_26_0 property_socket_26_0 (sock_file (write)))
-(allow shell_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 shell_prop_26_0 (property_service (set)))
-(allow shell_26_0 shell_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 property_socket_26_0 (sock_file (write)))
-(allow shell_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 ctl_bugreport_prop_26_0 (property_service (set)))
-(allow shell_26_0 ctl_bugreport_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 property_socket_26_0 (sock_file (write)))
-(allow shell_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 ctl_dumpstate_prop_26_0 (property_service (set)))
-(allow shell_26_0 ctl_dumpstate_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 property_socket_26_0 (sock_file (write)))
-(allow shell_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 dumpstate_prop_26_0 (property_service (set)))
-(allow shell_26_0 dumpstate_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 property_socket_26_0 (sock_file (write)))
-(allow shell_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 debug_prop_26_0 (property_service (set)))
-(allow shell_26_0 debug_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 property_socket_26_0 (sock_file (write)))
-(allow shell_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 powerctl_prop_26_0 (property_service (set)))
-(allow shell_26_0 powerctl_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 property_socket_26_0 (sock_file (write)))
-(allow shell_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 log_tag_prop_26_0 (property_service (set)))
-(allow shell_26_0 log_tag_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 property_socket_26_0 (sock_file (write)))
-(allow shell_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 wifi_log_prop_26_0 (property_service (set)))
-(allow shell_26_0 wifi_log_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 property_socket_26_0 (sock_file (write)))
-(allow shell_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 log_prop_26_0 (property_service (set)))
-(allow shell_26_0 log_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 property_socket_26_0 (sock_file (write)))
-(allow shell_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 logpersistd_logging_prop_26_0 (property_service (set)))
-(allow shell_26_0 logpersistd_logging_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 boottrace_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow shell_26_0 boottrace_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow shell_26_0 property_socket_26_0 (sock_file (write)))
-(allow shell_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow shell_26_0 persist_debug_prop_26_0 (property_service (set)))
-(allow shell_26_0 persist_debug_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 serialno_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 device_logging_prop_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 servicemanager_26_0 (service_manager (list)))
-(allow shell_26_0 base_typeattr_164_26_0 (service_manager (find)))
-(allow shell_26_0 dumpstate_26_0 (binder (call)))
-(allow shell_26_0 hwservicemanager_26_0 (binder (call transfer)))
-(allow hwservicemanager_26_0 shell_26_0 (binder (call transfer)))
-(allow hwservicemanager_26_0 shell_26_0 (dir (search)))
-(allow hwservicemanager_26_0 shell_26_0 (file (read open)))
-(allow hwservicemanager_26_0 shell_26_0 (process (getattr)))
-(allow shell_26_0 hwservicemanager_26_0 (hwservice_manager (list)))
-(allow shell_26_0 proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 proc_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow shell_26_0 proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow shell_26_0 proc_interrupts_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 proc_meminfo_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 proc_stat_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 proc_timer_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 proc_zoneinfo_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 cgroup_26_0 (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 cgroup_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 cgroup_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow shell_26_0 domain (dir (read getattr search open)))
-(allow shell_26_0 domain (file (read getattr open)))
-(allow shell_26_0 domain (lnk_file (read getattr open)))
-(allow shell_26_0 labeledfs_26_0 (filesystem (getattr)))
-(allow shell_26_0 proc_26_0 (filesystem (getattr)))
-(allow shell_26_0 device_26_0 (dir (getattr)))
-(allow shell_26_0 domain (process (getattr)))
-(allow shell_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 bootchart_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow shell_26_0 bootchart_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow shell_26_0 self (process (ptrace)))
-(allow shell_26_0 sysfs_batteryinfo_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 sysfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 ion_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow shell_26_0 dev_type (dir (ioctl read getattr lock search open)))
-(allow shell_26_0 dev_type (chr_file (getattr)))
-(allow shell_26_0 proc_26_0 (lnk_file (getattr)))
-(allow shell_26_0 dev_type (blk_file (getattr)))
-(allow shell_26_0 file_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 property_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 seapp_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 service_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow shell_26_0 sepolicy_file_26_0 (file (ioctl read getattr lock open)))
-(neverallow shell_26_0 file_type (file (link)))
-(neverallowx shell_26_0 domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx shell_26_0 domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx shell_26_0 domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx shell_26_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx shell_26_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx shell_26_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx shell_26_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx shell_26_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx shell_26_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallow shell_26_0 hw_random_device_26_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_26_0 kmem_device_26_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_26_0 port_device_26_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_26_0 fuse_device_26_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_26_0 dev_type (blk_file (ioctl read write create setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(allow slideshow_26_0 kmsg_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow slideshow_26_0 sysfs_wake_lock_26_0 (file (ioctl read write getattr lock append open)))
-(allow slideshow_26_0 self (capability2 (block_suspend)))
-(allow slideshow_26_0 device_26_0 (dir (ioctl read getattr lock search open)))
-(allow slideshow_26_0 self (capability (sys_tty_config)))
-(allow slideshow_26_0 graphics_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow slideshow_26_0 graphics_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow slideshow_26_0 input_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow slideshow_26_0 input_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow slideshow_26_0 tty_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow su_26_0 vndbinder_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow su_26_0 vndservicemanager_26_0 (binder (call transfer)))
-(allow vndservicemanager_26_0 su_26_0 (dir (search)))
-(allow vndservicemanager_26_0 su_26_0 (file (read open)))
-(allow vndservicemanager_26_0 su_26_0 (process (getattr)))
-(dontaudit su_26_0 self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(dontaudit su_26_0 self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(dontaudit su_26_0 kernel_26_0 (security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy)))
-(dontaudit su_26_0 kernel_26_0 (system (ipc_info syslog_read syslog_mod syslog_console module_request module_load)))
-(dontaudit su_26_0 self (memprotect (mmap_zero)))
-(dontaudit su_26_0 domain (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate)))
-(dontaudit su_26_0 domain (fd (use)))
-(dontaudit su_26_0 domain (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_26_0 domain (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 domain (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_26_0 domain (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 domain (socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_26_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_26_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_26_0 domain (netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_26_0 domain (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_26_0 domain (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_26_0 domain (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_26_0 domain (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
-(dontaudit su_26_0 domain (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)))
-(dontaudit su_26_0 domain (netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_26_0 domain (icmp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_26_0 domain (ax25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (ipx_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (netrom_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (atmpvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (x25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (rose_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (decnet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (atmsvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (rds_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (irda_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (pppox_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (llc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (can_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (tipc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (bluetooth_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (iucv_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (rxrpc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (isdn_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (phonet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (ieee802154_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (caif_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (alg_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (vsock_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (kcm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (qipcrtr_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 domain (sem (create destroy getattr setattr read write associate unix_read unix_write)))
-(dontaudit su_26_0 domain (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)))
-(dontaudit su_26_0 domain (shm (create destroy getattr setattr read write associate unix_read unix_write lock)))
-(dontaudit su_26_0 domain (ipc (create destroy getattr setattr read write associate unix_read unix_write)))
-(dontaudit su_26_0 domain (key (view read write search link setattr create)))
-(dontaudit su_26_0 fs_type (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
-(dontaudit su_26_0 dev_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_26_0 dev_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_26_0 dev_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 dev_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_26_0 dev_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 dev_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 dev_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 fs_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_26_0 fs_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_26_0 fs_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 fs_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_26_0 fs_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 fs_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 fs_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 file_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_26_0 file_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_26_0 file_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 file_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_26_0 file_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 file_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 file_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_26_0 node_type (node (recvfrom sendto)))
-(dontaudit su_26_0 node_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_26_0 node_type (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_26_0 node_type (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_26_0 netif_type (netif (ingress egress)))
-(dontaudit su_26_0 port_type (socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_26_0 port_type (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_26_0 port_type (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_26_0 port_type (netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_26_0 port_type (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_26_0 port_type (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_26_0 port_type (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_26_0 port_type (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
-(dontaudit su_26_0 port_type (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)))
-(dontaudit su_26_0 port_type (netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_26_0 port_type (icmp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_26_0 port_type (ax25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (ipx_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (netrom_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (atmpvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (x25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (rose_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (decnet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (atmsvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (rds_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (irda_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (pppox_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (llc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (can_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (tipc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (bluetooth_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (iucv_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (rxrpc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (isdn_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (phonet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (ieee802154_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (caif_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (alg_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (vsock_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (kcm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (qipcrtr_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_26_0 port_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_26_0 port_type (dccp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_26_0 domain (peer (recv)))
-(dontaudit su_26_0 domain (binder (impersonate call set_context_mgr transfer)))
-(dontaudit su_26_0 property_type (property_service (set)))
-(dontaudit su_26_0 property_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_26_0 service_manager_type (service_manager (add find list)))
-(dontaudit su_26_0 hwservice_manager_type (hwservice_manager (add find list)))
-(dontaudit su_26_0 vndservice_manager_type (service_manager (add find list)))
-(dontaudit su_26_0 servicemanager_26_0 (service_manager (list)))
-(dontaudit su_26_0 hwservicemanager_26_0 (hwservice_manager (list)))
-(dontaudit su_26_0 vndservicemanager_26_0 (service_manager (list)))
-(dontaudit su_26_0 keystore_26_0 (keystore_key (get_state get insert delete exist list reset password lock unlock is_empty sign verify grant duplicate clear_uid add_auth user_changed gen_unique_id)))
-(dontaudit su_26_0 domain (drmservice (consumeRights setPlaybackStatus openDecryptSession closeDecryptSession initializeDecryptUnit decrypt finalizeDecryptUnit pread)))
-(dontaudit su_26_0 unlabeled_26_0 (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
-(dontaudit su_26_0 postinstall_file_26_0 (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
-(allow tombstoned_26_0 domain (fd (use)))
-(allow tombstoned_26_0 domain (fifo_file (write)))
-(allow tombstoned_26_0 domain (dir (ioctl read getattr lock search open)))
-(allow tombstoned_26_0 domain (file (ioctl read getattr lock open)))
-(allow tombstoned_26_0 tombstone_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow tombstoned_26_0 tombstone_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow tombstoned_26_0 anr_data_file_26_0 (file (getattr append)))
-(allow tombstoned_26_0 anr_data_file_26_0 (file (write)))
-(auditallow tombstoned_26_0 anr_data_file_26_0 (file (write)))
-(allow toolbox_26_0 tmpfs_26_0 (chr_file (ioctl read write)))
-(allow toolbox_26_0 devpts_26_0 (chr_file (ioctl read write getattr)))
-(allow toolbox_26_0 block_device_26_0 (dir (search)))
-(allow toolbox_26_0 swap_block_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(neverallow base_typeattr_5_26_0 toolbox_26_0 (process (transition)))
-(neverallow base_typeattr_10_26_0 toolbox_26_0 (process (dyntransition)))
-(neverallow toolbox_26_0 base_typeattr_165_26_0 (file (entrypoint)))
-(allow tzdatacheck_26_0 zoneinfo_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow tzdatacheck_26_0 zoneinfo_data_file_26_0 (file (unlink)))
-(allow ueventd_26_0 kmsg_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow ueventd_26_0 self (capability (chown dac_override fowner fsetid setgid net_admin sys_rawio mknod)))
-(allow ueventd_26_0 device_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow ueventd_26_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow ueventd_26_0 sysfs_type (file (ioctl read getattr lock open)))
-(allow ueventd_26_0 sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow ueventd_26_0 rootfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow ueventd_26_0 rootfs_26_0 (file (ioctl read getattr lock open)))
-(allow ueventd_26_0 rootfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow ueventd_26_0 sysfs_26_0 (file (write lock append open)))
-(allow ueventd_26_0 sysfs_usb_26_0 (file (write lock append open)))
-(allow ueventd_26_0 sysfs_hwrandom_26_0 (file (write lock append open)))
-(allow ueventd_26_0 sysfs_zram_uevent_26_0 (file (write lock append open)))
-(allow ueventd_26_0 sysfs_type (file (getattr setattr relabelfrom relabelto)))
-(allow ueventd_26_0 sysfs_type (lnk_file (getattr setattr relabelfrom relabelto)))
-(allow ueventd_26_0 sysfs_type (dir (ioctl read getattr setattr lock relabelfrom relabelto search open)))
-(allow ueventd_26_0 sysfs_devices_system_cpu_26_0 (file (ioctl read write getattr lock append open)))
-(allow ueventd_26_0 tmpfs_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow ueventd_26_0 dev_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow ueventd_26_0 dev_type (lnk_file (create unlink)))
-(allow ueventd_26_0 dev_type (chr_file (create getattr setattr unlink)))
-(allow ueventd_26_0 dev_type (blk_file (create getattr setattr relabelfrom relabelto unlink)))
-(allow ueventd_26_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow ueventd_26_0 efs_file_26_0 (dir (search)))
-(allow ueventd_26_0 efs_file_26_0 (file (ioctl read getattr lock open)))
-(allow ueventd_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow ueventd_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow ueventd_26_0 selinuxfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow ueventd_26_0 vendor_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow ueventd_26_0 vendor_file_26_0 (file (ioctl read getattr lock open)))
-(allow ueventd_26_0 vendor_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow ueventd_26_0 file_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow ueventd_26_0 self (process (setfscreate)))
-(neverallow ueventd_26_0 property_socket_26_0 (sock_file (write)))
-(neverallow ueventd_26_0 init_26_0 (unix_stream_socket (connectto)))
-(neverallow ueventd_26_0 property_type (property_service (set)))
-(neverallow ueventd_26_0 dev_type (blk_file (ioctl read write lock append link rename execute quotaon mounton open audit_access execmod)))
-(neverallow ueventd_26_0 kmem_device_26_0 (chr_file (ioctl read write lock relabelfrom append link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow ueventd_26_0 port_device_26_0 (chr_file (ioctl read write lock relabelfrom append link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow uncrypt_26_0 self (capability (dac_override)))
-(allow uncrypt_26_0 app_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_26_0 app_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow uncrypt_26_0 app_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow uncrypt_26_0 shell_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_26_0 shell_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow uncrypt_26_0 shell_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow uncrypt_26_0 cache_recovery_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow uncrypt_26_0 cache_recovery_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow uncrypt_26_0 ota_package_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_26_0 ota_package_file_26_0 (file (ioctl read getattr lock open)))
-(allow uncrypt_26_0 uncrypt_socket_26_0 (sock_file (write)))
-(allow uncrypt_26_0 uncrypt_26_0 (unix_stream_socket (connectto)))
-(allow uncrypt_26_0 property_socket_26_0 (sock_file (write)))
-(allow uncrypt_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow uncrypt_26_0 powerctl_prop_26_0 (property_service (set)))
-(allow uncrypt_26_0 powerctl_prop_26_0 (file (ioctl read getattr lock open)))
-(allow uncrypt_26_0 self (capability (sys_rawio)))
-(allow uncrypt_26_0 misc_block_device_26_0 (blk_file (write lock append open)))
-(allow uncrypt_26_0 block_device_26_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_26_0 userdata_block_device_26_0 (blk_file (write lock append open)))
-(allow uncrypt_26_0 rootfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_26_0 rootfs_26_0 (file (ioctl read getattr lock open)))
-(allow uncrypt_26_0 rootfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow update_engine_26_0 qtaguid_proc_26_0 (file (ioctl read write getattr lock append open)))
-(allow update_engine_26_0 qtaguid_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow update_engine_26_0 self (process (setsched)))
-(allow update_engine_26_0 self (capability (fowner sys_admin)))
-(allow update_engine_26_0 kmsg_device_26_0 (chr_file (write lock append open)))
-(allow update_engine_26_0 update_engine_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow update_engine_26_0 sysfs_wake_lock_26_0 (file (ioctl read write getattr lock append open)))
-(allow update_engine_26_0 self (capability2 (block_suspend)))
-(dontaudit update_engine_26_0 kernel_26_0 (process (setsched)))
-(allow update_engine_26_0 update_engine_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow update_engine_26_0 update_engine_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(dontaudit update_engine_26_0 kernel_26_0 (system (module_request)))
-(allow update_engine_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 update_engine_26_0 (dir (search)))
-(allow servicemanager_26_0 update_engine_26_0 (file (read open)))
-(allow servicemanager_26_0 update_engine_26_0 (process (getattr)))
-(allow update_engine_26_0 update_engine_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_166_26_0 update_engine_service_26_0 (service_manager (add)))
-(neverallow update_engine_26_0 unlabeled_26_0 (service_manager (add)))
-(allow update_engine_26_0 priv_app_26_0 (binder (call transfer)))
-(allow priv_app_26_0 update_engine_26_0 (binder (transfer)))
-(allow update_engine_26_0 priv_app_26_0 (fd (use)))
-(allow update_engine_26_0 ota_package_file_26_0 (file (ioctl read getattr lock open)))
-(allow update_engine_26_0 ota_package_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow update_engine_common block_device_26_0 (dir (search)))
-(allow update_engine_common boot_block_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow update_engine_common system_block_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow update_engine_common misc_block_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow update_engine_common postinstall_mnt_dir_26_0 (dir (mounton)))
-(allow update_engine_common postinstall_file_26_0 (filesystem (mount unmount relabelfrom relabelto)))
-(allow update_engine_common labeledfs_26_0 (filesystem (relabelfrom)))
-(allow update_engine_common postinstall_file_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow update_engine_common postinstall_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow update_engine_common postinstall_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow update_engine_common shell_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow update_engine_common postinstall_26_0 (process (sigkill sigstop signal)))
-(allow update_engine_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow update_engine_26_0 proc_misc_26_0 (file (ioctl read getattr lock open)))
-(allow update_engine_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow update_verifier_26_0 block_device_26_0 (dir (search)))
-(allow update_verifier_26_0 ota_package_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow update_verifier_26_0 ota_package_file_26_0 (file (ioctl read getattr lock open)))
-(allow update_verifier_26_0 dm_device_26_0 (blk_file (ioctl read getattr lock open)))
-(allow update_verifier_26_0 property_socket_26_0 (sock_file (write)))
-(allow update_verifier_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow update_verifier_26_0 powerctl_prop_26_0 (property_service (set)))
-(allow update_verifier_26_0 powerctl_prop_26_0 (file (ioctl read getattr lock open)))
-(allow vdc_26_0 vold_socket_26_0 (sock_file (write)))
-(allow vdc_26_0 vold_26_0 (unix_stream_socket (connectto)))
-(allow vdc_26_0 dumpstate_26_0 (fd (use)))
-(allow vdc_26_0 dumpstate_26_0 (unix_stream_socket (read write getattr)))
-(allow vdc_26_0 shell_data_file_26_0 (file (write getattr)))
-(allow vdc_26_0 dumpstate_26_0 (unix_dgram_socket (read write)))
-(allow vdc_26_0 devpts_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow vdc_26_0 kmsg_device_26_0 (chr_file (write lock append open)))
-(neverallow base_typeattr_167_26_0 vendor_toolbox_exec_26_0 (file (execute execute_no_trans entrypoint)))
-(allow virtual_touchpad_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 virtual_touchpad_26_0 (dir (search)))
-(allow servicemanager_26_0 virtual_touchpad_26_0 (file (read open)))
-(allow servicemanager_26_0 virtual_touchpad_26_0 (process (getattr)))
-(allow virtual_touchpad_26_0 virtual_touchpad_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_168_26_0 virtual_touchpad_service_26_0 (service_manager (add)))
-(neverallow virtual_touchpad_26_0 unlabeled_26_0 (service_manager (add)))
-(allow virtual_touchpad_26_0 system_server_26_0 (binder (call transfer)))
-(allow system_server_26_0 virtual_touchpad_26_0 (binder (transfer)))
-(allow virtual_touchpad_26_0 system_server_26_0 (fd (use)))
-(allow virtual_touchpad_26_0 uhid_device_26_0 (chr_file (ioctl write lock append open)))
-(allow virtual_touchpad_26_0 permission_service_26_0 (service_manager (find)))
-(allow vold_26_0 cache_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow vold_26_0 cache_file_26_0 (file (read getattr)))
-(allow vold_26_0 cache_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow vold_26_0 proc_26_0 (dir (ioctl read getattr lock search open)))
-(allow vold_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow vold_26_0 proc_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow vold_26_0 proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow vold_26_0 proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow vold_26_0 proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow vold_26_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow vold_26_0 sysfs_type (file (ioctl read getattr lock open)))
-(allow vold_26_0 sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow vold_26_0 sysfs_26_0 (file (write lock append open)))
-(allow vold_26_0 sysfs_usb_26_0 (file (write lock append open)))
-(allow vold_26_0 sysfs_zram_uevent_26_0 (file (write lock append open)))
-(allow vold_26_0 rootfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow vold_26_0 rootfs_26_0 (file (ioctl read getattr lock open)))
-(allow vold_26_0 rootfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow vold_26_0 proc_meminfo_26_0 (file (ioctl read getattr lock open)))
-(allow vold_26_0 file_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow vold_26_0 self (process (setexec)))
-(allow vold_26_0 shell_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow vold_26_0 self (process (setfscreate)))
-(allow vold_26_0 system_file_26_0 (file (getattr execute execute_no_trans)))
-(allow vold_26_0 block_device_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 device_26_0 (dir (write)))
-(allow vold_26_0 devpts_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow vold_26_0 rootfs_26_0 (dir (mounton)))
-(allow vold_26_0 sdcard_type (dir (mounton)))
-(allow vold_26_0 sdcard_type (filesystem (mount remount unmount)))
-(allow vold_26_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 sdcard_type (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow vold_26_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 mnt_media_rw_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 storage_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 sdcard_type (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow vold_26_0 mnt_media_rw_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow vold_26_0 storage_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow vold_26_0 media_rw_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 media_rw_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow vold_26_0 mnt_media_rw_stub_file_26_0 (dir (create getattr setattr mounton rmdir)))
-(allow vold_26_0 storage_stub_file_26_0 (dir (create getattr setattr mounton rmdir)))
-(allow vold_26_0 mnt_user_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 mnt_user_file_26_0 (lnk_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow vold_26_0 mnt_expand_file_26_0 (dir (ioctl read write create getattr setattr lock rename mounton add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 apk_data_file_26_0 (dir (create getattr setattr)))
-(allow vold_26_0 shell_data_file_26_0 (dir (create getattr setattr)))
-(allow vold_26_0 tmpfs_26_0 (filesystem (mount unmount)))
-(allow vold_26_0 tmpfs_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 tmpfs_26_0 (dir (mounton)))
-(allow vold_26_0 self (capability (chown dac_override fowner fsetid net_admin sys_admin mknod)))
-(allow vold_26_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow vold_26_0 app_data_file_26_0 (dir (search)))
-(allow vold_26_0 app_data_file_26_0 (file (ioctl read write getattr lock append open)))
-(allow vold_26_0 loop_control_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow vold_26_0 loop_device_26_0 (blk_file (ioctl read write create getattr setattr lock append unlink open)))
-(allow vold_26_0 vold_device_26_0 (blk_file (ioctl read write create getattr setattr lock append unlink open)))
-(allow vold_26_0 dm_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow vold_26_0 dm_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow vold_26_0 domain (dir (ioctl read getattr lock search open)))
-(allow vold_26_0 domain (file (ioctl read getattr lock open)))
-(allow vold_26_0 domain (lnk_file (ioctl read getattr lock open)))
-(allow vold_26_0 domain (process (sigkill signal)))
-(allow vold_26_0 self (capability (kill sys_ptrace)))
-(allow vold_26_0 sysfs_26_0 (file (ioctl read write getattr lock append open)))
-(allow vold_26_0 kmsg_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow vold_26_0 fsck_exec_26_0 (file (ioctl read getattr lock execute open)))
-(allow vold_26_0 fscklogs_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow vold_26_0 fscklogs_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow vold_26_0 labeledfs_26_0 (filesystem (mount unmount)))
-(allow vold_26_0 efs_file_26_0 (file (ioctl read write getattr lock append open)))
-(allow vold_26_0 system_data_file_26_0 (dir (ioctl read write create getattr setattr lock mounton add_name remove_name search rmdir open)))
-(allow vold_26_0 kernel_26_0 (process (setsched)))
-(allow vold_26_0 property_socket_26_0 (sock_file (write)))
-(allow vold_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow vold_26_0 vold_prop_26_0 (property_service (set)))
-(allow vold_26_0 vold_prop_26_0 (file (ioctl read getattr lock open)))
-(allow vold_26_0 property_socket_26_0 (sock_file (write)))
-(allow vold_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow vold_26_0 powerctl_prop_26_0 (property_service (set)))
-(allow vold_26_0 powerctl_prop_26_0 (file (ioctl read getattr lock open)))
-(allow vold_26_0 property_socket_26_0 (sock_file (write)))
-(allow vold_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow vold_26_0 ctl_fuse_prop_26_0 (property_service (set)))
-(allow vold_26_0 ctl_fuse_prop_26_0 (file (ioctl read getattr lock open)))
-(allow vold_26_0 property_socket_26_0 (sock_file (write)))
-(allow vold_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow vold_26_0 restorecon_prop_26_0 (property_service (set)))
-(allow vold_26_0 restorecon_prop_26_0 (file (ioctl read getattr lock open)))
-(allow vold_26_0 asec_image_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow vold_26_0 asec_image_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow vold_26_0 asec_apk_file_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename mounton add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 asec_public_file_26_0 (dir (setattr relabelto)))
-(allow vold_26_0 asec_apk_file_26_0 (file (ioctl read getattr setattr lock relabelfrom relabelto open)))
-(allow vold_26_0 asec_public_file_26_0 (file (setattr relabelto)))
-(allow vold_26_0 unlabeled_26_0 (dir (ioctl read getattr setattr lock relabelfrom search open)))
-(allow vold_26_0 unlabeled_26_0 (file (ioctl read getattr setattr lock relabelfrom open)))
-(allow vold_26_0 sysfs_wake_lock_26_0 (file (ioctl read write getattr lock append open)))
-(allow vold_26_0 self (capability2 (block_suspend)))
-(allow vold_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 vold_26_0 (dir (search)))
-(allow servicemanager_26_0 vold_26_0 (file (read open)))
-(allow servicemanager_26_0 vold_26_0 (process (getattr)))
-(allow vold_26_0 healthd_26_0 (binder (call transfer)))
-(allow healthd_26_0 vold_26_0 (binder (transfer)))
-(allow vold_26_0 healthd_26_0 (fd (use)))
-(allow vold_26_0 userdata_block_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow vold_26_0 metadata_block_device_26_0 (blk_file (ioctl read write getattr lock append open)))
-(allow vold_26_0 unencrypted_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow vold_26_0 unencrypted_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 proc_drop_caches_26_0 (file (write lock append open)))
-(allow vold_26_0 vold_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 vold_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow vold_26_0 init_26_0 (key (write search setattr)))
-(allow vold_26_0 vold_26_0 (key (write search setattr)))
-(allow vold_26_0 self (capability (sys_nice)))
-(allow vold_26_0 self (capability (sys_chroot)))
-(allow vold_26_0 storage_file_26_0 (dir (mounton)))
-(allow vold_26_0 fuse_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow vold_26_0 fuse_26_0 (filesystem (relabelfrom)))
-(allow vold_26_0 app_fusefs_26_0 (filesystem (relabelfrom relabelto)))
-(allow vold_26_0 app_fusefs_26_0 (filesystem (mount unmount)))
-(allow vold_26_0 toolbox_exec_26_0 (file (ioctl read getattr lock execute execute_no_trans open)))
-(allow vold_26_0 user_profile_data_file_26_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_26_0 misc_block_device_26_0 (blk_file (write lock append open)))
-(neverallow base_typeattr_92_26_0 vold_data_file_26_0 (dir (write lock relabelfrom append unlink link rename execute quotaon mounton add_name remove_name reparent rmdir audit_access execmod)))
-(neverallow base_typeattr_169_26_0 vold_data_file_26_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_169_26_0 vold_data_file_26_0 (lnk_file (ioctl read write create setattr lock relabelfrom append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_169_26_0 vold_data_file_26_0 (sock_file (ioctl read write create setattr lock relabelfrom append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_169_26_0 vold_data_file_26_0 (fifo_file (ioctl read write create setattr lock relabelfrom append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_90_26_0 vold_data_file_26_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow base_typeattr_170_26_0 vold_data_file_26_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_170_26_0 vold_data_file_26_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_170_26_0 vold_data_file_26_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_170_26_0 vold_data_file_26_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_90_26_0 restorecon_prop_26_0 (property_service (set)))
-(neverallow vold_26_0 fsck_exec_26_0 (file (execute_no_trans)))
-(allow vr_hwc_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 vr_hwc_26_0 (dir (search)))
-(allow servicemanager_26_0 vr_hwc_26_0 (file (read open)))
-(allow servicemanager_26_0 vr_hwc_26_0 (process (getattr)))
-(allow vr_hwc_26_0 surfaceflinger_26_0 (binder (call transfer)))
-(allow surfaceflinger_26_0 vr_hwc_26_0 (binder (transfer)))
-(allow vr_hwc_26_0 surfaceflinger_26_0 (fd (use)))
-(allow vr_hwc_26_0 system_server_26_0 (binder (call transfer)))
-(allow system_server_26_0 vr_hwc_26_0 (binder (transfer)))
-(allow vr_hwc_26_0 system_server_26_0 (fd (use)))
-(allow vr_hwc_26_0 vr_hwc_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_171_26_0 vr_hwc_service_26_0 (service_manager (add)))
-(neverallow vr_hwc_26_0 unlabeled_26_0 (service_manager (add)))
-(allow vr_hwc_26_0 hwservicemanager_26_0 (binder (call transfer)))
-(allow hwservicemanager_26_0 vr_hwc_26_0 (binder (call transfer)))
-(allow hwservicemanager_26_0 vr_hwc_26_0 (dir (search)))
-(allow hwservicemanager_26_0 vr_hwc_26_0 (file (read open)))
-(allow hwservicemanager_26_0 vr_hwc_26_0 (process (getattr)))
-(allow vr_hwc_26_0 system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow vr_hwc_26_0 ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow vr_hwc_26_0 pdx_display_client_endpoint_dir_type (dir (ioctl read getattr lock search open)))
-(allow vr_hwc_26_0 pdx_display_client_endpoint_socket_type (sock_file (ioctl read write getattr lock append open)))
-(allow vr_hwc_26_0 pdx_display_client_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
-(allow vr_hwc_26_0 pdx_display_client_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
-(allow vr_hwc_26_0 pdx_display_client_server_type (fd (use)))
-(allow pdx_display_client_server_type vr_hwc_26_0 (fd (use)))
-(allow vr_hwc_26_0 permission_service_26_0 (service_manager (find)))
-(allow watchdogd_26_0 watchdog_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow watchdogd_26_0 kmsg_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow wificond_26_0 servicemanager_26_0 (binder (call transfer)))
-(allow servicemanager_26_0 wificond_26_0 (dir (search)))
-(allow servicemanager_26_0 wificond_26_0 (file (read open)))
-(allow servicemanager_26_0 wificond_26_0 (process (getattr)))
-(allow wificond_26_0 system_server_26_0 (binder (call transfer)))
-(allow system_server_26_0 wificond_26_0 (binder (transfer)))
-(allow wificond_26_0 system_server_26_0 (fd (use)))
-(allow wificond_26_0 wificond_service_26_0 (service_manager (add find)))
-(neverallow base_typeattr_172_26_0 wificond_service_26_0 (service_manager (add)))
-(neverallow wificond_26_0 unlabeled_26_0 (service_manager (add)))
-(allow wificond_26_0 property_socket_26_0 (sock_file (write)))
-(allow wificond_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow wificond_26_0 wifi_prop_26_0 (property_service (set)))
-(allow wificond_26_0 wifi_prop_26_0 (file (ioctl read getattr lock open)))
-(allow wificond_26_0 property_socket_26_0 (sock_file (write)))
-(allow wificond_26_0 init_26_0 (unix_stream_socket (connectto)))
-(allow wificond_26_0 ctl_default_prop_26_0 (property_service (set)))
-(allow wificond_26_0 ctl_default_prop_26_0 (file (ioctl read getattr lock open)))
-(allow wificond_26_0 self (udp_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx wificond_26_0 self (ioctl udp_socket (0x8914)))
-(allow wificond_26_0 self (capability (net_admin net_raw)))
-(allow wificond_26_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow wificond_26_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow wificond_26_0 proc_net_26_0 (dir (ioctl read getattr lock search open)))
-(allow wificond_26_0 proc_net_26_0 (file (ioctl read getattr lock open)))
-(allow wificond_26_0 proc_net_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow wificond_26_0 wifi_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow wificond_26_0 wifi_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow wificond_26_0 permission_service_26_0 (service_manager (find)))
-(allow wificond_26_0 dumpstate_26_0 (fd (use)))
-(allow wificond_26_0 dumpstate_26_0 (fifo_file (write)))
-(allow init_26_0 hal_audio_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_audio_default (process (transition)))
-(allow hal_audio_default hal_audio_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_audio_default (process (noatsecure)))
-(allow init_26_0 hal_audio_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_audio_default_exec process hal_audio_default)
-(typetransition hal_audio_default tmpfs_26_0 file hal_audio_default_tmpfs)
-(allow hal_audio_default hal_audio_default_tmpfs (file (read write getattr)))
-(allow hal_audio_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_bluetooth_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_bluetooth_default (process (transition)))
-(allow hal_bluetooth_default hal_bluetooth_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_bluetooth_default (process (noatsecure)))
-(allow init_26_0 hal_bluetooth_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_bluetooth_default_exec process hal_bluetooth_default)
-(typetransition hal_bluetooth_default tmpfs_26_0 file hal_bluetooth_default_tmpfs)
-(allow hal_bluetooth_default hal_bluetooth_default_tmpfs (file (read write getattr)))
-(allow hal_bluetooth_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_bootctl_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_bootctl_default (process (transition)))
-(allow hal_bootctl_default hal_bootctl_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_bootctl_default (process (noatsecure)))
-(allow init_26_0 hal_bootctl_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_bootctl_default_exec process hal_bootctl_default)
-(typetransition hal_bootctl_default tmpfs_26_0 file hal_bootctl_default_tmpfs)
-(allow hal_bootctl_default hal_bootctl_default_tmpfs (file (read write getattr)))
-(allow hal_bootctl_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_camera_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_camera_default (process (transition)))
-(allow hal_camera_default hal_camera_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_camera_default (process (noatsecure)))
-(allow init_26_0 hal_camera_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_camera_default_exec process hal_camera_default)
-(typetransition hal_camera_default tmpfs_26_0 file hal_camera_default_tmpfs)
-(allow hal_camera_default hal_camera_default_tmpfs (file (read write getattr)))
-(allow hal_camera_default tmpfs_26_0 (dir (getattr search)))
-(allow hal_camera_default fwk_sensor_hwservice_26_0 (hwservice_manager (find)))
-(allow init_26_0 hal_configstore_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_configstore_default (process (transition)))
-(allow hal_configstore_default hal_configstore_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_configstore_default (process (noatsecure)))
-(allow init_26_0 hal_configstore_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_configstore_default_exec process hal_configstore_default)
-(typetransition hal_configstore_default tmpfs_26_0 file hal_configstore_default_tmpfs)
-(allow hal_configstore_default hal_configstore_default_tmpfs (file (read write getattr)))
-(allow hal_configstore_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_contexthub_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_contexthub_default (process (transition)))
-(allow hal_contexthub_default hal_contexthub_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_contexthub_default (process (noatsecure)))
-(allow init_26_0 hal_contexthub_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_contexthub_default_exec process hal_contexthub_default)
-(typetransition hal_contexthub_default tmpfs_26_0 file hal_contexthub_default_tmpfs)
-(allow hal_contexthub_default hal_contexthub_default_tmpfs (file (read write getattr)))
-(allow hal_contexthub_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_drm_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_drm_default (process (transition)))
-(allow hal_drm_default hal_drm_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_drm_default (process (noatsecure)))
-(allow init_26_0 hal_drm_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_drm_default_exec process hal_drm_default)
-(typetransition hal_drm_default tmpfs_26_0 file hal_drm_default_tmpfs)
-(allow hal_drm_default hal_drm_default_tmpfs (file (read write getattr)))
-(allow hal_drm_default tmpfs_26_0 (dir (getattr search)))
-(allow hal_drm_default mediacodec_26_0 (fd (use)))
-(allow hal_drm_default base_typeattr_100_26_0 (fd (use)))
-(allow init_26_0 hal_dumpstate_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_dumpstate_default (process (transition)))
-(allow hal_dumpstate_default hal_dumpstate_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_dumpstate_default (process (noatsecure)))
-(allow init_26_0 hal_dumpstate_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_dumpstate_default_exec process hal_dumpstate_default)
-(typetransition hal_dumpstate_default tmpfs_26_0 file hal_dumpstate_default_tmpfs)
-(allow hal_dumpstate_default hal_dumpstate_default_tmpfs (file (read write getattr)))
-(allow hal_dumpstate_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_fingerprint_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_fingerprint_default (process (transition)))
-(allow hal_fingerprint_default hal_fingerprint_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_fingerprint_default (process (noatsecure)))
-(allow init_26_0 hal_fingerprint_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_fingerprint_default_exec process hal_fingerprint_default)
-(typetransition hal_fingerprint_default tmpfs_26_0 file hal_fingerprint_default_tmpfs)
-(allow hal_fingerprint_default hal_fingerprint_default_tmpfs (file (read write getattr)))
-(allow hal_fingerprint_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_gatekeeper_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_gatekeeper_default (process (transition)))
-(allow hal_gatekeeper_default hal_gatekeeper_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_gatekeeper_default (process (noatsecure)))
-(allow init_26_0 hal_gatekeeper_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_gatekeeper_default_exec process hal_gatekeeper_default)
-(typetransition hal_gatekeeper_default tmpfs_26_0 file hal_gatekeeper_default_tmpfs)
-(allow hal_gatekeeper_default hal_gatekeeper_default_tmpfs (file (read write getattr)))
-(allow hal_gatekeeper_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_gnss_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_gnss_default (process (transition)))
-(allow hal_gnss_default hal_gnss_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_gnss_default (process (noatsecure)))
-(allow init_26_0 hal_gnss_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_gnss_default_exec process hal_gnss_default)
-(typetransition hal_gnss_default tmpfs_26_0 file hal_gnss_default_tmpfs)
-(allow hal_gnss_default hal_gnss_default_tmpfs (file (read write getattr)))
-(allow hal_gnss_default tmpfs_26_0 (dir (getattr search)))
-(allow hal_gnss system_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow hal_gnss system_file_26_0 (file (ioctl read getattr lock open)))
-(allow hal_gnss system_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 hal_graphics_allocator_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_graphics_allocator_default (process (transition)))
-(allow hal_graphics_allocator_default hal_graphics_allocator_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_graphics_allocator_default (process (noatsecure)))
-(allow init_26_0 hal_graphics_allocator_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_graphics_allocator_default_exec process hal_graphics_allocator_default)
-(typetransition hal_graphics_allocator_default tmpfs_26_0 file hal_graphics_allocator_default_tmpfs)
-(allow hal_graphics_allocator_default hal_graphics_allocator_default_tmpfs (file (read write getattr)))
-(allow hal_graphics_allocator_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_graphics_composer_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_graphics_composer_default (process (transition)))
-(allow hal_graphics_composer_default hal_graphics_composer_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_graphics_composer_default (process (noatsecure)))
-(allow init_26_0 hal_graphics_composer_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_graphics_composer_default_exec process hal_graphics_composer_default)
-(typetransition hal_graphics_composer_default tmpfs_26_0 file hal_graphics_composer_default_tmpfs)
-(allow hal_graphics_composer_default hal_graphics_composer_default_tmpfs (file (read write getattr)))
-(allow hal_graphics_composer_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_health_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_health_default (process (transition)))
-(allow hal_health_default hal_health_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_health_default (process (noatsecure)))
-(allow init_26_0 hal_health_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_health_default_exec process hal_health_default)
-(typetransition hal_health_default tmpfs_26_0 file hal_health_default_tmpfs)
-(allow hal_health_default hal_health_default_tmpfs (file (read write getattr)))
-(allow hal_health_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_ir_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_ir_default (process (transition)))
-(allow hal_ir_default hal_ir_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_ir_default (process (noatsecure)))
-(allow init_26_0 hal_ir_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_ir_default_exec process hal_ir_default)
-(typetransition hal_ir_default tmpfs_26_0 file hal_ir_default_tmpfs)
-(allow hal_ir_default hal_ir_default_tmpfs (file (read write getattr)))
-(allow hal_ir_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_keymaster_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_keymaster_default (process (transition)))
-(allow hal_keymaster_default hal_keymaster_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_keymaster_default (process (noatsecure)))
-(allow init_26_0 hal_keymaster_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_keymaster_default_exec process hal_keymaster_default)
-(typetransition hal_keymaster_default tmpfs_26_0 file hal_keymaster_default_tmpfs)
-(allow hal_keymaster_default hal_keymaster_default_tmpfs (file (read write getattr)))
-(allow hal_keymaster_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_light_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_light_default (process (transition)))
-(allow hal_light_default hal_light_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_light_default (process (noatsecure)))
-(allow init_26_0 hal_light_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_light_default_exec process hal_light_default)
-(typetransition hal_light_default tmpfs_26_0 file hal_light_default_tmpfs)
-(allow hal_light_default hal_light_default_tmpfs (file (read write getattr)))
-(allow hal_light_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_memtrack_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_memtrack_default (process (transition)))
-(allow hal_memtrack_default hal_memtrack_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_memtrack_default (process (noatsecure)))
-(allow init_26_0 hal_memtrack_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_memtrack_default_exec process hal_memtrack_default)
-(typetransition hal_memtrack_default tmpfs_26_0 file hal_memtrack_default_tmpfs)
-(allow hal_memtrack_default hal_memtrack_default_tmpfs (file (read write getattr)))
-(allow hal_memtrack_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_nfc_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_nfc_default (process (transition)))
-(allow hal_nfc_default hal_nfc_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_nfc_default (process (noatsecure)))
-(allow init_26_0 hal_nfc_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_nfc_default_exec process hal_nfc_default)
-(typetransition hal_nfc_default tmpfs_26_0 file hal_nfc_default_tmpfs)
-(allow hal_nfc_default hal_nfc_default_tmpfs (file (read write getattr)))
-(allow hal_nfc_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 mediacodec_exec_26_0 (file (read getattr execute open)))
-(allow init_26_0 mediacodec_26_0 (process (transition)))
-(allow mediacodec_26_0 mediacodec_exec_26_0 (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 mediacodec_26_0 (process (noatsecure)))
-(allow init_26_0 mediacodec_26_0 (process (siginh rlimitinh)))
-(typetransition init_26_0 mediacodec_exec_26_0 process mediacodec)
-(typetransition mediacodec_26_0 tmpfs_26_0 file mediacodec_tmpfs)
-(allow mediacodec_26_0 mediacodec_tmpfs (file (read write getattr)))
-(allow mediacodec_26_0 tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_power_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_power_default (process (transition)))
-(allow hal_power_default hal_power_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_power_default (process (noatsecure)))
-(allow init_26_0 hal_power_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_power_default_exec process hal_power_default)
-(typetransition hal_power_default tmpfs_26_0 file hal_power_default_tmpfs)
-(allow hal_power_default hal_power_default_tmpfs (file (read write getattr)))
-(allow hal_power_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_sensors_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_sensors_default (process (transition)))
-(allow hal_sensors_default hal_sensors_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_sensors_default (process (noatsecure)))
-(allow init_26_0 hal_sensors_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_sensors_default_exec process hal_sensors_default)
-(typetransition hal_sensors_default tmpfs_26_0 file hal_sensors_default_tmpfs)
-(allow hal_sensors_default hal_sensors_default_tmpfs (file (read write getattr)))
-(allow hal_sensors_default tmpfs_26_0 (dir (getattr search)))
-(allow hal_sensors_default fwk_scheduler_hwservice_26_0 (hwservice_manager (find)))
-(allow init_26_0 hal_thermal_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_thermal_default (process (transition)))
-(allow hal_thermal_default hal_thermal_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_thermal_default (process (noatsecure)))
-(allow init_26_0 hal_thermal_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_thermal_default_exec process hal_thermal_default)
-(typetransition hal_thermal_default tmpfs_26_0 file hal_thermal_default_tmpfs)
-(allow hal_thermal_default hal_thermal_default_tmpfs (file (read write getattr)))
-(allow hal_thermal_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_tv_cec_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_tv_cec_default (process (transition)))
-(allow hal_tv_cec_default hal_tv_cec_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_tv_cec_default (process (noatsecure)))
-(allow init_26_0 hal_tv_cec_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_tv_cec_default_exec process hal_tv_cec_default)
-(typetransition hal_tv_cec_default tmpfs_26_0 file hal_tv_cec_default_tmpfs)
-(allow hal_tv_cec_default hal_tv_cec_default_tmpfs (file (read write getattr)))
-(allow hal_tv_cec_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_tv_input_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_tv_input_default (process (transition)))
-(allow hal_tv_input_default hal_tv_input_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_tv_input_default (process (noatsecure)))
-(allow init_26_0 hal_tv_input_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_tv_input_default_exec process hal_tv_input_default)
-(typetransition hal_tv_input_default tmpfs_26_0 file hal_tv_input_default_tmpfs)
-(allow hal_tv_input_default hal_tv_input_default_tmpfs (file (read write getattr)))
-(allow hal_tv_input_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_usb_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_usb_default (process (transition)))
-(allow hal_usb_default hal_usb_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_usb_default (process (noatsecure)))
-(allow init_26_0 hal_usb_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_usb_default_exec process hal_usb_default)
-(typetransition hal_usb_default tmpfs_26_0 file hal_usb_default_tmpfs)
-(allow hal_usb_default hal_usb_default_tmpfs (file (read write getattr)))
-(allow hal_usb_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_vibrator_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_vibrator_default (process (transition)))
-(allow hal_vibrator_default hal_vibrator_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_vibrator_default (process (noatsecure)))
-(allow init_26_0 hal_vibrator_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_vibrator_default_exec process hal_vibrator_default)
-(typetransition hal_vibrator_default tmpfs_26_0 file hal_vibrator_default_tmpfs)
-(allow hal_vibrator_default hal_vibrator_default_tmpfs (file (read write getattr)))
-(allow hal_vibrator_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_vr_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_vr_default (process (transition)))
-(allow hal_vr_default hal_vr_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_vr_default (process (noatsecure)))
-(allow init_26_0 hal_vr_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_vr_default_exec process hal_vr_default)
-(typetransition hal_vr_default tmpfs_26_0 file hal_vr_default_tmpfs)
-(allow hal_vr_default hal_vr_default_tmpfs (file (read write getattr)))
-(allow hal_vr_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_wifi_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_wifi_default (process (transition)))
-(allow hal_wifi_default hal_wifi_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_wifi_default (process (noatsecure)))
-(allow init_26_0 hal_wifi_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_wifi_default_exec process hal_wifi_default)
-(typetransition hal_wifi_default tmpfs_26_0 file hal_wifi_default_tmpfs)
-(allow hal_wifi_default hal_wifi_default_tmpfs (file (read write getattr)))
-(allow hal_wifi_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_wifi_offload_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_wifi_offload_default (process (transition)))
-(allow hal_wifi_offload_default hal_wifi_offload_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_wifi_offload_default (process (noatsecure)))
-(allow init_26_0 hal_wifi_offload_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_wifi_offload_default_exec process hal_wifi_offload_default)
-(typetransition hal_wifi_offload_default tmpfs_26_0 file hal_wifi_offload_default_tmpfs)
-(allow hal_wifi_offload_default hal_wifi_offload_default_tmpfs (file (read write getattr)))
-(allow hal_wifi_offload_default tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 hal_wifi_supplicant_default_exec (file (read getattr execute open)))
-(allow init_26_0 hal_wifi_supplicant_default (process (transition)))
-(allow hal_wifi_supplicant_default hal_wifi_supplicant_default_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hal_wifi_supplicant_default (process (noatsecure)))
-(allow init_26_0 hal_wifi_supplicant_default (process (siginh rlimitinh)))
-(typetransition init_26_0 hal_wifi_supplicant_default_exec process hal_wifi_supplicant_default)
-(typetransition hal_wifi_supplicant_default tmpfs_26_0 file hal_wifi_supplicant_default_tmpfs)
-(allow hal_wifi_supplicant_default hal_wifi_supplicant_default_tmpfs (file (read write getattr)))
-(allow hal_wifi_supplicant_default tmpfs_26_0 (dir (getattr search)))
-(allow hal_wifi_supplicant_default hwservicemanager_26_0 (binder (call transfer)))
-(allow hwservicemanager_26_0 hal_wifi_supplicant_default (binder (call transfer)))
-(allow hwservicemanager_26_0 hal_wifi_supplicant_default (dir (search)))
-(allow hwservicemanager_26_0 hal_wifi_supplicant_default (file (read open)))
-(allow hwservicemanager_26_0 hal_wifi_supplicant_default (process (getattr)))
-(allow hal_wifi_supplicant_default system_wifi_keystore_hwservice_26_0 (hwservice_manager (find)))
-(allow hal_wifi_supplicant_default wifi_keystore_service_server (binder (call transfer)))
-(allow wifi_keystore_service_server hal_wifi_supplicant_default (binder (transfer)))
-(allow hal_wifi_supplicant_default wifi_keystore_service_server (fd (use)))
-(allow init_26_0 hostapd_exec (file (read getattr execute open)))
-(allow init_26_0 hostapd (process (transition)))
-(allow hostapd hostapd_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 hostapd (process (noatsecure)))
-(allow init_26_0 hostapd (process (siginh rlimitinh)))
-(typetransition init_26_0 hostapd_exec process hostapd)
-(typetransition hostapd tmpfs_26_0 file hostapd_tmpfs)
-(allow hostapd hostapd_tmpfs (file (read write getattr)))
-(allow hostapd tmpfs_26_0 (dir (getattr search)))
-(allow hostapd self (capability (net_admin net_raw)))
-(allow hostapd sysfs_26_0 (file (ioctl read getattr lock open)))
-(allow hostapd sysfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hostapd proc_net_26_0 (file (read getattr open)))
-(allowx hostapd self (ioctl udp_socket (0x6900 0x6902)))
-(allowx hostapd self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx hostapd self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hostapd self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hostapd self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hostapd self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hostapd self (netlink_route_socket (nlmsg_write)))
-(allow hostapd wifi_data_file_26_0 (file (ioctl read write getattr lock append open)))
-(allow hostapd wifi_data_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow hostapd wifi_data_file_26_0 (file (ioctl read getattr lock open)))
-(allow hostapd wifi_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow hostapd hostapd_socket (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hostapd hostapd_socket (sock_file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow init_26_0 rild_exec (file (read getattr execute open)))
-(allow init_26_0 rild_26_0 (process (transition)))
-(allow rild_26_0 rild_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 rild_26_0 (process (noatsecure)))
-(allow init_26_0 rild_26_0 (process (siginh rlimitinh)))
-(typetransition init_26_0 rild_exec process rild)
-(typetransition rild_26_0 tmpfs_26_0 file rild_tmpfs)
-(allow rild_26_0 rild_tmpfs (file (read write getattr)))
-(allow rild_26_0 tmpfs_26_0 (dir (getattr search)))
-(allow init_26_0 tee_exec (file (read getattr execute open)))
-(allow init_26_0 tee_26_0 (process (transition)))
-(allow tee_26_0 tee_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 tee_26_0 (process (noatsecure)))
-(allow init_26_0 tee_26_0 (process (siginh rlimitinh)))
-(typetransition init_26_0 tee_exec process tee)
-(typetransition tee_26_0 tmpfs_26_0 file tee_tmpfs)
-(allow tee_26_0 tee_tmpfs (file (read write getattr)))
-(allow tee_26_0 tmpfs_26_0 (dir (getattr search)))
-(allow tee_26_0 self (capability (dac_override)))
-(allow tee_26_0 tee_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow tee_26_0 tee_data_file_26_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow tee_26_0 tee_data_file_26_0 (file (ioctl read write create getattr setattr lock append unlink rename open)))
-(allow tee_26_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow tee_26_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow tee_26_0 ion_device_26_0 (chr_file (ioctl read getattr lock open)))
-(allow tee_26_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow tee_26_0 sysfs_type (file (ioctl read getattr lock open)))
-(allow tee_26_0 sysfs_type (lnk_file (ioctl read getattr lock open)))
-(allow tee_26_0 system_data_file_26_0 (file (read getattr)))
-(allow tee_26_0 system_data_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 vendor_toolbox_exec_26_0 (file (read getattr execute open)))
-(allow init_26_0 vendor_modprobe (process (transition)))
-(allow vendor_modprobe vendor_toolbox_exec_26_0 (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 vendor_modprobe (process (noatsecure)))
-(allow init_26_0 vendor_modprobe (process (siginh rlimitinh)))
-(allow vendor_modprobe proc_modules_26_0 (file (ioctl read getattr lock open)))
-(allow vendor_modprobe self (capability (sys_module)))
-(allow vendor_modprobe kernel_26_0 (key (search)))
-(allow vendor_modprobe vendor_file_26_0 (system (module_load)))
-(allow vendor_modprobe vendor_file_26_0 (dir (ioctl read getattr lock search open)))
-(allow vendor_modprobe vendor_file_26_0 (file (ioctl read getattr lock open)))
-(allow vendor_modprobe vendor_file_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow init_26_0 vndservicemanager_exec (file (read getattr execute open)))
-(allow init_26_0 vndservicemanager_26_0 (process (transition)))
-(allow vndservicemanager_26_0 vndservicemanager_exec (file (read getattr execute entrypoint open)))
-(dontaudit init_26_0 vndservicemanager_26_0 (process (noatsecure)))
-(allow init_26_0 vndservicemanager_26_0 (process (siginh rlimitinh)))
-(typetransition init_26_0 vndservicemanager_exec process vndservicemanager)
-(typetransition vndservicemanager_26_0 tmpfs_26_0 file vndservicemanager_tmpfs)
-(allow vndservicemanager_26_0 vndservicemanager_tmpfs (file (read write getattr)))
-(allow vndservicemanager_26_0 tmpfs_26_0 (dir (getattr search)))
-(allow vndservicemanager_26_0 self (binder (set_context_mgr)))
-(allow vndservicemanager_26_0 base_typeattr_173_26_0 (binder (transfer)))
-(allow vndservicemanager_26_0 vndbinder_device_26_0 (chr_file (ioctl read write getattr lock append open)))
-(allow vndservicemanager_26_0 vndservice_contexts_file_26_0 (file (ioctl read getattr lock open)))
-(allow vndservicemanager_26_0 selinuxfs_26_0 (dir (ioctl read getattr lock search open)))
-(allow vndservicemanager_26_0 selinuxfs_26_0 (file (ioctl read getattr lock open)))
-(allow vndservicemanager_26_0 selinuxfs_26_0 (lnk_file (ioctl read getattr lock open)))
-(allow vndservicemanager_26_0 selinuxfs_26_0 (file (write lock append open)))
-(allow vndservicemanager_26_0 kernel_26_0 (security (compute_av)))
-(allow vndservicemanager_26_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(typetransition hal_wifi_supplicant_default wifi_data_file_26_0 dir "sockets" wpa_socket)
-(typeattribute base_typeattr_173_26_0)
-(typeattributeset base_typeattr_173_26_0 ((and (domain) ((not (coredomain init_26_0))))))
-(typeattribute base_typeattr_172_26_0)
-(typeattributeset base_typeattr_172_26_0 ((and (domain) ((not (wificond_26_0))))))
-(typeattribute base_typeattr_171_26_0)
-(typeattributeset base_typeattr_171_26_0 ((and (domain) ((not (vr_hwc_26_0))))))
-(typeattribute base_typeattr_170_26_0)
-(typeattributeset base_typeattr_170_26_0 ((and (domain) ((not (init_26_0 kernel_26_0 vold_26_0))))))
-(typeattribute base_typeattr_169_26_0)
-(typeattributeset base_typeattr_169_26_0 ((and (domain) ((not (kernel_26_0 vold_26_0))))))
-(typeattribute base_typeattr_168_26_0)
-(typeattributeset base_typeattr_168_26_0 ((and (domain) ((not (virtual_touchpad_26_0))))))
-(typeattribute base_typeattr_167_26_0)
-(typeattributeset base_typeattr_167_26_0 ((and (coredomain) ((not (init_26_0 modprobe_26_0))))))
-(typeattribute base_typeattr_166_26_0)
-(typeattributeset base_typeattr_166_26_0 ((and (domain) ((not (update_engine_26_0))))))
-(typeattribute base_typeattr_165_26_0)
-(typeattributeset base_typeattr_165_26_0 ((and (fs_type file_type) ((not (toolbox_exec_26_0))))))
-(typeattribute base_typeattr_164_26_0)
-(typeattributeset base_typeattr_164_26_0 ((and (service_manager_type) ((not (gatekeeper_service_26_0 incident_service_26_0 installd_service_26_0 netd_service_26_0 virtual_touchpad_service_26_0 vr_hwc_service_26_0))))))
-(typeattribute base_typeattr_163_26_0)
-(typeattributeset base_typeattr_163_26_0 ((and (fs_type file_type) ((not (sgdisk_exec_26_0))))))
-(typeattribute base_typeattr_162_26_0)
-(typeattributeset base_typeattr_162_26_0 ((and (domain) ((not (hwservicemanager_26_0 init_26_0 vndservicemanager_26_0))))))
-(typeattribute base_typeattr_161_26_0)
-(typeattributeset base_typeattr_161_26_0 ((and (appdomain) ((not (system_app_26_0))))))
-(typeattribute base_typeattr_160_26_0)
-(typeattributeset base_typeattr_160_26_0 ((and (domain) ((not (radio_26_0))))))
-(typeattribute base_typeattr_159_26_0)
-(typeattributeset base_typeattr_159_26_0 ((and (core_property_type) ((not (audio_prop_26_0 config_prop_26_0 cppreopt_prop_26_0 dalvik_prop_26_0 debuggerd_prop_26_0 debug_prop_26_0 default_prop_26_0 dhcp_prop_26_0 dumpstate_prop_26_0 ffs_prop_26_0 fingerprint_prop_26_0 logd_prop_26_0 net_radio_prop_26_0 nfc_prop_26_0 pan_result_prop_26_0 persist_debug_prop_26_0 powerctl_prop_26_0 radio_prop_26_0 restorecon_prop_26_0 shell_prop_26_0 system_prop_26_0 system_radio_prop_26_0 vold_prop_26_0))))))
-(typeattribute base_typeattr_158_26_0)
-(typeattributeset base_typeattr_158_26_0 ((and (domain) ((not (performanced_26_0))))))
-(typeattribute base_typeattr_157_26_0)
-(typeattributeset base_typeattr_157_26_0 ((and (domain) ((not (dumpstate_26_0 netd_26_0 system_server_26_0))))))
-(typeattribute base_typeattr_156_26_0)
-(typeattributeset base_typeattr_156_26_0 ((and (domain) ((not (netd_26_0))))))
-(typeattribute base_typeattr_155_26_0)
-(typeattributeset base_typeattr_155_26_0 ((and (domain) ((not (mediaserver_26_0))))))
-(typeattribute base_typeattr_154_26_0)
-(typeattributeset base_typeattr_154_26_0 ((and (domain) ((not (mediametrics_26_0))))))
-(typeattribute base_typeattr_153_26_0)
-(typeattributeset base_typeattr_153_26_0 ((and (domain) ((not (mediaextractor_26_0))))))
-(typeattribute base_typeattr_152_26_0)
-(typeattributeset base_typeattr_152_26_0 ((and (domain) ((not (mediadrmserver_26_0))))))
-(typeattribute base_typeattr_151_26_0)
-(typeattributeset base_typeattr_151_26_0 ((and (domain) ((not (mediacodec_26_0))))))
-(typeattribute base_typeattr_150_26_0)
-(typeattributeset base_typeattr_150_26_0 ((and (domain) ((not (init_26_0 logd_26_0))))))
-(typeattribute base_typeattr_149_26_0)
-(typeattributeset base_typeattr_149_26_0 ((and (domain) ((not (crash_dump_26_0))))))
-(typeattribute base_typeattr_148_26_0)
-(typeattributeset base_typeattr_148_26_0 ((and (domain) ((not (init_26_0 keystore_26_0))))))
-(typeattribute base_typeattr_147_26_0)
-(typeattributeset base_typeattr_147_26_0 ((and (domain) ((not (keystore_26_0))))))
-(typeattribute base_typeattr_146_26_0)
-(typeattributeset base_typeattr_146_26_0 ((and (domain) ((not (servicemanager_26_0 su_26_0 system_server_26_0))))))
-(typeattribute base_typeattr_145_26_0)
-(typeattributeset base_typeattr_145_26_0 ((and (domain) ((not (dumpstate_26_0 installd_26_0 system_server_26_0))))))
-(typeattribute base_typeattr_144_26_0)
-(typeattributeset base_typeattr_144_26_0 ((and (domain) ((not (installd_26_0))))))
-(typeattribute base_typeattr_143_26_0)
-(typeattributeset base_typeattr_143_26_0 ((and (domain) ((not (inputflinger_26_0))))))
-(typeattribute base_typeattr_142_26_0)
-(typeattributeset base_typeattr_142_26_0 ((and (fs_type file_type) ((not (init_exec_26_0))))))
-(typeattribute base_typeattr_141_26_0)
-(typeattributeset base_typeattr_141_26_0 ((and (dev_type) ((not (kmem_device_26_0 port_device_26_0))))))
-(typeattribute base_typeattr_140_26_0)
-(typeattributeset base_typeattr_140_26_0 ((and (dev_type) ((not (device_26_0 alarm_device_26_0 ashmem_device_26_0 binder_device_26_0 hwbinder_device_26_0 dm_device_26_0 keychord_device_26_0 console_device_26_0 hw_random_device_26_0 kmem_device_26_0 port_device_26_0 ptmx_device_26_0 kmsg_device_26_0 null_device_26_0 random_device_26_0 owntty_device_26_0 zero_device_26_0 devpts_26_0))))))
-(typeattribute base_typeattr_139_26_0)
-(typeattributeset base_typeattr_139_26_0 ((and (dev_type) ((not (device_26_0 vndbinder_device_26_0 kmem_device_26_0 port_device_26_0))))))
-(typeattribute base_typeattr_138_26_0)
-(typeattributeset base_typeattr_138_26_0 ((and (fs_type) ((not (contextmount_type sdcard_type rootfs_26_0))))))
-(typeattribute base_typeattr_137_26_0)
-(typeattributeset base_typeattr_137_26_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_26_0))))))
-(typeattribute base_typeattr_136_26_0)
-(typeattributeset base_typeattr_136_26_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_26_0 runtime_event_log_tags_file_26_0 shell_data_file_26_0 keystore_data_file_26_0 vold_data_file_26_0 app_data_file_26_0 system_app_data_file_26_0 misc_logd_file_26_0))))))
-(typeattribute base_typeattr_135_26_0)
-(typeattributeset base_typeattr_135_26_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_26_0 shell_data_file_26_0 keystore_data_file_26_0 vold_data_file_26_0 app_data_file_26_0 system_app_data_file_26_0 misc_logd_file_26_0))))))
-(typeattribute base_typeattr_134_26_0)
-(typeattributeset base_typeattr_134_26_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_26_0 app_data_file_26_0 system_app_data_file_26_0 misc_logd_file_26_0))))))
-(typeattribute base_typeattr_133_26_0)
-(typeattributeset base_typeattr_133_26_0 ((and (domain) ((not (healthd_26_0))))))
-(typeattribute base_typeattr_132_26_0)
-(typeattributeset base_typeattr_132_26_0 ((and (domain) ((not (hal_wifi_supplicant_server))))))
-(typeattribute base_typeattr_131_26_0)
-(typeattributeset base_typeattr_131_26_0 ((and (domain) ((not (hal_wifi_server))))))
-(typeattribute base_typeattr_130_26_0)
-(typeattributeset base_typeattr_130_26_0 ((and (domain) ((not (hal_weaver_server))))))
-(typeattribute base_typeattr_129_26_0)
-(typeattributeset base_typeattr_129_26_0 ((and (domain) ((not (hal_vr_server))))))
-(typeattribute base_typeattr_128_26_0)
-(typeattributeset base_typeattr_128_26_0 ((and (domain) ((not (hal_vibrator_server))))))
-(typeattribute base_typeattr_127_26_0)
-(typeattributeset base_typeattr_127_26_0 ((and (domain) ((not (hal_usb_server))))))
-(typeattribute base_typeattr_126_26_0)
-(typeattributeset base_typeattr_126_26_0 ((and (domain) ((not (hal_tv_input_server))))))
-(typeattribute base_typeattr_125_26_0)
-(typeattributeset base_typeattr_125_26_0 ((and (domain) ((not (hal_tv_cec_server))))))
-(typeattribute base_typeattr_124_26_0)
-(typeattributeset base_typeattr_124_26_0 ((and (domain) ((not (hal_thermal_server))))))
-(typeattribute base_typeattr_123_26_0)
-(typeattributeset base_typeattr_123_26_0 ((and (domain) ((not (hal_telephony_server))))))
-(typeattribute base_typeattr_122_26_0)
-(typeattributeset base_typeattr_122_26_0 ((and (domain) ((not (hal_sensors_server))))))
-(typeattribute base_typeattr_121_26_0)
-(typeattributeset base_typeattr_121_26_0 ((and (domain) ((not (hal_power_server))))))
-(typeattribute base_typeattr_120_26_0)
-(typeattributeset base_typeattr_120_26_0 ((and (domain) ((not (hal_oemlock_server))))))
-(typeattribute base_typeattr_119_26_0)
-(typeattributeset base_typeattr_119_26_0 ((and (domain) ((not (hal_nfc_server))))))
-(typeattribute base_typeattr_118_26_0)
-(typeattributeset base_typeattr_118_26_0 ((and (halserverdomain) ((not (hal_dumpstate_server rild_26_0))))))
-(typeattribute base_typeattr_117_26_0)
-(typeattributeset base_typeattr_117_26_0 ((and (halserverdomain) ((not (hal_tetheroffload_server hal_wifi_server hal_wifi_supplicant_server rild_26_0))))))
-(typeattribute base_typeattr_116_26_0)
-(typeattributeset base_typeattr_116_26_0 ((and (halserverdomain) ((not (hal_bluetooth_server hal_wifi_server hal_wifi_supplicant_server rild_26_0))))))
-(typeattribute base_typeattr_115_26_0)
-(typeattributeset base_typeattr_115_26_0 ((and (domain) ((not (hal_memtrack_server))))))
-(typeattribute base_typeattr_114_26_0)
-(typeattributeset base_typeattr_114_26_0 ((and (domain) ((not (hal_light_server))))))
-(typeattribute base_typeattr_113_26_0)
-(typeattributeset base_typeattr_113_26_0 ((and (domain) ((not (hal_keymaster_server))))))
-(typeattribute base_typeattr_112_26_0)
-(typeattributeset base_typeattr_112_26_0 ((and (domain) ((not (hal_ir_server))))))
-(typeattribute base_typeattr_111_26_0)
-(typeattributeset base_typeattr_111_26_0 ((and (domain) ((not (hal_health_server))))))
-(typeattribute base_typeattr_110_26_0)
-(typeattributeset base_typeattr_110_26_0 ((and (domain) ((not (hal_graphics_composer_server))))))
-(typeattribute base_typeattr_109_26_0)
-(typeattributeset base_typeattr_109_26_0 ((and (domain) ((not (hal_graphics_allocator_server))))))
-(typeattribute base_typeattr_108_26_0)
-(typeattributeset base_typeattr_108_26_0 ((and (domain) ((not (hal_gnss_server))))))
-(typeattribute base_typeattr_107_26_0)
-(typeattributeset base_typeattr_107_26_0 ((and (domain) ((not (hal_gatekeeper_server))))))
-(typeattribute base_typeattr_106_26_0)
-(typeattributeset base_typeattr_106_26_0 ((and (domain) ((not (hal_fingerprint_server))))))
-(typeattribute base_typeattr_105_26_0)
-(typeattributeset base_typeattr_105_26_0 ((and (domain) ((not (hal_dumpstate_server))))))
-(typeattribute base_typeattr_104_26_0)
-(typeattributeset base_typeattr_104_26_0 ((and (domain) ((not (hal_drm_server))))))
-(typeattribute base_typeattr_103_26_0)
-(typeattributeset base_typeattr_103_26_0 ((and (domain) ((not (hal_contexthub_server))))))
-(typeattribute base_typeattr_102_26_0)
-(typeattributeset base_typeattr_102_26_0 ((and (domain) ((not (hal_configstore_server))))))
-(typeattribute base_typeattr_101_26_0)
-(typeattributeset base_typeattr_101_26_0 ((and (halserverdomain) ((not (hal_camera_server))))))
-(typeattribute base_typeattr_100_26_0)
-(typeattributeset base_typeattr_100_26_0 ((and (appdomain) ((not (isolated_app_26_0))))))
-(typeattribute base_typeattr_99_26_0)
-(typeattributeset base_typeattr_99_26_0 ((and (domain) ((not (hal_camera_server))))))
-(typeattribute base_typeattr_98_26_0)
-(typeattributeset base_typeattr_98_26_0 ((and (domain) ((not (hal_bootctl_server))))))
-(typeattribute base_typeattr_97_26_0)
-(typeattributeset base_typeattr_97_26_0 ((and (domain) ((not (hal_bluetooth_server))))))
-(typeattribute base_typeattr_96_26_0)
-(typeattributeset base_typeattr_96_26_0 ((and (halserverdomain) ((not (hal_audio_server))))))
-(typeattribute base_typeattr_95_26_0)
-(typeattributeset base_typeattr_95_26_0 ((and (domain) ((not (hal_audio_server))))))
-(typeattribute base_typeattr_94_26_0)
-(typeattributeset base_typeattr_94_26_0 ((and (domain) ((not (hal_allocator_server))))))
-(typeattribute base_typeattr_93_26_0)
-(typeattributeset base_typeattr_93_26_0 ((and (domain) ((not (gatekeeperd_26_0))))))
-(typeattribute base_typeattr_92_26_0)
-(typeattributeset base_typeattr_92_26_0 ((and (domain) ((not (vold_26_0))))))
-(typeattribute base_typeattr_91_26_0)
-(typeattributeset base_typeattr_91_26_0 ((and (fs_type file_type) ((not (fsck_exec_26_0))))))
-(typeattribute base_typeattr_90_26_0)
-(typeattributeset base_typeattr_90_26_0 ((and (domain) ((not (init_26_0 vold_26_0))))))
-(typeattribute base_typeattr_89_26_0)
-(typeattributeset base_typeattr_89_26_0 ((and (domain) ((not (fingerprintd_26_0))))))
-(typeattribute base_typeattr_88_26_0)
-(typeattributeset base_typeattr_88_26_0 ((and (domain) ((not (dumpstate_26_0 shell_26_0 system_server_26_0))))))
-(typeattribute base_typeattr_87_26_0)
-(typeattributeset base_typeattr_87_26_0 ((and (domain) ((not (dumpstate_26_0))))))
-(typeattribute base_typeattr_86_26_0)
-(typeattributeset base_typeattr_86_26_0 ((and (service_manager_type) ((not (dumpstate_service_26_0 gatekeeper_service_26_0 incident_service_26_0 virtual_touchpad_service_26_0 vr_hwc_service_26_0))))))
-(typeattribute base_typeattr_85_26_0)
-(typeattributeset base_typeattr_85_26_0 ((and (domain) ((not (drmserver_26_0))))))
-(typeattribute base_typeattr_84_26_0)
-(typeattributeset base_typeattr_84_26_0 ((not (coredomain))))
-(typeattribute base_typeattr_83_26_0)
-(typeattributeset base_typeattr_83_26_0 ((not (rootfs_26_0 system_file_26_0 vendor_file_26_0))))
-(typeattribute base_typeattr_82_26_0)
-(typeattributeset base_typeattr_82_26_0 ((and (domain) ((not (installd_26_0 profman_26_0))))))
-(typeattribute base_typeattr_81_26_0)
-(typeattributeset base_typeattr_81_26_0 ((and (domain) ((not (dumpstate_26_0 init_26_0 system_server_26_0))))))
-(typeattribute base_typeattr_80_26_0)
-(typeattributeset base_typeattr_80_26_0 ((not (hwservicemanager_26_0))))
-(typeattribute base_typeattr_79_26_0)
-(typeattributeset base_typeattr_79_26_0 ((not (servicemanager_26_0 vndservicemanager_26_0))))
-(typeattribute base_typeattr_78_26_0)
-(typeattributeset base_typeattr_78_26_0 ((and (domain) ((not (appdomain adbd_26_0 dumpstate_26_0 installd_26_0 uncrypt_26_0))))))
-(typeattribute base_typeattr_77_26_0)
-(typeattributeset base_typeattr_77_26_0 ((and (domain) ((not (appdomain adbd_26_0 dumpstate_26_0 init_26_0 installd_26_0 system_server_26_0 uncrypt_26_0))))))
-(typeattribute base_typeattr_76_26_0)
-(typeattributeset base_typeattr_76_26_0 ((and (domain) ((not (adbd_26_0 dumpstate_26_0 init_26_0 installd_26_0 shell_26_0 vold_26_0))))))
-(typeattribute base_typeattr_75_26_0)
-(typeattributeset base_typeattr_75_26_0 ((and (domain) ((not (installd_26_0 shell_26_0 uncrypt_26_0))))))
-(typeattribute base_typeattr_74_26_0)
-(typeattributeset base_typeattr_74_26_0 ((and (domain) ((not (appdomain installd_26_0 uncrypt_26_0))))))
-(typeattribute base_typeattr_73_26_0)
-(typeattributeset base_typeattr_73_26_0 ((and (appdomain) ((not (bluetooth_26_0 shell_26_0 su_26_0))))))
-(typeattribute base_typeattr_72_26_0)
-(typeattributeset base_typeattr_72_26_0 ((and (domain) ((not (runas_26_0 webview_zygote_26_0 zygote_26_0))))))
-(typeattribute base_typeattr_71_26_0)
-(typeattributeset base_typeattr_71_26_0 ((and (domain) ((not (adbd_26_0 init_26_0 runas_26_0 zygote_26_0))))))
-(typeattribute base_typeattr_70_26_0)
-(typeattributeset base_typeattr_70_26_0 ((and (domain) ((not (appdomain installd_26_0))))))
-(typeattribute base_typeattr_69_26_0)
-(typeattributeset base_typeattr_69_26_0 ((and (domain) ((not (appdomain installd_26_0 system_server_26_0))))))
-(typeattribute base_typeattr_68_26_0)
-(typeattributeset base_typeattr_68_26_0 ((and (domain) ((not (init_26_0 installd_26_0 system_app_26_0 system_server_26_0))))))
-(typeattribute base_typeattr_67_26_0)
-(typeattributeset base_typeattr_67_26_0 ((not (domain))))
-(typeattribute base_typeattr_66_26_0)
-(typeattributeset base_typeattr_66_26_0 ((and (domain) ((not (untrusted_app_all))))))
-(typeattribute base_typeattr_65_26_0)
-(typeattributeset base_typeattr_65_26_0 ((and (file_type) ((not (apk_data_file_26_0 app_data_file_26_0 asec_public_file_26_0))))))
-(typeattribute base_typeattr_64_26_0)
-(typeattributeset base_typeattr_64_26_0 ((and (domain) ((not (dumpstate_26_0 shell_26_0 su_26_0))))))
-(typeattribute base_typeattr_63_26_0)
-(typeattributeset base_typeattr_63_26_0 ((and (domain) ((not (dumpstate_26_0 system_server_26_0))))))
-(typeattribute base_typeattr_62_26_0)
-(typeattributeset base_typeattr_62_26_0 ((and (domain) ((not (crash_dump_26_0 mediacodec_26_0 mediaextractor_26_0))))))
-(typeattribute base_typeattr_61_26_0)
-(typeattributeset base_typeattr_61_26_0 ((and (domain) ((not (crash_dump_26_0 dumpstate_26_0 mediacodec_26_0 mediaextractor_26_0 system_server_26_0 tombstoned_26_0))))))
-(typeattribute base_typeattr_60_26_0)
-(typeattributeset base_typeattr_60_26_0 ((and (domain) ((not (system_server_26_0 webview_zygote_26_0))))))
-(typeattribute base_typeattr_59_26_0)
-(typeattributeset base_typeattr_59_26_0 ((and (domain) ((not (system_server_26_0))))))
-(typeattribute base_typeattr_58_26_0)
-(typeattributeset base_typeattr_58_26_0 ((and (domain) ((not (system_server_26_0 zygote_26_0))))))
-(typeattribute base_typeattr_57_26_0)
-(typeattributeset base_typeattr_57_26_0 ((and (domain) ((not (cppreopts_26_0 dex2oat_26_0 init_26_0 installd_26_0 otapreopt_slot_26_0 postinstall_dexopt_26_0 zygote_26_0))))))
-(typeattribute base_typeattr_56_26_0)
-(typeattributeset base_typeattr_56_26_0 ((and (exec_type) ((not (vendor_file_type crash_dump_exec_26_0 netutils_wrapper_exec_26_0))))))
-(typeattribute base_typeattr_55_26_0)
-(typeattributeset base_typeattr_55_26_0 ((and (domain) ((not (appdomain coredomain vendor_executes_system_violators rild_26_0))))))
-(typeattribute base_typeattr_54_26_0)
-(typeattributeset base_typeattr_54_26_0 ((and (coredomain) ((not (init_26_0))))))
-(typeattribute base_typeattr_53_26_0)
-(typeattributeset base_typeattr_53_26_0 ((and (coredomain) ((not (appdomain idmap_26_0 init_26_0 installd_26_0 system_server_26_0 zygote_26_0))))))
-(typeattribute base_typeattr_52_26_0)
-(typeattributeset base_typeattr_52_26_0 ((and (coredomain) ((not (appdomain dex2oat_26_0 idmap_26_0 init_26_0 installd_26_0 postinstall_dexopt_26_0 system_server_26_0))))))
-(typeattribute base_typeattr_51_26_0)
-(typeattributeset base_typeattr_51_26_0 ((and (dev_type file_type) ((not (core_data_file_type coredomain_socket unlabeled_26_0))))))
-(typeattribute base_typeattr_50_26_0)
-(typeattributeset base_typeattr_50_26_0 ((and (coredomain) ((not (socket_between_core_and_vendor_violators init_26_0 ueventd_26_0))))))
-(typeattribute base_typeattr_49_26_0)
-(typeattributeset base_typeattr_49_26_0 ((and (core_data_file_type coredomain_socket unlabeled_26_0) ((not (pdx_endpoint_socket_type pdx_channel_socket_type app_data_file_26_0))))))
-(typeattribute base_typeattr_48_26_0)
-(typeattributeset base_typeattr_48_26_0 ((and (domain) ((not (netdomain coredomain socket_between_core_and_vendor_violators))))))
-(typeattribute base_typeattr_47_26_0)
-(typeattributeset base_typeattr_47_26_0 ((and (coredomain) ((not (incidentd_26_0 init_26_0 logd_26_0 mdnsd_26_0 netd_26_0 su_26_0 tombstoned_26_0))))))
-(typeattribute base_typeattr_46_26_0)
-(typeattributeset base_typeattr_46_26_0 ((and (domain) ((not (appdomain coredomain socket_between_core_and_vendor_violators))))))
-(typeattribute base_typeattr_45_26_0)
-(typeattributeset base_typeattr_45_26_0 ((and (domain) ((not (coredomain socket_between_core_and_vendor_violators))))))
-(typeattribute base_typeattr_44_26_0)
-(typeattributeset base_typeattr_44_26_0 ((and (coredomain) ((not (adbd_26_0 init_26_0))))))
-(typeattribute base_typeattr_43_26_0)
-(typeattributeset base_typeattr_43_26_0 ((and (coredomain) ((not (shell_26_0 su_26_0))))))
-(typeattribute base_typeattr_42_26_0)
-(typeattributeset base_typeattr_42_26_0 ((and (coredomain) ((not (shell_26_0 su_26_0 ueventd_26_0))))))
-(typeattribute base_typeattr_41_26_0)
-(typeattributeset base_typeattr_41_26_0 ((and (service_manager_type) ((not (app_api_service ephemeral_app_api_service audioserver_service_26_0 cameraserver_service_26_0 drmserver_service_26_0 keystore_service_26_0 mediaserver_service_26_0 mediametrics_service_26_0 mediaextractor_service_26_0 mediadrmserver_service_26_0 mediacasserver_service_26_0 nfc_service_26_0 radio_service_26_0 surfaceflinger_service_26_0 virtual_touchpad_service_26_0 vr_hwc_service_26_0 vr_manager_service_26_0))))))
-(typeattribute base_typeattr_40_26_0)
-(typeattributeset base_typeattr_40_26_0 ((and (appdomain) ((not (coredomain))))))
-(typeattribute base_typeattr_39_26_0)
-(typeattributeset base_typeattr_39_26_0 ((and (domain) ((not (appdomain coredomain binder_in_vendor_violators))))))
-(typeattribute base_typeattr_38_26_0)
-(typeattributeset base_typeattr_38_26_0 ((and (domain) ((not (hwservicemanager_26_0 servicemanager_26_0 vndservicemanager_26_0))))))
-(typeattribute base_typeattr_37_26_0)
-(typeattributeset base_typeattr_37_26_0 ((and (domain) ((not (domain hal_bootctl init_26_0 recovery_26_0 ueventd_26_0 uncrypt_26_0 update_engine_26_0 vold_26_0))))))
-(typeattribute base_typeattr_36_26_0)
-(typeattributeset base_typeattr_36_26_0 ((and (domain) ((not (install_recovery_26_0 recovery_26_0))))))
-(typeattribute base_typeattr_35_26_0)
-(typeattributeset base_typeattr_35_26_0 ((and (domain) ((not (recovery_26_0 update_engine_26_0))))))
-(typeattribute base_typeattr_34_26_0)
-(typeattributeset base_typeattr_34_26_0 ((and (domain) ((not (init_26_0 recovery_26_0 vold_26_0))))))
-(typeattribute base_typeattr_33_26_0)
-(typeattributeset base_typeattr_33_26_0 ((and (domain) ((not (init_26_0 recovery_26_0 shell_26_0 system_server_26_0 ueventd_26_0))))))
-(typeattribute base_typeattr_32_26_0)
-(typeattributeset base_typeattr_32_26_0 ((and (domain) ((not (init_26_0 system_server_26_0))))))
-(typeattribute base_typeattr_31_26_0)
-(typeattributeset base_typeattr_31_26_0 ((and (domain) ((not (hal_drm adbd_26_0 dumpstate_26_0 init_26_0 mediadrmserver_26_0 recovery_26_0 shell_26_0 system_server_26_0))))))
-(typeattribute base_typeattr_30_26_0)
-(typeattributeset base_typeattr_30_26_0 ((and (fs_type) ((not (contextmount_type))))))
-(typeattribute base_typeattr_29_26_0)
-(typeattributeset base_typeattr_29_26_0 ((and (domain) ((not (kernel_26_0 recovery_26_0))))))
-(typeattribute base_typeattr_28_26_0)
-(typeattributeset base_typeattr_28_26_0 ((and (domain) ((not (shell_26_0))))))
-(typeattribute base_typeattr_27_26_0)
-(typeattributeset base_typeattr_27_26_0 ((and (data_file_type) ((not (system_data_file_26_0 apk_data_file_26_0 dalvikcache_data_file_26_0))))))
-(typeattribute base_typeattr_26_26_0)
-(typeattributeset base_typeattr_26_26_0 ((and (domain) ((not (appdomain))))))
-(typeattribute base_typeattr_25_26_0)
-(typeattributeset base_typeattr_25_26_0 ((and (fs_type) ((not (rootfs_26_0))))))
-(typeattribute base_typeattr_24_26_0)
-(typeattributeset base_typeattr_24_26_0 ((and (domain) ((not (appdomain recovery_26_0))))))
-(typeattribute base_typeattr_23_26_0)
-(typeattributeset base_typeattr_23_26_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_26_0 postinstall_file_26_0))))))
-(typeattribute base_typeattr_22_26_0)
-(typeattributeset base_typeattr_22_26_0 ((and (domain) ((not (appdomain dumpstate_26_0 shell_26_0 su_26_0 system_server_26_0 webview_zygote_26_0 zygote_26_0))))))
-(typeattribute base_typeattr_21_26_0)
-(typeattributeset base_typeattr_21_26_0 ((and (fs_type) ((not (sdcard_type))))))
-(typeattribute base_typeattr_20_26_0)
-(typeattributeset base_typeattr_20_26_0 ((and (domain) ((not (init_26_0 kernel_26_0 otapreopt_chroot_26_0 recovery_26_0 update_engine_26_0 vold_26_0 zygote_26_0))))))
-(typeattribute base_typeattr_19_26_0)
-(typeattributeset base_typeattr_19_26_0 ((and (domain) ((not (init_26_0 kernel_26_0 recovery_26_0))))))
-(typeattribute base_typeattr_18_26_0)
-(typeattributeset base_typeattr_18_26_0 ((and (domain) ((not (shell_26_0 ueventd_26_0))))))
-(typeattribute base_typeattr_17_26_0)
-(typeattributeset base_typeattr_17_26_0 ((and (file_type) ((not (exec_type postinstall_file_26_0))))))
-(typeattribute base_typeattr_16_26_0)
-(typeattributeset base_typeattr_16_26_0 ((and (domain) ((not (init_26_0 shell_26_0 system_server_26_0 ueventd_26_0))))))
-(typeattribute base_typeattr_15_26_0)
-(typeattributeset base_typeattr_15_26_0 ((and (domain) ((not (kernel_26_0))))))
-(typeattribute base_typeattr_14_26_0)
-(typeattributeset base_typeattr_14_26_0 ((and (domain) ((not (recovery_26_0))))))
-(typeattribute base_typeattr_13_26_0)
-(typeattributeset base_typeattr_13_26_0 ((and (domain) ((not (domain healthd_26_0 init_26_0 kernel_26_0 recovery_26_0 tee_26_0 ueventd_26_0 uncrypt_26_0))))))
-(typeattribute base_typeattr_12_26_0)
-(typeattributeset base_typeattr_12_26_0 ((and (domain) ((not (init_26_0 kernel_26_0 ueventd_26_0 vold_26_0))))))
-(typeattribute base_typeattr_11_26_0)
-(typeattributeset base_typeattr_11_26_0 ((and (domain) ((not (init_26_0 recovery_26_0))))))
-(typeattribute base_typeattr_10_26_0)
-(typeattributeset base_typeattr_10_26_0 ((all)))
-(typeattribute base_typeattr_9_26_0)
-(typeattributeset base_typeattr_9_26_0 ((and (domain) ((not (domain))))))
-(typeattribute base_typeattr_8_26_0)
-(typeattributeset base_typeattr_8_26_0 ((and (domain) ((not (coredomain))))))
-(typeattribute base_typeattr_7_26_0)
-(typeattributeset base_typeattr_7_26_0 ((and (domain) ((not (servicemanager_26_0 vndservicemanager_26_0))))))
-(typeattribute base_typeattr_6_26_0)
-(typeattributeset base_typeattr_6_26_0 ((and (appdomain coredomain binder_in_vendor_violators) ((not (hwservicemanager_26_0))))))
-(typeattribute base_typeattr_5_26_0)
-(typeattributeset base_typeattr_5_26_0 ((and (domain) ((not (init_26_0))))))
-(typeattribute base_typeattr_4_26_0)
-(typeattributeset base_typeattr_4_26_0 ((and (domain) ((not (display_service_server))))))
-(typeattribute base_typeattr_3_26_0)
-(typeattributeset base_typeattr_3_26_0 ((and (domain) ((not (crash_dump_26_0 init_26_0 keystore_26_0 logd_26_0))))))
-(typeattribute base_typeattr_2_26_0)
-(typeattributeset base_typeattr_2_26_0 ((and (domain) ((not (cameraserver_26_0))))))
-(typeattribute base_typeattr_1_26_0)
-(typeattributeset base_typeattr_1_26_0 ((and (domain) ((not (bufferhubd_26_0))))))
diff --git a/prebuilts/api/26.0/private/access_vectors b/prebuilts/api/26.0/private/access_vectors
deleted file mode 100644
index 74cf530..0000000
--- a/prebuilts/api/26.0/private/access_vectors
+++ /dev/null
@@ -1,710 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- unlink
- link
- rename
- execute
- quotaon
- mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define a common for capability access vectors.
-#
-common cap
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the cap2 common.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-common cap2
-{
- mac_override # unused by SELinux
- mac_admin # unused by SELinux
- syslog
- wake_alarm
- block_suspend
- audit_read
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- associate
- quotamod
- quotaget
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
- open
- audit_access
- execmod
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
- open
- audit_access
-}
-
-class lnk_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
- open
- audit_access
-}
-
-class blk_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class sock_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class fifo_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- recvfrom
- sendto
-}
-
-class netif
-{
- ingress
- egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
- setkeycreate
- setsockcreate
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
- read_policy
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
- module_request
- module_load
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-#
-
-class capability
-inherits cap
-
-class capability2
-inherits cap2
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
- nlmsg_tty_audit
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
- setcontext
- polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
- send
- recv
- relabelto
- flow_in # deprecated
- flow_out # deprecated
- forward_in
- forward_out
-}
-
-class key
-{
- view
- read
- write
- search
- link
- setattr
- create
-}
-
-class dccp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class memprotect
-{
- mmap_zero
-}
-
-# network peer labels
-class peer
-{
- recv
-}
-
-class kernel_service
-{
- use_as_override
- create_files_as
-}
-
-class tun_socket
-inherits socket
-{
- attach_queue
-}
-
-class binder
-{
- impersonate
- call
- set_context_mgr
- transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-#
-# Define the access vector interpretation for controlling capabilities
-# in user namespaces
-#
-
-class cap_userns
-inherits cap
-
-class cap2_userns
-inherits cap2
-
-
-#
-# Define the access vector interpretation for the new socket classes
-# enabled by the extended_socket_class policy capability.
-#
-
-#
-# The next two classes were previously mapped to rawip_socket and therefore
-# have the same definition as rawip_socket (until further permissions
-# are defined).
-#
-class sctp_socket
-inherits socket
-{
- node_bind
-}
-
-class icmp_socket
-inherits socket
-{
- node_bind
-}
-
-#
-# The remaining network socket classes were previously
-# mapped to the socket class and therefore have the
-# same definition as socket.
-#
-
-class ax25_socket
-inherits socket
-
-class ipx_socket
-inherits socket
-
-class netrom_socket
-inherits socket
-
-class atmpvc_socket
-inherits socket
-
-class x25_socket
-inherits socket
-
-class rose_socket
-inherits socket
-
-class decnet_socket
-inherits socket
-
-class atmsvc_socket
-inherits socket
-
-class rds_socket
-inherits socket
-
-class irda_socket
-inherits socket
-
-class pppox_socket
-inherits socket
-
-class llc_socket
-inherits socket
-
-class can_socket
-inherits socket
-
-class tipc_socket
-inherits socket
-
-class bluetooth_socket
-inherits socket
-
-class iucv_socket
-inherits socket
-
-class rxrpc_socket
-inherits socket
-
-class isdn_socket
-inherits socket
-
-class phonet_socket
-inherits socket
-
-class ieee802154_socket
-inherits socket
-
-class caif_socket
-inherits socket
-
-class alg_socket
-inherits socket
-
-class nfc_socket
-inherits socket
-
-class vsock_socket
-inherits socket
-
-class kcm_socket
-inherits socket
-
-class qipcrtr_socket
-inherits socket
-
-class property_service
-{
- set
-}
-
-class service_manager
-{
- add
- find
- list
-}
-
-class hwservice_manager
-{
- add
- find
- list
-}
-
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
- gen_unique_id
-}
-
-class drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-}
diff --git a/prebuilts/api/26.0/private/adbd.te b/prebuilts/api/26.0/private/adbd.te
deleted file mode 100644
index 52597eb..0000000
--- a/prebuilts/api/26.0/private/adbd.te
+++ /dev/null
@@ -1,141 +0,0 @@
-### ADB daemon
-
-typeattribute adbd coredomain;
-typeattribute adbd mlstrustedsubject;
-
-domain_auto_trans(adbd, shell_exec, shell)
-
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
-
-# Do not sanitize the environment or open fds of the shell. Allow signaling
-# created processes.
-allow adbd shell:process { noatsecure signal };
-
-# Set UID and GID to shell. Set supplementary groups.
-allow adbd self:capability { setuid setgid };
-
-# Drop capabilities from bounding set on user builds.
-allow adbd self:capability setpcap;
-
-# Create and use network sockets.
-net_domain(adbd)
-
-# Access /dev/usb-ffs/adb/ep0
-allow adbd functionfs:dir search;
-allow adbd functionfs:file rw_file_perms;
-
-# Use a pseudo tty.
-allow adbd devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow adbd shell_data_file:dir create_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-
-# adb pull /data/misc/profman.
-allow adbd profman_dump_data_file:dir r_dir_perms;
-allow adbd profman_dump_data_file:file r_file_perms;
-
-# adb push/pull sdcard.
-allow adbd tmpfs:dir search;
-allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
-allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
-# adb pull /data/anr/traces.txt
-allow adbd anr_data_file:dir r_dir_perms;
-allow adbd anr_data_file:file r_file_perms;
-
-# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-set_prop(adbd, shell_prop)
-set_prop(adbd, powerctl_prop)
-set_prop(adbd, ffs_prop)
-
-# Access device logging gating property
-get_prop(adbd, device_logging_prop)
-
-# Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
-
-# Run /system/bin/bu
-allow adbd system_file:file rx_file_perms;
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
-
-# Needed for various screenshots
-hal_client_domain(adbd, hal_graphics_allocator)
-
-# Read /data/misc/adb/adb_keys.
-allow adbd adb_keys_file:dir search;
-allow adbd adb_keys_file:file r_file_perms;
-
-userdebug_or_eng(`
- # Write debugging information to /data/adb
- # when persist.adb.trace_mask is set
- # https://code.google.com/p/android/issues/detail?id=72895
- allow adbd adb_data_file:dir rw_dir_perms;
- allow adbd adb_data_file:file create_file_perms;
-')
-
-# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd appdomain:unix_stream_socket connectto;
-
-# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
-allow adbd zygote_exec:file r_file_perms;
-allow adbd system_file:file r_file_perms;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow adbd selinuxfs:dir r_dir_perms;
-allow adbd selinuxfs:file r_file_perms;
-allow adbd kernel:security read_policy;
-allow adbd service_contexts_file:file r_file_perms;
-allow adbd file_contexts_file:file r_file_perms;
-allow adbd seapp_contexts_file:file r_file_perms;
-allow adbd property_contexts_file:file r_file_perms;
-allow adbd sepolicy_file:file r_file_perms;
-
-# Allow pulling config.gz for CTS purposes
-allow adbd config_gz:file r_file_perms;
-
-allow adbd surfaceflinger_service:service_manager find;
-allow adbd bootchart_data_file:dir search;
-allow adbd bootchart_data_file:file r_file_perms;
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow adbd storage_file:dir r_dir_perms;
-allow adbd storage_file:lnk_file r_file_perms;
-allow adbd mnt_user_file:dir r_dir_perms;
-allow adbd mnt_user_file:lnk_file r_file_perms;
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow adbd media_rw_data_file:dir create_dir_perms;
-allow adbd media_rw_data_file:file create_file_perms;
-
-r_dir_file(adbd, apk_data_file)
-
-allow adbd rootfs:dir r_dir_perms;
-
-###
-### Neverallow rules
-###
-
-# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/prebuilts/api/26.0/private/app.te b/prebuilts/api/26.0/private/app.te
deleted file mode 100644
index da8c67b..0000000
--- a/prebuilts/api/26.0/private/app.te
+++ /dev/null
@@ -1,524 +0,0 @@
-###
-### Domain for all zygote spawned apps
-###
-### This file is the base policy for all zygote spawned apps.
-### Other policy files, such as isolated_app.te, untrusted_app.te, etc
-### extend from this policy. Only policies which should apply to ALL
-### zygote spawned apps should be added here.
-###
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain ashmem_device:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Place process into foreground / background
-allow appdomain cgroup:dir { search write };
-allow appdomain cgroup:file rw_file_perms;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-userdebug_or_eng(`
- # Notify zygote of the wrapped process PID when using --invoke-with.
- allow appdomain zygote:fifo_file write;
-
- # Allow apps to create and write method traces in /data/misc/trace.
- allow appdomain method_trace_data_file:dir w_dir_perms;
- allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# Query whether a Surface supports wide color
-allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
- allow appdomain vendor_file_type:dir r_dir_perms;
- allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
- # For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
-allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read };
-
-# Write to /data/anr/traces.txt.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
- allow appdomain heapdump_data_file:file append;
-')
-
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
-# read /proc/net/xt_qtguid/stats
-r_dir_file({ appdomain -ephemeral_app}, proc_net)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow appdomain qtaguid_device:chr_file r_file_perms;
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-
-# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
-# as OMX HAL
-hwbinder_use({ appdomain -isolated_app })
-allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
-
-# Access OBBs (vfat images) mounted by vold (b/17633509)
-# File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app untrusted_v2_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
-
-# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
-get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-
-# Allow app access to mediacodec (IOMX HAL)
-binder_call({ appdomain -isolated_app }, mediacodec)
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
-neverallow { appdomain -bluetooth } self:capability2 *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Access to any of the following character devices.
-neverallow appdomain {
- audio_device
- camera_device
- dm_device
- radio_device
- rpmsg_device
- video_device
-}:chr_file { read write };
-
-# Note: Try expanding list of app domains in the future.
-neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
-
-neverallow { appdomain -nfc } nfc_device:chr_file
- { read write };
-neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
- { read write };
-neverallow appdomain tee_device:chr_file { read write };
-
-# Privileged netlink socket interfaces.
-neverallow appdomain
- domain:{
- netlink_tcpdiag_socket
- netlink_nflog_socket
- netlink_xfrm_socket
- netlink_audit_socket
- netlink_dnrt_socket
- } *;
-
-# These messages are broadcast messages from the kernel to userspace.
-# Do not allow the writing of netlink messages, which has been a source
-# of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
-
-# Sockets under /dev/socket that are not specifically typed.
-neverallow appdomain socket_device:sock_file write;
-
-# Unix domain sockets.
-neverallow appdomain adbd_socket:sock_file write;
-neverallow { appdomain -radio } rild_socket:sock_file write;
-neverallow appdomain vold_socket:sock_file write;
-neverallow appdomain zygote_socket:sock_file write;
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# Write access to /proc/pid entries for any non-app domain.
-neverallow appdomain { domain -appdomain }:file write;
-
-# signal access to non-app domains.
-# sigchld allowed for parent death notification.
-# signull allowed for kill(pid, 0) existence test.
-# All others prohibited.
-neverallow appdomain { domain -appdomain }:process
- { sigkill sigstop signal };
-
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
- { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
- { dyntransition };
-
-# Write to rootfs.
-neverallow appdomain rootfs:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to entrypoint executables.
-neverallow appdomain exec_type:file
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts. Define a different type for portions
-# that should be writable by apps.
-neverallow appdomain system_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to various other parts of /data.
-neverallow appdomain drm_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -shell }
- shell_data_file:dir_file_class_set
- { create setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -bluetooth }
- bluetooth_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- keystore_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- systemkeys_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- wifi_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- dhcp_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# access tmp apk files
-neverallow { appdomain -platform_app -priv_app }
- { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-# Access to factory files.
-neverallow appdomain efs_file:dir_file_class_set write;
-neverallow { appdomain -shell } efs_file:dir_file_class_set read;
-
-# Write to various pseudo file systems.
-neverallow { appdomain -bluetooth -nfc }
- sysfs:dir_file_class_set write;
-neverallow appdomain
- proc:dir_file_class_set write;
-
-# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
-
-# Ability to perform any filesystem operation other than statfs(2).
-# i.e. no mount(2), unmount(2), etc.
-neverallow appdomain fs_type:filesystem ~getattr;
-
-# prevent creation/manipulation of globally readable symlinks
-neverallow appdomain {
- apk_data_file
- cache_file
- cache_recovery_file
- dev_type
- rootfs
- system_file
- tmpfs
-}:lnk_file no_w_file_perms;
-
-# Denylist app domains not allowed to execute from /data
-neverallow {
- bluetooth
- isolated_app
- nfc
- radio
- shared_relro
- system_app
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
-# Applications should use the activity model for receiving events
-neverallow {
- appdomain
- -shell # bugreport
-} input_device:chr_file ~getattr;
-
-# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
-# neverallow rules for access to Bluetooth-related data files are above.
-neverallow {
- appdomain
- -bluetooth
- -system_app
-} bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/26.0/private/app_neverallows.te b/prebuilts/api/26.0/private/app_neverallows.te
deleted file mode 100644
index 3c159d5..0000000
--- a/prebuilts/api/26.0/private/app_neverallows.te
+++ /dev/null
@@ -1,215 +0,0 @@
-###
-### neverallow rules for untrusted app domains
-###
-
-# Only allow domains in AOSP to use the untrusted_app_all attribute.
-neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
-
-define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
-# Receive or send uevent messages.
-neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow all_untrusted_apps domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow all_untrusted_apps debugfs_type:file read;
-
-# Do not allow untrusted apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow all_untrusted_apps service_manager_type:service_manager add;
-
-# Do not allow untrusted apps to use VendorBinder
-neverallow all_untrusted_apps vndbinder_device:chr_file *;
-neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
-
-# Do not allow untrusted apps to connect to the property service
-# or set properties. b/10243159
-neverallow all_untrusted_apps property_socket:sock_file write;
-neverallow all_untrusted_apps init:unix_stream_socket connectto;
-neverallow all_untrusted_apps property_type:property_service set;
-
-# Do not allow untrusted apps to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and an untrusted app is allowed fork permission to itself.
-neverallow all_untrusted_apps mlstrustedsubject:process fork;
-
-# Do not allow untrusted apps to hard link to any files.
-# In particular, if an untrusted app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure untrusted apps never have this
-# capability.
-neverallow all_untrusted_apps file_type:file link;
-
-# Do not allow untrusted apps to access network MAC address file
-neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
-
-# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
-# ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
-neverallow all_untrusted_apps *:{
- socket netlink_socket packet_socket key_socket appletalk_socket
- netlink_tcpdiag_socket netlink_nflog_socket
- netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
- netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
- netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket
-} *;
-
-# Do not allow untrusted apps access to /cache
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
-
-# Do not allow untrusted apps to create/unlink files outside of its sandbox,
-# internal storage or sdcard.
-# World accessible data locations allow application to fill the device
-# with unaccounted for data. This data will not get removed during
-# application un-installation.
-neverallow all_untrusted_apps {
- fs_type
- -fuse # sdcard
- -sdcardfs # sdcard
- -vfat
- file_type
- -app_data_file # The apps sandbox itself
- -media_rw_data_file # Internal storage. Known that apps can
- # leave artfacts here after uninstall.
- -user_profile_data_file # Access to profile files
- userdebug_or_eng(`
- -method_trace_data_file # only on ro.debuggable=1
- -coredump_file # userdebug/eng only
- ')
-}:dir_file_class_set { create unlink };
-
-# No untrusted component should be touching /dev/fuse
-neverallow all_untrusted_apps fuse_device:chr_file *;
-
-# Do not allow untrusted apps to directly open tun_device
-neverallow all_untrusted_apps tun_device:chr_file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-neverallow all_untrusted_apps anr_data_file:file ~{ open append };
-neverallow all_untrusted_apps anr_data_file:dir ~search;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
-
-# Avoid all access to kernel configuration
-neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
-
-# Do not allow untrusted apps access to preloads data files
-neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
-
-# Locking of files on /system could lead to denial of service attacks
-# against privileged system components
-neverallow all_untrusted_apps system_file:file lock;
-
-# Do not permit untrusted apps to perform actions on HwBinder service_manager
-# other than find actions for services listed below
-neverallow all_untrusted_apps *:hwservice_manager ~find;
-
-# Do not permit access from apps which host arbitrary code to HwBinder services,
-# except those considered sufficiently safe for access from such apps.
-# The two main reasons for this are:
-# 1. HwBinder servers do not perform client authentication because HIDL
-# currently does not expose caller UID information and, even if it did, many
-# HwBinder services either operate at a level below that of apps (e.g., HALs)
-# or must not rely on app identity for authorization. Thus, to be safe, the
-# default assumption is that every HwBinder service treats all its clients as
-# equally authorized to perform operations offered by the service.
-# 2. HAL servers (a subset of HwBinder services) contain code with higher
-# incidence rate of security issues than system/core components and have
-# access to lower layes of the stack (all the way down to hardware) thus
-# increasing opportunities for bypassing the Android security model.
-#
-# Safe services include:
-# - same process services: because they by definition run in the process
-# of the client and thus have the same access as the client domain in which
-# the process runs
-# - coredomain_hwservice: are considered safe because they do not pose risks
-# associated with reason #2 above.
-# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
-# designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-# by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-# Binder service which apps were permitted to access.
-neverallow all_untrusted_apps {
- hwservice_manager_type
- -same_process_hwservice
- -coredomain_hwservice
- -hal_configstore_ISurfaceFlingerConfigs
- -hal_graphics_allocator_hwservice
- -hal_omx_hwservice
- -untrusted_app_visible_hwservice
-}:hwservice_manager find;
-neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
-# Make sure that the following services are never accessible by untrusted_apps
-neverallow all_untrusted_apps {
- default_android_hwservice
- hal_audio_hwservice
- hal_bluetooth_hwservice
- hal_bootctl_hwservice
- hal_camera_hwservice
- hal_contexthub_hwservice
- hal_drm_hwservice
- hal_dumpstate_hwservice
- hal_fingerprint_hwservice
- hal_gatekeeper_hwservice
- hal_gnss_hwservice
- hal_graphics_composer_hwservice
- hal_health_hwservice
- hal_ir_hwservice
- hal_keymaster_hwservice
- hal_light_hwservice
- hal_memtrack_hwservice
- hal_nfc_hwservice
- hal_oemlock_hwservice
- hal_power_hwservice
- hal_sensors_hwservice
- hal_telephony_hwservice
- hal_thermal_hwservice
- hal_tv_cec_hwservice
- hal_tv_input_hwservice
- hal_usb_hwservice
- hal_vibrator_hwservice
- hal_vr_hwservice
- hal_weaver_hwservice
- hal_wifi_hwservice
- hal_wifi_supplicant_hwservice
- hidl_base_hwservice
-}:hwservice_manager find;
-# HwBinder services offered by core components (as opposed to vendor components)
-# are considered somewhat safer due to point #2 above.
-neverallow all_untrusted_apps {
- coredomain_hwservice
- -same_process_hwservice
- -hidl_allocator_hwservice # Designed for use by any domain
- -hidl_manager_hwservice # Designed for use by any domain
- -hidl_memory_hwservice # Designed for use by any domain
- -hidl_token_hwservice # Designed for use by any domain
-}:hwservice_manager find;
-
-# Restrict *Binder access from apps to HAL domains. We can only do this on full
-# Treble devices where *Binder communications between apps and HALs are tightly
-# restricted.
-full_treble_only(`
- neverallow all_untrusted_apps {
- halserverdomain
- -coredomain
- -hal_configstore_server
- -hal_graphics_allocator_server
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- }:binder { call transfer };
-')
diff --git a/prebuilts/api/26.0/private/asan_extract.te b/prebuilts/api/26.0/private/asan_extract.te
deleted file mode 100644
index 1c20d78..0000000
--- a/prebuilts/api/26.0/private/asan_extract.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# Technically not a daemon but we do want the transition from init domain to
-# asan_extract to occur.
-with_asan(`
-typeattribute asan_extract coredomain;
-init_daemon_domain(asan_extract)
-')
diff --git a/prebuilts/api/26.0/private/atrace.te b/prebuilts/api/26.0/private/atrace.te
deleted file mode 100644
index 94d8483..0000000
--- a/prebuilts/api/26.0/private/atrace.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# Domain for atrace process spawned by boottrace service.
-
-type atrace_exec, exec_type, file_type;
-
-userdebug_or_eng(`
- type atrace, domain, coredomain, domain_deprecated;
-
- init_daemon_domain(atrace)
-
- # boottrace services uses /data/misc/boottrace/categories
- allow atrace boottrace_data_file:dir search;
- allow atrace boottrace_data_file:file r_file_perms;
-
- # atrace reads the files in /sys/kernel/debug/tracing/
- allow atrace debugfs_tracing:file r_file_perms;
-
- # atrace sets debug.atrace.* properties
- set_prop(atrace, debug_prop)
-
- # atrace pokes all the binder-enabled processes at startup.
- binder_use(atrace)
- allow atrace healthd:binder call;
- allow atrace surfaceflinger:binder call;
-')
diff --git a/prebuilts/api/26.0/private/attributes b/prebuilts/api/26.0/private/attributes
deleted file mode 100644
index fcbfecf..0000000
--- a/prebuilts/api/26.0/private/attributes
+++ /dev/null
@@ -1,9 +0,0 @@
-# Temporary attribute used for migrating permissions out of domain.
-# Motivation: Domain is overly permissive. Start removing permissions
-# from domain and assign them to the domain_deprecated attribute.
-# Domain_deprecated and domain can initially be assigned to all
-# domains. The goal is to not assign domain_deprecated to new domains
-# and to start removing domain_deprecated where it's not required or
-# reassigning the appropriate permissions to the inheriting domain
-# when necessary.
-attribute domain_deprecated;
diff --git a/prebuilts/api/26.0/private/audioserver.te b/prebuilts/api/26.0/private/audioserver.te
deleted file mode 100644
index 9119daa..0000000
--- a/prebuilts/api/26.0/private/audioserver.te
+++ /dev/null
@@ -1,66 +0,0 @@
-# audioserver - audio services daemon
-
-typeattribute audioserver coredomain;
-
-type audioserver_exec, exec_type, file_type;
-init_daemon_domain(audioserver)
-
-r_dir_file(audioserver, sdcard_type)
-
-binder_use(audioserver)
-binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, appdomain)
-binder_service(audioserver)
-
-hal_client_domain(audioserver, hal_allocator)
-# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
-r_dir_file(audioserver, system_file)
-
-hal_client_domain(audioserver, hal_audio)
-
-userdebug_or_eng(`
- # used for TEE sink - pcm capture for debug.
- allow audioserver media_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:file create_file_perms;
-
- # ptrace to processes in the same domain for memory leak detection
- allow audioserver self:process ptrace;
-')
-
-add_service(audioserver, audioserver_service)
-allow audioserver appops_service:service_manager find;
-allow audioserver batterystats_service:service_manager find;
-allow audioserver permission_service:service_manager find;
-allow audioserver power_service:service_manager find;
-allow audioserver scheduling_policy_service:service_manager find;
-
-# Grant access to audio files to audioserver
-allow audioserver audio_data_file:dir ra_dir_perms;
-allow audioserver audio_data_file:file create_file_perms;
-
-# allow access to ALSA MMAP FDs for AAudio API
-allow audioserver audio_device:chr_file { read write };
-
-# For A2DP bridge which is loaded directly into audioserver
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
-###
-### neverallow rules
-###
-
-# audioserver should never execute any executable without a
-# domain transition
-neverallow audioserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/26.0/private/binder_in_vendor_violators.te b/prebuilts/api/26.0/private/binder_in_vendor_violators.te
deleted file mode 100644
index 4a1218e..0000000
--- a/prebuilts/api/26.0/private/binder_in_vendor_violators.te
+++ /dev/null
@@ -1 +0,0 @@
-allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/26.0/private/binderservicedomain.te b/prebuilts/api/26.0/private/binderservicedomain.te
deleted file mode 100644
index 0891ee5..0000000
--- a/prebuilts/api/26.0/private/binderservicedomain.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# Rules common to all binder service domains
-
-# Allow dumpstate and incidentd to collect information from binder services
-allow binderservicedomain { dumpstate incidentd }:fd use;
-allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
-allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
-allow binderservicedomain shell_data_file:file { getattr write };
-
-# Allow dumpsys to work from adb shell or the serial console
-allow binderservicedomain devpts:chr_file rw_file_perms;
-allow binderservicedomain console_device:chr_file rw_file_perms;
-
-# Receive and write to a pipe received over Binder from an app.
-allow binderservicedomain appdomain:fd use;
-allow binderservicedomain appdomain:fifo_file write;
-
-# allow all services to run permission checks
-allow binderservicedomain permission_service:service_manager find;
-
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-
-use_keystore(binderservicedomain)
diff --git a/prebuilts/api/26.0/private/blkid.te b/prebuilts/api/26.0/private/blkid.te
deleted file mode 100644
index 090912b..0000000
--- a/prebuilts/api/26.0/private/blkid.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# blkid called from vold
-
-typeattribute blkid coredomain;
-
-type blkid_exec, exec_type, file_type;
-
-# Allowed read-only access to encrypted devices to extract UUID/label
-allow blkid block_device:dir search;
-allow blkid userdata_block_device:blk_file r_file_perms;
-allow blkid dm_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid vold:fd use;
-allow blkid vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid blkid_exec:file rx_file_perms;
-
-# Only allow entry from vold
-neverallow { domain -vold } blkid:process transition;
-neverallow * blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/private/bluetooth.te b/prebuilts/api/26.0/private/bluetooth.te
deleted file mode 100644
index 1c0e14f..0000000
--- a/prebuilts/api/26.0/private/bluetooth.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# bluetooth subsystem
-
-typeattribute bluetooth coredomain;
-typeattribute bluetooth domain_deprecated;
-
-app_domain(bluetooth)
-net_domain(bluetooth)
-
-# Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
-
-# Allow access to net_admin ioctls
-allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
-
-wakelock_use(bluetooth);
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
-allow bluetooth bluetooth_logs_data_file:file create_file_perms;
-
-# Socket creation under /data/misc/bluedroid.
-allow bluetooth bluetooth_socket:sock_file create_file_perms;
-
-allow bluetooth self:capability net_admin;
-allow bluetooth self:capability2 wake_alarm;
-
-# tethering
-allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:capability { net_admin net_raw net_bind_service };
-allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
-allow bluetooth tun_device:chr_file rw_file_perms;
-allow bluetooth efs_file:dir search;
-
-# allow Bluetooth to access uhid device for HID profile
-allow bluetooth uhid_device:chr_file rw_file_perms;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# Allow write access to bluetooth specific properties
-set_prop(bluetooth, bluetooth_prop)
-set_prop(bluetooth, pan_result_prop)
-
-allow bluetooth audioserver_service:service_manager find;
-allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth drmserver_service:service_manager find;
-allow bluetooth mediaserver_service:service_manager find;
-allow bluetooth radio_service:service_manager find;
-allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth app_api_service:service_manager find;
-allow bluetooth system_api_service:service_manager find;
-
-# already open bugreport file descriptors may be shared with
-# the bluetooth process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow bluetooth shell_data_file:file read;
-
-# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
-allow bluetooth self:capability sys_nice;
-
-hal_client_domain(bluetooth, hal_bluetooth)
-hal_client_domain(bluetooth, hal_telephony)
-
-read_runtime_log_tags(bluetooth)
-
-###
-### Neverallow rules
-###
-### These are things that the bluetooth app should NEVER be able to do
-###
-
-# Superuser capabilities.
-# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/prebuilts/api/26.0/private/bootanim.te b/prebuilts/api/26.0/private/bootanim.te
deleted file mode 100644
index 8c9f6c7..0000000
--- a/prebuilts/api/26.0/private/bootanim.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute bootanim coredomain;
-
-init_daemon_domain(bootanim)
diff --git a/prebuilts/api/26.0/private/bootstat.te b/prebuilts/api/26.0/private/bootstat.te
deleted file mode 100644
index 806144c..0000000
--- a/prebuilts/api/26.0/private/bootstat.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute bootstat coredomain;
-
-init_daemon_domain(bootstat)
diff --git a/prebuilts/api/26.0/private/cameraserver.te b/prebuilts/api/26.0/private/cameraserver.te
deleted file mode 100644
index c16c132..0000000
--- a/prebuilts/api/26.0/private/cameraserver.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute cameraserver coredomain;
-
-init_daemon_domain(cameraserver)
diff --git a/prebuilts/api/26.0/private/charger.te b/prebuilts/api/26.0/private/charger.te
deleted file mode 100644
index 65109de..0000000
--- a/prebuilts/api/26.0/private/charger.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute charger coredomain;
diff --git a/prebuilts/api/26.0/private/clatd.te b/prebuilts/api/26.0/private/clatd.te
deleted file mode 100644
index c09398d..0000000
--- a/prebuilts/api/26.0/private/clatd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute clatd coredomain;
-typeattribute clatd domain_deprecated;
diff --git a/prebuilts/api/26.0/private/cppreopts.te b/prebuilts/api/26.0/private/cppreopts.te
deleted file mode 100644
index 34f0d66..0000000
--- a/prebuilts/api/26.0/private/cppreopts.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute cppreopts coredomain;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(cppreopts)
-domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
diff --git a/prebuilts/api/26.0/private/crash_dump.te b/prebuilts/api/26.0/private/crash_dump.te
deleted file mode 100644
index fb73f08..0000000
--- a/prebuilts/api/26.0/private/crash_dump.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute crash_dump coredomain;
diff --git a/prebuilts/api/26.0/private/dex2oat.te b/prebuilts/api/26.0/private/dex2oat.te
deleted file mode 100644
index 89c3970..0000000
--- a/prebuilts/api/26.0/private/dex2oat.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute dex2oat coredomain;
-typeattribute dex2oat domain_deprecated;
diff --git a/prebuilts/api/26.0/private/dexoptanalyzer.te b/prebuilts/api/26.0/private/dexoptanalyzer.te
deleted file mode 100644
index db81d0d..0000000
--- a/prebuilts/api/26.0/private/dexoptanalyzer.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# dexoptanalyzer
-type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
-type dexoptanalyzer_exec, exec_type, file_type;
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by dexoptanalyzer vs other
-#processes.
-tmpfs_domain(dexoptanalyzer)
-
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
-allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
-allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
-allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
-
-allow dexoptanalyzer installd:fd use;
-
-# Allow reading secondary dex files that were reported by the app to the
-# package manager.
-allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file r_file_perms;
-
-# Allow testing /data/user/0 which symlinks to /data/data
-allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/prebuilts/api/26.0/private/dhcp.te b/prebuilts/api/26.0/private/dhcp.te
deleted file mode 100644
index 6a6a139..0000000
--- a/prebuilts/api/26.0/private/dhcp.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute dhcp coredomain;
-typeattribute dhcp domain_deprecated;
-
-init_daemon_domain(dhcp)
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
deleted file mode 100644
index 999c16a..0000000
--- a/prebuilts/api/26.0/private/domain.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# Transition to crash_dump when /system/bin/crash_dump* is executed.
-# This occurs when the process crashes.
-domain_auto_trans(domain, crash_dump_exec, crash_dump);
-allow domain crash_dump:process sigchld;
-
-# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these allowlisted domains.
-neverallow {
- domain
- -vold
- -dumpstate
- -storaged
- -system_server
- userdebug_or_eng(`-perfprofd')
-} self:capability sys_ptrace;
-
-# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app } *:keystore_key gen_unique_id;
diff --git a/prebuilts/api/26.0/private/domain_deprecated.te b/prebuilts/api/26.0/private/domain_deprecated.te
deleted file mode 100644
index aefb724..0000000
--- a/prebuilts/api/26.0/private/domain_deprecated.te
+++ /dev/null
@@ -1,311 +0,0 @@
-# rules removed from the domain attribute
-
-# Search /storage/emulated tmpfs mount.
-allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -sdcardd
- -surfaceflinger
- -system_server
- -vold
- -zygote
-} tmpfs:dir r_dir_perms;
-')
-
-# Inherit or receive open files from others.
-allow domain_deprecated system_server:fd use;
-userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
-')
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow domain_deprecated adbd:fd use;
-userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
-')
-
-# Root fs.
-allow domain_deprecated rootfs:dir r_dir_perms;
-allow domain_deprecated rootfs:file r_file_perms;
-allow domain_deprecated rootfs:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -fsck
- -healthd
- -installd
- -servicemanager
- -system_server
- -ueventd
- -uncrypt
- -vold
- -zygote
-} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -healthd
- -installd
- -servicemanager
- -system_server
- -ueventd
- -uncrypt
- -vold
- -zygote
-} rootfs:file r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -healthd
- -installd
- -servicemanager
- -system_server
- -ueventd
- -uncrypt
- -vold
- -zygote
-} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-')
-
-# System file accesses.
-allow domain_deprecated system_file:dir r_dir_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -installd
- -keystore
- -surfaceflinger
- -system_server
- -update_engine
- -vold
- -zygote
-} system_file:dir { open read ioctl lock }; # search getattr in domain
-')
-
-# Read files already opened under /data.
-allow domain_deprecated system_data_file:file { getattr read };
-allow domain_deprecated system_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -sdcardd
- -system_server
- -tee
-} system_data_file:file { getattr read };
-auditallow {
- domain_deprecated
- -appdomain
- -system_server
- -tee
-} system_data_file:lnk_file r_file_perms;
-')
-
-# Read apk files under /data/app.
-allow domain_deprecated apk_data_file:dir { getattr search };
-allow domain_deprecated apk_data_file:file r_file_perms;
-allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:dir { getattr search };
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:file r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:lnk_file r_file_perms;
-')
-
-# Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -system_server
- -vold
-} cache_file:dir { open read search ioctl lock };
-auditallow {
- domain_deprecated
- -appdomain
- -system_server
- -vold
-} cache_file:dir getattr;
-auditallow {
- domain_deprecated
- -system_server
- -vold
-} cache_file:file { getattr read };
-auditallow {
- domain_deprecated
- -system_server
- -vold
-} cache_file:lnk_file r_file_perms;
-')
-
-# Allow access to ion memory allocation device
-allow domain_deprecated ion_device:chr_file rw_file_perms;
-# split this auditallow into read and write perms since most domains seem to
-# only require read
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -keystore
- -surfaceflinger
- -system_server
- -tee
- -vold
- -zygote
-} ion_device:chr_file r_file_perms;
-auditallow domain_deprecated ion_device:chr_file { write append };
-')
-
-# Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, proc)
-r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, cgroup)
-allow domain_deprecated proc_meminfo:file r_file_perms;
-
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -fsck
- -fsck_untrusted
- -sdcardd
- -system_server
- -update_engine
- -vold
-} proc:file r_file_perms;
-auditallow {
- domain_deprecated
- -fsck
- -fsck_untrusted
- -system_server
- -vold
-} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow {
- domain_deprecated
- -bluetooth
- -fingerprintd
- -healthd
- -netd
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -bluetooth
- -fingerprintd
- -healthd
- -netd
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:file r_file_perms;
-auditallow {
- domain_deprecated
- -bluetooth
- -fingerprintd
- -healthd
- -netd
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow {
- domain_deprecated
- -appdomain
- -dumpstate
- -fingerprintd
- -healthd
- -inputflinger
- -installd
- -keystore
- -netd
- -surfaceflinger
- -system_server
- -zygote
-} cgroup:dir r_dir_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -dumpstate
- -fingerprintd
- -healthd
- -inputflinger
- -installd
- -keystore
- -netd
- -surfaceflinger
- -system_server
- -zygote
-} cgroup:{ file lnk_file } r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -surfaceflinger
- -system_server
- -vold
-} proc_meminfo:file r_file_perms;
-')
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -keystore
- -postinstall_dexopt
- -runas
- -servicemanager
- -system_server
- -ueventd
- -zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -keystore
- -postinstall_dexopt
- -runas
- -servicemanager
- -system_server
- -ueventd
- -zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')
diff --git a/prebuilts/api/26.0/private/drmserver.te b/prebuilts/api/26.0/private/drmserver.te
deleted file mode 100644
index afe4f0a..0000000
--- a/prebuilts/api/26.0/private/drmserver.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute drmserver coredomain;
-
-init_daemon_domain(drmserver)
-
-type_transition drmserver apk_data_file:sock_file drmserver_socket;
-
-typeattribute drmserver_socket coredomain_socket;
diff --git a/prebuilts/api/26.0/private/dumpstate.te b/prebuilts/api/26.0/private/dumpstate.te
deleted file mode 100644
index 0fe2adf..0000000
--- a/prebuilts/api/26.0/private/dumpstate.te
+++ /dev/null
@@ -1,26 +0,0 @@
-typeattribute dumpstate coredomain;
-typeattribute dumpstate domain_deprecated;
-
-init_daemon_domain(dumpstate)
-
-# Execute and transition to the vdc domain
-domain_auto_trans(dumpstate, vdc_exec, vdc)
-
-# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
-allow dumpstate system_file:file lock;
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-allow dumpstate dumpstate_tmpfs:file execute;
-
-# systrace support - allow atrace to run
-allow dumpstate debugfs_tracing:dir r_dir_perms;
-allow dumpstate debugfs_tracing:file rw_file_perms;
-allow dumpstate debugfs_trace_marker:file getattr;
-allow dumpstate atrace_exec:file rx_file_perms;
-allow dumpstate storaged_exec:file rx_file_perms;
-
-# Allow dumpstate to make binder calls to storaged service
-binder_call(dumpstate, storaged)
-
-# Collect metrics on boot time created by init
-get_prop(dumpstate, boottime_prop)
diff --git a/prebuilts/api/26.0/private/ephemeral_app.te b/prebuilts/api/26.0/private/ephemeral_app.te
deleted file mode 100644
index d664a50..0000000
--- a/prebuilts/api/26.0/private/ephemeral_app.te
+++ /dev/null
@@ -1,68 +0,0 @@
-###
-### Ephemeral apps.
-###
-### This file defines the security policy for apps with the ephemeral
-### feature.
-###
-### The ephemeral_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to ephemeral to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as ephemeral at install time.
-
-typeattribute ephemeral_app coredomain;
-
-net_domain(ephemeral_app)
-app_domain(ephemeral_app)
-
-# Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
-
-# services
-allow ephemeral_app audioserver_service:service_manager find;
-allow ephemeral_app cameraserver_service:service_manager find;
-allow ephemeral_app mediaserver_service:service_manager find;
-allow ephemeral_app mediaextractor_service:service_manager find;
-allow ephemeral_app mediacodec_service:service_manager find;
-allow ephemeral_app mediametrics_service:service_manager find;
-allow ephemeral_app mediadrmserver_service:service_manager find;
-allow ephemeral_app mediacasserver_service:service_manager find;
-allow ephemeral_app surfaceflinger_service:service_manager find;
-allow ephemeral_app radio_service:service_manager find;
-allow ephemeral_app ephemeral_app_api_service:service_manager find;
-
-###
-### neverallow rules
-###
-
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
-
-# Receive or send uevent messages.
-neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow ephemeral_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
-
-# execute gpu_device
-neverallow ephemeral_app gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow ephemeral_app sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/prebuilts/api/26.0/private/file.te b/prebuilts/api/26.0/private/file.te
deleted file mode 100644
index da5f9ad..0000000
--- a/prebuilts/api/26.0/private/file.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Compatibility with type names used in vanilla Android 4.3 and 4.4.
-typealias audio_data_file alias audio_firmware_file;
-typealias app_data_file alias platform_app_data_file;
-typealias app_data_file alias download_file;
-
-# /proc/config.gz
-type config_gz, fs_type;
diff --git a/prebuilts/api/26.0/private/file_contexts b/prebuilts/api/26.0/private/file_contexts
deleted file mode 100644
index 4485b95..0000000
--- a/prebuilts/api/26.0/private/file_contexts
+++ /dev/null
@@ -1,539 +0,0 @@
-###########################################
-# Root
-/ u:object_r:rootfs:s0
-
-# Data files
-/adb_keys u:object_r:adb_keys_file:s0
-/build\.prop u:object_r:rootfs:s0
-/default\.prop u:object_r:rootfs:s0
-/fstab\..* u:object_r:rootfs:s0
-/init\..* u:object_r:rootfs:s0
-/res(/.*)? u:object_r:rootfs:s0
-/selinux_version u:object_r:rootfs:s0
-/ueventd\..* u:object_r:rootfs:s0
-/verity_key u:object_r:rootfs:s0
-
-# Executables
-/charger u:object_r:rootfs:s0
-/init u:object_r:init_exec:s0
-/sbin(/.*)? u:object_r:rootfs:s0
-
-# For kernel modules
-/lib(/.*)? u:object_r:rootfs:s0
-
-# Empty directories
-/lost\+found u:object_r:rootfs:s0
-/acct u:object_r:cgroup:s0
-/config u:object_r:rootfs:s0
-/mnt u:object_r:tmpfs:s0
-/postinstall u:object_r:postinstall_mnt_dir:s0
-/proc u:object_r:rootfs:s0
-/root u:object_r:rootfs:s0
-/sys u:object_r:sysfs:s0
-
-# Symlinks
-/bugreports u:object_r:rootfs:s0
-/d u:object_r:rootfs:s0
-/etc u:object_r:rootfs:s0
-/sdcard u:object_r:rootfs:s0
-
-# SELinux policy files
-/nonplat_file_contexts u:object_r:file_contexts_file:s0
-/plat_file_contexts u:object_r:file_contexts_file:s0
-/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
-/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/plat_property_contexts u:object_r:property_contexts_file:s0
-/nonplat_property_contexts u:object_r:property_contexts_file:s0
-/seapp_contexts u:object_r:seapp_contexts_file:s0
-/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/sepolicy u:object_r:sepolicy_file:s0
-/plat_service_contexts u:object_r:service_contexts_file:s0
-/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/nonplat_service_contexts u:object_r:service_contexts_file:s0
-/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/vndservice_contexts u:object_r:vndservice_contexts_file:s0
-
-##########################
-# Devices
-#
-/dev(/.*)? u:object_r:device:s0
-/dev/akm8973.* u:object_r:sensors_device:s0
-/dev/accelerometer u:object_r:sensors_device:s0
-/dev/adf[0-9]* u:object_r:graphics_device:s0
-/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
-/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
-/dev/alarm u:object_r:alarm_device:s0
-/dev/ashmem u:object_r:ashmem_device:s0
-/dev/audio.* u:object_r:audio_device:s0
-/dev/binder u:object_r:binder_device:s0
-/dev/block(/.*)? u:object_r:block_device:s0
-/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
-/dev/block/loop[0-9]* u:object_r:loop_device:s0
-/dev/block/vold/.+ u:object_r:vold_device:s0
-/dev/block/ram[0-9]* u:object_r:ram_device:s0
-/dev/block/zram[0-9]* u:object_r:ram_device:s0
-/dev/bus/usb(.*)? u:object_r:usb_device:s0
-/dev/cam u:object_r:camera_device:s0
-/dev/console u:object_r:console_device:s0
-/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
-/dev/device-mapper u:object_r:dm_device:s0
-/dev/eac u:object_r:audio_device:s0
-/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
-/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
-/dev/full u:object_r:full_device:s0
-/dev/fuse u:object_r:fuse_device:s0
-/dev/graphics(/.*)? u:object_r:graphics_device:s0
-/dev/hw_random u:object_r:hw_random_device:s0
-/dev/hwbinder u:object_r:hwbinder_device:s0
-/dev/i2c-[0-9]+ u:object_r:i2c_device:s0
-/dev/input(/.*) u:object_r:input_device:s0
-/dev/iio:device[0-9]+ u:object_r:iio_device:s0
-/dev/ion u:object_r:ion_device:s0
-/dev/keychord u:object_r:keychord_device:s0
-/dev/kmem u:object_r:kmem_device:s0
-/dev/log(/.*)? u:object_r:log_device:s0
-/dev/loop-control u:object_r:loop_control_device:s0
-/dev/mem u:object_r:kmem_device:s0
-/dev/modem.* u:object_r:radio_device:s0
-/dev/mtd(/.*)? u:object_r:mtd_device:s0
-/dev/mtp_usb u:object_r:mtp_device:s0
-/dev/pmsg0 u:object_r:pmsg_device:s0
-/dev/pn544 u:object_r:nfc_device:s0
-/dev/port u:object_r:port_device:s0
-/dev/ppp u:object_r:ppp_device:s0
-/dev/ptmx u:object_r:ptmx_device:s0
-/dev/pvrsrvkm u:object_r:gpu_device:s0
-/dev/kmsg u:object_r:kmsg_device:s0
-/dev/null u:object_r:null_device:s0
-/dev/nvhdcp1 u:object_r:video_device:s0
-/dev/random u:object_r:random_device:s0
-/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
-/dev/rproc_user u:object_r:rpmsg_device:s0
-/dev/rtc[0-9] u:object_r:rtc_device:s0
-/dev/snd(/.*)? u:object_r:audio_device:s0
-/dev/snd/audio_timer_device u:object_r:audio_timer_device:s0
-/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
-/dev/socket(/.*)? u:object_r:socket_device:s0
-/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/cryptd u:object_r:vold_socket:s0
-/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
-/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
-/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
-/dev/socket/lmkd u:object_r:lmkd_socket:s0
-/dev/socket/logd u:object_r:logd_socket:s0
-/dev/socket/logdr u:object_r:logdr_socket:s0
-/dev/socket/logdw u:object_r:logdw_socket:s0
-/dev/socket/mdns u:object_r:mdns_socket:s0
-/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
-/dev/socket/mtpd u:object_r:mtpd_socket:s0
-/dev/socket/netd u:object_r:netd_socket:s0
-/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
-/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
-/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
-/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
-/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
-/dev/socket/property_service u:object_r:property_socket:s0
-/dev/socket/racoon u:object_r:racoon_socket:s0
-/dev/socket/rild u:object_r:rild_socket:s0
-/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
-/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
-/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
-/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
-/dev/socket/vold u:object_r:vold_socket:s0
-/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
-/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
-/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
-/dev/socket/zygote u:object_r:zygote_socket:s0
-/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
-/dev/spdif_out.* u:object_r:audio_device:s0
-/dev/tegra.* u:object_r:video_device:s0
-/dev/tty u:object_r:owntty_device:s0
-/dev/tty[0-9]* u:object_r:tty_device:s0
-/dev/ttyS[0-9]* u:object_r:serial_device:s0
-/dev/tun u:object_r:tun_device:s0
-/dev/uhid u:object_r:uhid_device:s0
-/dev/uinput u:object_r:uhid_device:s0
-/dev/uio[0-9]* u:object_r:uio_device:s0
-/dev/urandom u:object_r:random_device:s0
-/dev/usb_accessory u:object_r:usbaccessory_device:s0
-/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
-/dev/video[0-9]* u:object_r:video_device:s0
-/dev/vndbinder u:object_r:vndbinder_device:s0
-/dev/watchdog u:object_r:watchdog_device:s0
-/dev/xt_qtaguid u:object_r:qtaguid_device:s0
-/dev/zero u:object_r:zero_device:s0
-/dev/__properties__ u:object_r:properties_device:s0
-#############################
-# System files
-#
-/system(/.*)? u:object_r:system_file:s0
-/system/bin/atrace u:object_r:atrace_exec:s0
-/system/bin/e2fsck -- u:object_r:fsck_exec:s0
-/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
-/system/bin/tune2fs -- u:object_r:fsck_exec:s0
-/system/bin/toolbox -- u:object_r:toolbox_exec:s0
-/system/bin/toybox -- u:object_r:toolbox_exec:s0
-/system/bin/logcat -- u:object_r:logcat_exec:s0
-/system/bin/logcatd -- u:object_r:logcat_exec:s0
-/system/bin/sh -- u:object_r:shell_exec:s0
-/system/bin/run-as -- u:object_r:runas_exec:s0
-/system/bin/bootanimation u:object_r:bootanim_exec:s0
-/system/bin/bootstat u:object_r:bootstat_exec:s0
-/system/bin/app_process32 u:object_r:zygote_exec:s0
-/system/bin/app_process64 u:object_r:zygote_exec:s0
-/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
-/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
-/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
-/system/bin/performanced u:object_r:performanced_exec:s0
-/system/bin/drmserver u:object_r:drmserver_exec:s0
-/system/bin/dumpstate u:object_r:dumpstate_exec:s0
-/system/bin/incident u:object_r:incident_exec:s0
-/system/bin/incidentd u:object_r:incidentd_exec:s0
-/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
-/system/bin/vold u:object_r:vold_exec:s0
-/system/bin/netd u:object_r:netd_exec:s0
-/system/bin/wificond u:object_r:wificond_exec:s0
-/system/bin/audioserver u:object_r:audioserver_exec:s0
-/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
-/system/bin/mediaserver u:object_r:mediaserver_exec:s0
-/system/bin/mediametrics u:object_r:mediametrics_exec:s0
-/system/bin/cameraserver u:object_r:cameraserver_exec:s0
-/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
-/system/bin/mdnsd u:object_r:mdnsd_exec:s0
-/system/bin/installd u:object_r:installd_exec:s0
-/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
-/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
-/system/bin/keystore u:object_r:keystore_exec:s0
-/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
-/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
-/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
-/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
-/system/bin/tombstoned u:object_r:tombstoned_exec:s0
-/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
-/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
-/system/bin/sdcard u:object_r:sdcardd_exec:s0
-/system/bin/dhcpcd u:object_r:dhcp_exec:s0
-/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0
-/system/bin/mtpd u:object_r:mtp_exec:s0
-/system/bin/pppd u:object_r:ppp_exec:s0
-/system/bin/racoon u:object_r:racoon_exec:s0
-/system/xbin/su u:object_r:su_exec:s0
-/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
-/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
-/system/bin/healthd u:object_r:healthd_exec:s0
-/system/bin/clatd u:object_r:clatd_exec:s0
-/system/bin/lmkd u:object_r:lmkd_exec:s0
-/system/bin/inputflinger u:object_r:inputflinger_exec:s0
-/system/bin/logd u:object_r:logd_exec:s0
-/system/bin/uncrypt u:object_r:uncrypt_exec:s0
-/system/bin/update_verifier u:object_r:update_verifier_exec:s0
-/system/bin/logwrapper u:object_r:system_file:s0
-/system/bin/vdc u:object_r:vdc_exec:s0
-/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
-/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
-/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
-# patchoat executable has (essentially) the same requirements as dex2oat.
-/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/profman u:object_r:profman_exec:s0
-/system/bin/sgdisk u:object_r:sgdisk_exec:s0
-/system/bin/blkid u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
-/system/bin/idmap u:object_r:idmap_exec:s0
-/system/bin/update_engine u:object_r:update_engine_exec:s0
-/system/bin/bspatch u:object_r:update_engine_exec:s0
-/system/bin/storaged u:object_r:storaged_exec:s0
-/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
-/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
-/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
-/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
-/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
-/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
-/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
-/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
-
-#############################
-# Vendor files
-#
-/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
-/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
-/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
-/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
-
-/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
-
-/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-
-# TODO: b/36790901 move this to /vendor/etc
-/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
-/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
-/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
-/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
-
-# HAL location
-/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-
-/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
-/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
-/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
-/vendor/etc/selinux/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
-/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
-
-#############################
-# OEM and ODM files
-#
-/odm(/.*)? u:object_r:system_file:s0
-/oem(/.*)? u:object_r:oemfs:s0
-
-
-#############################
-# Data files
-#
-# NOTE: When modifying existing label rules, changes may also need to
-# propagate to the "Expanded data files" section.
-#
-/data(/.*)? u:object_r:system_data_file:s0
-/data/.layout_version u:object_r:install_data_file:s0
-/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
-/data/backup(/.*)? u:object_r:backup_data_file:s0
-/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
-/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
-/data/drm(/.*)? u:object_r:drm_data_file:s0
-/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
-/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/ota(/.*)? u:object_r:ota_data_file:s0
-/data/ota_package(/.*)? u:object_r:ota_package_file:s0
-/data/adb(/.*)? u:object_r:adb_data_file:s0
-/data/anr(/.*)? u:object_r:anr_data_file:s0
-/data/app(/.*)? u:object_r:apk_data_file:s0
-/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
-/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
-/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
-/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/data/media(/.*)? u:object_r:media_rw_data_file:s0
-/data/mediadrm(/.*)? u:object_r:media_data_file:s0
-/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
-/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
-/data/property(/.*)? u:object_r:property_data_file:s0
-/data/preloads(/.*)? u:object_r:preloads_data_file:s0
-/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
-/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
-
-# Misc data
-/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
-/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
-/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
-/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
-/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
-/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
-/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
-/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
-/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
-/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
-/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
-/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
-/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
-/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0
-/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
-/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
-/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
-/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
-/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
-/data/misc/media(/.*)? u:object_r:media_data_file:s0
-/data/misc/net(/.*)? u:object_r:net_data_file:s0
-/data/misc/reboot(/.*)? u:object_r:reboot_data_file:s0
-/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
-/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
-/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
-/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
-/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
-/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
-/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
-/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
-/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
-/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
-/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
-/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
-/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
-/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
-/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
-/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
-# TODO(calin) label profile reference differently so that only
-# profman run as a special user can write to them
-/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
-/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
-/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
-
-# Fingerprint data
-/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
-
-# Bootchart data
-/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
-
-#############################
-# Expanded data files
-#
-/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
-/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
-/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
-/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
-/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
-
-# coredump directory for userdebug/eng devices
-/cores(/.*)? u:object_r:coredump_file:s0
-
-# Wallpaper files
-/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
-
-# Ringtone files
-/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
-
-# ShortcutManager icons, e.g.
-# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
-/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
-
-# User icon files
-/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
-
-#############################
-# efs files
-#
-/efs(/.*)? u:object_r:efs_file:s0
-
-#############################
-# Cache files
-#
-/cache(/.*)? u:object_r:cache_file:s0
-/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
-# General backup/restore interchange with apps
-/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this subtree
-/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
-
-/data/cache(/.*)? u:object_r:cache_file:s0
-/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
-# General backup/restore interchange with apps
-/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this subtree
-/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
-
-#############################
-# sysfs files
-#
-/sys/class/leds(/.*)? u:object_r:sysfs_leds:s0
-/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
-/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
-/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0
-/sys/devices/virtual/misc/hw_random(/.*)? u:object_r:sysfs_hwrandom:s0
-/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
-/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
-/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
-/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
-/sys/module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
-/sys/devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
-
-#############################
-# debugfs files
-#
-/sys/kernel/debug/mmc0(/.*)? u:object_r:debugfs_mmc:s0
-
-#############################
-# tracefs files
-#
-/sys/kernel(/debug)?/tracing/buffer_size_kb u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/options/overwrite u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/options/print-tgid u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace_clock u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
-/sys/kernel(/debug)?/tracing/tracing_on u:object_r:tracing_shell_writable:s0
-
-###########################################
-# debug-only tracing
-#
-/sys/kernel/debug/tracing/events/sync/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/workqueue/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/regulator/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/pagecache/enable u:object_r:tracing_shell_writable_debug:s0
-
-/sys/kernel/debug/tracing/events/irq/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ipi/enable u:object_r:tracing_shell_writable_debug:s0
-
-/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_write_end/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_da_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_da_write_end/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/block/block_rq_issue/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/block/block_rq_complete/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/saved_cmdlines_size u:object_r:tracing_shell_writable_debug:s0
-
-#############################
-# asec containers
-/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
-/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
-/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
-/data/app-asec(/.*)? u:object_r:asec_image_file:s0
-
-#############################
-# external storage
-/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
-/mnt/user(/.*)? u:object_r:mnt_user_file:s0
-/mnt/runtime(/.*)? u:object_r:storage_file:s0
-/storage(/.*)? u:object_r:storage_file:s0
diff --git a/prebuilts/api/26.0/private/file_contexts_asan b/prebuilts/api/26.0/private/file_contexts_asan
deleted file mode 100644
index d35cd3c..0000000
--- a/prebuilts/api/26.0/private/file_contexts_asan
+++ /dev/null
@@ -1,5 +0,0 @@
-/data/asan/system/lib(/.*)? u:object_r:system_file:s0
-/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
-/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
-/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
-/system/bin/asan_extract u:object_r:asan_extract_exec:s0
diff --git a/prebuilts/api/26.0/private/fingerprintd.te b/prebuilts/api/26.0/private/fingerprintd.te
deleted file mode 100644
index 0c1dfaa..0000000
--- a/prebuilts/api/26.0/private/fingerprintd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute fingerprintd coredomain;
-typeattribute fingerprintd domain_deprecated;
-
-init_daemon_domain(fingerprintd)
diff --git a/prebuilts/api/26.0/private/fs_use b/prebuilts/api/26.0/private/fs_use
deleted file mode 100644
index 4bd1112..0000000
--- a/prebuilts/api/26.0/private/fs_use
+++ /dev/null
@@ -1,23 +0,0 @@
-# Label inodes via getxattr.
-fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
-fs_use_xattr jffs2 u:object_r:labeledfs:s0;
-fs_use_xattr ext2 u:object_r:labeledfs:s0;
-fs_use_xattr ext3 u:object_r:labeledfs:s0;
-fs_use_xattr ext4 u:object_r:labeledfs:s0;
-fs_use_xattr xfs u:object_r:labeledfs:s0;
-fs_use_xattr btrfs u:object_r:labeledfs:s0;
-fs_use_xattr f2fs u:object_r:labeledfs:s0;
-fs_use_xattr squashfs u:object_r:labeledfs:s0;
-
-# Label inodes from task label.
-fs_use_task pipefs u:object_r:pipefs:s0;
-fs_use_task sockfs u:object_r:sockfs:s0;
-
-# Label inodes from combination of task label and fs label.
-# Define type_transition rules if you want per-domain types.
-fs_use_trans devpts u:object_r:devpts:s0;
-fs_use_trans tmpfs u:object_r:tmpfs:s0;
-fs_use_trans devtmpfs u:object_r:device:s0;
-fs_use_trans shm u:object_r:shm:s0;
-fs_use_trans mqueue u:object_r:mqueue:s0;
-
diff --git a/prebuilts/api/26.0/private/fsck.te b/prebuilts/api/26.0/private/fsck.te
deleted file mode 100644
index e846797..0000000
--- a/prebuilts/api/26.0/private/fsck.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute fsck coredomain;
-typeattribute fsck domain_deprecated;
-
-init_daemon_domain(fsck)
diff --git a/prebuilts/api/26.0/private/fsck_untrusted.te b/prebuilts/api/26.0/private/fsck_untrusted.te
deleted file mode 100644
index 2a1a39f..0000000
--- a/prebuilts/api/26.0/private/fsck_untrusted.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute fsck_untrusted coredomain;
-typeattribute fsck_untrusted domain_deprecated;
diff --git a/prebuilts/api/26.0/private/gatekeeperd.te b/prebuilts/api/26.0/private/gatekeeperd.te
deleted file mode 100644
index 5e4d0a2..0000000
--- a/prebuilts/api/26.0/private/gatekeeperd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute gatekeeperd coredomain;
-
-init_daemon_domain(gatekeeperd)
diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
deleted file mode 100644
index a2d9b89..0000000
--- a/prebuilts/api/26.0/private/genfs_contexts
+++ /dev/null
@@ -1,61 +0,0 @@
-# Label inodes with the fs label.
-genfscon rootfs / u:object_r:rootfs:s0
-# proc labeling can be further refined (longest matching prefix).
-genfscon proc / u:object_r:proc:s0
-genfscon proc /config.gz u:object_r:config_gz:s0
-genfscon proc /interrupts u:object_r:proc_interrupts:s0
-genfscon proc /iomem u:object_r:proc_iomem:s0
-genfscon proc /meminfo u:object_r:proc_meminfo:s0
-genfscon proc /misc u:object_r:proc_misc:s0
-genfscon proc /modules u:object_r:proc_modules:s0
-genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
-genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
-genfscon proc /softirqs u:object_r:proc_timer:s0
-genfscon proc /stat u:object_r:proc_stat:s0
-genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
-genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
-genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
-genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
-genfscon proc /sys/net u:object_r:proc_net:s0
-genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
-genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
-genfscon proc /timer_list u:object_r:proc_timer:s0
-genfscon proc /timer_stats u:object_r:proc_timer:s0
-genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
-genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
-genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
-genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
-genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
-genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
-
-# selinuxfs booleans can be individually labeled.
-genfscon selinuxfs / u:object_r:selinuxfs:s0
-genfscon cgroup / u:object_r:cgroup:s0
-# sysfs labels can be set by userspace.
-genfscon sysfs / u:object_r:sysfs:s0
-genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
-genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:vfat:s0
-genfscon debugfs / u:object_r:debugfs:s0
-genfscon tracefs / u:object_r:debugfs_tracing:s0
-genfscon fuse / u:object_r:fuse:s0
-genfscon configfs / u:object_r:configfs:s0
-genfscon sdcardfs / u:object_r:sdcardfs:s0
-genfscon pstore / u:object_r:pstorefs:s0
-genfscon functionfs / u:object_r:functionfs:s0
-genfscon usbfs / u:object_r:usbfs:s0
-genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
diff --git a/prebuilts/api/26.0/private/hal_allocator_default.te b/prebuilts/api/26.0/private/hal_allocator_default.te
deleted file mode 100644
index 49ef178..0000000
--- a/prebuilts/api/26.0/private/hal_allocator_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_allocator_default, domain, coredomain;
-hal_server_domain(hal_allocator_default, hal_allocator)
-
-type hal_allocator_default_exec, exec_type, file_type;
-init_daemon_domain(hal_allocator_default)
diff --git a/prebuilts/api/26.0/private/healthd.te b/prebuilts/api/26.0/private/healthd.te
deleted file mode 100644
index 0693a3a..0000000
--- a/prebuilts/api/26.0/private/healthd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute healthd coredomain;
-
-init_daemon_domain(healthd)
-
-# Allow callback to storaged batteryproperties listener
-binder_call(healthd, storaged)
diff --git a/prebuilts/api/26.0/private/hwservice_contexts b/prebuilts/api/26.0/private/hwservice_contexts
deleted file mode 100644
index 0516364..0000000
--- a/prebuilts/api/26.0/private/hwservice_contexts
+++ /dev/null
@@ -1,52 +0,0 @@
-android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
-android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
-android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
-android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
-android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
-android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
-android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
-android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
-android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
-android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
-android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
-android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
-android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
-android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
-android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
-android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
-android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
-android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
-android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
-android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
-android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
-android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
-android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
-android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
-android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
-android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
-android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
-android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
-android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
-android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
-android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
-android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
-android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
-android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
-android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
-android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
-android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
-android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
-android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
-android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
-android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
-android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
-android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
-android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
-android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
-android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
-* u:object_r:default_android_hwservice:s0
diff --git a/prebuilts/api/26.0/private/hwservicemanager.te b/prebuilts/api/26.0/private/hwservicemanager.te
deleted file mode 100644
index a43eb02..0000000
--- a/prebuilts/api/26.0/private/hwservicemanager.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute hwservicemanager coredomain;
-
-init_daemon_domain(hwservicemanager)
-
-add_hwservice(hwservicemanager, hidl_manager_hwservice)
-add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/prebuilts/api/26.0/private/idmap.te b/prebuilts/api/26.0/private/idmap.te
deleted file mode 100644
index 73abf35..0000000
--- a/prebuilts/api/26.0/private/idmap.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute idmap coredomain;
diff --git a/prebuilts/api/26.0/private/incident.te b/prebuilts/api/26.0/private/incident.te
deleted file mode 100644
index b910dde..0000000
--- a/prebuilts/api/26.0/private/incident.te
+++ /dev/null
@@ -1,25 +0,0 @@
-typeattribute incident coredomain;
-
-type incident_exec, exec_type, file_type;
-
-# switch to incident domain for incident command
-domain_auto_trans(shell, incident_exec, incident)
-
-# allow incident access to stdout from its parent shell.
-allow incident shell:fd use;
-
-# allow incident to communicate use, read and write over the adb
-# connection.
-allow incident adbd:fd use;
-allow incident adbd:unix_stream_socket { read write };
-
-# allow adbd to reap incident
-allow incident adbd:process { sigchld };
-
-# Allow the incident command to talk to the incidentd over the binder, and get
-# back the incident report data from a ParcelFileDescriptor.
-binder_use(incident)
-allow incident incident_service:service_manager find;
-binder_call(incident, incidentd)
-allow incident incidentd:fifo_file write;
-
diff --git a/prebuilts/api/26.0/private/incidentd.te b/prebuilts/api/26.0/private/incidentd.te
deleted file mode 100644
index 64e174f..0000000
--- a/prebuilts/api/26.0/private/incidentd.te
+++ /dev/null
@@ -1,110 +0,0 @@
-typeattribute incidentd coredomain;
-
-init_daemon_domain(incidentd)
-type incidentd_exec, exec_type, file_type;
-binder_use(incidentd)
-wakelock_use(incidentd)
-
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-# TODO allow incidentd self:capability { setuid setgid sys_resource };
-
-# Allow incidentd to scan through /proc/pid for all processes
-r_dir_file(incidentd, domain)
-
-allow incidentd self:capability {
- # Send signals to processes
- kill
-};
-
-# Allow executing files on system, such as:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow incidentd system_file:file execute_no_trans;
-allow incidentd toolbox_exec:file rx_file_perms;
-
-# Create and write into /data/misc/incidents
-allow incidentd incident_data_file:dir rw_dir_perms;
-allow incidentd incident_data_file:file create_file_perms;
-
-# Get process attributes
-# TODO allow incidentd domain:process getattr;
-
-# Signal java processes to dump their stack and get the results
-# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
-# TODO allow incidentd anr_data_file:dir rw_dir_perms;
-# TODO allow incidentd anr_data_file:file create_file_perms;
-
-# Signal native processes to dump their stack.
-# This list comes from native_processes_to_dump in incidentd/utils.c
-allow incidentd {
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediacodec
- mediadrmserver
- mediaextractor
- mediaserver
- sdcardd
- surfaceflinger
-}:process signal;
-
-# Allow incidentd to make binder calls to any binder service
-binder_call(incidentd, binderservicedomain)
-binder_call(incidentd, appdomain)
-
-# Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:capability sys_ptrace;
-
-# Run a shell.
-allow incidentd shell_exec:file rx_file_perms;
-
-# logd access - work to be done is a PII safe log (possibly an event log?)
-# TODO read_logd(incidentd)
-# TODO control_logd(incidentd)
-
-# Allow incidentd to find these standard groups of services.
-# Others can be allowlisted individually.
-allow incidentd {
- system_server_service
- app_api_service
- system_api_service
-}:service_manager find;
-
-# Only incidentd can publish the binder service
-add_service(incidentd, incident_service)
-
-# Allow pipes from (and only from) incident
-allow incidentd incident:fd use;
-allow incidentd incident:fifo_file write;
-
-# Allow incident to call back to incident with status updates.
-binder_call(incidentd, incident)
-
-###
-### neverallow rules
-###
-
-# only system_server, system_app and incident command can find the incident service
-neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
-
-# only incidentd and the other root services in limited circumstances
-# can get to the files in /data/misc/incidents
-#
-# write, execute, append are forbidden almost everywhere
-neverallow { domain -incidentd -init -vold } incident_data_file:file {
- w_file_perms
- x_file_perms
- create
- rename
- setattr
- unlink
- append
-};
-# read is also allowed by system_server, for when the file is handed to dropbox
-neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
-# limited access to the directory itself
-neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
-
diff --git a/prebuilts/api/26.0/private/init.te b/prebuilts/api/26.0/private/init.te
deleted file mode 100644
index 568e0d3..0000000
--- a/prebuilts/api/26.0/private/init.te
+++ /dev/null
@@ -1,25 +0,0 @@
-typeattribute init coredomain;
-
-tmpfs_domain(init)
-
-# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, adbd)
-domain_trans(init, rootfs, charger)
-domain_trans(init, rootfs, healthd)
-domain_trans(init, rootfs, slideshow)
-recovery_only(`
- domain_trans(init, rootfs, recovery)
-')
-domain_trans(init, shell_exec, shell)
-domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, watchdogd)
-domain_trans(init, { rootfs toolbox_exec }, modprobe)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
-userdebug_or_eng(`
- domain_auto_trans(init, logcat_exec, logpersist)
-')
-
-# Creating files on sysfs is impossible so this isn't a threat
-# Sometimes we have to write to non-existent files to avoid conditional
-# init behavior. See b/35303861 for an example.
-dontaudit init sysfs:dir write;
diff --git a/prebuilts/api/26.0/private/install_recovery.te b/prebuilts/api/26.0/private/install_recovery.te
deleted file mode 100644
index b79d683..0000000
--- a/prebuilts/api/26.0/private/install_recovery.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute install_recovery coredomain;
-
-init_daemon_domain(install_recovery)
diff --git a/prebuilts/api/26.0/private/installd.te b/prebuilts/api/26.0/private/installd.te
deleted file mode 100644
index d726e7d..0000000
--- a/prebuilts/api/26.0/private/installd.te
+++ /dev/null
@@ -1,19 +0,0 @@
-typeattribute installd coredomain;
-typeattribute installd domain_deprecated;
-
-init_daemon_domain(installd)
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(installd, dex2oat_exec, dex2oat)
-
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Run profman in its own sandbox.
-domain_auto_trans(installd, profman_exec, profman)
-
-# Run idmap in its own sandbox.
-domain_auto_trans(installd, idmap_exec, idmap)
-
-# Create /data/.layout_version.* file
-type_transition installd system_data_file:file install_data_file;
diff --git a/prebuilts/api/26.0/private/isolated_app.te b/prebuilts/api/26.0/private/isolated_app.te
deleted file mode 100644
index 418a322..0000000
--- a/prebuilts/api/26.0/private/isolated_app.te
+++ /dev/null
@@ -1,93 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-
-typeattribute isolated_app coredomain;
-
-app_domain(isolated_app)
-
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
-
-allow isolated_app activity_service:service_manager find;
-allow isolated_app display_service:service_manager find;
-allow isolated_app webviewupdate_service:service_manager find;
-
-# Google Breakpad (crash reporter for Chrome) relies on ptrace
-# functionality. Without the ability to ptrace, the crash reporter
-# tool is broken.
-# b/20150694
-# https://code.google.com/p/chromium/issues/detail?id=475270
-allow isolated_app self:process ptrace;
-
-# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
-# by other processes. Open should never be allowed, and is blocked by
-# neverallow rules below.
-# TODO: consider removing write/append. We want to limit isolated_apps
-# ability to mutate files of any type.
-# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
-# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
-
-# For webviews, isolated_app processes can be forked from the webview_zygote
-# in addition to the zygote. Allow access to resources inherited from the
-# webview_zygote process. These rules are specialized copies of the ones in app.te.
-# Inherit FDs from the webview_zygote.
-allow isolated_app webview_zygote:fd use;
-# Notify webview_zygote of child death.
-allow isolated_app webview_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app webview_zygote:unix_dgram_socket write;
-# Read system properties managed by webview_zygote.
-allow isolated_app webview_zygote_tmpfs:file read;
-
-#####
-##### Neverallow
-#####
-
-# Do not allow isolated_app to directly open tun_device
-neverallow isolated_app tun_device:chr_file open;
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-# TODO: are there situations where isolated_apps write to this file?
-# TODO: should we tighten these restrictions further?
-neverallow isolated_app anr_data_file:file ~{ open append };
-neverallow isolated_app anr_data_file:dir ~search;
-
-# b/17487348
-# Isolated apps can only access three services,
-# activity_service, display_service and webviewupdate_service.
-neverallow isolated_app {
- service_manager_type
- -activity_service
- -display_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
-
-# Do not allow isolated_app access to /cache
-neverallow isolated_app cache_file:dir ~{ r_dir_perms };
-neverallow isolated_app cache_file:file ~{ read getattr };
-
-# Do not allow isolated_app to access external storage, except for files passed
-# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
-neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
-
-# Do not allow USB access
-neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-
-# Restrict the webview_zygote control socket.
-neverallow isolated_app webview_zygote_socket:sock_file write;
diff --git a/prebuilts/api/26.0/private/kernel.te b/prebuilts/api/26.0/private/kernel.te
deleted file mode 100644
index a4e6ebe..0000000
--- a/prebuilts/api/26.0/private/kernel.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute kernel coredomain;
-
-domain_auto_trans(kernel, init_exec, init)
diff --git a/prebuilts/api/26.0/private/keys.conf b/prebuilts/api/26.0/private/keys.conf
deleted file mode 100644
index 7a307b5..0000000
--- a/prebuilts/api/26.0/private/keys.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# Maps an arbitrary tag [TAGNAME] with the string contents found in
-# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
-# name it after the base file name of the pem file.
-#
-# Each tag (section) then allows one to specify any string found in
-# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
-# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
-#
-
-[@PLATFORM]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
-
-[@MEDIA]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
-
-[@SHARED]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
-
-# Example of ALL TARGET_BUILD_VARIANTS
-[@RELEASE]
-ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-
diff --git a/prebuilts/api/26.0/private/keystore.te b/prebuilts/api/26.0/private/keystore.te
deleted file mode 100644
index 1e56338..0000000
--- a/prebuilts/api/26.0/private/keystore.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute keystore coredomain;
-typeattribute keystore domain_deprecated;
-
-init_daemon_domain(keystore)
-
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# Offer the Wifi Keystore HwBinder service
-typeattribute keystore wifi_keystore_service_server;
-add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/prebuilts/api/26.0/private/lmkd.te b/prebuilts/api/26.0/private/lmkd.te
deleted file mode 100644
index a07ce87..0000000
--- a/prebuilts/api/26.0/private/lmkd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute lmkd coredomain;
-
-init_daemon_domain(lmkd)
diff --git a/prebuilts/api/26.0/private/logd.te b/prebuilts/api/26.0/private/logd.te
deleted file mode 100644
index 4338e40..0000000
--- a/prebuilts/api/26.0/private/logd.te
+++ /dev/null
@@ -1,39 +0,0 @@
-typeattribute logd coredomain;
-
-init_daemon_domain(logd)
-
-# logd is not allowed to write anywhere other than /data/misc/logd, and then
-# only on userdebug or eng builds
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow logd {
- file_type
- -logd_tmpfs
- -runtime_event_log_tags_file
- userdebug_or_eng(`-coredump_file -misc_logd_file')
-}:file { create write append };
-
-# protect the event-log-tags file
-neverallow {
- domain
- -appdomain # covered below
- -bootstat
- -dumpstate
- -init
- -logd
- userdebug_or_eng(`-logpersist')
- -servicemanager
- -system_server
- -surfaceflinger
- -zygote
-} runtime_event_log_tags_file:file no_rw_file_perms;
-
-neverallow {
- appdomain
- -bluetooth
- -platform_app
- -priv_app
- -radio
- -shell
- userdebug_or_eng(`-su')
- -system_app
-} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/prebuilts/api/26.0/private/logpersist.te b/prebuilts/api/26.0/private/logpersist.te
deleted file mode 100644
index 70e3198..0000000
--- a/prebuilts/api/26.0/private/logpersist.te
+++ /dev/null
@@ -1,24 +0,0 @@
-typeattribute logpersist coredomain;
-
-# android debug log storage in logpersist domains (eng and userdebug only)
-userdebug_or_eng(`
-
- r_dir_file(logpersist, cgroup)
-
- allow logpersist misc_logd_file:file create_file_perms;
- allow logpersist misc_logd_file:dir rw_dir_perms;
-
- allow logpersist self:capability sys_nice;
- allow logpersist pstorefs:dir search;
- allow logpersist pstorefs:file r_file_perms;
-
- control_logd(logpersist)
- unix_socket_connect(logpersist, logdr, logd)
- read_runtime_log_tags(logpersist)
-
-')
-
-# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
-neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/26.0/private/mac_permissions.xml b/prebuilts/api/26.0/private/mac_permissions.xml
deleted file mode 100644
index 1fcd2a4..0000000
--- a/prebuilts/api/26.0/private/mac_permissions.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policy>
-
-<!--
-
- * A signature is a hex encoded X.509 certificate or a tag defined in
- keys.conf and is required for each signer tag. The signature can
- either appear as a set of attached cert child tags or as an attribute.
- * A signer tag must contain a seinfo tag XOR multiple package stanzas.
- * Each signer/package tag is allowed to contain one seinfo tag. This tag
- represents additional info that each app can use in setting a SELinux security
- context on the eventual process as well as the apps data directory.
- * seinfo assignments are made according to the following rules:
- - Stanzas with package name refinements will be checked first.
- - Stanzas w/o package name refinements will be checked second.
- - The "default" seinfo label is automatically applied.
-
- * valid stanzas can take one of the following forms:
-
- // single cert protecting seinfo
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- // multiple certs protecting seinfo (all contained certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <seinfo value="platform" />
- </signer>
-
- // single cert protecting explicitly named app
- <signer signature="@PLATFORM" >
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
-
- // multiple certs protecting explicitly named app (all certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
--->
-
- <!-- Platform dev key in AOSP -->
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- <!-- Media key in AOSP -->
- <signer signature="@MEDIA" >
- <seinfo value="media" />
- </signer>
-
-</policy>
diff --git a/prebuilts/api/26.0/private/mdnsd.te b/prebuilts/api/26.0/private/mdnsd.te
deleted file mode 100644
index 96259e2..0000000
--- a/prebuilts/api/26.0/private/mdnsd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# mdns daemon
-
-typeattribute mdnsd coredomain;
-typeattribute mdnsd mlstrustedsubject;
-
-type mdnsd_exec, exec_type, file_type;
-init_daemon_domain(mdnsd)
-
-net_domain(mdnsd)
-
-# Read from /proc/net
-r_dir_file(mdnsd, proc_net)
diff --git a/prebuilts/api/26.0/private/mediaextractor.te b/prebuilts/api/26.0/private/mediaextractor.te
deleted file mode 100644
index c1a8521..0000000
--- a/prebuilts/api/26.0/private/mediaextractor.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mediaextractor coredomain;
-
-init_daemon_domain(mediaextractor)
diff --git a/prebuilts/api/26.0/private/mediametrics.te b/prebuilts/api/26.0/private/mediametrics.te
deleted file mode 100644
index f8b2fa5..0000000
--- a/prebuilts/api/26.0/private/mediametrics.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mediametrics coredomain;
-
-init_daemon_domain(mediametrics)
diff --git a/prebuilts/api/26.0/private/mediaserver.te b/prebuilts/api/26.0/private/mediaserver.te
deleted file mode 100644
index a9b85be..0000000
--- a/prebuilts/api/26.0/private/mediaserver.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute mediaserver coredomain;
-
-init_daemon_domain(mediaserver)
-
-# allocate and use graphic buffers
-hal_client_domain(mediaserver, hal_graphics_allocator)
-
-# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
-# of OMX HAL.
-allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/private/mls b/prebuilts/api/26.0/private/mls
deleted file mode 100644
index a561de1..0000000
--- a/prebuilts/api/26.0/private/mls
+++ /dev/null
@@ -1,100 +0,0 @@
-#################################################
-# MLS policy constraints
-#
-
-#
-# Process constraints
-#
-
-# Process transition: Require equivalence unless the subject is trusted.
-mlsconstrain process { transition dyntransition }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Process read operations: No read up unless trusted.
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
- (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Process write operations: Require equivalence unless trusted.
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
- (l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Socket constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Sockets inherit the range of their creator.
-mlsconstrain socket_class_set { create relabelfrom relabelto }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Datagram send: Sender must be equivalent to the receiver unless one of them
-# is trusted.
-mlsconstrain unix_dgram_socket { sendto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-# Stream connect: Client must be equivalent to server unless one of them
-# is trusted.
-mlsconstrain unix_stream_socket { connectto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-#
-# Directory/file constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Also, files should always be single-level.
-# Do NOT exempt mlstrustedobject types from this constraint.
-mlsconstrain dir_file_class_set { create relabelfrom relabelto }
- (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-#
-# Constraints for app data files only.
-#
-
-# Only constrain open, not read/write.
-# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must be equivalent to object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
-mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
- (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Constraints for file types other than app data files.
-#
-
-# Read operations: Subject must dominate object unless the subject
-# or the object is trusted.
-mlsconstrain dir { read getattr search }
- (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Write operations: Subject must be equivalent to the object unless the
-# subject or the object is trusted.
-mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Special case for FIFOs.
-# These can be unnamed pipes, in which case they will be labeled with the
-# creating process' label. Thus we also have an exemption when the "object"
-# is a domain type, so that processes can communicate via unnamed pipes
-# passed by binder or local socket IPC.
-mlsconstrain fifo_file { read getattr }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-mlsconstrain fifo_file { write setattr append unlink link rename }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-#
-# Binder IPC constraints
-#
-# Presently commented out, as apps are expected to call one another.
-# This would only make sense if apps were assigned categories
-# based on allowable communications rather than per-app categories.
-#mlsconstrain binder call
-# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/prebuilts/api/26.0/private/mtp.te b/prebuilts/api/26.0/private/mtp.te
deleted file mode 100644
index 3cfda0b..0000000
--- a/prebuilts/api/26.0/private/mtp.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute mtp coredomain;
-typeattribute mtp domain_deprecated;
-
-init_daemon_domain(mtp)
diff --git a/prebuilts/api/26.0/private/net.te b/prebuilts/api/26.0/private/net.te
deleted file mode 100644
index f16daf9..0000000
--- a/prebuilts/api/26.0/private/net.te
+++ /dev/null
@@ -1,24 +0,0 @@
-###
-### Domain with network access
-###
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/prebuilts/api/26.0/private/netd.te b/prebuilts/api/26.0/private/netd.te
deleted file mode 100644
index 3a824af..0000000
--- a/prebuilts/api/26.0/private/netd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute netd coredomain;
-typeattribute netd domain_deprecated;
-
-init_daemon_domain(netd)
-
-# Allow netd to spawn dnsmasq in it's own domain
-domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-
-# Allow netd to start clatd in its own domain
-domain_auto_trans(netd, clatd_exec, clatd)
diff --git a/prebuilts/api/26.0/private/netutils_wrapper.te b/prebuilts/api/26.0/private/netutils_wrapper.te
deleted file mode 100644
index f7fe32a..0000000
--- a/prebuilts/api/26.0/private/netutils_wrapper.te
+++ /dev/null
@@ -1,28 +0,0 @@
-typeattribute netutils_wrapper coredomain;
-
-r_dir_file(netutils_wrapper, system_file);
-
-# For netutils (ip, iptables, tc)
-allow netutils_wrapper self:capability net_raw;
-
-allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net:file { open read getattr };
-allow netutils_wrapper self:rawip_socket create_socket_perms;
-allow netutils_wrapper self:udp_socket create_socket_perms;
-allow netutils_wrapper self:capability net_admin;
-# ip utils need everything but ioctl
-allow netutils_wrapper self:netlink_route_socket ~ioctl;
-allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
-
-# For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
-allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
-
-# For /data/misc/net access to ndc and ip
-r_dir_file(netutils_wrapper, net_data_file)
-
-domain_auto_trans({
- domain
- -coredomain
- -appdomain
-}, netutils_wrapper_exec, netutils_wrapper)
diff --git a/prebuilts/api/26.0/private/nfc.te b/prebuilts/api/26.0/private/nfc.te
deleted file mode 100644
index 25ad702..0000000
--- a/prebuilts/api/26.0/private/nfc.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# nfc subsystem
-typeattribute nfc coredomain;
-app_domain(nfc)
-net_domain(nfc)
-
-binder_service(nfc)
-add_service(nfc, nfc_service)
-
-hal_client_domain(nfc, hal_nfc)
-
-# Data file accesses.
-allow nfc nfc_data_file:dir create_dir_perms;
-allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
-
-# SoundPool loading and playback
-allow nfc audioserver_service:service_manager find;
-allow nfc drmserver_service:service_manager find;
-allow nfc mediacodec_service:service_manager find;
-allow nfc mediametrics_service:service_manager find;
-allow nfc mediaextractor_service:service_manager find;
-allow nfc mediaserver_service:service_manager find;
-
-allow nfc radio_service:service_manager find;
-allow nfc surfaceflinger_service:service_manager find;
-allow nfc app_api_service:service_manager find;
-allow nfc system_api_service:service_manager find;
-
-# already open bugreport file descriptors may be shared with
-# the nfc process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow nfc shell_data_file:file read;
diff --git a/prebuilts/api/26.0/private/otapreopt_chroot.te b/prebuilts/api/26.0/private/otapreopt_chroot.te
deleted file mode 100644
index 1f69931..0000000
--- a/prebuilts/api/26.0/private/otapreopt_chroot.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute otapreopt_chroot coredomain;
-
-# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/prebuilts/api/26.0/private/otapreopt_slot.te b/prebuilts/api/26.0/private/otapreopt_slot.te
deleted file mode 100644
index 98b93d4..0000000
--- a/prebuilts/api/26.0/private/otapreopt_slot.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute otapreopt_slot coredomain;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(otapreopt_slot)
diff --git a/prebuilts/api/26.0/private/perfprofd.te b/prebuilts/api/26.0/private/perfprofd.te
deleted file mode 100644
index a655f1d..0000000
--- a/prebuilts/api/26.0/private/perfprofd.te
+++ /dev/null
@@ -1,5 +0,0 @@
-userdebug_or_eng(`
- typeattribute perfprofd coredomain;
- typeattribute perfprofd domain_deprecated;
- init_daemon_domain(perfprofd)
-')
diff --git a/prebuilts/api/26.0/private/platform_app.te b/prebuilts/api/26.0/private/platform_app.te
deleted file mode 100644
index fd4634a..0000000
--- a/prebuilts/api/26.0/private/platform_app.te
+++ /dev/null
@@ -1,70 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-typeattribute platform_app coredomain;
-typeattribute platform_app domain_deprecated;
-
-app_domain(platform_app)
-
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-# Read from /data/local/tmp or /data/data/com.android.shell.
-allow platform_app shell_data_file:dir search;
-allow platform_app shell_data_file:file { open getattr read };
-allow platform_app icon_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
-allow platform_app apk_private_data_file:dir search;
-# ASEC
-allow platform_app asec_apk_file:dir create_dir_perms;
-allow platform_app asec_apk_file:file create_file_perms;
-
-# Access to /data/media.
-allow platform_app media_rw_data_file:dir create_dir_perms;
-allow platform_app media_rw_data_file:file create_file_perms;
-
-# Write to /cache.
-allow platform_app cache_file:dir create_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-
-# Direct access to vold-mounted storage under /mnt/media_rw
-# This is a performance optimization that allows platform apps to bypass the FUSE layer
-allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app vfat:dir create_dir_perms;
-allow platform_app vfat:file create_file_perms;
-
-allow platform_app audioserver_service:service_manager find;
-allow platform_app cameraserver_service:service_manager find;
-allow platform_app drmserver_service:service_manager find;
-allow platform_app mediaserver_service:service_manager find;
-allow platform_app mediametrics_service:service_manager find;
-allow platform_app mediaextractor_service:service_manager find;
-allow platform_app mediacodec_service:service_manager find;
-allow platform_app mediadrmserver_service:service_manager find;
-allow platform_app mediacasserver_service:service_manager find;
-allow platform_app persistent_data_block_service:service_manager find;
-allow platform_app radio_service:service_manager find;
-allow platform_app surfaceflinger_service:service_manager find;
-allow platform_app app_api_service:service_manager find;
-allow platform_app system_api_service:service_manager find;
-allow platform_app vr_manager_service:service_manager find;
-
-# Access to /data/preloads
-allow platform_app preloads_data_file:file r_file_perms;
-allow platform_app preloads_data_file:dir r_dir_perms;
-allow platform_app preloads_media_file:file r_file_perms;
-allow platform_app preloads_media_file:dir r_dir_perms;
-
-read_runtime_log_tags(platform_app)
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as platform_app
-neverallow platform_app fuse_device:chr_file *;
diff --git a/prebuilts/api/26.0/private/policy_capabilities b/prebuilts/api/26.0/private/policy_capabilities
deleted file mode 100644
index ab55c15..0000000
--- a/prebuilts/api/26.0/private/policy_capabilities
+++ /dev/null
@@ -1,13 +0,0 @@
-# Enable new networking controls.
-policycap network_peer_controls;
-
-# Enable open permission check.
-policycap open_perms;
-
-# Enable separate security classes for
-# all network address families previously
-# mapped to the socket class and for
-# ICMP and SCTP sockets previously mapped
-# to the rawip_socket class.
-policycap extended_socket_class;
-
diff --git a/prebuilts/api/26.0/private/postinstall.te b/prebuilts/api/26.0/private/postinstall.te
deleted file mode 100644
index 363e362..0000000
--- a/prebuilts/api/26.0/private/postinstall.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute postinstall coredomain;
-
-domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/prebuilts/api/26.0/private/postinstall_dexopt.te b/prebuilts/api/26.0/private/postinstall_dexopt.te
deleted file mode 100644
index ff5fe87..0000000
--- a/prebuilts/api/26.0/private/postinstall_dexopt.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute postinstall_dexopt coredomain;
-
-# Run dex2oat/patchoat in its own sandbox.
-# We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/prebuilts/api/26.0/private/ppp.te b/prebuilts/api/26.0/private/ppp.te
deleted file mode 100644
index 9b301f4..0000000
--- a/prebuilts/api/26.0/private/ppp.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute ppp coredomain;
-typeattribute ppp domain_deprecated;
-
-domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/prebuilts/api/26.0/private/preopt2cachename.te b/prebuilts/api/26.0/private/preopt2cachename.te
deleted file mode 100644
index d10f767..0000000
--- a/prebuilts/api/26.0/private/preopt2cachename.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute preopt2cachename coredomain;
diff --git a/prebuilts/api/26.0/private/priv_app.te b/prebuilts/api/26.0/private/priv_app.te
deleted file mode 100644
index 065ea1a..0000000
--- a/prebuilts/api/26.0/private/priv_app.te
+++ /dev/null
@@ -1,168 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-
-typeattribute priv_app coredomain;
-app_domain(priv_app)
-
-# Access the network.
-net_domain(priv_app)
-# Access bluetooth.
-bluetooth_domain(priv_app)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
-create_pty(priv_app)
-
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow priv_app self:process ptrace;
-
-# Some apps ship with shared libraries that they write out
-# to their sandbox directory and then dlopen().
-allow priv_app app_data_file:file execute;
-
-allow priv_app audioserver_service:service_manager find;
-allow priv_app cameraserver_service:service_manager find;
-allow priv_app drmserver_service:service_manager find;
-allow priv_app mediacodec_service:service_manager find;
-allow priv_app mediametrics_service:service_manager find;
-allow priv_app mediadrmserver_service:service_manager find;
-allow priv_app mediacasserver_service:service_manager find;
-allow priv_app mediaextractor_service:service_manager find;
-allow priv_app mediaserver_service:service_manager find;
-allow priv_app nfc_service:service_manager find;
-allow priv_app oem_lock_service:service_manager find;
-allow priv_app radio_service:service_manager find;
-allow priv_app surfaceflinger_service:service_manager find;
-allow priv_app app_api_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
-allow priv_app persistent_data_block_service:service_manager find;
-allow priv_app recovery_service:service_manager find;
-
-# Write to /cache.
-allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow priv_app cache_file:lnk_file r_file_perms;
-
-# Write to /data/ota_package for OTA packages.
-allow priv_app ota_package_file:dir rw_dir_perms;
-allow priv_app ota_package_file:file create_file_perms;
-
-# Access to /data/media.
-allow priv_app media_rw_data_file:dir create_dir_perms;
-allow priv_app media_rw_data_file:file create_file_perms;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow priv_app shell_data_file:file r_file_perms;
-allow priv_app shell_data_file:dir r_dir_perms;
-
-# Allow verifier to access staged apks.
-allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-
-# b/18504118: Allow reads from /data/anr/traces.txt
-allow priv_app anr_data_file:file r_file_perms;
-
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
- allow priv_app perfprofd_data_file:file r_file_perms;
- allow priv_app perfprofd_data_file:dir r_dir_perms;
-')
-
-# For AppFuse.
-allow priv_app vold:fd use;
-allow priv_app fuse_device:chr_file { read write };
-
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
-r_dir_file(priv_app, rootfs)
-
-# Allow GMS core to open kernel config for OTA matching through libvintf
-allow priv_app config_gz:file { open read getattr };
-
-# access the mac address
-allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-
-# Allow GMS core to communicate with update_engine for A/B update.
-binder_call(priv_app, update_engine)
-allow priv_app update_engine_service:service_manager find;
-
-# Allow GMS core to communicate with dumpsys storaged.
-binder_call(priv_app, storaged)
-allow priv_app storaged_service:service_manager find;
-
-# Allow Phone to read/write cached ringtones (opened by system).
-allow priv_app ringtone_file:file { getattr read write };
-
-# Access to /data/preloads
-allow priv_app preloads_data_file:file r_file_perms;
-allow priv_app preloads_data_file:dir r_dir_perms;
-allow priv_app preloads_media_file:file r_file_perms;
-allow priv_app preloads_media_file:dir r_dir_perms;
-
-# TODO: revert this as part of fixing 33574909
-# android.process.media uses /dev/mtp_usb
-allow priv_app mtp_device:chr_file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# MtpServer uses /dev/usb-ffs/mtp
-allow priv_app functionfs:dir search;
-allow priv_app functionfs:file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow priv_app mnt_media_rw_file:dir search;
-
-# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
-allow priv_app keystore:keystore_key gen_unique_id;
-
-read_runtime_log_tags(priv_app)
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow priv_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow priv_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
-
-# Do not allow privileged apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow priv_app service_manager_type:service_manager add;
-
-# Do not allow privileged apps to connect to the property service
-# or set properties. b/10243159
-neverallow priv_app property_socket:sock_file write;
-neverallow priv_app init:unix_stream_socket connectto;
-neverallow priv_app property_type:property_service set;
-
-# Do not allow priv_app to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and priv_app is allowed fork permission to itself.
-neverallow priv_app mlstrustedsubject:process fork;
-
-# Do not allow priv_app to hard link to any files.
-# In particular, if priv_app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure priv_app never has this
-# capability.
-neverallow priv_app file_type:file link;
diff --git a/prebuilts/api/26.0/private/property_contexts b/prebuilts/api/26.0/private/property_contexts
deleted file mode 100644
index 4c27b35..0000000
--- a/prebuilts/api/26.0/private/property_contexts
+++ /dev/null
@@ -1,116 +0,0 @@
-##########################
-# property service keys
-#
-#
-net.rmnet u:object_r:net_radio_prop:s0
-net.gprs u:object_r:net_radio_prop:s0
-net.ppp u:object_r:net_radio_prop:s0
-net.qmi u:object_r:net_radio_prop:s0
-net.lte u:object_r:net_radio_prop:s0
-net.cdma u:object_r:net_radio_prop:s0
-net.dns u:object_r:net_dns_prop:s0
-sys.usb.config u:object_r:system_radio_prop:s0
-ril. u:object_r:radio_prop:s0
-ro.ril. u:object_r:radio_prop:s0
-gsm. u:object_r:radio_prop:s0
-persist.radio u:object_r:radio_prop:s0
-
-net. u:object_r:system_prop:s0
-dev. u:object_r:system_prop:s0
-ro.runtime. u:object_r:system_prop:s0
-ro.runtime.firstboot u:object_r:firstboot_prop:s0
-hw. u:object_r:system_prop:s0
-ro.hw. u:object_r:system_prop:s0
-sys. u:object_r:system_prop:s0
-sys.cppreopt u:object_r:cppreopt_prop:s0
-sys.powerctl u:object_r:powerctl_prop:s0
-sys.usb.ffs. u:object_r:ffs_prop:s0
-service. u:object_r:system_prop:s0
-dhcp. u:object_r:dhcp_prop:s0
-dhcp.bt-pan.result u:object_r:pan_result_prop:s0
-bluetooth. u:object_r:bluetooth_prop:s0
-
-debug. u:object_r:debug_prop:s0
-debug.db. u:object_r:debuggerd_prop:s0
-dumpstate. u:object_r:dumpstate_prop:s0
-dumpstate.options u:object_r:dumpstate_options_prop:s0
-log. u:object_r:log_prop:s0
-log.tag u:object_r:log_tag_prop:s0
-log.tag.WifiHAL u:object_r:wifi_log_prop:s0
-security.perf_harden u:object_r:shell_prop:s0
-service.adb.root u:object_r:shell_prop:s0
-service.adb.tcp.port u:object_r:shell_prop:s0
-
-persist.audio. u:object_r:audio_prop:s0
-persist.bluetooth. u:object_r:bluetooth_prop:s0
-persist.debug. u:object_r:persist_debug_prop:s0
-persist.logd. u:object_r:logd_prop:s0
-persist.logd.security u:object_r:device_logging_prop:s0
-persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
-logd.logpersistd u:object_r:logpersistd_logging_prop:s0
-persist.log.tag u:object_r:log_tag_prop:s0
-persist.mmc. u:object_r:mmc_prop:s0
-persist.sys. u:object_r:system_prop:s0
-persist.sys.safemode u:object_r:safemode_prop:s0
-ro.sys.safemode u:object_r:safemode_prop:s0
-persist.sys.audit_safemode u:object_r:safemode_prop:s0
-persist.service. u:object_r:system_prop:s0
-persist.service.bdroid. u:object_r:bluetooth_prop:s0
-persist.security. u:object_r:system_prop:s0
-persist.vendor.overlay. u:object_r:overlay_prop:s0
-ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
-ro.boottime. u:object_r:boottime_prop:s0
-ro.serialno u:object_r:serialno_prop:s0
-ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
-ro.boot.serialno u:object_r:serialno_prop:s0
-ro.bt. u:object_r:bluetooth_prop:s0
-
-# Boolean property set by system server upon boot indicating
-# if device owner is provisioned.
-ro.device_owner u:object_r:device_logging_prop:s0
-
-# selinux non-persistent properties
-selinux.restorecon_recursive u:object_r:restorecon_prop:s0
-
-# default property context
-* u:object_r:default_prop:s0
-
-# data partition encryption properties
-vold. u:object_r:vold_prop:s0
-ro.crypto. u:object_r:vold_prop:s0
-
-# ro.build.fingerprint is either set in /system/build.prop, or is
-# set at runtime by system_server.
-ro.build.fingerprint u:object_r:fingerprint_prop:s0
-
-ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
-
-# ctl properties
-ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
-ctl.fuse_ u:object_r:ctl_fuse_prop:s0
-ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
-ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
-ctl.bugreport u:object_r:ctl_bugreport_prop:s0
-ctl.console u:object_r:ctl_console_prop:s0
-ctl. u:object_r:ctl_default_prop:s0
-
-# NFC properties
-nfc. u:object_r:nfc_prop:s0
-
-# These properties are not normally set by processes other than init.
-# They are only distinguished here for setting by qemu-props on the
-# emulator/goldfish.
-config. u:object_r:config_prop:s0
-ro.config. u:object_r:config_prop:s0
-dalvik. u:object_r:dalvik_prop:s0
-ro.dalvik. u:object_r:dalvik_prop:s0
-
-# Shared between system server and wificond
-wlan. u:object_r:wifi_prop:s0
-
-# hwservicemanager properties
-hwservicemanager. u:object_r:hwservicemanager_prop:s0
-
-# ASAN install trigger
-asan.restore_reboot u:object_r:asan_reboot_prop:s0
diff --git a/prebuilts/api/26.0/private/radio.te b/prebuilts/api/26.0/private/radio.te
deleted file mode 100644
index 83b5b41..0000000
--- a/prebuilts/api/26.0/private/radio.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute radio coredomain;
-typeattribute radio domain_deprecated;
-
-app_domain(radio)
-
-read_runtime_log_tags(radio)
diff --git a/prebuilts/api/26.0/private/recovery.te b/prebuilts/api/26.0/private/recovery.te
deleted file mode 100644
index b7b2847..0000000
--- a/prebuilts/api/26.0/private/recovery.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute recovery coredomain;
-typeattribute recovery domain_deprecated;
diff --git a/prebuilts/api/26.0/private/recovery_persist.te b/prebuilts/api/26.0/private/recovery_persist.te
deleted file mode 100644
index 1fdd758..0000000
--- a/prebuilts/api/26.0/private/recovery_persist.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute recovery_persist coredomain;
-
-init_daemon_domain(recovery_persist)
-
-# recovery_persist is not allowed to write anywhere other than recovery_data_file
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/26.0/private/recovery_refresh.te b/prebuilts/api/26.0/private/recovery_refresh.te
deleted file mode 100644
index 327098d..0000000
--- a/prebuilts/api/26.0/private/recovery_refresh.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute recovery_refresh coredomain;
-
-init_daemon_domain(recovery_refresh)
-
-# recovery_refresh is not allowed to write anywhere
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/26.0/private/runas.te b/prebuilts/api/26.0/private/runas.te
deleted file mode 100644
index 73a91ff..0000000
--- a/prebuilts/api/26.0/private/runas.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute runas coredomain;
-typeattribute runas domain_deprecated;
-
-# ndk-gdb invokes adb shell run-as.
-domain_auto_trans(shell, runas_exec, runas)
diff --git a/prebuilts/api/26.0/private/sdcardd.te b/prebuilts/api/26.0/private/sdcardd.te
deleted file mode 100644
index ac6bb4e..0000000
--- a/prebuilts/api/26.0/private/sdcardd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute sdcardd coredomain;
-typeattribute sdcardd domain_deprecated;
-
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/prebuilts/api/26.0/private/seapp_contexts b/prebuilts/api/26.0/private/seapp_contexts
deleted file mode 100644
index 4356889..0000000
--- a/prebuilts/api/26.0/private/seapp_contexts
+++ /dev/null
@@ -1,110 +0,0 @@
-# Input selectors:
-# isSystemServer (boolean)
-# isEphemeralApp (boolean)
-# isV2App (boolean)
-# isOwner (boolean)
-# user (string)
-# seinfo (string)
-# name (string)
-# path (string)
-# isPrivApp (boolean)
-# minTargetSdkVersion (unsigned integer)
-# isSystemServer=true can only be used once.
-# An unspecified isSystemServer defaults to false.
-# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
-# isV2App=true will match apps in the v2 app sandbox.
-# isOwner=true will only match for the owner/primary user.
-# isOwner=false will only match for secondary users.
-# If unspecified, the entry can match either case.
-# An unspecified string selector will match any value.
-# A user string selector that ends in * will perform a prefix match.
-# user=_app will match any regular app UID.
-# user=_isolated will match any isolated service UID.
-# isPrivApp=true will only match for applications preinstalled in
-# /system/priv-app.
-# minTargetSdkVersion will match applications with a targetSdkVersion
-# greater than or equal to the specified value. If unspecified,
-# it has a default value of 0.
-# All specified input selectors in an entry must match (i.e. logical AND).
-# Matching is case-insensitive.
-#
-# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
-# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
-# (3) Specified isV2App= before unspecified isV2App= boolean.
-# (4) Specified isOwner= before unspecified isOwner= boolean.
-# (5) Specified user= string before unspecified user= string.
-# (6) Fixed user= string before user= prefix (i.e. ending in *).
-# (7) Longer user= prefix before shorter user= prefix.
-# (8) Specified seinfo= string before unspecified seinfo= string.
-# ':' character is reserved and may not be used.
-# (9) Specified name= string before unspecified name= string.
-# (10) Specified path= string before unspecified path= string.
-# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
-# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
-# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
-#
-# Outputs:
-# domain (string)
-# type (string)
-# levelFrom (string; one of none, all, app, or user)
-# level (string)
-# Only entries that specify domain= will be used for app process labeling.
-# Only entries that specify type= will be used for app directory labeling.
-# levelFrom=user is only supported for _app or _isolated UIDs.
-# levelFrom=app or levelFrom=all is only supported for _app UIDs.
-# level may be used to specify a fixed level for any UID.
-#
-#
-# Neverallow Assertions
-# Additional compile time assertion checks can be added as well. The assertion
-# rules are lines beginning with the keyword neverallow. Full support for PCRE
-# regular expressions exists on all input and output selectors. Neverallow
-# rules are never output to the built seapp_contexts file. Like all keywords,
-# neverallows are case-insensitive. A neverallow is asserted when all key value
-# inputs are matched on a key value rule line.
-#
-
-# only the system server can be in system_server domain
-neverallow isSystemServer=false domain=system_server
-neverallow isSystemServer="" domain=system_server
-
-# system domains should never be assigned outside of system uid
-neverallow user=((?!system).)* domain=system_app
-neverallow user=((?!system).)* type=system_app_data_file
-
-# anything with a non-known uid with a specified name should have a specified seinfo
-neverallow user=_app name=.* seinfo=""
-neverallow user=_app name=.* seinfo=default
-
-# neverallow shared relro to any other domain
-# and neverallow any other uid into shared_relro
-neverallow user=shared_relro domain=((?!shared_relro).)*
-neverallow user=((?!shared_relro).)* domain=shared_relro
-
-# neverallow non-isolated uids into isolated_app domain
-# and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
-neverallow user=((?!_isolated).)* domain=isolated_app
-
-# uid shell should always be in shell domain, however non-shell
-# uid's can be in shell domain
-neverallow user=shell domain=((?!shell).)*
-
-# Ephemeral Apps must run in the ephemeral_app domain
-neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
-
-isSystemServer=true domain=system_server
-user=system seinfo=platform domain=system_app type=system_app_data_file
-user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=nfc seinfo=platform domain=nfc type=nfc_data_file
-user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell type=shell_data_file
-user=_isolated domain=isolated_app levelFrom=user
-user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
-user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
-user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
-user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/prebuilts/api/26.0/private/security_classes b/prebuilts/api/26.0/private/security_classes
deleted file mode 100644
index 02e3ef2..0000000
--- a/prebuilts/api/26.0/private/security_classes
+++ /dev/null
@@ -1,144 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Capability checks when on a non-init user namespace
-class cap_userns
-class cap2_userns
-
-# New socket classes introduced by extended_socket_class policy capability.
-# These two were previously mapped to rawip_socket.
-class sctp_socket
-class icmp_socket
-# These were previously mapped to socket.
-class ax25_socket
-class ipx_socket
-class netrom_socket
-class atmpvc_socket
-class x25_socket
-class rose_socket
-class decnet_socket
-class atmsvc_socket
-class rds_socket
-class irda_socket
-class pppox_socket
-class llc_socket
-class can_socket
-class tipc_socket
-class bluetooth_socket
-class iucv_socket
-class rxrpc_socket
-class isdn_socket
-class phonet_socket
-class ieee802154_socket
-class caif_socket
-class alg_socket
-class nfc_socket
-class vsock_socket
-class kcm_socket
-class qipcrtr_socket
-
-# Property service
-class property_service # userspace
-
-# Service manager
-class service_manager # userspace
-
-# hardware service manager # userspace
-class hwservice_manager
-
-# Keystore Key
-class keystore_key # userspace
-
-class drmservice # userspace
-# FLASK
diff --git a/prebuilts/api/26.0/private/service_contexts b/prebuilts/api/26.0/private/service_contexts
deleted file mode 100644
index ff97d66..0000000
--- a/prebuilts/api/26.0/private/service_contexts
+++ /dev/null
@@ -1,173 +0,0 @@
-accessibility u:object_r:accessibility_service:s0
-account u:object_r:account_service:s0
-activity u:object_r:activity_service:s0
-alarm u:object_r:alarm_service:s0
-android.os.UpdateEngineService u:object_r:update_engine_service:s0
-android.security.keystore u:object_r:keystore_service:s0
-android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
-appops u:object_r:appops_service:s0
-appwidget u:object_r:appwidget_service:s0
-assetatlas u:object_r:assetatlas_service:s0
-audio u:object_r:audio_service:s0
-autofill u:object_r:autofill_service:s0
-backup u:object_r:backup_service:s0
-batteryproperties u:object_r:batteryproperties_service:s0
-batterystats u:object_r:batterystats_service:s0
-battery u:object_r:battery_service:s0
-bluetooth_manager u:object_r:bluetooth_manager_service:s0
-bluetooth u:object_r:bluetooth_service:s0
-carrier_config u:object_r:radio_service:s0
-clipboard u:object_r:clipboard_service:s0
-com.android.net.IProxyService u:object_r:IProxyService_service:s0
-commontime_management u:object_r:commontime_management_service:s0
-common_time.clock u:object_r:mediaserver_service:s0
-common_time.config u:object_r:mediaserver_service:s0
-companiondevice u:object_r:companion_device_service:s0
-connectivity u:object_r:connectivity_service:s0
-connmetrics u:object_r:connmetrics_service:s0
-consumer_ir u:object_r:consumer_ir_service:s0
-content u:object_r:content_service:s0
-contexthub u:object_r:contexthub_service:s0
-country_detector u:object_r:country_detector_service:s0
-coverage u:object_r:coverage_service:s0
-cpuinfo u:object_r:cpuinfo_service:s0
-dbinfo u:object_r:dbinfo_service:s0
-device_policy u:object_r:device_policy_service:s0
-device_identifiers u:object_r:device_identifiers_service:s0
-deviceidle u:object_r:deviceidle_service:s0
-devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
-diskstats u:object_r:diskstats_service:s0
-display.qservice u:object_r:surfaceflinger_service:s0
-display u:object_r:display_service:s0
-netd_listener u:object_r:netd_listener_service:s0
-DockObserver u:object_r:DockObserver_service:s0
-dreams u:object_r:dreams_service:s0
-drm.drmManager u:object_r:drmserver_service:s0
-dropbox u:object_r:dropbox_service:s0
-dumpstate u:object_r:dumpstate_service:s0
-econtroller u:object_r:radio_service:s0
-ethernet u:object_r:ethernet_service:s0
-fingerprint u:object_r:fingerprint_service:s0
-font u:object_r:font_service:s0
-android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
-gfxinfo u:object_r:gfxinfo_service:s0
-graphicsstats u:object_r:graphicsstats_service:s0
-gpu u:object_r:gpu_service:s0
-hardware u:object_r:hardware_service:s0
-hardware_properties u:object_r:hardware_properties_service:s0
-hdmi_control u:object_r:hdmi_control_service:s0
-incident u:object_r:incident_service:s0
-inputflinger u:object_r:inputflinger_service:s0
-input_method u:object_r:input_method_service:s0
-input u:object_r:input_service:s0
-installd u:object_r:installd_service:s0
-iphonesubinfo_msim u:object_r:radio_service:s0
-iphonesubinfo2 u:object_r:radio_service:s0
-iphonesubinfo u:object_r:radio_service:s0
-ims u:object_r:radio_service:s0
-imms u:object_r:imms_service:s0
-ipsec u:object_r:ipsec_service:s0
-isms_msim u:object_r:radio_service:s0
-isms2 u:object_r:radio_service:s0
-isms u:object_r:radio_service:s0
-isub u:object_r:radio_service:s0
-jobscheduler u:object_r:jobscheduler_service:s0
-launcherapps u:object_r:launcherapps_service:s0
-location u:object_r:location_service:s0
-lock_settings u:object_r:lock_settings_service:s0
-media.aaudio u:object_r:audioserver_service:s0
-media.audio_flinger u:object_r:audioserver_service:s0
-media.audio_policy u:object_r:audioserver_service:s0
-media.camera u:object_r:cameraserver_service:s0
-media.camera.proxy u:object_r:cameraproxy_service:s0
-media.log u:object_r:audioserver_service:s0
-media.player u:object_r:mediaserver_service:s0
-media.metrics u:object_r:mediametrics_service:s0
-media.extractor u:object_r:mediaextractor_service:s0
-media.codec u:object_r:mediacodec_service:s0
-media.resource_manager u:object_r:mediaserver_service:s0
-media.radio u:object_r:audioserver_service:s0
-media.sound_trigger_hw u:object_r:audioserver_service:s0
-media.drm u:object_r:mediadrmserver_service:s0
-media.cas u:object_r:mediacasserver_service:s0
-media_projection u:object_r:media_projection_service:s0
-media_resource_monitor u:object_r:media_session_service:s0
-media_router u:object_r:media_router_service:s0
-media_session u:object_r:media_session_service:s0
-meminfo u:object_r:meminfo_service:s0
-midi u:object_r:midi_service:s0
-mount u:object_r:mount_service:s0
-netd u:object_r:netd_service:s0
-netpolicy u:object_r:netpolicy_service:s0
-netstats u:object_r:netstats_service:s0
-network_management u:object_r:network_management_service:s0
-network_score u:object_r:network_score_service:s0
-network_time_update_service u:object_r:network_time_update_service:s0
-nfc u:object_r:nfc_service:s0
-notification u:object_r:notification_service:s0
-oem_lock u:object_r:oem_lock_service:s0
-otadexopt u:object_r:otadexopt_service:s0
-overlay u:object_r:overlay_service:s0
-package u:object_r:package_service:s0
-permission u:object_r:permission_service:s0
-persistent_data_block u:object_r:persistent_data_block_service:s0
-phone_msim u:object_r:radio_service:s0
-phone1 u:object_r:radio_service:s0
-phone2 u:object_r:radio_service:s0
-phone u:object_r:radio_service:s0
-pinner u:object_r:pinner_service:s0
-power u:object_r:power_service:s0
-print u:object_r:print_service:s0
-processinfo u:object_r:processinfo_service:s0
-procstats u:object_r:procstats_service:s0
-radio.phonesubinfo u:object_r:radio_service:s0
-radio.phone u:object_r:radio_service:s0
-radio.sms u:object_r:radio_service:s0
-recovery u:object_r:recovery_service:s0
-restrictions u:object_r:restrictions_service:s0
-rttmanager u:object_r:rttmanager_service:s0
-samplingprofiler u:object_r:samplingprofiler_service:s0
-scheduling_policy u:object_r:scheduling_policy_service:s0
-search u:object_r:search_service:s0
-sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
-sensorservice u:object_r:sensorservice_service:s0
-serial u:object_r:serial_service:s0
-servicediscovery u:object_r:servicediscovery_service:s0
-settings u:object_r:settings_service:s0
-shortcut u:object_r:shortcut_service:s0
-simphonebook_msim u:object_r:radio_service:s0
-simphonebook2 u:object_r:radio_service:s0
-simphonebook u:object_r:radio_service:s0
-sip u:object_r:radio_service:s0
-soundtrigger u:object_r:voiceinteraction_service:s0
-statusbar u:object_r:statusbar_service:s0
-storaged u:object_r:storaged_service:s0
-storaged_pri u:object_r:storaged_service:s0
-storagestats u:object_r:storagestats_service:s0
-SurfaceFlinger u:object_r:surfaceflinger_service:s0
-task u:object_r:task_service:s0
-telecom u:object_r:telecom_service:s0
-telephony.registry u:object_r:registry_service:s0
-textclassification u:object_r:textclassification_service:s0
-textservices u:object_r:textservices_service:s0
-trust u:object_r:trust_service:s0
-tv_input u:object_r:tv_input_service:s0
-uimode u:object_r:uimode_service:s0
-updatelock u:object_r:updatelock_service:s0
-usagestats u:object_r:usagestats_service:s0
-usb u:object_r:usb_service:s0
-user u:object_r:user_service:s0
-vibrator u:object_r:vibrator_service:s0
-virtual_touchpad u:object_r:virtual_touchpad_service:s0
-voiceinteraction u:object_r:voiceinteraction_service:s0
-vr_hwc u:object_r:vr_hwc_service:s0
-vrmanager u:object_r:vr_manager_service:s0
-wallpaper u:object_r:wallpaper_service:s0
-webviewupdate u:object_r:webviewupdate_service:s0
-wifip2p u:object_r:wifip2p_service:s0
-wifiscanner u:object_r:wifiscanner_service:s0
-wifi u:object_r:wifi_service:s0
-wificond u:object_r:wificond_service:s0
-wifiaware u:object_r:wifiaware_service:s0
-window u:object_r:window_service:s0
-* u:object_r:default_android_service:s0
diff --git a/prebuilts/api/26.0/private/servicemanager.te b/prebuilts/api/26.0/private/servicemanager.te
deleted file mode 100644
index 9f675a2..0000000
--- a/prebuilts/api/26.0/private/servicemanager.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute servicemanager coredomain;
-
-init_daemon_domain(servicemanager)
-
-read_runtime_log_tags(servicemanager)
diff --git a/prebuilts/api/26.0/private/shared_relro.te b/prebuilts/api/26.0/private/shared_relro.te
deleted file mode 100644
index 8d06294..0000000
--- a/prebuilts/api/26.0/private/shared_relro.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute shared_relro coredomain;
-typeattribute shared_relro domain_deprecated;
-
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
diff --git a/prebuilts/api/26.0/private/shell.te b/prebuilts/api/26.0/private/shell.te
deleted file mode 100644
index fbd9676..0000000
--- a/prebuilts/api/26.0/private/shell.te
+++ /dev/null
@@ -1,22 +0,0 @@
-typeattribute shell coredomain;
-
-# systrace support - allow atrace to run
-allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file r_file_perms;
-allow shell tracing_shell_writable:file rw_file_perms;
-allow shell debugfs_trace_marker:file getattr;
-allow shell atrace_exec:file rx_file_perms;
-
-# read config.gz for CTS purposes
-allow shell config_gz:file r_file_perms;
-
-userdebug_or_eng(`
- allow shell tracing_shell_writable_debug:file rw_file_perms;
-')
-
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
-# allow shell to call dumpsys storaged
-binder_call(shell, storaged)
diff --git a/prebuilts/api/26.0/private/storaged.te b/prebuilts/api/26.0/private/storaged.te
deleted file mode 100644
index 96433b3..0000000
--- a/prebuilts/api/26.0/private/storaged.te
+++ /dev/null
@@ -1,51 +0,0 @@
-# storaged daemon
-type storaged, domain, coredomain, mlstrustedsubject;
-type storaged_exec, exec_type, file_type;
-
-init_daemon_domain(storaged)
-
-# Read access to pseudo filesystems
-r_dir_file(storaged, sysfs_type)
-r_dir_file(storaged, proc_net)
-r_dir_file(storaged, domain)
-
-# Read /proc/uid_io/stats
-allow storaged proc_uid_io_stats:file r_file_perms;
-
-# Read /data/system/packages.list
-allow storaged system_data_file:file r_file_perms;
-
-userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
-')
-
-# Needed to provide debug dump output via dumpsys pipes.
-allow storaged shell:fd use;
-allow storaged shell:fifo_file write;
-
-# Needed for GMScore to call dumpsys storaged
-allow storaged priv_app:fd use;
-allow storaged app_data_file:file write;
-allow storaged permission_service:service_manager find;
-
-# Binder permissions
-add_service(storaged, storaged_service)
-
-binder_use(storaged)
-binder_call(storaged, system_server)
-
-# use batteryproperties service
-allow storaged batteryproperties_service:service_manager find;
-binder_call(storaged, healthd)
-
-# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
-# running as root. See b/35323867 #3.
-dontaudit storaged self:capability dac_override;
-
-###
-### neverallow
-###
-neverallow storaged domain:process ptrace;
-neverallow storaged self:capability_class_set *;
diff --git a/prebuilts/api/26.0/private/su.te b/prebuilts/api/26.0/private/su.te
deleted file mode 100644
index d42bf61..0000000
--- a/prebuilts/api/26.0/private/su.te
+++ /dev/null
@@ -1,20 +0,0 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
-
- domain_auto_trans(shell, su_exec, su)
- # Allow dumpstate to call su on userdebug / eng builds to collect
- # additional information.
- domain_auto_trans(dumpstate, su_exec, su)
-
- # Make sure that dumpstate runs the same from the "su" domain as
- # from the "init" domain.
- domain_auto_trans(su, dumpstate_exec, dumpstate)
-
- # Put the incident command into its domain so it is the same on user, userdebug and eng.
- domain_auto_trans(su, incident_exec, incident)
-
-# su is also permissive to permit setenforce.
- permissive su;
-
- app_domain(su)
-')
diff --git a/prebuilts/api/26.0/private/surfaceflinger.te b/prebuilts/api/26.0/private/surfaceflinger.te
deleted file mode 100644
index 3595ee4..0000000
--- a/prebuilts/api/26.0/private/surfaceflinger.te
+++ /dev/null
@@ -1,110 +0,0 @@
-# surfaceflinger - display compositor service
-
-typeattribute surfaceflinger coredomain;
-
-type surfaceflinger_exec, exec_type, file_type;
-init_daemon_domain(surfaceflinger)
-
-typeattribute surfaceflinger mlstrustedsubject;
-typeattribute surfaceflinger display_service_server;
-
-read_runtime_log_tags(surfaceflinger)
-
-# Perform HwBinder IPC.
-hal_client_domain(surfaceflinger, hal_graphics_allocator)
-hal_client_domain(surfaceflinger, hal_graphics_composer)
-hal_client_domain(surfaceflinger, hal_configstore)
-allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
-
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, appdomain)
-binder_call(surfaceflinger, bootanim)
-binder_service(surfaceflinger)
-
-# Binder IPC to bu, presently runs in adbd domain.
-binder_call(surfaceflinger, adbd)
-
-# Read /proc/pid files for Binder clients.
-r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, appdomain)
-
-# Access the GPU.
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file rw_file_perms;
-
-# Access /dev/video1.
-allow surfaceflinger video_device:dir r_dir_perms;
-allow surfaceflinger video_device:chr_file rw_file_perms;
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Set properties.
-set_prop(surfaceflinger, system_prop)
-set_prop(surfaceflinger, ctl_bootanim_prop)
-
-# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger app_data_file:file { read write };
-
-# Use socket supplied by adbd, for cmd gpu vkjson etc.
-allow surfaceflinger adbd:unix_stream_socket { read write getattr };
-
-# Allow a dumpstate triggered screenshot
-binder_call(surfaceflinger, dumpstate)
-binder_call(surfaceflinger, shell)
-r_dir_file(surfaceflinger, dumpstate)
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-allow surfaceflinger tee_device:chr_file rw_file_perms;
-
-
-# media.player service
-add_service(surfaceflinger, gpu_service)
-
-# do not use add_service() as hal_graphics_composer_default may be the
-# provider as well
-#add_service(surfaceflinger, surfaceflinger_service)
-allow surfaceflinger surfaceflinger_service:service_manager { add find };
-
-allow surfaceflinger mediaserver_service:service_manager find;
-allow surfaceflinger permission_service:service_manager find;
-allow surfaceflinger power_service:service_manager find;
-allow surfaceflinger vr_manager_service:service_manager find;
-allow surfaceflinger window_service:service_manager find;
-
-
-# allow self to set SCHED_FIFO
-allow surfaceflinger self:capability sys_nice;
-allow surfaceflinger proc_meminfo:file r_file_perms;
-r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, sysfs_type)
-r_dir_file(surfaceflinger, system_file)
-allow surfaceflinger tmpfs:dir r_dir_perms;
-allow surfaceflinger system_server:fd use;
-allow surfaceflinger ion_device:chr_file r_file_perms;
-
-# pdx IPC
-pdx_server(surfaceflinger, display_client)
-pdx_server(surfaceflinger, display_manager)
-pdx_server(surfaceflinger, display_screenshot)
-pdx_server(surfaceflinger, display_vsync)
-
-pdx_client(surfaceflinger, bufferhub_client)
-pdx_client(surfaceflinger, performance_client)
-
-###
-### Neverallow rules
-###
-### surfaceflinger should NEVER do any of this
-
-# Do not allow accessing SDcard files as unsafe ejection could
-# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
diff --git a/prebuilts/api/26.0/private/system_app.te b/prebuilts/api/26.0/private/system_app.te
deleted file mode 100644
index 7950044..0000000
--- a/prebuilts/api/26.0/private/system_app.te
+++ /dev/null
@@ -1,92 +0,0 @@
-###
-### Apps that run with the system UID, e.g. com.android.system.ui,
-### com.android.settings. These are not as privileged as the system
-### server.
-###
-
-typeattribute system_app coredomain;
-typeattribute system_app domain_deprecated;
-
-app_domain(system_app)
-net_domain(system_app)
-binder_service(system_app)
-
-# Read and write /data/data subdirectory.
-allow system_app system_app_data_file:dir create_dir_perms;
-allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
-
-# Read and write to /data/misc/user.
-allow system_app misc_user_data_file:dir create_dir_perms;
-allow system_app misc_user_data_file:file create_file_perms;
-
-# Access to vold-mounted storage for measuring free space
-allow system_app mnt_media_rw_file:dir search;
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file r_file_perms;
-
-# Read icon file.
-allow system_app icon_file:file r_file_perms;
-
-# Write to properties
-set_prop(system_app, bluetooth_prop)
-set_prop(system_app, debug_prop)
-set_prop(system_app, system_prop)
-set_prop(system_app, logd_prop)
-set_prop(system_app, net_radio_prop)
-set_prop(system_app, system_radio_prop)
-set_prop(system_app, log_tag_prop)
-userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
-auditallow system_app net_radio_prop:property_service set;
-auditallow system_app system_radio_prop:property_service set;
-
-# ctl interface
-set_prop(system_app, ctl_default_prop)
-set_prop(system_app, ctl_bugreport_prop)
-
-# Create /data/anr/traces.txt.
-allow system_app anr_data_file:dir ra_dir_perms;
-allow system_app anr_data_file:file create_file_perms;
-
-# Settings need to access app name and icon from asec
-allow system_app asec_apk_file:file r_file_perms;
-
-# Allow system apps to interact with incidentd
-binder_call(system_app, incidentd)
-
-allow system_app servicemanager:service_manager list;
-# TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
-
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
-# /sys access
-r_dir_file(system_app, sysfs_type)
-
-control_logd(system_app)
-read_runtime_log_tags(system_app)
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as system_app
-neverallow system_app fuse_device:chr_file *;
diff --git a/prebuilts/api/26.0/private/system_server.te b/prebuilts/api/26.0/private/system_server.te
deleted file mode 100644
index 2e14d18..0000000
--- a/prebuilts/api/26.0/private/system_server.te
+++ /dev/null
@@ -1,740 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-
-typeattribute system_server coredomain;
-typeattribute system_server domain_deprecated;
-typeattribute system_server mlstrustedsubject;
-
-# Define a type for tmpfs-backed ashmem regions.
-tmpfs_domain(system_server)
-
-# Create a socket for connections from crash_dump.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
-
-allow system_server zygote_tmpfs:file read;
-
-# For art.
-allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file { r_file_perms execute };
-userdebug_or_eng(`
- # Report dalvikcache_data_file:file execute violations.
- auditallow system_server dalvikcache_data_file:file execute;
-')
-
-# /data/resource-cache
-allow system_server resourcecache_data_file:file r_file_perms;
-allow system_server resourcecache_data_file:dir r_dir_perms;
-
-# ptrace to processes in the same domain for debugging crashes.
-allow system_server self:process ptrace;
-
-# Read and delete last_reboot_reason file
-allow system_server reboot_data_file:file { rename r_file_perms unlink };
-allow system_server reboot_data_file:dir { write search open remove_name };
-
-# Child of the zygote.
-allow system_server zygote:fd use;
-allow system_server zygote:process sigchld;
-
-# May kill zygote on crashes.
-allow system_server zygote:process sigkill;
-allow system_server crash_dump:process sigkill;
-
-# Read /system/bin/app_process.
-allow system_server zygote_exec:file r_file_perms;
-
-# Needed to close the zygote socket, which involves getopt / getattr
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
-# system server gets network and bluetooth permissions.
-net_domain(system_server)
-# in addition to ioctls allowlisted for all domains, also allow system_server
-# to use privileged ioctls commands. Needed to set up VPNs.
-allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
-bluetooth_domain(system_server)
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-allow system_server self:capability {
- ipc_lock
- kill
- net_admin
- net_bind_service
- net_broadcast
- net_raw
- sys_boot
- sys_nice
- sys_ptrace
- sys_time
- sys_tty_config
-};
-
-wakelock_use(system_server)
-
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
-# Allow alarmtimers to be set
-allow system_server self:capability2 wake_alarm;
-
-# Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Use generic netlink sockets.
-allow system_server self:netlink_socket create_socket_perms_no_ioctl;
-allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# libvintf reads the kernel config to verify vendor interface compatibility.
-allow system_server config_gz:file { read open };
-
-# Use generic "sockets" where the address family is not known
-# to the kernel. The ioctl permission is specifically omitted here, but may
-# be added to device specific policy along with the ioctl commands to be
-# allowlisted.
-allow system_server self:socket create_socket_perms_no_ioctl;
-
-# Set and get routes directly via netlink.
-allow system_server self:netlink_route_socket nlmsg_write;
-
-# Kill apps.
-allow system_server appdomain:process { sigkill signal };
-
-# Set scheduling info for apps.
-allow system_server appdomain:process { getsched setsched };
-allow system_server audioserver:process { getsched setsched };
-allow system_server hal_audio:process { getsched setsched };
-allow system_server hal_bluetooth:process { getsched setsched };
-allow system_server cameraserver:process { getsched setsched };
-allow system_server hal_camera:process { getsched setsched };
-allow system_server mediaserver:process { getsched setsched };
-allow system_server bootanim:process { getsched setsched };
-
-# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
-# within system_server to keep track of memory and CPU usage for
-# all processes on the device. In addition, /proc/pid files access is needed
-# for dumping stack traces of native processes.
-r_dir_file(system_server, domain)
-
-# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
-allow system_server qtaguid_proc:file rw_file_perms;
-allow system_server qtaguid_device:chr_file rw_file_perms;
-
-# Read /proc/uid_cputime/show_uid_stat.
-allow system_server proc_uid_cputime_showstat:file r_file_perms;
-
-# Write /proc/uid_cputime/remove_uid_range.
-allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
-
-# Write /proc/uid_procstat/set.
-allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
-
-# Write to /proc/sysrq-trigger.
-allow system_server proc_sysrq:file rw_file_perms;
-
-# Read /proc/stat for CPU usage statistics
-allow system_server proc_stat:file r_file_perms;
-
-# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-
-# The DhcpClient and WifiWatchdog use packet_sockets
-allow system_server self:packet_socket create_socket_perms_no_ioctl;
-
-# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
-# as raw sockets, but the kernel doesn't yet distinguish between the two.
-allow system_server node:rawip_socket node_bind;
-
-# 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create_socket_perms_no_ioctl;
-
-# Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, netd, netd)
-unix_socket_connect(system_server, vold, vold)
-unix_socket_connect(system_server, webview_zygote, webview_zygote)
-unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
-unix_socket_connect(system_server, uncrypt, uncrypt)
-
-# Communicate over a socket created by surfaceflinger.
-allow system_server surfaceflinger:unix_stream_socket { read write setopt };
-
-# Perform Binder IPC.
-binder_use(system_server)
-binder_call(system_server, appdomain)
-binder_call(system_server, binderservicedomain)
-binder_call(system_server, dumpstate)
-binder_call(system_server, fingerprintd)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, installd)
-binder_call(system_server, incidentd)
-binder_call(system_server, netd)
-binder_call(system_server, wificond)
-binder_service(system_server)
-
-# Use HALs
-hal_client_domain(system_server, hal_allocator)
-hal_client_domain(system_server, hal_contexthub)
-hal_client_domain(system_server, hal_fingerprint)
-hal_client_domain(system_server, hal_gnss)
-hal_client_domain(system_server, hal_graphics_allocator)
-hal_client_domain(system_server, hal_ir)
-hal_client_domain(system_server, hal_light)
-hal_client_domain(system_server, hal_memtrack)
-hal_client_domain(system_server, hal_oemlock)
-allow system_server hal_omx_hwservice:hwservice_manager find;
-allow system_server hidl_token_hwservice:hwservice_manager find;
-hal_client_domain(system_server, hal_power)
-hal_client_domain(system_server, hal_sensors)
-hal_client_domain(system_server, hal_tetheroffload)
-hal_client_domain(system_server, hal_thermal)
-hal_client_domain(system_server, hal_tv_cec)
-hal_client_domain(system_server, hal_tv_input)
-hal_client_domain(system_server, hal_usb)
-hal_client_domain(system_server, hal_vibrator)
-hal_client_domain(system_server, hal_vr)
-hal_client_domain(system_server, hal_weaver)
-hal_client_domain(system_server, hal_wifi)
-hal_client_domain(system_server, hal_wifi_offload)
-hal_client_domain(system_server, hal_wifi_supplicant)
-
-binder_call(system_server, mediacodec)
-
-# Talk with graphics composer fences
-allow system_server hal_graphics_composer:fd use;
-
-# Use RenderScript always-passthrough HAL
-allow system_server hal_renderscript_hwservice:hwservice_manager find;
-
-# Offer HwBinder services
-add_hwservice(system_server, fwk_scheduler_hwservice)
-add_hwservice(system_server, fwk_sensor_hwservice)
-
-# Talk to tombstoned to get ANR traces.
-unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
-
-# List HAL interfaces to get ANR traces.
-allow system_server hwservicemanager:hwservice_manager list;
-
-# Send signals to trigger ANR traces.
-allow system_server {
- # This is derived from the list that system server defines as interesting native processes
- # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediadrmserver
- mediaextractor
- mediaserver
- mediametrics
- sdcardd
- surfaceflinger
-
- # This list comes from HAL_INTERFACES_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_graphics_composer_server
- hal_vr_server
- mediacodec # TODO(b/36375899): hal_omx_server
-}:process { signal };
-
-# Use sockets received over binder from various services.
-allow system_server audioserver:tcp_socket rw_socket_perms;
-allow system_server audioserver:udp_socket rw_socket_perms;
-allow system_server mediaserver:tcp_socket rw_socket_perms;
-allow system_server mediaserver:udp_socket rw_socket_perms;
-
-# Use sockets received over binder from various services.
-allow system_server mediadrmserver:tcp_socket rw_socket_perms;
-allow system_server mediadrmserver:udp_socket rw_socket_perms;
-
-# Get file context
-allow system_server file_contexts_file:file r_file_perms;
-# access for mac_permissions
-allow system_server mac_perms_file: file r_file_perms;
-# Check SELinux permissions.
-selinux_check_access(system_server)
-
-# XXX Label sysfs files with a specific type?
-allow system_server sysfs:file rw_file_perms;
-allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_devices_system_cpu:file w_file_perms;
-allow system_server sysfs_mac_address:file r_file_perms;
-allow system_server sysfs_thermal:dir search;
-allow system_server sysfs_thermal:file r_file_perms;
-
-# TODO: Remove when HALs are forced into separate processes
-allow system_server sysfs_vibrator:file { write append };
-
-# TODO: added to match above sysfs rule. Remove me?
-allow system_server sysfs_usb:file w_file_perms;
-
-# Access devices.
-allow system_server device:dir r_dir_perms;
-allow system_server mdns_socket:sock_file rw_file_perms;
-allow system_server alarm_device:chr_file rw_file_perms;
-allow system_server gpu_device:chr_file rw_file_perms;
-allow system_server iio_device:chr_file rw_file_perms;
-allow system_server input_device:dir r_dir_perms;
-allow system_server input_device:chr_file rw_file_perms;
-allow system_server radio_device:chr_file r_file_perms;
-allow system_server tty_device:chr_file rw_file_perms;
-allow system_server usbaccessory_device:chr_file rw_file_perms;
-allow system_server video_device:dir r_dir_perms;
-allow system_server video_device:chr_file rw_file_perms;
-allow system_server adbd_socket:sock_file rw_file_perms;
-allow system_server rtc_device:chr_file rw_file_perms;
-allow system_server audio_device:dir r_dir_perms;
-
-# write access needed for MIDI
-allow system_server audio_device:chr_file rw_file_perms;
-
-# tun device used for 3rd party vpn apps
-allow system_server tun_device:chr_file rw_file_perms;
-
-# Manage system data files.
-allow system_server system_data_file:dir create_dir_perms;
-allow system_server system_data_file:notdevfile_class_set create_file_perms;
-allow system_server keychain_data_file:dir create_dir_perms;
-allow system_server keychain_data_file:file create_file_perms;
-allow system_server keychain_data_file:lnk_file create_file_perms;
-
-# Manage /data/app.
-allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
-allow system_server apk_tmp_file:dir create_dir_perms;
-allow system_server apk_tmp_file:file create_file_perms;
-
-# Access /vendor/app
-r_dir_file(system_server, vendor_app_file)
-
-# Access /vendor/app
-r_dir_file(system_server, vendor_overlay_file)
-
-# Manage /data/app-private.
-allow system_server apk_private_data_file:dir create_dir_perms;
-allow system_server apk_private_data_file:file create_file_perms;
-allow system_server apk_private_tmp_file:dir create_dir_perms;
-allow system_server apk_private_tmp_file:file create_file_perms;
-
-# Manage files within asec containers.
-allow system_server asec_apk_file:dir create_dir_perms;
-allow system_server asec_apk_file:file create_file_perms;
-allow system_server asec_public_file:file create_file_perms;
-
-# Manage /data/anr.
-allow system_server anr_data_file:dir create_dir_perms;
-allow system_server anr_data_file:file create_file_perms;
-
-# Read /data/misc/incidents - only read. The fd will be sent over binder,
-# with no DAC access to it, for dropbox to read.
-allow system_server incident_data_file:file read;
-
-# Manage /data/backup.
-allow system_server backup_data_file:dir create_dir_perms;
-allow system_server backup_data_file:file create_file_perms;
-
-# Write to /data/system/heapdump
-allow system_server heapdump_data_file:dir rw_dir_perms;
-allow system_server heapdump_data_file:file create_file_perms;
-
-# Manage /data/misc/adb.
-allow system_server adb_keys_file:dir create_dir_perms;
-allow system_server adb_keys_file:file create_file_perms;
-
-# Manage /data/misc/sms.
-# TODO: Split into a separate type?
-allow system_server radio_data_file:dir create_dir_perms;
-allow system_server radio_data_file:file create_file_perms;
-
-# Manage /data/misc/systemkeys.
-allow system_server systemkeys_data_file:dir create_dir_perms;
-allow system_server systemkeys_data_file:file create_file_perms;
-
-# Manage /data/misc/textclassifier.
-allow system_server textclassifier_data_file:dir create_dir_perms;
-allow system_server textclassifier_data_file:file create_file_perms;
-
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Manage /data/misc/vpn.
-allow system_server vpn_data_file:dir create_dir_perms;
-allow system_server vpn_data_file:file create_file_perms;
-
-# Manage /data/misc/wifi.
-allow system_server wifi_data_file:dir create_dir_perms;
-allow system_server wifi_data_file:file create_file_perms;
-
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
-# Walk /data/data subdirectories.
-# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
-# Also permit for unlabeled /data/data subdirectories and
-# for unlabeled asec containers on upgrades from 4.2.
-allow system_server unlabeled:dir r_dir_perms;
-# Read pkg.apk file before it has been relabeled by vold.
-allow system_server unlabeled:file r_file_perms;
-
-# Populate com.android.providers.settings/databases/settings.db.
-allow system_server system_app_data_file:dir create_dir_perms;
-allow system_server system_app_data_file:file create_file_perms;
-
-# Receive and use open app data files passed over binder IPC.
-# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
-
-# Access to /data/media for measuring disk usage.
-allow system_server media_rw_data_file:dir { search getattr open read };
-
-# Receive and use open /data/media files passed over binder IPC.
-# Also used for measuring disk usage.
-allow system_server media_rw_data_file:file { getattr read write append };
-
-# Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
-
-# Relabel wallpaper.
-allow system_server system_data_file:file relabelfrom;
-allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file { rw_file_perms rename unlink };
-
-# Backup of wallpaper imagery uses temporary hard links to avoid data churn
-allow system_server { system_data_file wallpaper_file }:file link;
-
-# ShortcutManager icons
-allow system_server system_data_file:dir relabelfrom;
-allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
-allow system_server shortcut_manager_icons:file create_file_perms;
-
-# Manage ringtones.
-allow system_server ringtone_file:dir { create_dir_perms relabelto };
-allow system_server ringtone_file:file create_file_perms;
-
-# Relabel icon file.
-allow system_server icon_file:file relabelto;
-allow system_server icon_file:file { rw_file_perms unlink };
-
-# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
-allow system_server system_data_file:dir relabelfrom;
-
-# Property Service write
-set_prop(system_server, system_prop)
-set_prop(system_server, safemode_prop)
-set_prop(system_server, dhcp_prop)
-set_prop(system_server, net_radio_prop)
-set_prop(system_server, net_dns_prop)
-set_prop(system_server, system_radio_prop)
-set_prop(system_server, debug_prop)
-set_prop(system_server, powerctl_prop)
-set_prop(system_server, fingerprint_prop)
-set_prop(system_server, device_logging_prop)
-set_prop(system_server, dumpstate_options_prop)
-set_prop(system_server, overlay_prop)
-userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
-
-# ctl interface
-set_prop(system_server, ctl_default_prop)
-set_prop(system_server, ctl_bugreport_prop)
-
-# cppreopt property
-set_prop(system_server, cppreopt_prop)
-
-# Collect metrics on boot time created by init
-get_prop(system_server, boottime_prop)
-
-# Read device's serial number from system properties
-get_prop(system_server, serialno_prop)
-
-# Read/write the property which keeps track of whether this is the first start of system_server
-set_prop(system_server, firstboot_prop)
-
-# Create a socket for connections from debuggerd.
-allow system_server system_ndebug_socket:sock_file create_file_perms;
-
-# Manage cache files.
-allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
-allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
-allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
-
-allow system_server system_file:dir r_dir_perms;
-allow system_server system_file:lnk_file r_file_perms;
-
-# LocationManager(e.g, GPS) needs to read and write
-# to uart driver and ctrl proc entry
-allow system_server gps_control:file rw_file_perms;
-
-# Allow system_server to use app-created sockets and pipes.
-allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
-
-# BackupManagerService needs to manipulate backup data files
-allow system_server cache_backup_file:dir rw_dir_perms;
-allow system_server cache_backup_file:file create_file_perms;
-# LocalTransport works inside /cache/backup
-allow system_server cache_private_backup_file:dir create_dir_perms;
-allow system_server cache_private_backup_file:file create_file_perms;
-
-# Allow system to talk to usb device
-allow system_server usb_device:chr_file rw_file_perms;
-allow system_server usb_device:dir r_dir_perms;
-
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
-# Read and delete files under /dev/fscklogs.
-r_dir_file(system_server, fscklogs)
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
-
-# logd access, system_server inherit logd write socket
-# (urge is to deprecate this long term)
-allow system_server zygote:unix_dgram_socket write;
-
-# Read from log daemon.
-read_logd(system_server)
-read_runtime_log_tags(system_server)
-
-# Be consistent with DAC permissions. Allow system_server to write to
-# /sys/module/lowmemorykiller/parameters/adj
-# /sys/module/lowmemorykiller/parameters/minfree
-allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow system_server pstorefs:dir r_dir_perms;
-allow system_server pstorefs:file r_file_perms;
-
-# /sys access
-allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
-
-add_service(system_server, system_server_service);
-allow system_server audioserver_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server cameraserver_service:service_manager find;
-allow system_server drmserver_service:service_manager find;
-allow system_server dumpstate_service:service_manager find;
-allow system_server fingerprintd_service:service_manager find;
-allow system_server hal_fingerprint_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
-allow system_server incident_service:service_manager find;
-allow system_server installd_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server mediaserver_service:service_manager find;
-allow system_server mediametrics_service:service_manager find;
-allow system_server mediaextractor_service:service_manager find;
-allow system_server mediacodec_service:service_manager find;
-allow system_server mediadrmserver_service:service_manager find;
-allow system_server mediacasserver_service:service_manager find;
-allow system_server netd_service:service_manager find;
-allow system_server nfc_service:service_manager find;
-allow system_server radio_service:service_manager find;
-allow system_server surfaceflinger_service:service_manager find;
-allow system_server wificond_service:service_manager find;
-
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
-# Allow system server to search and write to the persistent factory reset
-# protection partition. This block device does not get wiped in a factory reset.
-allow system_server block_device:dir search;
-allow system_server frp_block_device:blk_file rw_file_perms;
-
-# Clean up old cgroups
-allow system_server cgroup:dir { remove_name rmdir };
-
-# /oem access
-r_dir_file(system_server, oemfs)
-
-# Allow resolving per-user storage symlinks
-allow system_server { mnt_user_file storage_file }:dir { getattr search };
-allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
-
-# Allow statfs() on storage devices, which happens fast enough that
-# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
-
-# Traverse into expanded storage
-allow system_server mnt_expand_file:dir r_dir_perms;
-
-# Allow system process to relabel the fingerprint directory after mkdir
-# and delete the directory and files when no longer needed
-allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
-allow system_server fingerprintd_data_file:file { getattr unlink };
-
-# Allow system process to read network MAC address
-allow system_server sysfs_mac_address:file r_file_perms;
-
-userdebug_or_eng(`
- # Allow system server to create and write method traces in /data/misc/trace.
- allow system_server method_trace_data_file:dir w_dir_perms;
- allow system_server method_trace_data_file:file { create w_file_perms };
-
- # Allow system server to read dmesg
- allow system_server kernel:system syslog_read;
-')
-
-# For AppFuse.
-allow system_server vold:fd use;
-allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
-
-# For configuring sdcardfs
-allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open unlink write };
-
-# Connect to adbd and use a socket transferred from it.
-# Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-# Allow invoking tools like "timeout"
-allow system_server toolbox_exec:file rx_file_perms;
-
-# Postinstall
-#
-# For OTA dexopt, allow calls coming from postinstall.
-binder_call(system_server, postinstall)
-
-allow system_server postinstall:fifo_file write;
-allow system_server update_engine:fd use;
-allow system_server update_engine:fifo_file write;
-
-# Access to /data/preloads
-allow system_server preloads_data_file:file { r_file_perms unlink };
-allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow system_server preloads_media_file:file { r_file_perms unlink };
-allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-r_dir_file(system_server, cgroup)
-allow system_server ion_device:chr_file r_file_perms;
-
-r_dir_file(system_server, proc)
-r_dir_file(system_server, proc_meminfo)
-r_dir_file(system_server, proc_net)
-r_dir_file(system_server, rootfs)
-r_dir_file(system_server, sysfs_type)
-
-### Rules needed when Light HAL runs inside system_server process.
-### These rules should eventually be granted only when needed.
-allow system_server sysfs_leds:lnk_file read;
-allow system_server sysfs_leds:file rw_file_perms;
-allow system_server sysfs_leds:dir r_dir_perms;
-###
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow system_server debugfs_tracing_instances:dir search;
-allow system_server debugfs_wifi_tracing:file rw_file_perms;
-
-# allow system_server to exec shell on ASAN builds. Needed to run
-# asanwrapper.
-with_asan(`
- allow system_server shell_exec:file rx_file_perms;
-')
-
-###
-### Neverallow rules
-###
-### system_server should NEVER do any of this
-
-# Do not allow opening files from external storage as unsafe ejection
-# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
-
-# system server should never be operating on zygote spawned app data
-# files directly. Rather, they should always be passed via a
-# file descriptor.
-# Types extracted from seapp_contexts type= fields, excluding
-# those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
-
-# Forking and execing is inherently dangerous and racy. See, for
-# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
-# Prevent the addition of new file execs to stop the problem from
-# getting worse. b/28035297
-neverallow system_server {
- file_type
- -toolbox_exec
- -logcat_exec
- with_asan(`-shell_exec')
-}:file execute_no_trans;
-
-# Ensure that system_server doesn't perform any domain transitions other than
-# transitioning to the crash_dump domain when a crash occurs.
-neverallow system_server { domain -crash_dump }:process transition;
-neverallow system_server *:process dyntransition;
-
-# Only allow crash_dump to connect to system_ndebug_socket.
-neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
-
-# system_server should never be executing dex2oat. This is either
-# a bug (for example, bug 16317188), or represents an attempt by
-# system server to dynamically load a dex file, something we do not
-# want to allow.
-neverallow system_server dex2oat_exec:file no_x_file_perms;
-
-# system_server should never execute or load executable shared libraries
-# in /data except for /data/dalvik-cache files.
-neverallow system_server {
- data_file_type
- -dalvikcache_data_file #mapping with PROT_EXEC
-}:file no_x_file_perms;
-
-# The only block device system_server should be accessing is
-# the frp_block_device. This helps avoid a system_server to root
-# escalation by writing to raw block devices.
-neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
-
-# system_server should never use JIT functionality
-neverallow system_server self:process execmem;
-neverallow system_server ashmem_device:chr_file execute;
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow system_server system_server_tmpfs:file execute;
-
-# dexoptanalyzer is currently used only for secondary dex files which
-# system_server should never access.
-neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
-
-# No ptracing others
-neverallow system_server { domain -system_server }:process ptrace;
-
-# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
-# file read access. However, that is now unnecessary (b/34951864)
-# This neverallow can be removed after b/34951864 is fixed.
-neverallow system_server system_server:capability sys_resource;
diff --git a/prebuilts/api/26.0/private/technical_debt.cil b/prebuilts/api/26.0/private/technical_debt.cil
deleted file mode 100644
index ccbae10..0000000
--- a/prebuilts/api/26.0/private/technical_debt.cil
+++ /dev/null
@@ -1,28 +0,0 @@
-; THIS IS A WORKAROUND for the current limitations of the module policy language
-; This should be used sparingly until we figure out a saner way to achieve the
-; stuff below, for example, by improving typeattribute statement of module
-; language.
-;
-; NOTE: This file has no effect on recovery policy.
-
-; Apps, except isolated apps, are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_allocator_client;
-; typeattribute hal_allocator_client halclientdomain;
-(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
-(typeattributeset halclientdomain (hal_allocator_client))
-
-; Apps, except isolated apps, are clients of Configstore HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_configstore_client;
-(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Graphics Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
-(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
-
-; Domains hosting Camera HAL implementations are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute hal_camera hal_allocator_client;
-(typeattributeset hal_allocator_client (hal_camera))
diff --git a/prebuilts/api/26.0/private/tombstoned.te b/prebuilts/api/26.0/private/tombstoned.te
deleted file mode 100644
index 305f9d0..0000000
--- a/prebuilts/api/26.0/private/tombstoned.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tombstoned coredomain;
-
-init_daemon_domain(tombstoned)
diff --git a/prebuilts/api/26.0/private/ueventd.te b/prebuilts/api/26.0/private/ueventd.te
deleted file mode 100644
index 0df587f..0000000
--- a/prebuilts/api/26.0/private/ueventd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute ueventd coredomain;
-typeattribute ueventd domain_deprecated;
-
-tmpfs_domain(ueventd)
diff --git a/prebuilts/api/26.0/private/uncrypt.te b/prebuilts/api/26.0/private/uncrypt.te
deleted file mode 100644
index fde686b..0000000
--- a/prebuilts/api/26.0/private/uncrypt.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute uncrypt coredomain;
-typeattribute uncrypt domain_deprecated;
-
-init_daemon_domain(uncrypt)
diff --git a/prebuilts/api/26.0/private/untrusted_app.te b/prebuilts/api/26.0/private/untrusted_app.te
deleted file mode 100644
index 68c1a41..0000000
--- a/prebuilts/api/26.0/private/untrusted_app.te
+++ /dev/null
@@ -1,29 +0,0 @@
-###
-### Untrusted apps.
-###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-typeattribute untrusted_app coredomain;
-
-app_domain(untrusted_app)
-untrusted_app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
diff --git a/prebuilts/api/26.0/private/untrusted_app_25.te b/prebuilts/api/26.0/private/untrusted_app_25.te
deleted file mode 100644
index 3fa79ef..0000000
--- a/prebuilts/api/26.0/private/untrusted_app_25.te
+++ /dev/null
@@ -1,46 +0,0 @@
-###
-### Untrusted_app_25
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion <= 25.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-typeattribute untrusted_app_25 coredomain;
-
-app_domain(untrusted_app_25)
-untrusted_app_domain(untrusted_app_25)
-net_domain(untrusted_app_25)
-bluetooth_domain(untrusted_app_25)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app_25)
-
-# b/34115651 - net.dns* properties read
-# This will go away in a future Android release
-get_prop(untrusted_app_25, net_dns_prop)
-
-# b/35917228 - /proc/misc access
-# This will go away in a future Android release
-allow untrusted_app_25 proc_misc:file r_file_perms;
-
-# Access to /proc/tty/drivers, to allow apps to determine if they
-# are running in an emulated environment.
-# b/33214085 b/33814662 b/33791054 b/33211769
-# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
-# This will go away in a future Android release
-allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
diff --git a/prebuilts/api/26.0/private/untrusted_app_all.te b/prebuilts/api/26.0/private/untrusted_app_all.te
deleted file mode 100644
index fc80129..0000000
--- a/prebuilts/api/26.0/private/untrusted_app_all.te
+++ /dev/null
@@ -1,106 +0,0 @@
-###
-### Untrusted_app_all.
-###
-### This file defines the rules shared by all untrusted app domains except
-### apps which target the v2 security sandbox (ephemeral_app for instant apps,
-### untrusted_v2_app for fully installed v2 apps).
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app_all attribute is assigned to all default
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### attribute is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-### Note that rules that should apply to all untrusted apps must be in app.te or also
-### added to untrusted_v2_app.te and ephemeral_app.te.
-
-# Legacy text relocations
-allow untrusted_app_all apk_data_file:file execmod;
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
-
-# ASEC
-allow untrusted_app_all asec_apk_file:file r_file_perms;
-allow untrusted_app_all asec_apk_file:dir r_dir_perms;
-# Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute execmod };
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-# TODO: Long term, we don't want apps probing into shell data files.
-# Figure out a way to remove these rules.
-allow untrusted_app_all shell_data_file:file r_file_perms;
-allow untrusted_app_all shell_data_file:dir r_dir_perms;
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_app_all system_app_data_file:file { read write getattr };
-
-#
-# Rules migrated from old app domains coalesced into untrusted_app.
-# This includes what used to be media_app, shared_app, and release_app.
-#
-
-# Access to /data/media.
-allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
-allow untrusted_app_all media_rw_data_file:file create_file_perms;
-
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app_all mnt_media_rw_file:dir search;
-
-# allow cts to query all services
-allow untrusted_app_all servicemanager:service_manager list;
-
-allow untrusted_app_all audioserver_service:service_manager find;
-allow untrusted_app_all cameraserver_service:service_manager find;
-allow untrusted_app_all drmserver_service:service_manager find;
-allow untrusted_app_all mediaserver_service:service_manager find;
-allow untrusted_app_all mediaextractor_service:service_manager find;
-allow untrusted_app_all mediacodec_service:service_manager find;
-allow untrusted_app_all mediametrics_service:service_manager find;
-allow untrusted_app_all mediadrmserver_service:service_manager find;
-allow untrusted_app_all mediacasserver_service:service_manager find;
-allow untrusted_app_all nfc_service:service_manager find;
-allow untrusted_app_all radio_service:service_manager find;
-allow untrusted_app_all surfaceflinger_service:service_manager find;
-allow untrusted_app_all app_api_service:service_manager find;
-allow untrusted_app_all vr_manager_service:service_manager find;
-
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
- allow untrusted_app_all perfprofd_data_file:file r_file_perms;
- allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
-')
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_app_all self:process ptrace;
-
-# Cts: HwRngTest
-allow untrusted_app_all sysfs_hwrandom:dir search;
-allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
-
-# Allow apps to view preloaded media content
-allow untrusted_app_all preloads_media_file:dir r_dir_perms;
-allow untrusted_app_all preloads_media_file:file r_file_perms;
-allow untrusted_app_all preloads_data_file:dir search;
-
-# Allow untrusted apps read / execute access to /vendor/app for there can
-# be pre-installed vendor apps that package a library within themselves.
-# TODO (b/37784178) Consider creating a special type for /vendor/app installed
-# apps.
-allow untrusted_app_all vendor_app_file:dir { open getattr read search };
-allow untrusted_app_all vendor_app_file:file { open getattr read execute };
-allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
diff --git a/prebuilts/api/26.0/private/untrusted_v2_app.te b/prebuilts/api/26.0/private/untrusted_v2_app.te
deleted file mode 100644
index ef62841..0000000
--- a/prebuilts/api/26.0/private/untrusted_v2_app.te
+++ /dev/null
@@ -1,43 +0,0 @@
-###
-### Untrusted v2 sandbox apps.
-###
-
-typeattribute untrusted_v2_app coredomain;
-
-app_domain(untrusted_v2_app)
-net_domain(untrusted_v2_app)
-bluetooth_domain(untrusted_v2_app)
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_v2_app system_app_data_file:file { read write getattr };
-
-# Access to /data/media.
-allow untrusted_v2_app media_rw_data_file:dir create_dir_perms;
-allow untrusted_v2_app media_rw_data_file:file create_file_perms;
-
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_v2_app mnt_media_rw_file:dir search;
-
-# allow cts to query all services
-allow untrusted_v2_app servicemanager:service_manager list;
-
-allow untrusted_v2_app audioserver_service:service_manager find;
-allow untrusted_v2_app cameraserver_service:service_manager find;
-allow untrusted_v2_app drmserver_service:service_manager find;
-allow untrusted_v2_app mediaserver_service:service_manager find;
-allow untrusted_v2_app mediaextractor_service:service_manager find;
-allow untrusted_v2_app mediacodec_service:service_manager find;
-allow untrusted_v2_app mediametrics_service:service_manager find;
-allow untrusted_v2_app mediadrmserver_service:service_manager find;
-allow untrusted_v2_app mediacasserver_service:service_manager find;
-allow untrusted_v2_app nfc_service:service_manager find;
-allow untrusted_v2_app radio_service:service_manager find;
-allow untrusted_v2_app surfaceflinger_service:service_manager find;
-# TODO: potentially provide a tighter list of services here
-allow untrusted_v2_app app_api_service:service_manager find;
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_v2_app self:process ptrace;
diff --git a/prebuilts/api/26.0/private/update_engine.te b/prebuilts/api/26.0/private/update_engine.te
deleted file mode 100644
index f460272..0000000
--- a/prebuilts/api/26.0/private/update_engine.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute update_engine coredomain;
-typeattribute update_engine domain_deprecated;
-
-init_daemon_domain(update_engine);
diff --git a/prebuilts/api/26.0/private/update_engine_common.te b/prebuilts/api/26.0/private/update_engine_common.te
deleted file mode 100644
index a7fb584..0000000
--- a/prebuilts/api/26.0/private/update_engine_common.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
-domain_auto_trans(update_engine_common, postinstall_file, postinstall)
diff --git a/prebuilts/api/26.0/private/update_verifier.te b/prebuilts/api/26.0/private/update_verifier.te
deleted file mode 100644
index 1b934d9..0000000
--- a/prebuilts/api/26.0/private/update_verifier.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute update_verifier coredomain;
-
-init_daemon_domain(update_verifier)
diff --git a/prebuilts/api/26.0/private/vdc.te b/prebuilts/api/26.0/private/vdc.te
deleted file mode 100644
index bc7409e..0000000
--- a/prebuilts/api/26.0/private/vdc.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute vdc coredomain;
-
-init_daemon_domain(vdc)
diff --git a/prebuilts/api/26.0/private/vold.te b/prebuilts/api/26.0/private/vold.te
deleted file mode 100644
index f2416f8..0000000
--- a/prebuilts/api/26.0/private/vold.te
+++ /dev/null
@@ -1,20 +0,0 @@
-typeattribute vold coredomain;
-typeattribute vold domain_deprecated;
-
-init_daemon_domain(vold)
-
-# Switch to more restrictive domains when executing common tools
-domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, sdcardd_exec, sdcardd);
-
-# For a handful of probing tools, we choose an even more restrictive
-# domain when working with untrusted block devices
-domain_trans(vold, shell_exec, blkid);
-domain_trans(vold, shell_exec, blkid_untrusted);
-domain_trans(vold, fsck_exec, fsck);
-domain_trans(vold, fsck_exec, fsck_untrusted);
-
-# Newly created storage dirs are always treated as mount stubs to prevent us
-# from accidentally writing when the mount point isn't present.
-type_transition vold storage_file:dir storage_stub_file;
-type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
diff --git a/prebuilts/api/26.0/private/vr_hwc.te b/prebuilts/api/26.0/private/vr_hwc.te
deleted file mode 100644
index 053c03d..0000000
--- a/prebuilts/api/26.0/private/vr_hwc.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute vr_hwc coredomain;
-
-# Daemon started by init.
-init_daemon_domain(vr_hwc)
-
-hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/prebuilts/api/26.0/private/watchdogd.te b/prebuilts/api/26.0/private/watchdogd.te
deleted file mode 100644
index 36dd30f..0000000
--- a/prebuilts/api/26.0/private/watchdogd.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute watchdogd coredomain;
diff --git a/prebuilts/api/26.0/private/webview_zygote.te b/prebuilts/api/26.0/private/webview_zygote.te
deleted file mode 100644
index 501581a..0000000
--- a/prebuilts/api/26.0/private/webview_zygote.te
+++ /dev/null
@@ -1,116 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-typeattribute webview_zygote coredomain;
-
-# The webview_zygote needs to be able to transition domains.
-typeattribute webview_zygote mlstrustedsubject;
-
-# When init launches the WebView zygote's executable, transition the
-# resulting process into webview_zygote domain.
-init_daemon_domain(webview_zygote)
-
-# Allow reading/executing installed binaries to enable preloading the
-# installed WebView implementation.
-allow webview_zygote apk_data_file:dir r_dir_perms;
-allow webview_zygote apk_data_file:file { r_file_perms execute };
-
-# Access to the WebView relro file.
-allow webview_zygote shared_relro_file:dir search;
-allow webview_zygote shared_relro_file:file r_file_perms;
-
-# Set the UID/GID of the process.
-allow webview_zygote self:capability { setgid setuid };
-# Drop capabilities from bounding set.
-allow webview_zygote self:capability setpcap;
-# Switch SELinux context to app domains.
-allow webview_zygote self:process setcurrent;
-allow webview_zygote isolated_app:process dyntransition;
-
-# For art.
-allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
-allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
-
-# Allow webview_zygote to stat the files that it opens. It must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow webview_zygote debugfs_trace_marker:file getattr;
-
-# Allow webview_zygote to manage the pgroup of its children.
-allow webview_zygote system_server:process getpgid;
-
-# Interaction between the webview_zygote and its children.
-allow webview_zygote isolated_app:process setpgid;
-
-# Get seapp_contexts
-allow webview_zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(webview_zygote)
-# Check SELinux permissions.
-selinux_check_access(webview_zygote)
-
-#####
-##### Neverallow
-#####
-
-# Only permit transition to isolated_app.
-neverallow webview_zygote { domain -isolated_app }:process dyntransition;
-
-# Only setcon() transitions, no exec() based transitions, except for crash_dump.
-neverallow webview_zygote { domain -crash_dump }:process transition;
-
-# Must not exec() a program without changing domains.
-# Having said that, exec() above is not allowed.
-neverallow webview_zygote *:file execute_no_trans;
-
-# The only way to enter this domain is for init to exec() us.
-neverallow { domain -init } webview_zygote:process transition;
-neverallow * webview_zygote:process dyntransition;
-
-# Disallow write access to properties.
-neverallow webview_zygote property_socket:sock_file write;
-neverallow webview_zygote property_type:property_service set;
-
-# Should not have any access to app data files.
-neverallow webview_zygote {
- app_data_file
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
-}:file { rwx_file_perms };
-
-neverallow webview_zygote {
- service_manager_type
- -activity_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
-
-# Do not allow webview_zygote access to /cache.
-neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
-neverallow webview_zygote cache_file:file ~{ read getattr };
-
-# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
-# unix_stream_socket, and netlink_selinux_socket.
-neverallow webview_zygote domain:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
- appletalk_socket netlink_route_socket netlink_tcpdiag_socket
- netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
- sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
- x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
- pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
- rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket
-} *;
-
-# Do not allow access to Bluetooth-related system properties.
-# neverallow rules for Bluetooth-related data files are listed above.
-neverallow webview_zygote bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/26.0/private/wificond.te b/prebuilts/api/26.0/private/wificond.te
deleted file mode 100644
index cc76447..0000000
--- a/prebuilts/api/26.0/private/wificond.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute wificond coredomain;
-
-init_daemon_domain(wificond)
-hal_client_domain(wificond, hal_wifi_offload)
diff --git a/prebuilts/api/26.0/private/zygote.te b/prebuilts/api/26.0/private/zygote.te
deleted file mode 100644
index daabbc0..0000000
--- a/prebuilts/api/26.0/private/zygote.te
+++ /dev/null
@@ -1,134 +0,0 @@
-# zygote
-typeattribute zygote coredomain;
-typeattribute zygote domain_deprecated;
-typeattribute zygote mlstrustedsubject;
-
-init_daemon_domain(zygote)
-
-read_runtime_log_tags(zygote)
-
-# Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner chown };
-
-# Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
-
-# Switch SELinux context to app domains.
-allow zygote self:process setcurrent;
-allow zygote system_server:process dyntransition;
-allow zygote appdomain:process dyntransition;
-
-# Allow zygote to read app /proc/pid dirs (b/10455872).
-allow zygote appdomain:dir { getattr search };
-allow zygote appdomain:file { r_file_perms };
-
-# Move children into the peer process group.
-allow zygote system_server:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
-
-# Read system data.
-allow zygote system_data_file:dir r_dir_perms;
-allow zygote system_data_file:file r_file_perms;
-
-# Write to /data/dalvik-cache.
-allow zygote dalvikcache_data_file:dir create_dir_perms;
-allow zygote dalvikcache_data_file:file create_file_perms;
-
-# Create symlinks in /data/dalvik-cache.
-allow zygote dalvikcache_data_file:lnk_file create_file_perms;
-
-# Write to /data/resource-cache.
-allow zygote resourcecache_data_file:dir rw_dir_perms;
-allow zygote resourcecache_data_file:file create_file_perms;
-
-# When WITH_DEXPREOPT is true, the zygote does not load executable content from
-# /data/dalvik-cache.
-allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
-
-# Execute idmap and dex2oat within zygote's own domain.
-# TODO: Should either of these be transitioned to the same domain
-# used by installd or stay in-domain for zygote?
-allow zygote idmap_exec:file rx_file_perms;
-allow zygote dex2oat_exec:file rx_file_perms;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(zygote, vendor_overlay_file)
-
-# Control cgroups.
-allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote self:capability sys_admin;
-
-# Allow zygote to stat the files that it opens. The zygote must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow zygote pmsg_device:chr_file getattr;
-allow zygote debugfs_trace_marker:file getattr;
-
-# Get seapp_contexts
-allow zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(zygote)
-# Check SELinux permissions.
-selinux_check_access(zygote)
-
-# Native bridge functionality requires that zygote replaces
-# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
-allow zygote proc_cpuinfo:file mounton;
-
-# Allow remounting rootfs as MS_SLAVE.
-allow zygote rootfs:dir mounton;
-allow zygote tmpfs:filesystem { mount unmount };
-allow zygote fuse:filesystem { unmount };
-allow zygote sdcardfs:filesystem { unmount };
-
-# Allow creating user-specific storage source if started before vold.
-allow zygote mnt_user_file:dir create_dir_perms;
-allow zygote mnt_user_file:lnk_file create_file_perms;
-# Allowed to mount user-specific storage into place
-allow zygote storage_file:dir { search mounton };
-
-# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file rx_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net)
-
-# Root fs.
-r_dir_file(zygote, rootfs)
-
-# System file accesses.
-r_dir_file(zygote, system_file)
-
-userdebug_or_eng(`
- # Allow zygote to create and write method traces in /data/misc/trace.
- allow zygote method_trace_data_file:dir w_dir_perms;
- allow zygote method_trace_data_file:file { create w_file_perms };
-')
-
-allow zygote ion_device:chr_file r_file_perms;
-allow zygote tmpfs:dir r_dir_perms;
-
-# Let the zygote access overlays so it can initialize the AssetManager.
-get_prop(zygote, overlay_prop)
-
-###
-### neverallow rules
-###
-
-# Ensure that all types assigned to app processes are included
-# in the appdomain attribute, so that all allow and neverallow rules
-# written on appdomain are applied to all app processes.
-# This is achieved by ensuring that it is impossible for zygote to
-# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
-
-# Zygote should never execute anything from /data except for /data/dalvik-cache files.
-neverallow zygote {
- data_file_type
- -dalvikcache_data_file # map PROT_EXEC
-}:file no_x_file_perms;
-
-# Do not allow access to Bluetooth-related system properties and files
-neverallow zygote bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/26.0/public/adbd.te b/prebuilts/api/26.0/public/adbd.te
deleted file mode 100644
index 7ecd045..0000000
--- a/prebuilts/api/26.0/public/adbd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# adbd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type adbd, domain;
diff --git a/prebuilts/api/26.0/public/asan_extract.te b/prebuilts/api/26.0/public/asan_extract.te
deleted file mode 100644
index 6d0de6c..0000000
--- a/prebuilts/api/26.0/public/asan_extract.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# asan_extract
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-with_asan(`
- type asan_extract, domain, coredomain;
- type asan_extract_exec, exec_type, file_type;
-
- # Allow asan_extract to execute itself using #!/system/bin/sh
- allow asan_extract shell_exec:file rx_file_perms;
-
- # We execute log, rm, gzip and tar.
- allow asan_extract toolbox_exec:file rx_file_perms;
- allow asan_extract system_file:file execute_no_trans;
-
- # asan_extract deletes old /data/lib.
- allow asan_extract system_file:dir { open read remove_name rmdir write };
- allow asan_extract system_file:file unlink;
-
- # asan_extract untars ASAN libraries into /data.
- allow asan_extract system_data_file:dir create_dir_perms ;
- allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
-
- # Relabel the libraries with restorecon.
- allow asan_extract file_contexts_file:file r_file_perms;
- allow asan_extract system_data_file:{ dir file } relabelfrom;
- allow asan_extract system_file:dir { relabelto setattr };
- allow asan_extract system_file:file relabelto;
-
- # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
- allow asan_extract system_data_file:file execute;
-
- # We use asan.restore_reboot to signal a reboot is required.
- set_prop(asan_extract, asan_reboot_prop)
-')
diff --git a/prebuilts/api/26.0/public/attributes b/prebuilts/api/26.0/public/attributes
deleted file mode 100644
index cde55da..0000000
--- a/prebuilts/api/26.0/public/attributes
+++ /dev/null
@@ -1,291 +0,0 @@
-######################################
-# Attribute declarations
-#
-
-# All types used for devices.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# in tools/checkfc.c
-attribute dev_type;
-
-# All types used for processes.
-attribute domain;
-
-# All types used for filesystems.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute fs_type;
-
-# All types used for context= mounts.
-attribute contextmount_type;
-
-# All types used for files that can exist on a labeled fs.
-# Do not use for pseudo file types.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute file_type;
-
-# All types used for domain entry points.
-attribute exec_type;
-
-# All types used for /data files.
-attribute data_file_type;
-# All types in /data, not in /data/vendor
-attribute core_data_file_type;
-# All types in /vendor
-attribute vendor_file_type;
-
-# All types use for sysfs files.
-attribute sysfs_type;
-
-# All types use for debugfs files.
-attribute debugfs_type;
-
-# Attribute used for all sdcards
-attribute sdcard_type;
-
-# All types used for nodes/hosts.
-attribute node_type;
-
-# All types used for network interfaces.
-attribute netif_type;
-
-# All types used for network ports.
-attribute port_type;
-
-# All types used for property service
-# On change, update CHECK_PC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute property_type;
-
-# All properties defined in core SELinux policy. Should not be
-# used by device specific properties
-attribute core_property_type;
-
-# All properties used to configure log filtering.
-attribute log_property_type;
-
-# All service_manager types created by system_server
-attribute system_server_service;
-
-# services which should be available to all but isolated apps
-attribute app_api_service;
-
-# services which should be available to all ephemeral apps
-attribute ephemeral_app_api_service;
-
-# services which export only system_api
-attribute system_api_service;
-
-# All types used for services managed by servicemanager.
-# On change, update CHECK_SC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute service_manager_type;
-
-# All types used for services managed by hwservicemanager
-attribute hwservice_manager_type;
-
-# All HwBinder services guaranteed to be passthrough. These services always run
-# in the process of their clients, and thus operate with the same access as
-# their clients.
-attribute same_process_hwservice;
-
-# All HwBinder services guaranteed to be offered only by core domain components
-attribute coredomain_hwservice;
-
-# All types used for services managed by vndservicemanager
-attribute vndservice_manager_type;
-
-
-# All domains that can override MLS restrictions.
-# i.e. processes that can read up and write down.
-attribute mlstrustedsubject;
-
-# All types that can override MLS restrictions.
-# i.e. files that can be read by lower and written by higher
-attribute mlstrustedobject;
-
-# All domains used for apps.
-attribute appdomain;
-
-# All third party apps.
-attribute untrusted_app_all;
-
-# All domains used for apps with network access.
-attribute netdomain;
-
-# All domains used for apps with bluetooth access.
-attribute bluetoothdomain;
-
-# All domains used for binder service domains.
-attribute binderservicedomain;
-
-# update_engine related domains that need to apply an update and run
-# postinstall. This includes the background daemon and the sideload tool from
-# recovery for A/B devices.
-attribute update_engine_common;
-
-# All core domains (as opposed to vendor/device-specific domains)
-attribute coredomain;
-
-# All socket devices owned by core domain components
-attribute coredomain_socket;
-
-# All vendor domains which violate the requirement of not using Binder
-# TODO(b/35870313): Remove this once there are no violations
-attribute binder_in_vendor_violators;
-
-# All vendor domains which violate the requirement of not using sockets for
-# communicating with core components
-# TODO(b/36577153): Remove this once there are no violations
-attribute socket_between_core_and_vendor_violators;
-
-# All vendor domains which violate the requirement of not executing
-# system processes
-# TODO(b/36463595)
-attribute vendor_executes_system_violators;
-
-# hwservices that are accessible from untrusted applications
-# WARNING: Use of this attribute should be avoided unless
-# absolutely necessary. It is a temporary allowance to aid the
-# transition to treble and will be removed in a future platform
-# version, requiring all hwservices that are labeled with this
-# attribute to be submitted to AOSP in order to maintain their
-# app-visibility.
-attribute untrusted_app_visible_hwservice;
-
-# PDX services
-attribute pdx_endpoint_dir_type;
-attribute pdx_endpoint_socket_type;
-attribute pdx_channel_socket_type;
-
-pdx_service_attributes(display_client)
-pdx_service_attributes(display_manager)
-pdx_service_attributes(display_screenshot)
-pdx_service_attributes(display_vsync)
-pdx_service_attributes(performance_client)
-pdx_service_attributes(bufferhub_client)
-
-# All HAL servers
-attribute halserverdomain;
-# All HAL clients
-attribute halclientdomain;
-
-# HALs
-attribute hal_allocator;
-attribute hal_allocator_client;
-attribute hal_allocator_server;
-attribute hal_audio;
-attribute hal_audio_client;
-attribute hal_audio_server;
-attribute hal_bluetooth;
-attribute hal_bluetooth_client;
-attribute hal_bluetooth_server;
-attribute hal_bootctl;
-attribute hal_bootctl_client;
-attribute hal_bootctl_server;
-attribute hal_camera;
-attribute hal_camera_client;
-attribute hal_camera_server;
-attribute hal_configstore;
-attribute hal_configstore_client;
-attribute hal_configstore_server;
-attribute hal_contexthub;
-attribute hal_contexthub_client;
-attribute hal_contexthub_server;
-attribute hal_drm;
-attribute hal_drm_client;
-attribute hal_drm_server;
-attribute hal_dumpstate;
-attribute hal_dumpstate_client;
-attribute hal_dumpstate_server;
-attribute hal_fingerprint;
-attribute hal_fingerprint_client;
-attribute hal_fingerprint_server;
-attribute hal_gatekeeper;
-attribute hal_gatekeeper_client;
-attribute hal_gatekeeper_server;
-attribute hal_gnss;
-attribute hal_gnss_client;
-attribute hal_gnss_server;
-attribute hal_graphics_allocator;
-attribute hal_graphics_allocator_client;
-attribute hal_graphics_allocator_server;
-attribute hal_graphics_composer;
-attribute hal_graphics_composer_client;
-attribute hal_graphics_composer_server;
-attribute hal_health;
-attribute hal_health_client;
-attribute hal_health_server;
-attribute hal_ir;
-attribute hal_ir_client;
-attribute hal_ir_server;
-attribute hal_keymaster;
-attribute hal_keymaster_client;
-attribute hal_keymaster_server;
-attribute hal_light;
-attribute hal_light_client;
-attribute hal_light_server;
-attribute hal_memtrack;
-attribute hal_memtrack_client;
-attribute hal_memtrack_server;
-attribute hal_nfc;
-attribute hal_nfc_client;
-attribute hal_nfc_server;
-attribute hal_oemlock;
-attribute hal_oemlock_client;
-attribute hal_oemlock_server;
-attribute hal_power;
-attribute hal_power_client;
-attribute hal_power_server;
-attribute hal_sensors;
-attribute hal_sensors_client;
-attribute hal_sensors_server;
-attribute hal_telephony;
-attribute hal_telephony_client;
-attribute hal_telephony_server;
-attribute hal_tetheroffload;
-attribute hal_tetheroffload_client;
-attribute hal_tetheroffload_server;
-attribute hal_thermal;
-attribute hal_thermal_client;
-attribute hal_thermal_server;
-attribute hal_tv_cec;
-attribute hal_tv_cec_client;
-attribute hal_tv_cec_server;
-attribute hal_tv_input;
-attribute hal_tv_input_client;
-attribute hal_tv_input_server;
-attribute hal_usb;
-attribute hal_usb_client;
-attribute hal_usb_server;
-attribute hal_vibrator;
-attribute hal_vibrator_client;
-attribute hal_vibrator_server;
-attribute hal_vr;
-attribute hal_vr_client;
-attribute hal_vr_server;
-attribute hal_weaver;
-attribute hal_weaver_client;
-attribute hal_weaver_server;
-attribute hal_wifi;
-attribute hal_wifi_client;
-attribute hal_wifi_server;
-attribute hal_wifi_keystore;
-attribute hal_wifi_keystore_client;
-attribute hal_wifi_keystore_server;
-attribute hal_wifi_offload;
-attribute hal_wifi_offload_client;
-attribute hal_wifi_offload_server;
-attribute hal_wifi_supplicant;
-attribute hal_wifi_supplicant_client;
-attribute hal_wifi_supplicant_server;
-
-# HwBinder services offered across the core-vendor boundary
-#
-# We annotate server domains with x_server to loosen the coupling between
-# system and vendor images. For example, it should be possible to move a service
-# from one core domain to another, without having to update the vendor image
-# which contains clients of this service.
-
-attribute display_service_server;
-attribute wifi_keystore_service_server;
diff --git a/prebuilts/api/26.0/public/audioserver.te b/prebuilts/api/26.0/public/audioserver.te
deleted file mode 100644
index 9a72858..0000000
--- a/prebuilts/api/26.0/public/audioserver.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# audioserver - audio services daemon
-type audioserver, domain;
diff --git a/prebuilts/api/26.0/public/bootanim.te b/prebuilts/api/26.0/public/bootanim.te
deleted file mode 100644
index e2584c3..0000000
--- a/prebuilts/api/26.0/public/bootanim.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# bootanimation oneshot service
-type bootanim, domain;
-type bootanim_exec, exec_type, file_type;
-
-hal_client_domain(bootanim, hal_graphics_allocator)
-hal_client_domain(bootanim, hal_graphics_composer)
-
-binder_use(bootanim)
-binder_call(bootanim, surfaceflinger)
-binder_call(bootanim, audioserver)
-
-hwbinder_use(bootanim)
-
-allow bootanim gpu_device:chr_file rw_file_perms;
-
-# /oem access
-allow bootanim oemfs:dir search;
-allow bootanim oemfs:file r_file_perms;
-
-allow bootanim audio_device:dir r_dir_perms;
-allow bootanim audio_device:chr_file rw_file_perms;
-
-allow bootanim audioserver_service:service_manager find;
-allow bootanim surfaceflinger_service:service_manager find;
-
-# Allow access to ion memory allocation device
-allow bootanim ion_device:chr_file rw_file_perms;
-allow bootanim hal_graphics_allocator:fd use;
-
-# Fences
-allow bootanim hal_graphics_composer:fd use;
-
-# Read access to pseudo filesystems.
-r_dir_file(bootanim, proc)
-allow bootanim proc_meminfo:file r_file_perms;
-r_dir_file(bootanim, sysfs)
-r_dir_file(bootanim, cgroup)
-
-# System file accesses.
-allow bootanim system_file:dir r_dir_perms;
diff --git a/prebuilts/api/26.0/public/bootstat.te b/prebuilts/api/26.0/public/bootstat.te
deleted file mode 100644
index f5c7268..0000000
--- a/prebuilts/api/26.0/public/bootstat.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# bootstat command
-type bootstat, domain;
-type bootstat_exec, exec_type, file_type;
-
-read_runtime_log_tags(bootstat)
-
-# Allow persistent storage in /data/misc/bootstat.
-allow bootstat bootstat_data_file:dir rw_dir_perms;
-allow bootstat bootstat_data_file:file create_file_perms;
-
-# Read access to pseudo filesystems (for /proc/uptime).
-r_dir_file(bootstat, proc)
-
-# Collect metrics on boot time created by init
-get_prop(bootstat, boottime_prop)
diff --git a/prebuilts/api/26.0/public/bufferhubd.te b/prebuilts/api/26.0/public/bufferhubd.te
deleted file mode 100644
index 274c271..0000000
--- a/prebuilts/api/26.0/public/bufferhubd.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# bufferhubd
-type bufferhubd, domain, mlstrustedsubject;
-type bufferhubd_exec, exec_type, file_type;
-
-hal_client_domain(bufferhubd, hal_graphics_allocator)
-
-pdx_server(bufferhubd, bufferhub_client)
-pdx_client(bufferhubd, performance_client)
-
-# Access the GPU.
-allow bufferhubd gpu_device:chr_file rw_file_perms;
-
-# Access /dev/ion
-allow bufferhubd ion_device:chr_file r_file_perms;
-
-# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
-# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
-# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
-# Thus, there is no need to use pdx_client macro.
-allow bufferhubd mediacodec:fd use;
diff --git a/prebuilts/api/26.0/public/cameraserver.te b/prebuilts/api/26.0/public/cameraserver.te
deleted file mode 100644
index 0dd4a80..0000000
--- a/prebuilts/api/26.0/public/cameraserver.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# cameraserver - camera daemon
-type cameraserver, domain;
-type cameraserver_exec, exec_type, file_type;
-
-binder_use(cameraserver)
-binder_call(cameraserver, binderservicedomain)
-binder_call(cameraserver, appdomain)
-binder_service(cameraserver)
-
-hal_client_domain(cameraserver, hal_camera)
-
-hal_client_domain(cameraserver, hal_graphics_allocator)
-
-allow cameraserver ion_device:chr_file rw_file_perms;
-
-# Talk with graphics composer fences
-allow cameraserver hal_graphics_composer:fd use;
-
-add_service(cameraserver, cameraserver_service)
-allow cameraserver appops_service:service_manager find;
-allow cameraserver audioserver_service:service_manager find;
-allow cameraserver batterystats_service:service_manager find;
-allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver mediaserver_service:service_manager find;
-allow cameraserver processinfo_service:service_manager find;
-allow cameraserver scheduling_policy_service:service_manager find;
-allow cameraserver surfaceflinger_service:service_manager find;
-
-allow cameraserver hidl_token_hwservice:hwservice_manager find;
-
-###
-### neverallow rules
-###
-
-# cameraserver should never execute any executable without a
-# domain transition
-neverallow cameraserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/26.0/public/charger.te b/prebuilts/api/26.0/public/charger.te
deleted file mode 100644
index 4b20d1d..0000000
--- a/prebuilts/api/26.0/public/charger.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# charger seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type charger, domain;
-
-# Write to /dev/kmsg
-allow charger kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charger, sysfs_type)
-r_dir_file(charger, rootfs)
-r_dir_file(charger, cgroup)
-
-allow charger self:capability { sys_tty_config };
-allow charger self:capability sys_boot;
-
-wakelock_use(charger)
-
-allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Write to /sys/power/state
-# TODO: Split into a separate type?
-allow charger sysfs:file write;
-
-allow charger sysfs_batteryinfo:file r_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charger pstorefs:dir r_dir_perms;
-allow charger pstorefs:file r_file_perms;
-
-allow charger graphics_device:dir r_dir_perms;
-allow charger graphics_device:chr_file rw_file_perms;
-allow charger input_device:dir r_dir_perms;
-allow charger input_device:chr_file r_file_perms;
-allow charger tty_device:chr_file rw_file_perms;
-allow charger proc_sysrq:file rw_file_perms;
-
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charger, system_prop)
diff --git a/prebuilts/api/26.0/public/clatd.te b/prebuilts/api/26.0/public/clatd.te
deleted file mode 100644
index 212b76e..0000000
--- a/prebuilts/api/26.0/public/clatd.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# 464xlat daemon
-type clatd, domain;
-type clatd_exec, exec_type, file_type;
-
-net_domain(clatd)
-
-r_dir_file(clatd, proc_net)
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:capability { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:capability ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/26.0/public/cppreopts.te b/prebuilts/api/26.0/public/cppreopts.te
deleted file mode 100644
index 8cbf801..0000000
--- a/prebuilts/api/26.0/public/cppreopts.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# cppreopts
-#
-# This command copies preopted files from the system_b partition to the data
-# partition. This domain ensures that we are only copying into specific
-# directories.
-
-type cppreopts, domain, mlstrustedsubject;
-type cppreopts_exec, exec_type, file_type;
-
-# Allow cppreopts copy files into the dalvik-cache
-allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow cppreopts shell_exec:file rx_file_perms;
-
-# Allow us to run find on /postinstall
-allow cppreopts system_file:dir { open read };
-
-# Allow running the cp command using cppreopts permissions. Needed so we can
-# write into dalvik-cache
-allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/26.0/public/crash_dump.te b/prebuilts/api/26.0/public/crash_dump.te
deleted file mode 100644
index ee617a1..0000000
--- a/prebuilts/api/26.0/public/crash_dump.te
+++ /dev/null
@@ -1,60 +0,0 @@
-type crash_dump, domain;
-type crash_dump_exec, exec_type, file_type;
-
-allow crash_dump {
- domain
- -init
- -crash_dump
- -keystore
- -logd
-}:process { ptrace signal sigchld sigstop sigkill };
-
-# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
-# which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:capability { sys_ptrace };
-
-userdebug_or_eng(`
- allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
-')
-
-# Use inherited file descriptors
-allow crash_dump domain:fd use;
-
-# Write to the IPC pipe inherited from crashing processes.
-# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
-allow crash_dump domain:fifo_file { write append };
-
-r_dir_file(crash_dump, domain)
-allow crash_dump exec_type:file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow crash_dump dalvikcache_data_file:dir { search getattr };
-allow crash_dump dalvikcache_data_file:file r_file_perms;
-
-# Read APK files.
-r_dir_file(crash_dump, apk_data_file);
-
-# Read all /vendor
-r_dir_file(crash_dump, { vendor_file same_process_hal_file })
-
-# Talk to tombstoned
-unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
-
-# Talk to ActivityManager.
-unix_socket_connect(crash_dump, system_ndebug, system_server)
-
-# Append to ANR files.
-allow crash_dump anr_data_file:file { append getattr };
-
-# Append to tombstone files.
-allow crash_dump tombstone_data_file:file { append getattr };
-
-read_logd(crash_dump)
-
-###
-### neverallow assertions
-###
-
-# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
-# Do not allow the execution of crash_dump without a domain transition.
-neverallow domain crash_dump_exec:file execute_no_trans;
diff --git a/prebuilts/api/26.0/public/device.te b/prebuilts/api/26.0/public/device.te
deleted file mode 100644
index 4a3bec9..0000000
--- a/prebuilts/api/26.0/public/device.te
+++ /dev/null
@@ -1,103 +0,0 @@
-# Device types
-type device, dev_type, fs_type;
-type alarm_device, dev_type, mlstrustedobject;
-type ashmem_device, dev_type, mlstrustedobject;
-type audio_device, dev_type;
-type audio_timer_device, dev_type;
-type audio_seq_device, dev_type;
-type binder_device, dev_type, mlstrustedobject;
-type hwbinder_device, dev_type, mlstrustedobject;
-type vndbinder_device, dev_type;
-type block_device, dev_type;
-type camera_device, dev_type;
-type dm_device, dev_type;
-type keychord_device, dev_type;
-type loop_control_device, dev_type;
-type loop_device, dev_type;
-type pmsg_device, dev_type, mlstrustedobject;
-type radio_device, dev_type;
-type ram_device, dev_type;
-type rtc_device, dev_type;
-type vold_device, dev_type;
-type console_device, dev_type;
-type cpuctl_device, dev_type;
-type fscklogs, dev_type;
-type full_device, dev_type;
-# GPU (used by most UI apps)
-type gpu_device, dev_type, mlstrustedobject;
-type graphics_device, dev_type;
-type hw_random_device, dev_type;
-type input_device, dev_type;
-type kmem_device, dev_type;
-type port_device, dev_type;
-type log_device, dev_type, mlstrustedobject;
-type mtd_device, dev_type;
-type mtp_device, dev_type, mlstrustedobject;
-type nfc_device, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
-type kmsg_device, dev_type;
-type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type, mlstrustedobject;
-type sensors_device, dev_type;
-type serial_device, dev_type;
-type socket_device, dev_type;
-type owntty_device, dev_type, mlstrustedobject;
-type tty_device, dev_type;
-type video_device, dev_type;
-type vcs_device, dev_type;
-type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type, mlstrustedobject;
-type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
-type qtaguid_device, dev_type;
-type watchdog_device, dev_type;
-type uhid_device, dev_type;
-type uio_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
-type usbaccessory_device, dev_type, mlstrustedobject;
-type usb_device, dev_type, mlstrustedobject;
-type properties_device, dev_type;
-type properties_serial, dev_type;
-type i2c_device, dev_type;
-
-# All devices have a uart for the hci
-# attach service. The uart dev node
-# varies per device. This type
-# is used in per device policy
-type hci_attach_dev, dev_type;
-
-# All devices have a rpmsg device for
-# achieving remoteproc and rpmsg modules
-type rpmsg_device, dev_type;
-
-# Partition layout block device
-type root_block_device, dev_type;
-
-# factory reset protection block device
-type frp_block_device, dev_type;
-
-# System block device mounted on /system.
-type system_block_device, dev_type;
-
-# Recovery block device.
-type recovery_block_device, dev_type;
-
-# boot block device.
-type boot_block_device, dev_type;
-
-# Userdata block device mounted on /data.
-type userdata_block_device, dev_type;
-
-# Cache block device mounted on /cache.
-type cache_block_device, dev_type;
-
-# Block device for any swap partition.
-type swap_block_device, dev_type;
-
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-type metadata_block_device, dev_type;
-
-# The 'misc' partition used by recovery and A/B.
-type misc_block_device, dev_type;
diff --git a/prebuilts/api/26.0/public/dex2oat.te b/prebuilts/api/26.0/public/dex2oat.te
deleted file mode 100644
index 47f3bcb..0000000
--- a/prebuilts/api/26.0/public/dex2oat.te
+++ /dev/null
@@ -1,66 +0,0 @@
-# dex2oat
-type dex2oat, domain;
-type dex2oat_exec, exec_type, file_type;
-
-r_dir_file(dex2oat, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dex2oat, vendor_app_file)
-# Access /vendor/framework
-allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read };
-
-allow dex2oat tmpfs:file { read getattr };
-
-r_dir_file(dex2oat, dalvikcache_data_file)
-allow dex2oat dalvikcache_data_file:file write;
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
-# the oat file is symlinked to the original file in /system.
-allow dex2oat dalvikcache_data_file:lnk_file read;
-allow dex2oat installd:fd use;
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dex2oat system_file:file lock;
-
-# Read already open asec_apk_file file descriptors passed by installd.
-# Also allow reading unlabeled files, to allow for upgrading forward
-# locked APKs.
-allow dex2oat asec_apk_file:file read;
-allow dex2oat unlabeled:file read;
-allow dex2oat oemfs:file read;
-allow dex2oat apk_tmp_file:dir search;
-allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock };
-
-# Allow dex2oat to compile app's secondary dex files which were reported back to
-# the framework.
-allow dex2oat app_data_file:file { getattr read write lock };
-
-##################
-# A/B OTA Dexopt #
-##################
-
-# Allow dex2oat to use file descriptors from otapreopt.
-allow dex2oat postinstall_dexopt:fd use;
-
-allow dex2oat postinstall_file:dir { getattr search };
-allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file read;
-
-# Allow dex2oat access to files in /data/ota.
-allow dex2oat ota_data_file:dir ra_dir_perms;
-allow dex2oat ota_data_file:file r_file_perms;
-
-# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
-# where the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file { create read };
-
-# It would be nice to tie this down, but currently, because of how images are written, we can't
-# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
-# create them itself (and make them world-readable).
-allow dex2oat ota_data_file:file { create w_file_perms setattr };
-
-##############
-# Neverallow #
-##############
-
-neverallow dex2oat app_data_file:notdevfile_class_set open;
diff --git a/prebuilts/api/26.0/public/dhcp.te b/prebuilts/api/26.0/public/dhcp.te
deleted file mode 100644
index 2b54b7f..0000000
--- a/prebuilts/api/26.0/public/dhcp.te
+++ /dev/null
@@ -1,30 +0,0 @@
-type dhcp, domain;
-type dhcp_exec, exec_type, file_type;
-
-net_domain(dhcp)
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms_no_ioctl;
-allow dhcp self:netlink_route_socket nlmsg_write;
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
-not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
-
-# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
-allow dhcp toolbox_exec:file rx_file_perms;
-
-# For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
-
-set_prop(dhcp, dhcp_prop)
-set_prop(dhcp, pan_result_prop)
-
-allow dhcp dhcp_data_file:dir create_dir_perms;
-allow dhcp dhcp_data_file:file create_file_perms;
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file rw_file_perms;
-allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/prebuilts/api/26.0/public/dnsmasq.te b/prebuilts/api/26.0/public/dnsmasq.te
deleted file mode 100644
index ccac69a..0000000
--- a/prebuilts/api/26.0/public/dnsmasq.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# DNS, DHCP services
-type dnsmasq, domain;
-type dnsmasq_exec, exec_type, file_type;
-
-net_domain(dnsmasq)
-allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
-
-# TODO: Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:capability dac_override;
-
-allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
-
-allow dnsmasq dhcp_data_file:dir w_dir_perms;
-allow dnsmasq dhcp_data_file:file create_file_perms;
-
-# Inherit and use open files from netd.
-allow dnsmasq netd:fd use;
-allow dnsmasq netd:fifo_file { read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
-allow dnsmasq netd:netlink_nflog_socket { read write };
-allow dnsmasq netd:netlink_route_socket { read write };
-allow dnsmasq netd:unix_stream_socket { read write };
-allow dnsmasq netd:unix_dgram_socket { read write };
-allow dnsmasq netd:udp_socket { read write };
diff --git a/prebuilts/api/26.0/public/domain.te b/prebuilts/api/26.0/public/domain.te
deleted file mode 100644
index 3adefd1..0000000
--- a/prebuilts/api/26.0/public/domain.te
+++ /dev/null
@@ -1,1028 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Intra-domain accesses.
-allow domain self:process {
- fork
- sigchld
- sigkill
- sigstop
- signull
- signal
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- getattr
- setrlimit
-};
-allow domain self:fd use;
-allow domain proc:dir r_dir_perms;
-allow domain proc_net:dir search;
-r_dir_file(domain, self)
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:unix_dgram_socket { create_socket_perms sendto };
-allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-
-userdebug_or_eng(`
- # Same as adbd rules above, except allow su to do the same thing
- allow domain su:unix_stream_socket connectto;
- allow domain su:fd use;
- allow domain su:unix_stream_socket { getattr getopt read write shutdown };
-
- allow { domain -init } su:binder { call transfer };
- allow { domain -init } su:fd use;
-
- # Running something like "pm dump com.android.bluetooth" requires
- # fifo writes
- allow domain su:fifo_file { write getattr };
-
- # allow "gdbserver --attach" to work for su.
- allow domain su:process sigchld;
-
- # Allow writing coredumps to /cores/*
- allow domain coredump_file:file create_file_perms;
- allow domain coredump_file:dir ra_dir_perms;
-')
-
-# Root fs.
-allow domain rootfs:dir search;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file r_file_perms;
-allow domain devpts:dir search;
-allow domain socket_device:dir r_dir_perms;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file rw_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
-# /dev/binder can be accessed by non-vendor domains and by apps
-allow {
- coredomain
- appdomain
- binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- -hwservicemanager
-} binder_device:chr_file rw_file_perms;
-# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
-not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
-allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain alarm_device:chr_file r_file_perms;
-allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:dir { search getattr };
-allow domain properties_serial:file r_file_perms;
-
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-get_prop(domain, core_property_type)
-# Let everyone read log properties, so that liblog can avoid sending unloggable
-# messages to logd.
-get_prop(domain, log_property_type)
-dontaudit domain property_type:file audit_access;
-allow domain property_contexts_file:file r_file_perms;
-
-allow domain init:key search;
-allow domain vold:key search;
-
-# logd access
-write_logd(domain)
-
-# System file accesses.
-allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr };
-allow domain system_file:lnk_file { getattr read };
-
-# Make sure system/vendor split doesn not affect non-treble
-# devices
-not_full_treble(`
- allow domain vendor_file_type:dir { search getattr };
- allow domain vendor_file_type:file { execute read open getattr };
- allow domain vendor_file_type:lnk_file { getattr read };
-')
-
-# All domains are allowed to open and read directories
-# that contain HAL implementations (e.g. passthrough
-# HALs require clients to have these permissions)
-allow domain vendor_hal_file:dir r_dir_perms;
-
-# Everyone can read and execute all same process HALs
-allow domain same_process_hal_file:dir r_dir_perms;
-allow domain same_process_hal_file:file { execute read open getattr };
-
-# Any process can load vndk-sp libraries, which are system libraries
-# used by same process HALs
-allow domain vndk_sp_file:dir r_dir_perms;
-allow domain vndk_sp_file:file { execute read open getattr };
-
-# All domains get access to /vendor/etc
-allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr };
-
-full_treble_only(`
- # Allow all domains to be able to follow /system/vendor symlink
- allow domain vendor_file:lnk_file { getattr open read };
-
- # This is required to be able to search & read /vendor/lib64
- # in order to lookup vendor libraries. The execute permission
- # for coredomains is granted *only* for same process HALs
- allow domain vendor_file:dir { getattr search };
-
- # Allow reading and executing out of /vendor to all vendor domains
- allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
- allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
- allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
-')
-
-# read any sysfs symlinks
-allow domain sysfs:lnk_file read;
-
-# libc references /data/misc/zoneinfo for timezone related information
-# This directory is considered to be a VNDK-stable
-r_dir_file(domain, zoneinfo_data_file)
-
-# Lots of processes access current CPU information
-r_dir_file(domain, sysfs_devices_system_cpu)
-
-r_dir_file(domain, sysfs_usb);
-
-# files under /data.
-not_full_treble(`allow domain system_data_file:dir getattr;')
-allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_file. Vendor components need the search
-# permission on system_data_file for path traversal to /data/vendor.
-allow domain system_data_file:dir search;
-
-# required by the dynamic linker
-allow domain proc:lnk_file { getattr read };
-
-# /proc/cpuinfo
-allow domain proc_cpuinfo:file r_file_perms;
-
-# jemalloc needs to read /proc/sys/vm/overcommit_memory
-allow domain proc_overcommit_memory:file r_file_perms;
-
-# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
-allow domain proc_perf:file r_file_perms;
-
-# toybox loads libselinux which stats /sys/fs/selinux/
-allow domain selinuxfs:dir search;
-allow domain selinuxfs:file getattr;
-allow domain sysfs:dir search;
-allow domain selinuxfs:filesystem getattr;
-
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file w_file_perms;
-
-# Almost all processes log tracing information to
-# /sys/kernel/debug/tracing/trace_marker
-# The reason behind this is documented in b/6513400
-allow domain debugfs:dir search;
-allow domain debugfs_tracing:dir search;
-allow domain debugfs_trace_marker:file w_file_perms;
-
-# Filesystem access.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# Restrict all domains to a allowlist for common socket types. Additional
-# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
-# not grant the ioctl permission on these socket types. That must be granted
-# separately.
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
-allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
- ioctl unpriv_unix_sock_ioctls;
-
-# Restrict PTYs to only allowlisted ioctls.
-# Note that granting this allowlist to domain does
-# not grant the wider ioctl permission. That must be granted
-# separately.
-allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
-
-# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
-# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:service_manager { add find };
-
-###
-### neverallow rules
-###
-
-# All socket ioctls must be restricted to a allowlist.
-neverallowxperm domain domain:socket_class_set ioctl { 0 };
-
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * devpts:chr_file ioctl TIOCSTI;
-
-# Do not allow any domain other than init or recovery to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-
-# Limit device node creation to these allowlisted domains.
-neverallow {
- domain
- -kernel
- -init
- -ueventd
- -vold
-} self:capability mknod;
-
-# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
-neverallow {
- domain
- userdebug_or_eng(`-domain')
- -kernel
- -init
- -recovery
- -ueventd
- -healthd
- -uncrypt
- -tee
-} self:capability sys_rawio;
-
-# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow * self:memprotect mmap_zero;
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:capability2 mac_override;
-
-# Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:capability2 mac_admin;
-
-# Once the policy has been loaded there shall be none to modify the policy.
-# It is sealed.
-neverallow * kernel:security load_policy;
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow * kernel:security setenforce;
-neverallow { domain -kernel } kernel:security setcheckreqprot;
-
-# No booleans in AOSP policy, so no need to ever set them.
-neverallow * kernel:security setbool;
-
-# Adjusting the AVC cache threshold.
-# Not presently allowed to anything in policy, but possibly something
-# that could be set from init.rc.
-neverallow { domain -init } kernel:security setsecparam;
-
-# Only init, ueventd, shell and system_server should be able to access HW RNG
-neverallow {
- domain
- -init
- -shell # For CTS and is restricted to getattr in shell.te
- -system_server
- -ueventd
-} hw_random_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type or postinstall_file.
-neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
- domain
- -shell # For CTS and is restricted to getattr in shell.te
- -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
-
-#Ensure that nothing in userspace can access /dev/port
-neverallow {
- domain
- -shell # Shell user should not have any abilities outside of getattr
- -ueventd
-} port_device:chr_file *;
-neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append open read write };
-
-# No domain should be allowed to ptrace init.
-neverallow * init:process ptrace;
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
-
-# Do not allow renaming of block files or character files
-# Ability to do so can lead to possible use in an exploit chain
-# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow * *:{ blk_file chr_file } rename;
-
-# Don't allow raw read/write/open access to generic devices.
-# Rather force a relabel to a more specific type.
-neverallow domain device:chr_file { open read write };
-
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
-#
-# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few allowlisted domains.
-#
-neverallow {
- domain
- -appdomain
- with_asan(`-asan_extract')
- -dumpstate
- -shell
- userdebug_or_eng(`-su')
- -system_server
- -webview_zygote
- -zygote
-} {
- file_type
- -system_file
- -vendor_file_type
- -exec_type
- -postinstall_file
-}:file execute;
-
-neverallow {
- domain
- -appdomain # for oemfs
- -recovery # for /tmp/update_binary in tmpfs
-} { fs_type -rootfs }:file execute;
-# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
-
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
- domain
- -appdomain
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
-neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
-
-# Only the init property service should write to /data/property and /dev/__properties__
-neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-
-# Only recovery should be doing writes to /system & /vendor
-neverallow {
- domain
- -recovery
- with_asan(`-asan_extract')
-} {
- system_file
- vendor_file_type
- exec_type
-}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-
-neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
-
-# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
-
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
-
-# Restrict context mounts to specific types marked with
-# the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
-
-# Ensure that context mount types are not writable, to ensure that
-# the write to /system restriction above is not bypassed via context=
-# mount to another type.
-neverallow { domain -recovery } contextmount_type:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager add;
-neverallow * default_android_vndservice:service_manager { add find };
-neverallow * default_android_hwservice:hwservice_manager { add find };
-
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
-# Require that domains explicitly label unknown properties, and do not allow
-# anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
-neverallow { domain -init } mmc_prop:property_service set;
-
-# Do not allow reading device's serial number from system properties except form
-# a few allowlisted domains.
-neverallow {
- domain
- -adbd
- -dumpstate
- -hal_drm
- -init
- -mediadrmserver
- -recovery
- -shell
- -system_server
-} serialno_prop:file r_file_perms;
-
-# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
-
-neverallow {
- domain
- -init
- -recovery
- -system_server
- -shell # Shell is further restricted in shell.te
- -ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file no_rw_file_perms;
-
-# The metadata block device is set aside for device encryption and
-# verified boot metadata. It may be reset at will and should not
-# be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
- { append link rename write open read ioctl lock };
-
-# No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
-
-# No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
-
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
- domain
- userdebug_or_eng(`-domain') # exclude debuggable builds
- -hal_bootctl
- -init
- -uncrypt
- -update_engine
- -vold
- -recovery
- -ueventd
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302
-
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-
-# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
-# domain apps need this because Android framework offers many of its services to apps as Binder
-# services.
-full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } binder_device:chr_file rw_file_perms;
- neverallow {
- domain
- -coredomain
- -appdomain # restrictions for vendor apps are declared lower down
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } service_manager_type:service_manager find;
- # Vendor apps are permited to use only stable public services. If they were to use arbitrary
- # services which can change any time framework/core is updated, breakage is likely.
- neverallow {
- appdomain
- -coredomain
- } {
- service_manager_type
- -app_api_service
- -ephemeral_app_api_service
- -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
- -cameraserver_service
- -drmserver_service
- -keystore_service
- -mediacasserver_service
- -mediadrmserver_service
- -mediaextractor_service
- -mediametrics_service
- -mediaserver_service
- -nfc_service
- -radio_service
- -surfaceflinger_service
- -virtual_touchpad_service
- -vr_hwc_service
- -vr_manager_service
- }:service_manager find;
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } servicemanager:binder { call transfer };
- neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
-')
-
-# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
-full_treble_only(`
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- -ueventd # uevent is granted create for this device, but we still neverallow I/O below
- } vndbinder_device:chr_file rw_file_perms;
- neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- } vndservice_manager_type:service_manager *;
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- } vndservicemanager:binder *;
-')
-
-# On full TREBLE devices, socket communications between core components and vendor components are
-# not permitted.
-full_treble_only(`
- # Most general rules first, more specific rules below.
-
- # Core domains are not permitted to initiate communications to vendor domain sockets.
- # We are not restricting the use of already established sockets because it is fine for a process
- # to obtain an already established socket via some public/official/stable API and then exchange
- # data with its peer over that socket. The wire format in this scenario is dicatated by the API
- # and thus does not break the core-vendor separation.
- neverallow_establish_socket_comms({
- coredomain
- -init
- -adbd
- }, {
- domain
- -coredomain
- -socket_between_core_and_vendor_violators
- });
- # Vendor domains are not permitted to initiate communications to core domain sockets
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -appdomain
- -socket_between_core_and_vendor_violators
- }, {
- coredomain
- -logd # Logging by writing to logd Unix domain socket is public API
- -netd # netdomain needs this
- -mdnsd # netdomain needs this
- userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
- -init
- -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
- -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
- });
- neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
-
- # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -netdomain
- -socket_between_core_and_vendor_violators
- }, netd);
-
- # Vendor domains are not permitted to initiate create/open sockets owned by core domains
- neverallow {
- domain
- -coredomain
- -appdomain # appdomain restrictions below
- -socket_between_core_and_vendor_violators
- } {
- coredomain_socket
- core_data_file_type
- unlabeled # used only by core domains
- }:sock_file ~{ append getattr ioctl read write };
- neverallow {
- appdomain
- -coredomain
- } {
- coredomain_socket
- unlabeled # used only by core domains
- core_data_file_type
- -app_data_file
- -pdx_endpoint_socket_type # used by VR layer
- -pdx_channel_socket_type # used by VR layer
- }:sock_file ~{ append getattr ioctl read write };
- neverallow {
- pdx_endpoint_socket_type
- pdx_channel_socket_type
- } unlabeled:service_manager list; #TODO: b/62658302
-
- # Core domains are not permitted to create/open sockets owned by vendor domains
- neverallow {
- coredomain
- -init
- -ueventd
- -socket_between_core_and_vendor_violators
- } {
- file_type
- dev_type
- -coredomain_socket
- -core_data_file_type
- -unlabeled
- }:sock_file ~{ append getattr ioctl read write };
-')
-
-# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few allowlisted coredomains to keep system/vendor separation.
-full_treble_only(`
- # Limit access to /vendor/app
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- -postinstall_dexopt
- -system_server
- } vendor_app_file:dir { open read getattr search };
-
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- -postinstall_dexopt
- -system_server
- } vendor_app_file:{ file lnk_file } r_file_perms;
-
- # Limit access to /vendor/overlay
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -zygote
- } vendor_overlay_file:dir { getattr open read search };
-
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -zygote
- } vendor_overlay_file:{ file lnk_file } r_file_perms;
-
- # Non-vendor domains are not allowed to file execute shell
- # from vendor
- neverallow {
- coredomain
- -init
- } vendor_shell_exec:file { execute execute_no_trans };
-
- # Do not allow vendor components to execute files from system
- # except for the ones allowlist here.
- neverallow {
- domain
- -coredomain
- -appdomain
- -rild
- -vendor_executes_system_violators
- } {
- exec_type
- -vendor_file_type
- -crash_dump_exec
- -netutils_wrapper_exec
- }:file { entrypoint execute execute_no_trans };
- neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
-')
-
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
- domain
- -init # TODO: limit init to relabelfrom for files
- -zygote
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -otapreopt_slot
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- -init
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -zygote
- -otapreopt_slot
-} dalvikcache_data_file:dir no_w_dir_perms;
-
-# Only system_server should be able to send commands via the zygote socket
-neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } zygote_socket:sock_file write;
-
-neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } webview_zygote_socket:sock_file write;
-
-neverallow {
- domain
- -tombstoned
- -crash_dump
- -dumpstate
- -system_server
-
- # Processes that can't exec crash_dump
- -mediacodec
- -mediaextractor
-} tombstoned:unix_stream_socket connectto;
-neverallow {
- domain
- -crash_dump
- -mediacodec
- -mediaextractor
-} tombstoned_crash_socket:sock_file write;
-neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
-
-# Android does not support System V IPCs.
-#
-# The reason for this is due to the fact that, by design, they lead to global
-# kernel resource leakage.
-#
-# For example, there is no way to automatically release a SysV semaphore
-# allocated in the kernel when:
-#
-# - a buggy or malicious process exits
-# - a non-buggy and non-malicious process crashes or is explicitly killed.
-#
-# Killing processes automatically to make room for new ones is an
-# important part of Android's application lifecycle implementation. This means
-# that, even assuming only non-buggy and non-malicious code, it is very likely
-# that over time, the kernel global tables used to implement SysV IPCs will fill
-# up.
-neverallow * *:{ shm sem msg msgq } *;
-
-# Do not mount on top of symlinks, fifos, or sockets.
-# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only dumpstate, shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-# The only exceptions are for NDK text relocations associated with
-# https://code.google.com/p/android/issues/detail?id=23203
-# which, long term, need to go away.
-neverallow * {
- file_type
- -apk_data_file
- -app_data_file
- -asec_public_file
-}:file execmod;
-
-# Do not allow making the stack or heap executable.
-# We would also like to minimize execmem but it seems to be
-# required by some device-specific service domains.
-neverallow * self:process { execstack execheap };
-
-# prohibit non-zygote spawned processes from using shared libraries
-# with text relocations. b/20013628 .
-neverallow { domain -untrusted_app_all } file_type:file execmod;
-
-neverallow { domain -init } proc:{ file dir } mounton;
-
-# Ensure that all types assigned to processes are included
-# in the domain attribute, so that all allow and neverallow rules
-# written on domain are applied to all processes.
-# This is achieved by ensuring that it is impossible to transition
-# from a domain to a non-domain type and vice versa.
-# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
-neverallow ~domain domain:process { transition dyntransition };
-
-#
-# Only system_app and system_server should be creating or writing
-# their files. The proper way to share files is to setup
-# type transitions to a more specific type or assigning a type
-# to its parent directory via a file_contexts entry.
-# Example type transition:
-# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
-#
-neverallow {
- domain
- -system_server
- -system_app
- -init
- -installd # for relabelfrom and unlink, check for this in explicit neverallow
- with_asan(`-asan_extract')
-} system_data_file:file no_w_file_perms;
-# do not grant anything greater than r_file_perms and relabelfrom unlink
-# to installd
-neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-
-# respect system_app sandboxes
-neverallow {
- domain
- -appdomain # finer-grained rules for appdomain are listed below
- -system_server #populate com.android.providers.settings/databases/settings.db.
- -installd # creation of app sandbox
-} system_app_data_file:dir_file_class_set { create unlink open };
-neverallow {
- isolated_app
- untrusted_app_all # finer-grained rules for appdomain are listed below
- ephemeral_app
- priv_app
-} system_app_data_file:dir_file_class_set { create unlink open };
-
-
-# Services should respect app sandboxes
-neverallow {
- domain
- -appdomain
- -installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
-
-#
-# Only these domains should transition to shell domain. This domain is
-# permissible for the "shell user". If you need a process to exec a shell
-# script with differing privilege, define a domain and set up a transition.
-#
-neverallow {
- domain
- -adbd
- -init
- -runas
- -zygote
-} shell:process { transition dyntransition };
-
-# Only domains spawned from zygote and runas may have the appdomain attribute.
-neverallow { domain -runas -webview_zygote -zygote } {
- appdomain -shell userdebug_or_eng(`-su') -bluetooth
-}:process { transition dyntransition };
-
-# Minimize read access to shell- or app-writable symlinks.
-# This is to prevent malicious symlink attacks.
-neverallow {
- domain
- -appdomain
- -installd
- -uncrypt # TODO: see if we can remove
-} app_data_file:lnk_file read;
-
-neverallow {
- domain
- -shell
- userdebug_or_eng(`-uncrypt')
- -installd
-} shell_data_file:lnk_file read;
-
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowlisted domains should
-# not be trusting any content in those directories.
-neverallow {
- domain
- -adbd
- -dumpstate
- -installd
- -init
- -shell
- -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -init
- -installd
- -system_server # why?
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
-# Same as above for /data/local/tmp files. We allow shell files
-# to be passed around by file descriptor, but not directly opened.
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -installd
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:file open;
-
-
-# servicemanager and vndservicemanager are the only processes which handle the
-# service_manager list request
-neverallow * ~{
- servicemanager
- vndservicemanager
- }:service_manager list;
-
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
- hwservicemanager
- }:hwservice_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
-# Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set;
-
-# Domain types should never be assigned to any files other
-# than the /proc/pid files associated with a process. The
-# executable file used to enter a domain should be labeled
-# with its own _exec type, not with the domain type.
-# Conventionally, this looks something like:
-# $ cat mydaemon.te
-# type mydaemon, domain;
-# type mydaemon_exec, exec_type, file_type;
-# init_daemon_domain(mydaemon)
-# $ grep mydaemon file_contexts
-# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow * domain:file { execute execute_no_trans entrypoint };
-
-# Do not allow access to the generic debugfs label. This is too broad.
-# Instead, if access to part of debugfs is desired, it should have a
-# more specific label.
-# TODO: fix system_server and dumpstate
-neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
-
-# Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
-neverallow {
- domain
- -installd
- -profman
-} profman_exec:file no_x_file_perms;
-
-# Enforce restrictions on kernel module origin.
-# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file rootfs }:system module_load;
-
-# Only allow filesystem caps to be set at build time or
-# during upgrade by recovery.
-neverallow {
- domain
- -recovery
-} self:capability setfcap;
-
-# Enforce AT_SECURE for executing crash_dump.
-neverallow domain crash_dump:process noatsecure;
-
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
diff --git a/prebuilts/api/26.0/public/drmserver.te b/prebuilts/api/26.0/public/drmserver.te
deleted file mode 100644
index f752c13..0000000
--- a/prebuilts/api/26.0/public/drmserver.te
+++ /dev/null
@@ -1,58 +0,0 @@
-# drmserver - DRM service
-type drmserver, domain;
-type drmserver_exec, exec_type, file_type;
-
-typeattribute drmserver mlstrustedsubject;
-
-net_domain(drmserver)
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system_server)
-binder_call(drmserver, appdomain)
-binder_service(drmserver)
-# Inherit or receive open files from system_server.
-allow drmserver system_server:fd use;
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
-r_dir_file(drmserver, efs_file)
-
-type drmserver_socket, file_type;
-
-# /data/app/tlcd_sock socket file.
-# Clearly, /data/app is the most logical place to create a socket. Not.
-allow drmserver apk_data_file:dir rw_dir_perms;
-allow drmserver drmserver_socket:sock_file create_file_perms;
-# Delete old socket file if present.
-allow drmserver apk_data_file:sock_file unlink;
-
-# After taking a video, drmserver looks at the video file.
-r_dir_file(drmserver, media_rw_data_file)
-
-# Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr };
-allow drmserver asec_apk_file:file { read getattr };
-allow drmserver ringtone_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr };
-
-# /oem access
-allow drmserver oemfs:dir search;
-allow drmserver oemfs:file r_file_perms;
-
-add_service(drmserver, drmserver_service)
-allow drmserver permission_service:service_manager find;
-
-selinux_check_access(drmserver)
-
-r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, system_file)
diff --git a/prebuilts/api/26.0/public/dumpstate.te b/prebuilts/api/26.0/public/dumpstate.te
deleted file mode 100644
index 4f66ffb..0000000
--- a/prebuilts/api/26.0/public/dumpstate.te
+++ /dev/null
@@ -1,215 +0,0 @@
-# dumpstate
-type dumpstate, domain, mlstrustedsubject;
-type dumpstate_exec, exec_type, file_type;
-
-net_domain(dumpstate)
-binder_use(dumpstate)
-wakelock_use(dumpstate)
-
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid sys_resource };
-
-# Allow dumpstate to scan through /proc/pid for all processes
-r_dir_file(dumpstate, domain)
-
-allow dumpstate self:capability {
- # Send signals to processes
- kill
- # Run iptables
- net_raw
- net_admin
-};
-
-# Allow executing files on system, such as:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow dumpstate system_file:file execute_no_trans;
-not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
-allow dumpstate toolbox_exec:file rx_file_perms;
-
-# Create and write into /data/anr/
-allow dumpstate self:capability { dac_override chown fowner fsetid };
-allow dumpstate anr_data_file:dir rw_dir_perms;
-allow dumpstate anr_data_file:file create_file_perms;
-
-# Allow reading /data/system/uiderrors.txt
-# TODO: scope this down.
-allow dumpstate system_data_file:file r_file_perms;
-
-# Read dmesg
-allow dumpstate self:capability2 syslog;
-allow dumpstate kernel:system syslog_read;
-
-# Read /sys/fs/pstore/console-ramoops
-allow dumpstate pstorefs:dir r_dir_perms;
-allow dumpstate pstorefs:file r_file_perms;
-
-# Get process attributes
-allow dumpstate domain:process getattr;
-
-# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server }:process signal;
-
-# Signal native processes to dump their stack.
-allow dumpstate {
- # This list comes from native_processes_to_dump in dumpstate/utils.c
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediadrmserver
- mediaextractor
- mediaserver
- sdcardd
- surfaceflinger
-
- # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_graphics_composer_server
- hal_vr_server
- mediacodec # TODO(b/36375899): hal_omx_server
-}:process signal;
-
-# Connect to tombstoned to intercept dumps.
-unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
-
-# TODO: added to match above sysfs rule. Remove me?
-allow dumpstate sysfs_usb:file w_file_perms;
-
-# Other random bits of data we want to collect
-allow dumpstate qtaguid_proc:file r_file_perms;
-allow dumpstate debugfs:file r_file_perms;
-# df for /storage/emulated needs search
-allow dumpstate { storage_file block_device }:dir { search getattr };
-allow dumpstate fuse_device:chr_file getattr;
-allow dumpstate { dm_device cache_block_device }:blk_file getattr;
-
-# Read /dev/cpuctl and /dev/cpuset
-r_dir_file(dumpstate, cgroup)
-
-# Allow dumpstate to make binder calls to any binder service
-binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain netd wificond })
-
-hal_client_domain(dumpstate, hal_dumpstate)
-hal_client_domain(dumpstate, hal_graphics_allocator)
-# Vibrate the device after we are done collecting the bugreport
-hal_client_domain(dumpstate, hal_vibrator)
-# For passthrough mode:
-allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
-
-# Reading /proc/PID/maps of other processes
-allow dumpstate self:capability sys_ptrace;
-
-# Allow the bugreport service to create a file in
-# /data/data/com.android.shell/files/bugreports/bugreport
-allow dumpstate shell_data_file:dir create_dir_perms;
-allow dumpstate shell_data_file:file create_file_perms;
-
-# Run a shell.
-allow dumpstate shell_exec:file rx_file_perms;
-
-# For running am and similar framework commands.
-# Run /system/bin/app_process.
-allow dumpstate zygote_exec:file rx_file_perms;
-# Dalvik Compiler JIT.
-allow dumpstate ashmem_device:chr_file execute;
-allow dumpstate self:process execmem;
-# For art.
-allow dumpstate dalvikcache_data_file:dir { search getattr };
-allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
-allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
-
-# For Bluetooth
-allow dumpstate bluetooth_data_file:dir search;
-allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
-allow dumpstate bluetooth_logs_data_file:file r_file_perms;
-
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-
-# logd access
-read_logd(dumpstate)
-control_logd(dumpstate)
-read_runtime_log_tags(dumpstate)
-
-# Read /proc/net
-allow dumpstate proc_net:file r_file_perms;
-
-# Read network state info files.
-allow dumpstate net_data_file:dir search;
-allow dumpstate net_data_file:file r_file_perms;
-
-# List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Access /data/tombstones.
-allow dumpstate tombstone_data_file:dir r_dir_perms;
-allow dumpstate tombstone_data_file:file r_file_perms;
-
-# Access /cache/recovery
-allow dumpstate cache_recovery_file:dir r_dir_perms;
-allow dumpstate cache_recovery_file:file r_file_perms;
-
-# Access /data/misc/recovery
-allow dumpstate recovery_data_file:dir r_dir_perms;
-allow dumpstate recovery_data_file:file r_file_perms;
-
-# Access /data/misc/profiles/{cur,ref}/
-userdebug_or_eng(`
- allow dumpstate user_profile_data_file:dir r_dir_perms;
- allow dumpstate user_profile_data_file:file r_file_perms;
-')
-
-# Access /data/misc/logd
-userdebug_or_eng(`
- allow dumpstate misc_logd_file:dir r_dir_perms;
- allow dumpstate misc_logd_file:file r_file_perms;
-')
-
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
-allow dumpstate servicemanager:service_manager list;
-allow dumpstate hwservicemanager:hwservice_manager list;
-
-allow dumpstate devpts:chr_file rw_file_perms;
-
-# Set properties.
-# dumpstate_prop is used to share state with the Shell app.
-set_prop(dumpstate, dumpstate_prop)
-# dumpstate_options_prop is used to pass extra command-line args.
-set_prop(dumpstate, dumpstate_options_prop)
-
-# Read device's serial number from system properties
-get_prop(dumpstate, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(dumpstate, device_logging_prop)
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow dumpstate media_rw_data_file:dir getattr;
-allow dumpstate proc_interrupts:file r_file_perms;
-allow dumpstate proc_zoneinfo:file r_file_perms;
-
-# Create a service for talking back to system_server
-add_service(dumpstate, dumpstate_service)
-
-###
-### neverallow rules
-###
-
-# dumpstate has capability sys_ptrace, but should only use that capability for
-# accessing sensitive /proc/PID files, never for using ptrace attach.
-neverallow dumpstate *:process ptrace;
-
-# only system_server, dumpstate and shell can find the dumpstate service
-neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
-
-# Dumpstate should not be writing to any generically labeled sysfs files.
-# Create a specific label for the file type
-neverallow dumpstate sysfs:file no_w_file_perms;
diff --git a/prebuilts/api/26.0/public/file.te b/prebuilts/api/26.0/public/file.te
deleted file mode 100644
index 057af41..0000000
--- a/prebuilts/api/26.0/public/file.te
+++ /dev/null
@@ -1,337 +0,0 @@
-# Filesystem types
-type labeledfs, fs_type;
-type pipefs, fs_type;
-type sockfs, fs_type;
-type rootfs, fs_type;
-type proc, fs_type;
-# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type;
-type proc_drop_caches, fs_type;
-type proc_overcommit_memory, fs_type;
-# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, sysfs_type;
-type qtaguid_proc, fs_type, mlstrustedobject;
-type proc_bluetooth_writable, fs_type;
-type proc_cpuinfo, fs_type;
-type proc_interrupts, fs_type;
-type proc_iomem, fs_type;
-type proc_meminfo, fs_type;
-type proc_misc, fs_type;
-type proc_modules, fs_type;
-type proc_net, fs_type;
-type proc_perf, fs_type;
-type proc_stat, fs_type;
-type proc_sysrq, fs_type;
-type proc_timer, fs_type;
-type proc_tty_drivers, fs_type;
-type proc_uid_cputime_showstat, fs_type;
-type proc_uid_cputime_removeuid, fs_type;
-type proc_uid_io_stats, fs_type;
-type proc_uid_procstat_set, fs_type;
-type proc_zoneinfo, fs_type;
-type selinuxfs, fs_type, mlstrustedobject;
-type cgroup, fs_type, mlstrustedobject;
-type sysfs, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_uio, sysfs_type, fs_type;
-type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_leds, fs_type, sysfs_type;
-type sysfs_hwrandom, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_wake_lock, fs_type, sysfs_type;
-type sysfs_mac_address, fs_type, sysfs_type;
-type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
-type configfs, fs_type;
-# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-# /sys/module/lowmemorykiller
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-# /sys/module/wlan/parameters/fwpath
-type sysfs_wlan_fwpath, fs_type, sysfs_type;
-type sysfs_vibrator, fs_type, sysfs_type;
-
-type sysfs_thermal, sysfs_type, fs_type;
-
-type sysfs_zram, fs_type, sysfs_type;
-type sysfs_zram_uevent, fs_type, sysfs_type;
-type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type, mlstrustedobject;
-type tmpfs, fs_type;
-type shm, fs_type;
-type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
-type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
-type vfat, sdcard_type, fs_type, mlstrustedobject;
-type debugfs, fs_type;
-type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type;
-type tracing_shell_writable, fs_type, debugfs_type;
-type tracing_shell_writable_debug, fs_type, debugfs_type;
-
-type pstorefs, fs_type;
-type functionfs, fs_type, mlstrustedobject;
-type oemfs, fs_type, contextmount_type;
-type usbfs, fs_type;
-type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
-
-# File types
-type unlabeled, file_type;
-
-# Default type for anything under /system.
-type system_file, file_type;
-
-# Default type for directories search for
-# HAL implementations
-type vendor_hal_file, vendor_file_type, file_type;
-# Default type for under /vendor or /system/vendor
-type vendor_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/app
-type vendor_app_file, vendor_file_type, file_type;
-# Default type for everything under /vendor/etc/
-type vendor_configs_file, vendor_file_type, file_type;
-# Default type for all *same process* HALs.
-# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
-type same_process_hal_file, vendor_file_type, file_type;
-# Default type for vndk-sp libs. /vendor/lib/vndk-sp
-type vndk_sp_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/framework
-type vendor_framework_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/overlay
-type vendor_overlay_file, vendor_file_type, file_type;
-
-# Speedup access for trusted applications to the runtime event tags
-type runtime_event_log_tags_file, file_type;
-# Type for /system/bin/logcat.
-type logcat_exec, exec_type, file_type;
-# /cores for coredumps on userdebug / eng builds
-type coredump_file, file_type;
-# Default type for anything under /data.
-type system_data_file, file_type, data_file_type, core_data_file_type;
-# Unencrypted data
-type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
-# /data/.layout_version or other installd-created files that
-# are created in a system_data_file directory.
-type install_data_file, file_type, data_file_type, core_data_file_type;
-# /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type, core_data_file_type;
-# /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type, core_data_file_type;
-# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, core_data_file_type;
-type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type, core_data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota
-type ota_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota_package
-type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profiles
-type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
-# /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/property
-type property_data_file, file_type, data_file_type, core_data_file_type;
-# /data/bootchart
-type bootchart_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/nativetest
-type nativetest_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/preloads
-type preloads_data_file, file_type, data_file_type, core_data_file_type;
-# /data/preloads/media
-type preloads_media_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/dhcp and /data/misc/dhcp-6.8.2
-type dhcp_data_file, file_type, data_file_type, core_data_file_type;
-
-# Mount locations managed by vold
-type mnt_media_rw_file, file_type;
-type mnt_user_file, file_type;
-type mnt_expand_file, file_type;
-type storage_file, file_type;
-
-# Label for storage dirs which are just mount stubs
-type mnt_media_rw_stub_file, file_type;
-type storage_stub_file, file_type;
-
-# /postinstall: Mount point used by update_engine to run postinstall.
-type postinstall_mnt_dir, file_type;
-# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type;
-
-# /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type, core_data_file_type;
-type audio_data_file, file_type, data_file_type, core_data_file_type;
-type audiohal_data_file, file_type, data_file_type, core_data_file_type;
-type audioserver_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
-type bootstat_data_file, file_type, data_file_type, core_data_file_type;
-type boottrace_data_file, file_type, data_file_type, core_data_file_type;
-type camera_data_file, file_type, data_file_type, core_data_file_type;
-type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
-type incident_data_file, file_type, data_file_type, core_data_file_type;
-type keychain_data_file, file_type, data_file_type, core_data_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
-type media_data_file, file_type, data_file_type, core_data_file_type;
-type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type, core_data_file_type;
-type net_data_file, file_type, data_file_type, core_data_file_type;
-type nfc_data_file, file_type, data_file_type, core_data_file_type;
-type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type reboot_data_file, file_type, data_file_type, core_data_file_type;
-type recovery_data_file, file_type, data_file_type, core_data_file_type;
-type shared_relro_file, file_type, data_file_type, core_data_file_type;
-type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
-type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
-type vpn_data_file, file_type, data_file_type, core_data_file_type;
-type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
-type vold_data_file, file_type, data_file_type, core_data_file_type;
-type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type tee_data_file, file_type, data_file_type;
-type update_engine_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-
-# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type, core_data_file_type;
-# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Compatibility with type name used in Android 4.3 and 4.4.
-# Default type for anything under /cache
-type cache_file, file_type, mlstrustedobject;
-# Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, mlstrustedobject;
-# type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type;
-# Type for anything under /cache/recovery
-type cache_recovery_file, file_type, mlstrustedobject;
-# Default type for anything under /efs
-type efs_file, file_type;
-# Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for user icon file.
-type icon_file, file_type, data_file_type, core_data_file_type;
-# /mnt/asec
-type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type, core_data_file_type;
-# /data/app-asec
-type asec_image_file, file_type, data_file_type, core_data_file_type;
-# /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# All devices have bluetooth efs files. But they
-# vary per device, so this type is used in per
-# device policy
-type bluetooth_efs_file, file_type;
-# Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
-# Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-
-# Socket types
-type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, coredomain_socket;
-type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
-type dumpstate_socket, file_type, coredomain_socket;
-type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
-type lmkd_socket, file_type, coredomain_socket;
-type logd_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type mdns_socket, file_type, coredomain_socket;
-type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type;
-type mtpd_socket, file_type, coredomain_socket;
-type netd_socket, file_type, coredomain_socket;
-type property_socket, file_type, coredomain_socket, mlstrustedobject;
-type racoon_socket, file_type, coredomain_socket;
-type rild_socket, file_type;
-type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, coredomain_socket;
-type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_intercept_socket, file_type, coredomain_socket;
-type uncrypt_socket, file_type, coredomain_socket;
-type vold_socket, file_type, coredomain_socket;
-type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type;
-type zygote_socket, file_type, coredomain_socket;
-# UART (for GPS) control proc file
-type gps_control, file_type;
-
-# PDX endpoint types
-type pdx_display_dir, pdx_endpoint_dir_type, file_type;
-type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
-type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
-
-pdx_service_socket_types(display_client, pdx_display_dir)
-pdx_service_socket_types(display_manager, pdx_display_dir)
-pdx_service_socket_types(display_screenshot, pdx_display_dir)
-pdx_service_socket_types(display_vsync, pdx_display_dir)
-pdx_service_socket_types(performance_client, pdx_performance_dir)
-pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
-
-# file_contexts files
-type file_contexts_file, file_type;
-
-# mac_permissions file
-type mac_perms_file, file_type;
-
-# property_contexts file
-type property_contexts_file, file_type;
-
-# seapp_contexts file
-type seapp_contexts_file, file_type;
-
-# sepolicy files binary and others
-type sepolicy_file, file_type;
-
-# service_contexts file
-type service_contexts_file, file_type;
-
-# hwservice_contexts file
-type hwservice_contexts_file, file_type;
-
-# vndservice_contexts file
-type vndservice_contexts_file, file_type;
-
-# Allow files to be created in their appropriate filesystems.
-allow fs_type self:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow app_fuse_file app_fusefs:filesystem associate;
-allow postinstall_file self:filesystem associate;
-
-# It's a bug to assign the file_type attribute and fs_type attribute
-# to any type. Do not allow it.
-#
-# For example, the following is a bug:
-# type apk_data_file, file_type, data_file_type, fs_type;
-# Should be:
-# type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem associate;
diff --git a/prebuilts/api/26.0/public/fingerprintd.te b/prebuilts/api/26.0/public/fingerprintd.te
deleted file mode 100644
index 5dd18a3..0000000
--- a/prebuilts/api/26.0/public/fingerprintd.te
+++ /dev/null
@@ -1,28 +0,0 @@
-type fingerprintd, domain;
-type fingerprintd_exec, exec_type, file_type;
-
-binder_use(fingerprintd)
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow fingerprintd system_file:dir r_dir_perms;
-
-# need to find KeyStore and add self
-add_service(fingerprintd, fingerprintd_service)
-
-# allow HAL module to read dir contents
-allow fingerprintd fingerprintd_data_file:file { create_file_perms };
-
-# allow HAL module to read/write/unlink contents of this dir
-allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
-
-# Need to add auth tokens to KeyStore
-use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
-
-# For permissions checking
-binder_call(fingerprintd, system_server);
-allow fingerprintd permission_service:service_manager find;
-
-r_dir_file(fingerprintd, cgroup)
-r_dir_file(fingerprintd, sysfs_type)
-allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/26.0/public/fsck.te b/prebuilts/api/26.0/public/fsck.te
deleted file mode 100644
index b682a87..0000000
--- a/prebuilts/api/26.0/public/fsck.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# Any fsck program run by init
-type fsck, domain;
-type fsck_exec, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow fsck tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };
-
-# Run fsck on certain block devices
-allow fsck block_device:dir search;
-allow fsck userdata_block_device:blk_file rw_file_perms;
-allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck dm_device:blk_file rw_file_perms;
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck dev_type:blk_file getattr;
-
-r_dir_file(fsck, proc)
-allow fsck rootfs:dir r_dir_perms;
-
-###
-### neverallow rules
-###
-
-# fsck should never be run on these block devices
-neverallow fsck {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- vold_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from init or vold via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
-neverallow * fsck:process dyntransition;
-neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/public/fsck_untrusted.te b/prebuilts/api/26.0/public/fsck_untrusted.te
deleted file mode 100644
index e2aceb8..0000000
--- a/prebuilts/api/26.0/public/fsck_untrusted.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# Any fsck program run on untrusted block devices
-type fsck_untrusted, domain;
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck_untrusted vold:fd use;
-allow fsck_untrusted vold:fifo_file { read write getattr };
-
-# Run fsck on vold block devices
-allow fsck_untrusted block_device:dir search;
-allow fsck_untrusted vold_device:blk_file rw_file_perms;
-
-r_dir_file(fsck_untrusted, proc)
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck_untrusted dev_type:blk_file getattr;
-
-###
-### neverallow rules
-###
-
-# Untrusted fsck should never be run on block devices holding sensitive data
-neverallow fsck_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via fsck binaries
-neverallow { domain -vold } fsck_untrusted:process transition;
-neverallow * fsck_untrusted:process dyntransition;
-neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/public/gatekeeperd.te b/prebuilts/api/26.0/public/gatekeeperd.te
deleted file mode 100644
index ff36956..0000000
--- a/prebuilts/api/26.0/public/gatekeeperd.te
+++ /dev/null
@@ -1,42 +0,0 @@
-type gatekeeperd, domain;
-type gatekeeperd_exec, exec_type, file_type;
-
-# gatekeeperd
-binder_service(gatekeeperd)
-binder_use(gatekeeperd)
-
-### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
-### These rules should eventually be granted only when needed.
-allow gatekeeperd tee_device:chr_file rw_file_perms;
-allow gatekeeperd ion_device:chr_file r_file_perms;
-# Load HAL implementation
-allow gatekeeperd system_file:dir r_dir_perms;
-###
-
-### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
-### These rules should eventually be granted only when needed.
-hal_client_domain(gatekeeperd, hal_gatekeeper)
-###
-
-# need to find KeyStore and add self
-add_service(gatekeeperd, gatekeeper_service)
-
-# Need to add auth tokens to KeyStore
-use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
-
-# For permissions checking
-allow gatekeeperd system_server:binder call;
-allow gatekeeperd permission_service:service_manager find;
-
-# For parent user ID lookup
-allow gatekeeperd user_service:service_manager find;
-
-# for SID file access
-allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
-allow gatekeeperd gatekeeper_data_file:file create_file_perms;
-
-# For hardware properties retrieval
-allow gatekeeperd hardware_properties_service:service_manager find;
-
-r_dir_file(gatekeeperd, cgroup)
diff --git a/prebuilts/api/26.0/public/global_macros b/prebuilts/api/26.0/public/global_macros
deleted file mode 100644
index a61ffbc..0000000
--- a/prebuilts/api/26.0/public/global_macros
+++ /dev/null
@@ -1,48 +0,0 @@
-#####################################
-# Common groupings of object classes.
-#
-define(`capability_class_set', `{ capability capability2 }')
-
-define(`devfile_class_set', `{ chr_file blk_file }')
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
-define(`dir_file_class_set', `{ dir file_class_set }')
-
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket }')
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-define(`ipc_class_set', `{ sem msgq shm ipc }')
-
-#####################################
-# Common groupings of permissions.
-#
-define(`x_file_perms', `{ getattr execute execute_no_trans }')
-define(`r_file_perms', `{ getattr open read ioctl lock }')
-define(`w_file_perms', `{ open append write lock }')
-define(`rx_file_perms', `{ r_file_perms x_file_perms }')
-define(`ra_file_perms', `{ r_file_perms append }')
-define(`rw_file_perms', `{ r_file_perms w_file_perms }')
-define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
-define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
-
-define(`r_dir_perms', `{ open getattr read search ioctl lock }')
-define(`w_dir_perms', `{ open search write add_name remove_name lock }')
-define(`ra_dir_perms', `{ r_dir_perms add_name write }')
-define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
-define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
-
-define(`r_ipc_perms', `{ getattr read associate unix_read }')
-define(`w_ipc_perms', `{ write unix_write }')
-define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
-define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
-
-#####################################
-# Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
-define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
-define(`create_socket_perms', `{ create rw_socket_perms }')
-define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/prebuilts/api/26.0/public/hal_allocator.te b/prebuilts/api/26.0/public/hal_allocator.te
deleted file mode 100644
index 646cebd..0000000
--- a/prebuilts/api/26.0/public/hal_allocator.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_allocator_client, hal_allocator_server)
-
-add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
-allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
-allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_audio.te b/prebuilts/api/26.0/public/hal_audio.te
deleted file mode 100644
index 33330bf..0000000
--- a/prebuilts/api/26.0/public/hal_audio.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_audio_client, hal_audio_server)
-binder_call(hal_audio_server, hal_audio_client)
-
-add_hwservice(hal_audio_server, hal_audio_hwservice)
-allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
-
-allow hal_audio ion_device:chr_file r_file_perms;
-
-userdebug_or_eng(`
- # used for pcm capture for debug.
- allow hal_audio audiohal_data_file:dir create_dir_perms;
- allow hal_audio audiohal_data_file:file create_file_perms;
-')
-
-r_dir_file(hal_audio, proc)
-allow hal_audio audio_device:dir r_dir_perms;
-allow hal_audio audio_device:chr_file rw_file_perms;
-
-# Needed to provide debug dump output via dumpsys' pipes.
-allow hal_audio shell:fd use;
-allow hal_audio shell:fifo_file write;
-allow hal_audio dumpstate:fd use;
-allow hal_audio dumpstate:fifo_file write;
-
-###
-### neverallow rules
-###
-
-# Should never execute any executable without a domain transition
-neverallow hal_audio { file_type fs_type }:file execute_no_trans;
-
-# Should never need network access.
-# Disallow network sockets.
-neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Only audio HAL may directly access the audio hardware
-neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
diff --git a/prebuilts/api/26.0/public/hal_bluetooth.te b/prebuilts/api/26.0/public/hal_bluetooth.te
deleted file mode 100644
index 2394e2e..0000000
--- a/prebuilts/api/26.0/public/hal_bluetooth.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_bluetooth_client, hal_bluetooth_server)
-binder_call(hal_bluetooth_server, hal_bluetooth_client)
-
-add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
-allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
-
-wakelock_use(hal_bluetooth);
-
-# The HAL toggles rfkill to power the chip off/on.
-allow hal_bluetooth self:capability net_admin;
-
-# bluetooth factory file accesses.
-r_dir_file(hal_bluetooth, bluetooth_efs_file)
-
-allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(hal_bluetooth, sysfs_type)
-allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth self:capability2 wake_alarm;
-
-# Allow write access to bluetooth-specific properties
-set_prop(hal_bluetooth, bluetooth_prop)
-
-# /proc access (bluesleep etc.).
-allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_bluetooth self:capability sys_nice;
diff --git a/prebuilts/api/26.0/public/hal_bootctl.te b/prebuilts/api/26.0/public/hal_bootctl.te
deleted file mode 100644
index 8b240b1..0000000
--- a/prebuilts/api/26.0/public/hal_bootctl.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_bootctl_client, hal_bootctl_server)
-binder_call(hal_bootctl_server, hal_bootctl_client)
-
-add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
-allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_camera.te b/prebuilts/api/26.0/public/hal_camera.te
deleted file mode 100644
index 413a057..0000000
--- a/prebuilts/api/26.0/public/hal_camera.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# HwBinder IPC from clients to server and callbacks
-binder_call(hal_camera_client, hal_camera_server)
-binder_call(hal_camera_server, hal_camera_client)
-
-add_hwservice(hal_camera_server, hal_camera_hwservice)
-allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
-
-# access /data/misc/camera
-allow hal_camera camera_data_file:dir create_dir_perms;
-allow hal_camera camera_data_file:file create_file_perms;
-
-allow hal_camera video_device:dir r_dir_perms;
-allow hal_camera video_device:chr_file rw_file_perms;
-allow hal_camera camera_device:chr_file rw_file_perms;
-allow hal_camera ion_device:chr_file rw_file_perms;
-# Both the client and the server need to use the graphics allocator
-allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
-
-# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
-allow hal_camera { appdomain -isolated_app }:fd use;
-allow hal_camera surfaceflinger:fd use;
-allow hal_camera hal_allocator_server:fd use;
-
-###
-### neverallow rules
-###
-
-# hal_camera should never execute any executable without a
-# domain transition
-neverallow hal_camera { file_type fs_type }:file execute_no_trans;
-
-# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Only camera HAL may directly access the camera hardware
-neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/prebuilts/api/26.0/public/hal_configstore.te b/prebuilts/api/26.0/public/hal_configstore.te
deleted file mode 100644
index 4bf6cfd..0000000
--- a/prebuilts/api/26.0/public/hal_configstore.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_configstore_client, hal_configstore_server)
-
-add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
-# As opposed to the rules of most other HALs, the different services exposed by
-# this HAL should be restricted to different clients. Thus, the allow rules for
-# clients are defined in the .te files of the clients.
diff --git a/prebuilts/api/26.0/public/hal_contexthub.te b/prebuilts/api/26.0/public/hal_contexthub.te
deleted file mode 100644
index f11bfc8..0000000
--- a/prebuilts/api/26.0/public/hal_contexthub.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_contexthub_client, hal_contexthub_server)
-binder_call(hal_contexthub_server, hal_contexthub_client)
-
-add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
-allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_drm.te b/prebuilts/api/26.0/public/hal_drm.te
deleted file mode 100644
index 5a6bf5c..0000000
--- a/prebuilts/api/26.0/public/hal_drm.te
+++ /dev/null
@@ -1,60 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_drm_client, hal_drm_server)
-binder_call(hal_drm_server, hal_drm_client)
-
-add_hwservice(hal_drm_server, hal_drm_hwservice)
-allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
-
-allow hal_drm hidl_memory_hwservice:hwservice_manager find;
-
-# Required by Widevine DRM (b/22990512)
-allow hal_drm self:process execmem;
-
-# Permit reading device's serial number from system properties
-get_prop(hal_drm, serialno_prop)
-
-# System file accesses
-allow hal_drm system_file:dir r_dir_perms;
-allow hal_drm system_file:file r_file_perms;
-allow hal_drm system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data
-allow hal_drm system_data_file:dir { search getattr };
-allow hal_drm system_data_file:file { getattr read };
-allow hal_drm system_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems
-r_dir_file(hal_drm, cgroup)
-allow hal_drm cgroup:dir { search write };
-allow hal_drm cgroup:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow hal_drm ion_device:chr_file rw_file_perms;
-allow hal_drm hal_graphics_allocator:fd use;
-
-# Allow access to fds allocated by mediaserver
-allow hal_drm mediaserver:fd use;
-
-# Allow access to app_data and media_data_files
-allow hal_drm media_data_file:dir create_dir_perms;
-allow hal_drm media_data_file:file create_file_perms;
-allow hal_drm media_data_file:file { getattr read };
-
-allow hal_drm sysfs:file r_file_perms;
-
-allow hal_drm tee_device:chr_file rw_file_perms;
-
-# only allow unprivileged socket ioctl commands
-allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-###
-### neverallow rules
-###
-
-# hal_drm should never execute any executable without a
-# domain transition
-neverallow hal_drm { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/26.0/public/hal_dumpstate.te b/prebuilts/api/26.0/public/hal_dumpstate.te
deleted file mode 100644
index 2853567..0000000
--- a/prebuilts/api/26.0/public/hal_dumpstate.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_dumpstate_client, hal_dumpstate_server)
-binder_call(hal_dumpstate_server, hal_dumpstate_client)
-
-add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
-allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
-
-# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
-allow hal_dumpstate shell_data_file:file write;
-# allow reading /proc/interrupts for all hal impls
-allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/26.0/public/hal_fingerprint.te b/prebuilts/api/26.0/public/hal_fingerprint.te
deleted file mode 100644
index bef9f55..0000000
--- a/prebuilts/api/26.0/public/hal_fingerprint.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_fingerprint_client, hal_fingerprint_server)
-binder_call(hal_fingerprint_server, hal_fingerprint_client)
-
-add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
-allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
-
-# allow HAL module to read dir contents
-allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
-
-# allow HAL module to read/write/unlink contents of this dir
-allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
-
-# For memory allocation
-allow hal_fingerprint ion_device:chr_file r_file_perms;
-
-r_dir_file(hal_fingerprint, cgroup)
-r_dir_file(hal_fingerprint, sysfs)
diff --git a/prebuilts/api/26.0/public/hal_gatekeeper.te b/prebuilts/api/26.0/public/hal_gatekeeper.te
deleted file mode 100644
index 123acf5..0000000
--- a/prebuilts/api/26.0/public/hal_gatekeeper.te
+++ /dev/null
@@ -1,8 +0,0 @@
-binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
-
-add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
-allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
-
-# TEE access.
-allow hal_gatekeeper tee_device:chr_file rw_file_perms;
-allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/26.0/public/hal_gnss.te b/prebuilts/api/26.0/public/hal_gnss.te
deleted file mode 100644
index b59cd1d..0000000
--- a/prebuilts/api/26.0/public/hal_gnss.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_gnss_client, hal_gnss_server)
-binder_call(hal_gnss_server, hal_gnss_client)
-
-add_hwservice(hal_gnss_server, hal_gnss_hwservice)
-allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_graphics_allocator.te b/prebuilts/api/26.0/public/hal_graphics_allocator.te
deleted file mode 100644
index f56e8f6..0000000
--- a/prebuilts/api/26.0/public/hal_graphics_allocator.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
-
-add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
-allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
-allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# GPU device access
-allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
-allow hal_graphics_allocator ion_device:chr_file r_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_graphics_allocator self:capability sys_nice;
diff --git a/prebuilts/api/26.0/public/hal_graphics_composer.te b/prebuilts/api/26.0/public/hal_graphics_composer.te
deleted file mode 100644
index 287037c..0000000
--- a/prebuilts/api/26.0/public/hal_graphics_composer.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
-binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
-
-add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
-allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
-
-# Coordinate with hal_graphics_mapper
-allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# GPU device access
-allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
-allow hal_graphics_composer ion_device:chr_file r_file_perms;
-allow hal_graphics_composer hal_graphics_allocator:fd use;
-
-# Access /dev/graphics/fb0.
-allow hal_graphics_composer graphics_device:dir search;
-allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
-
-# Fences
-allow hal_graphics_composer system_server:fd use;
-allow hal_graphics_composer bootanim:fd use;
-allow hal_graphics_composer appdomain:fd use;
-
-# allow self to set SCHED_FIFO
-allow hal_graphics_composer self:capability sys_nice;
diff --git a/prebuilts/api/26.0/public/hal_health.te b/prebuilts/api/26.0/public/hal_health.te
deleted file mode 100644
index c19c5f1..0000000
--- a/prebuilts/api/26.0/public/hal_health.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_health_client, hal_health_server)
-binder_call(hal_health_server, hal_health_client)
-
-add_hwservice(hal_health_server, hal_health_hwservice)
-allow hal_health_client hal_health_hwservice:hwservice_manager find;
-
-# Read access to system files for HALs in
-# /{system,vendor,odm}/lib[64]/hw/ in order
-# to be able to open the hal implementation .so files
-r_dir_file(hal_health, system_file)
diff --git a/prebuilts/api/26.0/public/hal_ir.te b/prebuilts/api/26.0/public/hal_ir.te
deleted file mode 100644
index b1bfdd8..0000000
--- a/prebuilts/api/26.0/public/hal_ir.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_ir_client, hal_ir_server)
-binder_call(hal_ir_server, hal_ir_client)
-
-add_hwservice(hal_ir_server, hal_ir_hwservice)
-allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_keymaster.te b/prebuilts/api/26.0/public/hal_keymaster.te
deleted file mode 100644
index dc5f6d0..0000000
--- a/prebuilts/api/26.0/public/hal_keymaster.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_keymaster_client, hal_keymaster_server)
-
-add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
-allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
-
-allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/26.0/public/hal_light.te b/prebuilts/api/26.0/public/hal_light.te
deleted file mode 100644
index 5b93dd1..0000000
--- a/prebuilts/api/26.0/public/hal_light.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_light_client, hal_light_server)
-binder_call(hal_light_server, hal_light_client)
-
-add_hwservice(hal_light_server, hal_light_hwservice)
-allow hal_light_client hal_light_hwservice:hwservice_manager find;
-
-allow hal_light sysfs_leds:lnk_file read;
-allow hal_light sysfs_leds:file rw_file_perms;
-allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/prebuilts/api/26.0/public/hal_memtrack.te b/prebuilts/api/26.0/public/hal_memtrack.te
deleted file mode 100644
index b2cc9cd..0000000
--- a/prebuilts/api/26.0/public/hal_memtrack.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_memtrack_client, hal_memtrack_server)
-
-add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
-allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_neverallows.te b/prebuilts/api/26.0/public/hal_neverallows.te
deleted file mode 100644
index fc2b5f6..0000000
--- a/prebuilts/api/26.0/public/hal_neverallows.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# only HALs responsible for network hardware should have privileged
-# network capabilities
-neverallow {
- halserverdomain
- -hal_bluetooth_server
- -hal_wifi_server
- -hal_wifi_supplicant_server
- -rild
-} self:capability { net_admin net_raw };
-
-# Unless a HAL's job is to communicate over the network, or control network
-# hardware, it should not be using network sockets.
-neverallow {
- halserverdomain
- -hal_tetheroffload_server
- -hal_wifi_server
- -hal_wifi_supplicant_server
- -rild
-} domain:{ tcp_socket udp_socket rawip_socket } *;
-neverallow hal_tetheroffload_server unlabeled:service_manager list; #TODO: b/62658302
-
-###
-# HALs are defined as an attribute and so a given domain could hypothetically
-# have multiple HALs in it (or even all of them) with the subsequent policy of
-# the domain comprised of the union of all the HALs.
-#
-# This is a problem because
-# 1) Security sensitive components should only be accessed by specific HALs.
-# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
-# the platform.
-# 3) The platform cannot reason about defense in depth if there are
-# monolithic domains etc.
-#
-# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
-# its OK for them to share a process its not OK with them to share processes
-# with other hals.
-#
-# The following neverallow rules, in conjuntion with CTS tests, assert that
-# these security principles are adhered to.
-#
-# Do not allow a hal to exec another process without a domain transition.
-# TODO remove exemptions.
-neverallow {
- halserverdomain
- -hal_dumpstate_server
- -rild
-} { file_type fs_type }:file execute_no_trans;
-# Do not allow a process other than init to transition into a HAL domain.
-neverallow { domain -init } halserverdomain:process transition;
-# Only allow transitioning to a domain by running its executable. Do not
-# allow transitioning into a HAL domain by use of seclabel in an
-# init.*.rc script.
-neverallow * halserverdomain:process dyntransition;
diff --git a/prebuilts/api/26.0/public/hal_nfc.te b/prebuilts/api/26.0/public/hal_nfc.te
deleted file mode 100644
index a027c48..0000000
--- a/prebuilts/api/26.0/public/hal_nfc.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_nfc_client, hal_nfc_server)
-binder_call(hal_nfc_server, hal_nfc_client)
-
-add_hwservice(hal_nfc_server, hal_nfc_hwservice)
-allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
-
-# Set NFC properties (used by bcm2079x HAL).
-set_prop(hal_nfc, nfc_prop)
-
-# NFC device access.
-allow hal_nfc nfc_device:chr_file rw_file_perms;
-
-# Data file accesses.
-allow hal_nfc nfc_data_file:dir create_dir_perms;
-allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/prebuilts/api/26.0/public/hal_oemlock.te b/prebuilts/api/26.0/public/hal_oemlock.te
deleted file mode 100644
index 3fb5a18..0000000
--- a/prebuilts/api/26.0/public/hal_oemlock.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_oemlock_client, hal_oemlock_server)
-
-add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
-allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_power.te b/prebuilts/api/26.0/public/hal_power.te
deleted file mode 100644
index fcba3d2..0000000
--- a/prebuilts/api/26.0/public/hal_power.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_power_client, hal_power_server)
-binder_call(hal_power_server, hal_power_client)
-
-add_hwservice(hal_power_server, hal_power_hwservice)
-allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_sensors.te b/prebuilts/api/26.0/public/hal_sensors.te
deleted file mode 100644
index 068c93b..0000000
--- a/prebuilts/api/26.0/public/hal_sensors.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_sensors_client, hal_sensors_server)
-
-add_hwservice(hal_sensors_server, hal_sensors_hwservice)
-allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
-
-# Allow sensor hals to access ashmem memory allocated by apps
-allow hal_sensors { appdomain -isolated_app }:fd use;
-
-# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
-# fd is passed in from framework sensorservice HAL.
-allow hal_sensors hal_allocator:fd use;
-
-# allow to run with real-time scheduling policy
-allow hal_sensors self:capability sys_nice;
diff --git a/prebuilts/api/26.0/public/hal_telephony.te b/prebuilts/api/26.0/public/hal_telephony.te
deleted file mode 100644
index 41cfd4b..0000000
--- a/prebuilts/api/26.0/public/hal_telephony.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_telephony_client, hal_telephony_server)
-binder_call(hal_telephony_server, hal_telephony_client)
-
-add_hwservice(hal_telephony_server, hal_telephony_hwservice)
-allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
-
diff --git a/prebuilts/api/26.0/public/hal_tetheroffload.te b/prebuilts/api/26.0/public/hal_tetheroffload.te
deleted file mode 100644
index a4c21fcd..0000000
--- a/prebuilts/api/26.0/public/hal_tetheroffload.te
+++ /dev/null
@@ -1,3 +0,0 @@
-## HwBinder IPC from client to server, and callbacks
-binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
-binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
diff --git a/prebuilts/api/26.0/public/hal_thermal.te b/prebuilts/api/26.0/public/hal_thermal.te
deleted file mode 100644
index b1764f1..0000000
--- a/prebuilts/api/26.0/public/hal_thermal.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_thermal_client, hal_thermal_server)
-binder_call(hal_thermal_server, hal_thermal_client)
-
-add_hwservice(hal_thermal_server, hal_thermal_hwservice)
-allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_tv_cec.te b/prebuilts/api/26.0/public/hal_tv_cec.te
deleted file mode 100644
index 7719cae..0000000
--- a/prebuilts/api/26.0/public/hal_tv_cec.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_cec_client, hal_tv_cec_server)
-binder_call(hal_tv_cec_server, hal_tv_cec_client)
-
-add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
-allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_tv_input.te b/prebuilts/api/26.0/public/hal_tv_input.te
deleted file mode 100644
index 31a0067..0000000
--- a/prebuilts/api/26.0/public/hal_tv_input.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_input_client, hal_tv_input_server)
-binder_call(hal_tv_input_server, hal_tv_input_client)
-
-add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
-allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_usb.te b/prebuilts/api/26.0/public/hal_usb.te
deleted file mode 100644
index 9cfd516..0000000
--- a/prebuilts/api/26.0/public/hal_usb.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_usb_client, hal_usb_server)
-binder_call(hal_usb_server, hal_usb_client)
-
-add_hwservice(hal_usb_server, hal_usb_hwservice)
-allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
-
-allow hal_usb self:netlink_kobject_uevent_socket create;
-allow hal_usb self:netlink_kobject_uevent_socket setopt;
-allow hal_usb self:netlink_kobject_uevent_socket bind;
-allow hal_usb self:netlink_kobject_uevent_socket read;
-allow hal_usb sysfs:dir open;
-allow hal_usb sysfs:dir read;
-allow hal_usb sysfs:file read;
-allow hal_usb sysfs:file open;
-allow hal_usb sysfs:file write;
-allow hal_usb sysfs:file getattr;
-
diff --git a/prebuilts/api/26.0/public/hal_vibrator.te b/prebuilts/api/26.0/public/hal_vibrator.te
deleted file mode 100644
index c8612d7..0000000
--- a/prebuilts/api/26.0/public/hal_vibrator.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_vibrator_client, hal_vibrator_server)
-
-add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
-allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
-
-# vibrator sysfs rw access
-allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/prebuilts/api/26.0/public/hal_vr.te b/prebuilts/api/26.0/public/hal_vr.te
deleted file mode 100644
index 3cb392d..0000000
--- a/prebuilts/api/26.0/public/hal_vr.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_vr_client, hal_vr_server)
-binder_call(hal_vr_server, hal_vr_client)
-
-add_hwservice(hal_vr_server, hal_vr_hwservice)
-allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_weaver.te b/prebuilts/api/26.0/public/hal_weaver.te
deleted file mode 100644
index b80ba29..0000000
--- a/prebuilts/api/26.0/public/hal_weaver.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_weaver_client, hal_weaver_server)
-
-add_hwservice(hal_weaver_server, hal_weaver_hwservice)
-allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/public/hal_wifi.te b/prebuilts/api/26.0/public/hal_wifi.te
deleted file mode 100644
index 5e0b9bc..0000000
--- a/prebuilts/api/26.0/public/hal_wifi.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_wifi_client, hal_wifi_server)
-binder_call(hal_wifi_server, hal_wifi_client)
-
-add_hwservice(hal_wifi_server, hal_wifi_hwservice)
-allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
-
-r_dir_file(hal_wifi, proc_net)
-r_dir_file(hal_wifi, sysfs_type)
-
-set_prop(hal_wifi, wifi_prop)
-
-# allow hal wifi set interfaces up and down
-allow hal_wifi self:udp_socket create_socket_perms;
-allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
-
-allow hal_wifi self:capability { net_admin net_raw };
-# allow hal_wifi to speak to nl80211 in the kernel
-allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
-# hal_wifi writes firmware paths to this file.
-allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
diff --git a/prebuilts/api/26.0/public/hal_wifi_offload.te b/prebuilts/api/26.0/public/hal_wifi_offload.te
deleted file mode 100644
index dac5171..0000000
--- a/prebuilts/api/26.0/public/hal_wifi_offload.te
+++ /dev/null
@@ -1,6 +0,0 @@
-## HwBinder IPC from client to server, and callbacks
-binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
-binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
-
-r_dir_file(hal_wifi_offload, proc_net)
-r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/prebuilts/api/26.0/public/hal_wifi_supplicant.te b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
deleted file mode 100644
index 028440c..0000000
--- a/prebuilts/api/26.0/public/hal_wifi_supplicant.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
-binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
-
-add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
-allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-
-# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
-allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(hal_wifi_supplicant, sysfs_type)
-r_dir_file(hal_wifi_supplicant, proc_net)
-
-allow hal_wifi_supplicant kernel:system module_request;
-allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
-allow hal_wifi_supplicant cgroup:dir create_dir_perms;
-allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
-allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:packet_socket create_socket_perms;
-allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
-allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
-
-# Create a socket for receiving info from wpa
-allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
-allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
-
-# Allow wpa_cli to work. wpa_cli creates a socket in
-# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
-userdebug_or_eng(`
- unix_socket_send(hal_wifi_supplicant, wpa, su)
-')
-
-###
-### neverallow rules
-###
-
-# wpa_supplicant should not trust any data from sdcards
-neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/prebuilts/api/26.0/public/healthd.te b/prebuilts/api/26.0/public/healthd.te
deleted file mode 100644
index c0a7bec..0000000
--- a/prebuilts/api/26.0/public/healthd.te
+++ /dev/null
@@ -1,63 +0,0 @@
-# healthd - battery/charger monitoring service daemon
-type healthd, domain;
-type healthd_exec, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow healthd kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(healthd, sysfs_type)
-r_dir_file(healthd, rootfs)
-r_dir_file(healthd, cgroup)
-
-# Read access to system files for passthrough HALs in
-# /{system,vendor,odm}/lib[64]/hw/
-r_dir_file(healthd, system_file)
-
-allow healthd self:capability { sys_tty_config };
-allow healthd self:capability sys_boot;
-
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-wakelock_use(healthd)
-
-binder_use(healthd)
-binder_service(healthd)
-binder_call(healthd, system_server)
-hal_client_domain(healthd, hal_health)
-
-# Write to state file.
-# TODO: Split into a separate type?
-allow healthd sysfs:file write;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow healthd sysfs_usb:file write;
-
-allow healthd sysfs_batteryinfo:file r_file_perms;
-
-r_dir_file(healthd, sysfs_type)
-
-###
-### healthd: charger mode
-###
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow healthd pstorefs:dir r_dir_perms;
-allow healthd pstorefs:file r_file_perms;
-
-allow healthd graphics_device:dir r_dir_perms;
-allow healthd graphics_device:chr_file rw_file_perms;
-allow healthd input_device:dir r_dir_perms;
-allow healthd input_device:chr_file r_file_perms;
-allow healthd tty_device:chr_file rw_file_perms;
-allow healthd ashmem_device:chr_file execute;
-allow healthd self:process execmem;
-allow healthd proc_sysrq:file rw_file_perms;
-
-add_service(healthd, batteryproperties_service)
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
diff --git a/prebuilts/api/26.0/public/hwservice.te b/prebuilts/api/26.0/public/hwservice.te
deleted file mode 100644
index 65c52a2..0000000
--- a/prebuilts/api/26.0/public/hwservice.te
+++ /dev/null
@@ -1,45 +0,0 @@
-type default_android_hwservice, hwservice_manager_type;
-type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_audio_hwservice, hwservice_manager_type;
-type hal_bluetooth_hwservice, hwservice_manager_type;
-type hal_bootctl_hwservice, hwservice_manager_type;
-type hal_camera_hwservice, hwservice_manager_type;
-type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
-type hal_contexthub_hwservice, hwservice_manager_type;
-type hal_drm_hwservice, hwservice_manager_type;
-type hal_dumpstate_hwservice, hwservice_manager_type;
-type hal_fingerprint_hwservice, hwservice_manager_type;
-type hal_gatekeeper_hwservice, hwservice_manager_type;
-type hal_gnss_hwservice, hwservice_manager_type;
-type hal_graphics_allocator_hwservice, hwservice_manager_type;
-type hal_graphics_composer_hwservice, hwservice_manager_type;
-type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_health_hwservice, hwservice_manager_type;
-type hal_ir_hwservice, hwservice_manager_type;
-type hal_keymaster_hwservice, hwservice_manager_type;
-type hal_light_hwservice, hwservice_manager_type;
-type hal_memtrack_hwservice, hwservice_manager_type;
-type hal_nfc_hwservice, hwservice_manager_type;
-type hal_oemlock_hwservice, hwservice_manager_type;
-type hal_omx_hwservice, hwservice_manager_type;
-type hal_power_hwservice, hwservice_manager_type;
-type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_sensors_hwservice, hwservice_manager_type;
-type hal_telephony_hwservice, hwservice_manager_type;
-type hal_thermal_hwservice, hwservice_manager_type;
-type hal_tv_cec_hwservice, hwservice_manager_type;
-type hal_tv_input_hwservice, hwservice_manager_type;
-type hal_usb_hwservice, hwservice_manager_type;
-type hal_vibrator_hwservice, hwservice_manager_type;
-type hal_vr_hwservice, hwservice_manager_type;
-type hal_weaver_hwservice, hwservice_manager_type;
-type hal_wifi_hwservice, hwservice_manager_type;
-type hal_wifi_supplicant_hwservice, hwservice_manager_type;
-type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/prebuilts/api/26.0/public/hwservicemanager.te b/prebuilts/api/26.0/public/hwservicemanager.te
deleted file mode 100644
index 1ffd2a6..0000000
--- a/prebuilts/api/26.0/public/hwservicemanager.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# hwservicemanager - the Binder context manager for HAL services
-type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-set_prop(hwservicemanager, hwservicemanager_prop)
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
diff --git a/prebuilts/api/26.0/public/idmap.te b/prebuilts/api/26.0/public/idmap.te
deleted file mode 100644
index 1c32f8f..0000000
--- a/prebuilts/api/26.0/public/idmap.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# idmap, when executed by installd
-type idmap, domain;
-type idmap_exec, exec_type, file_type;
-
-# Use open file to /data/resource-cache file inherited from installd.
-allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
-
-# Open and read from target and overlay apk files passed by argument.
-allow idmap apk_data_file:file r_file_perms;
-allow idmap apk_data_file:dir search;
-
-# Allow apps access to /vendor/app
-r_dir_file(idmap, vendor_app_file)
-
-# Allow apps access to /vendor/overlay
-r_dir_file(idmap, vendor_overlay_file)
diff --git a/prebuilts/api/26.0/public/init.te b/prebuilts/api/26.0/public/init.te
deleted file mode 100644
index 6d43ef4..0000000
--- a/prebuilts/api/26.0/public/init.te
+++ /dev/null
@@ -1,429 +0,0 @@
-# init is its own domain.
-type init, domain, mlstrustedsubject;
-
-# The init domain is entered by execing init.
-type init_exec, exec_type, file_type;
-
-# /dev/__null__ node created by init.
-allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-
-#
-# init direct restorecon calls.
-#
-# /dev/kmsg
-allow init tmpfs:chr_file relabelfrom;
-allow init kmsg_device:chr_file { write relabelto };
-# /dev/__properties__
-allow init properties_device:dir relabelto;
-allow init properties_serial:file { write relabelto };
-allow init property_type:file { create_file_perms relabelto };
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto };
-# /dev/socket
-allow init { device socket_device }:dir relabelto;
-# /dev/random, /dev/urandom
-allow init random_device:chr_file relabelto;
-# /dev/device-mapper, /dev/block(/.*)?
-allow init tmpfs:{ chr_file blk_file } relabelfrom;
-allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file lnk_file } relabelto;
-allow init dm_device:{ chr_file blk_file } relabelto;
-allow init kernel:fd use;
-# restorecon for early mount device symlinks
-allow init tmpfs:lnk_file { getattr read relabelfrom };
-allow init system_block_device:{ blk_file lnk_file } relabelto;
-
-# setrlimit
-allow init self:capability sys_resource;
-
-# Remove /dev/.booting, created before initial policy load or restorecon /dev.
-allow init tmpfs:file unlink;
-
-# Access pty created for fsck.
-allow init devpts:chr_file { read write open };
-
-# Create /dev/fscklogs files.
-allow init fscklogs:file create_file_perms;
-
-# Access /dev/__null__ node created prior to initial policy load.
-allow init tmpfs:chr_file write;
-
-# Access /dev/console.
-allow init console_device:chr_file rw_file_perms;
-
-# Access /dev/tty0.
-allow init tty_device:chr_file rw_file_perms;
-
-# Call mount(2).
-allow init self:capability sys_admin;
-
-# Create and mount on directories in /.
-allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
-
-# Mount on /dev/usb-ffs/adb.
-allow init device:dir mounton;
-
-# Create and remove symlinks in /.
-allow init rootfs:lnk_file { create unlink };
-
-# Mount debugfs on /sys/kernel/debug.
-allow init sysfs:dir mounton;
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow init tmpfs:dir create_dir_perms;
-allow init tmpfs:dir mounton;
-allow init cgroup:dir create_dir_perms;
-r_dir_file(init, cgroup)
-allow init cpuctl_device:dir { create mounton };
-
-# /config
-allow init configfs:dir mounton;
-allow init configfs:dir create_dir_perms;
-
-# Use tmpfs as /data, used for booting when /data is encrypted
-allow init tmpfs:dir relabelfrom;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:capability dac_override;
-
-# Set system clock.
-allow init self:capability sys_time;
-
-allow init self:capability { sys_rawio mknod };
-
-# Mounting filesystems from block devices.
-allow init dev_type:blk_file r_file_perms;
-
-# Mounting filesystems.
-# Only allow relabelto for types used in context= mount options,
-# which should all be assigned the contextmount_type attribute.
-# This can be done in device-specific policy via type or typeattribute
-# declarations.
-allow init fs_type:filesystem ~relabelto;
-allow init unlabeled:filesystem ~relabelto;
-allow init contextmount_type:filesystem relabelto;
-
-# Allow read-only access to context= mounted filesystems.
-allow init contextmount_type:dir r_dir_perms;
-allow init contextmount_type:notdevfile_class_set r_file_perms;
-
-# restorecon /adb_keys or any other rootfs files and directories to a more
-# specific type.
-allow init rootfs:{ dir file } relabelfrom;
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow init self:capability { chown fowner fsetid };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -misc_logd_file
- -system_app_data_file
- -system_file
- -vendor_file_type
-}:dir { create search getattr open read setattr ioctl };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow init {
- file_type
- -app_data_file
- -runtime_event_log_tags_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:file { create getattr open read write setattr relabelfrom unlink };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow init cache_file:lnk_file r_file_perms;
-
-allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
-allow init dev_type:dir create_dir_perms;
-allow init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init tracing_shell_writable:file w_file_perms;
-
-# Setup and control wifi event tracing (see wifi-events.rc)
-allow init debugfs_tracing_instances:dir create_dir_perms;
-allow init debugfs_tracing_instances:file w_file_perms;
-allow init debugfs_wifi_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
-
-# init should not be able to read or open generic devices
-# TODO: auditing to see if this can be deleted entirely
-allow init {
- dev_type
- -kmem_device
- -port_device
- -device
- -vndbinder_device
- }:chr_file { read open };
-auditallow init {
- dev_type
- -alarm_device
- -ashmem_device
- -binder_device
- -console_device
- -device
- -devpts
- -dm_device
- -hwbinder_device
- -hw_random_device
- -keychord_device
- -kmem_device
- -kmsg_device
- -null_device
- -owntty_device
- -port_device
- -ptmx_device
- -random_device
- -zero_device
-}:chr_file { read open };
-
-# chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file setattr;
-
-# Unlabeled file access for upgrades from 4.2.
-allow init unlabeled:dir { create_dir_perms relabelfrom };
-allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-
-# Any operation that can modify the kernel ring buffer, e.g. clear
-# or a read that consumes the messages that were read.
-allow init kernel:system syslog_mod;
-allow init self:capability2 syslog;
-
-# Set usermodehelpers and /proc security settings.
-allow init usermodehelper:file rw_file_perms;
-allow init proc_security:file rw_file_perms;
-
-# Write to /proc/sys/kernel/panic_on_oops.
-r_dir_file(init, proc)
-allow init proc:file w_file_perms;
-
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(init, proc_net)
-allow init proc_net:file w_file_perms;
-allow init self:capability net_admin;
-
-# Write to /proc/sysrq-trigger.
-allow init proc_sysrq:file w_file_perms;
-
-# Read /proc/stat for bootchart.
-allow init proc_stat:file r_file_perms;
-
-# Reboot.
-allow init self:capability sys_boot;
-
-# Write to sysfs nodes.
-allow init sysfs_type:dir r_dir_perms;
-allow init sysfs_type:lnk_file read;
-allow init sysfs_type:file rw_file_perms;
-
-# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
-# Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
-allow init misc_logd_file:file { open create getattr setattr write };
-
-# Support "adb shell stop"
-allow init self:capability kill;
-allow init domain:process { sigkill signal };
-
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
-# Init creates vold's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init vold_data_file:dir { open create read getattr setattr search };
-allow init vold_data_file:file { getattr };
-
-# Init creates /data/local/tmp at boot
-allow init shell_data_file:dir { open create read getattr setattr search };
-allow init shell_data_file:file { getattr };
-
-# Set UID, GID, and adjust capability bounding set for services.
-allow init self:capability { setuid setgid setpcap };
-
-# For bootchart to read the /proc/$pid/cmdline file of each process,
-# we need to have following line to allow init to have access
-# to different domains.
-r_dir_file(init, domain)
-
-# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
-# setexec is for services with seclabel options.
-# setfscreate is for labeling directories and socket files.
-# setsockcreate is for labeling local/unix domain sockets.
-allow init self:process { setexec setfscreate setsockcreate };
-
-# Get file context
-allow init file_contexts_file:file r_file_perms;
-
-# sepolicy access
-allow init sepolicy_file:file r_file_perms;
-
-# Perform SELinux access checks on setting properties.
-selinux_check_access(init)
-
-# Ask the kernel for the new context on services to label their sockets.
-allow init kernel:security compute_create;
-
-# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind };
-allow init domain:unix_dgram_socket { create bind };
-
-# Create /data/property and files within it.
-allow init property_data_file:dir create_dir_perms;
-allow init property_data_file:file create_file_perms;
-
-# Set any property.
-allow init property_type:property_service set;
-
-# Send an SELinux userspace denial to the kernel audit subsystem,
-# so it can be picked up and processed by logd. These denials are
-# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:capability audit_write;
-
-# Run "ifup lo" to bring up the localhost interface
-allow init self:udp_socket { create ioctl };
-# in addition to unpriv ioctls granted to all domains, init also needs:
-allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:capability net_raw;
-
-# This line seems suspect, as it should not really need to
-# set scheduling parameters for a kernel domain task.
-allow init kernel:process setsched;
-
-# swapon() needs write access to swap device
-# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
-allow init swap_block_device:blk_file rw_file_perms;
-
-# Read from /dev/hw_random if present.
-# system/core/init/init.c - mix_hwrng_into_linux_rng_action
-allow init hw_random_device:chr_file r_file_perms;
-
-# Create and access /dev files without a specific type,
-# e.g. /dev/.coldboot_done, /dev/.booting
-# TODO: Move these files into their own type unless they are
-# only ever accessed by init.
-allow init device:file create_file_perms;
-
-# keychord configuration
-allow init self:capability sys_tty_config;
-allow init keychord_device:chr_file rw_file_perms;
-
-# Access device mapper for setting up dm-verity
-allow init dm_device:chr_file rw_file_perms;
-allow init dm_device:blk_file rw_file_perms;
-
-# Access metadata block device for storing dm-verity state
-allow init metadata_block_device:blk_file rw_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops to detect restarts caused
-# by dm-verity detecting corrupted blocks
-allow init pstorefs:dir search;
-allow init pstorefs:file r_file_perms;
-allow init kernel:system syslog_read;
-
-# linux keyring configuration
-allow init init:key { write search setattr };
-
-# Allow init to create /data/unencrypted
-allow init unencrypted_data_file:dir create_dir_perms;
-
-# Allow init to write to /proc/sys/vm/overcommit_memory
-allow init proc_overcommit_memory:file { write };
-
-unix_socket_connect(init, vold, vold)
-
-# Raw writes to misc block device
-allow init misc_block_device:blk_file w_file_perms;
-
-r_dir_file(init, system_file)
-r_dir_file(init, vendor_file_type)
-allow init proc_meminfo:file r_file_perms;
-
-allow init system_data_file:file { getattr read };
-allow init system_data_file:lnk_file r_file_perms;
-
-# For init to be able to run shell scripts from vendor
-allow init vendor_shell_exec:file execute;
-
-###
-### neverallow rules
-###
-
-# The init domain is only entered via an exec based transition from the
-# kernel domain, never via setcon().
-neverallow domain init:process dyntransition;
-neverallow { domain -kernel } init:process transition;
-neverallow init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow init shell_data_file:lnk_file read;
-neverallow init app_data_file:lnk_file read;
-
-# init should never execute a program without changing to another domain.
-neverallow init { file_type fs_type }:file execute_no_trans;
-
-# Init never adds or uses services via service_manager.
-neverallow init service_manager_type:service_manager { add find };
-neverallow init servicemanager:service_manager list;
-
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow init shell_data_file:dir { write add_name remove_name };
diff --git a/prebuilts/api/26.0/public/inputflinger.te b/prebuilts/api/26.0/public/inputflinger.te
deleted file mode 100644
index e5f12a0..0000000
--- a/prebuilts/api/26.0/public/inputflinger.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# inputflinger
-type inputflinger, domain;
-type inputflinger_exec, exec_type, file_type;
-
-binder_use(inputflinger)
-binder_service(inputflinger)
-
-binder_call(inputflinger, system_server)
-
-wakelock_use(inputflinger)
-
-add_service(inputflinger, inputflinger_service)
-allow inputflinger input_device:dir r_dir_perms;
-allow inputflinger input_device:chr_file rw_file_perms;
-
-r_dir_file(inputflinger, cgroup)
diff --git a/prebuilts/api/26.0/public/install_recovery.te b/prebuilts/api/26.0/public/install_recovery.te
deleted file mode 100644
index 2115663..0000000
--- a/prebuilts/api/26.0/public/install_recovery.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# service flash_recovery in init.rc
-type install_recovery, domain;
-type install_recovery_exec, exec_type, file_type;
-
-allow install_recovery self:capability dac_override;
-
-# /system/bin/install-recovery.sh is a shell script.
-# Needs to execute /system/bin/sh
-allow install_recovery shell_exec:file rx_file_perms;
-
-# Execute /system/bin/applypatch
-allow install_recovery system_file:file rx_file_perms;
-not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
-
-allow install_recovery toolbox_exec:file rx_file_perms;
-
-# Update the recovery block device based off a diff of the boot block device
-allow install_recovery block_device:dir search;
-allow install_recovery boot_block_device:blk_file r_file_perms;
-allow install_recovery recovery_block_device:blk_file rw_file_perms;
-
-# Create and delete /cache/saved.file
-allow install_recovery cache_file:dir rw_dir_perms;
-allow install_recovery cache_file:file create_file_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/prebuilts/api/26.0/public/installd.te b/prebuilts/api/26.0/public/installd.te
deleted file mode 100644
index 939a481..0000000
--- a/prebuilts/api/26.0/public/installd.te
+++ /dev/null
@@ -1,159 +0,0 @@
-# installer daemon
-type installd, domain;
-type installd_exec, exec_type, file_type;
-typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
-
-# Allow labeling of files under /data/app/com.example/oat/
-allow installd dalvikcache_data_file:dir relabelto;
-allow installd dalvikcache_data_file:file { relabelto link };
-
-# Allow movement of APK files between volumes
-allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-
-allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file { r_file_perms unlink };
-allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
-allow installd oemfs:dir r_dir_perms;
-allow installd oemfs:file r_file_perms;
-allow installd cgroup:dir create_dir_perms;
-allow installd cgroup:{ file lnk_file } create_file_perms;
-allow installd mnt_expand_file:dir { search getattr };
-# Check validity of SELinux context before use.
-selinux_check_context(installd)
-
-r_dir_file(installd, rootfs)
-# Scan through APKs in /system/app and /system/priv-app
-r_dir_file(installd, system_file)
-# Scan through APKs in /vendor/app
-r_dir_file(installd, vendor_app_file)
-# Scan through Runtime Resource Overlay APKs in /vendor/overlay
-r_dir_file(installd, vendor_overlay_file)
-# Get file context
-allow installd file_contexts_file:file r_file_perms;
-# Get seapp_context
-allow installd seapp_contexts_file:file r_file_perms;
-
-# Search /data/app-asec and stat files in it.
-allow installd asec_image_file:dir search;
-allow installd asec_image_file:file getattr;
-
-# Create /data/user and /data/user/0 if necessary.
-# Also required to initially create /data/data subdirectories
-# and lib symlinks before the setfilecon call. May want to
-# move symlink creation after setfilecon in installd.
-allow installd system_data_file:dir create_dir_perms;
-allow installd system_data_file:lnk_file { create setattr unlink };
-
-# Upgrade /data/media for multi-user if necessary.
-allow installd media_rw_data_file:dir create_dir_perms;
-allow installd media_rw_data_file:file { getattr unlink };
-# restorecon new /data/media directory.
-allow installd system_data_file:dir relabelfrom;
-allow installd media_rw_data_file:dir relabelto;
-
-# Delete /data/media files through sdcardfs, instead of going behind its back
-allow installd tmpfs:dir r_dir_perms;
-allow installd storage_file:dir search;
-allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
-allow installd sdcardfs:file { getattr unlink };
-
-# Upgrade /data/misc/keychain for multi-user if necessary.
-allow installd misc_user_data_file:dir create_dir_perms;
-allow installd misc_user_data_file:file create_file_perms;
-allow installd keychain_data_file:dir create_dir_perms;
-allow installd keychain_data_file:file {r_file_perms unlink};
-
-# Create /data/.layout_version.* file
-allow installd install_data_file:file create_file_perms;
-
-# Create files under /data/dalvik-cache.
-allow installd dalvikcache_data_file:dir create_dir_perms;
-allow installd dalvikcache_data_file:file create_file_perms;
-allow installd dalvikcache_data_file:lnk_file getattr;
-
-# Create files under /data/resource-cache.
-allow installd resourcecache_data_file:dir rw_dir_perms;
-allow installd resourcecache_data_file:file create_file_perms;
-
-# Upgrade from unlabeled userdata.
-# Just need enough to remove and/or relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
-# Read pkg.apk file for input during dexopt.
-allow installd unlabeled:file r_file_perms;
-
-# Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it and to unlink removed package files.
-# Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
-
-# Manage /data/data subdirectories, including initially labeling them
-# upon creation via setfilecon or running restorecon_recursive,
-# setting owner/mode, creating symlinks within them, and deleting them
-# upon package uninstall.
-# Types extracted from seapp_contexts type= fields.
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
-}:dir { create_dir_perms relabelfrom relabelto };
-
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
-}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
-
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_data_file:dir create_dir_perms;
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:dir rmdir;
-allow installd user_profile_data_file:file unlink;
-
-# Files created/updated by profman dumps.
-allow installd profman_dump_data_file:dir { search add_name write };
-allow installd profman_dump_data_file:file { create setattr open write };
-
-# Create and use pty created by android_fork_execvp().
-allow installd devpts:chr_file rw_file_perms;
-
-# execute toybox for app relocation
-allow installd toolbox_exec:file rx_file_perms;
-
-# Allow installd to publish a binder service and make binder calls.
-binder_use(installd)
-add_service(installd, installd_service)
-allow installd dumpstate:fifo_file { getattr write };
-
-# Allow installd to call into the system server so it can check permissions.
-binder_call(installd, system_server)
-allow installd permission_service:service_manager find;
-
-# Allow installd to read and write quotas
-allow installd block_device:dir { search };
-allow installd labeledfs:filesystem { quotaget quotamod };
-
-# Allow installd to delete from /data/preloads when trimming data caches
-# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
-allow installd preloads_data_file:file { r_file_perms unlink };
-allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow installd preloads_media_file:file { r_file_perms unlink };
-allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-###
-### Neverallow rules
-###
-
-# only system_server, installd and dumpstate may interact with installd over binder
-neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
-neverallow { domain -system_server -dumpstate } installd:binder call;
-neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/prebuilts/api/26.0/public/ioctl_defines b/prebuilts/api/26.0/public/ioctl_defines
deleted file mode 100644
index a1cd0b9..0000000
--- a/prebuilts/api/26.0/public/ioctl_defines
+++ /dev/null
@@ -1,2694 +0,0 @@
-define(`FIBMAP', `0x00000001')
-define(`FIGETBSZ', `0x00000002')
-define(`FDCLRPRM', `0x00000241')
-define(`FDMSGON', `0x00000245')
-define(`FDMSGOFF', `0x00000246')
-define(`FDFMTBEG', `0x00000247')
-define(`FDFMTEND', `0x00000249')
-define(`FDSETEMSGTRESH', `0x0000024a')
-define(`FDFLUSH', `0x0000024b')
-define(`FDRESET', `0x00000254')
-define(`FDWERRORCLR', `0x00000256')
-define(`FDRAWCMD', `0x00000258')
-define(`FDTWADDLE', `0x00000259')
-define(`FDEJECT', `0x0000025a')
-define(`HDIO_GETGEO', `0x00000301')
-define(`HDIO_GET_UNMASKINTR', `0x00000302')
-define(`HDIO_GET_MULTCOUNT', `0x00000304')
-define(`HDIO_GET_QDMA', `0x00000305')
-define(`HDIO_SET_XFER', `0x00000306')
-define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
-define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
-define(`HDIO_GET_32BIT', `0x00000309')
-define(`HDIO_GET_NOWERR', `0x0000030a')
-define(`HDIO_GET_DMA', `0x0000030b')
-define(`HDIO_GET_NICE', `0x0000030c')
-define(`HDIO_GET_IDENTITY', `0x0000030d')
-define(`HDIO_GET_WCACHE', `0x0000030e')
-define(`HDIO_GET_ACOUSTIC', `0x0000030f')
-define(`HDIO_GET_ADDRESS', `0x00000310')
-define(`HDIO_GET_BUSSTATE', `0x0000031a')
-define(`HDIO_TRISTATE_HWIF', `0x0000031b')
-define(`HDIO_DRIVE_RESET', `0x0000031c')
-define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
-define(`HDIO_DRIVE_TASK', `0x0000031e')
-define(`HDIO_DRIVE_CMD', `0x0000031f')
-define(`HDIO_SET_MULTCOUNT', `0x00000321')
-define(`HDIO_SET_UNMASKINTR', `0x00000322')
-define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
-define(`HDIO_SET_32BIT', `0x00000324')
-define(`HDIO_SET_NOWERR', `0x00000325')
-define(`HDIO_SET_DMA', `0x00000326')
-define(`HDIO_SET_PIO_MODE', `0x00000327')
-define(`HDIO_SCAN_HWIF', `0x00000328')
-define(`HDIO_SET_NICE', `0x00000329')
-define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
-define(`HDIO_SET_WCACHE', `0x0000032b')
-define(`HDIO_SET_ACOUSTIC', `0x0000032c')
-define(`HDIO_SET_BUSSTATE', `0x0000032d')
-define(`HDIO_SET_QDMA', `0x0000032e')
-define(`HDIO_SET_ADDRESS', `0x0000032f')
-define(`IOCTL_VMCI_VERSION', `0x0000079f')
-define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
-define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
-define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
-define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
-define(`IOCTL_VMCI_VERSION2', `0x000007a7')
-define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
-define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
-define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
-define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
-define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
-define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
-define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
-define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
-define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
-define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
-define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
-define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
-define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
-define(`RAID_AUTORUN', `0x00000914')
-define(`CLEAR_ARRAY', `0x00000920')
-define(`HOT_REMOVE_DISK', `0x00000922')
-define(`SET_DISK_INFO', `0x00000924')
-define(`WRITE_RAID_INFO', `0x00000925')
-define(`UNPROTECT_ARRAY', `0x00000926')
-define(`PROTECT_ARRAY', `0x00000927')
-define(`HOT_ADD_DISK', `0x00000928')
-define(`SET_DISK_FAULTY', `0x00000929')
-define(`HOT_GENERATE_ERROR', `0x0000092a')
-define(`STOP_ARRAY', `0x00000932')
-define(`STOP_ARRAY_RO', `0x00000933')
-define(`RESTART_ARRAY_RW', `0x00000934')
-define(`BLKROSET', `0x0000125d')
-define(`BLKROGET', `0x0000125e')
-define(`BLKRRPART', `0x0000125f')
-define(`BLKGETSIZE', `0x00001260')
-define(`BLKFLSBUF', `0x00001261')
-define(`BLKRASET', `0x00001262')
-define(`BLKRAGET', `0x00001263')
-define(`BLKFRASET', `0x00001264')
-define(`BLKFRAGET', `0x00001265')
-define(`BLKSECTSET', `0x00001266')
-define(`BLKSECTGET', `0x00001267')
-define(`BLKSSZGET', `0x00001268')
-define(`BLKPG', `0x00001269')
-define(`BLKTRACESTART', `0x00001274')
-define(`BLKTRACESTOP', `0x00001275')
-define(`BLKTRACETEARDOWN', `0x00001276')
-define(`BLKDISCARD', `0x00001277')
-define(`BLKIOMIN', `0x00001278')
-define(`BLKIOOPT', `0x00001279')
-define(`BLKALIGNOFF', `0x0000127a')
-define(`BLKPBSZGET', `0x0000127b')
-define(`BLKDISCARDZEROES', `0x0000127c')
-define(`BLKSECDISCARD', `0x0000127d')
-define(`BLKROTATIONAL', `0x0000127e')
-define(`BLKZEROOUT', `0x0000127f')
-define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
-define(`SG_SET_TIMEOUT', `0x00002201')
-define(`SG_GET_TIMEOUT', `0x00002202')
-define(`SG_EMULATED_HOST', `0x00002203')
-define(`SG_SET_TRANSFORM', `0x00002204')
-define(`SG_GET_TRANSFORM', `0x00002205')
-define(`SG_GET_COMMAND_Q', `0x00002270')
-define(`SG_SET_COMMAND_Q', `0x00002271')
-define(`SG_GET_RESERVED_SIZE', `0x00002272')
-define(`SG_SET_RESERVED_SIZE', `0x00002275')
-define(`SG_GET_SCSI_ID', `0x00002276')
-define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
-define(`SG_GET_LOW_DMA', `0x0000227a')
-define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
-define(`SG_GET_PACK_ID', `0x0000227c')
-define(`SG_GET_NUM_WAITING', `0x0000227d')
-define(`SG_SET_DEBUG', `0x0000227e')
-define(`SG_GET_SG_TABLESIZE', `0x0000227f')
-define(`SG_GET_VERSION_NUM', `0x00002282')
-define(`SG_NEXT_CMD_LEN', `0x00002283')
-define(`SG_SCSI_RESET', `0x00002284')
-define(`SG_IO', `0x00002285')
-define(`SG_GET_REQUEST_TABLE', `0x00002286')
-define(`SG_SET_KEEP_ORPHAN', `0x00002287')
-define(`SG_GET_KEEP_ORPHAN', `0x00002288')
-define(`SG_GET_ACCESS_COUNT', `0x00002289')
-define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
-define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
-define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
-define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
-define(`PERF_EVENT_IOC_RESET', `0x00002403')
-define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
-define(`SNAPSHOT_FREEZE', `0x00003301')
-define(`SNAPSHOT_UNFREEZE', `0x00003302')
-define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
-define(`SNAPSHOT_FREE', `0x00003305')
-define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
-define(`SNAPSHOT_S2RAM', `0x0000330b')
-define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
-define(`SNAPSHOT_POWER_OFF', `0x00003310')
-define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
-define(`VFIO_GET_API_VERSION', `0x00003b64')
-define(`VFIO_CHECK_EXTENSION', `0x00003b65')
-define(`VFIO_SET_IOMMU', `0x00003b66')
-define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
-define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
-define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
-define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
-define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
-define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
-define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
-define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
-define(`VFIO_DEVICE_RESET', `0x00003b6f')
-define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
-define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
-define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
-define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
-define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
-define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
-define(`VFIO_IOMMU_ENABLE', `0x00003b73')
-define(`VFIO_IOMMU_DISABLE', `0x00003b74')
-define(`VFIO_EEH_PE_OP', `0x00003b79')
-define(`AGPIOC_ACQUIRE', `0x00004101')
-define(`APM_IOC_STANDBY', `0x00004101')
-define(`AGPIOC_RELEASE', `0x00004102')
-define(`APM_IOC_SUSPEND', `0x00004102')
-define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
-define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
-define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
-define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
-define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
-define(`SNDRV_PCM_IOCTL_START', `0x00004142')
-define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
-define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
-define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
-define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
-define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
-define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
-define(`PMU_IOC_SLEEP', `0x00004200')
-define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
-define(`CCISS_REVALIDVOLS', `0x0000420a')
-define(`CCISS_DEREGDISK', `0x0000420c')
-define(`CCISS_REGNEWD', `0x0000420e')
-define(`CCISS_RESCANDISK', `0x00004210')
-define(`SNDCTL_COPR_RESET', `0x00004300')
-define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
-define(`SNDRV_COMPRESS_RESUME', `0x00004331')
-define(`SNDRV_COMPRESS_START', `0x00004332')
-define(`SNDRV_COMPRESS_STOP', `0x00004333')
-define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
-define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
-define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
-define(`IOCTL_EVTCHN_RESET', `0x00004505')
-define(`FBIOGET_VSCREENINFO', `0x00004600')
-define(`FBIOPUT_VSCREENINFO', `0x00004601')
-define(`FBIOGET_FSCREENINFO', `0x00004602')
-define(`FBIOGETCMAP', `0x00004604')
-define(`FBIOPUTCMAP', `0x00004605')
-define(`FBIOPAN_DISPLAY', `0x00004606')
-define(`FBIOGET_CON2FBMAP', `0x0000460f')
-define(`FBIOPUT_CON2FBMAP', `0x00004610')
-define(`FBIOBLANK', `0x00004611')
-define(`FBIO_ALLOC', `0x00004613')
-define(`FBIO_FREE', `0x00004614')
-define(`FBIOGET_GLYPH', `0x00004615')
-define(`FBIOGET_HWCINFO', `0x00004616')
-define(`FBIOPUT_MODEINFO', `0x00004617')
-define(`FBIOGET_DISPINFO', `0x00004618')
-define(`FBIO_WAITEVENT', `0x00004688')
-define(`GSMIOC_DISABLE_NET', `0x00004703')
-define(`HIDIOCAPPLICATION', `0x00004802')
-define(`HIDIOCINITREPORT', `0x00004805')
-define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
-define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
-define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
-define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
-define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
-define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
-define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
-define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
-define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
-define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
-define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
-define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
-define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
-define(`IIOCNETAIF', `0x00004901')
-define(`IIOCNETDIF', `0x00004902')
-define(`IIOCNETSCF', `0x00004903')
-define(`IIOCNETGCF', `0x00004904')
-define(`IIOCNETANM', `0x00004905')
-define(`IIOCNETDNM', `0x00004906')
-define(`IIOCNETGNM', `0x00004907')
-define(`IIOCGETSET', `0x00004908')
-define(`IIOCSETSET', `0x00004909')
-define(`IIOCSETVER', `0x0000490a')
-define(`IIOCNETHUP', `0x0000490b')
-define(`IIOCSETGST', `0x0000490c')
-define(`IIOCSETBRJ', `0x0000490d')
-define(`IIOCSIGPRF', `0x0000490e')
-define(`IIOCGETPRF', `0x0000490f')
-define(`IIOCSETPRF', `0x00004910')
-define(`IIOCGETMAP', `0x00004911')
-define(`IIOCSETMAP', `0x00004912')
-define(`IIOCNETASL', `0x00004913')
-define(`IIOCNETDIL', `0x00004914')
-define(`IIOCGETCPS', `0x00004915')
-define(`IIOCGETDVR', `0x00004916')
-define(`IIOCNETLCR', `0x00004917')
-define(`IIOCNETDWRSET', `0x00004918')
-define(`IIOCNETALN', `0x00004920')
-define(`IIOCNETDLN', `0x00004921')
-define(`IIOCNETGPN', `0x00004922')
-define(`IIOCDBGVAR', `0x0000497f')
-define(`IIOCDRVCTL', `0x00004980')
-define(`ION_IOC_TEST_SET_FD', `0x000049f0')
-define(`KIOCSOUND', `0x00004b2f')
-define(`KDMKTONE', `0x00004b30')
-define(`KDGETLED', `0x00004b31')
-define(`KDSETLED', `0x00004b32')
-define(`KDGKBTYPE', `0x00004b33')
-define(`KDADDIO', `0x00004b34')
-define(`KDDELIO', `0x00004b35')
-define(`KDENABIO', `0x00004b36')
-define(`KDDISABIO', `0x00004b37')
-define(`KDSETMODE', `0x00004b3a')
-define(`KDGETMODE', `0x00004b3b')
-define(`KDMAPDISP', `0x00004b3c')
-define(`KDUNMAPDISP', `0x00004b3d')
-define(`GIO_SCRNMAP', `0x00004b40')
-define(`PIO_SCRNMAP', `0x00004b41')
-define(`KDGKBMODE', `0x00004b44')
-define(`KDSKBMODE', `0x00004b45')
-define(`KDGKBENT', `0x00004b46')
-define(`KDSKBENT', `0x00004b47')
-define(`KDGKBSENT', `0x00004b48')
-define(`KDSKBSENT', `0x00004b49')
-define(`KDGKBDIACR', `0x00004b4a')
-define(`KDSKBDIACR', `0x00004b4b')
-define(`KDGETKEYCODE', `0x00004b4c')
-define(`KDSETKEYCODE', `0x00004b4d')
-define(`KDSIGACCEPT', `0x00004b4e')
-define(`KDKBDREP', `0x00004b52')
-define(`GIO_FONT', `0x00004b60')
-define(`PIO_FONT', `0x00004b61')
-define(`KDGKBMETA', `0x00004b62')
-define(`KDSKBMETA', `0x00004b63')
-define(`KDGKBLED', `0x00004b64')
-define(`KDSKBLED', `0x00004b65')
-define(`GIO_UNIMAP', `0x00004b66')
-define(`PIO_UNIMAP', `0x00004b67')
-define(`PIO_UNIMAPCLR', `0x00004b68')
-define(`GIO_UNISCRNMAP', `0x00004b69')
-define(`PIO_UNISCRNMAP', `0x00004b6a')
-define(`GIO_FONTX', `0x00004b6b')
-define(`PIO_FONTX', `0x00004b6c')
-define(`PIO_FONTRESET', `0x00004b6d')
-define(`GIO_CMAP', `0x00004b70')
-define(`PIO_CMAP', `0x00004b71')
-define(`KDFONTOP', `0x00004b72')
-define(`KDGKBDIACRUC', `0x00004bfa')
-define(`KDSKBDIACRUC', `0x00004bfb')
-define(`LOOP_SET_FD', `0x00004c00')
-define(`LOOP_CLR_FD', `0x00004c01')
-define(`LOOP_SET_STATUS', `0x00004c02')
-define(`LOOP_GET_STATUS', `0x00004c03')
-define(`LOOP_SET_STATUS64', `0x00004c04')
-define(`LOOP_GET_STATUS64', `0x00004c05')
-define(`LOOP_CHANGE_FD', `0x00004c06')
-define(`LOOP_SET_CAPACITY', `0x00004c07')
-define(`LOOP_CTL_ADD', `0x00004c80')
-define(`LOOP_CTL_REMOVE', `0x00004c81')
-define(`LOOP_CTL_GET_FREE', `0x00004c82')
-define(`MTDFILEMODE', `0x00004d13')
-define(`NVME_IOCTL_ID', `0x00004e40')
-define(`UBI_IOCVOLRMBLK', `0x00004f08')
-define(`OMAPFB_SYNC_GFX', `0x00004f25')
-define(`OMAPFB_VSYNC', `0x00004f26')
-define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
-define(`OMAPFB_WAITFORGO', `0x00004f3c')
-define(`SNDCTL_DSP_RESET', `0x00005000')
-define(`SNDCTL_DSP_SYNC', `0x00005001')
-define(`SNDCTL_DSP_POST', `0x00005008')
-define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
-define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
-define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
-define(`SNDCTL_SEQ_RESET', `0x00005100')
-define(`SNDCTL_SEQ_SYNC', `0x00005101')
-define(`SNDCTL_SEQ_PANIC', `0x00005111')
-define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
-define(`RNDZAPENTCNT', `0x00005204')
-define(`RNDCLEARPOOL', `0x00005206')
-define(`CDROMPAUSE', `0x00005301')
-define(`CDROMRESUME', `0x00005302')
-define(`CDROMPLAYMSF', `0x00005303')
-define(`CDROMPLAYTRKIND', `0x00005304')
-define(`CDROMREADTOCHDR', `0x00005305')
-define(`CDROMREADTOCENTRY', `0x00005306')
-define(`CDROMSTOP', `0x00005307')
-define(`CDROMSTART', `0x00005308')
-define(`CDROMEJECT', `0x00005309')
-define(`CDROMVOLCTRL', `0x0000530a')
-define(`CDROMSUBCHNL', `0x0000530b')
-define(`CDROMREADMODE2', `0x0000530c')
-define(`CDROMREADMODE1', `0x0000530d')
-define(`CDROMREADAUDIO', `0x0000530e')
-define(`CDROMEJECT_SW', `0x0000530f')
-define(`CDROMMULTISESSION', `0x00005310')
-define(`CDROM_GET_MCN', `0x00005311')
-define(`CDROMRESET', `0x00005312')
-define(`CDROMVOLREAD', `0x00005313')
-define(`CDROMREADRAW', `0x00005314')
-define(`CDROMREADCOOKED', `0x00005315')
-define(`CDROMSEEK', `0x00005316')
-define(`CDROMPLAYBLK', `0x00005317')
-define(`CDROMREADALL', `0x00005318')
-define(`CDROMCLOSETRAY', `0x00005319')
-define(`CDROMGETSPINDOWN', `0x0000531d')
-define(`CDROMSETSPINDOWN', `0x0000531e')
-define(`CDROM_SET_OPTIONS', `0x00005320')
-define(`CDROM_CLEAR_OPTIONS', `0x00005321')
-define(`CDROM_SELECT_SPEED', `0x00005322')
-define(`CDROM_SELECT_DISC', `0x00005323')
-define(`CDROM_MEDIA_CHANGED', `0x00005325')
-define(`CDROM_DRIVE_STATUS', `0x00005326')
-define(`CDROM_DISC_STATUS', `0x00005327')
-define(`CDROM_CHANGER_NSLOTS', `0x00005328')
-define(`CDROM_LOCKDOOR', `0x00005329')
-define(`CDROM_DEBUG', `0x00005330')
-define(`CDROM_GET_CAPABILITY', `0x00005331')
-define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
-define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
-define(`CDROMAUDIOBUFSIZ', `0x00005382')
-define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
-define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
-define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
-define(`SCSI_IOCTL_GET_PCI', `0x00005387')
-define(`DVD_READ_STRUCT', `0x00005390')
-define(`DVD_WRITE_STRUCT', `0x00005391')
-define(`DVD_AUTH', `0x00005392')
-define(`CDROM_SEND_PACKET', `0x00005393')
-define(`CDROM_NEXT_WRITABLE', `0x00005394')
-define(`CDROM_LAST_WRITTEN', `0x00005395')
-define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
-define(`SNDCTL_TMR_START', `0x00005402')
-define(`TCSETS', `0x00005402')
-define(`SNDCTL_TMR_STOP', `0x00005403')
-define(`TCSETSW', `0x00005403')
-define(`SNDCTL_TMR_CONTINUE', `0x00005404')
-define(`TCSETSF', `0x00005404')
-define(`TCGETA', `0x00005405')
-define(`TCSETA', `0x00005406')
-define(`TCSETAW', `0x00005407')
-define(`TCSETAF', `0x00005408')
-define(`TCSBRK', `0x00005409')
-define(`TCXONC', `0x0000540a')
-define(`TCFLSH', `0x0000540b')
-define(`TIOCEXCL', `0x0000540c')
-define(`TIOCNXCL', `0x0000540d')
-define(`TIOCSCTTY', `0x0000540e')
-define(`TIOCGPGRP', `0x0000540f')
-define(`TIOCSPGRP', `0x00005410')
-define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
-define(`TIOCSTI', `0x00005412')
-define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
-define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
-define(`TIOCMGET', `0x00005415')
-define(`TIOCMBIS', `0x00005416')
-define(`TIOCMBIC', `0x00005417')
-define(`TIOCMSET', `0x00005418')
-define(`TIOCGSOFTCAR', `0x00005419')
-define(`TIOCSSOFTCAR', `0x0000541a')
-define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
-define(`TIOCLINUX', `0x0000541c')
-define(`TIOCCONS', `0x0000541d')
-define(`TIOCGSERIAL', `0x0000541e')
-define(`TIOCSSERIAL', `0x0000541f')
-define(`TIOCPKT', `0x00005420')
-define(`FIONBIO', `0x00005421')
-define(`TIOCNOTTY', `0x00005422')
-define(`TIOCSETD', `0x00005423')
-define(`TIOCGETD', `0x00005424')
-define(`TCSBRKP', `0x00005425')
-define(`TIOCSBRK', `0x00005427')
-define(`TIOCCBRK', `0x00005428')
-define(`TIOCGSID', `0x00005429')
-define(`TIOCGRS485', `0x0000542e')
-define(`TIOCSRS485', `0x0000542f')
-define(`TCGETX', `0x00005432')
-define(`TCSETX', `0x00005433')
-define(`TCSETXF', `0x00005434')
-define(`TCSETXW', `0x00005435')
-define(`TIOCVHANGUP', `0x00005437')
-define(`FIONCLEX', `0x00005450')
-define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
-define(`FIOASYNC', `0x00005452')
-define(`TIOCSERCONFIG', `0x00005453')
-define(`TIOCSERGWILD', `0x00005454')
-define(`TIOCSERSWILD', `0x00005455')
-define(`TIOCGLCKTRMIOS', `0x00005456')
-define(`TIOCSLCKTRMIOS', `0x00005457')
-define(`TIOCSERGSTRUCT', `0x00005458')
-define(`TIOCSERGETLSR', `0x00005459')
-define(`TIOCSERGETMULTI', `0x0000545a')
-define(`TIOCSERSETMULTI', `0x0000545b')
-define(`TIOCMIWAIT', `0x0000545c')
-define(`TIOCGICOUNT', `0x0000545d')
-define(`FIOQSIZE', `0x00005460')
-define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
-define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
-define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
-define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
-define(`UI_DEV_CREATE', `0x00005501')
-define(`UI_DEV_DESTROY', `0x00005502')
-define(`USBDEVFS_DISCARDURB', `0x0000550b')
-define(`USBDEVFS_RESET', `0x00005514')
-define(`USBDEVFS_DISCONNECT', `0x00005516')
-define(`USBDEVFS_CONNECT', `0x00005517')
-define(`VT_OPENQRY', `0x00005600')
-define(`VIDIOC_RESERVED', `0x00005601')
-define(`VT_GETMODE', `0x00005601')
-define(`VT_SETMODE', `0x00005602')
-define(`VT_GETSTATE', `0x00005603')
-define(`VT_SENDSIG', `0x00005604')
-define(`VT_RELDISP', `0x00005605')
-define(`VT_ACTIVATE', `0x00005606')
-define(`VT_WAITACTIVE', `0x00005607')
-define(`VT_DISALLOCATE', `0x00005608')
-define(`VT_RESIZE', `0x00005609')
-define(`VT_RESIZEX', `0x0000560a')
-define(`VT_LOCKSWITCH', `0x0000560b')
-define(`VT_UNLOCKSWITCH', `0x0000560c')
-define(`VT_GETHIFONTMASK', `0x0000560d')
-define(`VT_WAITEVENT', `0x0000560e')
-define(`VT_SETACTIVATE', `0x0000560f')
-define(`VIDIOC_LOG_STATUS', `0x00005646')
-define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
-define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
-define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
-define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
-define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
-define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
-define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
-define(`ANDROID_ALARM_WAIT', `0x00006101')
-define(`NS_ADJBUFLEV', `0x00006163')
-define(`SIOCSIFATMTCP', `0x00006180')
-define(`ATMTCP_CREATE', `0x0000618e')
-define(`ATMTCP_REMOVE', `0x0000618f')
-define(`ATMLEC_CTRL', `0x000061d0')
-define(`ATMLEC_DATA', `0x000061d1')
-define(`ATMLEC_MCAST', `0x000061d2')
-define(`ATMMPC_CTRL', `0x000061d8')
-define(`ATMMPC_DATA', `0x000061d9')
-define(`SIOCMKCLIP', `0x000061e0')
-define(`ATMARPD_CTRL', `0x000061e1')
-define(`ATMARP_MKIP', `0x000061e2')
-define(`ATMARP_SETENTRY', `0x000061e3')
-define(`ATMARP_ENCAP', `0x000061e5')
-define(`ATMSIGD_CTRL', `0x000061f0')
-define(`BT819_FIFO_RESET_LOW', `0x00006200')
-define(`BT819_FIFO_RESET_HIGH', `0x00006201')
-define(`CM_IOCSRDR', `0x00006303')
-define(`CM_IOCARDOFF', `0x00006304')
-define(`BC_REGISTER_LOOPER', `0x0000630b')
-define(`BC_ENTER_LOOPER', `0x0000630c')
-define(`BC_EXIT_LOOPER', `0x0000630d')
-define(`CHIOINITELEM', `0x00006311')
-define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
-define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
-define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
-define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
-define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
-define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
-define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
-define(`DRM_IOCTL_I915_FLIP', `0x00006442')
-define(`DRM_IOCTL_MGA_RESET', `0x00006442')
-define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
-define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
-define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
-define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
-define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
-define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
-define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
-define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
-define(`DRM_IOCTL_I810_SWAP', `0x00006446')
-define(`DRM_IOCTL_R128_RESET', `0x00006446')
-define(`DRM_IOCTL_R128_SWAP', `0x00006447')
-define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
-define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
-define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
-define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
-define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
-define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
-define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
-define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
-define(`DRM_IOCTL_R128_FLIP', `0x00006453')
-define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
-define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
-define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
-define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
-define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
-define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
-define(`GADGETFS_FIFO_STATUS', `0x00006701')
-define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
-define(`GADGETFS_FIFO_FLUSH', `0x00006702')
-define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
-define(`GADGETFS_CLEAR_HALT', `0x00006703')
-define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
-define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
-define(`HPET_IE_ON', `0x00006801')
-define(`HPET_IE_OFF', `0x00006802')
-define(`HPET_EPI', `0x00006804')
-define(`HPET_DPI', `0x00006805')
-define(`LIRC_NOTIFY_DECODE', `0x00006920')
-define(`LIRC_SETUP_START', `0x00006921')
-define(`LIRC_SETUP_END', `0x00006922')
-define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
-define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
-define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
-define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
-define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
-define(`KYRO_IOCTL_STRIDE', `0x00006b05')
-define(`HSC_RESET', `0x00006b10')
-define(`HSC_SET_PM', `0x00006b11')
-define(`HSC_SEND_BREAK', `0x00006b12')
-define(`MMTIMER_GETOFFSET', `0x00006d00')
-define(`MGSL_IOCSTXIDLE', `0x00006d02')
-define(`MGSL_IOCGTXIDLE', `0x00006d03')
-define(`MGSL_IOCTXENABLE', `0x00006d04')
-define(`MMTIMER_GETBITS', `0x00006d04')
-define(`MGSL_IOCRXENABLE', `0x00006d05')
-define(`MGSL_IOCTXABORT', `0x00006d06')
-define(`MMTIMER_MMAPAVAIL', `0x00006d06')
-define(`MGSL_IOCGSTATS', `0x00006d07')
-define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
-define(`MGSL_IOCSIF', `0x00006d0a')
-define(`MGSL_IOCGIF', `0x00006d0b')
-define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
-define(`MGSL_IOCSXSYNC', `0x00006d13')
-define(`MGSL_IOCGXSYNC', `0x00006d14')
-define(`MGSL_IOCSXCTRL', `0x00006d15')
-define(`MGSL_IOCGXCTRL', `0x00006d16')
-define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
-define(`AUDIO_STOP', `0x00006f01')
-define(`AUDIO_PLAY', `0x00006f02')
-define(`AUDIO_PAUSE', `0x00006f03')
-define(`AUDIO_CONTINUE', `0x00006f04')
-define(`AUDIO_SELECT_SOURCE', `0x00006f05')
-define(`AUDIO_SET_MUTE', `0x00006f06')
-define(`AUDIO_SET_AV_SYNC', `0x00006f07')
-define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
-define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
-define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
-define(`AUDIO_SET_ID', `0x00006f0d')
-define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
-define(`AUDIO_SET_EXT_ID', `0x00006f10')
-define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
-define(`VIDEO_STOP', `0x00006f15')
-define(`VIDEO_PLAY', `0x00006f16')
-define(`VIDEO_FREEZE', `0x00006f17')
-define(`VIDEO_CONTINUE', `0x00006f18')
-define(`VIDEO_SELECT_SOURCE', `0x00006f19')
-define(`VIDEO_SET_BLANK', `0x00006f1a')
-define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
-define(`VIDEO_FAST_FORWARD', `0x00006f1f')
-define(`VIDEO_SLOWMOTION', `0x00006f20')
-define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
-define(`VIDEO_SET_ID', `0x00006f23')
-define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
-define(`VIDEO_SET_FORMAT', `0x00006f25')
-define(`VIDEO_SET_SYSTEM', `0x00006f26')
-define(`DMX_START', `0x00006f29')
-define(`DMX_STOP', `0x00006f2a')
-define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
-define(`NET_REMOVE_IF', `0x00006f35')
-define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
-define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
-define(`FE_DISEQC_SEND_BURST', `0x00006f41')
-define(`FE_SET_TONE', `0x00006f42')
-define(`FE_SET_VOLTAGE', `0x00006f43')
-define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
-define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
-define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
-define(`CA_RESET', `0x00006f80')
-define(`RTC_AIE_ON', `0x00007001')
-define(`RTC_AIE_OFF', `0x00007002')
-define(`RTC_UIE_ON', `0x00007003')
-define(`PHN_NOT_OH', `0x00007004')
-define(`RTC_UIE_OFF', `0x00007004')
-define(`RTC_PIE_ON', `0x00007005')
-define(`RTC_PIE_OFF', `0x00007006')
-define(`RTC_WIE_ON', `0x0000700f')
-define(`RTC_WIE_OFF', `0x00007010')
-define(`RTC_VL_CLR', `0x00007014')
-define(`NVRAM_INIT', `0x00007040')
-define(`NVRAM_SETCKS', `0x00007041')
-define(`PPCLAIM', `0x0000708b')
-define(`PPRELEASE', `0x0000708c')
-define(`PPYIELD', `0x0000708d')
-define(`PPEXCL', `0x0000708f')
-define(`PHONE_CAPABILITIES', `0x00007180')
-define(`PHONE_RING', `0x00007183')
-define(`PHONE_HOOKSTATE', `0x00007184')
-define(`OLD_PHONE_RING_START', `0x00007187')
-define(`PHONE_RING_STOP', `0x00007188')
-define(`PHONE_REC_START', `0x0000718a')
-define(`PHONE_REC_STOP', `0x0000718b')
-define(`PHONE_REC_LEVEL', `0x0000718f')
-define(`PHONE_PLAY_START', `0x00007191')
-define(`PHONE_PLAY_STOP', `0x00007192')
-define(`PHONE_PLAY_LEVEL', `0x00007195')
-define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
-define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
-define(`PHONE_GET_TONE_STATE', `0x000071a0')
-define(`PHONE_BUSY', `0x000071a1')
-define(`PHONE_RINGBACK', `0x000071a2')
-define(`PHONE_DIALTONE', `0x000071a3')
-define(`PHONE_CPT_STOP', `0x000071a4')
-define(`PHONE_PSTN_GET_STATE', `0x000071a5')
-define(`PHONE_PSTN_LINETEST', `0x000071a8')
-define(`IXJCTL_DSP_RESET', `0x000071c0')
-define(`IXJCTL_DSP_IDLE', `0x000071c5')
-define(`IXJCTL_TESTRAM', `0x000071c6')
-define(`IXJCTL_AEC_STOP', `0x000071cc')
-define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
-define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
-define(`IXJCTL_PLAY_CID', `0x000071d7')
-define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
-define(`BR_OK', `0x00007201')
-define(`BR_DEAD_REPLY', `0x00007205')
-define(`BR_TRANSACTION_COMPLETE', `0x00007206')
-define(`BR_NOOP', `0x0000720c')
-define(`BR_SPAWN_LOOPER', `0x0000720d')
-define(`BR_FINISHED', `0x0000720e')
-define(`BR_FAILED_REPLY', `0x00007211')
-define(`MEYEIOC_STILLCAPT', `0x000076c4')
-define(`ASHMEM_GET_SIZE', `0x00007704')
-define(`ASHMEM_GET_PROT_MASK', `0x00007706')
-define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
-define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
-define(`FIOSETOWN', `0x00008901')
-define(`SIOCSPGRP', `0x00008902')
-define(`FIOGETOWN', `0x00008903')
-define(`SIOCGPGRP', `0x00008904')
-define(`SIOCATMARK', `0x00008905')
-define(`SIOCGSTAMP', `0x00008906')
-define(`SIOCGSTAMPNS', `0x00008907')
-define(`SIOCADDRT', `0x0000890b')
-define(`SIOCDELRT', `0x0000890c')
-define(`SIOCRTMSG', `0x0000890d')
-define(`SIOCGIFNAME', `0x00008910')
-define(`SIOCSIFLINK', `0x00008911')
-define(`SIOCGIFCONF', `0x00008912')
-define(`SIOCGIFFLAGS', `0x00008913')
-define(`SIOCSIFFLAGS', `0x00008914')
-define(`SIOCGIFADDR', `0x00008915')
-define(`SIOCSIFADDR', `0x00008916')
-define(`SIOCGIFDSTADDR', `0x00008917')
-define(`SIOCSIFDSTADDR', `0x00008918')
-define(`SIOCGIFBRDADDR', `0x00008919')
-define(`SIOCSIFBRDADDR', `0x0000891a')
-define(`SIOCGIFNETMASK', `0x0000891b')
-define(`SIOCSIFNETMASK', `0x0000891c')
-define(`SIOCGIFMETRIC', `0x0000891d')
-define(`SIOCSIFMETRIC', `0x0000891e')
-define(`SIOCGIFMEM', `0x0000891f')
-define(`SIOCSIFMEM', `0x00008920')
-define(`SIOCGIFMTU', `0x00008921')
-define(`SIOCSIFMTU', `0x00008922')
-define(`SIOCSIFNAME', `0x00008923')
-define(`SIOCSIFHWADDR', `0x00008924')
-define(`SIOCGIFENCAP', `0x00008925')
-define(`SIOCSIFENCAP', `0x00008926')
-define(`SIOCGIFHWADDR', `0x00008927')
-define(`SIOCGIFSLAVE', `0x00008929')
-define(`SIOCSIFSLAVE', `0x00008930')
-define(`SIOCADDMULTI', `0x00008931')
-define(`SIOCDELMULTI', `0x00008932')
-define(`SIOCGIFINDEX', `0x00008933')
-define(`SIOCSIFPFLAGS', `0x00008934')
-define(`SIOCGIFPFLAGS', `0x00008935')
-define(`SIOCDIFADDR', `0x00008936')
-define(`SIOCSIFHWBROADCAST', `0x00008937')
-define(`SIOCGIFCOUNT', `0x00008938')
-define(`SIOCKILLADDR', `0x00008939')
-define(`SIOCGIFBR', `0x00008940')
-define(`SIOCSIFBR', `0x00008941')
-define(`SIOCGIFTXQLEN', `0x00008942')
-define(`SIOCSIFTXQLEN', `0x00008943')
-define(`SIOCETHTOOL', `0x00008946')
-define(`SIOCGMIIPHY', `0x00008947')
-define(`SIOCGMIIREG', `0x00008948')
-define(`SIOCSMIIREG', `0x00008949')
-define(`SIOCWANDEV', `0x0000894a')
-define(`SIOCOUTQNSD', `0x0000894b')
-define(`SIOCDARP', `0x00008953')
-define(`SIOCGARP', `0x00008954')
-define(`SIOCSARP', `0x00008955')
-define(`SIOCDRARP', `0x00008960')
-define(`SIOCGRARP', `0x00008961')
-define(`SIOCSRARP', `0x00008962')
-define(`SIOCGIFMAP', `0x00008970')
-define(`SIOCSIFMAP', `0x00008971')
-define(`SIOCADDDLCI', `0x00008980')
-define(`SIOCDELDLCI', `0x00008981')
-define(`SIOCGIFVLAN', `0x00008982')
-define(`SIOCSIFVLAN', `0x00008983')
-define(`SIOCBONDENSLAVE', `0x00008990')
-define(`SIOCBONDRELEASE', `0x00008991')
-define(`SIOCBONDSETHWADDR', `0x00008992')
-define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
-define(`SIOCBONDINFOQUERY', `0x00008994')
-define(`SIOCBONDCHANGEACTIVE', `0x00008995')
-define(`SIOCBRADDBR', `0x000089a0')
-define(`SIOCBRDELBR', `0x000089a1')
-define(`SIOCBRADDIF', `0x000089a2')
-define(`SIOCBRDELIF', `0x000089a3')
-define(`SIOCSHWTSTAMP', `0x000089b0')
-define(`SIOCGHWTSTAMP', `0x000089b1')
-define(`SIOCPROTOPRIVATE', `0x000089e0')
-define(`SIOCPROTOPRIVATE_1', `0x000089e1')
-define(`SIOCPROTOPRIVATE_2', `0x000089e2')
-define(`SIOCPROTOPRIVATE_3', `0x000089e3')
-define(`SIOCPROTOPRIVATE_4', `0x000089e4')
-define(`SIOCPROTOPRIVATE_5', `0x000089e5')
-define(`SIOCPROTOPRIVATE_6', `0x000089e6')
-define(`SIOCPROTOPRIVATE_7', `0x000089e7')
-define(`SIOCPROTOPRIVATE_8', `0x000089e8')
-define(`SIOCPROTOPRIVATE_9', `0x000089e9')
-define(`SIOCPROTOPRIVATE_A', `0x000089ea')
-define(`SIOCPROTOPRIVATE_B', `0x000089eb')
-define(`SIOCPROTOPRIVATE_C', `0x000089ec')
-define(`SIOCPROTOPRIVATE_D', `0x000089ed')
-define(`SIOCPROTOPRIVATE_E', `0x000089ee')
-define(`SIOCPROTOPRIVLAST', `0x000089ef')
-define(`SIOCDEVPRIVATE', `0x000089f0')
-define(`SIOCDEVPRIVATE_1', `0x000089f1')
-define(`SIOCDEVPRIVATE_2', `0x000089f2')
-define(`SIOCDEVPRIVATE_3', `0x000089f3')
-define(`SIOCDEVPRIVATE_4', `0x000089f4')
-define(`SIOCDEVPRIVATE_5', `0x000089f5')
-define(`SIOCDEVPRIVATE_6', `0x000089f6')
-define(`SIOCDEVPRIVATE_7', `0x000089f7')
-define(`SIOCDEVPRIVATE_8', `0x000089f8')
-define(`SIOCDEVPRIVATE_9', `0x000089f9')
-define(`SIOCDEVPRIVATE_A', `0x000089fa')
-define(`SIOCDEVPRIVATE_B', `0x000089fb')
-define(`SIOCDEVPRIVATE_C', `0x000089fc')
-define(`SIOCDEVPRIVATE_D', `0x000089fd')
-define(`SIOCDEVPRIVATE_E', `0x000089fe')
-define(`SIOCDEVPRIVLAST', `0x000089ff')
-define(`SIOCIWFIRST', `0x00008b00')
-define(`SIOCSIWCOMMIT', `0x00008b00')
-define(`SIOCGIWNAME', `0x00008b01')
-define(`SIOCSIWNWID', `0x00008b02')
-define(`SIOCGIWNWID', `0x00008b03')
-define(`SIOCSIWFREQ', `0x00008b04')
-define(`SIOCGIWFREQ', `0x00008b05')
-define(`SIOCSIWMODE', `0x00008b06')
-define(`SIOCGIWMODE', `0x00008b07')
-define(`SIOCSIWSENS', `0x00008b08')
-define(`SIOCGIWSENS', `0x00008b09')
-define(`SIOCSIWRANGE', `0x00008b0a')
-define(`SIOCGIWRANGE', `0x00008b0b')
-define(`SIOCSIWPRIV', `0x00008b0c')
-define(`SIOCGIWPRIV', `0x00008b0d')
-define(`SIOCSIWSTATS', `0x00008b0e')
-define(`SIOCGIWSTATS', `0x00008b0f')
-define(`SIOCSIWSPY', `0x00008b10')
-define(`SIOCGIWSPY', `0x00008b11')
-define(`SIOCSIWTHRSPY', `0x00008b12')
-define(`SIOCGIWTHRSPY', `0x00008b13')
-define(`SIOCSIWAP', `0x00008b14')
-define(`SIOCGIWAP', `0x00008b15')
-define(`SIOCSIWMLME', `0x00008b16')
-define(`SIOCGIWAPLIST', `0x00008b17')
-define(`SIOCSIWSCAN', `0x00008b18')
-define(`SIOCGIWSCAN', `0x00008b19')
-define(`SIOCSIWESSID', `0x00008b1a')
-define(`SIOCGIWESSID', `0x00008b1b')
-define(`SIOCSIWNICKN', `0x00008b1c')
-define(`SIOCGIWNICKN', `0x00008b1d')
-define(`SIOCSIWRATE', `0x00008b20')
-define(`SIOCGIWRATE', `0x00008b21')
-define(`SIOCSIWRTS', `0x00008b22')
-define(`SIOCGIWRTS', `0x00008b23')
-define(`SIOCSIWFRAG', `0x00008b24')
-define(`SIOCGIWFRAG', `0x00008b25')
-define(`SIOCSIWTXPOW', `0x00008b26')
-define(`SIOCGIWTXPOW', `0x00008b27')
-define(`SIOCSIWRETRY', `0x00008b28')
-define(`SIOCGIWRETRY', `0x00008b29')
-define(`SIOCSIWENCODE', `0x00008b2a')
-define(`SIOCGIWENCODE', `0x00008b2b')
-define(`SIOCSIWPOWER', `0x00008b2c')
-define(`SIOCGIWPOWER', `0x00008b2d')
-define(`SIOCSIWGENIE', `0x00008b30')
-define(`SIOCGIWGENIE', `0x00008b31')
-define(`SIOCSIWAUTH', `0x00008b32')
-define(`SIOCGIWAUTH', `0x00008b33')
-define(`SIOCSIWENCODEEXT', `0x00008b34')
-define(`SIOCGIWENCODEEXT', `0x00008b35')
-define(`SIOCSIWPMKSA', `0x00008b36')
-define(`SIOCIWFIRSTPRIV', `0x00008be0')
-define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
-define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
-define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
-define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
-define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
-define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
-define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
-define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
-define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
-define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
-define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
-define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
-define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
-define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
-define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
-define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
-define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
-define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
-define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
-define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
-define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
-define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
-define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
-define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
-define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
-define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
-define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
-define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
-define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
-define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
-define(`SIOCIWLASTPRIV', `0x00008bff')
-define(`AUTOFS_IOC_READY', `0x00009360')
-define(`AUTOFS_IOC_FAIL', `0x00009361')
-define(`AUTOFS_IOC_CATATONIC', `0x00009362')
-define(`BTRFS_IOC_TRANS_START', `0x00009406')
-define(`BTRFS_IOC_TRANS_END', `0x00009407')
-define(`BTRFS_IOC_SYNC', `0x00009408')
-define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
-define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
-define(`NBD_SET_SOCK', `0x0000ab00')
-define(`NBD_SET_BLKSIZE', `0x0000ab01')
-define(`NBD_SET_SIZE', `0x0000ab02')
-define(`NBD_DO_IT', `0x0000ab03')
-define(`NBD_CLEAR_SOCK', `0x0000ab04')
-define(`NBD_CLEAR_QUE', `0x0000ab05')
-define(`NBD_PRINT_DEBUG', `0x0000ab06')
-define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
-define(`NBD_DISCONNECT', `0x0000ab08')
-define(`NBD_SET_TIMEOUT', `0x0000ab09')
-define(`NBD_SET_FLAGS', `0x0000ab0a')
-define(`RAW_SETBIND', `0x0000ac00')
-define(`RAW_GETBIND', `0x0000ac01')
-define(`KVM_GET_API_VERSION', `0x0000ae00')
-define(`KVM_CREATE_VM', `0x0000ae01')
-define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
-define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
-define(`KVM_CHECK_EXTENSION', `0x0000ae03')
-define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
-define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
-define(`LOGGER_FLUSH_LOG', `0x0000ae04')
-define(`LOGGER_GET_VERSION', `0x0000ae05')
-define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
-define(`LOGGER_SET_VERSION', `0x0000ae06')
-define(`KVM_CREATE_VCPU', `0x0000ae41')
-define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
-define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
-define(`KVM_SET_TSS_ADDR', `0x0000ae47')
-define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
-define(`KVM_CREATE_PIT', `0x0000ae64')
-define(`KVM_REINJECT_CONTROL', `0x0000ae71')
-define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
-define(`KVM_RUN', `0x0000ae80')
-define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
-define(`KVM_NMI', `0x0000ae9a')
-define(`KVM_SET_TSC_KHZ', `0x0000aea2')
-define(`KVM_GET_TSC_KHZ', `0x0000aea3')
-define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
-define(`VHOST_SET_OWNER', `0x0000af01')
-define(`VHOST_RESET_OWNER', `0x0000af02')
-define(`PPPOEIOCDFWD', `0x0000b101')
-define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
-define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
-define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
-define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
-define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
-define(`MFB_SET_ALPHA', `0x40014d00')
-define(`MFB_SET_GAMMA', `0x40014d01')
-define(`MFB_SET_BRIGHTNESS', `0x40014d03')
-define(`SPI_IOC_WR_MODE', `0x40016b01')
-define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
-define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
-define(`PPWCONTROL', `0x40017084')
-define(`PPWDATA', `0x40017086')
-define(`PPWCTLONIRQ', `0x40017092')
-define(`PHONE_MAXRINGS', `0x40017185')
-define(`PHONE_PLAY_TONE', `0x4001719b')
-define(`SONYPI_IOCSBRT', `0x40017600')
-define(`SONYPI_IOCSBLUE', `0x40017609')
-define(`SONYPI_IOCSFAN', `0x4001760b')
-define(`ATM_SETBACKEND', `0x400261f2')
-define(`ATM_NEWBACKENDIF', `0x400261f3')
-define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
-define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
-define(`DMX_ADD_PID', `0x40026f33')
-define(`DMX_REMOVE_PID', `0x40026f34')
-define(`PPFCONTROL', `0x4002708e')
-define(`PHONE_RING_CADENCE', `0x40027186')
-define(`SET_BITMAP_FILE', `0x4004092b')
-define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
-define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
-define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
-define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
-define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
-define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
-define(`BLKI2OSRSTRAT', `0x40043203')
-define(`BLKI2OSWSTRAT', `0x40043204')
-define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
-define(`PTP_ENABLE_PPS', `0x40043d04')
-define(`SYNC_IOC_WAIT', `0x40043e00')
-define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
-define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
-define(`AGPIOC_DEALLOCATE', `0x40044107')
-define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
-define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
-define(`CCISS_REGNEWDISK', `0x4004420d')
-define(`EVIOCRMFF', `0x40044581')
-define(`EVIOCGRAB', `0x40044590')
-define(`EVIOCREVOKE', `0x40044591')
-define(`EVIOCSCLOCKID', `0x400445a0')
-define(`FBIOPUT_CONTRAST', `0x40044602')
-define(`FBIPUT_BRIGHTNESS', `0x40044603')
-define(`FBIPUT_COLOR', `0x40044606')
-define(`FBIPUT_HSYNC', `0x40044609')
-define(`FBIPUT_VSYNC', `0x4004460a')
-define(`FBIO_WAITFORVSYNC', `0x40044620')
-define(`SSTFB_SET_VGAPASS', `0x400446dd')
-define(`HIDIOCSFLAG', `0x4004480f')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
-define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
-define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
-define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
-define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
-define(`HCIDEVUP', `0x400448c9')
-define(`HCIDEVDOWN', `0x400448ca')
-define(`HCIDEVRESET', `0x400448cb')
-define(`HCIDEVRESTAT', `0x400448cc')
-define(`HCISETRAW', `0x400448dc')
-define(`HCISETSCAN', `0x400448dd')
-define(`HCISETAUTH', `0x400448de')
-define(`HCISETENCRYPT', `0x400448df')
-define(`HCISETPTYPE', `0x400448e0')
-define(`HCISETLINKPOL', `0x400448e1')
-define(`HCISETLINKMODE', `0x400448e2')
-define(`HCISETACLMTU', `0x400448e3')
-define(`HCISETSCOMTU', `0x400448e4')
-define(`HCIBLOCKADDR', `0x400448e6')
-define(`HCIUNBLOCKADDR', `0x400448e7')
-define(`MFB_SET_PIXFMT', `0x40044d08')
-define(`OTPGETREGIONCOUNT', `0x40044d0e')
-define(`UBI_IOCEBER', `0x40044f01')
-define(`UBI_IOCEBCH', `0x40044f02')
-define(`UBI_IOCEBUNMAP', `0x40044f04')
-define(`OMAPFB_MIRROR', `0x40044f1f')
-define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
-define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
-define(`OMAPFB_LCD_TEST', `0x40044f2d')
-define(`OMAPFB_CTRL_TEST', `0x40044f2e')
-define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
-define(`SNDCTL_DSP_PROFILE', `0x40045017')
-define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
-define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
-define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
-define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
-define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
-define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
-define(`RNDADDTOENTCNT', `0x40045201')
-define(`SAA6588_CMD_CLOSE', `0x40045202')
-define(`RFCOMMCREATEDEV', `0x400452c8')
-define(`RFCOMMRELEASEDEV', `0x400452c9')
-define(`RFCOMMSTEALDLC', `0x400452dc')
-define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
-define(`SNDCTL_TMR_METRONOME', `0x40045407')
-define(`SNDCTL_TMR_SELECT', `0x40045408')
-define(`TIOCSPTLCK', `0x40045431')
-define(`TIOCSIG', `0x40045436')
-define(`TUNSETNOCSUM', `0x400454c8')
-define(`TUNSETDEBUG', `0x400454c9')
-define(`TUNSETIFF', `0x400454ca')
-define(`TUNSETPERSIST', `0x400454cb')
-define(`TUNSETOWNER', `0x400454cc')
-define(`TUNSETLINK', `0x400454cd')
-define(`TUNSETGROUP', `0x400454ce')
-define(`TUNSETOFFLOAD', `0x400454d0')
-define(`TUNSETTXFILTER', `0x400454d1')
-define(`TUNSETSNDBUF', `0x400454d4')
-define(`TUNSETVNETHDRSZ', `0x400454d8')
-define(`TUNSETQUEUE', `0x400454d9')
-define(`TUNSETIFINDEX', `0x400454da')
-define(`TUNSETVNETLE', `0x400454dc')
-define(`USBDEVFS_REAPURB32', `0x4004550c')
-define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
-define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
-define(`UI_SET_EVBIT', `0x40045564')
-define(`UI_SET_KEYBIT', `0x40045565')
-define(`UI_SET_RELBIT', `0x40045566')
-define(`UI_SET_ABSBIT', `0x40045567')
-define(`UI_SET_MSCBIT', `0x40045568')
-define(`UI_SET_LEDBIT', `0x40045569')
-define(`UI_SET_SNDBIT', `0x4004556a')
-define(`UI_SET_FFBIT', `0x4004556b')
-define(`UI_SET_SWBIT', `0x4004556d')
-define(`UI_SET_PROPBIT', `0x4004556e')
-define(`VIDIOC_OVERLAY', `0x4004560e')
-define(`VIDIOC_STREAMON', `0x40045612')
-define(`VIDIOC_STREAMOFF', `0x40045613')
-define(`VIDIOC_S_PRIORITY', `0x40045644')
-define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
-define(`SW_SYNC_IOC_INC', `0x40045701')
-define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
-define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
-define(`SONET_SETFRAMING', `0x40046115')
-define(`ATM_SETSC', `0x400461f1')
-define(`ATM_DROPPARTY', `0x400461f5')
-define(`BINDER_SET_MAX_THREADS', `0x40046205')
-define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
-define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
-define(`BINDER_THREAD_EXIT', `0x40046208')
-define(`BC_ACQUIRE_RESULT', `0x40046302')
-define(`BC_INCREFS', `0x40046304')
-define(`BC_ACQUIRE', `0x40046305')
-define(`CHIOSPICKER', `0x40046305')
-define(`BC_RELEASE', `0x40046306')
-define(`BC_DECREFS', `0x40046307')
-define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
-define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
-define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
-define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
-define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
-define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
-define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
-define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
-define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
-define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
-define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
-define(`VIDIOC_INT_RESET', `0x40046466')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
-define(`FS_IOC32_SETFLAGS', `0x40046602')
-define(`LIRC_SET_SEND_MODE', `0x40046911')
-define(`LIRC_SET_REC_MODE', `0x40046912')
-define(`LIRC_SET_SEND_CARRIER', `0x40046913')
-define(`LIRC_SET_REC_CARRIER', `0x40046914')
-define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
-define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
-define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
-define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
-define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
-define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
-define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
-define(`LIRC_SET_REC_FILTER', `0x4004691c')
-define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
-define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
-define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
-define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
-define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
-define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
-define(`SPI_IOC_WR_MODE32', `0x40046b05')
-define(`MSMFB_GRP_DISP', `0x40046d01')
-define(`MSMFB_BLIT', `0x40046d02')
-define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
-define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
-define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
-define(`UBI_IOCRMVOL', `0x40046f01')
-define(`DMX_SET_SOURCE', `0x40046f31')
-define(`UBI_IOCDET', `0x40046f41')
-define(`PPSETMODE', `0x40047080')
-define(`PPDATADIR', `0x40047090')
-define(`PPNEGOT', `0x40047091')
-define(`PPSETPHASE', `0x40047094')
-define(`PPSETFLAGS', `0x4004709b')
-define(`PHONE_REC_CODEC', `0x40047189')
-define(`PHONE_REC_DEPTH', `0x4004718c')
-define(`PHONE_FRAME', `0x4004718d')
-define(`PHONE_REC_VOLUME', `0x4004718e')
-define(`PHONE_PLAY_CODEC', `0x40047190')
-define(`PHONE_PLAY_DEPTH', `0x40047193')
-define(`PHONE_PLAY_VOLUME', `0x40047194')
-define(`PHONE_DTMF_OOB', `0x40047199')
-define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
-define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
-define(`PHONE_PSTN_SET_STATE', `0x400471a4')
-define(`PHONE_WINK_DURATION', `0x400471a6')
-define(`PHONE_VAD', `0x400471a9')
-define(`PHONE_WINK', `0x400471aa')
-define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
-define(`IXJCTL_AEC_START', `0x400471cb')
-define(`IXJCTL_SET_LED', `0x400471ce')
-define(`IXJCTL_MIXER', `0x400471cf')
-define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
-define(`IXJCTL_PORT', `0x400471d1')
-define(`IXJCTL_DAA_AGAIN', `0x400471d2')
-define(`IXJCTL_POTS_PSTN', `0x400471d5')
-define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
-define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
-define(`IXJCTL_HZ', `0x400471e0')
-define(`IXJCTL_RATE', `0x400471e1')
-define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
-define(`IXJCTL_SC_RXG', `0x400471ea')
-define(`IXJCTL_SC_TXG', `0x400471eb')
-define(`IXJCTL_INTERCOM_START', `0x400471fd')
-define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
-define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
-define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
-define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
-define(`FS_IOC32_SETVERSION', `0x40047602')
-define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
-define(`OSIOCSNETADDR', `0x400489e0')
-define(`SIOCSNETADDR', `0x400489e0')
-define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
-define(`BTRFS_IOC_CLONE', `0x40049409')
-define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
-define(`KVM_INTERRUPT', `0x4004ae86')
-define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
-define(`KVM_SET_MP_STATE', `0x4004ae99')
-define(`VHOST_SET_LOG_FD', `0x4004af07')
-define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
-define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
-define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
-define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
-define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
-define(`SISFB_SET_LOCK', `0x4004f306')
-define(`GIGASET_BRKCHARS', `0x40064702')
-define(`MEYEIOC_S_PARAMS', `0x400676c1')
-define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
-define(`BLKBSZSET', `0x40081271')
-define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
-define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
-define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
-define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
-define(`AGPIOC_SETUP', `0x40084103')
-define(`AGPIOC_RESERVE', `0x40084104')
-define(`AGPIOC_PROTECT', `0x40084105')
-define(`AGPIOC_BIND', `0x40084108')
-define(`AGPIOC_UNBIND', `0x40084109')
-define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
-define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
-define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
-define(`CCISS_SETINTINFO', `0x40084203')
-define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
-define(`EVIOCSREP', `0x40084503')
-define(`EVIOCSKEYCODE', `0x40084504')
-define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
-define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
-define(`MEMERASE', `0x40084d02')
-define(`MFB_SET_AOID', `0x40084d04')
-define(`MEMLOCK', `0x40084d05')
-define(`MEMUNLOCK', `0x40084d06')
-define(`MEMGETBADBLOCK', `0x40084d0b')
-define(`MEMSETBADBLOCK', `0x40084d0c')
-define(`UBI_IOCVOLUP', `0x40084f00')
-define(`UBI_IOCEBMAP', `0x40084f03')
-define(`OMAPFB_SETUP_MEM', `0x40084f37')
-define(`OMAPFB_QUERY_MEM', `0x40084f38')
-define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
-define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
-define(`RNDADDENTROPY', `0x40085203')
-define(`TFD_IOC_SET_TICKS', `0x40085400')
-define(`USBDEVFS_REAPURB', `0x4008550c')
-define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
-define(`USBDEVFS_CONNECTINFO', `0x40085511')
-define(`UI_SET_PHYS', `0x4008556c')
-define(`VIDIOC_S_STD', `0x40085618')
-define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
-define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
-define(`CM_IOCSPTS', `0x40086302')
-define(`BC_FREE_BUFFER', `0x40086303')
-define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
-define(`BC_DEAD_BINDER_DONE', `0x40086310')
-define(`CM_IOSDBGLVL', `0x400863fa')
-define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
-define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
-define(`DRM_IOCTL_CONTROL', `0x40086414')
-define(`DRM_IOCTL_MOD_CTX', `0x40086422')
-define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
-define(`DRM_IOCTL_NEW_CTX', `0x40086425')
-define(`DRM_IOCTL_LOCK', `0x4008642a')
-define(`DRM_IOCTL_UNLOCK', `0x4008642b')
-define(`DRM_IOCTL_FINISH', `0x4008642c')
-define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
-define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
-define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
-define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
-define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
-define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
-define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
-define(`DRM_IOCTL_I915_FREE', `0x40086449')
-define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
-define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
-define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
-define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
-define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
-define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
-define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
-define(`FS_IOC_SETFLAGS', `0x40086602')
-define(`HPET_IRQFREQ', `0x40086806')
-define(`MTIOCTOP', `0x40086d01')
-define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
-define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
-define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
-define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
-define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
-define(`AUDIO_SET_MIXER', `0x40086f0e')
-define(`VIDEO_SET_SPU', `0x40086f32')
-define(`CA_SET_PID', `0x40086f87')
-define(`PHN_SET_REG', `0x40087001')
-define(`PHN_SET_REGS', `0x40087003')
-define(`PHN_SETREG', `0x40087006')
-define(`RTC_IRQP_SET', `0x4008700c')
-define(`RTC_EPOCH_SET', `0x4008700e')
-define(`PPS_SETPARAMS', `0x400870a2')
-define(`PPS_KC_BIND', `0x400870a5')
-define(`SPIOCSTYPE', `0x40087101')
-define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
-define(`PHONE_RING_START', `0x40087187')
-define(`IXJCTL_SET_FILTER', `0x400871c7')
-define(`IXJCTL_INIT_TONE', `0x400871c9')
-define(`IXJCTL_TONE_CADENCE', `0x400871ca')
-define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
-define(`IXJCTL_CIDCW', `0x400871d9')
-define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
-define(`IXJCTL_SIGCTL', `0x400871e9')
-define(`FS_IOC_SETVERSION', `0x40087602')
-define(`ASHMEM_SET_SIZE', `0x40087703')
-define(`ASHMEM_SET_PROT_MASK', `0x40087705')
-define(`ASHMEM_PIN', `0x40087707')
-define(`ASHMEM_UNPIN', `0x40087708')
-define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
-define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
-define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
-define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
-define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
-define(`KVM_IRQ_LINE', `0x4008ae61')
-define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
-define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
-define(`KVM_SET_MSRS', `0x4008ae89')
-define(`KVM_SET_CPUID', `0x4008ae8a')
-define(`KVM_SET_CPUID2', `0x4008ae90')
-define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
-define(`KVM_S390_STORE_STATUS', `0x4008ae95')
-define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
-define(`VHOST_SET_FEATURES', `0x4008af00')
-define(`VHOST_SET_MEM_TABLE', `0x4008af03')
-define(`VHOST_SET_LOG_BASE', `0x4008af04')
-define(`VHOST_SET_VRING_NUM', `0x4008af10')
-define(`VHOST_SET_VRING_BASE', `0x4008af12')
-define(`VHOST_SET_VRING_KICK', `0x4008af20')
-define(`VHOST_SET_VRING_CALL', `0x4008af21')
-define(`VHOST_SET_VRING_ERR', `0x4008af22')
-define(`VHOST_NET_SET_BACKEND', `0x4008af30')
-define(`PPPOEIOCSFWD', `0x4008b100')
-define(`IOW_WRITE', `0x4008c001')
-define(`IOW_READ', `0x4008c002')
-define(`REISERFS_IOC_UNPACK', `0x4008cd01')
-define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
-define(`FDFMTTRK', `0x400c0248')
-define(`RUN_ARRAY', `0x400c0930')
-define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
-define(`CAPI_REGISTER', `0x400c4301')
-define(`HIDIOCGREPORT', `0x400c4807')
-define(`HIDIOCSREPORT', `0x400c4808')
-define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
-define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
-define(`OTPGETREGIONINFO', `0x400c4d0f')
-define(`UI_END_FF_ERASE', `0x400c55cb')
-define(`CHIOPOSITION', `0x400c6303')
-define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
-define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
-define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
-define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
-define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
-define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
-define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
-define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
-define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
-define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
-define(`I2OEVTREG', `0x400c690a')
-define(`HSC_SET_RX', `0x400c6b13')
-define(`HSC_GET_RX', `0x400c6b14')
-define(`NCP_IOC_GETROOT', `0x400c6e08')
-define(`UBI_IOCRSVOL', `0x400c6f02')
-define(`AUDIO_SET_KARAOKE', `0x400c6f12')
-define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
-define(`MBXFB_IOCS_REG', `0x400cf404')
-define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
-define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
-define(`PTP_EXTTS_REQUEST', `0x40103d02')
-define(`CCISS_SETNODENAME', `0x40104205')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
-define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
-define(`MTRRIOC_SET_ENTRY', `0x40104d01')
-define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
-define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
-define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
-define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
-define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
-define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
-define(`MEMERASE64', `0x40104d14')
-define(`UBI_IOCSETVOLPROP', `0x40104f06')
-define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
-define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
-define(`TUNATTACHFILTER', `0x401054d5')
-define(`TUNDETACHFILTER', `0x401054d6')
-define(`ANDROID_ALARM_SET_RTC', `0x40106105')
-define(`IDT77105_GETSTAT', `0x40106132')
-define(`IDT77105_GETSTATZ', `0x40106133')
-define(`ATM_GETSTAT', `0x40106150')
-define(`ATM_GETSTATZ', `0x40106151')
-define(`ATM_GETLOOP', `0x40106152')
-define(`ATM_SETLOOP', `0x40106153')
-define(`ATM_QUERYLOOP', `0x40106154')
-define(`ENI_MEMDUMP', `0x40106160')
-define(`HE_GET_REG', `0x40106160')
-define(`ZATM_GETPOOL', `0x40106161')
-define(`NS_SETBUFLEV', `0x40106162')
-define(`ZATM_GETPOOLZ', `0x40106162')
-define(`ZATM_SETPOOL', `0x40106163')
-define(`ENI_SETMULT', `0x40106167')
-define(`ATM_GETLINKRATE', `0x40106181')
-define(`ATM_GETNAMES', `0x40106183')
-define(`ATM_GETTYPE', `0x40106184')
-define(`ATM_GETESI', `0x40106185')
-define(`ATM_GETADDR', `0x40106186')
-define(`ATM_RSTADDR', `0x40106187')
-define(`ATM_ADDADDR', `0x40106188')
-define(`ATM_DELADDR', `0x40106189')
-define(`ATM_GETCIRANGE', `0x4010618a')
-define(`ATM_SETCIRANGE', `0x4010618b')
-define(`ATM_SETESI', `0x4010618c')
-define(`ATM_SETESIF', `0x4010618d')
-define(`ATM_ADDLECSADDR', `0x4010618e')
-define(`ATM_DELLECSADDR', `0x4010618f')
-define(`ATM_GETLECSADDR', `0x40106190')
-define(`ATM_ADDPARTY', `0x401061f4')
-define(`BC_INCREFS_DONE', `0x40106308')
-define(`CHIOGSTATUS', `0x40106308')
-define(`BC_ACQUIRE_DONE', `0x40106309')
-define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
-define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
-define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
-define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
-define(`DRM_IOCTL_AGP_BIND', `0x40106436')
-define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
-define(`DRM_IOCTL_SG_FREE', `0x40106439')
-define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
-define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
-define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
-define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
-define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
-define(`DRM_IOCTL_I810_COPY', `0x40106447')
-define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
-define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
-define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
-define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
-define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
-define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
-define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
-define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
-define(`TUNER_SET_CONFIG', `0x4010645c')
-define(`HSC_SET_TX', `0x40106b15')
-define(`HSC_GET_TX', `0x40106b16')
-define(`MGSL_IOCSGPIO', `0x40106d10')
-define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
-define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
-define(`VIDEO_STILLPICTURE', `0x40106f1e')
-define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
-define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
-define(`FE_SET_PROPERTY', `0x40106f52')
-define(`CA_SET_DESCR', `0x40106f86')
-define(`PPSETTIME', `0x40107096')
-define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
-define(`GENWQE_WRITE_REG64', `0x4010a51f')
-define(`GENWQE_WRITE_REG32', `0x4010a521')
-define(`GENWQE_WRITE_REG16', `0x4010a523')
-define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
-define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
-define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
-define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
-define(`KVM_S390_INTERRUPT', `0x4010ae94')
-define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
-define(`KVM_DIRTY_TLB', `0x4010aeaa')
-define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
-define(`KVM_GET_ONE_REG', `0x4010aeab')
-define(`KVM_SET_ONE_REG', `0x4010aeac')
-define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
-define(`FDSETMAXERRS', `0x4014024c')
-define(`ADD_NEW_DISK', `0x40140921')
-define(`SNDCTL_COPR_WDATA', `0x40144304')
-define(`SNDCTL_COPR_WCODE', `0x40144305')
-define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
-define(`VIDIOC_S_CROP', `0x4014563c')
-define(`CHIOMOVE', `0x40146301')
-define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
-define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
-define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
-define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
-define(`DMX_SET_PES_FILTER', `0x40146f2c')
-define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
-define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
-define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
-define(`HIDIOCSUSAGE', `0x4018480c')
-define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
-define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
-define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
-define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
-define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
-define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
-define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
-define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
-define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
-define(`UBI_IOCATT', `0x40186f40')
-define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
-define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
-define(`KVM_S390_UCAS_MAP', `0x4018ae50')
-define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
-define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
-define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
-define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
-define(`MBXFB_IOCS_ALPHA', `0x4018f402')
-define(`BR2684_SETFILT', `0x401c6190')
-define(`CHIOEXCHANGE', `0x401c6302')
-define(`FDSETPRM', `0x40200242')
-define(`FDDEFPRM', `0x40200243')
-define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
-define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
-define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
-define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
-define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
-define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
-define(`DRM_IOCTL_AGP_FREE', `0x40206435')
-define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
-define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
-define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
-define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
-define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
-define(`DRM_IOCTL_I810_MC', `0x4020644c')
-define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
-define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
-define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
-define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
-define(`OSD_SEND_CMD', `0x40206fa0')
-define(`RTC_PLL_SET', `0x40207012')
-define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
-define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
-define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
-define(`KVM_IRQFD', `0x4020ae76')
-define(`KVM_SIGNAL_MSI', `0x4020aea5')
-define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
-define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
-define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
-define(`JSIOCSCORR', `0x40246a21')
-define(`FE_SET_FRONTEND', `0x40246f4c')
-define(`RTC_ALM_SET', `0x40247007')
-define(`RTC_SET_TIME', `0x4024700a')
-define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
-define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
-define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
-define(`EVIOCSKEYCODE_V2', `0x40284504')
-define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
-define(`DRM_IOCTL_RM_MAP', `0x4028641b')
-define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
-define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
-define(`PHN_SETREGS', `0x40287008')
-define(`RTC_WKALM_SET', `0x4028700f')
-define(`VHOST_SET_VRING_ADDR', `0x4028af11')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
-define(`TCSETS2', `0x402c542b')
-define(`TCSETSW2', `0x402c542c')
-define(`TCSETSF2', `0x402c542d')
-define(`VIDIOC_S_FREQUENCY', `0x402c5639')
-define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
-define(`EVIOCSFF', `0x40304580')
-define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
-define(`VIDIOC_S_FBUF', `0x4030560b')
-define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
-define(`CHIOSVOLTAG', `0x40306312')
-define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
-define(`MGSL_IOCSPARAMS', `0x40306d00')
-define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
-define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
-define(`KVM_SET_CLOCK', `0x4030ae7b')
-define(`GSMIOC_ENABLE_NET', `0x40344702')
-define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
-define(`VIDIOC_S_AUDIO', `0x40345622')
-define(`VIDIOC_S_AUDOUT', `0x40345632')
-define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
-define(`PTP_PEROUT_REQUEST', `0x40383d03')
-define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
-define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
-define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
-define(`DMX_SET_FILTER', `0x403c6f2b')
-define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
-define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
-define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
-define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
-define(`BC_TRANSACTION', `0x40406300')
-define(`BC_REPLY', `0x40406301')
-define(`DRM_IOCTL_I810_INIT', `0x40406440')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
-define(`JSIOCSAXMAP', `0x40406a31')
-define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
-define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
-define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
-define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
-define(`KVM_CREATE_PIT2', `0x4040ae77')
-define(`KVM_IOEVENTFD', `0x4040ae79')
-define(`KVM_X86_SET_MCE', `0x4040ae9e')
-define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
-define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
-define(`CXL_IOCTL_START_WORK', `0x4040ca00')
-define(`OMAPFB_SETUP_PLANE', `0x40444f34')
-define(`OMAPFB_QUERY_PLANE', `0x40444f35')
-define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
-define(`VIDIOC_S_MODULATOR', `0x40445637')
-define(`DRM_IOCTL_I915_INIT', `0x40446440')
-define(`SET_ARRAY_INFO', `0x40480923')
-define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
-define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
-define(`BTRFS_IOC_SEND', `0x40489426')
-define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
-define(`GSMIOC_SETCONF', `0x404c4701')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
-define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
-define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
-define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
-define(`VIDIOC_S_TUNER', `0x4054561e')
-define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
-define(`PTP_PIN_SETFUNC', `0x40603d07')
-define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
-define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
-define(`UI_END_FF_UPLOAD', `0x406855c9')
-define(`KVM_ENABLE_CAP', `0x4068aea3')
-define(`CHIOGELEM', `0x406c6310')
-define(`KVM_SET_PIT2', `0x4070aea0')
-define(`DRM_IOCTL_R128_INIT', `0x40786440')
-define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
-define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
-define(`FDSETDRVPRM', `0x40800290')
-define(`UBI_IOCVOLCRBLK', `0x40804f07')
-define(`DRM_IOCTL_MGA_INIT', `0x40806440')
-define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
-define(`KVM_SET_DEBUGREGS', `0x4080aea2')
-define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
-define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
-define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
-define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
-define(`KVM_SET_REGS', `0x4090ae82')
-define(`UBI_IOCMKVOL', `0x40986f00')
-define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
-define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
-define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
-define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
-define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
-define(`ASHMEM_SET_NAME', `0x41007701')
-define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
-define(`USBDEVFS_GETDRIVER', `0x41045508')
-define(`CA_SEND_MSG', `0x410c6f85')
-define(`KVM_SET_SREGS', `0x4138ae84')
-define(`KVM_SET_XCRS', `0x4188aea7')
-define(`KVM_SET_FPU', `0x41a0ae8d')
-define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
-define(`PTP_SYS_OFFSET', `0x43403d05')
-define(`JSIOCSBTNMAP', `0x44006a33')
-define(`KVM_SET_LAPIC', `0x4400ae8f')
-define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
-define(`BTRFS_IOC_DEFRAG', `0x50009402')
-define(`BTRFS_IOC_RESIZE', `0x50009403')
-define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
-define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
-define(`BTRFS_IOC_RM_DEV', `0x5000940b')
-define(`BTRFS_IOC_BALANCE', `0x5000940c')
-define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
-define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
-define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
-define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
-define(`KVM_SET_XSAVE', `0x5000aea5')
-define(`HIDIOCSUSAGES', `0x501c4814')
-define(`UBI_IOCRNVOL', `0x51106f03')
-define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
-define(`MFB_GET_ALPHA', `0x80014d00')
-define(`MFB_GET_GAMMA', `0x80014d01')
-define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
-define(`JSIOCGAXES', `0x80016a11')
-define(`JSIOCGBUTTONS', `0x80016a12')
-define(`SPI_IOC_RD_MODE', `0x80016b01')
-define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
-define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
-define(`PPRSTATUS', `0x80017081')
-define(`PPRCONTROL', `0x80017083')
-define(`PPRDATA', `0x80017085')
-define(`SONYPI_IOCGBRT', `0x80017600')
-define(`SONYPI_IOCGBATFLAGS', `0x80017607')
-define(`SONYPI_IOCGBLUE', `0x80017608')
-define(`SONYPI_IOCGFAN', `0x8001760a')
-define(`SONYPI_IOCGTEMP', `0x8001760c')
-define(`CAPI_GET_ERRCODE', `0x80024321')
-define(`CAPI_INSTALLED', `0x80024322')
-define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
-define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
-define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
-define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
-define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
-define(`FE_READ_SNR', `0x80026f48')
-define(`SONYPI_IOCGBAT1CAP', `0x80027602')
-define(`SONYPI_IOCGBAT1REM', `0x80027603')
-define(`SONYPI_IOCGBAT2CAP', `0x80027604')
-define(`SONYPI_IOCGBAT2REM', `0x80027605')
-define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
-define(`BLKI2OGRSTRAT', `0x80043201')
-define(`BLKI2OGWSTRAT', `0x80043202')
-define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
-define(`CCISS_GETHEARTBEAT', `0x80044206')
-define(`CCISS_GETBUSTYPES', `0x80044207')
-define(`CCISS_GETFIRMVER', `0x80044208')
-define(`CCISS_GETDRIVVER', `0x80044209')
-define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
-define(`CAPI_GET_FLAGS', `0x80044323')
-define(`CAPI_SET_FLAGS', `0x80044324')
-define(`CAPI_CLR_FLAGS', `0x80044325')
-define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
-define(`CAPI_NCCI_GETUNIT', `0x80044327')
-define(`EVIOCGVERSION', `0x80044501')
-define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
-define(`EVIOCGEFFECTS', `0x80044584')
-define(`FBIOGET_CONTRAST', `0x80044601')
-define(`FBIGET_BRIGHTNESS', `0x80044603')
-define(`FBIGET_COLOR', `0x80044605')
-define(`SSTFB_GET_VGAPASS', `0x800446dd')
-define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
-define(`HIDIOCGRDESCSIZE', `0x80044801')
-define(`HIDIOCGVERSION', `0x80044801')
-define(`HIDIOCGFLAG', `0x8004480e')
-define(`HDA_IOCTL_PVERSION', `0x80044810')
-define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
-define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
-define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
-define(`HCIGETDEVLIST', `0x800448d2')
-define(`HCIGETDEVINFO', `0x800448d3')
-define(`HCIGETCONNLIST', `0x800448d4')
-define(`HCIGETCONNINFO', `0x800448d5')
-define(`HCIGETAUTHINFO', `0x800448d7')
-define(`HCIINQUIRY', `0x800448f0')
-define(`ROCCATIOCGREPSIZE', `0x800448f1')
-define(`IMADDTIMER', `0x80044940')
-define(`IMDELTIMER', `0x80044941')
-define(`IMGETVERSION', `0x80044942')
-define(`IMGETCOUNT', `0x80044943')
-define(`IMGETDEVINFO', `0x80044944')
-define(`IMCTRLREQ', `0x80044945')
-define(`IMCLEAR_L2', `0x80044946')
-define(`IMHOLD_L1', `0x80044948')
-define(`MCE_GET_RECORD_LEN', `0x80044d01')
-define(`MCE_GET_LOG_LEN', `0x80044d02')
-define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
-define(`MEMGETREGIONCOUNT', `0x80044d07')
-define(`MFB_GET_PIXFMT', `0x80044d08')
-define(`OTPSELECT', `0x80044d0d')
-define(`OSS_GETVERSION', `0x80044d76')
-define(`UBI_IOCEBISMAP', `0x80044f05')
-define(`SOUND_PCM_READ_RATE', `0x80045002')
-define(`SOUND_PCM_READ_BITS', `0x80045005')
-define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
-define(`SOUND_PCM_READ_FILTER', `0x80045007')
-define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
-define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
-define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
-define(`SNDCTL_DSP_GETODELAY', `0x80045017')
-define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
-define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
-define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
-define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
-define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
-define(`SNDCTL_SEQ_GETTIME', `0x80045113')
-define(`RNDGETENTCNT', `0x80045200')
-define(`SAA6588_CMD_READ', `0x80045203')
-define(`SAA6588_CMD_POLL', `0x80045204')
-define(`RFCOMMGETDEVLIST', `0x800452d2')
-define(`RFCOMMGETDEVINFO', `0x800452d3')
-define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
-define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
-define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
-define(`TIOCGPTN', `0x80045430')
-define(`TIOCGDEV', `0x80045432')
-define(`TIOCGPKT', `0x80045438')
-define(`TIOCGPTLCK', `0x80045439')
-define(`TIOCGEXCL', `0x80045440')
-define(`TUNGETFEATURES', `0x800454cf')
-define(`TUNGETIFF', `0x800454d2')
-define(`TUNGETSNDBUF', `0x800454d3')
-define(`TUNGETVNETHDRSZ', `0x800454d7')
-define(`TUNGETVNETLE', `0x800454dd')
-define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
-define(`USBDEVFS_RESETEP', `0x80045503')
-define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
-define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
-define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
-define(`USBDEVFS_CLEAR_HALT', `0x80045515')
-define(`USBDEVFS_CLAIM_PORT', `0x80045518')
-define(`USBDEVFS_RELEASE_PORT', `0x80045519')
-define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
-define(`UI_GET_VERSION', `0x8004552d')
-define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
-define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
-define(`VIDIOC_G_INPUT', `0x80045626')
-define(`VIDIOC_G_OUTPUT', `0x8004562e')
-define(`VIDIOC_G_PRIORITY', `0x80045643')
-define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
-define(`WDIOC_GETSTATUS', `0x80045701')
-define(`WDIOC_GETBOOTSTATUS', `0x80045702')
-define(`WDIOC_GETTEMP', `0x80045703')
-define(`WDIOC_SETOPTIONS', `0x80045704')
-define(`WDIOC_KEEPALIVE', `0x80045705')
-define(`WDIOC_GETTIMEOUT', `0x80045707')
-define(`WDIOC_GETPRETIMEOUT', `0x80045709')
-define(`WDIOC_GETTIMELEFT', `0x8004570a')
-define(`SONET_GETDIAG', `0x80046114')
-define(`SONET_GETFRAMING', `0x80046116')
-define(`CHIOGPICKER', `0x80046304')
-define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
-define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
-define(`FS_IOC32_GETFLAGS', `0x80046601')
-define(`LIRC_GET_FEATURES', `0x80046900')
-define(`LIRC_GET_SEND_MODE', `0x80046901')
-define(`LIRC_GET_REC_MODE', `0x80046902')
-define(`LIRC_GET_SEND_CARRIER', `0x80046903')
-define(`LIRC_GET_REC_CARRIER', `0x80046904')
-define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
-define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
-define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
-define(`I2OVALIDATE', `0x80046908')
-define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
-define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
-define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
-define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
-define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
-define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
-define(`LIRC_GET_LENGTH', `0x8004690f')
-define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
-define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
-define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
-define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
-define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
-define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
-define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
-define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
-define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
-define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
-define(`I8K_BIOS_VERSION', `0x80046980')
-define(`I8K_MACHINE_ID', `0x80046981')
-define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
-define(`JSIOCGVERSION', `0x80046a01')
-define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
-define(`SPI_IOC_RD_MODE32', `0x80046b05')
-define(`UDF_GETEASIZE', `0x80046c40')
-define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
-define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
-define(`SISFB_GET_INFO_OLD', `0x80046ef8')
-define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
-define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
-define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
-define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
-define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
-define(`FE_READ_STATUS', `0x80046f45')
-define(`FE_READ_BER', `0x80046f46')
-define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
-define(`RTC_VL_READ', `0x80047013')
-define(`PPCLRIRQ', `0x80047093')
-define(`PPGETMODES', `0x80047097')
-define(`PPGETMODE', `0x80047098')
-define(`PPGETPHASE', `0x80047099')
-define(`PPGETFLAGS', `0x8004709a')
-define(`PHONE_DTMF_READY', `0x80047196')
-define(`PHONE_GET_DTMF', `0x80047197')
-define(`PHONE_GET_DTMF_ASCII', `0x80047198')
-define(`PHONE_EXCEPTION', `0x8004719a')
-define(`IXJCTL_CARDTYPE', `0x800471c1')
-define(`IXJCTL_SERIAL', `0x800471c2')
-define(`IXJCTL_DSP_TYPE', `0x800471c3')
-define(`IXJCTL_DSP_VERSION', `0x800471c4')
-define(`IXJCTL_VMWI', `0x800471d8')
-define(`BR_ERROR', `0x80047200')
-define(`BR_ACQUIRE_RESULT', `0x80047204')
-define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
-define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
-define(`FS_IOC32_GETVERSION', `0x80047601')
-define(`MEYEIOC_STILLJCAPT', `0x800476c5')
-define(`OSIOCGNETADDR', `0x800489e1')
-define(`SIOCGNETADDR', `0x800489e1')
-define(`AUTOFS_IOC_PROTOVER', `0x80049363')
-define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
-define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
-define(`GENWQE_GET_CARD_STATE', `0x8004a524')
-define(`KVM_GET_MP_STATE', `0x8004ae98')
-define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
-define(`SISFB_GET_INFO_SIZE', `0x8004f300')
-define(`SISFB_GET_VBRSTATUS', `0x8004f302')
-define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
-define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
-define(`SONET_GETFRSENSE', `0x80066117')
-define(`MEYEIOC_G_PARAMS', `0x800676c0')
-define(`BLKBSZGET', `0x80081270')
-define(`BLKGETSIZE64', `0x80081272')
-define(`PERF_EVENT_IOC_ID', `0x80082407')
-define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
-define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
-define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
-define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
-define(`AGPIOC_INFO', `0x80084100')
-define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
-define(`CCISS_GETPCIINFO', `0x80084201')
-define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
-define(`CCISS_GETINTINFO', `0x80084202')
-define(`PMU_IOC_GET_MODEL', `0x80084203')
-define(`PMU_IOC_HAS_ADB', `0x80084204')
-define(`PMU_IOC_CAN_SLEEP', `0x80084205')
-define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
-define(`EVIOCGID', `0x80084502')
-define(`EVIOCGREP', `0x80084503')
-define(`EVIOCGKEYCODE', `0x80084504')
-define(`FBIO_GETCONTROL2', `0x80084689')
-define(`HIDIOCGRAWINFO', `0x80084803')
-define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
-define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
-define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
-define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
-define(`MFB_GET_AOID', `0x80084d04')
-define(`MEMISLOCKED', `0x80084d17')
-define(`RNDGETPOOL', `0x80085202')
-define(`USBDEVFS_SETINTERFACE', `0x80085504')
-define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
-define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
-define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
-define(`VIDIOC_G_STD', `0x80085617')
-define(`VIDIOC_QUERYSTD', `0x8008563f')
-define(`CM_IOCGSTATUS', `0x80086300')
-define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
-define(`FS_IOC_GETFLAGS', `0x80086601')
-define(`I2OPASSTHRU32', `0x8008690c')
-define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
-define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
-define(`I8K_POWER_STATUS', `0x80086982')
-define(`I8K_FN_STATUS', `0x80086983')
-define(`I8K_GET_TEMP', `0x80086984')
-define(`UDF_GETEABLOCK', `0x80086c41')
-define(`UDF_GETVOLIDENT', `0x80086c42')
-define(`MMTIMER_GETRES', `0x80086d01')
-define(`MMTIMER_GETFREQ', `0x80086d02')
-define(`MTIOCPOS', `0x80086d03')
-define(`MMTIMER_GETCOUNTER', `0x80086d09')
-define(`NILFS_IOCTL_SYNC', `0x80086e8a')
-define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
-define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
-define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
-define(`AUDIO_GET_PTS', `0x80086f13')
-define(`DMX_GET_CAPS', `0x80086f30')
-define(`VIDEO_GET_PTS', `0x80086f39')
-define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
-define(`CA_GET_DESCR_INFO', `0x80086f83')
-define(`RTC_IRQP_READ', `0x8008700b')
-define(`RTC_EPOCH_READ', `0x8008700d')
-define(`PPS_GETPARAMS', `0x800870a1')
-define(`PPS_GETCAP', `0x800870a3')
-define(`PHONE_CAPABILITIES_LIST', `0x80087181')
-define(`IXJCTL_CID', `0x800871d4')
-define(`IXJCTL_VERSION', `0x800871da')
-define(`IXJCTL_FRAMES_READ', `0x800871e2')
-define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
-define(`IXJCTL_READ_WAIT', `0x800871e4')
-define(`IXJCTL_WRITE_WAIT', `0x800871e5')
-define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
-define(`BR_DEAD_BINDER', `0x8008720f')
-define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
-define(`FS_IOC_GETVERSION', `0x80087601')
-define(`BTRFS_IOC_START_SYNC', `0x80089418')
-define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
-define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
-define(`KVM_ALLOCATE_RMA', `0x8008aea9')
-define(`VHOST_GET_FEATURES', `0x8008af00')
-define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
-define(`DMX_GET_PES_PIDS', `0x800a6f2f')
-define(`RAID_VERSION', `0x800c0910')
-define(`CCISS_GETLUNINFO', `0x800c4211')
-define(`OTPLOCK', `0x800c4d10')
-define(`OMAPFB_GET_CAPS', `0x800c4f2a')
-define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
-define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
-define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
-define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
-define(`NCP_IOC_SETROOT', `0x800c6e08')
-define(`VIDEO_GET_SIZE', `0x800c6f37')
-define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
-define(`CA_GET_SLOT_INFO', `0x800c6f82')
-define(`FDGETDRVTYP', `0x8010020f')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
-define(`CCISS_GETNODENAME', `0x80104204')
-define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
-define(`ECCGETSTATS', `0x80104d12')
-define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
-define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
-define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
-define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
-define(`TUNGETFILTER', `0x801054db')
-define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
-define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
-define(`I2OPASSTHRU', `0x8010690c')
-define(`MGSL_IOCGGPIO', `0x80106d11')
-define(`NCP_IOC_NCPREQUEST', `0x80106e01')
-define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
-define(`FE_GET_PROPERTY', `0x80106f53')
-define(`CA_GET_CAP', `0x80106f81')
-define(`OSD_GET_CAPABILITY', `0x80106fa1')
-define(`PPGETTIME', `0x80107095')
-define(`BR_INCREFS', `0x80107207')
-define(`BR_ACQUIRE', `0x80107208')
-define(`BR_RELEASE', `0x80107209')
-define(`BR_DECREFS', `0x8010720a')
-define(`GENWQE_READ_REG64', `0x8010a51e')
-define(`GENWQE_READ_REG32', `0x8010a520')
-define(`GENWQE_READ_REG16', `0x8010a522')
-define(`FDGETMAXERRS', `0x8014020e')
-define(`GET_DISK_INFO', `0x80140912')
-define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
-define(`CHIOGPARAMS', `0x80146306')
-define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
-define(`VIDEO_GET_STATUS', `0x80146f1b')
-define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
-define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
-define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
-define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
-define(`IMSETDEVNAME', `0x80184947')
-define(`OMAPFB_MEMORY_READ', `0x80184f3a')
-define(`HPET_INFO', `0x80186803')
-define(`NCP_IOC_SIGN_INIT', `0x80186e05')
-define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
-define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
-define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
-define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
-define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
-define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
-define(`MBXFB_IOCG_ALPHA', `0x8018f401')
-define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
-define(`HIDIOCGDEVINFO', `0x801c4803')
-define(`FDGETPRM', `0x80200204')
-define(`FBIOGET_VBLANK', `0x80204612')
-define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
-define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
-define(`MEMGETINFO', `0x80204d01')
-define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
-define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
-define(`I2OGETIOPS', `0x80206900')
-define(`AUDIO_GET_STATUS', `0x80206f0a')
-define(`VIDEO_GET_EVENT', `0x80206f1c')
-define(`RTC_PLL_GET', `0x80207011')
-define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
-define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
-define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
-define(`SONET_GETSTAT', `0x80246110')
-define(`SONET_GETSTATZ', `0x80246111')
-define(`JSIOCGCORR', `0x80246a22')
-define(`FE_GET_FRONTEND', `0x80246f4d')
-define(`RTC_ALM_READ', `0x80247008')
-define(`RTC_RD_TIME', `0x80247009')
-define(`FDGETFDCSTAT', `0x80280215')
-define(`FDWERRORGET', `0x80280217')
-define(`EVIOCGKEYCODE_V2', `0x80284504')
-define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
-define(`WDIOC_GETSUPPORT', `0x80285700')
-define(`IPMICTL_SEND_COMMAND', `0x8028690d')
-define(`FE_GET_EVENT', `0x80286f4e')
-define(`RTC_WKALM_RD', `0x80287010')
-define(`IOW_GETINFO', `0x8028c003')
-define(`USBDEVFS_SUBMITURB32', `0x802a550a')
-define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
-define(`TCGETS2', `0x802c542a')
-define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
-define(`VIDIOC_G_FBUF', `0x8030560a')
-define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
-define(`MGSL_IOCGPARAMS', `0x80306d01')
-define(`MTIOCGET', `0x80306d02')
-define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
-define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
-define(`KVM_GET_CLOCK', `0x8030ae7c')
-define(`VIDIOC_G_AUDIO', `0x80345621')
-define(`VIDIOC_G_AUDOUT', `0x80345631')
-define(`USBDEVFS_SUBMITURB', `0x8038550a')
-define(`DRM_IOCTL_AGP_INFO', `0x80386433')
-define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
-define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
-define(`JSIOCGAXMAP', `0x80406a32')
-define(`BR_TRANSACTION', `0x80407202')
-define(`BR_REPLY', `0x80407203')
-define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
-define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
-define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
-define(`GET_ARRAY_INFO', `0x80480911')
-define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
-define(`KVM_SET_PIT', `0x8048ae66')
-define(`GSMIOC_GETCONF', `0x804c4700')
-define(`FDGETDRVSTAT', `0x80500212')
-define(`FDPOLLDRVSTAT', `0x80500213')
-define(`PTP_CLOCK_GETCAPS', `0x80503d01')
-define(`SOUND_MIXER_INFO', `0x805c4d65')
-define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
-define(`VIDIOC_QUERYCAP', `0x80685600')
-define(`I2OEVTGET', `0x8068690b')
-define(`CHIOGVPARAMS', `0x80706313')
-define(`KVM_GET_PIT2', `0x8070ae9f')
-define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
-define(`FDGETDRVPRM', `0x80800211')
-define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
-define(`KVM_GET_DEBUGREGS', `0x8080aea1')
-define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
-define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
-define(`VIDIOC_DQEVENT', `0x80885659')
-define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
-define(`KVM_GET_REGS', `0x8090ae81')
-define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
-define(`FE_GET_INFO', `0x80a86f3d')
-define(`MEMGETOOBSEL', `0x80c84d0a')
-define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
-define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
-define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
-define(`DRM_IOCTL_GET_STATS', `0x80f86406')
-define(`ASHMEM_GET_NAME', `0x81007702')
-define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
-define(`HIDIOCGSTRING', `0x81044804')
-define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
-define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
-define(`CA_GET_MSG', `0x810c6f84')
-define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
-define(`SISFB_GET_INFO', `0x811cf301')
-define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
-define(`KVM_GET_SREGS', `0x8138ae83')
-define(`ECCGETLAYOUT', `0x81484d11')
-define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
-define(`KVM_GET_XCRS', `0x8188aea6')
-define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
-define(`KVM_GET_FPU', `0x81a0ae8c')
-define(`KVM_SET_IRQCHIP', `0x8208ae63')
-define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
-define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
-define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
-define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
-define(`JSIOCGBTNMAP', `0x84006a34')
-define(`BTRFS_IOC_FS_INFO', `0x8400941f')
-define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
-define(`KVM_GET_LAPIC', `0x8400ae8e')
-define(`VIDEO_GET_NAVI', `0x84046f34')
-define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
-define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
-define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
-define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
-define(`GET_BITMAP_FILE', `0x90000915')
-define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
-define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
-define(`KVM_GET_XSAVE', `0x9000aea4')
-define(`HIDIOCGRDESC', `0x90044802')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
-define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
-define(`CAPI_GET_MANUFACTURER', `0xc0044306')
-define(`CAPI_GET_SERIAL', `0xc0044308')
-define(`GIGASET_REDIR', `0xc0044700')
-define(`GIGASET_CONFIG', `0xc0044701')
-define(`ION_IOC_FREE', `0xc0044901')
-define(`SOUND_MIXER_AGC', `0xc0044d67')
-define(`SOUND_MIXER_3DSE', `0xc0044d68')
-define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
-define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
-define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
-define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
-define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
-define(`SNDCTL_DSP_SPEED', `0xc0045002')
-define(`SNDCTL_DSP_STEREO', `0xc0045003')
-define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
-define(`SNDCTL_DSP_SETFMT', `0xc0045005')
-define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
-define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
-define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
-define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
-define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
-define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
-define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
-define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
-define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
-define(`SNDCTL_TMR_TEMPO', `0xc0045405')
-define(`SNDCTL_TMR_SOURCE', `0xc0045406')
-define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
-define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
-define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
-define(`VIDIOC_S_INPUT', `0xc0045627')
-define(`VIDIOC_S_OUTPUT', `0xc004562f')
-define(`WDIOC_SETTIMEOUT', `0xc0045706')
-define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
-define(`FIFREEZE', `0xc0045877')
-define(`FITHAW', `0xc0045878')
-define(`SONET_SETDIAG', `0xc0046112')
-define(`SONET_CLRDIAG', `0xc0046113')
-define(`BINDER_VERSION', `0xc0046209')
-define(`DRM_IOCTL_BLOCK', `0xc0046412')
-define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
-define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
-define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
-define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
-define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
-define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
-define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
-define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
-define(`MGSL_IOCWAITEVENT', `0xc0046d08')
-define(`TOSH_SMM', `0xc0047490')
-define(`MEYEIOC_SYNC', `0xc00476c3')
-define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
-define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
-define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
-define(`NET_ADD_IF', `0xc0066f34')
-define(`NET_GET_IF', `0xc0066f36')
-define(`AGPIOC_ALLOCATE', `0xc0084106')
-define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
-define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
-define(`ION_IOC_MAP', `0xc0084902')
-define(`ION_IOC_SHARE', `0xc0084904')
-define(`ION_IOC_IMPORT', `0xc0084905')
-define(`ION_IOC_SYNC', `0xc0084907')
-define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
-define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
-define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
-define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
-define(`VIDIOC_G_CTRL', `0xc008561b')
-define(`VIDIOC_S_CTRL', `0xc008561c')
-define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
-define(`CM_IOCGATR', `0xc0086301')
-define(`CIOC_KERNEL_VERSION', `0xc008630a')
-define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
-define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
-define(`DRM_IOCTL_RM_CTX', `0xc0086421')
-define(`DRM_IOCTL_GET_CTX', `0xc0086423')
-define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
-define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
-define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
-define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
-define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
-define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
-define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
-define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
-define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
-define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
-define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
-define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
-define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
-define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
-define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
-define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
-define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
-define(`I8K_GET_SPEED', `0xc0086985')
-define(`I8K_GET_FAN', `0xc0086986')
-define(`I8K_SET_FAN', `0xc0086987')
-define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
-define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
-define(`PHN_GET_REG', `0xc0087000')
-define(`PHN_GET_REGS', `0xc0087002')
-define(`PHN_GETREG', `0xc0087005')
-define(`PPS_FETCH', `0xc00870a4')
-define(`PHONE_QUERY_CODEC', `0xc00871a7')
-define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
-define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
-define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
-define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
-define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
-define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
-define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
-define(`KVM_GET_MSRS', `0xc008ae88')
-define(`KVM_GET_CPUID2', `0xc008ae91')
-define(`KVM_GET_REG_LIST', `0xc008aeb0')
-define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
-define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
-define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
-define(`VHOST_GET_VRING_BASE', `0xc008af12')
-define(`HIDIOCGREPORTINFO', `0xc00c4809')
-define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
-define(`USBDEVFS_IOCTL32', `0xc00c5512')
-define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
-define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
-define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
-define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
-define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
-define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
-define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
-define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
-define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
-define(`KVM_CREATE_DEVICE', `0xc00caee0')
-define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
-define(`MBXFB_IOCX_REG', `0xc00cf405')
-define(`CAPI_GET_VERSION', `0xc0104307')
-define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
-define(`GIGASET_VERSION', `0xc0104703')
-define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
-define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
-define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
-define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
-define(`ION_IOC_CUSTOM', `0xc0104906')
-define(`MEMWRITEOOB', `0xc0104d03')
-define(`MEMREADOOB', `0xc0104d04')
-define(`MEMGETREGIONINFO', `0xc0104d08')
-define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
-define(`USBDEVFS_CONTROL32', `0xc0105500')
-define(`USBDEVFS_BULK32', `0xc0105502')
-define(`USBDEVFS_IOCTL', `0xc0105512')
-define(`NS_GETPSTAT', `0xc0106161')
-define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
-define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
-define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
-define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
-define(`DRM_IOCTL_GET_CAP', `0xc010640c')
-define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
-define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
-define(`DRM_IOCTL_RES_CTX', `0xc0106426')
-define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
-define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
-define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
-define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
-define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
-define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
-define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
-define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
-define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
-define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
-define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
-define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
-define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
-define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
-define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
-define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
-define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
-define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
-define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
-define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
-define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
-define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
-define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
-define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
-define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
-define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
-define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
-define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
-define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
-define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
-define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
-define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
-define(`MGSL_IOCWAITGPIO', `0xc0106d12')
-define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
-define(`DMX_GET_STC', `0xc0106f32')
-define(`UVCIOC_CTRL_QUERY', `0xc0107521')
-define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
-define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
-define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
-define(`SNDCTL_COPR_RDATA', `0xc0144302')
-define(`SNDCTL_COPR_RCODE', `0xc0144303')
-define(`SNDCTL_COPR_RUN', `0xc0144306')
-define(`SNDCTL_COPR_HALT', `0xc0144307')
-define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
-define(`VIDIOC_REQBUFS', `0xc0145608')
-define(`VIDIOC_G_CROP', `0xc014563b')
-define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
-define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
-define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
-define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
-define(`HIDIOCGUSAGE', `0xc018480b')
-define(`HIDIOCGUCODE', `0xc018480d')
-define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
-define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
-define(`MEMWRITEOOB64', `0xc0184d15')
-define(`MEMREADOOB64', `0xc0184d16')
-define(`USBDEVFS_CONTROL', `0xc0185500')
-define(`USBDEVFS_BULK', `0xc0185502')
-define(`PACKET_CTRL_CMD', `0xc0185801')
-define(`FITRIM', `0xc0185879')
-define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
-define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
-define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
-define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
-define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
-define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
-define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
-define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
-define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
-define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
-define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
-define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
-define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
-define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
-define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
-define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
-define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
-define(`I2OHRTGET', `0xc0186901')
-define(`I2OLCTGET', `0xc0186902')
-define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
-define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
-define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
-define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
-define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
-define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
-define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
-define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
-define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
-define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
-define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
-define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
-define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
-define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
-define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
-define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
-define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
-define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
-define(`KVM_TRANSLATE', `0xc018ae85')
-define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
-define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
-define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
-define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
-define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
-define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
-define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
-define(`ION_IOC_ALLOC', `0xc0204900')
-define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
-define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
-define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
-define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
-define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
-define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
-define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
-define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
-define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
-define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
-define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
-define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
-define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
-define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
-define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
-define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
-define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
-define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
-define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
-define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
-define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
-define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
-define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
-define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
-define(`FS_IOC_FIEMAP', `0xc020660b')
-define(`GENWQE_PIN_MEM', `0xc020a528')
-define(`GENWQE_UNPIN_MEM', `0xc020a529')
-define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
-define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
-define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
-define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
-define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
-define(`SYNC_IOC_MERGE', `0xc0283e01')
-define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
-define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
-define(`VIDIOC_G_EDID', `0xc0285628')
-define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
-define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
-define(`VIDIOC_S_EDID', `0xc0285629')
-define(`VIDIOC_ENCODER_CMD', `0xc028564d')
-define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
-define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
-define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
-define(`DRM_IOCTL_GET_MAP', `0xc0286404')
-define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
-define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
-define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
-define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
-define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
-define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
-define(`I2OPARMSET', `0xc0286903')
-define(`I2OPARMGET', `0xc0286904')
-define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
-define(`PHN_GETREGS', `0xc0287007')
-define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
-define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
-define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
-define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
-define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
-define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
-define(`VIDIOC_QUERYMENU', `0xc02c5625')
-define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
-define(`VIDIOC_CROPCAP', `0xc02c563a')
-define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
-define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
-define(`MEMWRITE', `0xc0304d18')
-define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
-define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
-define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
-define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
-define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
-define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
-define(`BINDER_WRITE_READ', `0xc0306201')
-define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
-define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
-define(`I2OSWDL', `0xc0306905')
-define(`I2OSWUL', `0xc0306906')
-define(`I2OSWDEL', `0xc0306907')
-define(`I2OHTML', `0xc0306909')
-define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
-define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
-define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
-define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
-define(`VIDIOC_ENUMAUDIO', `0xc0345641')
-define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
-define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
-define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
-define(`HIDIOCGFIELDINFO', `0xc038480a')
-define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
-define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
-define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
-define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
-define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
-define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
-define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
-define(`GENWQE_SLU_UPDATE', `0xc038a550')
-define(`GENWQE_SLU_READ', `0xc038a551')
-define(`CAPI_GET_PROFILE', `0xc0404309')
-define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
-define(`VIDIOC_ENUM_FMT', `0xc0405602')
-define(`VIDIOC_EXPBUF', `0xc0405610')
-define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
-define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
-define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
-define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
-define(`VIDIOC_G_SELECTION', `0xc040565e')
-define(`VIDIOC_S_SELECTION', `0xc040565f')
-define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
-define(`DRM_IOCTL_VERSION', `0xc0406400')
-define(`DRM_IOCTL_DMA', `0xc0406429')
-define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
-define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
-define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
-define(`VIDIOC_QUERYCTRL', `0xc0445624')
-define(`VIDIOC_G_MODULATOR', `0xc0445636')
-define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
-define(`BLKTRACESETUP', `0xc0481273')
-define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
-define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
-define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
-define(`VIDIOC_ENUMSTD', `0xc0485619')
-define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
-define(`VIDIOC_DECODER_CMD', `0xc0485660')
-define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
-define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
-define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
-define(`VIDEO_COMMAND', `0xc0486f3b')
-define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
-define(`KVM_GET_PIT', `0xc048ae65')
-define(`MMC_IOC_CMD', `0xc048b300')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
-define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
-define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
-define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
-define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
-define(`VIDIOC_ENUMINPUT', `0xc050561a')
-define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
-define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
-define(`VIDIOC_G_TUNER', `0xc054561d')
-define(`SISFB_COMMAND', `0xc054f305')
-define(`CCISS_PASSTHRU', `0xc058420b')
-define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
-define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
-define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
-define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
-define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
-define(`VIDIOC_QUERYBUF', `0xc0585609')
-define(`VIDIOC_QBUF', `0xc058560f')
-define(`VIDIOC_DQBUF', `0xc0585611')
-define(`VIDIOC_PREPARE_BUF', `0xc058565d')
-define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
-define(`PTP_PIN_GETFUNC', `0xc0603d06')
-define(`CCISS_BIG_PASSTHRU', `0xc0604212')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
-define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
-define(`UVCIOC_CTRL_MAP', `0xc0607520')
-define(`FBIO_CURSOR', `0xc0684608')
-define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
-define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
-define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
-define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
-define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
-define(`SNDCTL_MIDI_INFO', `0xc074510c')
-define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
-define(`SOUND_MIXER_ACCESS', `0xc0804d66')
-define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
-define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
-define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
-define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
-define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
-define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
-define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
-define(`SNDCTL_SYNTH_ID', `0xc08c5114')
-define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
-define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
-define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
-define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
-define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
-define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
-define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
-define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
-define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
-define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
-define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
-define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
-define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
-define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
-define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
-define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
-define(`VIDIOC_G_PARM', `0xc0cc5615')
-define(`VIDIOC_S_PARM', `0xc0cc5616')
-define(`VIDIOC_G_FMT', `0xc0d05604')
-define(`VIDIOC_S_FMT', `0xc0d05605')
-define(`VIDIOC_TRY_FMT', `0xc0d05640')
-define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
-define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
-define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
-define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
-define(`VIDIOC_CREATE_BUFS', `0xc100565c')
-define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
-define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
-define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
-define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
-define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
-define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
-define(`DM_VERSION', `0xc138fd00')
-define(`DM_REMOVE_ALL', `0xc138fd01')
-define(`DM_LIST_DEVICES', `0xc138fd02')
-define(`DM_DEV_CREATE', `0xc138fd03')
-define(`DM_DEV_REMOVE', `0xc138fd04')
-define(`DM_DEV_RENAME', `0xc138fd05')
-define(`DM_DEV_SUSPEND', `0xc138fd06')
-define(`DM_DEV_STATUS', `0xc138fd07')
-define(`DM_DEV_WAIT', `0xc138fd08')
-define(`DM_TABLE_LOAD', `0xc138fd09')
-define(`DM_TABLE_CLEAR', `0xc138fd0a')
-define(`DM_TABLE_DEPS', `0xc138fd0b')
-define(`DM_TABLE_STATUS', `0xc138fd0c')
-define(`DM_LIST_VERSIONS', `0xc138fd0d')
-define(`DM_TARGET_MSG', `0xc138fd0e')
-define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
-define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
-define(`KVM_GET_IRQCHIP', `0xc208ae62')
-define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
-define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
-define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
-define(`BTRFS_IOC_SCRUB', `0xc400941b')
-define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
-define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
-define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
-define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
-define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
-define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
-define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
-define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
-define(`SNDCTL_COPR_LOAD', `0xcfb04301')
-define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
-define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
-define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
-define(`HIDIOCGUSAGES', `0xd01c4813')
-define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
-define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
-define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
-define(`PPPIOCGL2TPSTATS', `0x7436')
-define(`PPPIOCGCHAN', `0x7437')
-define(`PPPIOCATTCHAN', `0x7438')
-define(`PPPIOCDISCONN', `0x7439')
-define(`PPPIOCCONNECT', `0x743a')
-define(`PPPIOCSMRRU', `0x743b')
-define(`PPPIOCDETACH', `0x743c')
-define(`PPPIOCATTACH', `0x743d')
-define(`PPPIOCNEWUNIT', `0x743e')
-define(`PPPIOCGIDLE', `0x743f')
-define(`PPPIOCSDEBUG', `0x7440')
-define(`PPPIOCGDEBUG', `0x7441')
-define(`PPPIOCSACTIVE', `0x7446')
-define(`PPPIOCSPASS', `0x7447')
-define(`PPPIOCSNPMODE', `0x744b')
-define(`PPPIOCGNPMODE', `0x744c')
-define(`PPPIOCSCOMPRESS', `0x744d')
-define(`PPPIOCXFERUNIT', `0x744e')
-define(`PPPIOCSXASYNCMAP', `0x744f')
-define(`PPPIOCGXASYNCMAP', `0x7450')
-define(`PPPIOCSMAXCID', `0x7451')
-define(`PPPIOCSMRU', `0x7452')
-define(`PPPIOCGMRU', `0x7453')
-define(`PPPIOCSRASYNCMAP', `0x7454')
-define(`PPPIOCGRASYNCMAP', `0x7455')
-define(`PPPIOCGUNIT', `0x7456')
-define(`PPPIOCSASYNCMAP', `0x7457')
-define(`PPPIOCGASYNCMAP', `0x7458')
-define(`PPPIOCSFLAGS', `0x7459')
-define(`PPPIOCGFLAGS', `0x745a')
-define(`PPPIOCGCALLINFO', `0x7480')
-define(`PPPIOCBUNDLE', `0x7481')
-define(`PPPIOCGMPFLAGS', `0x7482')
-define(`PPPIOCSMPFLAGS', `0x7483')
-define(`PPPIOCSMPMTU', `0x7484')
-define(`PPPIOCSMPMRU', `0x7485')
-define(`PPPIOCGCOMPRESSORS', `0x7486')
-define(`PPPIOCSCOMPRESSOR', `0x7487')
-define(`PPPIOCGIFNAME', `0x7488')
diff --git a/prebuilts/api/26.0/public/ioctl_macros b/prebuilts/api/26.0/public/ioctl_macros
deleted file mode 100644
index f7081d5..0000000
--- a/prebuilts/api/26.0/public/ioctl_macros
+++ /dev/null
@@ -1,68 +0,0 @@
-# socket ioctls allowed to unprivileged apps
-define(`unpriv_sock_ioctls', `
-{
-# Socket ioctls for gathering information about the interface
-SIOCGSTAMP SIOCGSTAMPNS
-SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
-SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
-# Wireless extension ioctls. Primarily get functions.
-SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
-SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
-SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-}')
-
-# socket ioctls never allowed to unprivileged apps
-define(`priv_sock_ioctls', `
-{
-# qualcomm rmnet ioctls
-WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
-# socket ioctls
-SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
-SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
-SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
-SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
-SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
-SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
-SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
-SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
-SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
-SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
-# device and protocol specific ioctls
-SIOCDEVPRIVATE-SIOCDEVPRIVLAST
-SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
-# Wireless extension ioctls
-SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
-SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
-SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
-SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
-SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
-SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
-# Dev private ioctl i.e. hardware specific ioctls
-SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
-}')
-
-# commonly used ioctls on unix sockets
-define(`unpriv_unix_sock_ioctls', `{
- TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
-}')
-
-# commonly used TTY ioctls
-# merge with unpriv_unix_sock_ioctls?
-define(`unpriv_tty_ioctls', `{
- TIOCOUTQ FIOCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW
- TCFLSH TIOCSPGRP TIOCGPGRP
-}')
-
-# point to point ioctls
-define(`ppp_ioctls', `{
-PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
-PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
-PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
-PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
-PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
-PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
-PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
-PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
-PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
-PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
-}')
diff --git a/prebuilts/api/26.0/public/kernel.te b/prebuilts/api/26.0/public/kernel.te
deleted file mode 100644
index 9537c0d..0000000
--- a/prebuilts/api/26.0/public/kernel.te
+++ /dev/null
@@ -1,103 +0,0 @@
-# Life begins with the kernel.
-type kernel, domain, mlstrustedsubject;
-
-allow kernel self:capability sys_nice;
-
-# Root fs.
-r_dir_file(kernel, rootfs)
-r_dir_file(kernel, proc)
-
-# Get SELinux enforcing status.
-allow kernel selinuxfs:dir r_dir_perms;
-allow kernel selinuxfs:file r_file_perms;
-
-# Get file contexts during first stage
-allow kernel file_contexts_file:file r_file_perms;
-
-# Allow init relabel itself.
-allow kernel rootfs:file relabelfrom;
-allow kernel init_exec:file relabelto;
-# TODO: investigate why we need this.
-allow kernel init:process share;
-
-# cgroup filesystem initialization prior to setting the cgroup root directory label.
-allow kernel unlabeled:dir search;
-
-# Mount usbfs.
-allow kernel usbfs:filesystem mount;
-allow kernel usbfs:dir search;
-
-# Initial setenforce by init prior to switching to init domain.
-# We use dontaudit instead of allow to prevent a kernel spawned userspace
-# process from turning off SELinux once enabled.
-dontaudit kernel self:security setenforce;
-
-# Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:capability sys_resource;
-
-# Init reboot before switching selinux domains under certain error
-# conditions. Allow it.
-# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
-# remount filesystems read-only. /data is not mounted at this point,
-# so we could ignore this. For now, we allow it.
-allow kernel self:capability sys_boot;
-allow kernel proc_sysrq:file w_file_perms;
-
-# Allow writing to /dev/kmsg which was created prior to loading policy.
-allow kernel tmpfs:chr_file write;
-
-# Set checkreqprot by init.rc prior to switching to init domain.
-allow kernel selinuxfs:file write;
-allow kernel self:security setcheckreqprot;
-
-# MTP sync (b/15835289)
-# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel priv_app:fd use;
-allow kernel sdcard_type:file { read write };
-
-# Allow the kernel to read OBB files from app directories. (b/17428116)
-# Kernel thread "loop0" reads a vold supplied file descriptor.
-# Fixes CTS tests:
-# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
-# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
-allow kernel vold:fd use;
-allow kernel app_data_file:file read;
-allow kernel asec_image_file:file read;
-
-# Allow reading loop device in update_engine_unittests. (b/28319454)
-userdebug_or_eng(`
- allow kernel update_engine_data_file:file read;
- allow kernel nativetest_data_file:file read;
-')
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow kernel media_rw_data_file:dir create_dir_perms;
-allow kernel media_rw_data_file:file create_file_perms;
-
-# Access to /data/misc/vold/virtual_disk.
-allow kernel vold_data_file:file read;
-
-###
-### neverallow rules
-###
-
-# The initial task starts in the kernel domain (assigned via
-# initial_sid_contexts), but nothing ever transitions to it.
-neverallow * kernel:process { transition dyntransition };
-
-# The kernel domain is never entered via an exec, nor should it
-# ever execute a program outside the rootfs without changing to another domain.
-# If you encounter an execute_no_trans denial on the kernel domain, then
-# possible causes include:
-# - The program is a kernel usermodehelper. In this case, define a domain
-# for the program and domain_auto_trans() to it.
-# - You are running an exploit which switched to the init task credentials
-# and is then trying to exec a shell or other program. You lose!
-neverallow kernel *:file { entrypoint execute_no_trans };
-
-# the kernel should not be accessing files owned by other users.
-# Instead of adding dac_{read_search,override}, fix the unix permissions
-# on files being accessed.
-neverallow kernel self:capability { dac_override dac_read_search };
diff --git a/prebuilts/api/26.0/public/keystore.te b/prebuilts/api/26.0/public/keystore.te
deleted file mode 100644
index ee5e675..0000000
--- a/prebuilts/api/26.0/public/keystore.te
+++ /dev/null
@@ -1,34 +0,0 @@
-type keystore, domain;
-type keystore_exec, exec_type, file_type;
-
-# keystore daemon
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-binder_call(keystore, system_server)
-
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-
-add_service(keystore, keystore_service)
-allow keystore sec_key_att_app_id_provider_service:service_manager find;
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-r_dir_file(keystore, cgroup)
-
-###
-### Neverallow rules
-###
-### Protect ourself from others
-###
-
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow { domain -keystore -init } keystore_data_file:dir *;
-neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-
-neverallow * keystore:process ptrace;
diff --git a/prebuilts/api/26.0/public/lmkd.te b/prebuilts/api/26.0/public/lmkd.te
deleted file mode 100644
index f4e6c2d..0000000
--- a/prebuilts/api/26.0/public/lmkd.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# lmkd low memory killer daemon
-type lmkd, domain, mlstrustedsubject;
-type lmkd_exec, exec_type, file_type;
-
-allow lmkd self:capability { dac_override sys_resource kill };
-
-# lmkd locks itself in memory, to prevent it from being
-# swapped out and unable to kill other memory hogs.
-# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
-# b/16236289
-allow lmkd self:capability ipc_lock;
-
-## Open and write to /proc/PID/oom_score_adj
-## TODO: maybe scope this down?
-r_dir_file(lmkd, appdomain)
-allow lmkd appdomain:file write;
-r_dir_file(lmkd, system_server)
-allow lmkd system_server:file write;
-
-## Writes to /sys/module/lowmemorykiller/parameters/minfree
-r_dir_file(lmkd, sysfs_type)
-allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-
-# Send kill signals
-allow lmkd appdomain:process sigkill;
-
-# Clean up old cgroups
-allow lmkd cgroup:dir { remove_name rmdir };
-
-# Set self to SCHED_FIFO
-allow lmkd self:capability sys_nice;
-
-allow lmkd proc_zoneinfo:file r_file_perms;
-
-### neverallow rules
-
-# never honor LD_PRELOAD
-neverallow * lmkd:process noatsecure;
diff --git a/prebuilts/api/26.0/public/logd.te b/prebuilts/api/26.0/public/logd.te
deleted file mode 100644
index 62bff97..0000000
--- a/prebuilts/api/26.0/public/logd.te
+++ /dev/null
@@ -1,73 +0,0 @@
-# android user-space log manager
-type logd, domain, mlstrustedsubject;
-type logd_exec, exec_type, file_type;
-
-# Read access to pseudo filesystems.
-r_dir_file(logd, cgroup)
-r_dir_file(logd, proc)
-r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net)
-
-allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
-allow logd self:capability2 syslog;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file w_file_perms;
-allow logd system_data_file:{ file lnk_file } r_file_perms;
-allow logd pstorefs:dir search;
-allow logd pstorefs:file r_file_perms;
-userdebug_or_eng(`
- # Access to /data/misc/logd/event-log-tags
- allow logd misc_logd_file:dir r_dir_perms;
- allow logd misc_logd_file:file rw_file_perms;
-')
-allow logd runtime_event_log_tags_file:file rw_file_perms;
-
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
-r_dir_file(logd, domain)
-
-allow logd kernel:system syslog_mod;
-
-control_logd(logd)
-read_runtime_log_tags(logd)
-
-allow runtime_event_log_tags_file tmpfs:filesystem associate;
-# Typically harmlessly blindly trying to access via liblog
-# event tag mapping while in the untrusted_app domain.
-# Access for that domain is controlled and gated via the
-# event log tag service (albeit at a performance penalty,
-# expected to be locally cached).
-dontaudit domain runtime_event_log_tags_file:file { open read };
-
-###
-### Neverallow rules
-###
-### logd should NEVER do any of this
-
-# Block device access.
-neverallow logd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logd domain:process ptrace;
-
-# ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
-
-# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
-
-# Only init is allowed to enter the logd domain via exec()
-neverallow { domain -init } logd:process transition;
-neverallow * logd:process dyntransition;
-
-# protect the event-log-tags file
-neverallow {
- domain
- -init
- -logd
-} runtime_event_log_tags_file:file no_w_file_perms;
diff --git a/prebuilts/api/26.0/public/logpersist.te b/prebuilts/api/26.0/public/logpersist.te
deleted file mode 100644
index 7536cb8..0000000
--- a/prebuilts/api/26.0/public/logpersist.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# android debug logging, logpersist domains
-type logpersist, domain;
-
-###
-### Neverallow rules
-###
-### logpersist should NEVER do any of this
-
-# Block device access.
-neverallow logpersist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logpersist domain:process ptrace;
-
-# Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
-
-# Only init should be allowed to enter the logpersist domain via exec()
-# Following is a list of debug domains we know that transition to logpersist
-# neverallow_with_undefined_domains {
-# domain
-# -init # goldfish, logcatd, raft
-# -mmi # bat, mtp8996, msmcobalt
-# -system_app # Smith.apk
-# } logpersist:process transition;
-neverallow * logpersist:process dyntransition;
diff --git a/prebuilts/api/26.0/public/mediacodec.te b/prebuilts/api/26.0/public/mediacodec.te
deleted file mode 100644
index 5ca41fc..0000000
--- a/prebuilts/api/26.0/public/mediacodec.te
+++ /dev/null
@@ -1,67 +0,0 @@
-# mediacodec - audio and video codecs live here
-type mediacodec, domain;
-type mediacodec_exec, exec_type, vendor_file_type, file_type;
-
-typeattribute mediacodec mlstrustedsubject;
-
-# TODO(b/36375899) attributize this domain appropriately as hal_omx
-# and use macro hal_server_domain
-get_prop(mediacodec, hwservicemanager_prop)
-
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(mediacodec)
-
-not_full_treble(`
- # on legacy devices, continue to allow /dev/binder traffic
- binder_use(mediacodec)
- binder_service(mediacodec)
- add_service(mediacodec, mediacodec_service)
- allow mediacodec mediametrics_service:service_manager find;
- allow mediacodec surfaceflinger_service:service_manager find;
-')
-binder_call(mediacodec, binderservicedomain)
-binder_call(mediacodec, appdomain)
-
-# Allow mediacodec access to composer sync fences
-allow mediacodec hal_graphics_composer:fd use;
-
-allow mediacodec gpu_device:chr_file rw_file_perms;
-allow mediacodec video_device:chr_file rw_file_perms;
-allow mediacodec video_device:dir search;
-allow mediacodec ion_device:chr_file rw_file_perms;
-allow mediacodec hal_camera:fd use;
-
-crash_dump_fallback(mediacodec)
-
-add_hwservice(mediacodec, hal_omx_hwservice)
-
-hal_client_domain(mediacodec, hal_allocator)
-
-# allocate and use graphic buffers
-hal_client_domain(mediacodec, hal_graphics_allocator)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to mediacodec via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediacodec bufferhubd:fd use;
-
-###
-### neverallow rules
-###
-
-# mediacodec should never execute any executable without a
-# domain transition
-neverallow mediacodec { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/26.0/public/mediadrmserver.te b/prebuilts/api/26.0/public/mediadrmserver.te
deleted file mode 100644
index cef8121..0000000
--- a/prebuilts/api/26.0/public/mediadrmserver.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# mediadrmserver - mediadrm daemon
-type mediadrmserver, domain;
-type mediadrmserver_exec, exec_type, file_type;
-
-typeattribute mediadrmserver mlstrustedsubject;
-
-net_domain(mediadrmserver)
-binder_use(mediadrmserver)
-binder_call(mediadrmserver, binderservicedomain)
-binder_call(mediadrmserver, appdomain)
-binder_service(mediadrmserver)
-hal_client_domain(mediadrmserver, hal_drm)
-
-add_service(mediadrmserver, mediadrmserver_service)
-allow mediadrmserver mediaserver_service:service_manager find;
-allow mediadrmserver mediametrics_service:service_manager find;
-allow mediadrmserver processinfo_service:service_manager find;
-allow mediadrmserver surfaceflinger_service:service_manager find;
-allow mediadrmserver system_file:dir r_dir_perms;
-
-add_service(mediadrmserver, mediacasserver_service)
-
-binder_call(mediadrmserver, mediacodec)
-###
-### neverallow rules
-###
-
-# mediadrmserver should never execute any executable without a
-# domain transition
-neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/26.0/public/mediaextractor.te b/prebuilts/api/26.0/public/mediaextractor.te
deleted file mode 100644
index 94824b7..0000000
--- a/prebuilts/api/26.0/public/mediaextractor.te
+++ /dev/null
@@ -1,50 +0,0 @@
-# mediaextractor - multimedia daemon
-type mediaextractor, domain;
-type mediaextractor_exec, exec_type, file_type;
-
-typeattribute mediaextractor mlstrustedsubject;
-
-binder_use(mediaextractor)
-binder_call(mediaextractor, binderservicedomain)
-binder_call(mediaextractor, appdomain)
-binder_service(mediaextractor)
-
-add_service(mediaextractor, mediaextractor_service)
-allow mediaextractor mediametrics_service:service_manager find;
-allow mediaextractor mediacasserver_service:service_manager find;
-
-allow mediaextractor system_server:fd use;
-
-r_dir_file(mediaextractor, cgroup)
-allow mediaextractor proc_meminfo:file r_file_perms;
-
-crash_dump_fallback(mediaextractor)
-
-# allow mediaextractor read permissions for file sources
-allow mediaextractor media_rw_data_file:file { getattr read };
-allow mediaextractor app_data_file:file { getattr read };
-
-# Read resources from open apk files passed over Binder
-allow mediaextractor apk_data_file:file { read getattr };
-allow mediaextractor asec_apk_file:file { read getattr };
-allow mediaextractor ringtone_file:file { read getattr };
-
-###
-### neverallow rules
-###
-
-# mediaextractor should never execute any executable without a
-# domain transition
-neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/26.0/public/mediametrics.te b/prebuilts/api/26.0/public/mediametrics.te
deleted file mode 100644
index 4c10d87..0000000
--- a/prebuilts/api/26.0/public/mediametrics.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# mediametrics - daemon for collecting media.metrics data
-type mediametrics, domain;
-type mediametrics_exec, exec_type, file_type;
-
-
-binder_use(mediametrics)
-binder_call(mediametrics, binderservicedomain)
-binder_service(mediametrics)
-
-add_service(mediametrics, mediametrics_service)
-
-allow mediametrics system_server:fd use;
-
-r_dir_file(mediametrics, cgroup)
-allow mediametrics proc_meminfo:file r_file_perms;
-
-# allows interactions with dumpsys to GMScore
-allow mediametrics app_data_file:file write;
-
-###
-### neverallow rules
-###
-
-# mediametrics should never execute any executable without a
-# domain transition
-neverallow mediametrics { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/26.0/public/mediaserver.te b/prebuilts/api/26.0/public/mediaserver.te
deleted file mode 100644
index 6efaf0f..0000000
--- a/prebuilts/api/26.0/public/mediaserver.te
+++ /dev/null
@@ -1,150 +0,0 @@
-# mediaserver - multimedia daemon
-type mediaserver, domain;
-type mediaserver_exec, exec_type, file_type;
-
-typeattribute mediaserver mlstrustedsubject;
-
-# TODO(b/36375899): replace with hal_client_domain macro on hal_omx
-typeattribute mediaserver halclientdomain;
-
-net_domain(mediaserver)
-
-r_dir_file(mediaserver, sdcard_type)
-r_dir_file(mediaserver, cgroup)
-
-# stat /proc/self
-allow mediaserver proc:lnk_file getattr;
-
-# open /vendor/lib/mediadrm
-allow mediaserver system_file:dir r_dir_perms;
-
-userdebug_or_eng(`
- # ptrace to processes in the same domain for memory leak detection
- allow mediaserver self:process ptrace;
-')
-
-binder_use(mediaserver)
-binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
-binder_service(mediaserver)
-
-allow mediaserver media_data_file:dir create_dir_perms;
-allow mediaserver media_data_file:file create_file_perms;
-allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file rw_file_perms;
-allow mediaserver sdcard_type:file write;
-allow mediaserver gpu_device:chr_file rw_file_perms;
-allow mediaserver video_device:dir r_dir_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
-
-set_prop(mediaserver, audio_prop)
-
-# XXX Label with a specific type?
-allow mediaserver sysfs:file r_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow mediaserver apk_data_file:file { read getattr };
-allow mediaserver asec_apk_file:file { read getattr };
-allow mediaserver ringtone_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow mediaserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow mediaserver appdomain:fifo_file { getattr read write };
-
-allow mediaserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system_server:fifo_file r_file_perms;
-
-r_dir_file(mediaserver, media_rw_data_file)
-
-# Grant access to read files on appfuse.
-allow mediaserver app_fuse_file:file { read getattr };
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver qtaguid_proc:file rw_file_perms;
-allow mediaserver qtaguid_device:chr_file r_file_perms;
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(mediaserver, drmserver, drmserver)
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(mediaserver, bluetooth, bluetooth)
-
-add_service(mediaserver, mediaserver_service)
-allow mediaserver activity_service:service_manager find;
-allow mediaserver appops_service:service_manager find;
-allow mediaserver audioserver_service:service_manager find;
-allow mediaserver cameraserver_service:service_manager find;
-allow mediaserver batterystats_service:service_manager find;
-allow mediaserver drmserver_service:service_manager find;
-allow mediaserver mediaextractor_service:service_manager find;
-allow mediaserver mediacodec_service:service_manager find;
-allow mediaserver mediametrics_service:service_manager find;
-allow mediaserver media_session_service:service_manager find;
-allow mediaserver permission_service:service_manager find;
-allow mediaserver power_service:service_manager find;
-allow mediaserver processinfo_service:service_manager find;
-allow mediaserver scheduling_policy_service:service_manager find;
-allow mediaserver surfaceflinger_service:service_manager find;
-
-# for ModDrm/MediaPlayer
-allow mediaserver mediadrmserver_service:service_manager find;
-
-# For interfacing with OMX HAL
-allow mediaserver hidl_token_hwservice:hwservice_manager find;
-
-# /oem access
-allow mediaserver oemfs:dir search;
-allow mediaserver oemfs:file r_file_perms;
-
-use_drmservice(mediaserver)
-allow mediaserver drmserver:drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-};
-
-# only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow mediaserver media_rw_data_file:dir create_dir_perms;
-allow mediaserver media_rw_data_file:file create_file_perms;
-
-# Access to media in /data/preloads
-allow mediaserver preloads_media_file:file { getattr read ioctl };
-
-allow mediaserver ion_device:chr_file r_file_perms;
-allow mediaserver hal_graphics_allocator:fd use;
-allow mediaserver hal_graphics_composer:fd use;
-allow mediaserver hal_camera:fd use;
-
-allow mediaserver system_server:fd use;
-
-hal_client_domain(mediaserver, hal_allocator)
-
-binder_call(mediaserver, mediacodec)
-
-###
-### neverallow rules
-###
-
-# mediaserver should never execute any executable without a
-# domain transition
-neverallow mediaserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/26.0/public/modprobe.te b/prebuilts/api/26.0/public/modprobe.te
deleted file mode 100644
index 3ed320e..0000000
--- a/prebuilts/api/26.0/public/modprobe.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type modprobe, domain;
-
-allow modprobe proc_modules:file r_file_perms;
-allow modprobe self:capability sys_module;
-allow modprobe kernel:key search;
-recovery_only(`
- allow modprobe rootfs:system module_load;
- allow modprobe rootfs:file r_file_perms;
-')
-allow modprobe { system_file }:system module_load;
-r_dir_file(modprobe, { system_file })
diff --git a/prebuilts/api/26.0/public/mtp.te b/prebuilts/api/26.0/public/mtp.te
deleted file mode 100644
index a776240..0000000
--- a/prebuilts/api/26.0/public/mtp.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# vpn tunneling protocol manager
-type mtp, domain;
-type mtp_exec, exec_type, file_type;
-
-net_domain(mtp)
-
-# pptp policy
-allow mtp self:socket create_socket_perms_no_ioctl;
-allow mtp self:capability net_raw;
-allow mtp ppp:process signal;
-allow mtp vpn_data_file:dir search;
diff --git a/prebuilts/api/26.0/public/net.te b/prebuilts/api/26.0/public/net.te
deleted file mode 100644
index 7e00ed8..0000000
--- a/prebuilts/api/26.0/public/net.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# Network types
-type node, node_type;
-type netif, netif_type;
-type port, port_type;
diff --git a/prebuilts/api/26.0/public/netd.te b/prebuilts/api/26.0/public/netd.te
deleted file mode 100644
index 80fb76d..0000000
--- a/prebuilts/api/26.0/public/netd.te
+++ /dev/null
@@ -1,110 +0,0 @@
-# network manager
-type netd, domain, mlstrustedsubject;
-type netd_exec, exec_type, file_type;
-
-net_domain(netd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
-allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(netd, cgroup)
-allow netd system_server:fd use;
-
-allow netd self:capability { net_admin net_raw kill };
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set. We do not appear to truly need this capability
-# for netd to operate.
-dontaudit netd self:capability fsetid;
-
-allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_route_socket nlmsg_write;
-allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-allow netd shell_exec:file rx_file_perms;
-allow netd system_file:file x_file_perms;
-not_full_treble(`allow netd vendor_file:file x_file_perms;')
-allow netd devpts:chr_file rw_file_perms;
-
-# Acquire advisory lock on /system/etc/xtables.lock
-allow netd system_file:file lock;
-
-r_dir_file(netd, proc_net)
-# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
-
-# Enables PppController and interface enumeration (among others)
-r_dir_file(netd, sysfs_type)
-# Allows setting interface MTU
-allow netd sysfs:file write;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow netd sysfs_usb:file write;
-
-# TODO: netd previously thought it needed these permissions to do WiFi related
-# work. However, after all the WiFi stuff is gone, we still need them.
-# Why?
-allow netd self:capability { dac_override chown };
-
-# Needed to update /data/misc/net/rt_tables
-allow netd net_data_file:file create_file_perms;
-allow netd net_data_file:dir rw_dir_perms;
-allow netd self:capability fowner;
-
-# Allow netd to spawn dnsmasq in it's own domain
-allow netd dnsmasq:process signal;
-
-# Allow netd to start clatd in its own domain
-allow netd clatd:process signal;
-
-set_prop(netd, ctl_mdnsd_prop)
-
-# Allow netd to publish a binder service and make binder calls.
-binder_use(netd)
-add_service(netd, netd_service)
-allow netd dumpstate:fifo_file { getattr write };
-
-# Allow netd to call into the system server so it can check permissions.
-allow netd system_server:binder call;
-allow netd permission_service:service_manager find;
-
-# Allow netd to talk to the framework service which collects netd events.
-allow netd netd_listener_service:service_manager find;
-
-# Allow netd to operate on sockets that are passed to it.
-allow netd netdomain:{
- tcp_socket
- udp_socket
- rawip_socket
- tun_socket
-} { read write getattr setattr getopt setopt };
-allow netd netdomain:fd use;
-
-# give netd permission to read and write netlink xfrm
-allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
-
-###
-### Neverallow rules
-###
-### netd should NEVER do any of this
-
-# Block device access.
-neverallow netd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow netd { domain }:process ptrace;
-
-# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
-
-# only system_server, dumpstate and netd may interact with netd over binder
-neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
-neverallow { domain -system_server -dumpstate } netd:binder call;
-neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/prebuilts/api/26.0/public/netutils_wrapper.te b/prebuilts/api/26.0/public/netutils_wrapper.te
deleted file mode 100644
index c844762..0000000
--- a/prebuilts/api/26.0/public/netutils_wrapper.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type netutils_wrapper, domain;
-type netutils_wrapper_exec, exec_type, file_type;
-
-neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/prebuilts/api/26.0/public/neverallow_macros b/prebuilts/api/26.0/public/neverallow_macros
deleted file mode 100644
index e2b6ed1..0000000
--- a/prebuilts/api/26.0/public/neverallow_macros
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Common neverallow permissions
-define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
-define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
-define(`no_x_file_perms', `{ execute execute_no_trans }')
-define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
-
-#####################################
-# neverallow_establish_socket_comms(src, dst)
-# neverallow src domain establishing socket connections to dst domain.
-#
-define(`neverallow_establish_socket_comms', `
- neverallow $1 $2:socket_class_set { connect sendto };
- neverallow $1 $2:unix_stream_socket connectto;
-')
diff --git a/prebuilts/api/26.0/public/otapreopt_chroot.te b/prebuilts/api/26.0/public/otapreopt_chroot.te
deleted file mode 100644
index c071f44..0000000
--- a/prebuilts/api/26.0/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# otapreopt_chroot executable
-type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, exec_type, file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:capability { sys_admin sys_chroot };
-
-# This is required to mount /vendor.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem mount;
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/prebuilts/api/26.0/public/otapreopt_slot.te b/prebuilts/api/26.0/public/otapreopt_slot.te
deleted file mode 100644
index 6551864..0000000
--- a/prebuilts/api/26.0/public/otapreopt_slot.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# otapreopt_slot
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-type otapreopt_slot, domain, mlstrustedsubject;
-type otapreopt_slot_exec, exec_type, file_type;
-
-
-# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
-# the directory afterwards. For logging of aggregate size, we need getattr.
-allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
-allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
-# (du follows symlinks)
-allow otapreopt_slot ota_data_file:lnk_file read;
-
-# Delete old content of the dalvik-cache.
-allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
-allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
-allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow otapreopt_slot shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
-# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
-allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/26.0/public/performanced.te b/prebuilts/api/26.0/public/performanced.te
deleted file mode 100644
index 3d3fadb..0000000
--- a/prebuilts/api/26.0/public/performanced.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# performanced
-type performanced, domain, mlstrustedsubject;
-type performanced_exec, exec_type, file_type;
-
-pdx_server(performanced, performance_client)
-
-# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
-allow performanced self:capability { setuid setgid sys_nice };
-
-# Access /proc to validate we're only affecting threads in the same thread group.
-# Performanced also shields unbound kernel threads. It scans every task in the
-# root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
-dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
-
-# Access /dev/cpuset/cpuset.cpus
-r_dir_file(performanced, cgroup)
diff --git a/prebuilts/api/26.0/public/perfprofd.te b/prebuilts/api/26.0/public/perfprofd.te
deleted file mode 100644
index bfb8693..0000000
--- a/prebuilts/api/26.0/public/perfprofd.te
+++ /dev/null
@@ -1,59 +0,0 @@
-# perfprofd - perf profile collection daemon
-type perfprofd, domain;
-type perfprofd_exec, exec_type, file_type;
-
-userdebug_or_eng(`
-
- typeattribute perfprofd coredomain;
- typeattribute perfprofd mlstrustedsubject;
-
- # perfprofd needs to control CPU hot-plug in order to avoid kernel
- # perfevents problems in cases where CPU goes on/off during measurement;
- # this means read access to /sys/devices/system/cpu/possible
- # and read/write access to /sys/devices/system/cpu/cpu*/online
- allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
-
- # perfprofd checks for the existence of and then invokes simpleperf;
- # simpleperf retains perfprofd domain after exec
- allow perfprofd system_file:file rx_file_perms;
-
- # perfprofd reads a config file from /data/data/com.google.android.gms/files
- allow perfprofd app_data_file:file r_file_perms;
- allow perfprofd app_data_file:dir search;
- allow perfprofd self:capability { dac_override };
-
- # perfprofd opens a file for writing in /data/misc/perfprofd
- allow perfprofd perfprofd_data_file:file create_file_perms;
- allow perfprofd perfprofd_data_file:dir rw_dir_perms;
-
- # perfprofd uses the system log
- read_logd(perfprofd);
- write_logd(perfprofd);
-
- # perfprofd inspects /sys/power/wake_unlock
- wakelock_use(perfprofd);
-
- # simpleperf uses ioctl() to turn on kernel perf events measurements
- allow perfprofd self:capability sys_admin;
-
- # simpleperf needs to examine /proc to collect task/thread info
- r_dir_file(perfprofd, domain)
-
- # simpleperf needs to access /proc/<pid>/exec
- allow perfprofd self:capability { sys_resource sys_ptrace };
- neverallow perfprofd domain:process ptrace;
-
- # simpleperf needs open/read any file that turns up in a profile
- # to see whether it has a build ID
- allow perfprofd exec_type:file r_file_perms;
-
- # simpleperf examines debugfs on startup to collect tracepoint event types
- allow perfprofd debugfs_tracing:file r_file_perms;
-
- # simpleperf is going to execute "sleep"
- allow perfprofd toolbox_exec:file rx_file_perms;
-
- # needed for simpleperf on some kernels
- allow perfprofd self:capability ipc_lock;
-
-')
diff --git a/prebuilts/api/26.0/public/postinstall.te b/prebuilts/api/26.0/public/postinstall.te
deleted file mode 100644
index 7fd4dc6..0000000
--- a/prebuilts/api/26.0/public/postinstall.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# Domain where the postinstall program runs during the update.
-# Extend the permissions in this domain to allow this program to access other
-# files needed by the specific device on your device's sepolicy directory.
-type postinstall, domain;
-
-# Allow postinstall to write to its stdout/stderr when redirected via pipes to
-# update_engine.
-allow postinstall update_engine_common:fd use;
-allow postinstall update_engine_common:fifo_file rw_file_perms;
-
-# Allow postinstall to read and execute directories and files in the same
-# mounted location.
-allow postinstall postinstall_file:file rx_file_perms;
-allow postinstall postinstall_file:lnk_file r_file_perms;
-allow postinstall postinstall_file:dir r_dir_perms;
-
-# Allow postinstall to execute the shell or other system executables.
-allow postinstall shell_exec:file rx_file_perms;
-allow postinstall system_file:file rx_file_perms;
-allow postinstall toolbox_exec:file rx_file_perms;
-
-#
-# For OTA dexopt.
-#
-
-# Allow postinstall scripts to talk to the system server.
-binder_use(postinstall)
-binder_call(postinstall, system_server)
-
-# Need to talk to the otadexopt service.
-allow postinstall otadexopt_service:service_manager find;
-
-# No domain other than update_engine and recovery (via update_engine_sideload)
-# should transition to postinstall, as it is only meant to run during the
-# update.
-neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/prebuilts/api/26.0/public/postinstall_dexopt.te b/prebuilts/api/26.0/public/postinstall_dexopt.te
deleted file mode 100644
index 0ce617b..0000000
--- a/prebuilts/api/26.0/public/postinstall_dexopt.te
+++ /dev/null
@@ -1,57 +0,0 @@
-# Domain for the otapreopt executable, running under postinstall_dexopt
-#
-# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
-# this is derived and adapted from installd.te.
-
-type postinstall_dexopt, domain;
-
-allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
-
-allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr search };
-allow postinstall_dexopt postinstall_file:lnk_file read;
-allow postinstall_dexopt proc:file { getattr open read };
-allow postinstall_dexopt tmpfs:file read;
-
-# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
-# here and having to relabel the directory.
-
-# Read app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, apk_data_file)
-# Read vendor app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_app_file)
-# Access to app oat directory.
-r_dir_file(postinstall_dexopt, dalvikcache_data_file)
-
-# Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
-allow postinstall_dexopt user_profile_data_file:file r_file_perms;
-
-# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
-allow postinstall_dexopt ota_data_file:dir create_dir_perms;
-allow postinstall_dexopt ota_data_file:file create_file_perms;
-allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
-
-# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
-# TODO: See whether we can apply ota_data_file?
-allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
-allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
-
-# Allow labeling of files under /data/app/com.example/oat/
-# TODO: Restrict to .b suffix?
-allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
-allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
-
-# Check validity of SELinux context before use.
-selinux_check_context(postinstall_dexopt)
-selinux_check_access(postinstall_dexopt)
-
-
-# Postinstall wants to know about our child.
-allow postinstall_dexopt postinstall:process sigchld;
-
-# Allow otapreopt to use file descriptors from otapreopt_chroot.
-# TODO: Probably we can actually close file descriptors...
-allow postinstall_dexopt otapreopt_chroot:fd use;
-
-allow postinstall_dexopt cpuctl_device:dir search;
diff --git a/prebuilts/api/26.0/public/ppp.te b/prebuilts/api/26.0/public/ppp.te
deleted file mode 100644
index 04e17f5..0000000
--- a/prebuilts/api/26.0/public/ppp.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# Point to Point Protocol daemon
-type ppp, domain;
-type ppp_device, dev_type;
-type ppp_exec, exec_type, file_type;
-
-net_domain(ppp)
-
-r_dir_file(ppp, proc_net)
-
-allow ppp mtp:socket rw_socket_perms;
-
-# ioctls needed for VPN.
-allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:socket ioctl ppp_ioctls;
-
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
-allow ppp system_file:file rx_file_perms;
-not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/prebuilts/api/26.0/public/preopt2cachename.te b/prebuilts/api/26.0/public/preopt2cachename.te
deleted file mode 100644
index 49df647..0000000
--- a/prebuilts/api/26.0/public/preopt2cachename.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# preopt2cachename executable
-#
-# This executable translates names from the preopted versions the build system
-# creates to the names the runtime expects in the data directory.
-type preopt2cachename, domain;
-type preopt2cachename_exec, exec_type, file_type;
-
-# Allow write to stdout.
-allow preopt2cachename cppreopts:fd use;
-allow preopt2cachename cppreopts:fifo_file { getattr read write };
-
-# Allow write to logcat.
-allow preopt2cachename proc_net:file r_file_perms;
diff --git a/prebuilts/api/26.0/public/profman.te b/prebuilts/api/26.0/public/profman.te
deleted file mode 100644
index a5c18b5..0000000
--- a/prebuilts/api/26.0/public/profman.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# profman
-type profman, domain;
-type profman_exec, exec_type, file_type;
-
-allow profman user_profile_data_file:file { getattr read write lock };
-
-# Dumping profile info opens the application APK file for pretty printing.
-allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { read };
-allow profman oemfs:file { read };
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-allow profman tmpfs:file { read };
-allow profman profman_dump_data_file:file { write };
-
-allow profman installd:fd use;
-
-# Allow profman to analyze profiles for the secondary dex files. These
-# are application dex files reported back to the framework when using
-# BaseDexClassLoader.
-allow profman app_data_file:file { getattr read write lock };
-
-###
-### neverallow rules
-###
-
-neverallow profman app_data_file:notdevfile_class_set open;
diff --git a/prebuilts/api/26.0/public/property.te b/prebuilts/api/26.0/public/property.te
deleted file mode 100644
index 232872c..0000000
--- a/prebuilts/api/26.0/public/property.te
+++ /dev/null
@@ -1,90 +0,0 @@
-type asan_reboot_prop, property_type;
-type audio_prop, property_type, core_property_type;
-type boottime_prop, property_type;
-type boottime_public_prop, property_type;
-type bluetooth_prop, property_type;
-type config_prop, property_type, core_property_type;
-type cppreopt_prop, property_type, core_property_type;
-type ctl_bootanim_prop, property_type;
-type ctl_bugreport_prop, property_type;
-type ctl_console_prop, property_type;
-type ctl_default_prop, property_type;
-type ctl_dumpstate_prop, property_type;
-type ctl_fuse_prop, property_type;
-type ctl_mdnsd_prop, property_type;
-type ctl_rildaemon_prop, property_type;
-type dalvik_prop, property_type, core_property_type;
-type debuggerd_prop, property_type, core_property_type;
-type debug_prop, property_type, core_property_type;
-type default_prop, property_type, core_property_type;
-type device_logging_prop, property_type;
-type dhcp_prop, property_type, core_property_type;
-type dumpstate_options_prop, property_type;
-type dumpstate_prop, property_type, core_property_type;
-type ffs_prop, property_type, core_property_type;
-type fingerprint_prop, property_type, core_property_type;
-type firstboot_prop, property_type;
-type hwservicemanager_prop, property_type;
-type logd_prop, property_type, core_property_type;
-type logpersistd_logging_prop, property_type;
-type log_prop, property_type, log_property_type;
-type log_tag_prop, property_type, log_property_type;
-type mmc_prop, property_type;
-type net_dns_prop, property_type;
-type net_radio_prop, property_type, core_property_type;
-type nfc_prop, property_type, core_property_type;
-type overlay_prop, property_type;
-type pan_result_prop, property_type, core_property_type;
-type persist_debug_prop, property_type, core_property_type;
-type persistent_properties_ready_prop, property_type;
-type powerctl_prop, property_type, core_property_type;
-type radio_prop, property_type, core_property_type;
-type restorecon_prop, property_type, core_property_type;
-type safemode_prop, property_type;
-type serialno_prop, property_type;
-type shell_prop, property_type, core_property_type;
-type system_prop, property_type, core_property_type;
-type system_radio_prop, property_type, core_property_type;
-type vold_prop, property_type, core_property_type;
-type wifi_log_prop, property_type, log_property_type;
-type wifi_prop, property_type;
-
-allow property_type tmpfs:filesystem associate;
-
-###
-### Neverallow rules
-###
-
-# core_property_type should not be used for new properties or
-# device specific properties. Properties with this attribute
-# are readable to everyone, which is overly broad and should
-# be avoided.
-# New properties should have appropriate read / write access
-# control rules written.
-
-neverallow * {
- core_property_type
- -audio_prop
- -config_prop
- -cppreopt_prop
- -dalvik_prop
- -debuggerd_prop
- -debug_prop
- -default_prop
- -dhcp_prop
- -dumpstate_prop
- -ffs_prop
- -fingerprint_prop
- -logd_prop
- -net_radio_prop
- -nfc_prop
- -pan_result_prop
- -persist_debug_prop
- -powerctl_prop
- -radio_prop
- -restorecon_prop
- -shell_prop
- -system_prop
- -system_radio_prop
- -vold_prop
-}:file no_rw_file_perms;
diff --git a/prebuilts/api/26.0/public/racoon.te b/prebuilts/api/26.0/public/racoon.te
deleted file mode 100644
index 00744d8..0000000
--- a/prebuilts/api/26.0/public/racoon.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# IKE key management daemon
-type racoon, domain;
-type racoon_exec, exec_type, file_type;
-
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allow racoon cgroup:dir { add_name create };
-allow racoon kernel:system module_request;
-
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:capability { net_admin net_bind_service net_raw };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
- get
- sign
- verify
-};
diff --git a/prebuilts/api/26.0/public/radio.te b/prebuilts/api/26.0/public/radio.te
deleted file mode 100644
index 6f29a70..0000000
--- a/prebuilts/api/26.0/public/radio.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# phone subsystem
-type radio, domain, mlstrustedsubject;
-
-net_domain(radio)
-bluetooth_domain(radio)
-binder_service(radio)
-
-# Talks to rild via the rild socket only for devices without full treble
-not_full_treble(`unix_socket_connect(radio, rild, rild)')
-
-# Data file accesses.
-allow radio radio_data_file:dir create_dir_perms;
-allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
-allow radio alarm_device:chr_file rw_file_perms;
-
-allow radio net_data_file:dir search;
-allow radio net_data_file:file r_file_perms;
-
-# Property service
-set_prop(radio, radio_prop)
-set_prop(radio, net_radio_prop)
-
-# ctl interface
-set_prop(radio, ctl_rildaemon_prop)
-
-add_service(radio, radio_service)
-allow radio audioserver_service:service_manager find;
-allow radio cameraserver_service:service_manager find;
-allow radio drmserver_service:service_manager find;
-allow radio mediaserver_service:service_manager find;
-allow radio nfc_service:service_manager find;
-allow radio surfaceflinger_service:service_manager find;
-allow radio app_api_service:service_manager find;
-allow radio system_api_service:service_manager find;
-
-# Perform HwBinder IPC.
-hwbinder_use(radio)
-hal_client_domain(radio, hal_telephony)
diff --git a/prebuilts/api/26.0/public/recovery.te b/prebuilts/api/26.0/public/recovery.te
deleted file mode 100644
index f55dc8a..0000000
--- a/prebuilts/api/26.0/public/recovery.te
+++ /dev/null
@@ -1,143 +0,0 @@
-# recovery console (used in recovery init.rc for /sbin/recovery)
-
-# Declare the domain unconditionally so we can always reference it
-# in neverallow rules.
-type recovery, domain;
-
-# But the allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
- # Allow recovery to perform an update as update_engine would do.
- typeattribute recovery update_engine_common;
- # Recovery can only use HALs in passthrough mode
- passthrough_hal_client_domain(recovery, hal_bootctl)
-
- allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
-
- # Set security contexts on files that are not known to the loaded policy.
- allow recovery self:capability2 mac_admin;
-
- # Run helpers from / or /system without changing domain.
- allow recovery rootfs:file execute_no_trans;
- allow recovery system_file:file execute_no_trans;
- allow recovery toolbox_exec:file rx_file_perms;
-
- # Mount filesystems.
- allow recovery rootfs:dir mounton;
- allow recovery fs_type:filesystem ~relabelto;
- allow recovery unlabeled:filesystem ~relabelto;
- allow recovery contextmount_type:filesystem relabelto;
-
- # Create and relabel files and directories under /system.
- allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
-
- # We may be asked to set an SELinux label for a type not known to the
- # currently loaded policy. Allow it.
- allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
- # Get file contexts
- allow recovery file_contexts_file:file r_file_perms;
-
- # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
- # support to OTAs. However, that code has a bug. When an update occurs,
- # some directories are inappropriately labeled as exec_type. This is
- # only transient, and subsequent steps in the OTA script correct this
- # mistake. New devices are moving to block based OTAs, so this is not
- # worth fixing. b/15575013
- allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
-
- # Write to /proc/sys/vm/drop_caches
- allow recovery proc_drop_caches:file w_file_perms;
-
- # Read kernel config through libvintf for OTA matching
- allow recovery config_gz:file { open read getattr };
-
- # Write to /sys/class/android_usb/android0/enable.
- # TODO: create more specific label?
- allow recovery sysfs:file w_file_perms;
-
- # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
- allow recovery sysfs_devices_system_cpu:file w_file_perms;
-
- allow recovery sysfs_batteryinfo:file r_file_perms;
-
- # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
- # control backlight brightness.
- allow recovery sysfs_leds:dir r_dir_perms;
- allow recovery sysfs_leds:file rw_file_perms;
- allow recovery sysfs_leds:lnk_file read;
-
- allow recovery kernel:system syslog_read;
-
- # Access /dev/usb-ffs/adb/ep0
- allow recovery functionfs:dir search;
- allow recovery functionfs:file rw_file_perms;
-
- # Required to e.g. wipe userdata/cache.
- allow recovery device:dir r_dir_perms;
- allow recovery block_device:dir r_dir_perms;
- allow recovery dev_type:blk_file rw_file_perms;
-
- # GUI
- allow recovery graphics_device:chr_file rw_file_perms;
- allow recovery graphics_device:dir r_dir_perms;
- allow recovery input_device:dir r_dir_perms;
- allow recovery input_device:chr_file r_file_perms;
- allow recovery tty_device:chr_file rw_file_perms;
-
- # Create /tmp/recovery.log and execute /tmp/update_binary.
- allow recovery tmpfs:file { create_file_perms x_file_perms };
- allow recovery tmpfs:dir create_dir_perms;
-
- # Manage files on /cache and /cache/recovery
- allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
- allow recovery { cache_file cache_recovery_file }:file create_file_perms;
-
- # Read /sys/class/thermal/*/temp for thermal info.
- r_dir_file(recovery, sysfs_thermal)
-
- # Read files on /oem.
- r_dir_file(recovery, oemfs);
-
- # Reboot the device
- set_prop(recovery, powerctl_prop)
-
- # Start/stop adbd via ctl.start adbd
- set_prop(recovery, ctl_default_prop)
-
- # Read serial number of the device from system properties
- get_prop(recovery, serialno_prop)
-
- # Use setfscreatecon() to label files for OTA updates.
- allow recovery self:process setfscreate;
-
- # Allow recovery to create a fuse filesystem, and read files from it.
- allow recovery fuse_device:chr_file rw_file_perms;
- allow recovery fuse:dir r_dir_perms;
- allow recovery fuse:file r_file_perms;
-
- wakelock_use(recovery)
-
- # This line seems suspect, as it should not really need to
- # set scheduling parameters for a kernel domain task.
- allow recovery kernel:process setsched;
-')
-
-###
-### neverallow rules
-###
-
-# Recovery should never touch /data.
-#
-# In particular, if /data is encrypted, it is not accessible
-# to recovery anyway.
-#
-# For now, we only enforce write/execute restrictions, as domain.te
-# contains a number of read-only rules that apply to all
-# domains, including recovery.
-#
-# TODO: tighten this up further.
-neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
-neverallow recovery data_file_type:dir no_w_dir_perms;
diff --git a/prebuilts/api/26.0/public/recovery_persist.te b/prebuilts/api/26.0/public/recovery_persist.te
deleted file mode 100644
index 091d300..0000000
--- a/prebuilts/api/26.0/public/recovery_persist.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# android recovery persistent log manager
-type recovery_persist, domain;
-type recovery_persist_exec, exec_type, file_type;
-
-allow recovery_persist pstorefs:dir search;
-allow recovery_persist pstorefs:file r_file_perms;
-
-allow recovery_persist recovery_data_file:file create_file_perms;
-allow recovery_persist recovery_data_file:dir create_dir_perms;
-
-###
-### Neverallow rules
-###
-### recovery_persist should NEVER do any of this
-
-# Block device access.
-neverallow recovery_persist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_persist domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_persist system_file:dir_file_class_set write;
-
-# Write to files in /data/data
-neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write;
-
diff --git a/prebuilts/api/26.0/public/recovery_refresh.te b/prebuilts/api/26.0/public/recovery_refresh.te
deleted file mode 100644
index 602ed51..0000000
--- a/prebuilts/api/26.0/public/recovery_refresh.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# android recovery refresh log manager
-type recovery_refresh, domain;
-type recovery_refresh_exec, exec_type, file_type;
-
-allow recovery_refresh pstorefs:dir search;
-allow recovery_refresh pstorefs:file r_file_perms;
-# NB: domain inherits write_logd which hands us write to pmsg_device
-
-###
-### Neverallow rules
-###
-### recovery_refresh should NEVER do any of this
-
-# Block device access.
-neverallow recovery_refresh dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_refresh domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_refresh system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write;
diff --git a/prebuilts/api/26.0/public/rild.te b/prebuilts/api/26.0/public/rild.te
deleted file mode 100644
index 14420df..0000000
--- a/prebuilts/api/26.0/public/rild.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# rild - radio interface layer daemon
-type rild, domain;
-hal_server_domain(rild, hal_telephony)
-
-net_domain(rild)
-allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
-
-allow rild self:netlink_route_socket nlmsg_write;
-allow rild kernel:system module_request;
-allow rild self:capability { setpcap setgid setuid net_admin net_raw };
-allow rild alarm_device:chr_file rw_file_perms;
-allow rild cgroup:dir create_dir_perms;
-allow rild cgroup:{ file lnk_file } r_file_perms;
-allow rild radio_device:chr_file rw_file_perms;
-allow rild radio_device:blk_file r_file_perms;
-allow rild mtd_device:dir search;
-allow rild efs_file:dir create_dir_perms;
-allow rild efs_file:file create_file_perms;
-allow rild shell_exec:file rx_file_perms;
-allow rild bluetooth_efs_file:file r_file_perms;
-allow rild bluetooth_efs_file:dir r_dir_perms;
-allow rild radio_data_file:dir rw_dir_perms;
-allow rild radio_data_file:file create_file_perms;
-allow rild sdcard_type:dir r_dir_perms;
-allow rild system_data_file:dir r_dir_perms;
-allow rild system_data_file:file r_file_perms;
-allow rild system_file:file x_file_perms;
-
-# property service
-set_prop(rild, radio_prop)
-
-allow rild tty_device:chr_file rw_file_perms;
-
-# Allow rild to create and use netlink sockets.
-allow rild self:netlink_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Access to wake locks
-wakelock_use(rild)
-
-r_dir_file(rild, proc)
-r_dir_file(rild, proc_net)
-r_dir_file(rild, sysfs_type)
-r_dir_file(rild, system_file)
-
-# granting the ioctl permission for rild should be device specific
-allow rild self:socket create_socket_perms_no_ioctl;
-
diff --git a/prebuilts/api/26.0/public/runas.te b/prebuilts/api/26.0/public/runas.te
deleted file mode 100644
index 7a7febf..0000000
--- a/prebuilts/api/26.0/public/runas.te
+++ /dev/null
@@ -1,37 +0,0 @@
-type runas, domain, mlstrustedsubject;
-type runas_exec, exec_type, file_type;
-
-allow runas adbd:process sigchld;
-allow runas adbd:unix_stream_socket { read write };
-allow runas shell:fd use;
-allow runas shell:fifo_file { read write };
-allow runas shell:unix_stream_socket { read write };
-allow runas devpts:chr_file { read write ioctl };
-allow runas shell_data_file:file { read write };
-
-# run-as reads package information.
-allow runas system_data_file:file r_file_perms;
-
-# run-as checks and changes to the app data dir.
-dontaudit runas self:capability dac_override;
-allow runas app_data_file:dir { getattr search };
-
-# run-as switches to the app UID/GID.
-allow runas self:capability { setuid setgid };
-
-# run-as switches to the app security context.
-selinux_check_context(runas) # validate context
-allow runas self:process setcurrent;
-allow runas non_system_app_set:process dyntransition; # setcon
-
-# runas/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow runas seapp_contexts_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:capability ~{ setuid setgid };
-neverallow runas self:capability2 *;
diff --git a/prebuilts/api/26.0/public/sdcardd.te b/prebuilts/api/26.0/public/sdcardd.te
deleted file mode 100644
index 47a2f80..0000000
--- a/prebuilts/api/26.0/public/sdcardd.te
+++ /dev/null
@@ -1,43 +0,0 @@
-type sdcardd, domain;
-type sdcardd_exec, exec_type, file_type;
-
-allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd fuse_device:chr_file rw_file_perms;
-allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
-allow sdcardd sdcardfs:filesystem remount;
-allow sdcardd tmpfs:dir r_dir_perms;
-allow sdcardd mnt_media_rw_file:dir r_dir_perms;
-allow sdcardd storage_file:dir search;
-allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
-
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
-
-allow sdcardd media_rw_data_file:dir create_dir_perms;
-allow sdcardd media_rw_data_file:file create_file_perms;
-
-# Read /data/system/packages.list.
-allow sdcardd system_data_file:file r_file_perms;
-
-# Read /data/.layout_version
-allow sdcardd install_data_file:file r_file_perms;
-
-# Allow stdin/out back to vold
-allow sdcardd vold:fd use;
-allow sdcardd vold:fifo_file { read write getattr };
-
-# Allow running on top of expanded storage
-allow sdcardd mnt_expand_file:dir search;
-
-# access /proc/filesystems
-allow sdcardd proc:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# The sdcard daemon should no longer be started from init
-neverallow init sdcardd_exec:file execute;
-neverallow init sdcardd:process { transition dyntransition };
diff --git a/prebuilts/api/26.0/public/service.te b/prebuilts/api/26.0/public/service.te
deleted file mode 100644
index da540db..0000000
--- a/prebuilts/api/26.0/public/service.te
+++ /dev/null
@@ -1,147 +0,0 @@
-type audioserver_service, service_manager_type;
-type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
-type bluetooth_service, service_manager_type;
-type cameraserver_service, service_manager_type;
-type default_android_service, service_manager_type;
-type drmserver_service, service_manager_type;
-type dumpstate_service, service_manager_type;
-type fingerprintd_service, service_manager_type;
-type hal_fingerprint_service, service_manager_type;
-type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, service_manager_type;
-type inputflinger_service, service_manager_type;
-type incident_service, service_manager_type;
-type installd_service, service_manager_type;
-type keystore_service, service_manager_type;
-type mediaserver_service, service_manager_type;
-type mediametrics_service, service_manager_type;
-type mediaextractor_service, service_manager_type;
-type mediacodec_service, service_manager_type;
-type mediadrmserver_service, service_manager_type;
-type mediacasserver_service, service_manager_type;
-type netd_service, service_manager_type;
-type nfc_service, service_manager_type;
-type radio_service, service_manager_type;
-type storaged_service, service_manager_type;
-type surfaceflinger_service, service_manager_type;
-type system_app_service, service_manager_type;
-type update_engine_service, service_manager_type;
-type virtual_touchpad_service, service_manager_type;
-type vr_hwc_service, service_manager_type;
-
-# system_server_services broken down
-type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type battery_service, system_server_service, service_manager_type;
-type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type cameraproxy_service, system_server_service, service_manager_type;
-type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type contexthub_service, app_api_service, system_server_service, service_manager_type;
-type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type commontime_management_service, system_server_service, service_manager_type;
-type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
-# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
-type coverage_service, system_server_service, service_manager_type;
-type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
-type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type devicestoragemonitor_service, system_server_service, service_manager_type;
-type diskstats_service, system_api_service, system_server_service, service_manager_type;
-type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netd_listener_service, system_server_service, service_manager_type;
-type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hardware_service, system_server_service, service_manager_type;
-type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
-type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type lock_settings_service, system_api_service, system_server_service, service_manager_type;
-type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type meminfo_service, system_api_service, system_server_service, service_manager_type;
-type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_score_service, system_api_service, system_server_service, service_manager_type;
-type network_time_update_service, system_server_service, service_manager_type;
-type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type oem_lock_service, system_api_service, system_server_service, service_manager_type;
-type otadexopt_service, system_server_service, service_manager_type;
-type overlay_service, system_server_service, service_manager_type;
-type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
-type pinner_service, system_server_service, service_manager_type;
-type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type processinfo_service, system_server_service, service_manager_type;
-type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type recovery_service, system_server_service, service_manager_type;
-type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, system_server_service, service_manager_type;
-type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
-type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type serial_service, system_api_service, system_server_service, service_manager_type;
-type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type shortcut_service, app_api_service, system_server_service, service_manager_type;
-type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type task_service, system_server_service, service_manager_type;
-type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, system_server_service, service_manager_type;
-type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type updatelock_service, system_api_service, system_server_service, service_manager_type;
-type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, system_server_service, service_manager_type;
-type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vr_manager_service, system_server_service, service_manager_type;
-type wallpaper_service, app_api_service, system_server_service, service_manager_type;
-type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type wifip2p_service, app_api_service, system_server_service, service_manager_type;
-type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wificond_service, service_manager_type;
-type wifiaware_service, app_api_service, system_server_service, service_manager_type;
-type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/26.0/public/servicemanager.te b/prebuilts/api/26.0/public/servicemanager.te
deleted file mode 100644
index 3cf5a46..0000000
--- a/prebuilts/api/26.0/public/servicemanager.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# servicemanager - the Binder context manager
-type servicemanager, domain, mlstrustedsubject;
-type servicemanager_exec, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains. It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
- domain
- -init
- -hwservicemanager
- -vndservicemanager
-}:binder transfer;
-
-# Access to all (system and vendor) service_contexts
-# TODO(b/36866029) access to nonplat_service_contexts
-# should not be allowed on full treble devices
-allow servicemanager service_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(servicemanager)
diff --git a/prebuilts/api/26.0/public/sgdisk.te b/prebuilts/api/26.0/public/sgdisk.te
deleted file mode 100644
index 3007398..0000000
--- a/prebuilts/api/26.0/public/sgdisk.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# sgdisk called from vold
-type sgdisk, domain;
-type sgdisk_exec, exec_type, file_type;
-
-# Allowed to read/write low-level partition tables
-allow sgdisk block_device:dir search;
-allow sgdisk vold_device:blk_file rw_file_perms;
-
-# Inherit and use pty created by android_fork_execvp()
-allow sgdisk devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow sgdisk vold:fd use;
-allow sgdisk vold:fifo_file { read write getattr };
-
-# Used to probe kernel to reload partition tables
-allow sgdisk self:capability sys_admin;
-
-# Only allow entry from vold
-neverallow { domain -vold } sgdisk:process transition;
-neverallow * sgdisk:process dyntransition;
-neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/public/shared_relro.te b/prebuilts/api/26.0/public/shared_relro.te
deleted file mode 100644
index 91cf44d..0000000
--- a/prebuilts/api/26.0/public/shared_relro.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain;
-
-# Grant write access to the shared relro files/directory.
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro webviewupdate_service:service_manager find;
diff --git a/prebuilts/api/26.0/public/shell.te b/prebuilts/api/26.0/public/shell.te
deleted file mode 100644
index 1fb896a..0000000
--- a/prebuilts/api/26.0/public/shell.te
+++ /dev/null
@@ -1,184 +0,0 @@
-# Domain for shell processes spawned by ADB or console service.
-type shell, domain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
-
-# Create and use network sockets.
-net_domain(shell)
-
-# logcat
-read_logd(shell)
-control_logd(shell)
-# logcat -L (directly, or via dumpstate)
-allow shell pstorefs:dir search;
-allow shell pstorefs:file r_file_perms;
-
-# Root fs.
-allow shell rootfs:dir r_dir_perms;
-
-# read files in /data/anr
-allow shell anr_data_file:dir r_dir_perms;
-allow shell anr_data_file:file r_file_perms;
-
-# Access /data/local/tmp.
-allow shell shell_data_file:dir create_dir_perms;
-allow shell shell_data_file:file create_file_perms;
-allow shell shell_data_file:file rx_file_perms;
-allow shell shell_data_file:lnk_file create_file_perms;
-
-# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
-
-# Read/execute files in /data/nativetest
-userdebug_or_eng(`
- allow shell nativetest_data_file:dir r_dir_perms;
- allow shell nativetest_data_file:file rx_file_perms;
-')
-
-# adb bugreport
-unix_socket_connect(shell, dumpstate, dumpstate)
-
-allow shell devpts:chr_file rw_file_perms;
-allow shell tty_device:chr_file rw_file_perms;
-allow shell console_device:chr_file rw_file_perms;
-allow shell input_device:dir r_dir_perms;
-allow shell input_device:chr_file rw_file_perms;
-r_dir_file(shell, system_file)
-allow shell system_file:file x_file_perms;
-allow shell toolbox_exec:file rx_file_perms;
-allow shell shell_exec:file rx_file_perms;
-allow shell zygote_exec:file rx_file_perms;
-
-r_dir_file(shell, apk_data_file)
-
-# Set properties.
-set_prop(shell, shell_prop)
-set_prop(shell, ctl_bugreport_prop)
-set_prop(shell, ctl_dumpstate_prop)
-set_prop(shell, dumpstate_prop)
-set_prop(shell, debug_prop)
-set_prop(shell, powerctl_prop)
-set_prop(shell, log_tag_prop)
-set_prop(shell, wifi_log_prop)
-# adjust is_loggable properties
-userdebug_or_eng(`set_prop(shell, log_prop)')
-# logpersist script
-userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-
-userdebug_or_eng(`
- # "systrace --boot" support - allow boottrace service to run
- allow shell boottrace_data_file:dir rw_dir_perms;
- allow shell boottrace_data_file:file create_file_perms;
- set_prop(shell, persist_debug_prop)
-')
-
-# Read device's serial number from system properties
-get_prop(shell, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(shell, device_logging_prop)
-
-# allow shell access to services
-allow shell servicemanager:service_manager list;
-# don't allow shell to access GateKeeper service
-# TODO: why is this so broad? Tightening candidate? It needs at list:
-# - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
-allow shell dumpstate:binder call;
-
-# allow shell to get information from hwservicemanager
-# for instance, listing hardware services with lshal
-hwbinder_use(shell)
-allow shell hwservicemanager:hwservice_manager list;
-
-# allow shell to look through /proc/ for ps, top, netstat
-r_dir_file(shell, proc)
-r_dir_file(shell, proc_net)
-allow shell proc_interrupts:file r_file_perms;
-allow shell proc_meminfo:file r_file_perms;
-allow shell proc_stat:file r_file_perms;
-allow shell proc_timer:file r_file_perms;
-allow shell proc_zoneinfo:file r_file_perms;
-r_dir_file(shell, cgroup)
-allow shell domain:dir { search open read getattr };
-allow shell domain:{ file lnk_file } { open read getattr };
-
-# statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
-allow shell { proc labeledfs }:filesystem getattr;
-
-# stat() of /dev
-allow shell device:dir getattr;
-
-# allow shell to read /proc/pid/attr/current for ps -Z
-allow shell domain:process getattr;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow shell selinuxfs:dir r_dir_perms;
-allow shell selinuxfs:file r_file_perms;
-
-# enable shell domain to read/write files/dirs for bootchart data
-# User will creates the start and stop file via adb shell
-# and read other files created by init process under /data/bootchart
-allow shell bootchart_data_file:dir rw_dir_perms;
-allow shell bootchart_data_file:file create_file_perms;
-
-# Make sure strace works for the non-privileged shell user
-allow shell self:process ptrace;
-
-# allow shell to get battery info
-allow shell sysfs_batteryinfo:file r_file_perms;
-allow shell sysfs:dir r_dir_perms;
-
-# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file rw_file_perms;
-
-#
-# filesystem test for insecure chr_file's is done
-# via a host side test
-#
-allow shell dev_type:dir r_dir_perms;
-allow shell dev_type:chr_file getattr;
-
-# /dev/fd is a symlink
-allow shell proc:lnk_file getattr;
-
-#
-# filesystem test for insucre blk_file's is done
-# via hostside test
-#
-allow shell dev_type:blk_file getattr;
-
-# read selinux policy files
-allow shell file_contexts_file:file r_file_perms;
-allow shell property_contexts_file:file r_file_perms;
-allow shell seapp_contexts_file:file r_file_perms;
-allow shell service_contexts_file:file r_file_perms;
-allow shell sepolicy_file:file r_file_perms;
-
-###
-### Neverallow rules
-###
-
-# Do not allow shell to hard link to any files.
-# In particular, if shell hard links to app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure the shell user never has this
-# capability.
-neverallow shell file_type:file link;
-
-# Do not allow privileged socket ioctl commands
-neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
-# limit shell access to sensitive char drivers to
-# only getattr required for host side test.
-neverallow shell {
- fuse_device
- hw_random_device
- kmem_device
- port_device
-}:chr_file ~getattr;
-
-# Limit shell to only getattr on blk devices for host side tests.
-neverallow shell dev_type:blk_file ~getattr;
diff --git a/prebuilts/api/26.0/public/slideshow.te b/prebuilts/api/26.0/public/slideshow.te
deleted file mode 100644
index 86d4bff..0000000
--- a/prebuilts/api/26.0/public/slideshow.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# slideshow seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type slideshow, domain;
-
-allow slideshow kmsg_device:chr_file rw_file_perms;
-wakelock_use(slideshow)
-allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability sys_tty_config;
-allow slideshow graphics_device:dir r_dir_perms;
-allow slideshow graphics_device:chr_file rw_file_perms;
-allow slideshow input_device:dir r_dir_perms;
-allow slideshow input_device:chr_file r_file_perms;
-allow slideshow tty_device:chr_file rw_file_perms;
-
diff --git a/prebuilts/api/26.0/public/su.te b/prebuilts/api/26.0/public/su.te
deleted file mode 100644
index 8ddd162..0000000
--- a/prebuilts/api/26.0/public/su.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
-type su, domain;
-
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-
-userdebug_or_eng(`
- # Domain used for su processes, as well as for adbd and adb shell
- # after performing an adb root command. The domain definition is
- # wrapped to ensure that it does not exist at all on -user builds.
- typeattribute su mlstrustedsubject;
-
- # Add su to various domains
- net_domain(su)
-
- # grant su access to vndbinder
- vndbinder_use(su)
-
- dontaudit su self:capability_class_set *;
- dontaudit su kernel:security *;
- dontaudit su kernel:system *;
- dontaudit su self:memprotect *;
- dontaudit su domain:process *;
- dontaudit su domain:fd *;
- dontaudit su domain:dir *;
- dontaudit su domain:lnk_file *;
- dontaudit su domain:{ fifo_file file } *;
- dontaudit su domain:socket_class_set *;
- dontaudit su domain:ipc_class_set *;
- dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
- dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit su node_type:node *;
- dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit su netif_type:netif *;
- dontaudit su port_type:socket_class_set *;
- dontaudit su port_type:{ tcp_socket dccp_socket } *;
- dontaudit su domain:peer *;
- dontaudit su domain:binder *;
- dontaudit su property_type:property_service *;
- dontaudit su property_type:file *;
- dontaudit su service_manager_type:service_manager *;
- dontaudit su hwservice_manager_type:hwservice_manager *;
- dontaudit su vndservice_manager_type:service_manager *;
- dontaudit su servicemanager:service_manager list;
- dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su vndservicemanager:service_manager list;
- dontaudit su keystore:keystore_key *;
- dontaudit su domain:drmservice *;
- dontaudit su unlabeled:filesystem *;
- dontaudit su postinstall_file:filesystem *;
-')
diff --git a/prebuilts/api/26.0/public/surfaceflinger.te b/prebuilts/api/26.0/public/surfaceflinger.te
deleted file mode 100644
index ae00287..0000000
--- a/prebuilts/api/26.0/public/surfaceflinger.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# surfaceflinger - display compositor service
-type surfaceflinger, domain;
diff --git a/prebuilts/api/26.0/public/system_server.te b/prebuilts/api/26.0/public/system_server.te
deleted file mode 100644
index 805d617..0000000
--- a/prebuilts/api/26.0/public/system_server.te
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-type system_server, domain;
diff --git a/prebuilts/api/26.0/public/te_macros b/prebuilts/api/26.0/public/te_macros
deleted file mode 100644
index d65eb88..0000000
--- a/prebuilts/api/26.0/public/te_macros
+++ /dev/null
@@ -1,572 +0,0 @@
-#####################################
-# domain_trans(olddomain, type, newdomain)
-# Allow a transition from olddomain to newdomain
-# upon executing a file labeled with type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use domain_auto_trans
-# if that is what you want.
-#
-define(`domain_trans', `
-# Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute };
-allow $1 $3:process transition;
-# New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr };
-# New domain can send SIGCHLD to its caller.
-ifelse($1, `init', `', `allow $3 $1:process sigchld;')
-# Enable AT_SECURE, i.e. libc secure mode.
-dontaudit $1 $3:process noatsecure;
-# XXX dontaudit candidate but requires further study.
-allow $1 $3:process { siginh rlimitinh };
-')
-
-#####################################
-# domain_auto_trans(olddomain, type, newdomain)
-# Automatically transition from olddomain to newdomain
-# upon executing a file labeled with type.
-#
-define(`domain_auto_trans', `
-# Allow the necessary permissions.
-domain_trans($1,$2,$3)
-# Make the transition occur by default.
-type_transition $1 $2:process $3;
-')
-
-#####################################
-# file_type_trans(domain, dir_type, file_type)
-# Allow domain to create a file labeled file_type in a
-# directory labeled dir_type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use file_type_auto_trans
-# if that is what you want.
-#
-define(`file_type_trans', `
-# Allow the domain to add entries to the directory.
-allow $1 $2:dir ra_dir_perms;
-# Allow the domain to create the file.
-allow $1 $3:notdevfile_class_set create_file_perms;
-allow $1 $3:dir create_dir_perms;
-')
-
-#####################################
-# file_type_auto_trans(domain, dir_type, file_type)
-# Automatically label new files with file_type when
-# they are created by domain in directories labeled dir_type.
-#
-define(`file_type_auto_trans', `
-# Allow the necessary permissions.
-file_type_trans($1, $2, $3)
-# Make the transition occur by default.
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-')
-
-#####################################
-# r_dir_file(domain, type)
-# Allow the specified domain to read directories, files
-# and symbolic links of the specified type.
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:{ file lnk_file } r_file_perms;
-')
-
-#####################################
-# tmpfs_domain(domain)
-# Define and allow access to a unique type for
-# this domain when creating tmpfs / shmem / ashmem files.
-define(`tmpfs_domain', `
-type $1_tmpfs, file_type;
-type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write getattr };
-allow $1 tmpfs:dir { getattr search };
-')
-
-# pdx macros for IPC. pdx is a high-level name which contains transport-specific
-# rules from underlying transport (e.g. UDS-based implementation).
-
-#####################################
-# pdx_service_attributes(service)
-# Defines type attribute used to identify various service-related types.
-define(`pdx_service_attributes', `
-attribute pdx_$1_endpoint_dir_type;
-attribute pdx_$1_endpoint_socket_type;
-attribute pdx_$1_channel_socket_type;
-attribute pdx_$1_server_type;
-')
-
-#####################################
-# pdx_service_socket_types(service, endpoint_dir_t)
-# Define types for endpoint and channel sockets.
-define(`pdx_service_socket_types', `
-typeattribute $2 pdx_$1_endpoint_dir_type;
-type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
-type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
-')
-
-#####################################
-# pdx_server(server_domain, service)
-define(`pdx_server', `
-# Mark the server domain as a PDX server.
-typeattribute $1 pdx_$2_server_type;
-# Allow the init process to create the initial endpoint socket.
-allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
-# Allow the server domain to use the endpoint socket and accept connections on it.
-# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
-# than we need (e.g. we don"t need "bind" or "connect").
-allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
-# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
-allow $1 self:process setsockcreate;
-# Allow the server domain to create a client channel socket.
-allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
-# Prevent other processes from claiming to be a server for the same service.
-neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
-')
-
-#####################################
-# pdx_connect(client, service)
-define(`pdx_connect', `
-# Allow client to open the service endpoint file.
-allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
-allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
-# Allow the client to connect to endpoint socket.
-allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
-')
-
-#####################################
-# pdx_use(client, service)
-define(`pdx_use', `
-# Allow the client to use the PDX channel socket.
-# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
-# than we need (e.g. we don"t need "bind" or "connect").
-allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
-# Client needs to use an channel event fd from the server.
-allow $1 pdx_$2_server_type:fd use;
-# Servers may receive sync fences, gralloc buffers, etc, from clients.
-# This could be tightened on a per-server basis, but keeping track of service
-# clients is error prone.
-allow pdx_$2_server_type $1:fd use;
-')
-
-#####################################
-# pdx_client(client, service)
-define(`pdx_client', `
-pdx_connect($1, $2)
-pdx_use($1, $2)
-')
-
-#####################################
-# init_daemon_domain(domain)
-# Set up a transition from init to the daemon domain
-# upon executing its binary.
-define(`init_daemon_domain', `
-domain_auto_trans(init, $1_exec, $1)
-tmpfs_domain($1)
-')
-
-#####################################
-# app_domain(domain)
-# Allow a base set of permissions required for all apps.
-define(`app_domain', `
-typeattribute $1 appdomain;
-# Label ashmem objects with our own unique type.
-tmpfs_domain($1)
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file execute;
-')
-
-#####################################
-# untrusted_app_domain(domain)
-# Allow a base set of permissions required for all untrusted apps.
-define(`untrusted_app_domain', `
-typeattribute $1 untrusted_app_all;
-')
-
-#####################################
-# net_domain(domain)
-# Allow a base set of permissions required for network access.
-define(`net_domain', `
-typeattribute $1 netdomain;
-')
-
-#####################################
-# bluetooth_domain(domain)
-# Allow a base set of permissions required for bluetooth access.
-define(`bluetooth_domain', `
-typeattribute $1 bluetoothdomain;
-')
-
-#####################################
-# hal_server_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to offer a
-# HAL implementation of the specified type over HwBinder.
-#
-# For example, default implementation of Foo HAL:
-# type hal_foo_default, domain;
-# hal_server_domain(hal_foo_default, hal_foo)
-#
-define(`hal_server_domain', `
-typeattribute $1 halserverdomain;
-typeattribute $1 $2_server;
-typeattribute $1 $2;
-')
-
-#####################################
-# hal_client_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to be a
-# client of a HAL of the specified type.
-#
-# For example, make some_domain a client of Foo HAL:
-# hal_client_domain(some_domain, hal_foo)
-#
-define(`hal_client_domain', `
-typeattribute $1 halclientdomain;
-typeattribute $1 $2_client;
-
-# TODO(b/34170079): Make the inclusion of the rules below conditional also on
-# non-Treble devices. For now, on non-Treble device, always grant clients of a
-# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
-not_full_treble(`
-typeattribute $1 $2;
-# Find passthrough HAL implementations
-allow $2 system_file:dir r_dir_perms;
-allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
-')
-')
-
-#####################################
-# passthrough_hal_client_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to be a
-# client of a passthrough HAL of the specified type.
-#
-# For example, make some_domain a client of passthrough Foo HAL:
-# passthrough_hal_client_domain(some_domain, hal_foo)
-#
-define(`passthrough_hal_client_domain', `
-typeattribute $1 halclientdomain;
-typeattribute $1 $2_client;
-typeattribute $1 $2;
-# Find passthrough HAL implementations
-allow $2 system_file:dir r_dir_perms;
-allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
-')
-
-#####################################
-# unix_socket_connect(clientdomain, socket, serverdomain)
-# Allow a local socket connection from clientdomain via
-# socket to serverdomain.
-#
-# Note: If you see denial records that distill to the
-# following allow rules:
-# allow clientdomain property_socket:sock_file write;
-# allow clientdomain init:unix_stream_socket connectto;
-# allow clientdomain something_prop:property_service set;
-#
-# This sequence is indicative of attempting to set a property.
-# use set_prop(sourcedomain, targetproperty)
-#
-define(`unix_socket_connect', `
-ifelse($2, `property', `
- ifelse($3,`init', `
- print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
- ')
-')
-__unix_socket_connect__($1, $2, $3)
-')
-
-define(`__unix_socket_connect__', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_stream_socket connectto;
-')
-
-#####################################
-# set_prop(sourcedomain, targetproperty)
-# Allows source domain to set the
-# targetproperty.
-#
-define(`set_prop', `
-__unix_socket_connect__($1, property, init)
-allow $1 $2:property_service set;
-get_prop($1, $2)
-')
-
-#####################################
-# get_prop(sourcedomain, targetproperty)
-# Allows source domain to read the
-# targetproperty.
-#
-define(`get_prop', `
-allow $1 $2:file r_file_perms;
-')
-
-#####################################
-# unix_socket_send(clientdomain, socket, serverdomain)
-# Allow a local socket send from clientdomain via
-# socket to serverdomain.
-define(`unix_socket_send', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_dgram_socket sendto;
-')
-
-#####################################
-# binder_use(domain)
-# Allow domain to use Binder IPC.
-define(`binder_use', `
-# Call the servicemanager and transfer references to it.
-allow $1 servicemanager:binder { call transfer };
-# servicemanager performs getpidcon on clients.
-allow servicemanager $1:dir search;
-allow servicemanager $1:file { read open };
-allow servicemanager $1:process getattr;
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# hwbinder_use(domain)
-# Allow domain to use HwBinder IPC.
-define(`hwbinder_use', `
-# Call the hwservicemanager and transfer references to it.
-allow $1 hwservicemanager:binder { call transfer };
-# Allow hwservicemanager to send out callbacks
-allow hwservicemanager $1:binder { call transfer };
-# hwservicemanager performs getpidcon on clients.
-allow hwservicemanager $1:dir search;
-allow hwservicemanager $1:file { read open };
-allow hwservicemanager $1:process getattr;
-# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# vndbinder_use(domain)
-# Allow domain to use Binder IPC.
-define(`vndbinder_use', `
-# Talk to the vndbinder device node
-allow $1 vndbinder_device:chr_file rw_file_perms;
-# Call the vndservicemanager and transfer references to it.
-allow $1 vndservicemanager:binder { call transfer };
-# vndservicemanager performs getpidcon on clients.
-allow vndservicemanager $1:dir search;
-allow vndservicemanager $1:file { read open };
-allow vndservicemanager $1:process getattr;
-')
-
-#####################################
-# binder_call(clientdomain, serverdomain)
-# Allow clientdomain to perform binder IPC to serverdomain.
-define(`binder_call', `
-# Call the server domain and optionally transfer references to it.
-allow $1 $2:binder { call transfer };
-# Allow the serverdomain to transfer references to the client on the reply.
-allow $2 $1:binder transfer;
-# Receive and use open files from the server.
-allow $1 $2:fd use;
-')
-
-#####################################
-# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
-define(`binder_service', `
-typeattribute $1 binderservicedomain;
-')
-
-#####################################
-# wakelock_use(domain)
-# Allow domain to manage wake locks
-define(`wakelock_use', `
-# Access /sys/power/wake_lock and /sys/power/wake_unlock
-allow $1 sysfs_wake_lock:file rw_file_perms;
-# Accessing these files requires CAP_BLOCK_SUSPEND
-allow $1 self:capability2 block_suspend;
-')
-
-#####################################
-# selinux_check_access(domain)
-# Allow domain to check SELinux permissions via selinuxfs.
-define(`selinux_check_access', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
-allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
-')
-
-#####################################
-# selinux_check_context(domain)
-# Allow domain to check SELinux contexts via selinuxfs.
-define(`selinux_check_context', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
-allow $1 kernel:security check_context;
-')
-
-#####################################
-# create_pty(domain)
-# Allow domain to create and use a pty, isolated from any other domain ptys.
-define(`create_pty', `
-# Each domain gets a unique devpts type.
-type $1_devpts, fs_type;
-# Label the pty with the unique type when created.
-type_transition $1 devpts:chr_file $1_devpts;
-# Allow use of the pty after creation.
-allow $1 $1_devpts:chr_file { open getattr read write ioctl };
-allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
-# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
-# allowed to everyone via domain.te.
-')
-
-#####################################
-# Non system_app application set
-#
-define(`non_system_app_set', `{ appdomain -system_app }')
-
-#####################################
-# Recovery only
-# SELinux rules which apply only to recovery mode
-#
-define(`recovery_only', ifelse(target_recovery, `true', $1, ))
-
-#####################################
-# Full TREBLE only
-# SELinux rules which apply only to full TREBLE devices
-#
-define(`full_treble_only', ifelse(target_full_treble, `true', $1,
-ifelse(target_full_treble, `cts',
-# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# Not full TREBLE
-# SELinux rules which apply only to devices which are not full TREBLE devices
-#
-define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
-
-#####################################
-# Userdebug or eng builds
-# SELinux rules which apply only to userdebug or eng builds
-#
-define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-
-#####################################
-# asan builds
-# SELinux rules which apply only to asan builds
-#
-define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
-
-####################################
-# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
-#
-define(`crash_dump_fallback', `
-userdebug_or_eng(`
- allow $1 su:fifo_file append;
-')
-allow $1 anr_data_file:file append;
-allow $1 dumpstate:fd use;
-# TODO: Figure out why write is needed and remove.
-allow $1 dumpstate:fifo_file { append write };
-allow $1 tombstoned:unix_stream_socket connectto;
-allow $1 tombstoned:fd use;
-allow $1 tombstoned_crash_socket:sock_file write;
-allow $1 tombstone_data_file:file append;
-')
-
-#####################################
-# WITH_DEXPREOPT builds
-# SELinux rules which apply only when pre-opting.
-#
-define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
-
-#####################################
-# write_logd(domain)
-# Ability to write to android log
-# daemon via sockets
-define(`write_logd', `
-unix_socket_send($1, logdw, logd)
-allow $1 pmsg_device:chr_file w_file_perms;
-')
-
-#####################################
-# read_logd(domain)
-# Ability to run logcat and read from android
-# log daemon via sockets
-define(`read_logd', `
-allow $1 logcat_exec:file rx_file_perms;
-unix_socket_connect($1, logdr, logd)
-')
-
-#####################################
-# read_runtime_log_tags(domain)
-# ability to directly map the runtime event log tags
-define(`read_runtime_log_tags', `
-allow $1 runtime_event_log_tags_file:file r_file_perms;
-')
-
-#####################################
-# control_logd(domain)
-# Ability to control
-# android log daemon via sockets
-define(`control_logd', `
-# Group AID_LOG checked by filesystem & logd
-# to permit control commands
-unix_socket_connect($1, logd, logd)
-')
-
-#####################################
-# use_keystore(domain)
-# Ability to use keystore.
-# Keystore is requires the following permissions
-# to call getpidcon.
-define(`use_keystore', `
- allow keystore $1:dir search;
- allow keystore $1:file { read open };
- allow keystore $1:process getattr;
- allow $1 keystore_service:service_manager find;
- binder_call($1, keystore)
-')
-
-###########################################
-# use_drmservice(domain)
-# Ability to use DrmService which requires
-# DrmService to call getpidcon.
-define(`use_drmservice', `
- allow drmserver $1:dir search;
- allow drmserver $1:file { read open };
- allow drmserver $1:process getattr;
-')
-
-###########################################
-# add_service(domain, service)
-# Ability for domain to add a service to service_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-define(`add_service', `
- allow $1 $2:service_manager { add find };
- neverallow { domain -$1 } $2:service_manager add;
- neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
-')
-
-###########################################
-# add_hwservice(domain, service)
-# Ability for domain to add a service to hwservice_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-define(`add_hwservice', `
- allow $1 $2:hwservice_manager { add find };
- allow $1 hidl_base_hwservice:hwservice_manager add;
- neverallow { domain -$1 } $2:hwservice_manager add;
- neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
-')
-
-##########################################
-# print a message with a trailing newline
-# print(`args')
-define(`print', `errprint(`m4: '__file__: __line__`: $*
-')')
diff --git a/prebuilts/api/26.0/public/tee.te b/prebuilts/api/26.0/public/tee.te
deleted file mode 100644
index f023d5c..0000000
--- a/prebuilts/api/26.0/public/tee.te
+++ /dev/null
@@ -1,7 +0,0 @@
-##
-# trusted execution environment (tee) daemon
-#
-type tee, domain;
-
-# Device(s) for communicating with the TEE
-type tee_device, dev_type;
diff --git a/prebuilts/api/26.0/public/tombstoned.te b/prebuilts/api/26.0/public/tombstoned.te
deleted file mode 100644
index 37243bb..0000000
--- a/prebuilts/api/26.0/public/tombstoned.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# debugger interface
-type tombstoned, domain, mlstrustedsubject;
-type tombstoned_exec, exec_type, file_type;
-
-# Write to arbitrary pipes given to us.
-allow tombstoned domain:fd use;
-allow tombstoned domain:fifo_file write;
-
-allow tombstoned domain:dir r_dir_perms;
-allow tombstoned domain:file r_file_perms;
-allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file create_file_perms;
-allow tombstoned anr_data_file:file { getattr append };
-
-# TODO: Find out why this is happening.
-allow tombstoned anr_data_file:file write;
-auditallow tombstoned anr_data_file:file write;
diff --git a/prebuilts/api/26.0/public/toolbox.te b/prebuilts/api/26.0/public/toolbox.te
deleted file mode 100644
index 59c3a9c..0000000
--- a/prebuilts/api/26.0/public/toolbox.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
-# Do NOT use this domain for toolbox when run by any other domain.
-type toolbox, domain;
-type toolbox_exec, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow toolbox tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow toolbox devpts:chr_file { read write getattr ioctl };
-
-# mkswap-specific.
-# Read/write block devices used for swap partitions.
-# Assign swap_block_device type any such partition in your
-# device/<vendor>/<product>/sepolicy/file_contexts file.
-allow toolbox block_device:dir search;
-allow toolbox swap_block_device:blk_file rw_file_perms;
-
-# Only allow entry from init via the toolbox binary.
-neverallow { domain -init } toolbox:process transition;
-neverallow * toolbox:process dyntransition;
-neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
diff --git a/prebuilts/api/26.0/public/tzdatacheck.te b/prebuilts/api/26.0/public/tzdatacheck.te
deleted file mode 100644
index 93ae165..0000000
--- a/prebuilts/api/26.0/public/tzdatacheck.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
diff --git a/prebuilts/api/26.0/public/ueventd.te b/prebuilts/api/26.0/public/ueventd.te
deleted file mode 100644
index 4c77e11..0000000
--- a/prebuilts/api/26.0/public/ueventd.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# ueventd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type ueventd, domain;
-
-# Write to /dev/kmsg.
-allow ueventd kmsg_device:chr_file rw_file_perms;
-
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
-allow ueventd device:file create_file_perms;
-
-r_dir_file(ueventd, sysfs_type)
-r_dir_file(ueventd, rootfs)
-allow ueventd sysfs:file w_file_perms;
-allow ueventd sysfs_usb:file w_file_perms;
-allow ueventd sysfs_hwrandom:file w_file_perms;
-allow ueventd sysfs_zram_uevent:file w_file_perms;
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
-allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { getattr create setattr unlink };
-allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file r_file_perms;
-
-# Get SELinux enforcing status.
-r_dir_file(ueventd, selinuxfs)
-
-# Access for /vendor/ueventd.rc and /vendor/firmware
-r_dir_file(ueventd, vendor_file)
-
-# Get file contexts for new device nodes
-allow ueventd file_contexts_file:file r_file_perms;
-
-# Use setfscreatecon() to label /dev directories and files.
-allow ueventd self:process setfscreate;
-
-#####
-##### neverallow rules
-#####
-
-# ueventd must never set properties, otherwise deadlocks may occur.
-# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
-# No writing to the property socket, connecting to init, or setting properties.
-neverallow ueventd property_socket:sock_file write;
-neverallow ueventd init:unix_stream_socket connectto;
-neverallow ueventd property_type:property_service set;
-
-# Restrict ueventd access on block devices to maintenence operations.
-neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
diff --git a/prebuilts/api/26.0/public/uncrypt.te b/prebuilts/api/26.0/public/uncrypt.te
deleted file mode 100644
index 7ae7d39..0000000
--- a/prebuilts/api/26.0/public/uncrypt.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# uncrypt
-type uncrypt, domain, mlstrustedsubject;
-type uncrypt_exec, exec_type, file_type;
-
-allow uncrypt self:capability dac_override;
-
-# Read OTA zip file from /data/data/com.google.android.gsf/app_download
-r_dir_file(uncrypt, app_data_file)
-
-userdebug_or_eng(`
- # For debugging, allow /data/local/tmp access
- r_dir_file(uncrypt, shell_data_file)
-')
-
-# Read /cache/recovery/command
-# Read /cache/recovery/uncrypt_file
-allow uncrypt cache_recovery_file:dir rw_dir_perms;
-allow uncrypt cache_recovery_file:file create_file_perms;
-
-# Read OTA zip file at /data/ota_package/.
-allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
-
-# Write to /dev/socket/uncrypt
-unix_socket_connect(uncrypt, uncrypt, uncrypt)
-
-# Set a property to reboot the device.
-set_prop(uncrypt, powerctl_prop)
-
-# Raw writes to block device
-allow uncrypt self:capability sys_rawio;
-allow uncrypt misc_block_device:blk_file w_file_perms;
-allow uncrypt block_device:dir r_dir_perms;
-
-# Access userdata block device.
-allow uncrypt userdata_block_device:blk_file w_file_perms;
-
-r_dir_file(uncrypt, rootfs)
diff --git a/prebuilts/api/26.0/public/untrusted_app.te b/prebuilts/api/26.0/public/untrusted_app.te
deleted file mode 100644
index 6f29396..0000000
--- a/prebuilts/api/26.0/public/untrusted_app.te
+++ /dev/null
@@ -1,19 +0,0 @@
-###
-### Untrusted apps.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-type untrusted_app, domain;
diff --git a/prebuilts/api/26.0/public/untrusted_app_25.te b/prebuilts/api/26.0/public/untrusted_app_25.te
deleted file mode 100644
index 4ca6e31..0000000
--- a/prebuilts/api/26.0/public/untrusted_app_25.te
+++ /dev/null
@@ -1,20 +0,0 @@
-###
-### Untrusted apps.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-type untrusted_app_25, domain;
-
diff --git a/prebuilts/api/26.0/public/untrusted_v2_app.te b/prebuilts/api/26.0/public/untrusted_v2_app.te
deleted file mode 100644
index ac82f15..0000000
--- a/prebuilts/api/26.0/public/untrusted_v2_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### Untrusted v2 sandbox apps.
-###
-
-type untrusted_v2_app, domain;
diff --git a/prebuilts/api/26.0/public/update_engine.te b/prebuilts/api/26.0/public/update_engine.te
deleted file mode 100644
index b8f0035..0000000
--- a/prebuilts/api/26.0/public/update_engine.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# Domain for update_engine daemon.
-type update_engine, domain, update_engine_common;
-type update_engine_exec, exec_type, file_type;
-
-net_domain(update_engine);
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
-# sockets.
-allow update_engine qtaguid_proc:file rw_file_perms;
-allow update_engine qtaguid_device:chr_file r_file_perms;
-
-# Following permissions are needed for update_engine.
-allow update_engine self:process { setsched };
-allow update_engine self:capability { fowner sys_admin };
-allow update_engine kmsg_device:chr_file w_file_perms;
-allow update_engine update_engine_exec:file rx_file_perms;
-wakelock_use(update_engine);
-
-# Ignore these denials.
-dontaudit update_engine kernel:process setsched;
-
-# Allow using persistent storage in /data/misc/update_engine.
-allow update_engine update_engine_data_file:dir { create_dir_perms };
-allow update_engine update_engine_data_file:file { create_file_perms };
-
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
-# Register the service to perform Binder IPC.
-binder_use(update_engine)
-add_service(update_engine, update_engine_service)
-
-# Allow update_engine to call the callback function provided by priv_app.
-binder_call(update_engine, priv_app)
-
-# Read OTA zip file at /data/ota_package/.
-allow update_engine ota_package_file:file r_file_perms;
-allow update_engine ota_package_file:dir r_dir_perms;
-
-# Use Boot Control HAL
-hal_client_domain(update_engine, hal_bootctl)
diff --git a/prebuilts/api/26.0/public/update_engine_common.te b/prebuilts/api/26.0/public/update_engine_common.te
deleted file mode 100644
index 8e454cc..0000000
--- a/prebuilts/api/26.0/public/update_engine_common.te
+++ /dev/null
@@ -1,42 +0,0 @@
-# update_engine payload application permissions. These are shared between the
-# background daemon and the recovery tool to sideload an update.
-
-# Allow update_engine to reach block devices in /dev/block.
-allow update_engine_common block_device:dir search;
-
-# Allow read/write on system and boot partitions.
-allow update_engine_common boot_block_device:blk_file rw_file_perms;
-allow update_engine_common system_block_device:blk_file rw_file_perms;
-
-# Allow to set recovery options in the BCB. Used to trigger factory reset when
-# the update to an older version (channel change) or incompatible version
-# requires it.
-allow update_engine_common misc_block_device:blk_file rw_file_perms;
-
-# Allow update_engine_common to mount on the /postinstall directory and reset the
-# labels on the mounted filesystem to postinstall_file.
-allow update_engine_common postinstall_mnt_dir:dir mounton;
-allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem relabelfrom;
-
-# Allow update_engine_common to read and execute postinstall_file.
-allow update_engine_common postinstall_file:file rx_file_perms;
-allow update_engine_common postinstall_file:lnk_file r_file_perms;
-allow update_engine_common postinstall_file:dir r_dir_perms;
-
-
-# A postinstall program is typically a shell script (with a #!), so we allow
-# to execute those.
-allow update_engine_common shell_exec:file rx_file_perms;
-
-# Allow update_engine_common to suspend, resume and kill the postinstall program.
-allow update_engine_common postinstall:process { signal sigstop sigkill };
-
-# access /proc/misc
-# Access is also granted to proc:file, but it is likely unneeded
-# due to the more specific grant to proc_misc immediately below.
-allow update_engine proc:file r_file_perms; # delete candidate
-allow update_engine proc_misc:file r_file_perms;
-
-# read directories on /system and /vendor
-allow update_engine system_file:dir r_dir_perms;
diff --git a/prebuilts/api/26.0/public/update_verifier.te b/prebuilts/api/26.0/public/update_verifier.te
deleted file mode 100644
index 4d4e1f9..0000000
--- a/prebuilts/api/26.0/public/update_verifier.te
+++ /dev/null
@@ -1,19 +0,0 @@
-# update_verifier
-type update_verifier, domain;
-type update_verifier_exec, exec_type, file_type;
-
-# Allow update_verifier to reach block devices in /dev/block.
-allow update_verifier block_device:dir search;
-
-# Read care map in /data/ota_package/.
-allow update_verifier ota_package_file:dir r_dir_perms;
-allow update_verifier ota_package_file:file r_file_perms;
-
-# Read all blocks in dm wrapped system partition.
-allow update_verifier dm_device:blk_file r_file_perms;
-
-# Allow update_verifier to reboot the device.
-set_prop(update_verifier, powerctl_prop)
-
-# Use Boot Control HAL
-hal_client_domain(update_verifier, hal_bootctl)
diff --git a/prebuilts/api/26.0/public/vdc.te b/prebuilts/api/26.0/public/vdc.te
deleted file mode 100644
index 53d7bbe..0000000
--- a/prebuilts/api/26.0/public/vdc.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# vdc spawned from init for the following services:
-# defaultcrypto
-# encrypt
-#
-# We also transition into this domain from dumpstate, when
-# collecting bug reports.
-
-type vdc, domain;
-type vdc_exec, exec_type, file_type;
-
-unix_socket_connect(vdc, vold, vold)
-
-# vdc sends information back to dumpstate when "adb bugreport" is used
-allow vdc dumpstate:fd use;
-allow vdc dumpstate:unix_stream_socket { read write getattr };
-
-# vdc information is written to shell owned bugreport files
-allow vdc shell_data_file:file { write getattr };
-
-# Why?
-allow vdc dumpstate:unix_dgram_socket { read write };
-
-# vdc can be invoked with logwrapper, so let it write to pty
-allow vdc devpts:chr_file rw_file_perms;
-
-# vdc writes directly to kmsg during the boot process
-allow vdc kmsg_device:chr_file w_file_perms;
diff --git a/prebuilts/api/26.0/public/vendor_shell.te b/prebuilts/api/26.0/public/vendor_shell.te
deleted file mode 100644
index b330542..0000000
--- a/prebuilts/api/26.0/public/vendor_shell.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# vendor shell MUST never run as interactive or login shell.
-# vendor shell CAN never be traisitioned to by any process, so it is
-# only intended by shell script interpreter.
-type vendor_shell_exec, exec_type, vendor_file_type, file_type;
diff --git a/prebuilts/api/26.0/public/virtual_touchpad.te b/prebuilts/api/26.0/public/virtual_touchpad.te
deleted file mode 100644
index c2800e3..0000000
--- a/prebuilts/api/26.0/public/virtual_touchpad.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type virtual_touchpad, domain;
-type virtual_touchpad_exec, exec_type, file_type;
-
-binder_use(virtual_touchpad)
-binder_service(virtual_touchpad)
-add_service(virtual_touchpad, virtual_touchpad_service)
-
-# Needed to check app permissions.
-binder_call(virtual_touchpad, system_server)
-
-# Requires access to /dev/uinput to create and feed the virtual device.
-allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow virtual_touchpad permission_service:service_manager find;
diff --git a/prebuilts/api/26.0/public/vndservice.te b/prebuilts/api/26.0/public/vndservice.te
deleted file mode 100644
index 0d309bf..0000000
--- a/prebuilts/api/26.0/public/vndservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type default_android_vndservice, vndservice_manager_type;
diff --git a/prebuilts/api/26.0/public/vold.te b/prebuilts/api/26.0/public/vold.te
deleted file mode 100644
index 81ee28c..0000000
--- a/prebuilts/api/26.0/public/vold.te
+++ /dev/null
@@ -1,187 +0,0 @@
-# volume manager
-type vold, domain;
-type vold_exec, exec_type, file_type;
-
-# Read already opened /cache files.
-allow vold cache_file:dir r_dir_perms;
-allow vold cache_file:file { getattr read };
-allow vold cache_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(vold, proc)
-r_dir_file(vold, proc_net)
-r_dir_file(vold, sysfs_type)
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms;
-allow vold sysfs_usb:file w_file_perms;
-allow vold sysfs_zram_uevent:file w_file_perms;
-
-r_dir_file(vold, rootfs)
-allow vold proc_meminfo:file r_file_perms;
-
-#Get file contexts
-allow vold file_contexts_file:file r_file_perms;
-
-# Allow us to jump into execution domains of above tools
-allow vold self:process setexec;
-
-# For sgdisk launched through popen()
-allow vold shell_exec:file rx_file_perms;
-
-typeattribute vold mlstrustedsubject;
-allow vold self:process setfscreate;
-allow vold system_file:file x_file_perms;
-not_full_treble(`allow vold vendor_file:file x_file_perms;')
-allow vold block_device:dir create_dir_perms;
-allow vold device:dir write;
-allow vold devpts:chr_file rw_file_perms;
-allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
-
-# Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
-
-# Access to storage that backs emulated FUSE daemons for migration optimization
-allow vold media_rw_data_file:dir create_dir_perms;
-allow vold media_rw_data_file:file create_file_perms;
-
-# Allow mounting of storage devices
-allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
-
-# Manage per-user primary symlinks
-allow vold mnt_user_file:dir create_dir_perms;
-allow vold mnt_user_file:lnk_file create_file_perms;
-
-# Allow to create and mount expanded storage
-allow vold mnt_expand_file:dir { create_dir_perms mounton };
-allow vold apk_data_file:dir { create getattr setattr };
-allow vold shell_data_file:dir { create getattr setattr };
-
-allow vold tmpfs:filesystem { mount unmount };
-allow vold tmpfs:dir create_dir_perms;
-allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow vold app_data_file:dir search;
-allow vold app_data_file:file rw_file_perms;
-allow vold loop_control_device:chr_file rw_file_perms;
-allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
-allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
-allow vold dm_device:chr_file rw_file_perms;
-allow vold dm_device:blk_file rw_file_perms;
-# For vold Process::killProcessesWithOpenFiles function.
-allow vold domain:dir r_dir_perms;
-allow vold domain:{ file lnk_file } r_file_perms;
-allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace kill };
-
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
-allow vold kmsg_device:chr_file rw_file_perms;
-
-# Run fsck in the fsck domain.
-allow vold fsck_exec:file { r_file_perms execute };
-
-# Log fsck results
-allow vold fscklogs:dir rw_dir_perms;
-allow vold fscklogs:file create_file_perms;
-
-#
-# Rules to support encrypted fs support.
-#
-
-# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount };
-
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
-# Create and mount on /data/tmp_mnt and management of expansion mounts
-allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
-
-# Set scheduling policy of kernel processes
-allow vold kernel:process setsched;
-
-# Property Service
-set_prop(vold, vold_prop)
-set_prop(vold, powerctl_prop)
-set_prop(vold, ctl_fuse_prop)
-set_prop(vold, restorecon_prop)
-
-# ASEC
-allow vold asec_image_file:file create_file_perms;
-allow vold asec_image_file:dir rw_dir_perms;
-allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
-allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
-allow vold asec_public_file:file { relabelto setattr };
-# restorecon files in asec containers created on 4.2 or earlier.
-allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
-allow vold unlabeled:file { r_file_perms setattr relabelfrom };
-
-# Handle wake locks (used for device encryption)
-wakelock_use(vold)
-
-# talk to batteryservice
-binder_use(vold)
-binder_call(vold, healthd)
-
-# talk to keymaster
-hal_client_domain(vold, hal_keymaster)
-
-# Access userdata block device.
-allow vold userdata_block_device:blk_file rw_file_perms;
-
-# Access metadata block device used for encryption meta-data.
-allow vold metadata_block_device:blk_file rw_file_perms;
-
-# Allow vold to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file } create_file_perms;
-allow vold unencrypted_data_file:dir create_dir_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow vold proc_drop_caches:file w_file_perms;
-
-# Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir create_dir_perms;
-allow vold vold_data_file:file create_file_perms;
-
-# linux keyring configuration
-allow vold init:key { write search setattr };
-allow vold vold:key { write search setattr };
-
-# vold temporarily changes its priority when running benchmarks
-allow vold self:capability sys_nice;
-
-# vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:capability sys_chroot;
-allow vold storage_file:dir mounton;
-
-# For AppFuse.
-allow vold fuse_device:chr_file rw_file_perms;
-allow vold fuse:filesystem { relabelfrom };
-allow vold app_fusefs:filesystem { relabelfrom relabelto };
-allow vold app_fusefs:filesystem { mount unmount };
-
-# MoveTask.cpp executes cp and rm
-allow vold toolbox_exec:file rx_file_perms;
-
-# Prepare profile dir for users.
-allow vold user_profile_data_file:dir create_dir_perms;
-
-# Raw writes to misc block device
-allow vold misc_block_device:blk_file w_file_perms;
-
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init } vold_data_file:dir *;
-neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
-neverallow { domain -vold -init } restorecon_prop:property_service set;
-
-neverallow vold fsck_exec:file execute_no_trans;
diff --git a/prebuilts/api/26.0/public/vr_hwc.te b/prebuilts/api/26.0/public/vr_hwc.te
deleted file mode 100644
index c05dd63..0000000
--- a/prebuilts/api/26.0/public/vr_hwc.te
+++ /dev/null
@@ -1,31 +0,0 @@
-type vr_hwc, domain;
-type vr_hwc_exec, exec_type, file_type;
-
-# Get buffer metadata.
-hal_client_domain(vr_hwc, hal_graphics_allocator)
-
-binder_use(vr_hwc)
-binder_service(vr_hwc)
-
-binder_call(vr_hwc, surfaceflinger)
-# Needed to check for app permissions.
-binder_call(vr_hwc, system_server)
-
-add_service(vr_hwc, vr_hwc_service)
-
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_hwc)
-
-# Load vendor libraries.
-allow vr_hwc system_file:dir r_dir_perms;
-
-allow vr_hwc ion_device:chr_file r_file_perms;
-
-# Allow connection to VR DisplayClient to get the primary display metadata
-# (ie: size).
-pdx_client(vr_hwc, display_client)
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow vr_hwc permission_service:service_manager find;
diff --git a/prebuilts/api/26.0/public/watchdogd.te b/prebuilts/api/26.0/public/watchdogd.te
deleted file mode 100644
index 00292a9..0000000
--- a/prebuilts/api/26.0/public/watchdogd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# watchdogd seclabel is specified in init.<board>.rc
-type watchdogd, domain;
-allow watchdogd watchdog_device:chr_file rw_file_perms;
-allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/26.0/public/webview_zygote.te b/prebuilts/api/26.0/public/webview_zygote.te
deleted file mode 100644
index 5d19b32..0000000
--- a/prebuilts/api/26.0/public/webview_zygote.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-type webview_zygote, domain;
-type webview_zygote_exec, exec_type, file_type;
diff --git a/prebuilts/api/26.0/public/wificond.te b/prebuilts/api/26.0/public/wificond.te
deleted file mode 100644
index c91053e..0000000
--- a/prebuilts/api/26.0/public/wificond.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# wificond
-type wificond, domain;
-type wificond_exec, exec_type, file_type;
-
-binder_use(wificond)
-binder_call(wificond, system_server)
-
-add_service(wificond, wificond_service)
-
-set_prop(wificond, wifi_prop)
-set_prop(wificond, ctl_default_prop)
-
-# create sockets to set interfaces up and down
-allow wificond self:udp_socket create_socket_perms;
-# setting interface state up/down is a privileged ioctl
-allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
-allow wificond self:capability { net_admin net_raw };
-# allow wificond to speak to nl80211 in the kernel
-allow wificond self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-r_dir_file(wificond, proc_net)
-
-# wificond writes out configuration files for wpa_supplicant/hostapd.
-# wificond also reads pid files out of this directory
-allow wificond wifi_data_file:dir rw_dir_perms;
-allow wificond wifi_data_file:file create_file_perms;
-
-# allow wificond to check permission for dumping logs
-allow wificond permission_service:service_manager find;
-
-# dumpstate support
-allow wificond dumpstate:fd use;
-allow wificond dumpstate:fifo_file write;
diff --git a/prebuilts/api/26.0/public/zygote.te b/prebuilts/api/26.0/public/zygote.te
deleted file mode 100644
index 83c42ef..0000000
--- a/prebuilts/api/26.0/public/zygote.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# zygote
-type zygote, domain;
-type zygote_exec, exec_type, file_type;
diff --git a/prebuilts/api/27.0/nonplat_sepolicy.cil b/prebuilts/api/27.0/nonplat_sepolicy.cil
deleted file mode 100644
index da550c1..0000000
--- a/prebuilts/api/27.0/nonplat_sepolicy.cil
+++ /dev/null
@@ -1,6660 +0,0 @@
-(roletype r domain)
-(typeattributeset dev_type (device_27_0 alarm_device_27_0 ashmem_device_27_0 audio_device_27_0 audio_timer_device_27_0 audio_seq_device_27_0 binder_device_27_0 hwbinder_device_27_0 vndbinder_device_27_0 block_device_27_0 camera_device_27_0 dm_device_27_0 keychord_device_27_0 loop_control_device_27_0 loop_device_27_0 pmsg_device_27_0 radio_device_27_0 ram_device_27_0 rtc_device_27_0 vold_device_27_0 console_device_27_0 cpuctl_device_27_0 fscklogs_27_0 full_device_27_0 gpu_device_27_0 graphics_device_27_0 hw_random_device_27_0 input_device_27_0 kmem_device_27_0 port_device_27_0 mtd_device_27_0 mtp_device_27_0 nfc_device_27_0 ptmx_device_27_0 kmsg_device_27_0 kmsg_debug_device_27_0 null_device_27_0 random_device_27_0 sensors_device_27_0 serial_device_27_0 socket_device_27_0 owntty_device_27_0 tty_device_27_0 video_device_27_0 vcs_device_27_0 zero_device_27_0 fuse_device_27_0 iio_device_27_0 ion_device_27_0 qtaguid_device_27_0 watchdog_device_27_0 uhid_device_27_0 uio_device_27_0 tun_device_27_0 usbaccessory_device_27_0 usb_device_27_0 properties_device_27_0 properties_serial_27_0 i2c_device_27_0 hci_attach_dev_27_0 rpmsg_device_27_0 root_block_device_27_0 frp_block_device_27_0 system_block_device_27_0 recovery_block_device_27_0 boot_block_device_27_0 userdata_block_device_27_0 cache_block_device_27_0 swap_block_device_27_0 metadata_block_device_27_0 misc_block_device_27_0 ppp_device_27_0 tee_device_27_0 qemu_device))
-(typeattributeset domain (adbd_27_0 audioserver_27_0 blkid_27_0 blkid_untrusted_27_0 bluetooth_27_0 bootanim_27_0 bootstat_27_0 bufferhubd_27_0 cameraserver_27_0 charger_27_0 clatd_27_0 cppreopts_27_0 crash_dump_27_0 dex2oat_27_0 dhcp_27_0 dnsmasq_27_0 drmserver_27_0 dumpstate_27_0 e2fs_27_0 ephemeral_app_27_0 fingerprintd_27_0 fsck_27_0 fsck_untrusted_27_0 gatekeeperd_27_0 healthd_27_0 hwservicemanager_27_0 idmap_27_0 incident_27_0 incidentd_27_0 init_27_0 inputflinger_27_0 install_recovery_27_0 installd_27_0 isolated_app_27_0 kernel_27_0 keystore_27_0 lmkd_27_0 logd_27_0 logpersist_27_0 mdnsd_27_0 mediacodec_27_0 mediadrmserver_27_0 mediaextractor_27_0 mediametrics_27_0 mediaprovider_27_0 mediaserver_27_0 modprobe_27_0 mtp_27_0 netd_27_0 netutils_wrapper_27_0 nfc_27_0 otapreopt_chroot_27_0 otapreopt_slot_27_0 performanced_27_0 perfprofd_27_0 platform_app_27_0 postinstall_27_0 postinstall_dexopt_27_0 ppp_27_0 preopt2cachename_27_0 priv_app_27_0 profman_27_0 racoon_27_0 radio_27_0 recovery_27_0 recovery_persist_27_0 recovery_refresh_27_0 rild_27_0 runas_27_0 sdcardd_27_0 servicemanager_27_0 sgdisk_27_0 shared_relro_27_0 shell_27_0 slideshow_27_0 su_27_0 surfaceflinger_27_0 system_app_27_0 system_server_27_0 tee_27_0 thermalserviced_27_0 tombstoned_27_0 toolbox_27_0 tzdatacheck_27_0 ueventd_27_0 uncrypt_27_0 untrusted_app_27_0 untrusted_app_25_27_0 untrusted_v2_app_27_0 update_engine_27_0 update_verifier_27_0 vdc_27_0 virtual_touchpad_27_0 vndservicemanager_27_0 vold_27_0 vr_hwc_27_0 watchdogd_27_0 webview_zygote_27_0 wificond_27_0 zygote_27_0 hal_audio_default hal_bluetooth_default hal_bootctl_default hal_broadcastradio_default hal_camera_default hal_cas_default hal_configstore_default hal_contexthub_default hal_drm_default hal_dumpstate_default hal_fingerprint_default hal_gatekeeper_default hal_gnss_default hal_graphics_allocator_default hal_graphics_composer_default hal_health_default hal_ir_default hal_keymaster_default hal_light_default hal_memtrack_default hal_nfc_default hal_power_default hal_sensors_default hal_tetheroffload_default hal_thermal_default hal_tv_cec_default hal_tv_input_default hal_usb_default hal_vibrator_default hal_vr_default hal_wifi_default hal_wifi_offload_default hal_wifi_supplicant_default hostapd vendor_modprobe goldfish_setup hal_drm_widevine qemu_props))
-(typeattributeset fs_type (device_27_0 labeledfs_27_0 pipefs_27_0 sockfs_27_0 rootfs_27_0 proc_27_0 proc_security_27_0 proc_drop_caches_27_0 proc_overcommit_memory_27_0 usermodehelper_27_0 sysfs_usermodehelper_27_0 qtaguid_proc_27_0 proc_bluetooth_writable_27_0 proc_cpuinfo_27_0 proc_interrupts_27_0 proc_iomem_27_0 proc_meminfo_27_0 proc_misc_27_0 proc_modules_27_0 proc_net_27_0 proc_perf_27_0 proc_stat_27_0 proc_sysrq_27_0 proc_timer_27_0 proc_tty_drivers_27_0 proc_uid_cputime_showstat_27_0 proc_uid_cputime_removeuid_27_0 proc_uid_io_stats_27_0 proc_uid_procstat_set_27_0 proc_uid_time_in_state_27_0 proc_zoneinfo_27_0 selinuxfs_27_0 cgroup_27_0 sysfs_27_0 sysfs_uio_27_0 sysfs_batteryinfo_27_0 sysfs_bluetooth_writable_27_0 sysfs_leds_27_0 sysfs_hwrandom_27_0 sysfs_nfc_power_writable_27_0 sysfs_wake_lock_27_0 sysfs_mac_address_27_0 sysfs_fs_ext4_features_27_0 configfs_27_0 sysfs_devices_system_cpu_27_0 sysfs_lowmemorykiller_27_0 sysfs_wlan_fwpath_27_0 sysfs_vibrator_27_0 sysfs_thermal_27_0 sysfs_zram_27_0 sysfs_zram_uevent_27_0 inotify_27_0 devpts_27_0 tmpfs_27_0 shm_27_0 mqueue_27_0 fuse_27_0 sdcardfs_27_0 vfat_27_0 debugfs_27_0 debugfs_mmc_27_0 debugfs_trace_marker_27_0 debugfs_tracing_27_0 debugfs_tracing_debug_27_0 debugfs_tracing_instances_27_0 debugfs_wifi_tracing_27_0 pstorefs_27_0 functionfs_27_0 oemfs_27_0 usbfs_27_0 binfmt_miscfs_27_0 app_fusefs_27_0 sysfs_writable))
-(typeattributeset contextmount_type (oemfs_27_0 app_fusefs_27_0))
-(typeattributeset file_type (adbd_exec_27_0 bootanim_exec_27_0 bootstat_exec_27_0 bufferhubd_exec_27_0 cameraserver_exec_27_0 clatd_exec_27_0 cppreopts_exec_27_0 crash_dump_exec_27_0 dex2oat_exec_27_0 dhcp_exec_27_0 dnsmasq_exec_27_0 drmserver_exec_27_0 drmserver_socket_27_0 dumpstate_exec_27_0 e2fs_exec_27_0 sysfs_usb_27_0 unlabeled_27_0 system_file_27_0 vendor_hal_file_27_0 vendor_file_27_0 vendor_app_file_27_0 vendor_configs_file_27_0 same_process_hal_file_27_0 vndk_sp_file_27_0 vendor_framework_file_27_0 vendor_overlay_file_27_0 runtime_event_log_tags_file_27_0 logcat_exec_27_0 coredump_file_27_0 system_data_file_27_0 unencrypted_data_file_27_0 install_data_file_27_0 drm_data_file_27_0 adb_data_file_27_0 anr_data_file_27_0 tombstone_data_file_27_0 apk_data_file_27_0 apk_tmp_file_27_0 apk_private_data_file_27_0 apk_private_tmp_file_27_0 dalvikcache_data_file_27_0 ota_data_file_27_0 ota_package_file_27_0 user_profile_data_file_27_0 profman_dump_data_file_27_0 resourcecache_data_file_27_0 shell_data_file_27_0 property_data_file_27_0 bootchart_data_file_27_0 heapdump_data_file_27_0 nativetest_data_file_27_0 ringtone_file_27_0 preloads_data_file_27_0 preloads_media_file_27_0 dhcp_data_file_27_0 mnt_media_rw_file_27_0 mnt_user_file_27_0 mnt_expand_file_27_0 storage_file_27_0 mnt_media_rw_stub_file_27_0 storage_stub_file_27_0 postinstall_mnt_dir_27_0 postinstall_file_27_0 adb_keys_file_27_0 audio_data_file_27_0 audiohal_data_file_27_0 audioserver_data_file_27_0 bluetooth_data_file_27_0 bluetooth_logs_data_file_27_0 bootstat_data_file_27_0 boottrace_data_file_27_0 camera_data_file_27_0 gatekeeper_data_file_27_0 incident_data_file_27_0 keychain_data_file_27_0 keystore_data_file_27_0 media_data_file_27_0 media_rw_data_file_27_0 misc_user_data_file_27_0 net_data_file_27_0 nfc_data_file_27_0 radio_data_file_27_0 reboot_data_file_27_0 recovery_data_file_27_0 shared_relro_file_27_0 systemkeys_data_file_27_0 textclassifier_data_file_27_0 vpn_data_file_27_0 wifi_data_file_27_0 zoneinfo_data_file_27_0 vold_data_file_27_0 perfprofd_data_file_27_0 tee_data_file_27_0 update_engine_data_file_27_0 method_trace_data_file_27_0 app_data_file_27_0 system_app_data_file_27_0 cache_file_27_0 cache_backup_file_27_0 cache_private_backup_file_27_0 cache_recovery_file_27_0 efs_file_27_0 wallpaper_file_27_0 shortcut_manager_icons_27_0 icon_file_27_0 asec_apk_file_27_0 asec_public_file_27_0 asec_image_file_27_0 backup_data_file_27_0 bluetooth_efs_file_27_0 fingerprintd_data_file_27_0 app_fuse_file_27_0 adbd_socket_27_0 bluetooth_socket_27_0 dnsproxyd_socket_27_0 dumpstate_socket_27_0 fwmarkd_socket_27_0 lmkd_socket_27_0 logd_socket_27_0 logdr_socket_27_0 logdw_socket_27_0 mdns_socket_27_0 mdnsd_socket_27_0 misc_logd_file_27_0 mtpd_socket_27_0 netd_socket_27_0 property_socket_27_0 racoon_socket_27_0 rild_socket_27_0 rild_debug_socket_27_0 system_wpa_socket_27_0 system_ndebug_socket_27_0 tombstoned_crash_socket_27_0 tombstoned_java_trace_socket_27_0 tombstoned_intercept_socket_27_0 uncrypt_socket_27_0 vold_socket_27_0 webview_zygote_socket_27_0 wpa_socket_27_0 zygote_socket_27_0 gps_control_27_0 pdx_display_dir_27_0 pdx_performance_dir_27_0 pdx_bufferhub_dir_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 file_contexts_file_27_0 mac_perms_file_27_0 property_contexts_file_27_0 seapp_contexts_file_27_0 sepolicy_file_27_0 service_contexts_file_27_0 nonplat_service_contexts_file_27_0 hwservice_contexts_file_27_0 vndservice_contexts_file_27_0 fingerprintd_exec_27_0 fsck_exec_27_0 gatekeeperd_exec_27_0 healthd_exec_27_0 hwservicemanager_exec_27_0 idmap_exec_27_0 init_exec_27_0 inputflinger_exec_27_0 install_recovery_exec_27_0 installd_exec_27_0 keystore_exec_27_0 lmkd_exec_27_0 logd_exec_27_0 mediacodec_exec_27_0 mediadrmserver_exec_27_0 mediaextractor_exec_27_0 mediametrics_exec_27_0 mediaserver_exec_27_0 mtp_exec_27_0 netd_exec_27_0 netutils_wrapper_exec_27_0 otapreopt_chroot_exec_27_0 otapreopt_slot_exec_27_0 performanced_exec_27_0 perfprofd_exec_27_0 ppp_exec_27_0 preopt2cachename_exec_27_0 profman_exec_27_0 racoon_exec_27_0 recovery_persist_exec_27_0 recovery_refresh_exec_27_0 runas_exec_27_0 sdcardd_exec_27_0 servicemanager_exec_27_0 sgdisk_exec_27_0 shell_exec_27_0 su_exec_27_0 thermalserviced_exec_27_0 tombstoned_exec_27_0 toolbox_exec_27_0 tzdatacheck_exec_27_0 uncrypt_exec_27_0 update_engine_exec_27_0 update_verifier_exec_27_0 vdc_exec_27_0 vendor_shell_exec_27_0 vendor_toolbox_exec_27_0 virtual_touchpad_exec_27_0 vold_exec_27_0 vr_hwc_exec_27_0 webview_zygote_exec_27_0 wificond_exec_27_0 zygote_exec_27_0 hostapd_socket hal_audio_default_exec hal_audio_default_tmpfs hal_bluetooth_default_exec hal_bluetooth_default_tmpfs hal_bootctl_default_exec hal_bootctl_default_tmpfs hal_broadcastradio_default_exec hal_broadcastradio_default_tmpfs hal_camera_default_exec hal_camera_default_tmpfs hal_cas_default_exec hal_cas_default_tmpfs hal_configstore_default_exec hal_configstore_default_tmpfs hal_contexthub_default_exec hal_contexthub_default_tmpfs hal_drm_default_exec hal_drm_default_tmpfs hal_dumpstate_default_exec hal_dumpstate_default_tmpfs hal_fingerprint_default_exec hal_fingerprint_default_tmpfs hal_gatekeeper_default_exec hal_gatekeeper_default_tmpfs hal_gnss_default_exec hal_gnss_default_tmpfs hal_graphics_allocator_default_exec hal_graphics_allocator_default_tmpfs hal_graphics_composer_default_exec hal_graphics_composer_default_tmpfs hal_health_default_exec hal_health_default_tmpfs hal_ir_default_exec hal_ir_default_tmpfs hal_keymaster_default_exec hal_keymaster_default_tmpfs hal_light_default_exec hal_light_default_tmpfs hal_memtrack_default_exec hal_memtrack_default_tmpfs hal_nfc_default_exec hal_nfc_default_tmpfs mediacodec_tmpfs hal_power_default_exec hal_power_default_tmpfs hal_sensors_default_exec hal_sensors_default_tmpfs hal_tetheroffload_default_exec hal_tetheroffload_default_tmpfs hal_thermal_default_exec hal_thermal_default_tmpfs hal_tv_cec_default_exec hal_tv_cec_default_tmpfs hal_tv_input_default_exec hal_tv_input_default_tmpfs hal_usb_default_exec hal_usb_default_tmpfs hal_vibrator_default_exec hal_vibrator_default_tmpfs hal_vr_default_exec hal_vr_default_tmpfs hal_wifi_default_exec hal_wifi_default_tmpfs hal_wifi_offload_default_exec hal_wifi_offload_default_tmpfs hal_wifi_supplicant_default_exec hal_wifi_supplicant_default_tmpfs hostapd_exec hostapd_tmpfs rild_exec rild_tmpfs tee_exec tee_tmpfs vndservicemanager_exec vndservicemanager_tmpfs goldfish_setup_exec goldfish_setup_tmpfs hal_drm_widevine_exec hal_drm_widevine_tmpfs qemu_props_exec qemu_props_tmpfs))
-(typeattributeset exec_type (adbd_exec_27_0 bootanim_exec_27_0 bootstat_exec_27_0 bufferhubd_exec_27_0 cameraserver_exec_27_0 clatd_exec_27_0 cppreopts_exec_27_0 crash_dump_exec_27_0 dex2oat_exec_27_0 dhcp_exec_27_0 dnsmasq_exec_27_0 drmserver_exec_27_0 dumpstate_exec_27_0 e2fs_exec_27_0 logcat_exec_27_0 fingerprintd_exec_27_0 fsck_exec_27_0 gatekeeperd_exec_27_0 healthd_exec_27_0 hwservicemanager_exec_27_0 idmap_exec_27_0 init_exec_27_0 inputflinger_exec_27_0 install_recovery_exec_27_0 installd_exec_27_0 keystore_exec_27_0 lmkd_exec_27_0 logd_exec_27_0 mediacodec_exec_27_0 mediadrmserver_exec_27_0 mediaextractor_exec_27_0 mediametrics_exec_27_0 mediaserver_exec_27_0 mtp_exec_27_0 netd_exec_27_0 netutils_wrapper_exec_27_0 otapreopt_chroot_exec_27_0 otapreopt_slot_exec_27_0 performanced_exec_27_0 perfprofd_exec_27_0 ppp_exec_27_0 preopt2cachename_exec_27_0 profman_exec_27_0 racoon_exec_27_0 recovery_persist_exec_27_0 recovery_refresh_exec_27_0 runas_exec_27_0 sdcardd_exec_27_0 servicemanager_exec_27_0 sgdisk_exec_27_0 shell_exec_27_0 su_exec_27_0 thermalserviced_exec_27_0 tombstoned_exec_27_0 toolbox_exec_27_0 tzdatacheck_exec_27_0 uncrypt_exec_27_0 update_engine_exec_27_0 update_verifier_exec_27_0 vdc_exec_27_0 vendor_shell_exec_27_0 vendor_toolbox_exec_27_0 virtual_touchpad_exec_27_0 vold_exec_27_0 vr_hwc_exec_27_0 webview_zygote_exec_27_0 wificond_exec_27_0 zygote_exec_27_0 hal_audio_default_exec hal_bluetooth_default_exec hal_bootctl_default_exec hal_broadcastradio_default_exec hal_camera_default_exec hal_cas_default_exec hal_configstore_default_exec hal_contexthub_default_exec hal_drm_default_exec hal_dumpstate_default_exec hal_fingerprint_default_exec hal_gatekeeper_default_exec hal_gnss_default_exec hal_graphics_allocator_default_exec hal_graphics_composer_default_exec hal_health_default_exec hal_ir_default_exec hal_keymaster_default_exec hal_light_default_exec hal_memtrack_default_exec hal_nfc_default_exec hal_power_default_exec hal_sensors_default_exec hal_tetheroffload_default_exec hal_thermal_default_exec hal_tv_cec_default_exec hal_tv_input_default_exec hal_usb_default_exec hal_vibrator_default_exec hal_vr_default_exec hal_wifi_default_exec hal_wifi_offload_default_exec hal_wifi_supplicant_default_exec hostapd_exec rild_exec tee_exec vndservicemanager_exec goldfish_setup_exec hal_drm_widevine_exec qemu_props_exec))
-(expandtypeattribute (data_file_type) false)
-(typeattributeset data_file_type (system_data_file_27_0 unencrypted_data_file_27_0 install_data_file_27_0 drm_data_file_27_0 adb_data_file_27_0 anr_data_file_27_0 tombstone_data_file_27_0 apk_data_file_27_0 apk_tmp_file_27_0 apk_private_data_file_27_0 apk_private_tmp_file_27_0 dalvikcache_data_file_27_0 ota_data_file_27_0 ota_package_file_27_0 user_profile_data_file_27_0 profman_dump_data_file_27_0 resourcecache_data_file_27_0 shell_data_file_27_0 property_data_file_27_0 bootchart_data_file_27_0 heapdump_data_file_27_0 nativetest_data_file_27_0 ringtone_file_27_0 preloads_data_file_27_0 preloads_media_file_27_0 dhcp_data_file_27_0 adb_keys_file_27_0 audio_data_file_27_0 audiohal_data_file_27_0 audioserver_data_file_27_0 bluetooth_data_file_27_0 bluetooth_logs_data_file_27_0 bootstat_data_file_27_0 boottrace_data_file_27_0 camera_data_file_27_0 gatekeeper_data_file_27_0 incident_data_file_27_0 keychain_data_file_27_0 keystore_data_file_27_0 media_data_file_27_0 media_rw_data_file_27_0 misc_user_data_file_27_0 net_data_file_27_0 nfc_data_file_27_0 radio_data_file_27_0 reboot_data_file_27_0 recovery_data_file_27_0 shared_relro_file_27_0 systemkeys_data_file_27_0 textclassifier_data_file_27_0 vpn_data_file_27_0 wifi_data_file_27_0 zoneinfo_data_file_27_0 vold_data_file_27_0 perfprofd_data_file_27_0 tee_data_file_27_0 update_engine_data_file_27_0 method_trace_data_file_27_0 app_data_file_27_0 system_app_data_file_27_0 cache_file_27_0 cache_backup_file_27_0 cache_private_backup_file_27_0 cache_recovery_file_27_0 wallpaper_file_27_0 shortcut_manager_icons_27_0 icon_file_27_0 asec_apk_file_27_0 asec_public_file_27_0 asec_image_file_27_0 backup_data_file_27_0 fingerprintd_data_file_27_0 app_fuse_file_27_0 bluetooth_socket_27_0 misc_logd_file_27_0 system_wpa_socket_27_0 system_ndebug_socket_27_0 wpa_socket_27_0 hostapd_socket))
-(typeattributeset core_data_file_type (system_data_file_27_0 unencrypted_data_file_27_0 install_data_file_27_0 drm_data_file_27_0 adb_data_file_27_0 anr_data_file_27_0 tombstone_data_file_27_0 apk_data_file_27_0 apk_tmp_file_27_0 apk_private_data_file_27_0 apk_private_tmp_file_27_0 dalvikcache_data_file_27_0 ota_data_file_27_0 ota_package_file_27_0 user_profile_data_file_27_0 profman_dump_data_file_27_0 resourcecache_data_file_27_0 shell_data_file_27_0 property_data_file_27_0 bootchart_data_file_27_0 heapdump_data_file_27_0 nativetest_data_file_27_0 ringtone_file_27_0 preloads_data_file_27_0 preloads_media_file_27_0 dhcp_data_file_27_0 adb_keys_file_27_0 audio_data_file_27_0 audiohal_data_file_27_0 audioserver_data_file_27_0 bluetooth_data_file_27_0 bluetooth_logs_data_file_27_0 bootstat_data_file_27_0 boottrace_data_file_27_0 camera_data_file_27_0 gatekeeper_data_file_27_0 incident_data_file_27_0 keychain_data_file_27_0 keystore_data_file_27_0 media_data_file_27_0 media_rw_data_file_27_0 misc_user_data_file_27_0 net_data_file_27_0 nfc_data_file_27_0 radio_data_file_27_0 reboot_data_file_27_0 recovery_data_file_27_0 shared_relro_file_27_0 systemkeys_data_file_27_0 textclassifier_data_file_27_0 vpn_data_file_27_0 wifi_data_file_27_0 zoneinfo_data_file_27_0 vold_data_file_27_0 perfprofd_data_file_27_0 update_engine_data_file_27_0 method_trace_data_file_27_0 app_data_file_27_0 system_app_data_file_27_0 wallpaper_file_27_0 shortcut_manager_icons_27_0 icon_file_27_0 asec_apk_file_27_0 asec_public_file_27_0 asec_image_file_27_0 backup_data_file_27_0 fingerprintd_data_file_27_0 app_fuse_file_27_0))
-(typeattributeset vendor_file_type (vendor_hal_file_27_0 vendor_file_27_0 vendor_app_file_27_0 vendor_configs_file_27_0 same_process_hal_file_27_0 vndk_sp_file_27_0 vendor_framework_file_27_0 vendor_overlay_file_27_0 mediacodec_exec_27_0 vendor_shell_exec_27_0 vendor_toolbox_exec_27_0 hal_audio_default_exec hal_bluetooth_default_exec hal_bootctl_default_exec hal_broadcastradio_default_exec hal_camera_default_exec hal_cas_default_exec hal_configstore_default_exec hal_contexthub_default_exec hal_drm_default_exec hal_dumpstate_default_exec hal_fingerprint_default_exec hal_gatekeeper_default_exec hal_gnss_default_exec hal_graphics_allocator_default_exec hal_graphics_composer_default_exec hal_health_default_exec hal_ir_default_exec hal_keymaster_default_exec hal_light_default_exec hal_memtrack_default_exec hal_nfc_default_exec hal_power_default_exec hal_sensors_default_exec hal_tetheroffload_default_exec hal_thermal_default_exec hal_tv_cec_default_exec hal_tv_input_default_exec hal_usb_default_exec hal_vibrator_default_exec hal_vr_default_exec hal_wifi_default_exec hal_wifi_offload_default_exec hal_wifi_supplicant_default_exec hostapd_exec rild_exec tee_exec vndservicemanager_exec goldfish_setup_exec hal_drm_widevine_exec qemu_props_exec))
-(typeattributeset sysfs_type (sysfs_usermodehelper_27_0 sysfs_27_0 sysfs_uio_27_0 sysfs_batteryinfo_27_0 sysfs_bluetooth_writable_27_0 sysfs_leds_27_0 sysfs_hwrandom_27_0 sysfs_nfc_power_writable_27_0 sysfs_wake_lock_27_0 sysfs_mac_address_27_0 sysfs_usb_27_0 sysfs_fs_ext4_features_27_0 sysfs_devices_system_cpu_27_0 sysfs_lowmemorykiller_27_0 sysfs_wlan_fwpath_27_0 sysfs_vibrator_27_0 sysfs_thermal_27_0 sysfs_zram_27_0 sysfs_zram_uevent_27_0 sysfs_writable))
-(typeattributeset debugfs_type (debugfs_27_0 debugfs_mmc_27_0 debugfs_trace_marker_27_0 debugfs_tracing_27_0 debugfs_tracing_debug_27_0 debugfs_tracing_instances_27_0 debugfs_wifi_tracing_27_0))
-(typeattributeset sdcard_type (fuse_27_0 sdcardfs_27_0 vfat_27_0))
-(typeattributeset node_type (node_27_0))
-(typeattributeset netif_type (netif_27_0))
-(typeattributeset port_type (port_27_0))
-(typeattributeset property_type (audio_prop_27_0 boottime_prop_27_0 bluetooth_prop_27_0 config_prop_27_0 cppreopt_prop_27_0 ctl_bootanim_prop_27_0 ctl_bugreport_prop_27_0 ctl_console_prop_27_0 ctl_default_prop_27_0 ctl_dumpstate_prop_27_0 ctl_fuse_prop_27_0 ctl_mdnsd_prop_27_0 ctl_rildaemon_prop_27_0 dalvik_prop_27_0 debuggerd_prop_27_0 debug_prop_27_0 default_prop_27_0 device_logging_prop_27_0 dhcp_prop_27_0 dumpstate_options_prop_27_0 dumpstate_prop_27_0 ffs_prop_27_0 fingerprint_prop_27_0 firstboot_prop_27_0 hwservicemanager_prop_27_0 logd_prop_27_0 logpersistd_logging_prop_27_0 log_prop_27_0 log_tag_prop_27_0 mmc_prop_27_0 net_dns_prop_27_0 net_radio_prop_27_0 netd_stable_secret_prop_27_0 nfc_prop_27_0 overlay_prop_27_0 pan_result_prop_27_0 persist_debug_prop_27_0 persistent_properties_ready_prop_27_0 powerctl_prop_27_0 radio_prop_27_0 restorecon_prop_27_0 safemode_prop_27_0 serialno_prop_27_0 shell_prop_27_0 system_prop_27_0 system_radio_prop_27_0 vold_prop_27_0 wifi_log_prop_27_0 wifi_prop_27_0 qemu_prop qemu_cmdline radio_noril_prop opengles_prop))
-(typeattributeset core_property_type (audio_prop_27_0 config_prop_27_0 cppreopt_prop_27_0 dalvik_prop_27_0 debuggerd_prop_27_0 debug_prop_27_0 default_prop_27_0 dhcp_prop_27_0 dumpstate_prop_27_0 ffs_prop_27_0 fingerprint_prop_27_0 logd_prop_27_0 net_radio_prop_27_0 nfc_prop_27_0 pan_result_prop_27_0 persist_debug_prop_27_0 powerctl_prop_27_0 radio_prop_27_0 restorecon_prop_27_0 shell_prop_27_0 system_prop_27_0 system_radio_prop_27_0 vold_prop_27_0))
-(typeattributeset log_property_type (log_prop_27_0 log_tag_prop_27_0 wifi_log_prop_27_0))
-(typeattributeset system_server_service (accessibility_service_27_0 account_service_27_0 activity_service_27_0 alarm_service_27_0 appops_service_27_0 appwidget_service_27_0 assetatlas_service_27_0 audio_service_27_0 autofill_service_27_0 backup_service_27_0 batterystats_service_27_0 battery_service_27_0 bluetooth_manager_service_27_0 broadcastradio_service_27_0 cameraproxy_service_27_0 clipboard_service_27_0 contexthub_service_27_0 IProxyService_service_27_0 commontime_management_service_27_0 companion_device_service_27_0 connectivity_service_27_0 connmetrics_service_27_0 consumer_ir_service_27_0 content_service_27_0 country_detector_service_27_0 coverage_service_27_0 cpuinfo_service_27_0 dbinfo_service_27_0 device_policy_service_27_0 deviceidle_service_27_0 device_identifiers_service_27_0 devicestoragemonitor_service_27_0 diskstats_service_27_0 display_service_27_0 font_service_27_0 netd_listener_service_27_0 DockObserver_service_27_0 dreams_service_27_0 dropbox_service_27_0 ethernet_service_27_0 fingerprint_service_27_0 gfxinfo_service_27_0 graphicsstats_service_27_0 hardware_service_27_0 hardware_properties_service_27_0 hdmi_control_service_27_0 input_method_service_27_0 input_service_27_0 imms_service_27_0 ipsec_service_27_0 jobscheduler_service_27_0 launcherapps_service_27_0 location_service_27_0 lock_settings_service_27_0 media_projection_service_27_0 media_router_service_27_0 media_session_service_27_0 meminfo_service_27_0 midi_service_27_0 mount_service_27_0 netpolicy_service_27_0 netstats_service_27_0 network_management_service_27_0 network_score_service_27_0 network_time_update_service_27_0 notification_service_27_0 oem_lock_service_27_0 otadexopt_service_27_0 overlay_service_27_0 package_service_27_0 package_native_service_27_0 permission_service_27_0 persistent_data_block_service_27_0 pinner_service_27_0 power_service_27_0 print_service_27_0 processinfo_service_27_0 procstats_service_27_0 recovery_service_27_0 registry_service_27_0 restrictions_service_27_0 rttmanager_service_27_0 samplingprofiler_service_27_0 scheduling_policy_service_27_0 search_service_27_0 sec_key_att_app_id_provider_service_27_0 sensorservice_service_27_0 serial_service_27_0 servicediscovery_service_27_0 settings_service_27_0 shortcut_service_27_0 statusbar_service_27_0 storagestats_service_27_0 task_service_27_0 textclassification_service_27_0 textservices_service_27_0 telecom_service_27_0 timezone_service_27_0 trust_service_27_0 tv_input_service_27_0 uimode_service_27_0 updatelock_service_27_0 usagestats_service_27_0 usb_service_27_0 user_service_27_0 vibrator_service_27_0 voiceinteraction_service_27_0 vr_manager_service_27_0 wallpaper_service_27_0 webviewupdate_service_27_0 wifip2p_service_27_0 wifiscanner_service_27_0 wifi_service_27_0 wifiaware_service_27_0 window_service_27_0))
-(typeattributeset app_api_service (batteryproperties_service_27_0 gatekeeper_service_27_0 accessibility_service_27_0 account_service_27_0 activity_service_27_0 alarm_service_27_0 appops_service_27_0 appwidget_service_27_0 assetatlas_service_27_0 audio_service_27_0 autofill_service_27_0 backup_service_27_0 batterystats_service_27_0 bluetooth_manager_service_27_0 clipboard_service_27_0 contexthub_service_27_0 IProxyService_service_27_0 companion_device_service_27_0 connectivity_service_27_0 connmetrics_service_27_0 consumer_ir_service_27_0 content_service_27_0 country_detector_service_27_0 device_policy_service_27_0 deviceidle_service_27_0 device_identifiers_service_27_0 display_service_27_0 font_service_27_0 dreams_service_27_0 dropbox_service_27_0 ethernet_service_27_0 fingerprint_service_27_0 graphicsstats_service_27_0 hardware_properties_service_27_0 input_method_service_27_0 input_service_27_0 imms_service_27_0 ipsec_service_27_0 jobscheduler_service_27_0 launcherapps_service_27_0 location_service_27_0 media_projection_service_27_0 media_router_service_27_0 media_session_service_27_0 midi_service_27_0 mount_service_27_0 netpolicy_service_27_0 netstats_service_27_0 network_management_service_27_0 notification_service_27_0 package_service_27_0 permission_service_27_0 power_service_27_0 print_service_27_0 procstats_service_27_0 registry_service_27_0 restrictions_service_27_0 rttmanager_service_27_0 search_service_27_0 sec_key_att_app_id_provider_service_27_0 sensorservice_service_27_0 servicediscovery_service_27_0 settings_service_27_0 shortcut_service_27_0 statusbar_service_27_0 storagestats_service_27_0 textclassification_service_27_0 textservices_service_27_0 telecom_service_27_0 trust_service_27_0 tv_input_service_27_0 uimode_service_27_0 usagestats_service_27_0 usb_service_27_0 user_service_27_0 vibrator_service_27_0 voiceinteraction_service_27_0 wallpaper_service_27_0 webviewupdate_service_27_0 wifip2p_service_27_0 wifi_service_27_0 wifiaware_service_27_0))
-(typeattributeset ephemeral_app_api_service (batteryproperties_service_27_0 accessibility_service_27_0 account_service_27_0 activity_service_27_0 alarm_service_27_0 appops_service_27_0 appwidget_service_27_0 assetatlas_service_27_0 audio_service_27_0 autofill_service_27_0 backup_service_27_0 batterystats_service_27_0 bluetooth_manager_service_27_0 clipboard_service_27_0 IProxyService_service_27_0 companion_device_service_27_0 connectivity_service_27_0 connmetrics_service_27_0 consumer_ir_service_27_0 content_service_27_0 country_detector_service_27_0 deviceidle_service_27_0 device_identifiers_service_27_0 display_service_27_0 font_service_27_0 dreams_service_27_0 dropbox_service_27_0 graphicsstats_service_27_0 hardware_properties_service_27_0 input_method_service_27_0 input_service_27_0 imms_service_27_0 ipsec_service_27_0 jobscheduler_service_27_0 launcherapps_service_27_0 location_service_27_0 media_projection_service_27_0 media_router_service_27_0 media_session_service_27_0 midi_service_27_0 mount_service_27_0 netpolicy_service_27_0 netstats_service_27_0 network_management_service_27_0 notification_service_27_0 package_service_27_0 permission_service_27_0 power_service_27_0 print_service_27_0 procstats_service_27_0 registry_service_27_0 restrictions_service_27_0 rttmanager_service_27_0 search_service_27_0 sensorservice_service_27_0 servicediscovery_service_27_0 settings_service_27_0 statusbar_service_27_0 storagestats_service_27_0 textclassification_service_27_0 textservices_service_27_0 telecom_service_27_0 tv_input_service_27_0 uimode_service_27_0 usagestats_service_27_0 user_service_27_0 vibrator_service_27_0 voiceinteraction_service_27_0 webviewupdate_service_27_0))
-(typeattributeset system_api_service (cpuinfo_service_27_0 dbinfo_service_27_0 diskstats_service_27_0 gfxinfo_service_27_0 hdmi_control_service_27_0 lock_settings_service_27_0 meminfo_service_27_0 network_score_service_27_0 oem_lock_service_27_0 overlay_service_27_0 persistent_data_block_service_27_0 serial_service_27_0 updatelock_service_27_0 wifiscanner_service_27_0 window_service_27_0))
-(typeattributeset service_manager_type (audioserver_service_27_0 batteryproperties_service_27_0 bluetooth_service_27_0 cameraserver_service_27_0 default_android_service_27_0 drmserver_service_27_0 dumpstate_service_27_0 fingerprintd_service_27_0 hal_fingerprint_service_27_0 gatekeeper_service_27_0 gpu_service_27_0 inputflinger_service_27_0 incident_service_27_0 installd_service_27_0 keystore_service_27_0 mediaserver_service_27_0 mediametrics_service_27_0 mediaextractor_service_27_0 mediacodec_service_27_0 mediadrmserver_service_27_0 netd_service_27_0 nfc_service_27_0 radio_service_27_0 storaged_service_27_0 surfaceflinger_service_27_0 system_app_service_27_0 thermal_service_27_0 update_engine_service_27_0 virtual_touchpad_service_27_0 vr_hwc_service_27_0 accessibility_service_27_0 account_service_27_0 activity_service_27_0 alarm_service_27_0 appops_service_27_0 appwidget_service_27_0 assetatlas_service_27_0 audio_service_27_0 autofill_service_27_0 backup_service_27_0 batterystats_service_27_0 battery_service_27_0 bluetooth_manager_service_27_0 broadcastradio_service_27_0 cameraproxy_service_27_0 clipboard_service_27_0 contexthub_service_27_0 IProxyService_service_27_0 commontime_management_service_27_0 companion_device_service_27_0 connectivity_service_27_0 connmetrics_service_27_0 consumer_ir_service_27_0 content_service_27_0 country_detector_service_27_0 coverage_service_27_0 cpuinfo_service_27_0 dbinfo_service_27_0 device_policy_service_27_0 deviceidle_service_27_0 device_identifiers_service_27_0 devicestoragemonitor_service_27_0 diskstats_service_27_0 display_service_27_0 font_service_27_0 netd_listener_service_27_0 DockObserver_service_27_0 dreams_service_27_0 dropbox_service_27_0 ethernet_service_27_0 fingerprint_service_27_0 gfxinfo_service_27_0 graphicsstats_service_27_0 hardware_service_27_0 hardware_properties_service_27_0 hdmi_control_service_27_0 input_method_service_27_0 input_service_27_0 imms_service_27_0 ipsec_service_27_0 jobscheduler_service_27_0 launcherapps_service_27_0 location_service_27_0 lock_settings_service_27_0 media_projection_service_27_0 media_router_service_27_0 media_session_service_27_0 meminfo_service_27_0 midi_service_27_0 mount_service_27_0 netpolicy_service_27_0 netstats_service_27_0 network_management_service_27_0 network_score_service_27_0 network_time_update_service_27_0 notification_service_27_0 oem_lock_service_27_0 otadexopt_service_27_0 overlay_service_27_0 package_service_27_0 package_native_service_27_0 permission_service_27_0 persistent_data_block_service_27_0 pinner_service_27_0 power_service_27_0 print_service_27_0 processinfo_service_27_0 procstats_service_27_0 recovery_service_27_0 registry_service_27_0 restrictions_service_27_0 rttmanager_service_27_0 samplingprofiler_service_27_0 scheduling_policy_service_27_0 search_service_27_0 sec_key_att_app_id_provider_service_27_0 sensorservice_service_27_0 serial_service_27_0 servicediscovery_service_27_0 settings_service_27_0 shortcut_service_27_0 statusbar_service_27_0 storagestats_service_27_0 task_service_27_0 textclassification_service_27_0 textservices_service_27_0 telecom_service_27_0 timezone_service_27_0 trust_service_27_0 tv_input_service_27_0 uimode_service_27_0 updatelock_service_27_0 usagestats_service_27_0 usb_service_27_0 user_service_27_0 vibrator_service_27_0 voiceinteraction_service_27_0 vr_manager_service_27_0 wallpaper_service_27_0 webviewupdate_service_27_0 wifip2p_service_27_0 wifiscanner_service_27_0 wifi_service_27_0 wificond_service_27_0 wifiaware_service_27_0 window_service_27_0))
-(typeattributeset hwservice_manager_type (default_android_hwservice_27_0 fwk_display_hwservice_27_0 fwk_scheduler_hwservice_27_0 fwk_sensor_hwservice_27_0 hal_audio_hwservice_27_0 hal_bluetooth_hwservice_27_0 hal_bootctl_hwservice_27_0 hal_broadcastradio_hwservice_27_0 hal_camera_hwservice_27_0 hal_configstore_ISurfaceFlingerConfigs_27_0 hal_contexthub_hwservice_27_0 hal_drm_hwservice_27_0 hal_cas_hwservice_27_0 hal_dumpstate_hwservice_27_0 hal_fingerprint_hwservice_27_0 hal_gatekeeper_hwservice_27_0 hal_gnss_hwservice_27_0 hal_graphics_allocator_hwservice_27_0 hal_graphics_composer_hwservice_27_0 hal_graphics_mapper_hwservice_27_0 hal_health_hwservice_27_0 hal_ir_hwservice_27_0 hal_keymaster_hwservice_27_0 hal_light_hwservice_27_0 hal_memtrack_hwservice_27_0 hal_neuralnetworks_hwservice_27_0 hal_nfc_hwservice_27_0 hal_oemlock_hwservice_27_0 hal_omx_hwservice_27_0 hal_power_hwservice_27_0 hal_renderscript_hwservice_27_0 hal_sensors_hwservice_27_0 hal_telephony_hwservice_27_0 hal_tetheroffload_hwservice_27_0 hal_thermal_hwservice_27_0 hal_tv_cec_hwservice_27_0 hal_tv_input_hwservice_27_0 hal_usb_hwservice_27_0 hal_vibrator_hwservice_27_0 hal_vr_hwservice_27_0 hal_weaver_hwservice_27_0 hal_wifi_hwservice_27_0 hal_wifi_offload_hwservice_27_0 hal_wifi_supplicant_hwservice_27_0 hidl_allocator_hwservice_27_0 hidl_base_hwservice_27_0 hidl_manager_hwservice_27_0 hidl_memory_hwservice_27_0 hidl_token_hwservice_27_0 system_net_netd_hwservice_27_0 system_wifi_keystore_hwservice_27_0 thermalcallback_hwservice_27_0))
-(typeattributeset same_process_hwservice (hal_graphics_mapper_hwservice_27_0 hal_renderscript_hwservice_27_0))
-(typeattributeset coredomain_hwservice (fwk_display_hwservice_27_0 fwk_scheduler_hwservice_27_0 fwk_sensor_hwservice_27_0 hidl_allocator_hwservice_27_0 hidl_manager_hwservice_27_0 hidl_memory_hwservice_27_0 hidl_token_hwservice_27_0 system_net_netd_hwservice_27_0 system_wifi_keystore_hwservice_27_0))
-(typeattributeset vndservice_manager_type (default_android_vndservice_27_0))
-(typeattributeset mlstrustedsubject (bufferhubd_27_0 cppreopts_27_0 drmserver_27_0 dumpstate_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 hwservicemanager_27_0 init_27_0 installd_27_0 kernel_27_0 keystore_27_0 lmkd_27_0 logd_27_0 mediacodec_27_0 mediadrmserver_27_0 mediaextractor_27_0 mediaserver_27_0 netd_27_0 otapreopt_slot_27_0 performanced_27_0 perfprofd_27_0 racoon_27_0 radio_27_0 runas_27_0 servicemanager_27_0 shell_27_0 su_27_0 tombstoned_27_0 uncrypt_27_0 vold_27_0))
-(typeattributeset mlstrustedobject (alarm_device_27_0 ashmem_device_27_0 binder_device_27_0 hwbinder_device_27_0 pmsg_device_27_0 gpu_device_27_0 mtp_device_27_0 ptmx_device_27_0 null_device_27_0 random_device_27_0 owntty_device_27_0 zero_device_27_0 fuse_device_27_0 ion_device_27_0 tun_device_27_0 usbaccessory_device_27_0 usb_device_27_0 qtaguid_proc_27_0 selinuxfs_27_0 cgroup_27_0 sysfs_27_0 sysfs_bluetooth_writable_27_0 sysfs_nfc_power_writable_27_0 sysfs_usb_27_0 inotify_27_0 devpts_27_0 fuse_27_0 sdcardfs_27_0 vfat_27_0 debugfs_trace_marker_27_0 functionfs_27_0 anr_data_file_27_0 tombstone_data_file_27_0 apk_tmp_file_27_0 apk_private_tmp_file_27_0 ota_package_file_27_0 user_profile_data_file_27_0 shell_data_file_27_0 heapdump_data_file_27_0 ringtone_file_27_0 media_rw_data_file_27_0 radio_data_file_27_0 perfprofd_data_file_27_0 method_trace_data_file_27_0 system_app_data_file_27_0 cache_file_27_0 cache_backup_file_27_0 cache_recovery_file_27_0 wallpaper_file_27_0 shortcut_manager_icons_27_0 asec_apk_file_27_0 backup_data_file_27_0 app_fuse_file_27_0 dnsproxyd_socket_27_0 fwmarkd_socket_27_0 logd_socket_27_0 logdr_socket_27_0 logdw_socket_27_0 mdnsd_socket_27_0 property_socket_27_0 system_ndebug_socket_27_0 tombstoned_crash_socket_27_0 tombstoned_java_trace_socket_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 qemu_device sysfs_writable))
-(typeattributeset netdomain (clatd_27_0 dhcp_27_0 dnsmasq_27_0 drmserver_27_0 dumpstate_27_0 mediadrmserver_27_0 mediaserver_27_0 mtp_27_0 netd_27_0 ppp_27_0 racoon_27_0 radio_27_0 rild_27_0 shell_27_0 su_27_0 update_engine_27_0 hal_wifi_supplicant_default hostapd))
-(typeattributeset bluetoothdomain (radio_27_0))
-(typeattributeset binderservicedomain (cameraserver_27_0 drmserver_27_0 gatekeeperd_27_0 healthd_27_0 inputflinger_27_0 keystore_27_0 mediadrmserver_27_0 mediaextractor_27_0 mediametrics_27_0 mediaserver_27_0 radio_27_0 thermalserviced_27_0 virtual_touchpad_27_0 vr_hwc_27_0))
-(typeattributeset update_engine_common (update_engine_27_0))
-(typeattributeset coredomain (e2fs_27_0 perfprofd_27_0))
-(typeattributeset coredomain_socket (adbd_socket_27_0 bluetooth_socket_27_0 dnsproxyd_socket_27_0 dumpstate_socket_27_0 fwmarkd_socket_27_0 lmkd_socket_27_0 logd_socket_27_0 logdr_socket_27_0 logdw_socket_27_0 mdns_socket_27_0 mdnsd_socket_27_0 misc_logd_file_27_0 mtpd_socket_27_0 netd_socket_27_0 property_socket_27_0 racoon_socket_27_0 system_wpa_socket_27_0 system_ndebug_socket_27_0 tombstoned_crash_socket_27_0 tombstoned_intercept_socket_27_0 uncrypt_socket_27_0 vold_socket_27_0 webview_zygote_socket_27_0 zygote_socket_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_client_channel_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_manager_channel_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_screenshot_channel_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_display_vsync_channel_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_performance_client_channel_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 pdx_bufferhub_client_channel_socket_27_0))
-(expandtypeattribute (binder_in_vendor_violators) false)
-(expandtypeattribute (socket_between_core_and_vendor_violators) false)
-(expandtypeattribute (vendor_executes_system_violators) false)
-(expandtypeattribute (untrusted_app_visible_hwservice) false)
-(expandtypeattribute (untrusted_app_visible_halserver) false)
-(typeattributeset pdx_endpoint_dir_type (pdx_display_dir_27_0 pdx_performance_dir_27_0 pdx_bufferhub_dir_27_0))
-(expandtypeattribute (pdx_endpoint_socket_type) false)
-(typeattributeset pdx_endpoint_socket_type (pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0))
-(expandtypeattribute (pdx_channel_socket_type) false)
-(typeattributeset pdx_channel_socket_type (pdx_display_client_channel_socket_27_0 pdx_display_manager_channel_socket_27_0 pdx_display_screenshot_channel_socket_27_0 pdx_display_vsync_channel_socket_27_0 pdx_performance_client_channel_socket_27_0 pdx_bufferhub_client_channel_socket_27_0))
-(typeattributeset pdx_display_client_endpoint_dir_type (pdx_display_dir_27_0))
-(typeattributeset pdx_display_client_endpoint_socket_type (pdx_display_client_endpoint_socket_27_0))
-(typeattributeset pdx_display_client_channel_socket_type (pdx_display_client_channel_socket_27_0))
-(typeattributeset pdx_display_manager_endpoint_dir_type (pdx_display_dir_27_0))
-(typeattributeset pdx_display_manager_endpoint_socket_type (pdx_display_manager_endpoint_socket_27_0))
-(typeattributeset pdx_display_manager_channel_socket_type (pdx_display_manager_channel_socket_27_0))
-(typeattributeset pdx_display_screenshot_endpoint_dir_type (pdx_display_dir_27_0))
-(typeattributeset pdx_display_screenshot_endpoint_socket_type (pdx_display_screenshot_endpoint_socket_27_0))
-(typeattributeset pdx_display_screenshot_channel_socket_type (pdx_display_screenshot_channel_socket_27_0))
-(typeattributeset pdx_display_vsync_endpoint_dir_type (pdx_display_dir_27_0))
-(typeattributeset pdx_display_vsync_endpoint_socket_type (pdx_display_vsync_endpoint_socket_27_0))
-(typeattributeset pdx_display_vsync_channel_socket_type (pdx_display_vsync_channel_socket_27_0))
-(typeattributeset pdx_performance_client_endpoint_dir_type (pdx_performance_dir_27_0))
-(typeattributeset pdx_performance_client_endpoint_socket_type (pdx_performance_client_endpoint_socket_27_0))
-(typeattributeset pdx_performance_client_channel_socket_type (pdx_performance_client_channel_socket_27_0))
-(typeattributeset pdx_performance_client_server_type (performanced_27_0))
-(typeattributeset pdx_bufferhub_client_endpoint_dir_type (pdx_bufferhub_dir_27_0))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_type (pdx_bufferhub_client_endpoint_socket_27_0))
-(typeattributeset pdx_bufferhub_client_channel_socket_type (pdx_bufferhub_client_channel_socket_27_0))
-(typeattributeset pdx_bufferhub_client_server_type (bufferhubd_27_0))
-(typeattributeset halserverdomain (rild_27_0 hal_audio_default hal_bluetooth_default hal_bootctl_default hal_broadcastradio_default hal_camera_default hal_cas_default hal_configstore_default hal_contexthub_default hal_drm_default hal_dumpstate_default hal_fingerprint_default hal_gatekeeper_default hal_gnss_default hal_graphics_allocator_default hal_graphics_composer_default hal_health_default hal_ir_default hal_keymaster_default hal_light_default hal_memtrack_default hal_nfc_default hal_power_default hal_sensors_default hal_tetheroffload_default hal_thermal_default hal_tv_cec_default hal_tv_input_default hal_usb_default hal_vibrator_default hal_vr_default hal_wifi_default hal_wifi_offload_default hal_wifi_supplicant_default hal_drm_widevine))
-(expandtypeattribute (halclientdomain) true)
-(typeattributeset halclientdomain (bootanim_27_0 bufferhubd_27_0 cameraserver_27_0 dumpstate_27_0 gatekeeperd_27_0 healthd_27_0 mediacodec_27_0 mediadrmserver_27_0 mediaextractor_27_0 mediaserver_27_0 radio_27_0 thermalserviced_27_0 update_engine_27_0 update_verifier_27_0 vold_27_0 vr_hwc_27_0 hal_audio_default hal_camera_default hal_drm_default hal_drm_widevine))
-(expandtypeattribute (hal_allocator) true)
-(expandtypeattribute (hal_allocator_client) true)
-(typeattributeset hal_allocator_client (mediacodec_27_0 mediaserver_27_0 hal_audio_default))
-(expandtypeattribute (hal_allocator_server) false)
-(expandtypeattribute (hal_audio) false)
-(typeattributeset hal_audio (hal_audio_default))
-(expandtypeattribute (hal_audio_client) true)
-(expandtypeattribute (hal_audio_server) false)
-(typeattributeset hal_audio_server (hal_audio_default))
-(expandtypeattribute (hal_bluetooth) true)
-(typeattributeset hal_bluetooth (hal_bluetooth_default))
-(expandtypeattribute (hal_bluetooth_client) true)
-(expandtypeattribute (hal_bluetooth_server) false)
-(typeattributeset hal_bluetooth_server (hal_bluetooth_default))
-(expandtypeattribute (hal_bootctl) false)
-(typeattributeset hal_bootctl (hal_bootctl_default))
-(expandtypeattribute (hal_bootctl_client) true)
-(typeattributeset hal_bootctl_client (update_engine_27_0 update_verifier_27_0))
-(expandtypeattribute (hal_bootctl_server) false)
-(typeattributeset hal_bootctl_server (hal_bootctl_default))
-(expandtypeattribute (hal_broadcastradio) true)
-(typeattributeset hal_broadcastradio (hal_broadcastradio_default))
-(expandtypeattribute (hal_broadcastradio_client) true)
-(expandtypeattribute (hal_broadcastradio_server) false)
-(typeattributeset hal_broadcastradio_server (hal_broadcastradio_default))
-(expandtypeattribute (hal_camera) false)
-(typeattributeset hal_camera (hal_camera_default))
-(expandtypeattribute (hal_camera_client) true)
-(typeattributeset hal_camera_client (cameraserver_27_0))
-(expandtypeattribute (hal_camera_server) false)
-(typeattributeset hal_camera_server (hal_camera_default))
-(expandtypeattribute (hal_configstore) true)
-(typeattributeset hal_configstore (hal_configstore_default))
-(expandtypeattribute (hal_configstore_client) true)
-(typeattributeset hal_configstore_client (bootanim_27_0))
-(expandtypeattribute (hal_configstore_server) false)
-(typeattributeset hal_configstore_server (hal_configstore_default))
-(expandtypeattribute (hal_contexthub) true)
-(typeattributeset hal_contexthub (hal_contexthub_default))
-(expandtypeattribute (hal_contexthub_client) true)
-(expandtypeattribute (hal_contexthub_server) false)
-(typeattributeset hal_contexthub_server (hal_contexthub_default))
-(expandtypeattribute (hal_drm) false)
-(typeattributeset hal_drm (hal_drm_default hal_drm_widevine))
-(expandtypeattribute (hal_drm_client) true)
-(typeattributeset hal_drm_client (mediadrmserver_27_0))
-(expandtypeattribute (hal_drm_server) false)
-(typeattributeset hal_drm_server (hal_drm_default hal_drm_widevine))
-(expandtypeattribute (hal_cas) false)
-(typeattributeset hal_cas (hal_cas_default))
-(expandtypeattribute (hal_cas_client) true)
-(typeattributeset hal_cas_client (mediacodec_27_0 mediaextractor_27_0))
-(expandtypeattribute (hal_cas_server) false)
-(typeattributeset hal_cas_server (hal_cas_default))
-(expandtypeattribute (hal_dumpstate) true)
-(typeattributeset hal_dumpstate (hal_dumpstate_default))
-(expandtypeattribute (hal_dumpstate_client) true)
-(typeattributeset hal_dumpstate_client (dumpstate_27_0))
-(expandtypeattribute (hal_dumpstate_server) false)
-(typeattributeset hal_dumpstate_server (hal_dumpstate_default))
-(expandtypeattribute (hal_fingerprint) true)
-(typeattributeset hal_fingerprint (hal_fingerprint_default))
-(expandtypeattribute (hal_fingerprint_client) true)
-(expandtypeattribute (hal_fingerprint_server) false)
-(typeattributeset hal_fingerprint_server (hal_fingerprint_default))
-(expandtypeattribute (hal_gatekeeper) true)
-(typeattributeset hal_gatekeeper (hal_gatekeeper_default))
-(expandtypeattribute (hal_gatekeeper_client) true)
-(typeattributeset hal_gatekeeper_client (gatekeeperd_27_0))
-(expandtypeattribute (hal_gatekeeper_server) false)
-(typeattributeset hal_gatekeeper_server (hal_gatekeeper_default))
-(expandtypeattribute (hal_gnss) true)
-(typeattributeset hal_gnss (hal_gnss_default))
-(expandtypeattribute (hal_gnss_client) true)
-(expandtypeattribute (hal_gnss_server) false)
-(typeattributeset hal_gnss_server (hal_gnss_default))
-(expandtypeattribute (hal_graphics_allocator) true)
-(typeattributeset hal_graphics_allocator (hal_graphics_allocator_default))
-(expandtypeattribute (hal_graphics_allocator_client) true)
-(typeattributeset hal_graphics_allocator_client (bootanim_27_0 bufferhubd_27_0 cameraserver_27_0 dumpstate_27_0 mediacodec_27_0 vr_hwc_27_0))
-(expandtypeattribute (hal_graphics_allocator_server) false)
-(typeattributeset hal_graphics_allocator_server (hal_graphics_allocator_default))
-(expandtypeattribute (hal_graphics_composer) true)
-(typeattributeset hal_graphics_composer (hal_graphics_composer_default))
-(expandtypeattribute (hal_graphics_composer_client) true)
-(typeattributeset hal_graphics_composer_client (bootanim_27_0 hal_camera_default hal_drm_default hal_drm_widevine))
-(expandtypeattribute (hal_graphics_composer_server) false)
-(typeattributeset hal_graphics_composer_server (hal_graphics_composer_default))
-(expandtypeattribute (hal_health) true)
-(typeattributeset hal_health (hal_health_default))
-(expandtypeattribute (hal_health_client) true)
-(typeattributeset hal_health_client (healthd_27_0))
-(expandtypeattribute (hal_health_server) false)
-(typeattributeset hal_health_server (hal_health_default))
-(expandtypeattribute (hal_ir) true)
-(typeattributeset hal_ir (hal_ir_default))
-(expandtypeattribute (hal_ir_client) true)
-(expandtypeattribute (hal_ir_server) false)
-(typeattributeset hal_ir_server (hal_ir_default))
-(expandtypeattribute (hal_keymaster) true)
-(typeattributeset hal_keymaster (hal_keymaster_default))
-(expandtypeattribute (hal_keymaster_client) true)
-(typeattributeset hal_keymaster_client (vold_27_0))
-(expandtypeattribute (hal_keymaster_server) false)
-(typeattributeset hal_keymaster_server (hal_keymaster_default))
-(expandtypeattribute (hal_light) true)
-(typeattributeset hal_light (hal_light_default))
-(expandtypeattribute (hal_light_client) true)
-(expandtypeattribute (hal_light_server) false)
-(typeattributeset hal_light_server (hal_light_default))
-(expandtypeattribute (hal_memtrack) true)
-(typeattributeset hal_memtrack (hal_memtrack_default))
-(expandtypeattribute (hal_memtrack_client) true)
-(expandtypeattribute (hal_memtrack_server) false)
-(typeattributeset hal_memtrack_server (hal_memtrack_default))
-(expandtypeattribute (hal_neuralnetworks) true)
-(expandtypeattribute (hal_neuralnetworks_client) true)
-(expandtypeattribute (hal_neuralnetworks_server) false)
-(expandtypeattribute (hal_nfc) true)
-(typeattributeset hal_nfc (hal_nfc_default))
-(expandtypeattribute (hal_nfc_client) true)
-(expandtypeattribute (hal_nfc_server) false)
-(typeattributeset hal_nfc_server (hal_nfc_default))
-(expandtypeattribute (hal_oemlock) true)
-(expandtypeattribute (hal_oemlock_client) true)
-(expandtypeattribute (hal_oemlock_server) false)
-(expandtypeattribute (hal_power) true)
-(typeattributeset hal_power (hal_power_default))
-(expandtypeattribute (hal_power_client) true)
-(expandtypeattribute (hal_power_server) false)
-(typeattributeset hal_power_server (hal_power_default))
-(expandtypeattribute (hal_sensors) true)
-(typeattributeset hal_sensors (hal_sensors_default))
-(expandtypeattribute (hal_sensors_client) true)
-(expandtypeattribute (hal_sensors_server) false)
-(typeattributeset hal_sensors_server (hal_sensors_default))
-(expandtypeattribute (hal_telephony) true)
-(typeattributeset hal_telephony (rild_27_0))
-(expandtypeattribute (hal_telephony_client) true)
-(typeattributeset hal_telephony_client (radio_27_0))
-(expandtypeattribute (hal_telephony_server) false)
-(typeattributeset hal_telephony_server (rild_27_0))
-(expandtypeattribute (hal_tetheroffload) true)
-(typeattributeset hal_tetheroffload (hal_tetheroffload_default))
-(expandtypeattribute (hal_tetheroffload_client) true)
-(expandtypeattribute (hal_tetheroffload_server) false)
-(typeattributeset hal_tetheroffload_server (hal_tetheroffload_default))
-(expandtypeattribute (hal_thermal) true)
-(typeattributeset hal_thermal (hal_thermal_default))
-(expandtypeattribute (hal_thermal_client) true)
-(typeattributeset hal_thermal_client (thermalserviced_27_0))
-(expandtypeattribute (hal_thermal_server) false)
-(typeattributeset hal_thermal_server (hal_thermal_default))
-(expandtypeattribute (hal_tv_cec) true)
-(typeattributeset hal_tv_cec (hal_tv_cec_default))
-(expandtypeattribute (hal_tv_cec_client) true)
-(expandtypeattribute (hal_tv_cec_server) false)
-(typeattributeset hal_tv_cec_server (hal_tv_cec_default))
-(expandtypeattribute (hal_tv_input) true)
-(typeattributeset hal_tv_input (hal_tv_input_default))
-(expandtypeattribute (hal_tv_input_client) true)
-(expandtypeattribute (hal_tv_input_server) false)
-(typeattributeset hal_tv_input_server (hal_tv_input_default))
-(expandtypeattribute (hal_usb) true)
-(typeattributeset hal_usb (hal_usb_default))
-(expandtypeattribute (hal_usb_client) true)
-(expandtypeattribute (hal_usb_server) false)
-(typeattributeset hal_usb_server (hal_usb_default))
-(expandtypeattribute (hal_vibrator) true)
-(typeattributeset hal_vibrator (hal_vibrator_default))
-(expandtypeattribute (hal_vibrator_client) true)
-(typeattributeset hal_vibrator_client (dumpstate_27_0))
-(expandtypeattribute (hal_vibrator_server) false)
-(typeattributeset hal_vibrator_server (hal_vibrator_default))
-(expandtypeattribute (hal_vr) true)
-(typeattributeset hal_vr (hal_vr_default))
-(expandtypeattribute (hal_vr_client) true)
-(expandtypeattribute (hal_vr_server) false)
-(typeattributeset hal_vr_server (hal_vr_default))
-(expandtypeattribute (hal_weaver) true)
-(expandtypeattribute (hal_weaver_client) true)
-(expandtypeattribute (hal_weaver_server) false)
-(expandtypeattribute (hal_wifi) true)
-(typeattributeset hal_wifi (hal_wifi_default))
-(expandtypeattribute (hal_wifi_client) true)
-(expandtypeattribute (hal_wifi_server) false)
-(typeattributeset hal_wifi_server (hal_wifi_default))
-(expandtypeattribute (hal_wifi_offload) true)
-(typeattributeset hal_wifi_offload (hal_wifi_offload_default))
-(expandtypeattribute (hal_wifi_offload_client) true)
-(expandtypeattribute (hal_wifi_offload_server) false)
-(typeattributeset hal_wifi_offload_server (hal_wifi_offload_default))
-(expandtypeattribute (hal_wifi_supplicant) true)
-(typeattributeset hal_wifi_supplicant (hal_wifi_supplicant_default))
-(expandtypeattribute (hal_wifi_supplicant_client) true)
-(expandtypeattribute (hal_wifi_supplicant_server) false)
-(typeattributeset hal_wifi_supplicant_server (hal_wifi_supplicant_default))
-(typeattribute adbd_27_0)
-(roletype object_r adbd_27_0)
-(typeattribute adbd_exec_27_0)
-(roletype object_r adbd_exec_27_0)
-(typeattribute audioserver_27_0)
-(roletype object_r audioserver_27_0)
-(typeattribute blkid_27_0)
-(roletype object_r blkid_27_0)
-(typeattribute blkid_untrusted_27_0)
-(roletype object_r blkid_untrusted_27_0)
-(typeattribute bluetooth_27_0)
-(roletype object_r bluetooth_27_0)
-(typeattribute bootanim_27_0)
-(roletype object_r bootanim_27_0)
-(typeattribute bootanim_exec_27_0)
-(roletype object_r bootanim_exec_27_0)
-(typeattribute bootstat_27_0)
-(roletype object_r bootstat_27_0)
-(typeattribute bootstat_exec_27_0)
-(roletype object_r bootstat_exec_27_0)
-(typeattribute bufferhubd_27_0)
-(roletype object_r bufferhubd_27_0)
-(typeattribute bufferhubd_exec_27_0)
-(roletype object_r bufferhubd_exec_27_0)
-(typeattribute cameraserver_27_0)
-(roletype object_r cameraserver_27_0)
-(typeattribute cameraserver_exec_27_0)
-(roletype object_r cameraserver_exec_27_0)
-(typeattribute charger_27_0)
-(roletype object_r charger_27_0)
-(typeattribute clatd_27_0)
-(roletype object_r clatd_27_0)
-(typeattribute clatd_exec_27_0)
-(roletype object_r clatd_exec_27_0)
-(typeattribute cppreopts_27_0)
-(roletype object_r cppreopts_27_0)
-(typeattribute cppreopts_exec_27_0)
-(roletype object_r cppreopts_exec_27_0)
-(typeattribute crash_dump_27_0)
-(roletype object_r crash_dump_27_0)
-(typeattribute crash_dump_exec_27_0)
-(roletype object_r crash_dump_exec_27_0)
-(typeattribute device_27_0)
-(roletype object_r device_27_0)
-(typeattribute alarm_device_27_0)
-(roletype object_r alarm_device_27_0)
-(typeattribute ashmem_device_27_0)
-(roletype object_r ashmem_device_27_0)
-(typeattribute audio_device_27_0)
-(roletype object_r audio_device_27_0)
-(typeattribute audio_timer_device_27_0)
-(roletype object_r audio_timer_device_27_0)
-(typeattribute audio_seq_device_27_0)
-(roletype object_r audio_seq_device_27_0)
-(typeattribute binder_device_27_0)
-(roletype object_r binder_device_27_0)
-(typeattribute hwbinder_device_27_0)
-(roletype object_r hwbinder_device_27_0)
-(typeattribute vndbinder_device_27_0)
-(roletype object_r vndbinder_device_27_0)
-(typeattribute block_device_27_0)
-(roletype object_r block_device_27_0)
-(typeattribute camera_device_27_0)
-(roletype object_r camera_device_27_0)
-(typeattribute dm_device_27_0)
-(roletype object_r dm_device_27_0)
-(typeattribute keychord_device_27_0)
-(roletype object_r keychord_device_27_0)
-(typeattribute loop_control_device_27_0)
-(roletype object_r loop_control_device_27_0)
-(typeattribute loop_device_27_0)
-(roletype object_r loop_device_27_0)
-(typeattribute pmsg_device_27_0)
-(roletype object_r pmsg_device_27_0)
-(typeattribute radio_device_27_0)
-(roletype object_r radio_device_27_0)
-(typeattribute ram_device_27_0)
-(roletype object_r ram_device_27_0)
-(typeattribute rtc_device_27_0)
-(roletype object_r rtc_device_27_0)
-(typeattribute vold_device_27_0)
-(roletype object_r vold_device_27_0)
-(typeattribute console_device_27_0)
-(roletype object_r console_device_27_0)
-(typeattribute cpuctl_device_27_0)
-(roletype object_r cpuctl_device_27_0)
-(typeattribute fscklogs_27_0)
-(roletype object_r fscklogs_27_0)
-(typeattribute full_device_27_0)
-(roletype object_r full_device_27_0)
-(typeattribute gpu_device_27_0)
-(roletype object_r gpu_device_27_0)
-(typeattribute graphics_device_27_0)
-(roletype object_r graphics_device_27_0)
-(typeattribute hw_random_device_27_0)
-(roletype object_r hw_random_device_27_0)
-(typeattribute input_device_27_0)
-(roletype object_r input_device_27_0)
-(typeattribute kmem_device_27_0)
-(roletype object_r kmem_device_27_0)
-(typeattribute port_device_27_0)
-(roletype object_r port_device_27_0)
-(typeattribute mtd_device_27_0)
-(roletype object_r mtd_device_27_0)
-(typeattribute mtp_device_27_0)
-(roletype object_r mtp_device_27_0)
-(typeattribute nfc_device_27_0)
-(roletype object_r nfc_device_27_0)
-(typeattribute ptmx_device_27_0)
-(roletype object_r ptmx_device_27_0)
-(typeattribute kmsg_device_27_0)
-(roletype object_r kmsg_device_27_0)
-(typeattribute kmsg_debug_device_27_0)
-(roletype object_r kmsg_debug_device_27_0)
-(typeattribute null_device_27_0)
-(roletype object_r null_device_27_0)
-(typeattribute random_device_27_0)
-(roletype object_r random_device_27_0)
-(typeattribute sensors_device_27_0)
-(roletype object_r sensors_device_27_0)
-(typeattribute serial_device_27_0)
-(roletype object_r serial_device_27_0)
-(typeattribute socket_device_27_0)
-(roletype object_r socket_device_27_0)
-(typeattribute owntty_device_27_0)
-(roletype object_r owntty_device_27_0)
-(typeattribute tty_device_27_0)
-(roletype object_r tty_device_27_0)
-(typeattribute video_device_27_0)
-(roletype object_r video_device_27_0)
-(typeattribute vcs_device_27_0)
-(roletype object_r vcs_device_27_0)
-(typeattribute zero_device_27_0)
-(roletype object_r zero_device_27_0)
-(typeattribute fuse_device_27_0)
-(roletype object_r fuse_device_27_0)
-(typeattribute iio_device_27_0)
-(roletype object_r iio_device_27_0)
-(typeattribute ion_device_27_0)
-(roletype object_r ion_device_27_0)
-(typeattribute qtaguid_device_27_0)
-(roletype object_r qtaguid_device_27_0)
-(typeattribute watchdog_device_27_0)
-(roletype object_r watchdog_device_27_0)
-(typeattribute uhid_device_27_0)
-(roletype object_r uhid_device_27_0)
-(typeattribute uio_device_27_0)
-(roletype object_r uio_device_27_0)
-(typeattribute tun_device_27_0)
-(roletype object_r tun_device_27_0)
-(typeattribute usbaccessory_device_27_0)
-(roletype object_r usbaccessory_device_27_0)
-(typeattribute usb_device_27_0)
-(roletype object_r usb_device_27_0)
-(typeattribute properties_device_27_0)
-(roletype object_r properties_device_27_0)
-(typeattribute properties_serial_27_0)
-(roletype object_r properties_serial_27_0)
-(typeattribute i2c_device_27_0)
-(roletype object_r i2c_device_27_0)
-(typeattribute hci_attach_dev_27_0)
-(roletype object_r hci_attach_dev_27_0)
-(typeattribute rpmsg_device_27_0)
-(roletype object_r rpmsg_device_27_0)
-(typeattribute root_block_device_27_0)
-(roletype object_r root_block_device_27_0)
-(typeattribute frp_block_device_27_0)
-(roletype object_r frp_block_device_27_0)
-(typeattribute system_block_device_27_0)
-(roletype object_r system_block_device_27_0)
-(typeattribute recovery_block_device_27_0)
-(roletype object_r recovery_block_device_27_0)
-(typeattribute boot_block_device_27_0)
-(roletype object_r boot_block_device_27_0)
-(typeattribute userdata_block_device_27_0)
-(roletype object_r userdata_block_device_27_0)
-(typeattribute cache_block_device_27_0)
-(roletype object_r cache_block_device_27_0)
-(typeattribute swap_block_device_27_0)
-(roletype object_r swap_block_device_27_0)
-(typeattribute metadata_block_device_27_0)
-(roletype object_r metadata_block_device_27_0)
-(typeattribute misc_block_device_27_0)
-(roletype object_r misc_block_device_27_0)
-(typeattribute dex2oat_27_0)
-(roletype object_r dex2oat_27_0)
-(typeattribute dex2oat_exec_27_0)
-(roletype object_r dex2oat_exec_27_0)
-(typeattribute dhcp_27_0)
-(roletype object_r dhcp_27_0)
-(typeattribute dhcp_exec_27_0)
-(roletype object_r dhcp_exec_27_0)
-(typeattribute dnsmasq_27_0)
-(roletype object_r dnsmasq_27_0)
-(typeattribute dnsmasq_exec_27_0)
-(roletype object_r dnsmasq_exec_27_0)
-(typeattribute drmserver_27_0)
-(roletype object_r drmserver_27_0)
-(typeattribute drmserver_exec_27_0)
-(roletype object_r drmserver_exec_27_0)
-(typeattribute drmserver_socket_27_0)
-(roletype object_r drmserver_socket_27_0)
-(typeattribute dumpstate_27_0)
-(roletype object_r dumpstate_27_0)
-(typeattribute dumpstate_exec_27_0)
-(roletype object_r dumpstate_exec_27_0)
-(typeattribute e2fs_27_0)
-(roletype object_r e2fs_27_0)
-(typeattribute e2fs_exec_27_0)
-(roletype object_r e2fs_exec_27_0)
-(typeattribute ephemeral_app_27_0)
-(roletype object_r ephemeral_app_27_0)
-(typeattribute labeledfs_27_0)
-(roletype object_r labeledfs_27_0)
-(typeattribute pipefs_27_0)
-(roletype object_r pipefs_27_0)
-(typeattribute sockfs_27_0)
-(roletype object_r sockfs_27_0)
-(typeattribute rootfs_27_0)
-(roletype object_r rootfs_27_0)
-(typeattribute proc_27_0)
-(roletype object_r proc_27_0)
-(typeattribute proc_security_27_0)
-(roletype object_r proc_security_27_0)
-(typeattribute proc_drop_caches_27_0)
-(roletype object_r proc_drop_caches_27_0)
-(typeattribute proc_overcommit_memory_27_0)
-(roletype object_r proc_overcommit_memory_27_0)
-(typeattribute usermodehelper_27_0)
-(roletype object_r usermodehelper_27_0)
-(typeattribute sysfs_usermodehelper_27_0)
-(roletype object_r sysfs_usermodehelper_27_0)
-(typeattribute qtaguid_proc_27_0)
-(roletype object_r qtaguid_proc_27_0)
-(typeattribute proc_bluetooth_writable_27_0)
-(roletype object_r proc_bluetooth_writable_27_0)
-(typeattribute proc_cpuinfo_27_0)
-(roletype object_r proc_cpuinfo_27_0)
-(typeattribute proc_interrupts_27_0)
-(roletype object_r proc_interrupts_27_0)
-(typeattribute proc_iomem_27_0)
-(roletype object_r proc_iomem_27_0)
-(typeattribute proc_meminfo_27_0)
-(roletype object_r proc_meminfo_27_0)
-(typeattribute proc_misc_27_0)
-(roletype object_r proc_misc_27_0)
-(typeattribute proc_modules_27_0)
-(roletype object_r proc_modules_27_0)
-(typeattribute proc_net_27_0)
-(roletype object_r proc_net_27_0)
-(typeattribute proc_perf_27_0)
-(roletype object_r proc_perf_27_0)
-(typeattribute proc_stat_27_0)
-(roletype object_r proc_stat_27_0)
-(typeattribute proc_sysrq_27_0)
-(roletype object_r proc_sysrq_27_0)
-(typeattribute proc_timer_27_0)
-(roletype object_r proc_timer_27_0)
-(typeattribute proc_tty_drivers_27_0)
-(roletype object_r proc_tty_drivers_27_0)
-(typeattribute proc_uid_cputime_showstat_27_0)
-(roletype object_r proc_uid_cputime_showstat_27_0)
-(typeattribute proc_uid_cputime_removeuid_27_0)
-(roletype object_r proc_uid_cputime_removeuid_27_0)
-(typeattribute proc_uid_io_stats_27_0)
-(roletype object_r proc_uid_io_stats_27_0)
-(typeattribute proc_uid_procstat_set_27_0)
-(roletype object_r proc_uid_procstat_set_27_0)
-(typeattribute proc_uid_time_in_state_27_0)
-(roletype object_r proc_uid_time_in_state_27_0)
-(typeattribute proc_zoneinfo_27_0)
-(roletype object_r proc_zoneinfo_27_0)
-(typeattribute selinuxfs_27_0)
-(roletype object_r selinuxfs_27_0)
-(typeattribute cgroup_27_0)
-(roletype object_r cgroup_27_0)
-(typeattribute sysfs_27_0)
-(roletype object_r sysfs_27_0)
-(typeattribute sysfs_uio_27_0)
-(roletype object_r sysfs_uio_27_0)
-(typeattribute sysfs_batteryinfo_27_0)
-(roletype object_r sysfs_batteryinfo_27_0)
-(typeattribute sysfs_bluetooth_writable_27_0)
-(roletype object_r sysfs_bluetooth_writable_27_0)
-(typeattribute sysfs_leds_27_0)
-(roletype object_r sysfs_leds_27_0)
-(typeattribute sysfs_hwrandom_27_0)
-(roletype object_r sysfs_hwrandom_27_0)
-(typeattribute sysfs_nfc_power_writable_27_0)
-(roletype object_r sysfs_nfc_power_writable_27_0)
-(typeattribute sysfs_wake_lock_27_0)
-(roletype object_r sysfs_wake_lock_27_0)
-(typeattribute sysfs_mac_address_27_0)
-(roletype object_r sysfs_mac_address_27_0)
-(typeattribute sysfs_usb_27_0)
-(roletype object_r sysfs_usb_27_0)
-(typeattribute sysfs_fs_ext4_features_27_0)
-(roletype object_r sysfs_fs_ext4_features_27_0)
-(typeattribute configfs_27_0)
-(roletype object_r configfs_27_0)
-(typeattribute sysfs_devices_system_cpu_27_0)
-(roletype object_r sysfs_devices_system_cpu_27_0)
-(typeattribute sysfs_lowmemorykiller_27_0)
-(roletype object_r sysfs_lowmemorykiller_27_0)
-(typeattribute sysfs_wlan_fwpath_27_0)
-(roletype object_r sysfs_wlan_fwpath_27_0)
-(typeattribute sysfs_vibrator_27_0)
-(roletype object_r sysfs_vibrator_27_0)
-(typeattribute sysfs_thermal_27_0)
-(roletype object_r sysfs_thermal_27_0)
-(typeattribute sysfs_zram_27_0)
-(roletype object_r sysfs_zram_27_0)
-(typeattribute sysfs_zram_uevent_27_0)
-(roletype object_r sysfs_zram_uevent_27_0)
-(typeattribute inotify_27_0)
-(roletype object_r inotify_27_0)
-(typeattribute devpts_27_0)
-(roletype object_r devpts_27_0)
-(typeattribute tmpfs_27_0)
-(roletype object_r tmpfs_27_0)
-(typeattribute shm_27_0)
-(roletype object_r shm_27_0)
-(typeattribute mqueue_27_0)
-(roletype object_r mqueue_27_0)
-(typeattribute fuse_27_0)
-(roletype object_r fuse_27_0)
-(typeattribute sdcardfs_27_0)
-(roletype object_r sdcardfs_27_0)
-(typeattribute vfat_27_0)
-(roletype object_r vfat_27_0)
-(typeattribute debugfs_27_0)
-(roletype object_r debugfs_27_0)
-(typeattribute debugfs_mmc_27_0)
-(roletype object_r debugfs_mmc_27_0)
-(typeattribute debugfs_trace_marker_27_0)
-(roletype object_r debugfs_trace_marker_27_0)
-(typeattribute debugfs_tracing_27_0)
-(roletype object_r debugfs_tracing_27_0)
-(typeattribute debugfs_tracing_debug_27_0)
-(roletype object_r debugfs_tracing_debug_27_0)
-(typeattribute debugfs_tracing_instances_27_0)
-(roletype object_r debugfs_tracing_instances_27_0)
-(typeattribute debugfs_wifi_tracing_27_0)
-(roletype object_r debugfs_wifi_tracing_27_0)
-(typeattribute pstorefs_27_0)
-(roletype object_r pstorefs_27_0)
-(typeattribute functionfs_27_0)
-(roletype object_r functionfs_27_0)
-(typeattribute oemfs_27_0)
-(roletype object_r oemfs_27_0)
-(typeattribute usbfs_27_0)
-(roletype object_r usbfs_27_0)
-(typeattribute binfmt_miscfs_27_0)
-(roletype object_r binfmt_miscfs_27_0)
-(typeattribute app_fusefs_27_0)
-(roletype object_r app_fusefs_27_0)
-(typeattribute unlabeled_27_0)
-(roletype object_r unlabeled_27_0)
-(typeattribute system_file_27_0)
-(roletype object_r system_file_27_0)
-(typeattribute vendor_hal_file_27_0)
-(roletype object_r vendor_hal_file_27_0)
-(typeattribute vendor_file_27_0)
-(roletype object_r vendor_file_27_0)
-(typeattribute vendor_app_file_27_0)
-(roletype object_r vendor_app_file_27_0)
-(typeattribute vendor_configs_file_27_0)
-(roletype object_r vendor_configs_file_27_0)
-(typeattribute same_process_hal_file_27_0)
-(roletype object_r same_process_hal_file_27_0)
-(typeattribute vndk_sp_file_27_0)
-(roletype object_r vndk_sp_file_27_0)
-(typeattribute vendor_framework_file_27_0)
-(roletype object_r vendor_framework_file_27_0)
-(typeattribute vendor_overlay_file_27_0)
-(roletype object_r vendor_overlay_file_27_0)
-(typeattribute runtime_event_log_tags_file_27_0)
-(roletype object_r runtime_event_log_tags_file_27_0)
-(typeattribute logcat_exec_27_0)
-(roletype object_r logcat_exec_27_0)
-(typeattribute coredump_file_27_0)
-(roletype object_r coredump_file_27_0)
-(typeattribute system_data_file_27_0)
-(roletype object_r system_data_file_27_0)
-(typeattribute unencrypted_data_file_27_0)
-(roletype object_r unencrypted_data_file_27_0)
-(typeattribute install_data_file_27_0)
-(roletype object_r install_data_file_27_0)
-(typeattribute drm_data_file_27_0)
-(roletype object_r drm_data_file_27_0)
-(typeattribute adb_data_file_27_0)
-(roletype object_r adb_data_file_27_0)
-(typeattribute anr_data_file_27_0)
-(roletype object_r anr_data_file_27_0)
-(typeattribute tombstone_data_file_27_0)
-(roletype object_r tombstone_data_file_27_0)
-(typeattribute apk_data_file_27_0)
-(roletype object_r apk_data_file_27_0)
-(typeattribute apk_tmp_file_27_0)
-(roletype object_r apk_tmp_file_27_0)
-(typeattribute apk_private_data_file_27_0)
-(roletype object_r apk_private_data_file_27_0)
-(typeattribute apk_private_tmp_file_27_0)
-(roletype object_r apk_private_tmp_file_27_0)
-(typeattribute dalvikcache_data_file_27_0)
-(roletype object_r dalvikcache_data_file_27_0)
-(typeattribute ota_data_file_27_0)
-(roletype object_r ota_data_file_27_0)
-(typeattribute ota_package_file_27_0)
-(roletype object_r ota_package_file_27_0)
-(typeattribute user_profile_data_file_27_0)
-(roletype object_r user_profile_data_file_27_0)
-(typeattribute profman_dump_data_file_27_0)
-(roletype object_r profman_dump_data_file_27_0)
-(typeattribute resourcecache_data_file_27_0)
-(roletype object_r resourcecache_data_file_27_0)
-(typeattribute shell_data_file_27_0)
-(roletype object_r shell_data_file_27_0)
-(typeattribute property_data_file_27_0)
-(roletype object_r property_data_file_27_0)
-(typeattribute bootchart_data_file_27_0)
-(roletype object_r bootchart_data_file_27_0)
-(typeattribute heapdump_data_file_27_0)
-(roletype object_r heapdump_data_file_27_0)
-(typeattribute nativetest_data_file_27_0)
-(roletype object_r nativetest_data_file_27_0)
-(typeattribute ringtone_file_27_0)
-(roletype object_r ringtone_file_27_0)
-(typeattribute preloads_data_file_27_0)
-(roletype object_r preloads_data_file_27_0)
-(typeattribute preloads_media_file_27_0)
-(roletype object_r preloads_media_file_27_0)
-(typeattribute dhcp_data_file_27_0)
-(roletype object_r dhcp_data_file_27_0)
-(typeattribute mnt_media_rw_file_27_0)
-(roletype object_r mnt_media_rw_file_27_0)
-(typeattribute mnt_user_file_27_0)
-(roletype object_r mnt_user_file_27_0)
-(typeattribute mnt_expand_file_27_0)
-(roletype object_r mnt_expand_file_27_0)
-(typeattribute storage_file_27_0)
-(roletype object_r storage_file_27_0)
-(typeattribute mnt_media_rw_stub_file_27_0)
-(roletype object_r mnt_media_rw_stub_file_27_0)
-(typeattribute storage_stub_file_27_0)
-(roletype object_r storage_stub_file_27_0)
-(typeattribute postinstall_mnt_dir_27_0)
-(roletype object_r postinstall_mnt_dir_27_0)
-(typeattribute postinstall_file_27_0)
-(roletype object_r postinstall_file_27_0)
-(typeattribute adb_keys_file_27_0)
-(roletype object_r adb_keys_file_27_0)
-(typeattribute audio_data_file_27_0)
-(roletype object_r audio_data_file_27_0)
-(typeattribute audiohal_data_file_27_0)
-(roletype object_r audiohal_data_file_27_0)
-(typeattribute audioserver_data_file_27_0)
-(roletype object_r audioserver_data_file_27_0)
-(typeattribute bluetooth_data_file_27_0)
-(roletype object_r bluetooth_data_file_27_0)
-(typeattribute bluetooth_logs_data_file_27_0)
-(roletype object_r bluetooth_logs_data_file_27_0)
-(typeattribute bootstat_data_file_27_0)
-(roletype object_r bootstat_data_file_27_0)
-(typeattribute boottrace_data_file_27_0)
-(roletype object_r boottrace_data_file_27_0)
-(typeattribute camera_data_file_27_0)
-(roletype object_r camera_data_file_27_0)
-(typeattribute gatekeeper_data_file_27_0)
-(roletype object_r gatekeeper_data_file_27_0)
-(typeattribute incident_data_file_27_0)
-(roletype object_r incident_data_file_27_0)
-(typeattribute keychain_data_file_27_0)
-(roletype object_r keychain_data_file_27_0)
-(typeattribute keystore_data_file_27_0)
-(roletype object_r keystore_data_file_27_0)
-(typeattribute media_data_file_27_0)
-(roletype object_r media_data_file_27_0)
-(typeattribute media_rw_data_file_27_0)
-(roletype object_r media_rw_data_file_27_0)
-(typeattribute misc_user_data_file_27_0)
-(roletype object_r misc_user_data_file_27_0)
-(typeattribute net_data_file_27_0)
-(roletype object_r net_data_file_27_0)
-(typeattribute nfc_data_file_27_0)
-(roletype object_r nfc_data_file_27_0)
-(typeattribute radio_data_file_27_0)
-(roletype object_r radio_data_file_27_0)
-(typeattribute reboot_data_file_27_0)
-(roletype object_r reboot_data_file_27_0)
-(typeattribute recovery_data_file_27_0)
-(roletype object_r recovery_data_file_27_0)
-(typeattribute shared_relro_file_27_0)
-(roletype object_r shared_relro_file_27_0)
-(typeattribute systemkeys_data_file_27_0)
-(roletype object_r systemkeys_data_file_27_0)
-(typeattribute textclassifier_data_file_27_0)
-(roletype object_r textclassifier_data_file_27_0)
-(typeattribute vpn_data_file_27_0)
-(roletype object_r vpn_data_file_27_0)
-(typeattribute wifi_data_file_27_0)
-(roletype object_r wifi_data_file_27_0)
-(typeattribute zoneinfo_data_file_27_0)
-(roletype object_r zoneinfo_data_file_27_0)
-(typeattribute vold_data_file_27_0)
-(roletype object_r vold_data_file_27_0)
-(typeattribute perfprofd_data_file_27_0)
-(roletype object_r perfprofd_data_file_27_0)
-(typeattribute tee_data_file_27_0)
-(roletype object_r tee_data_file_27_0)
-(typeattribute update_engine_data_file_27_0)
-(roletype object_r update_engine_data_file_27_0)
-(typeattribute method_trace_data_file_27_0)
-(roletype object_r method_trace_data_file_27_0)
-(typeattribute app_data_file_27_0)
-(roletype object_r app_data_file_27_0)
-(typeattribute system_app_data_file_27_0)
-(roletype object_r system_app_data_file_27_0)
-(typeattribute cache_file_27_0)
-(roletype object_r cache_file_27_0)
-(typeattribute cache_backup_file_27_0)
-(roletype object_r cache_backup_file_27_0)
-(typeattribute cache_private_backup_file_27_0)
-(roletype object_r cache_private_backup_file_27_0)
-(typeattribute cache_recovery_file_27_0)
-(roletype object_r cache_recovery_file_27_0)
-(typeattribute efs_file_27_0)
-(roletype object_r efs_file_27_0)
-(typeattribute wallpaper_file_27_0)
-(roletype object_r wallpaper_file_27_0)
-(typeattribute shortcut_manager_icons_27_0)
-(roletype object_r shortcut_manager_icons_27_0)
-(typeattribute icon_file_27_0)
-(roletype object_r icon_file_27_0)
-(typeattribute asec_apk_file_27_0)
-(roletype object_r asec_apk_file_27_0)
-(typeattribute asec_public_file_27_0)
-(roletype object_r asec_public_file_27_0)
-(typeattribute asec_image_file_27_0)
-(roletype object_r asec_image_file_27_0)
-(typeattribute backup_data_file_27_0)
-(roletype object_r backup_data_file_27_0)
-(typeattribute bluetooth_efs_file_27_0)
-(roletype object_r bluetooth_efs_file_27_0)
-(typeattribute fingerprintd_data_file_27_0)
-(roletype object_r fingerprintd_data_file_27_0)
-(typeattribute app_fuse_file_27_0)
-(roletype object_r app_fuse_file_27_0)
-(typeattribute adbd_socket_27_0)
-(roletype object_r adbd_socket_27_0)
-(typeattribute bluetooth_socket_27_0)
-(roletype object_r bluetooth_socket_27_0)
-(typeattribute dnsproxyd_socket_27_0)
-(roletype object_r dnsproxyd_socket_27_0)
-(typeattribute dumpstate_socket_27_0)
-(roletype object_r dumpstate_socket_27_0)
-(typeattribute fwmarkd_socket_27_0)
-(roletype object_r fwmarkd_socket_27_0)
-(typeattribute lmkd_socket_27_0)
-(roletype object_r lmkd_socket_27_0)
-(typeattribute logd_socket_27_0)
-(roletype object_r logd_socket_27_0)
-(typeattribute logdr_socket_27_0)
-(roletype object_r logdr_socket_27_0)
-(typeattribute logdw_socket_27_0)
-(roletype object_r logdw_socket_27_0)
-(typeattribute mdns_socket_27_0)
-(roletype object_r mdns_socket_27_0)
-(typeattribute mdnsd_socket_27_0)
-(roletype object_r mdnsd_socket_27_0)
-(typeattribute misc_logd_file_27_0)
-(roletype object_r misc_logd_file_27_0)
-(typeattribute mtpd_socket_27_0)
-(roletype object_r mtpd_socket_27_0)
-(typeattribute netd_socket_27_0)
-(roletype object_r netd_socket_27_0)
-(typeattribute property_socket_27_0)
-(roletype object_r property_socket_27_0)
-(typeattribute racoon_socket_27_0)
-(roletype object_r racoon_socket_27_0)
-(typeattribute rild_socket_27_0)
-(roletype object_r rild_socket_27_0)
-(typeattribute rild_debug_socket_27_0)
-(roletype object_r rild_debug_socket_27_0)
-(typeattribute system_wpa_socket_27_0)
-(roletype object_r system_wpa_socket_27_0)
-(typeattribute system_ndebug_socket_27_0)
-(roletype object_r system_ndebug_socket_27_0)
-(typeattribute tombstoned_crash_socket_27_0)
-(roletype object_r tombstoned_crash_socket_27_0)
-(typeattribute tombstoned_java_trace_socket_27_0)
-(roletype object_r tombstoned_java_trace_socket_27_0)
-(typeattribute tombstoned_intercept_socket_27_0)
-(roletype object_r tombstoned_intercept_socket_27_0)
-(typeattribute uncrypt_socket_27_0)
-(roletype object_r uncrypt_socket_27_0)
-(typeattribute vold_socket_27_0)
-(roletype object_r vold_socket_27_0)
-(typeattribute webview_zygote_socket_27_0)
-(roletype object_r webview_zygote_socket_27_0)
-(typeattribute wpa_socket_27_0)
-(roletype object_r wpa_socket_27_0)
-(typeattribute zygote_socket_27_0)
-(roletype object_r zygote_socket_27_0)
-(typeattribute gps_control_27_0)
-(roletype object_r gps_control_27_0)
-(typeattribute pdx_display_dir_27_0)
-(roletype object_r pdx_display_dir_27_0)
-(typeattribute pdx_performance_dir_27_0)
-(roletype object_r pdx_performance_dir_27_0)
-(typeattribute pdx_bufferhub_dir_27_0)
-(roletype object_r pdx_bufferhub_dir_27_0)
-(typeattribute pdx_display_client_endpoint_socket_27_0)
-(roletype object_r pdx_display_client_endpoint_socket_27_0)
-(typeattribute pdx_display_client_channel_socket_27_0)
-(roletype object_r pdx_display_client_channel_socket_27_0)
-(typeattribute pdx_display_manager_endpoint_socket_27_0)
-(roletype object_r pdx_display_manager_endpoint_socket_27_0)
-(typeattribute pdx_display_manager_channel_socket_27_0)
-(roletype object_r pdx_display_manager_channel_socket_27_0)
-(typeattribute pdx_display_screenshot_endpoint_socket_27_0)
-(roletype object_r pdx_display_screenshot_endpoint_socket_27_0)
-(typeattribute pdx_display_screenshot_channel_socket_27_0)
-(roletype object_r pdx_display_screenshot_channel_socket_27_0)
-(typeattribute pdx_display_vsync_endpoint_socket_27_0)
-(roletype object_r pdx_display_vsync_endpoint_socket_27_0)
-(typeattribute pdx_display_vsync_channel_socket_27_0)
-(roletype object_r pdx_display_vsync_channel_socket_27_0)
-(typeattribute pdx_performance_client_endpoint_socket_27_0)
-(roletype object_r pdx_performance_client_endpoint_socket_27_0)
-(typeattribute pdx_performance_client_channel_socket_27_0)
-(roletype object_r pdx_performance_client_channel_socket_27_0)
-(typeattribute pdx_bufferhub_client_endpoint_socket_27_0)
-(roletype object_r pdx_bufferhub_client_endpoint_socket_27_0)
-(typeattribute pdx_bufferhub_client_channel_socket_27_0)
-(roletype object_r pdx_bufferhub_client_channel_socket_27_0)
-(typeattribute file_contexts_file_27_0)
-(roletype object_r file_contexts_file_27_0)
-(typeattribute mac_perms_file_27_0)
-(roletype object_r mac_perms_file_27_0)
-(typeattribute property_contexts_file_27_0)
-(roletype object_r property_contexts_file_27_0)
-(typeattribute seapp_contexts_file_27_0)
-(roletype object_r seapp_contexts_file_27_0)
-(typeattribute sepolicy_file_27_0)
-(roletype object_r sepolicy_file_27_0)
-(typeattribute service_contexts_file_27_0)
-(roletype object_r service_contexts_file_27_0)
-(typeattribute nonplat_service_contexts_file_27_0)
-(roletype object_r nonplat_service_contexts_file_27_0)
-(typeattribute hwservice_contexts_file_27_0)
-(roletype object_r hwservice_contexts_file_27_0)
-(typeattribute vndservice_contexts_file_27_0)
-(roletype object_r vndservice_contexts_file_27_0)
-(typeattribute fingerprintd_27_0)
-(roletype object_r fingerprintd_27_0)
-(typeattribute fingerprintd_exec_27_0)
-(roletype object_r fingerprintd_exec_27_0)
-(typeattribute fsck_27_0)
-(roletype object_r fsck_27_0)
-(typeattribute fsck_exec_27_0)
-(roletype object_r fsck_exec_27_0)
-(typeattribute fsck_untrusted_27_0)
-(roletype object_r fsck_untrusted_27_0)
-(typeattribute gatekeeperd_27_0)
-(roletype object_r gatekeeperd_27_0)
-(typeattribute gatekeeperd_exec_27_0)
-(roletype object_r gatekeeperd_exec_27_0)
-(typeattribute healthd_27_0)
-(roletype object_r healthd_27_0)
-(typeattribute healthd_exec_27_0)
-(roletype object_r healthd_exec_27_0)
-(typeattribute default_android_hwservice_27_0)
-(roletype object_r default_android_hwservice_27_0)
-(typeattribute fwk_display_hwservice_27_0)
-(roletype object_r fwk_display_hwservice_27_0)
-(typeattribute fwk_scheduler_hwservice_27_0)
-(roletype object_r fwk_scheduler_hwservice_27_0)
-(typeattribute fwk_sensor_hwservice_27_0)
-(roletype object_r fwk_sensor_hwservice_27_0)
-(typeattribute hal_audio_hwservice_27_0)
-(roletype object_r hal_audio_hwservice_27_0)
-(typeattribute hal_bluetooth_hwservice_27_0)
-(roletype object_r hal_bluetooth_hwservice_27_0)
-(typeattribute hal_bootctl_hwservice_27_0)
-(roletype object_r hal_bootctl_hwservice_27_0)
-(typeattribute hal_broadcastradio_hwservice_27_0)
-(roletype object_r hal_broadcastradio_hwservice_27_0)
-(typeattribute hal_camera_hwservice_27_0)
-(roletype object_r hal_camera_hwservice_27_0)
-(typeattribute hal_configstore_ISurfaceFlingerConfigs_27_0)
-(roletype object_r hal_configstore_ISurfaceFlingerConfigs_27_0)
-(typeattribute hal_contexthub_hwservice_27_0)
-(roletype object_r hal_contexthub_hwservice_27_0)
-(typeattribute hal_drm_hwservice_27_0)
-(roletype object_r hal_drm_hwservice_27_0)
-(typeattribute hal_cas_hwservice_27_0)
-(roletype object_r hal_cas_hwservice_27_0)
-(typeattribute hal_dumpstate_hwservice_27_0)
-(roletype object_r hal_dumpstate_hwservice_27_0)
-(typeattribute hal_fingerprint_hwservice_27_0)
-(roletype object_r hal_fingerprint_hwservice_27_0)
-(typeattribute hal_gatekeeper_hwservice_27_0)
-(roletype object_r hal_gatekeeper_hwservice_27_0)
-(typeattribute hal_gnss_hwservice_27_0)
-(roletype object_r hal_gnss_hwservice_27_0)
-(typeattribute hal_graphics_allocator_hwservice_27_0)
-(roletype object_r hal_graphics_allocator_hwservice_27_0)
-(typeattribute hal_graphics_composer_hwservice_27_0)
-(roletype object_r hal_graphics_composer_hwservice_27_0)
-(typeattribute hal_graphics_mapper_hwservice_27_0)
-(roletype object_r hal_graphics_mapper_hwservice_27_0)
-(typeattribute hal_health_hwservice_27_0)
-(roletype object_r hal_health_hwservice_27_0)
-(typeattribute hal_ir_hwservice_27_0)
-(roletype object_r hal_ir_hwservice_27_0)
-(typeattribute hal_keymaster_hwservice_27_0)
-(roletype object_r hal_keymaster_hwservice_27_0)
-(typeattribute hal_light_hwservice_27_0)
-(roletype object_r hal_light_hwservice_27_0)
-(typeattribute hal_memtrack_hwservice_27_0)
-(roletype object_r hal_memtrack_hwservice_27_0)
-(typeattribute hal_neuralnetworks_hwservice_27_0)
-(roletype object_r hal_neuralnetworks_hwservice_27_0)
-(typeattribute hal_nfc_hwservice_27_0)
-(roletype object_r hal_nfc_hwservice_27_0)
-(typeattribute hal_oemlock_hwservice_27_0)
-(roletype object_r hal_oemlock_hwservice_27_0)
-(typeattribute hal_omx_hwservice_27_0)
-(roletype object_r hal_omx_hwservice_27_0)
-(typeattribute hal_power_hwservice_27_0)
-(roletype object_r hal_power_hwservice_27_0)
-(typeattribute hal_renderscript_hwservice_27_0)
-(roletype object_r hal_renderscript_hwservice_27_0)
-(typeattribute hal_sensors_hwservice_27_0)
-(roletype object_r hal_sensors_hwservice_27_0)
-(typeattribute hal_telephony_hwservice_27_0)
-(roletype object_r hal_telephony_hwservice_27_0)
-(typeattribute hal_tetheroffload_hwservice_27_0)
-(roletype object_r hal_tetheroffload_hwservice_27_0)
-(typeattribute hal_thermal_hwservice_27_0)
-(roletype object_r hal_thermal_hwservice_27_0)
-(typeattribute hal_tv_cec_hwservice_27_0)
-(roletype object_r hal_tv_cec_hwservice_27_0)
-(typeattribute hal_tv_input_hwservice_27_0)
-(roletype object_r hal_tv_input_hwservice_27_0)
-(typeattribute hal_usb_hwservice_27_0)
-(roletype object_r hal_usb_hwservice_27_0)
-(typeattribute hal_vibrator_hwservice_27_0)
-(roletype object_r hal_vibrator_hwservice_27_0)
-(typeattribute hal_vr_hwservice_27_0)
-(roletype object_r hal_vr_hwservice_27_0)
-(typeattribute hal_weaver_hwservice_27_0)
-(roletype object_r hal_weaver_hwservice_27_0)
-(typeattribute hal_wifi_hwservice_27_0)
-(roletype object_r hal_wifi_hwservice_27_0)
-(typeattribute hal_wifi_offload_hwservice_27_0)
-(roletype object_r hal_wifi_offload_hwservice_27_0)
-(typeattribute hal_wifi_supplicant_hwservice_27_0)
-(roletype object_r hal_wifi_supplicant_hwservice_27_0)
-(typeattribute hidl_allocator_hwservice_27_0)
-(roletype object_r hidl_allocator_hwservice_27_0)
-(typeattribute hidl_base_hwservice_27_0)
-(roletype object_r hidl_base_hwservice_27_0)
-(typeattribute hidl_manager_hwservice_27_0)
-(roletype object_r hidl_manager_hwservice_27_0)
-(typeattribute hidl_memory_hwservice_27_0)
-(roletype object_r hidl_memory_hwservice_27_0)
-(typeattribute hidl_token_hwservice_27_0)
-(roletype object_r hidl_token_hwservice_27_0)
-(typeattribute system_net_netd_hwservice_27_0)
-(roletype object_r system_net_netd_hwservice_27_0)
-(typeattribute system_wifi_keystore_hwservice_27_0)
-(roletype object_r system_wifi_keystore_hwservice_27_0)
-(typeattribute thermalcallback_hwservice_27_0)
-(roletype object_r thermalcallback_hwservice_27_0)
-(typeattribute hwservicemanager_27_0)
-(roletype object_r hwservicemanager_27_0)
-(typeattribute hwservicemanager_exec_27_0)
-(roletype object_r hwservicemanager_exec_27_0)
-(typeattribute idmap_27_0)
-(roletype object_r idmap_27_0)
-(typeattribute idmap_exec_27_0)
-(roletype object_r idmap_exec_27_0)
-(typeattribute incident_27_0)
-(roletype object_r incident_27_0)
-(typeattribute incidentd_27_0)
-(roletype object_r incidentd_27_0)
-(typeattribute init_27_0)
-(roletype object_r init_27_0)
-(typeattribute init_exec_27_0)
-(roletype object_r init_exec_27_0)
-(typeattribute inputflinger_27_0)
-(roletype object_r inputflinger_27_0)
-(typeattribute inputflinger_exec_27_0)
-(roletype object_r inputflinger_exec_27_0)
-(typeattribute install_recovery_27_0)
-(roletype object_r install_recovery_27_0)
-(typeattribute install_recovery_exec_27_0)
-(roletype object_r install_recovery_exec_27_0)
-(typeattribute installd_27_0)
-(roletype object_r installd_27_0)
-(typeattribute installd_exec_27_0)
-(roletype object_r installd_exec_27_0)
-(typeattribute isolated_app_27_0)
-(roletype object_r isolated_app_27_0)
-(typeattribute kernel_27_0)
-(roletype object_r kernel_27_0)
-(typeattribute keystore_27_0)
-(roletype object_r keystore_27_0)
-(typeattribute keystore_exec_27_0)
-(roletype object_r keystore_exec_27_0)
-(typeattribute lmkd_27_0)
-(roletype object_r lmkd_27_0)
-(typeattribute lmkd_exec_27_0)
-(roletype object_r lmkd_exec_27_0)
-(typeattribute logd_27_0)
-(roletype object_r logd_27_0)
-(typeattribute logd_exec_27_0)
-(roletype object_r logd_exec_27_0)
-(typeattribute logpersist_27_0)
-(roletype object_r logpersist_27_0)
-(typeattribute mdnsd_27_0)
-(roletype object_r mdnsd_27_0)
-(typeattribute mediacodec_27_0)
-(roletype object_r mediacodec_27_0)
-(typeattribute mediacodec_exec_27_0)
-(roletype object_r mediacodec_exec_27_0)
-(typeattribute mediadrmserver_27_0)
-(roletype object_r mediadrmserver_27_0)
-(typeattribute mediadrmserver_exec_27_0)
-(roletype object_r mediadrmserver_exec_27_0)
-(typeattribute mediaextractor_27_0)
-(roletype object_r mediaextractor_27_0)
-(typeattribute mediaextractor_exec_27_0)
-(roletype object_r mediaextractor_exec_27_0)
-(typeattribute mediametrics_27_0)
-(roletype object_r mediametrics_27_0)
-(typeattribute mediametrics_exec_27_0)
-(roletype object_r mediametrics_exec_27_0)
-(typeattribute mediaprovider_27_0)
-(roletype object_r mediaprovider_27_0)
-(typeattribute mediaserver_27_0)
-(roletype object_r mediaserver_27_0)
-(typeattribute mediaserver_exec_27_0)
-(roletype object_r mediaserver_exec_27_0)
-(typeattribute modprobe_27_0)
-(roletype object_r modprobe_27_0)
-(typeattribute mtp_27_0)
-(roletype object_r mtp_27_0)
-(typeattribute mtp_exec_27_0)
-(roletype object_r mtp_exec_27_0)
-(typeattribute node_27_0)
-(roletype object_r node_27_0)
-(typeattribute netif_27_0)
-(roletype object_r netif_27_0)
-(typeattribute port_27_0)
-(roletype object_r port_27_0)
-(typeattribute netd_27_0)
-(roletype object_r netd_27_0)
-(typeattribute netd_exec_27_0)
-(roletype object_r netd_exec_27_0)
-(typeattribute netutils_wrapper_27_0)
-(roletype object_r netutils_wrapper_27_0)
-(typeattribute netutils_wrapper_exec_27_0)
-(roletype object_r netutils_wrapper_exec_27_0)
-(typeattribute nfc_27_0)
-(roletype object_r nfc_27_0)
-(typeattribute otapreopt_chroot_27_0)
-(roletype object_r otapreopt_chroot_27_0)
-(typeattribute otapreopt_chroot_exec_27_0)
-(roletype object_r otapreopt_chroot_exec_27_0)
-(typeattribute otapreopt_slot_27_0)
-(roletype object_r otapreopt_slot_27_0)
-(typeattribute otapreopt_slot_exec_27_0)
-(roletype object_r otapreopt_slot_exec_27_0)
-(typeattribute performanced_27_0)
-(roletype object_r performanced_27_0)
-(typeattribute performanced_exec_27_0)
-(roletype object_r performanced_exec_27_0)
-(typeattribute perfprofd_27_0)
-(roletype object_r perfprofd_27_0)
-(typeattribute perfprofd_exec_27_0)
-(roletype object_r perfprofd_exec_27_0)
-(typeattribute platform_app_27_0)
-(roletype object_r platform_app_27_0)
-(typeattribute postinstall_27_0)
-(roletype object_r postinstall_27_0)
-(typeattribute postinstall_dexopt_27_0)
-(roletype object_r postinstall_dexopt_27_0)
-(typeattribute ppp_27_0)
-(roletype object_r ppp_27_0)
-(typeattribute ppp_device_27_0)
-(roletype object_r ppp_device_27_0)
-(typeattribute ppp_exec_27_0)
-(roletype object_r ppp_exec_27_0)
-(typeattribute preopt2cachename_27_0)
-(roletype object_r preopt2cachename_27_0)
-(typeattribute preopt2cachename_exec_27_0)
-(roletype object_r preopt2cachename_exec_27_0)
-(typeattribute priv_app_27_0)
-(roletype object_r priv_app_27_0)
-(typeattribute profman_27_0)
-(roletype object_r profman_27_0)
-(typeattribute profman_exec_27_0)
-(roletype object_r profman_exec_27_0)
-(typeattribute audio_prop_27_0)
-(roletype object_r audio_prop_27_0)
-(typeattribute boottime_prop_27_0)
-(roletype object_r boottime_prop_27_0)
-(typeattribute bluetooth_prop_27_0)
-(roletype object_r bluetooth_prop_27_0)
-(typeattribute config_prop_27_0)
-(roletype object_r config_prop_27_0)
-(typeattribute cppreopt_prop_27_0)
-(roletype object_r cppreopt_prop_27_0)
-(typeattribute ctl_bootanim_prop_27_0)
-(roletype object_r ctl_bootanim_prop_27_0)
-(typeattribute ctl_bugreport_prop_27_0)
-(roletype object_r ctl_bugreport_prop_27_0)
-(typeattribute ctl_console_prop_27_0)
-(roletype object_r ctl_console_prop_27_0)
-(typeattribute ctl_default_prop_27_0)
-(roletype object_r ctl_default_prop_27_0)
-(typeattribute ctl_dumpstate_prop_27_0)
-(roletype object_r ctl_dumpstate_prop_27_0)
-(typeattribute ctl_fuse_prop_27_0)
-(roletype object_r ctl_fuse_prop_27_0)
-(typeattribute ctl_mdnsd_prop_27_0)
-(roletype object_r ctl_mdnsd_prop_27_0)
-(typeattribute ctl_rildaemon_prop_27_0)
-(roletype object_r ctl_rildaemon_prop_27_0)
-(typeattribute dalvik_prop_27_0)
-(roletype object_r dalvik_prop_27_0)
-(typeattribute debuggerd_prop_27_0)
-(roletype object_r debuggerd_prop_27_0)
-(typeattribute debug_prop_27_0)
-(roletype object_r debug_prop_27_0)
-(typeattribute default_prop_27_0)
-(roletype object_r default_prop_27_0)
-(typeattribute device_logging_prop_27_0)
-(roletype object_r device_logging_prop_27_0)
-(typeattribute dhcp_prop_27_0)
-(roletype object_r dhcp_prop_27_0)
-(typeattribute dumpstate_options_prop_27_0)
-(roletype object_r dumpstate_options_prop_27_0)
-(typeattribute dumpstate_prop_27_0)
-(roletype object_r dumpstate_prop_27_0)
-(typeattribute ffs_prop_27_0)
-(roletype object_r ffs_prop_27_0)
-(typeattribute fingerprint_prop_27_0)
-(roletype object_r fingerprint_prop_27_0)
-(typeattribute firstboot_prop_27_0)
-(roletype object_r firstboot_prop_27_0)
-(typeattribute hwservicemanager_prop_27_0)
-(roletype object_r hwservicemanager_prop_27_0)
-(typeattribute logd_prop_27_0)
-(roletype object_r logd_prop_27_0)
-(typeattribute logpersistd_logging_prop_27_0)
-(roletype object_r logpersistd_logging_prop_27_0)
-(typeattribute log_prop_27_0)
-(roletype object_r log_prop_27_0)
-(typeattribute log_tag_prop_27_0)
-(roletype object_r log_tag_prop_27_0)
-(typeattribute mmc_prop_27_0)
-(roletype object_r mmc_prop_27_0)
-(typeattribute net_dns_prop_27_0)
-(roletype object_r net_dns_prop_27_0)
-(typeattribute net_radio_prop_27_0)
-(roletype object_r net_radio_prop_27_0)
-(typeattribute netd_stable_secret_prop_27_0)
-(roletype object_r netd_stable_secret_prop_27_0)
-(typeattribute nfc_prop_27_0)
-(roletype object_r nfc_prop_27_0)
-(typeattribute overlay_prop_27_0)
-(roletype object_r overlay_prop_27_0)
-(typeattribute pan_result_prop_27_0)
-(roletype object_r pan_result_prop_27_0)
-(typeattribute persist_debug_prop_27_0)
-(roletype object_r persist_debug_prop_27_0)
-(typeattribute persistent_properties_ready_prop_27_0)
-(roletype object_r persistent_properties_ready_prop_27_0)
-(typeattribute powerctl_prop_27_0)
-(roletype object_r powerctl_prop_27_0)
-(typeattribute radio_prop_27_0)
-(roletype object_r radio_prop_27_0)
-(typeattribute restorecon_prop_27_0)
-(roletype object_r restorecon_prop_27_0)
-(typeattribute safemode_prop_27_0)
-(roletype object_r safemode_prop_27_0)
-(typeattribute serialno_prop_27_0)
-(roletype object_r serialno_prop_27_0)
-(typeattribute shell_prop_27_0)
-(roletype object_r shell_prop_27_0)
-(typeattribute system_prop_27_0)
-(roletype object_r system_prop_27_0)
-(typeattribute system_radio_prop_27_0)
-(roletype object_r system_radio_prop_27_0)
-(typeattribute vold_prop_27_0)
-(roletype object_r vold_prop_27_0)
-(typeattribute wifi_log_prop_27_0)
-(roletype object_r wifi_log_prop_27_0)
-(typeattribute wifi_prop_27_0)
-(roletype object_r wifi_prop_27_0)
-(typeattribute racoon_27_0)
-(roletype object_r racoon_27_0)
-(typeattribute racoon_exec_27_0)
-(roletype object_r racoon_exec_27_0)
-(typeattribute radio_27_0)
-(roletype object_r radio_27_0)
-(typeattribute recovery_27_0)
-(roletype object_r recovery_27_0)
-(typeattribute recovery_persist_27_0)
-(roletype object_r recovery_persist_27_0)
-(typeattribute recovery_persist_exec_27_0)
-(roletype object_r recovery_persist_exec_27_0)
-(typeattribute recovery_refresh_27_0)
-(roletype object_r recovery_refresh_27_0)
-(typeattribute recovery_refresh_exec_27_0)
-(roletype object_r recovery_refresh_exec_27_0)
-(typeattribute rild_27_0)
-(roletype object_r rild_27_0)
-(typeattribute runas_27_0)
-(roletype object_r runas_27_0)
-(typeattribute runas_exec_27_0)
-(roletype object_r runas_exec_27_0)
-(typeattribute sdcardd_27_0)
-(roletype object_r sdcardd_27_0)
-(typeattribute sdcardd_exec_27_0)
-(roletype object_r sdcardd_exec_27_0)
-(typeattribute audioserver_service_27_0)
-(roletype object_r audioserver_service_27_0)
-(typeattribute batteryproperties_service_27_0)
-(roletype object_r batteryproperties_service_27_0)
-(typeattribute bluetooth_service_27_0)
-(roletype object_r bluetooth_service_27_0)
-(typeattribute cameraserver_service_27_0)
-(roletype object_r cameraserver_service_27_0)
-(typeattribute default_android_service_27_0)
-(roletype object_r default_android_service_27_0)
-(typeattribute drmserver_service_27_0)
-(roletype object_r drmserver_service_27_0)
-(typeattribute dumpstate_service_27_0)
-(roletype object_r dumpstate_service_27_0)
-(typeattribute fingerprintd_service_27_0)
-(roletype object_r fingerprintd_service_27_0)
-(typeattribute hal_fingerprint_service_27_0)
-(roletype object_r hal_fingerprint_service_27_0)
-(typeattribute gatekeeper_service_27_0)
-(roletype object_r gatekeeper_service_27_0)
-(typeattribute gpu_service_27_0)
-(roletype object_r gpu_service_27_0)
-(typeattribute inputflinger_service_27_0)
-(roletype object_r inputflinger_service_27_0)
-(typeattribute incident_service_27_0)
-(roletype object_r incident_service_27_0)
-(typeattribute installd_service_27_0)
-(roletype object_r installd_service_27_0)
-(typeattribute keystore_service_27_0)
-(roletype object_r keystore_service_27_0)
-(typeattribute mediaserver_service_27_0)
-(roletype object_r mediaserver_service_27_0)
-(typeattribute mediametrics_service_27_0)
-(roletype object_r mediametrics_service_27_0)
-(typeattribute mediaextractor_service_27_0)
-(roletype object_r mediaextractor_service_27_0)
-(typeattribute mediacodec_service_27_0)
-(roletype object_r mediacodec_service_27_0)
-(typeattribute mediadrmserver_service_27_0)
-(roletype object_r mediadrmserver_service_27_0)
-(typeattribute netd_service_27_0)
-(roletype object_r netd_service_27_0)
-(typeattribute nfc_service_27_0)
-(roletype object_r nfc_service_27_0)
-(typeattribute radio_service_27_0)
-(roletype object_r radio_service_27_0)
-(typeattribute storaged_service_27_0)
-(roletype object_r storaged_service_27_0)
-(typeattribute surfaceflinger_service_27_0)
-(roletype object_r surfaceflinger_service_27_0)
-(typeattribute system_app_service_27_0)
-(roletype object_r system_app_service_27_0)
-(typeattribute thermal_service_27_0)
-(roletype object_r thermal_service_27_0)
-(typeattribute update_engine_service_27_0)
-(roletype object_r update_engine_service_27_0)
-(typeattribute virtual_touchpad_service_27_0)
-(roletype object_r virtual_touchpad_service_27_0)
-(typeattribute vr_hwc_service_27_0)
-(roletype object_r vr_hwc_service_27_0)
-(typeattribute accessibility_service_27_0)
-(roletype object_r accessibility_service_27_0)
-(typeattribute account_service_27_0)
-(roletype object_r account_service_27_0)
-(typeattribute activity_service_27_0)
-(roletype object_r activity_service_27_0)
-(typeattribute alarm_service_27_0)
-(roletype object_r alarm_service_27_0)
-(typeattribute appops_service_27_0)
-(roletype object_r appops_service_27_0)
-(typeattribute appwidget_service_27_0)
-(roletype object_r appwidget_service_27_0)
-(typeattribute assetatlas_service_27_0)
-(roletype object_r assetatlas_service_27_0)
-(typeattribute audio_service_27_0)
-(roletype object_r audio_service_27_0)
-(typeattribute autofill_service_27_0)
-(roletype object_r autofill_service_27_0)
-(typeattribute backup_service_27_0)
-(roletype object_r backup_service_27_0)
-(typeattribute batterystats_service_27_0)
-(roletype object_r batterystats_service_27_0)
-(typeattribute battery_service_27_0)
-(roletype object_r battery_service_27_0)
-(typeattribute bluetooth_manager_service_27_0)
-(roletype object_r bluetooth_manager_service_27_0)
-(typeattribute broadcastradio_service_27_0)
-(roletype object_r broadcastradio_service_27_0)
-(typeattribute cameraproxy_service_27_0)
-(roletype object_r cameraproxy_service_27_0)
-(typeattribute clipboard_service_27_0)
-(roletype object_r clipboard_service_27_0)
-(typeattribute contexthub_service_27_0)
-(roletype object_r contexthub_service_27_0)
-(typeattribute IProxyService_service_27_0)
-(roletype object_r IProxyService_service_27_0)
-(typeattribute commontime_management_service_27_0)
-(roletype object_r commontime_management_service_27_0)
-(typeattribute companion_device_service_27_0)
-(roletype object_r companion_device_service_27_0)
-(typeattribute connectivity_service_27_0)
-(roletype object_r connectivity_service_27_0)
-(typeattribute connmetrics_service_27_0)
-(roletype object_r connmetrics_service_27_0)
-(typeattribute consumer_ir_service_27_0)
-(roletype object_r consumer_ir_service_27_0)
-(typeattribute content_service_27_0)
-(roletype object_r content_service_27_0)
-(typeattribute country_detector_service_27_0)
-(roletype object_r country_detector_service_27_0)
-(typeattribute coverage_service_27_0)
-(roletype object_r coverage_service_27_0)
-(typeattribute cpuinfo_service_27_0)
-(roletype object_r cpuinfo_service_27_0)
-(typeattribute dbinfo_service_27_0)
-(roletype object_r dbinfo_service_27_0)
-(typeattribute device_policy_service_27_0)
-(roletype object_r device_policy_service_27_0)
-(typeattribute deviceidle_service_27_0)
-(roletype object_r deviceidle_service_27_0)
-(typeattribute device_identifiers_service_27_0)
-(roletype object_r device_identifiers_service_27_0)
-(typeattribute devicestoragemonitor_service_27_0)
-(roletype object_r devicestoragemonitor_service_27_0)
-(typeattribute diskstats_service_27_0)
-(roletype object_r diskstats_service_27_0)
-(typeattribute display_service_27_0)
-(roletype object_r display_service_27_0)
-(typeattribute font_service_27_0)
-(roletype object_r font_service_27_0)
-(typeattribute netd_listener_service_27_0)
-(roletype object_r netd_listener_service_27_0)
-(typeattribute DockObserver_service_27_0)
-(roletype object_r DockObserver_service_27_0)
-(typeattribute dreams_service_27_0)
-(roletype object_r dreams_service_27_0)
-(typeattribute dropbox_service_27_0)
-(roletype object_r dropbox_service_27_0)
-(typeattribute ethernet_service_27_0)
-(roletype object_r ethernet_service_27_0)
-(typeattribute fingerprint_service_27_0)
-(roletype object_r fingerprint_service_27_0)
-(typeattribute gfxinfo_service_27_0)
-(roletype object_r gfxinfo_service_27_0)
-(typeattribute graphicsstats_service_27_0)
-(roletype object_r graphicsstats_service_27_0)
-(typeattribute hardware_service_27_0)
-(roletype object_r hardware_service_27_0)
-(typeattribute hardware_properties_service_27_0)
-(roletype object_r hardware_properties_service_27_0)
-(typeattribute hdmi_control_service_27_0)
-(roletype object_r hdmi_control_service_27_0)
-(typeattribute input_method_service_27_0)
-(roletype object_r input_method_service_27_0)
-(typeattribute input_service_27_0)
-(roletype object_r input_service_27_0)
-(typeattribute imms_service_27_0)
-(roletype object_r imms_service_27_0)
-(typeattribute ipsec_service_27_0)
-(roletype object_r ipsec_service_27_0)
-(typeattribute jobscheduler_service_27_0)
-(roletype object_r jobscheduler_service_27_0)
-(typeattribute launcherapps_service_27_0)
-(roletype object_r launcherapps_service_27_0)
-(typeattribute location_service_27_0)
-(roletype object_r location_service_27_0)
-(typeattribute lock_settings_service_27_0)
-(roletype object_r lock_settings_service_27_0)
-(typeattribute media_projection_service_27_0)
-(roletype object_r media_projection_service_27_0)
-(typeattribute media_router_service_27_0)
-(roletype object_r media_router_service_27_0)
-(typeattribute media_session_service_27_0)
-(roletype object_r media_session_service_27_0)
-(typeattribute meminfo_service_27_0)
-(roletype object_r meminfo_service_27_0)
-(typeattribute midi_service_27_0)
-(roletype object_r midi_service_27_0)
-(typeattribute mount_service_27_0)
-(roletype object_r mount_service_27_0)
-(typeattribute netpolicy_service_27_0)
-(roletype object_r netpolicy_service_27_0)
-(typeattribute netstats_service_27_0)
-(roletype object_r netstats_service_27_0)
-(typeattribute network_management_service_27_0)
-(roletype object_r network_management_service_27_0)
-(typeattribute network_score_service_27_0)
-(roletype object_r network_score_service_27_0)
-(typeattribute network_time_update_service_27_0)
-(roletype object_r network_time_update_service_27_0)
-(typeattribute notification_service_27_0)
-(roletype object_r notification_service_27_0)
-(typeattribute oem_lock_service_27_0)
-(roletype object_r oem_lock_service_27_0)
-(typeattribute otadexopt_service_27_0)
-(roletype object_r otadexopt_service_27_0)
-(typeattribute overlay_service_27_0)
-(roletype object_r overlay_service_27_0)
-(typeattribute package_service_27_0)
-(roletype object_r package_service_27_0)
-(typeattribute package_native_service_27_0)
-(roletype object_r package_native_service_27_0)
-(typeattribute permission_service_27_0)
-(roletype object_r permission_service_27_0)
-(typeattribute persistent_data_block_service_27_0)
-(roletype object_r persistent_data_block_service_27_0)
-(typeattribute pinner_service_27_0)
-(roletype object_r pinner_service_27_0)
-(typeattribute power_service_27_0)
-(roletype object_r power_service_27_0)
-(typeattribute print_service_27_0)
-(roletype object_r print_service_27_0)
-(typeattribute processinfo_service_27_0)
-(roletype object_r processinfo_service_27_0)
-(typeattribute procstats_service_27_0)
-(roletype object_r procstats_service_27_0)
-(typeattribute recovery_service_27_0)
-(roletype object_r recovery_service_27_0)
-(typeattribute registry_service_27_0)
-(roletype object_r registry_service_27_0)
-(typeattribute restrictions_service_27_0)
-(roletype object_r restrictions_service_27_0)
-(typeattribute rttmanager_service_27_0)
-(roletype object_r rttmanager_service_27_0)
-(typeattribute samplingprofiler_service_27_0)
-(roletype object_r samplingprofiler_service_27_0)
-(typeattribute scheduling_policy_service_27_0)
-(roletype object_r scheduling_policy_service_27_0)
-(typeattribute search_service_27_0)
-(roletype object_r search_service_27_0)
-(typeattribute sec_key_att_app_id_provider_service_27_0)
-(roletype object_r sec_key_att_app_id_provider_service_27_0)
-(typeattribute sensorservice_service_27_0)
-(roletype object_r sensorservice_service_27_0)
-(typeattribute serial_service_27_0)
-(roletype object_r serial_service_27_0)
-(typeattribute servicediscovery_service_27_0)
-(roletype object_r servicediscovery_service_27_0)
-(typeattribute settings_service_27_0)
-(roletype object_r settings_service_27_0)
-(typeattribute shortcut_service_27_0)
-(roletype object_r shortcut_service_27_0)
-(typeattribute statusbar_service_27_0)
-(roletype object_r statusbar_service_27_0)
-(typeattribute storagestats_service_27_0)
-(roletype object_r storagestats_service_27_0)
-(typeattribute task_service_27_0)
-(roletype object_r task_service_27_0)
-(typeattribute textclassification_service_27_0)
-(roletype object_r textclassification_service_27_0)
-(typeattribute textservices_service_27_0)
-(roletype object_r textservices_service_27_0)
-(typeattribute telecom_service_27_0)
-(roletype object_r telecom_service_27_0)
-(typeattribute timezone_service_27_0)
-(roletype object_r timezone_service_27_0)
-(typeattribute trust_service_27_0)
-(roletype object_r trust_service_27_0)
-(typeattribute tv_input_service_27_0)
-(roletype object_r tv_input_service_27_0)
-(typeattribute uimode_service_27_0)
-(roletype object_r uimode_service_27_0)
-(typeattribute updatelock_service_27_0)
-(roletype object_r updatelock_service_27_0)
-(typeattribute usagestats_service_27_0)
-(roletype object_r usagestats_service_27_0)
-(typeattribute usb_service_27_0)
-(roletype object_r usb_service_27_0)
-(typeattribute user_service_27_0)
-(roletype object_r user_service_27_0)
-(typeattribute vibrator_service_27_0)
-(roletype object_r vibrator_service_27_0)
-(typeattribute voiceinteraction_service_27_0)
-(roletype object_r voiceinteraction_service_27_0)
-(typeattribute vr_manager_service_27_0)
-(roletype object_r vr_manager_service_27_0)
-(typeattribute wallpaper_service_27_0)
-(roletype object_r wallpaper_service_27_0)
-(typeattribute webviewupdate_service_27_0)
-(roletype object_r webviewupdate_service_27_0)
-(typeattribute wifip2p_service_27_0)
-(roletype object_r wifip2p_service_27_0)
-(typeattribute wifiscanner_service_27_0)
-(roletype object_r wifiscanner_service_27_0)
-(typeattribute wifi_service_27_0)
-(roletype object_r wifi_service_27_0)
-(typeattribute wificond_service_27_0)
-(roletype object_r wificond_service_27_0)
-(typeattribute wifiaware_service_27_0)
-(roletype object_r wifiaware_service_27_0)
-(typeattribute window_service_27_0)
-(roletype object_r window_service_27_0)
-(typeattribute servicemanager_27_0)
-(roletype object_r servicemanager_27_0)
-(typeattribute servicemanager_exec_27_0)
-(roletype object_r servicemanager_exec_27_0)
-(typeattribute sgdisk_27_0)
-(roletype object_r sgdisk_27_0)
-(typeattribute sgdisk_exec_27_0)
-(roletype object_r sgdisk_exec_27_0)
-(typeattribute shared_relro_27_0)
-(roletype object_r shared_relro_27_0)
-(typeattribute shell_27_0)
-(roletype object_r shell_27_0)
-(typeattribute shell_exec_27_0)
-(roletype object_r shell_exec_27_0)
-(typeattribute slideshow_27_0)
-(roletype object_r slideshow_27_0)
-(typeattribute su_27_0)
-(roletype object_r su_27_0)
-(typeattribute su_exec_27_0)
-(roletype object_r su_exec_27_0)
-(typeattribute surfaceflinger_27_0)
-(roletype object_r surfaceflinger_27_0)
-(typeattribute system_app_27_0)
-(roletype object_r system_app_27_0)
-(typeattribute system_server_27_0)
-(roletype object_r system_server_27_0)
-(typeattribute tee_27_0)
-(roletype object_r tee_27_0)
-(typeattribute tee_device_27_0)
-(roletype object_r tee_device_27_0)
-(typeattribute thermalserviced_27_0)
-(roletype object_r thermalserviced_27_0)
-(typeattribute thermalserviced_exec_27_0)
-(roletype object_r thermalserviced_exec_27_0)
-(typeattribute tombstoned_27_0)
-(roletype object_r tombstoned_27_0)
-(typeattribute tombstoned_exec_27_0)
-(roletype object_r tombstoned_exec_27_0)
-(typeattribute toolbox_27_0)
-(roletype object_r toolbox_27_0)
-(typeattribute toolbox_exec_27_0)
-(roletype object_r toolbox_exec_27_0)
-(typeattribute tzdatacheck_27_0)
-(roletype object_r tzdatacheck_27_0)
-(typeattribute tzdatacheck_exec_27_0)
-(roletype object_r tzdatacheck_exec_27_0)
-(typeattribute ueventd_27_0)
-(roletype object_r ueventd_27_0)
-(typeattribute uncrypt_27_0)
-(roletype object_r uncrypt_27_0)
-(typeattribute uncrypt_exec_27_0)
-(roletype object_r uncrypt_exec_27_0)
-(typeattribute untrusted_app_27_0)
-(roletype object_r untrusted_app_27_0)
-(typeattribute untrusted_app_25_27_0)
-(roletype object_r untrusted_app_25_27_0)
-(typeattribute untrusted_v2_app_27_0)
-(roletype object_r untrusted_v2_app_27_0)
-(typeattribute update_engine_27_0)
-(roletype object_r update_engine_27_0)
-(typeattribute update_engine_exec_27_0)
-(roletype object_r update_engine_exec_27_0)
-(typeattribute update_verifier_27_0)
-(roletype object_r update_verifier_27_0)
-(typeattribute update_verifier_exec_27_0)
-(roletype object_r update_verifier_exec_27_0)
-(typeattribute vdc_27_0)
-(roletype object_r vdc_27_0)
-(typeattribute vdc_exec_27_0)
-(roletype object_r vdc_exec_27_0)
-(typeattribute vendor_shell_exec_27_0)
-(roletype object_r vendor_shell_exec_27_0)
-(typeattribute vendor_toolbox_exec_27_0)
-(roletype object_r vendor_toolbox_exec_27_0)
-(typeattribute virtual_touchpad_27_0)
-(roletype object_r virtual_touchpad_27_0)
-(typeattribute virtual_touchpad_exec_27_0)
-(roletype object_r virtual_touchpad_exec_27_0)
-(typeattribute default_android_vndservice_27_0)
-(roletype object_r default_android_vndservice_27_0)
-(typeattribute vndservicemanager_27_0)
-(roletype object_r vndservicemanager_27_0)
-(typeattribute vold_27_0)
-(roletype object_r vold_27_0)
-(typeattribute vold_exec_27_0)
-(roletype object_r vold_exec_27_0)
-(typeattribute vr_hwc_27_0)
-(roletype object_r vr_hwc_27_0)
-(typeattribute vr_hwc_exec_27_0)
-(roletype object_r vr_hwc_exec_27_0)
-(typeattribute watchdogd_27_0)
-(roletype object_r watchdogd_27_0)
-(typeattribute webview_zygote_27_0)
-(roletype object_r webview_zygote_27_0)
-(typeattribute webview_zygote_exec_27_0)
-(roletype object_r webview_zygote_exec_27_0)
-(typeattribute wificond_27_0)
-(roletype object_r wificond_27_0)
-(typeattribute wificond_exec_27_0)
-(roletype object_r wificond_exec_27_0)
-(typeattribute zygote_27_0)
-(roletype object_r zygote_27_0)
-(typeattribute zygote_exec_27_0)
-(roletype object_r zygote_exec_27_0)
-(type hostapd_socket)
-(roletype object_r hostapd_socket)
-(type hal_audio_default)
-(roletype object_r hal_audio_default)
-(type hal_audio_default_exec)
-(roletype object_r hal_audio_default_exec)
-(type hal_audio_default_tmpfs)
-(roletype object_r hal_audio_default_tmpfs)
-(type hal_bluetooth_default)
-(roletype object_r hal_bluetooth_default)
-(type hal_bluetooth_default_exec)
-(roletype object_r hal_bluetooth_default_exec)
-(type hal_bluetooth_default_tmpfs)
-(roletype object_r hal_bluetooth_default_tmpfs)
-(type hal_bootctl_default)
-(roletype object_r hal_bootctl_default)
-(type hal_bootctl_default_exec)
-(roletype object_r hal_bootctl_default_exec)
-(type hal_bootctl_default_tmpfs)
-(roletype object_r hal_bootctl_default_tmpfs)
-(type hal_broadcastradio_default)
-(roletype object_r hal_broadcastradio_default)
-(type hal_broadcastradio_default_exec)
-(roletype object_r hal_broadcastradio_default_exec)
-(type hal_broadcastradio_default_tmpfs)
-(roletype object_r hal_broadcastradio_default_tmpfs)
-(type hal_camera_default)
-(roletype object_r hal_camera_default)
-(type hal_camera_default_exec)
-(roletype object_r hal_camera_default_exec)
-(type hal_camera_default_tmpfs)
-(roletype object_r hal_camera_default_tmpfs)
-(type hal_cas_default)
-(roletype object_r hal_cas_default)
-(type hal_cas_default_exec)
-(roletype object_r hal_cas_default_exec)
-(type hal_cas_default_tmpfs)
-(roletype object_r hal_cas_default_tmpfs)
-(type hal_configstore_default)
-(roletype object_r hal_configstore_default)
-(type hal_configstore_default_exec)
-(roletype object_r hal_configstore_default_exec)
-(type hal_configstore_default_tmpfs)
-(roletype object_r hal_configstore_default_tmpfs)
-(type hal_contexthub_default)
-(roletype object_r hal_contexthub_default)
-(type hal_contexthub_default_exec)
-(roletype object_r hal_contexthub_default_exec)
-(type hal_contexthub_default_tmpfs)
-(roletype object_r hal_contexthub_default_tmpfs)
-(type hal_drm_default)
-(roletype object_r hal_drm_default)
-(type hal_drm_default_exec)
-(roletype object_r hal_drm_default_exec)
-(type hal_drm_default_tmpfs)
-(roletype object_r hal_drm_default_tmpfs)
-(type hal_dumpstate_default)
-(roletype object_r hal_dumpstate_default)
-(type hal_dumpstate_default_exec)
-(roletype object_r hal_dumpstate_default_exec)
-(type hal_dumpstate_default_tmpfs)
-(roletype object_r hal_dumpstate_default_tmpfs)
-(type hal_fingerprint_default)
-(roletype object_r hal_fingerprint_default)
-(type hal_fingerprint_default_exec)
-(roletype object_r hal_fingerprint_default_exec)
-(type hal_fingerprint_default_tmpfs)
-(roletype object_r hal_fingerprint_default_tmpfs)
-(type hal_gatekeeper_default)
-(roletype object_r hal_gatekeeper_default)
-(type hal_gatekeeper_default_exec)
-(roletype object_r hal_gatekeeper_default_exec)
-(type hal_gatekeeper_default_tmpfs)
-(roletype object_r hal_gatekeeper_default_tmpfs)
-(type hal_gnss_default)
-(roletype object_r hal_gnss_default)
-(type hal_gnss_default_exec)
-(roletype object_r hal_gnss_default_exec)
-(type hal_gnss_default_tmpfs)
-(roletype object_r hal_gnss_default_tmpfs)
-(type hal_graphics_allocator_default)
-(roletype object_r hal_graphics_allocator_default)
-(type hal_graphics_allocator_default_exec)
-(roletype object_r hal_graphics_allocator_default_exec)
-(type hal_graphics_allocator_default_tmpfs)
-(roletype object_r hal_graphics_allocator_default_tmpfs)
-(type hal_graphics_composer_default)
-(roletype object_r hal_graphics_composer_default)
-(type hal_graphics_composer_default_exec)
-(roletype object_r hal_graphics_composer_default_exec)
-(type hal_graphics_composer_default_tmpfs)
-(roletype object_r hal_graphics_composer_default_tmpfs)
-(type hal_health_default)
-(roletype object_r hal_health_default)
-(type hal_health_default_exec)
-(roletype object_r hal_health_default_exec)
-(type hal_health_default_tmpfs)
-(roletype object_r hal_health_default_tmpfs)
-(type hal_ir_default)
-(roletype object_r hal_ir_default)
-(type hal_ir_default_exec)
-(roletype object_r hal_ir_default_exec)
-(type hal_ir_default_tmpfs)
-(roletype object_r hal_ir_default_tmpfs)
-(type hal_keymaster_default)
-(roletype object_r hal_keymaster_default)
-(type hal_keymaster_default_exec)
-(roletype object_r hal_keymaster_default_exec)
-(type hal_keymaster_default_tmpfs)
-(roletype object_r hal_keymaster_default_tmpfs)
-(type hal_light_default)
-(roletype object_r hal_light_default)
-(type hal_light_default_exec)
-(roletype object_r hal_light_default_exec)
-(type hal_light_default_tmpfs)
-(roletype object_r hal_light_default_tmpfs)
-(type hal_memtrack_default)
-(roletype object_r hal_memtrack_default)
-(type hal_memtrack_default_exec)
-(roletype object_r hal_memtrack_default_exec)
-(type hal_memtrack_default_tmpfs)
-(roletype object_r hal_memtrack_default_tmpfs)
-(type hal_nfc_default)
-(roletype object_r hal_nfc_default)
-(type hal_nfc_default_exec)
-(roletype object_r hal_nfc_default_exec)
-(type hal_nfc_default_tmpfs)
-(roletype object_r hal_nfc_default_tmpfs)
-(type mediacodec_tmpfs)
-(roletype object_r mediacodec_tmpfs)
-(type hal_power_default)
-(roletype object_r hal_power_default)
-(type hal_power_default_exec)
-(roletype object_r hal_power_default_exec)
-(type hal_power_default_tmpfs)
-(roletype object_r hal_power_default_tmpfs)
-(type hal_sensors_default)
-(roletype object_r hal_sensors_default)
-(type hal_sensors_default_exec)
-(roletype object_r hal_sensors_default_exec)
-(type hal_sensors_default_tmpfs)
-(roletype object_r hal_sensors_default_tmpfs)
-(type hal_tetheroffload_default)
-(roletype object_r hal_tetheroffload_default)
-(type hal_tetheroffload_default_exec)
-(roletype object_r hal_tetheroffload_default_exec)
-(type hal_tetheroffload_default_tmpfs)
-(roletype object_r hal_tetheroffload_default_tmpfs)
-(type hal_thermal_default)
-(roletype object_r hal_thermal_default)
-(type hal_thermal_default_exec)
-(roletype object_r hal_thermal_default_exec)
-(type hal_thermal_default_tmpfs)
-(roletype object_r hal_thermal_default_tmpfs)
-(type hal_tv_cec_default)
-(roletype object_r hal_tv_cec_default)
-(type hal_tv_cec_default_exec)
-(roletype object_r hal_tv_cec_default_exec)
-(type hal_tv_cec_default_tmpfs)
-(roletype object_r hal_tv_cec_default_tmpfs)
-(type hal_tv_input_default)
-(roletype object_r hal_tv_input_default)
-(type hal_tv_input_default_exec)
-(roletype object_r hal_tv_input_default_exec)
-(type hal_tv_input_default_tmpfs)
-(roletype object_r hal_tv_input_default_tmpfs)
-(type hal_usb_default)
-(roletype object_r hal_usb_default)
-(type hal_usb_default_exec)
-(roletype object_r hal_usb_default_exec)
-(type hal_usb_default_tmpfs)
-(roletype object_r hal_usb_default_tmpfs)
-(type hal_vibrator_default)
-(roletype object_r hal_vibrator_default)
-(type hal_vibrator_default_exec)
-(roletype object_r hal_vibrator_default_exec)
-(type hal_vibrator_default_tmpfs)
-(roletype object_r hal_vibrator_default_tmpfs)
-(type hal_vr_default)
-(roletype object_r hal_vr_default)
-(type hal_vr_default_exec)
-(roletype object_r hal_vr_default_exec)
-(type hal_vr_default_tmpfs)
-(roletype object_r hal_vr_default_tmpfs)
-(type hal_wifi_default)
-(roletype object_r hal_wifi_default)
-(type hal_wifi_default_exec)
-(roletype object_r hal_wifi_default_exec)
-(type hal_wifi_default_tmpfs)
-(roletype object_r hal_wifi_default_tmpfs)
-(type hal_wifi_offload_default)
-(roletype object_r hal_wifi_offload_default)
-(type hal_wifi_offload_default_exec)
-(roletype object_r hal_wifi_offload_default_exec)
-(type hal_wifi_offload_default_tmpfs)
-(roletype object_r hal_wifi_offload_default_tmpfs)
-(type hal_wifi_supplicant_default)
-(roletype object_r hal_wifi_supplicant_default)
-(type hal_wifi_supplicant_default_exec)
-(roletype object_r hal_wifi_supplicant_default_exec)
-(type hal_wifi_supplicant_default_tmpfs)
-(roletype object_r hal_wifi_supplicant_default_tmpfs)
-(type hostapd)
-(roletype object_r hostapd)
-(type hostapd_exec)
-(roletype object_r hostapd_exec)
-(type hostapd_tmpfs)
-(roletype object_r hostapd_tmpfs)
-(type rild_exec)
-(roletype object_r rild_exec)
-(type rild_tmpfs)
-(roletype object_r rild_tmpfs)
-(type tee_exec)
-(roletype object_r tee_exec)
-(type tee_tmpfs)
-(roletype object_r tee_tmpfs)
-(type vendor_modprobe)
-(roletype object_r vendor_modprobe)
-(type vndservicemanager_exec)
-(roletype object_r vndservicemanager_exec)
-(type vndservicemanager_tmpfs)
-(roletype object_r vndservicemanager_tmpfs)
-(type qemu_device)
-(roletype object_r qemu_device)
-(type sysfs_writable)
-(roletype object_r sysfs_writable)
-(type goldfish_setup)
-(roletype object_r goldfish_setup)
-(type goldfish_setup_exec)
-(roletype object_r goldfish_setup_exec)
-(type goldfish_setup_tmpfs)
-(roletype object_r goldfish_setup_tmpfs)
-(type hal_drm_widevine)
-(roletype object_r hal_drm_widevine)
-(type hal_drm_widevine_exec)
-(roletype object_r hal_drm_widevine_exec)
-(type hal_drm_widevine_tmpfs)
-(roletype object_r hal_drm_widevine_tmpfs)
-(type qemu_prop)
-(roletype object_r qemu_prop)
-(type qemu_cmdline)
-(roletype object_r qemu_cmdline)
-(type radio_noril_prop)
-(roletype object_r radio_noril_prop)
-(type opengles_prop)
-(roletype object_r opengles_prop)
-(type qemu_props)
-(roletype object_r qemu_props)
-(type qemu_props_exec)
-(roletype object_r qemu_props_exec)
-(type qemu_props_tmpfs)
-(roletype object_r qemu_props_tmpfs)
-(allow bootanim_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 bootanim_27_0 (dir (search)))
-(allow servicemanager_27_0 bootanim_27_0 (file (read open)))
-(allow servicemanager_27_0 bootanim_27_0 (process (getattr)))
-(allow bootanim_27_0 surfaceflinger_27_0 (binder (call transfer)))
-(allow surfaceflinger_27_0 bootanim_27_0 (binder (transfer)))
-(allow bootanim_27_0 surfaceflinger_27_0 (fd (use)))
-(allow bootanim_27_0 audioserver_27_0 (binder (call transfer)))
-(allow audioserver_27_0 bootanim_27_0 (binder (transfer)))
-(allow bootanim_27_0 audioserver_27_0 (fd (use)))
-(allow bootanim_27_0 hwservicemanager_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 bootanim_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 bootanim_27_0 (dir (search)))
-(allow hwservicemanager_27_0 bootanim_27_0 (file (read open)))
-(allow hwservicemanager_27_0 bootanim_27_0 (process (getattr)))
-(allow bootanim_27_0 gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow bootanim_27_0 oemfs_27_0 (dir (search)))
-(allow bootanim_27_0 oemfs_27_0 (file (ioctl read getattr lock map open)))
-(allow bootanim_27_0 audio_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow bootanim_27_0 audio_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow bootanim_27_0 audioserver_service_27_0 (service_manager (find)))
-(allow bootanim_27_0 surfaceflinger_service_27_0 (service_manager (find)))
-(allow bootanim_27_0 ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow bootanim_27_0 hal_graphics_allocator (fd (use)))
-(allow bootanim_27_0 hal_graphics_composer (fd (use)))
-(allow bootanim_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow bootanim_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow bootanim_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow bootanim_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
-(allow bootanim_27_0 sysfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow bootanim_27_0 sysfs_27_0 (file (ioctl read getattr lock map open)))
-(allow bootanim_27_0 sysfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow bootanim_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow bootanim_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow bootanim_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow bootanim_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow bootstat_27_0 runtime_event_log_tags_file_27_0 (file (ioctl read getattr lock map open)))
-(allow bootstat_27_0 bootstat_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow bootstat_27_0 bootstat_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow bootstat_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow bootstat_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow bootstat_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow bootstat_27_0 boottime_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow init_27_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (create bind)))
-(allow bufferhubd_27_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (read write getattr setattr lock append listen accept getopt setopt shutdown)))
-(allow bufferhubd_27_0 self (process (setsockcreate)))
-(allow bufferhubd_27_0 pdx_bufferhub_client_channel_socket_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
-(neverallow base_typeattr_1_27_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (listen accept)))
-(allow bufferhubd_27_0 pdx_performance_client_endpoint_dir_type (dir (ioctl read getattr lock search open)))
-(allow bufferhubd_27_0 pdx_performance_client_endpoint_socket_type (sock_file (ioctl read write getattr lock append map open)))
-(allow bufferhubd_27_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
-(allow bufferhubd_27_0 pdx_performance_client_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
-(allow bufferhubd_27_0 pdx_performance_client_server_type (fd (use)))
-(allow pdx_performance_client_server_type bufferhubd_27_0 (fd (use)))
-(allow bufferhubd_27_0 gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow bufferhubd_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow bufferhubd_27_0 mediacodec_27_0 (fd (use)))
-(allow cameraserver_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 cameraserver_27_0 (dir (search)))
-(allow servicemanager_27_0 cameraserver_27_0 (file (read open)))
-(allow servicemanager_27_0 cameraserver_27_0 (process (getattr)))
-(allow cameraserver_27_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain cameraserver_27_0 (binder (transfer)))
-(allow cameraserver_27_0 binderservicedomain (fd (use)))
-(allow cameraserver_27_0 appdomain (binder (call transfer)))
-(allow appdomain cameraserver_27_0 (binder (transfer)))
-(allow cameraserver_27_0 appdomain (fd (use)))
-(allow cameraserver_27_0 ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow cameraserver_27_0 hal_graphics_composer (fd (use)))
-(allow cameraserver_27_0 cameraserver_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_2_27_0 cameraserver_service_27_0 (service_manager (add)))
-(allow cameraserver_27_0 appops_service_27_0 (service_manager (find)))
-(allow cameraserver_27_0 audioserver_service_27_0 (service_manager (find)))
-(allow cameraserver_27_0 batterystats_service_27_0 (service_manager (find)))
-(allow cameraserver_27_0 cameraproxy_service_27_0 (service_manager (find)))
-(allow cameraserver_27_0 mediaserver_service_27_0 (service_manager (find)))
-(allow cameraserver_27_0 processinfo_service_27_0 (service_manager (find)))
-(allow cameraserver_27_0 scheduling_policy_service_27_0 (service_manager (find)))
-(allow cameraserver_27_0 surfaceflinger_service_27_0 (service_manager (find)))
-(allow cameraserver_27_0 hidl_token_hwservice_27_0 (hwservice_manager (find)))
-(neverallow cameraserver_27_0 fs_type (file (execute_no_trans)))
-(neverallow cameraserver_27_0 file_type (file (execute_no_trans)))
-(neverallow cameraserver_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow cameraserver_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow cameraserver_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow charger_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow charger_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow charger_27_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow charger_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow charger_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow charger_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
-(allow charger_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow charger_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow charger_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow charger_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow charger_27_0 self (capability (sys_tty_config)))
-(allow charger_27_0 self (capability (sys_boot)))
-(allow charger_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow charger_27_0 self (capability2 (block_suspend)))
-(allow charger_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow charger_27_0 sysfs_27_0 (file (write)))
-(allow charger_27_0 sysfs_batteryinfo_27_0 (file (ioctl read getattr lock map open)))
-(allow charger_27_0 pstorefs_27_0 (dir (ioctl read getattr lock search open)))
-(allow charger_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
-(allow charger_27_0 graphics_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow charger_27_0 graphics_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow charger_27_0 input_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow charger_27_0 input_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow charger_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow charger_27_0 proc_sysrq_27_0 (file (ioctl read write getattr lock append map open)))
-(allow charger_27_0 property_socket_27_0 (sock_file (write)))
-(allow charger_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow charger_27_0 system_prop_27_0 (property_service (set)))
-(allow charger_27_0 system_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow clatd_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow clatd_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow clatd_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow clatd_27_0 netd_27_0 (fd (use)))
-(allow clatd_27_0 netd_27_0 (fifo_file (read write)))
-(allow clatd_27_0 netd_27_0 (netlink_kobject_uevent_socket (read write)))
-(allow clatd_27_0 netd_27_0 (netlink_nflog_socket (read write)))
-(allow clatd_27_0 netd_27_0 (netlink_route_socket (read write)))
-(allow clatd_27_0 netd_27_0 (udp_socket (read write)))
-(allow clatd_27_0 netd_27_0 (unix_stream_socket (read write)))
-(allow clatd_27_0 netd_27_0 (unix_dgram_socket (read write)))
-(allow clatd_27_0 self (capability (setgid setuid net_admin net_raw)))
-(allow clatd_27_0 self (capability (ipc_lock)))
-(allow clatd_27_0 self (netlink_route_socket (nlmsg_write)))
-(allow clatd_27_0 self (rawip_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow clatd_27_0 self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow clatd_27_0 self (tun_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow clatd_27_0 tun_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow cppreopts_27_0 dalvikcache_data_file_27_0 (dir (write add_name remove_name search)))
-(allow cppreopts_27_0 dalvikcache_data_file_27_0 (file (read write create getattr rename open)))
-(allow cppreopts_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow cppreopts_27_0 system_file_27_0 (dir (read open)))
-(allow cppreopts_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow crash_dump_27_0 base_typeattr_3_27_0 (process (sigchld sigkill sigstop signal ptrace)))
-(dontaudit crash_dump_27_0 self (capability (sys_ptrace)))
-(allow crash_dump_27_0 logd_27_0 (process (sigchld sigkill sigstop signal ptrace)))
-(allow crash_dump_27_0 kmsg_debug_device_27_0 (chr_file (append open)))
-(allow crash_dump_27_0 domain (fd (use)))
-(allow crash_dump_27_0 domain (fifo_file (write append)))
-(allow crash_dump_27_0 domain (dir (ioctl read getattr lock search open)))
-(allow crash_dump_27_0 domain (file (ioctl read getattr lock map open)))
-(allow crash_dump_27_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow crash_dump_27_0 exec_type (file (ioctl read getattr lock map open)))
-(allow crash_dump_27_0 dalvikcache_data_file_27_0 (dir (getattr search)))
-(allow crash_dump_27_0 dalvikcache_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow crash_dump_27_0 apk_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow crash_dump_27_0 apk_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow crash_dump_27_0 apk_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow crash_dump_27_0 vendor_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow crash_dump_27_0 same_process_hal_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow crash_dump_27_0 vendor_file_27_0 (file (ioctl read getattr lock map open)))
-(allow crash_dump_27_0 vendor_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow crash_dump_27_0 same_process_hal_file_27_0 (file (ioctl read getattr lock map open)))
-(allow crash_dump_27_0 same_process_hal_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow crash_dump_27_0 tombstoned_crash_socket_27_0 (sock_file (write)))
-(allow crash_dump_27_0 tombstoned_27_0 (unix_stream_socket (connectto)))
-(allow crash_dump_27_0 system_ndebug_socket_27_0 (sock_file (write)))
-(allow crash_dump_27_0 system_server_27_0 (unix_stream_socket (connectto)))
-(allow crash_dump_27_0 anr_data_file_27_0 (file (getattr append)))
-(allow crash_dump_27_0 tombstone_data_file_27_0 (file (getattr append)))
-(allow crash_dump_27_0 logcat_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow crash_dump_27_0 logdr_socket_27_0 (sock_file (write)))
-(allow crash_dump_27_0 logd_27_0 (unix_stream_socket (connectto)))
-(neverallow domain crash_dump_exec_27_0 (file (execute_no_trans)))
-(allow dex2oat_27_0 apk_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow dex2oat_27_0 apk_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dex2oat_27_0 apk_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dex2oat_27_0 vendor_app_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow dex2oat_27_0 vendor_app_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dex2oat_27_0 vendor_app_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dex2oat_27_0 vendor_framework_file_27_0 (dir (getattr search)))
-(allow dex2oat_27_0 vendor_framework_file_27_0 (file (read getattr open)))
-(allow dex2oat_27_0 tmpfs_27_0 (file (read getattr)))
-(allow dex2oat_27_0 dalvikcache_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow dex2oat_27_0 dalvikcache_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dex2oat_27_0 dalvikcache_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dex2oat_27_0 dalvikcache_data_file_27_0 (file (write)))
-(allow dex2oat_27_0 dalvikcache_data_file_27_0 (lnk_file (read)))
-(allow dex2oat_27_0 installd_27_0 (fd (use)))
-(allow dex2oat_27_0 system_file_27_0 (file (lock)))
-(allow dex2oat_27_0 asec_apk_file_27_0 (file (read)))
-(allow dex2oat_27_0 unlabeled_27_0 (file (read)))
-(allow dex2oat_27_0 oemfs_27_0 (file (read)))
-(allow dex2oat_27_0 apk_tmp_file_27_0 (dir (search)))
-(allow dex2oat_27_0 apk_tmp_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dex2oat_27_0 user_profile_data_file_27_0 (file (read getattr lock)))
-(allow dex2oat_27_0 app_data_file_27_0 (file (read write getattr lock)))
-(allow dex2oat_27_0 postinstall_dexopt_27_0 (fd (use)))
-(allow dex2oat_27_0 postinstall_file_27_0 (dir (getattr search)))
-(allow dex2oat_27_0 postinstall_file_27_0 (filesystem (getattr)))
-(allow dex2oat_27_0 postinstall_file_27_0 (lnk_file (read)))
-(allow dex2oat_27_0 ota_data_file_27_0 (dir (ioctl read write getattr lock add_name search open)))
-(allow dex2oat_27_0 ota_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dex2oat_27_0 ota_data_file_27_0 (lnk_file (read create)))
-(allow dex2oat_27_0 ota_data_file_27_0 (file (write create setattr lock append map open)))
-(neverallow dex2oat_27_0 app_data_file_27_0 (file (open)))
-(neverallow dex2oat_27_0 app_data_file_27_0 (lnk_file (open)))
-(neverallow dex2oat_27_0 app_data_file_27_0 (sock_file (open)))
-(neverallow dex2oat_27_0 app_data_file_27_0 (fifo_file (open)))
-(allow dhcp_27_0 cgroup_27_0 (dir (write create add_name)))
-(allow dhcp_27_0 self (capability (setgid setuid net_bind_service net_admin net_raw)))
-(allow dhcp_27_0 self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow dhcp_27_0 self (netlink_route_socket (nlmsg_write)))
-(allow dhcp_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dhcp_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dhcp_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dhcp_27_0 proc_net_27_0 (file (write)))
-(allow dhcp_27_0 property_socket_27_0 (sock_file (write)))
-(allow dhcp_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow dhcp_27_0 dhcp_prop_27_0 (property_service (set)))
-(allow dhcp_27_0 dhcp_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow dhcp_27_0 property_socket_27_0 (sock_file (write)))
-(allow dhcp_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow dhcp_27_0 pan_result_prop_27_0 (property_service (set)))
-(allow dhcp_27_0 pan_result_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow dhcp_27_0 dhcp_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow dhcp_27_0 dhcp_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow dhcp_27_0 netd_27_0 (fd (use)))
-(allow dhcp_27_0 netd_27_0 (fifo_file (ioctl read write getattr lock append map open)))
-(allow dhcp_27_0 netd_27_0 (udp_socket (read write)))
-(allow dhcp_27_0 netd_27_0 (unix_stream_socket (read write)))
-(allow dhcp_27_0 netd_27_0 (unix_dgram_socket (read write)))
-(allow dhcp_27_0 netd_27_0 (netlink_route_socket (read write)))
-(allow dhcp_27_0 netd_27_0 (netlink_nflog_socket (read write)))
-(allow dhcp_27_0 netd_27_0 (netlink_kobject_uevent_socket (read write)))
-(allow display_service_server fwk_display_hwservice_27_0 (hwservice_manager (add find)))
-(allow display_service_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_4_27_0 fwk_display_hwservice_27_0 (hwservice_manager (add)))
-(allowx dnsmasq_27_0 self (ioctl udp_socket (0x6900 0x6902)))
-(allowx dnsmasq_27_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx dnsmasq_27_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow dnsmasq_27_0 self (capability (dac_override)))
-(allow dnsmasq_27_0 self (capability (setgid setuid net_bind_service net_admin net_raw)))
-(allow dnsmasq_27_0 dhcp_data_file_27_0 (dir (write lock add_name remove_name search open)))
-(allow dnsmasq_27_0 dhcp_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow dnsmasq_27_0 netd_27_0 (fd (use)))
-(allow dnsmasq_27_0 netd_27_0 (fifo_file (read write)))
-(allow dnsmasq_27_0 netd_27_0 (netlink_kobject_uevent_socket (read write)))
-(allow dnsmasq_27_0 netd_27_0 (netlink_nflog_socket (read write)))
-(allow dnsmasq_27_0 netd_27_0 (netlink_route_socket (read write)))
-(allow dnsmasq_27_0 netd_27_0 (unix_stream_socket (read write)))
-(allow dnsmasq_27_0 netd_27_0 (unix_dgram_socket (read write)))
-(allow dnsmasq_27_0 netd_27_0 (udp_socket (read write)))
-(allow domain init_27_0 (process (sigchld)))
-(allow domain self (process (fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit)))
-(allow domain self (fd (use)))
-(allow domain proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow domain proc_net_27_0 (dir (search)))
-(allow domain self (dir (ioctl read getattr lock search open)))
-(allow domain self (file (ioctl read getattr lock map open)))
-(allow domain self (lnk_file (ioctl read getattr lock map open)))
-(allow domain self (file (ioctl read write getattr lock append map open)))
-(allow domain self (fifo_file (ioctl read write getattr lock append map open)))
-(allow domain self (unix_dgram_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown sendto)))
-(allow domain self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
-(allow domain init_27_0 (fd (use)))
-(allow domain su_27_0 (unix_stream_socket (connectto)))
-(allow domain su_27_0 (fd (use)))
-(allow domain su_27_0 (unix_stream_socket (read write getattr getopt shutdown)))
-(allow base_typeattr_5_27_0 su_27_0 (binder (call transfer)))
-(allow base_typeattr_5_27_0 su_27_0 (fd (use)))
-(allow domain su_27_0 (fifo_file (write getattr)))
-(allow domain su_27_0 (process (sigchld)))
-(allow domain coredump_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow domain coredump_file_27_0 (dir (ioctl read write getattr lock add_name search open)))
-(allow domain rootfs_27_0 (dir (search)))
-(allow domain rootfs_27_0 (lnk_file (read getattr)))
-(allow domain device_27_0 (dir (search)))
-(allow domain dev_type (lnk_file (ioctl read getattr lock map open)))
-(allow domain devpts_27_0 (dir (search)))
-(allow domain socket_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow domain owntty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain null_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain zero_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain ashmem_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow base_typeattr_6_27_0 binder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow base_typeattr_7_27_0 hwbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain ptmx_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain alarm_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow domain random_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain properties_device_27_0 (dir (getattr search)))
-(allow domain properties_serial_27_0 (file (ioctl read getattr lock map open)))
-(allow domain core_property_type (file (ioctl read getattr lock map open)))
-(allow domain log_property_type (file (ioctl read getattr lock map open)))
-(dontaudit domain property_type (file (audit_access)))
-(allow domain property_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow domain init_27_0 (key (search)))
-(allow domain vold_27_0 (key (search)))
-(allow domain logdw_socket_27_0 (sock_file (write)))
-(allow domain logd_27_0 (unix_dgram_socket (sendto)))
-(allow domain pmsg_device_27_0 (chr_file (write lock append map open)))
-(allow domain system_file_27_0 (dir (getattr search)))
-(allow domain system_file_27_0 (file (read getattr map execute open)))
-(allow domain system_file_27_0 (lnk_file (read getattr)))
-(allow domain vendor_hal_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow domain same_process_hal_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow domain same_process_hal_file_27_0 (file (read getattr map execute open)))
-(allow domain vndk_sp_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow domain vndk_sp_file_27_0 (file (read getattr map execute open)))
-(allow domain vendor_configs_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow domain vendor_configs_file_27_0 (file (read getattr open)))
-(allow domain vendor_file_27_0 (lnk_file (read getattr open)))
-(allow domain vendor_file_27_0 (dir (getattr search)))
-(allow base_typeattr_8_27_0 vendor_file_type (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_8_27_0 vendor_file_type (file (read getattr map execute open)))
-(allow base_typeattr_8_27_0 vendor_file_type (lnk_file (read getattr)))
-(allow domain sysfs_27_0 (lnk_file (read getattr)))
-(allow domain zoneinfo_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow domain zoneinfo_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow domain zoneinfo_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow domain sysfs_devices_system_cpu_27_0 (dir (ioctl read getattr lock search open)))
-(allow domain sysfs_devices_system_cpu_27_0 (file (ioctl read getattr lock map open)))
-(allow domain sysfs_devices_system_cpu_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow domain sysfs_usb_27_0 (dir (ioctl read getattr lock search open)))
-(allow domain sysfs_usb_27_0 (file (ioctl read getattr lock map open)))
-(allow domain sysfs_usb_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow appdomain system_data_file_27_0 (dir (getattr)))
-(allow coredomain system_data_file_27_0 (dir (getattr)))
-(allow domain system_data_file_27_0 (dir (search)))
-(allow domain proc_27_0 (lnk_file (read getattr)))
-(allow domain proc_cpuinfo_27_0 (file (ioctl read getattr lock map open)))
-(allow domain proc_overcommit_memory_27_0 (file (ioctl read getattr lock map open)))
-(allow domain proc_perf_27_0 (file (ioctl read getattr lock map open)))
-(allow domain selinuxfs_27_0 (dir (search)))
-(allow domain selinuxfs_27_0 (file (getattr)))
-(allow domain sysfs_27_0 (dir (search)))
-(allow domain selinuxfs_27_0 (filesystem (getattr)))
-(allow domain cgroup_27_0 (dir (write search)))
-(allow domain cgroup_27_0 (file (write lock append map open)))
-(allow domain debugfs_27_0 (dir (search)))
-(allow domain debugfs_tracing_27_0 (dir (search)))
-(allow domain debugfs_trace_marker_27_0 (file (write lock append map open)))
-(allow domain fs_type (filesystem (getattr)))
-(allow domain fs_type (dir (getattr)))
-(allowx domain domain (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx domain domain (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx domain domain (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx domain domain (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx domain domain (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx domain domain (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx domain domain (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx domain domain (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx domain domain (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx domain domain (ioctl unix_stream_socket (0x5401 0x5411 ((range 0x5413 0x5414)) 0x541b 0x5451)))
-(allowx domain domain (ioctl unix_dgram_socket (0x5401 0x5411 ((range 0x5413 0x5414)) 0x541b 0x5451)))
-(allowx domain devpts_27_0 (ioctl chr_file (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allow base_typeattr_9_27_0 hwservice_manager_type (hwservice_manager (add find)))
-(allow base_typeattr_9_27_0 vndservice_manager_type (service_manager (add find)))
-(neverallowx domain domain (ioctl socket (0x0)))
-(neverallowx domain domain (ioctl tcp_socket (0x0)))
-(neverallowx domain domain (ioctl udp_socket (0x0)))
-(neverallowx domain domain (ioctl rawip_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_socket (0x0)))
-(neverallowx domain domain (ioctl packet_socket (0x0)))
-(neverallowx domain domain (ioctl key_socket (0x0)))
-(neverallowx domain domain (ioctl unix_stream_socket (0x0)))
-(neverallowx domain domain (ioctl unix_dgram_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_route_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_tcpdiag_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_nflog_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_xfrm_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_selinux_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_audit_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_dnrt_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_kobject_uevent_socket (0x0)))
-(neverallowx domain domain (ioctl appletalk_socket (0x0)))
-(neverallowx domain domain (ioctl tun_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_iscsi_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_fib_lookup_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_connector_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_netfilter_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_generic_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_scsitransport_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_rdma_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_crypto_socket (0x0)))
-(neverallowx domain domain (ioctl sctp_socket (0x0)))
-(neverallowx domain domain (ioctl icmp_socket (0x0)))
-(neverallowx domain domain (ioctl ax25_socket (0x0)))
-(neverallowx domain domain (ioctl ipx_socket (0x0)))
-(neverallowx domain domain (ioctl netrom_socket (0x0)))
-(neverallowx domain domain (ioctl atmpvc_socket (0x0)))
-(neverallowx domain domain (ioctl x25_socket (0x0)))
-(neverallowx domain domain (ioctl rose_socket (0x0)))
-(neverallowx domain domain (ioctl decnet_socket (0x0)))
-(neverallowx domain domain (ioctl atmsvc_socket (0x0)))
-(neverallowx domain domain (ioctl rds_socket (0x0)))
-(neverallowx domain domain (ioctl irda_socket (0x0)))
-(neverallowx domain domain (ioctl pppox_socket (0x0)))
-(neverallowx domain domain (ioctl llc_socket (0x0)))
-(neverallowx domain domain (ioctl can_socket (0x0)))
-(neverallowx domain domain (ioctl tipc_socket (0x0)))
-(neverallowx domain domain (ioctl bluetooth_socket (0x0)))
-(neverallowx domain domain (ioctl iucv_socket (0x0)))
-(neverallowx domain domain (ioctl rxrpc_socket (0x0)))
-(neverallowx domain domain (ioctl isdn_socket (0x0)))
-(neverallowx domain domain (ioctl phonet_socket (0x0)))
-(neverallowx domain domain (ioctl ieee802154_socket (0x0)))
-(neverallowx domain domain (ioctl caif_socket (0x0)))
-(neverallowx domain domain (ioctl alg_socket (0x0)))
-(neverallowx domain domain (ioctl nfc_socket (0x0)))
-(neverallowx domain domain (ioctl vsock_socket (0x0)))
-(neverallowx domain domain (ioctl kcm_socket (0x0)))
-(neverallowx domain domain (ioctl qipcrtr_socket (0x0)))
-(neverallowx domain domain (ioctl smc_socket (0x0)))
-(neverallowx base_typeattr_10_27_0 devpts_27_0 (ioctl chr_file (0x5412)))
-(neverallow base_typeattr_11_27_0 unlabeled_27_0 (file (create)))
-(neverallow base_typeattr_11_27_0 unlabeled_27_0 (dir (create)))
-(neverallow base_typeattr_11_27_0 unlabeled_27_0 (lnk_file (create)))
-(neverallow base_typeattr_11_27_0 unlabeled_27_0 (chr_file (create)))
-(neverallow base_typeattr_11_27_0 unlabeled_27_0 (blk_file (create)))
-(neverallow base_typeattr_11_27_0 unlabeled_27_0 (sock_file (create)))
-(neverallow base_typeattr_11_27_0 unlabeled_27_0 (fifo_file (create)))
-(neverallow base_typeattr_12_27_0 self (capability (mknod)))
-(neverallow base_typeattr_13_27_0 self (capability (sys_rawio)))
-(neverallow base_typeattr_10_27_0 self (memprotect (mmap_zero)))
-(neverallow base_typeattr_10_27_0 self (capability2 (mac_override)))
-(neverallow base_typeattr_14_27_0 self (capability2 (mac_admin)))
-(neverallow base_typeattr_10_27_0 kernel_27_0 (security (load_policy)))
-(neverallow base_typeattr_10_27_0 kernel_27_0 (security (setenforce)))
-(neverallow base_typeattr_15_27_0 kernel_27_0 (security (setcheckreqprot)))
-(neverallow base_typeattr_10_27_0 kernel_27_0 (security (setbool)))
-(neverallow base_typeattr_5_27_0 kernel_27_0 (security (setsecparam)))
-(neverallow base_typeattr_16_27_0 hw_random_device_27_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_10_27_0 base_typeattr_17_27_0 (file (entrypoint)))
-(neverallow base_typeattr_18_27_0 kmem_device_27_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_10_27_0 kmem_device_27_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_18_27_0 port_device_27_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_10_27_0 port_device_27_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_5_27_0 usermodehelper_27_0 (file (write append)))
-(neverallow base_typeattr_19_27_0 sysfs_usermodehelper_27_0 (file (write append)))
-(neverallow base_typeattr_5_27_0 proc_security_27_0 (file (read write append open)))
-(neverallow base_typeattr_10_27_0 init_27_0 (process (ptrace)))
-(neverallow base_typeattr_10_27_0 init_27_0 (binder (impersonate call set_context_mgr transfer)))
-(neverallow base_typeattr_20_27_0 block_device_27_0 (blk_file (read write open)))
-(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (chr_file (rename)))
-(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (blk_file (rename)))
-(neverallow domain device_27_0 (chr_file (read write open)))
-(neverallow base_typeattr_21_27_0 base_typeattr_22_27_0 (filesystem (mount remount relabelfrom relabelto)))
-(neverallow base_typeattr_23_27_0 base_typeattr_24_27_0 (file (execute)))
-(neverallow base_typeattr_25_27_0 base_typeattr_26_27_0 (file (execute)))
-(neverallow domain cache_file_27_0 (file (execute)))
-(neverallow domain cache_backup_file_27_0 (file (execute)))
-(neverallow domain cache_private_backup_file_27_0 (file (execute)))
-(neverallow domain cache_recovery_file_27_0 (file (execute)))
-(neverallow base_typeattr_27_27_0 base_typeattr_28_27_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_29_27_0 nativetest_data_file_27_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_5_27_0 property_data_file_27_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(neverallow base_typeattr_5_27_0 property_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow base_typeattr_5_27_0 property_type (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow base_typeattr_5_27_0 properties_device_27_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow base_typeattr_5_27_0 properties_serial_27_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow base_typeattr_14_27_0 exec_type (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 exec_type (dir (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 exec_type (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 exec_type (chr_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 exec_type (blk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 exec_type (sock_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 exec_type (fifo_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 vendor_file_type (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 vendor_file_type (dir (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 vendor_file_type (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 vendor_file_type (chr_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 vendor_file_type (blk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 vendor_file_type (sock_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 vendor_file_type (fifo_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 system_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 system_file_27_0 (dir (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 system_file_27_0 (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 system_file_27_0 (chr_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 system_file_27_0 (blk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 system_file_27_0 (sock_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_14_27_0 system_file_27_0 (fifo_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_30_27_0 exec_type (file (relabelto)))
-(neverallow base_typeattr_30_27_0 exec_type (dir (relabelto)))
-(neverallow base_typeattr_30_27_0 exec_type (lnk_file (relabelto)))
-(neverallow base_typeattr_30_27_0 exec_type (chr_file (relabelto)))
-(neverallow base_typeattr_30_27_0 exec_type (blk_file (relabelto)))
-(neverallow base_typeattr_30_27_0 exec_type (sock_file (relabelto)))
-(neverallow base_typeattr_30_27_0 exec_type (fifo_file (relabelto)))
-(neverallow base_typeattr_30_27_0 vendor_file_type (file (relabelto)))
-(neverallow base_typeattr_30_27_0 vendor_file_type (dir (relabelto)))
-(neverallow base_typeattr_30_27_0 vendor_file_type (lnk_file (relabelto)))
-(neverallow base_typeattr_30_27_0 vendor_file_type (chr_file (relabelto)))
-(neverallow base_typeattr_30_27_0 vendor_file_type (blk_file (relabelto)))
-(neverallow base_typeattr_30_27_0 vendor_file_type (sock_file (relabelto)))
-(neverallow base_typeattr_30_27_0 vendor_file_type (fifo_file (relabelto)))
-(neverallow base_typeattr_30_27_0 system_file_27_0 (file (relabelto)))
-(neverallow base_typeattr_30_27_0 system_file_27_0 (dir (relabelto)))
-(neverallow base_typeattr_30_27_0 system_file_27_0 (lnk_file (relabelto)))
-(neverallow base_typeattr_30_27_0 system_file_27_0 (chr_file (relabelto)))
-(neverallow base_typeattr_30_27_0 system_file_27_0 (blk_file (relabelto)))
-(neverallow base_typeattr_30_27_0 system_file_27_0 (sock_file (relabelto)))
-(neverallow base_typeattr_30_27_0 system_file_27_0 (fifo_file (relabelto)))
-(neverallow base_typeattr_10_27_0 exec_type (file (mounton)))
-(neverallow base_typeattr_10_27_0 exec_type (dir (mounton)))
-(neverallow base_typeattr_10_27_0 exec_type (lnk_file (mounton)))
-(neverallow base_typeattr_10_27_0 exec_type (chr_file (mounton)))
-(neverallow base_typeattr_10_27_0 exec_type (blk_file (mounton)))
-(neverallow base_typeattr_10_27_0 exec_type (sock_file (mounton)))
-(neverallow base_typeattr_10_27_0 exec_type (fifo_file (mounton)))
-(neverallow base_typeattr_5_27_0 vendor_file_type (file (mounton)))
-(neverallow base_typeattr_5_27_0 vendor_file_type (dir (mounton)))
-(neverallow base_typeattr_5_27_0 vendor_file_type (lnk_file (mounton)))
-(neverallow base_typeattr_5_27_0 vendor_file_type (chr_file (mounton)))
-(neverallow base_typeattr_5_27_0 vendor_file_type (blk_file (mounton)))
-(neverallow base_typeattr_5_27_0 vendor_file_type (sock_file (mounton)))
-(neverallow base_typeattr_5_27_0 vendor_file_type (fifo_file (mounton)))
-(neverallow base_typeattr_5_27_0 system_file_27_0 (file (mounton)))
-(neverallow base_typeattr_5_27_0 system_file_27_0 (dir (mounton)))
-(neverallow base_typeattr_5_27_0 system_file_27_0 (lnk_file (mounton)))
-(neverallow base_typeattr_5_27_0 system_file_27_0 (chr_file (mounton)))
-(neverallow base_typeattr_5_27_0 system_file_27_0 (blk_file (mounton)))
-(neverallow base_typeattr_5_27_0 system_file_27_0 (sock_file (mounton)))
-(neverallow base_typeattr_5_27_0 system_file_27_0 (fifo_file (mounton)))
-(neverallow base_typeattr_10_27_0 rootfs_27_0 (file (write create setattr relabelto append unlink link rename)))
-(neverallow base_typeattr_10_27_0 base_typeattr_31_27_0 (filesystem (relabelto)))
-(neverallow base_typeattr_14_27_0 contextmount_type (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_27_0 contextmount_type (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_27_0 contextmount_type (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_27_0 contextmount_type (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_27_0 contextmount_type (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_27_0 contextmount_type (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_14_27_0 contextmount_type (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_10_27_0 default_android_service_27_0 (service_manager (add)))
-(neverallow base_typeattr_10_27_0 default_android_vndservice_27_0 (service_manager (add find)))
-(neverallow base_typeattr_10_27_0 default_android_hwservice_27_0 (hwservice_manager (add find)))
-(neverallow base_typeattr_10_27_0 hidl_base_hwservice_27_0 (hwservice_manager (find)))
-(neverallow base_typeattr_5_27_0 default_prop_27_0 (property_service (set)))
-(neverallow base_typeattr_5_27_0 mmc_prop_27_0 (property_service (set)))
-(neverallow base_typeattr_32_27_0 serialno_prop_27_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_33_27_0 firstboot_prop_27_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_34_27_0 frp_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_35_27_0 metadata_block_device_27_0 (blk_file (ioctl read write lock append link rename open)))
-(neverallow base_typeattr_36_27_0 system_block_device_27_0 (blk_file (write)))
-(neverallow base_typeattr_37_27_0 recovery_block_device_27_0 (blk_file (write)))
-(neverallow base_typeattr_38_27_0 misc_block_device_27_0 (blk_file (ioctl read write lock relabelfrom append link rename open)))
-(neverallow base_typeattr_39_27_0 base_typeattr_10_27_0 (binder (set_context_mgr)))
-(neverallow servicemanager_27_0 hwbinder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow servicemanager_27_0 vndbinder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow hwservicemanager_27_0 binder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow hwservicemanager_27_0 vndbinder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow vndservicemanager_27_0 binder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow vndservicemanager_27_0 hwbinder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_40_27_0 binder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(neverallow base_typeattr_40_27_0 service_manager_type (service_manager (find)))
-(neverallow base_typeattr_41_27_0 base_typeattr_42_27_0 (service_manager (find)))
-(neverallow base_typeattr_40_27_0 servicemanager_27_0 (binder (call transfer)))
-(neverallow base_typeattr_43_27_0 vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(neverallow ueventd_27_0 vndbinder_device_27_0 (chr_file (ioctl read write append)))
-(neverallow base_typeattr_44_27_0 vndservice_manager_type (service_manager (add find list)))
-(neverallow base_typeattr_44_27_0 vndservicemanager_27_0 (binder (impersonate call set_context_mgr transfer)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (tcp_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (udp_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (rawip_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (packet_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (key_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (unix_stream_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (unix_dgram_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_route_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_tcpdiag_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_nflog_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_xfrm_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_selinux_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_audit_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_dnrt_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_kobject_uevent_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (appletalk_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (tun_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_iscsi_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_fib_lookup_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_connector_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_netfilter_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_generic_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_scsitransport_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_rdma_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_crypto_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (sctp_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (icmp_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (ax25_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (ipx_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netrom_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (atmpvc_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (x25_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (rose_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (decnet_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (atmsvc_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (rds_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (irda_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (pppox_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (llc_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (can_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (tipc_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (bluetooth_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (iucv_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (rxrpc_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (isdn_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (phonet_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (ieee802154_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (caif_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (alg_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (nfc_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (vsock_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (kcm_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (qipcrtr_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (smc_socket (connect sendto)))
-(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (tcp_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (udp_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (rawip_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (packet_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (key_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (unix_stream_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (unix_dgram_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_route_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_tcpdiag_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_nflog_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_xfrm_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_selinux_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_audit_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_dnrt_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_kobject_uevent_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (appletalk_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (tun_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_iscsi_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_fib_lookup_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_connector_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_netfilter_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_generic_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_scsitransport_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_rdma_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_crypto_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (sctp_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (icmp_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (ax25_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (ipx_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netrom_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (atmpvc_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (x25_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (rose_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (decnet_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (atmsvc_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (rds_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (irda_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (pppox_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (llc_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (can_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (tipc_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (bluetooth_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (iucv_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (rxrpc_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (isdn_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (phonet_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (ieee802154_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (caif_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (alg_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (nfc_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (vsock_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (kcm_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (qipcrtr_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (smc_socket (connect sendto)))
-(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (tcp_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (udp_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (rawip_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (packet_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (key_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (unix_stream_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (unix_dgram_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_route_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_tcpdiag_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_nflog_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_xfrm_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_selinux_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_audit_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_dnrt_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_kobject_uevent_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (appletalk_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (tun_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_iscsi_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_fib_lookup_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_connector_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_netfilter_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_generic_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_scsitransport_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_rdma_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_crypto_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (sctp_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (icmp_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (ax25_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (ipx_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (netrom_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (atmpvc_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (x25_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (rose_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (decnet_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (atmsvc_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (rds_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (irda_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (pppox_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (llc_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (can_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (tipc_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (bluetooth_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (iucv_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (rxrpc_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (isdn_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (phonet_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (ieee802154_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (caif_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (alg_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (nfc_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (vsock_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (kcm_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (qipcrtr_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (smc_socket (connect sendto)))
-(neverallow base_typeattr_49_27_0 netd_27_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_47_27_0 core_data_file_type (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_47_27_0 coredomain_socket (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_47_27_0 unlabeled_27_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_41_27_0 base_typeattr_50_27_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_51_27_0 base_typeattr_52_27_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_53_27_0 vendor_app_file_27_0 (dir (read getattr search open)))
-(neverallow base_typeattr_53_27_0 vendor_app_file_27_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_53_27_0 vendor_app_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_54_27_0 vendor_overlay_file_27_0 (dir (read getattr search open)))
-(neverallow base_typeattr_54_27_0 vendor_overlay_file_27_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_54_27_0 vendor_overlay_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_55_27_0 vendor_shell_exec_27_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_56_27_0 base_typeattr_57_27_0 (file (execute execute_no_trans entrypoint)))
-(neverallow base_typeattr_58_27_0 dalvikcache_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_58_27_0 dalvikcache_data_file_27_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(neverallow base_typeattr_59_27_0 zygote_27_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_60_27_0 zygote_socket_27_0 (sock_file (write)))
-(neverallow base_typeattr_61_27_0 webview_zygote_27_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_60_27_0 webview_zygote_socket_27_0 (sock_file (write)))
-(neverallow base_typeattr_62_27_0 tombstoned_crash_socket_27_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_63_27_0 tombstoned_intercept_socket_27_0 (sock_file (write)))
-(neverallow base_typeattr_63_27_0 tombstoned_intercept_socket_27_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (sem (create destroy getattr setattr read write associate unix_read unix_write)))
-(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (msg (send receive)))
-(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)))
-(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (shm (create destroy getattr setattr read write associate unix_read unix_write lock)))
-(neverallow base_typeattr_10_27_0 dev_type (lnk_file (mounton)))
-(neverallow base_typeattr_10_27_0 dev_type (sock_file (mounton)))
-(neverallow base_typeattr_10_27_0 dev_type (fifo_file (mounton)))
-(neverallow base_typeattr_10_27_0 fs_type (lnk_file (mounton)))
-(neverallow base_typeattr_10_27_0 fs_type (sock_file (mounton)))
-(neverallow base_typeattr_10_27_0 fs_type (fifo_file (mounton)))
-(neverallow base_typeattr_10_27_0 file_type (lnk_file (mounton)))
-(neverallow base_typeattr_10_27_0 file_type (sock_file (mounton)))
-(neverallow base_typeattr_10_27_0 file_type (fifo_file (mounton)))
-(neverallow base_typeattr_64_27_0 su_exec_27_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_10_27_0 base_typeattr_65_27_0 (file (execmod)))
-(neverallow base_typeattr_10_27_0 self (process (execstack execheap)))
-(neverallow base_typeattr_66_27_0 file_type (file (execmod)))
-(neverallow base_typeattr_5_27_0 proc_27_0 (file (mounton)))
-(neverallow base_typeattr_5_27_0 proc_27_0 (dir (mounton)))
-(neverallow base_typeattr_67_27_0 domain (process (transition dyntransition)))
-(neverallow base_typeattr_68_27_0 system_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow installd_27_0 system_data_file_27_0 (file (write create setattr relabelto append link rename execute quotaon mounton execute_no_trans entrypoint execmod audit_access)))
-(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (file (create unlink open)))
-(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (dir (create unlink open)))
-(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (lnk_file (create unlink open)))
-(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (chr_file (create unlink open)))
-(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (blk_file (create unlink open)))
-(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (sock_file (create unlink open)))
-(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (fifo_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_27_0 (file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_27_0 (dir (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_27_0 (lnk_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_27_0 (chr_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_27_0 (blk_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_27_0 (sock_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_27_0 (fifo_file (create unlink open)))
-(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (file (create unlink open)))
-(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (dir (create unlink open)))
-(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (lnk_file (create unlink open)))
-(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (chr_file (create unlink open)))
-(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (blk_file (create unlink open)))
-(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (sock_file (create unlink open)))
-(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (fifo_file (create unlink open)))
-(neverallow isolated_app_27_0 system_app_data_file_27_0 (file (create unlink open)))
-(neverallow isolated_app_27_0 system_app_data_file_27_0 (dir (create unlink open)))
-(neverallow isolated_app_27_0 system_app_data_file_27_0 (lnk_file (create unlink open)))
-(neverallow isolated_app_27_0 system_app_data_file_27_0 (chr_file (create unlink open)))
-(neverallow isolated_app_27_0 system_app_data_file_27_0 (blk_file (create unlink open)))
-(neverallow isolated_app_27_0 system_app_data_file_27_0 (sock_file (create unlink open)))
-(neverallow isolated_app_27_0 system_app_data_file_27_0 (fifo_file (create unlink open)))
-(neverallow priv_app_27_0 system_app_data_file_27_0 (file (create unlink open)))
-(neverallow priv_app_27_0 system_app_data_file_27_0 (dir (create unlink open)))
-(neverallow priv_app_27_0 system_app_data_file_27_0 (lnk_file (create unlink open)))
-(neverallow priv_app_27_0 system_app_data_file_27_0 (chr_file (create unlink open)))
-(neverallow priv_app_27_0 system_app_data_file_27_0 (blk_file (create unlink open)))
-(neverallow priv_app_27_0 system_app_data_file_27_0 (sock_file (create unlink open)))
-(neverallow priv_app_27_0 system_app_data_file_27_0 (fifo_file (create unlink open)))
-(neverallow base_typeattr_70_27_0 app_data_file_27_0 (file (create unlink)))
-(neverallow base_typeattr_70_27_0 app_data_file_27_0 (dir (create unlink)))
-(neverallow base_typeattr_70_27_0 app_data_file_27_0 (lnk_file (create unlink)))
-(neverallow base_typeattr_70_27_0 app_data_file_27_0 (chr_file (create unlink)))
-(neverallow base_typeattr_70_27_0 app_data_file_27_0 (blk_file (create unlink)))
-(neverallow base_typeattr_70_27_0 app_data_file_27_0 (sock_file (create unlink)))
-(neverallow base_typeattr_70_27_0 app_data_file_27_0 (fifo_file (create unlink)))
-(neverallow base_typeattr_71_27_0 shell_27_0 (process (transition dyntransition)))
-(neverallow base_typeattr_72_27_0 base_typeattr_73_27_0 (process (transition dyntransition)))
-(neverallow base_typeattr_74_27_0 app_data_file_27_0 (lnk_file (read)))
-(neverallow base_typeattr_75_27_0 shell_data_file_27_0 (lnk_file (read)))
-(neverallow base_typeattr_76_27_0 shell_data_file_27_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(neverallow base_typeattr_77_27_0 shell_data_file_27_0 (dir (search open)))
-(neverallow base_typeattr_78_27_0 shell_data_file_27_0 (file (open)))
-(neverallow base_typeattr_10_27_0 base_typeattr_79_27_0 (service_manager (list)))
-(neverallow base_typeattr_10_27_0 base_typeattr_80_27_0 (hwservice_manager (list)))
-(neverallow base_typeattr_10_27_0 domain (file (execute execute_no_trans entrypoint)))
-(neverallow base_typeattr_81_27_0 debugfs_27_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_82_27_0 profman_exec_27_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_10_27_0 base_typeattr_83_27_0 (system (module_load)))
-(neverallow base_typeattr_14_27_0 self (capability (setfcap)))
-(neverallow domain crash_dump_27_0 (process (noatsecure)))
-(neverallow base_typeattr_84_27_0 coredomain_hwservice (hwservice_manager (add)))
-(neverallow base_typeattr_10_27_0 same_process_hwservice (hwservice_manager (add)))
-(allow drmserver_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 drmserver_27_0 (dir (search)))
-(allow servicemanager_27_0 drmserver_27_0 (file (read open)))
-(allow servicemanager_27_0 drmserver_27_0 (process (getattr)))
-(allow drmserver_27_0 system_server_27_0 (binder (call transfer)))
-(allow system_server_27_0 drmserver_27_0 (binder (transfer)))
-(allow drmserver_27_0 system_server_27_0 (fd (use)))
-(allow drmserver_27_0 appdomain (binder (call transfer)))
-(allow appdomain drmserver_27_0 (binder (transfer)))
-(allow drmserver_27_0 appdomain (fd (use)))
-(allow drmserver_27_0 system_server_27_0 (fd (use)))
-(allow drmserver_27_0 mediaserver_27_0 (binder (call transfer)))
-(allow mediaserver_27_0 drmserver_27_0 (binder (transfer)))
-(allow drmserver_27_0 mediaserver_27_0 (fd (use)))
-(allow drmserver_27_0 sdcard_type (dir (search)))
-(allow drmserver_27_0 drm_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow drmserver_27_0 drm_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow drmserver_27_0 tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow drmserver_27_0 app_data_file_27_0 (file (read write getattr)))
-(allow drmserver_27_0 sdcard_type (file (read write getattr)))
-(allow drmserver_27_0 efs_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_27_0 efs_file_27_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_27_0 efs_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow drmserver_27_0 apk_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow drmserver_27_0 drmserver_socket_27_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow drmserver_27_0 apk_data_file_27_0 (sock_file (unlink)))
-(allow drmserver_27_0 media_rw_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_27_0 media_rw_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_27_0 media_rw_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow drmserver_27_0 apk_data_file_27_0 (file (read getattr)))
-(allow drmserver_27_0 asec_apk_file_27_0 (file (read getattr)))
-(allow drmserver_27_0 ringtone_file_27_0 (file (read getattr)))
-(allow drmserver_27_0 radio_data_file_27_0 (file (read getattr)))
-(allow drmserver_27_0 oemfs_27_0 (dir (search)))
-(allow drmserver_27_0 oemfs_27_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_27_0 drmserver_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_85_27_0 drmserver_service_27_0 (service_manager (add)))
-(allow drmserver_27_0 permission_service_27_0 (service_manager (find)))
-(allow drmserver_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow drmserver_27_0 selinuxfs_27_0 (file (write lock append map open)))
-(allow drmserver_27_0 kernel_27_0 (security (compute_av)))
-(allow drmserver_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow drmserver_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow drmserver_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 dumpstate_27_0 (dir (search)))
-(allow servicemanager_27_0 dumpstate_27_0 (file (read open)))
-(allow servicemanager_27_0 dumpstate_27_0 (process (getattr)))
-(allow dumpstate_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow dumpstate_27_0 self (capability2 (block_suspend)))
-(allow dumpstate_27_0 self (capability (setgid setuid sys_resource)))
-(allow dumpstate_27_0 domain (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 domain (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 self (capability (kill net_admin net_raw)))
-(allow dumpstate_27_0 system_file_27_0 (file (execute_no_trans)))
-(allow dumpstate_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dumpstate_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 self (capability (chown dac_override fowner fsetid)))
-(allow dumpstate_27_0 anr_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow dumpstate_27_0 anr_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow dumpstate_27_0 system_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 self (capability2 (syslog)))
-(allow dumpstate_27_0 kernel_27_0 (system (syslog_read)))
-(allow dumpstate_27_0 pstorefs_27_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 domain (process (getattr)))
-(allow dumpstate_27_0 appdomain (process (signal)))
-(allow dumpstate_27_0 system_server_27_0 (process (signal)))
-(allow dumpstate_27_0 hal_audio_server (process (signal)))
-(allow dumpstate_27_0 hal_bluetooth_server (process (signal)))
-(allow dumpstate_27_0 hal_camera_server (process (signal)))
-(allow dumpstate_27_0 hal_graphics_composer_server (process (signal)))
-(allow dumpstate_27_0 hal_sensors_server (process (signal)))
-(allow dumpstate_27_0 hal_vr_server (process (signal)))
-(allow dumpstate_27_0 audioserver_27_0 (process (signal)))
-(allow dumpstate_27_0 cameraserver_27_0 (process (signal)))
-(allow dumpstate_27_0 drmserver_27_0 (process (signal)))
-(allow dumpstate_27_0 inputflinger_27_0 (process (signal)))
-(allow dumpstate_27_0 mediacodec_27_0 (process (signal)))
-(allow dumpstate_27_0 mediadrmserver_27_0 (process (signal)))
-(allow dumpstate_27_0 mediaextractor_27_0 (process (signal)))
-(allow dumpstate_27_0 mediaserver_27_0 (process (signal)))
-(allow dumpstate_27_0 sdcardd_27_0 (process (signal)))
-(allow dumpstate_27_0 surfaceflinger_27_0 (process (signal)))
-(allow dumpstate_27_0 tombstoned_intercept_socket_27_0 (sock_file (write)))
-(allow dumpstate_27_0 tombstoned_27_0 (unix_stream_socket (connectto)))
-(allow dumpstate_27_0 sysfs_usb_27_0 (file (write lock append map open)))
-(allow dumpstate_27_0 qtaguid_proc_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 debugfs_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 block_device_27_0 (dir (getattr search)))
-(allow dumpstate_27_0 rootfs_27_0 (dir (getattr search)))
-(allow dumpstate_27_0 selinuxfs_27_0 (dir (getattr search)))
-(allow dumpstate_27_0 tmpfs_27_0 (dir (getattr search)))
-(allow dumpstate_27_0 storage_file_27_0 (dir (getattr search)))
-(allow dumpstate_27_0 cache_file_27_0 (dir (getattr search)))
-(allow dumpstate_27_0 fuse_device_27_0 (chr_file (getattr)))
-(allow dumpstate_27_0 dm_device_27_0 (blk_file (getattr)))
-(allow dumpstate_27_0 cache_block_device_27_0 (blk_file (getattr)))
-(allow dumpstate_27_0 rootfs_27_0 (lnk_file (read getattr)))
-(allow dumpstate_27_0 cache_file_27_0 (lnk_file (read getattr)))
-(allow dumpstate_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain dumpstate_27_0 (binder (transfer)))
-(allow dumpstate_27_0 binderservicedomain (fd (use)))
-(allow dumpstate_27_0 appdomain (binder (call transfer)))
-(allow dumpstate_27_0 netd_27_0 (binder (call transfer)))
-(allow dumpstate_27_0 wificond_27_0 (binder (call transfer)))
-(allow appdomain dumpstate_27_0 (binder (transfer)))
-(allow netd_27_0 dumpstate_27_0 (binder (transfer)))
-(allow wificond_27_0 dumpstate_27_0 (binder (transfer)))
-(allow dumpstate_27_0 appdomain (fd (use)))
-(allow dumpstate_27_0 netd_27_0 (fd (use)))
-(allow dumpstate_27_0 wificond_27_0 (fd (use)))
-(allow dumpstate_27_0 sysfs_vibrator_27_0 (file (ioctl read write getattr lock append map open)))
-(allow dumpstate_27_0 self (capability (sys_ptrace)))
-(allow dumpstate_27_0 shell_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow dumpstate_27_0 shell_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow dumpstate_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dumpstate_27_0 zygote_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dumpstate_27_0 ashmem_device_27_0 (chr_file (execute)))
-(allow dumpstate_27_0 self (process (execmem)))
-(allow dumpstate_27_0 dalvikcache_data_file_27_0 (dir (getattr search)))
-(allow dumpstate_27_0 dalvikcache_data_file_27_0 (file (ioctl read getattr lock map execute open)))
-(allow dumpstate_27_0 dalvikcache_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 bluetooth_data_file_27_0 (dir (search)))
-(allow dumpstate_27_0 bluetooth_logs_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 bluetooth_logs_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow dumpstate_27_0 logcat_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dumpstate_27_0 logdr_socket_27_0 (sock_file (write)))
-(allow dumpstate_27_0 logd_27_0 (unix_stream_socket (connectto)))
-(allow dumpstate_27_0 logd_socket_27_0 (sock_file (write)))
-(allow dumpstate_27_0 logd_27_0 (unix_stream_socket (connectto)))
-(allow dumpstate_27_0 runtime_event_log_tags_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 net_data_file_27_0 (dir (search)))
-(allow dumpstate_27_0 net_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 self (netlink_tcpdiag_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read)))
-(allow dumpstate_27_0 tombstone_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 tombstone_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 cache_recovery_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 cache_recovery_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 recovery_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 recovery_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 user_profile_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 user_profile_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 misc_logd_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 misc_logd_file_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 base_typeattr_86_27_0 (service_manager (find)))
-(allow dumpstate_27_0 servicemanager_27_0 (service_manager (list)))
-(allow dumpstate_27_0 hwservicemanager_27_0 (hwservice_manager (list)))
-(allow dumpstate_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow dumpstate_27_0 property_socket_27_0 (sock_file (write)))
-(allow dumpstate_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow dumpstate_27_0 dumpstate_prop_27_0 (property_service (set)))
-(allow dumpstate_27_0 dumpstate_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 property_socket_27_0 (sock_file (write)))
-(allow dumpstate_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow dumpstate_27_0 dumpstate_options_prop_27_0 (property_service (set)))
-(allow dumpstate_27_0 dumpstate_options_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 serialno_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 device_logging_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 media_rw_data_file_27_0 (dir (getattr)))
-(allow dumpstate_27_0 proc_interrupts_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 proc_zoneinfo_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 dumpstate_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_87_27_0 dumpstate_service_27_0 (service_manager (add)))
-(allow dumpstate_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 sysfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_27_0 sysfs_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 sysfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 proc_stat_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 sysfs_leds_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 sysfs_leds_27_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_27_0 sysfs_leds_27_0 (dir (search)))
-(allow dumpstate_27_0 installd_27_0 (binder (call transfer)))
-(allow installd_27_0 dumpstate_27_0 (binder (transfer)))
-(allow dumpstate_27_0 installd_27_0 (fd (use)))
-(allow dumpstate_27_0 self (netlink_xfrm_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read)))
-(neverallow dumpstate_27_0 base_typeattr_10_27_0 (process (ptrace)))
-(neverallow base_typeattr_88_27_0 dumpstate_service_27_0 (service_manager (find)))
-(neverallow dumpstate_27_0 sysfs_27_0 (file (write create setattr relabelfrom append unlink link rename)))
-(allow e2fs_27_0 block_device_27_0 (blk_file (getattr)))
-(allow e2fs_27_0 block_device_27_0 (dir (search)))
-(allow e2fs_27_0 userdata_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow e2fs_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow e2fs_27_0 sysfs_fs_ext4_features_27_0 (file (ioctl read getattr lock map open)))
-(allow e2fs_27_0 file_contexts_file_27_0 (file (read getattr open)))
-(dontaudit su_27_0 pdx_display_client_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 pdx_display_client_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 pdx_display_manager_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 pdx_display_manager_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 pdx_display_screenshot_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 pdx_display_screenshot_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 pdx_display_vsync_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 pdx_display_vsync_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 pdx_performance_client_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 pdx_performance_client_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 pdx_bufferhub_client_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 pdx_bufferhub_client_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(allow fs_type self (filesystem (associate)))
-(allow cgroup_27_0 tmpfs_27_0 (filesystem (associate)))
-(allow sysfs_type sysfs_27_0 (filesystem (associate)))
-(allow debugfs_type debugfs_27_0 (filesystem (associate)))
-(allow debugfs_type debugfs_tracing_27_0 (filesystem (associate)))
-(allow file_type labeledfs_27_0 (filesystem (associate)))
-(allow file_type tmpfs_27_0 (filesystem (associate)))
-(allow file_type rootfs_27_0 (filesystem (associate)))
-(allow dev_type tmpfs_27_0 (filesystem (associate)))
-(allow app_fuse_file_27_0 app_fusefs_27_0 (filesystem (associate)))
-(allow postinstall_file_27_0 self (filesystem (associate)))
-(neverallow fs_type file_type (filesystem (associate)))
-(allow fingerprintd_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 fingerprintd_27_0 (dir (search)))
-(allow servicemanager_27_0 fingerprintd_27_0 (file (read open)))
-(allow servicemanager_27_0 fingerprintd_27_0 (process (getattr)))
-(allow fingerprintd_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow fingerprintd_27_0 fingerprintd_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_89_27_0 fingerprintd_service_27_0 (service_manager (add)))
-(allow fingerprintd_27_0 fingerprintd_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow fingerprintd_27_0 fingerprintd_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow keystore_27_0 fingerprintd_27_0 (dir (search)))
-(allow keystore_27_0 fingerprintd_27_0 (file (read open)))
-(allow keystore_27_0 fingerprintd_27_0 (process (getattr)))
-(allow fingerprintd_27_0 keystore_service_27_0 (service_manager (find)))
-(allow fingerprintd_27_0 keystore_27_0 (binder (call transfer)))
-(allow keystore_27_0 fingerprintd_27_0 (binder (transfer)))
-(allow fingerprintd_27_0 keystore_27_0 (fd (use)))
-(allow fingerprintd_27_0 keystore_27_0 (keystore_key (add_auth)))
-(allow fingerprintd_27_0 system_server_27_0 (binder (call transfer)))
-(allow system_server_27_0 fingerprintd_27_0 (binder (transfer)))
-(allow fingerprintd_27_0 system_server_27_0 (fd (use)))
-(allow fingerprintd_27_0 permission_service_27_0 (service_manager (find)))
-(allow fingerprintd_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow fingerprintd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow fingerprintd_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow fingerprintd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow fingerprintd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow fingerprintd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow fingerprintd_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow fsck_27_0 tmpfs_27_0 (chr_file (ioctl read write)))
-(allow fsck_27_0 devpts_27_0 (chr_file (ioctl read write getattr)))
-(allow fsck_27_0 vold_27_0 (fd (use)))
-(allow fsck_27_0 vold_27_0 (fifo_file (read write getattr)))
-(allow fsck_27_0 block_device_27_0 (dir (search)))
-(allow fsck_27_0 userdata_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow fsck_27_0 cache_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow fsck_27_0 dm_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow fsck_27_0 dev_type (blk_file (getattr)))
-(allow fsck_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow fsck_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow fsck_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow fsck_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
-(neverallow fsck_27_0 vold_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_27_0 root_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_27_0 frp_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_27_0 system_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_27_0 recovery_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_27_0 boot_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_27_0 swap_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_27_0 metadata_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_90_27_0 fsck_27_0 (process (transition)))
-(neverallow base_typeattr_10_27_0 fsck_27_0 (process (dyntransition)))
-(neverallow fsck_27_0 base_typeattr_91_27_0 (file (entrypoint)))
-(allow fsck_untrusted_27_0 devpts_27_0 (chr_file (ioctl read write getattr)))
-(allow fsck_untrusted_27_0 vold_27_0 (fd (use)))
-(allow fsck_untrusted_27_0 vold_27_0 (fifo_file (read write getattr)))
-(allow fsck_untrusted_27_0 block_device_27_0 (dir (search)))
-(allow fsck_untrusted_27_0 vold_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow fsck_untrusted_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow fsck_untrusted_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow fsck_untrusted_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow fsck_untrusted_27_0 dev_type (blk_file (getattr)))
-(neverallow fsck_untrusted_27_0 dm_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_27_0 root_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_27_0 frp_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_27_0 system_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_27_0 recovery_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_27_0 boot_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_27_0 userdata_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_27_0 cache_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_27_0 swap_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_27_0 metadata_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_92_27_0 fsck_untrusted_27_0 (process (transition)))
-(neverallow base_typeattr_10_27_0 fsck_untrusted_27_0 (process (dyntransition)))
-(neverallow fsck_untrusted_27_0 base_typeattr_91_27_0 (file (entrypoint)))
-(allow gatekeeperd_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 gatekeeperd_27_0 (dir (search)))
-(allow servicemanager_27_0 gatekeeperd_27_0 (file (read open)))
-(allow servicemanager_27_0 gatekeeperd_27_0 (process (getattr)))
-(allow gatekeeperd_27_0 tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow gatekeeperd_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow gatekeeperd_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow gatekeeperd_27_0 gatekeeper_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_93_27_0 gatekeeper_service_27_0 (service_manager (add)))
-(allow keystore_27_0 gatekeeperd_27_0 (dir (search)))
-(allow keystore_27_0 gatekeeperd_27_0 (file (read open)))
-(allow keystore_27_0 gatekeeperd_27_0 (process (getattr)))
-(allow gatekeeperd_27_0 keystore_service_27_0 (service_manager (find)))
-(allow gatekeeperd_27_0 keystore_27_0 (binder (call transfer)))
-(allow keystore_27_0 gatekeeperd_27_0 (binder (transfer)))
-(allow gatekeeperd_27_0 keystore_27_0 (fd (use)))
-(allow gatekeeperd_27_0 keystore_27_0 (keystore_key (add_auth)))
-(allow gatekeeperd_27_0 system_server_27_0 (binder (call)))
-(allow gatekeeperd_27_0 permission_service_27_0 (service_manager (find)))
-(allow gatekeeperd_27_0 gatekeeper_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow gatekeeperd_27_0 gatekeeper_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow gatekeeperd_27_0 hardware_properties_service_27_0 (service_manager (find)))
-(allow gatekeeperd_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow gatekeeperd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow gatekeeperd_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_allocator_client hal_allocator_server (binder (call transfer)))
-(allow hal_allocator_server hal_allocator_client (binder (transfer)))
-(allow hal_allocator_client hal_allocator_server (fd (use)))
-(allow hal_allocator_server hidl_allocator_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_allocator_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_94_27_0 hidl_allocator_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_allocator_client hidl_allocator_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_allocator_client hidl_memory_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_audio_client hal_audio_server (binder (call transfer)))
-(allow hal_audio_server hal_audio_client (binder (transfer)))
-(allow hal_audio_client hal_audio_server (fd (use)))
-(allow hal_audio_server hal_audio_client (binder (call transfer)))
-(allow hal_audio_client hal_audio_server (binder (transfer)))
-(allow hal_audio_server hal_audio_client (fd (use)))
-(allow hal_audio_server hal_audio_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_audio_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_95_27_0 hal_audio_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_audio_client hal_audio_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_audio ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_audio audiohal_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_audio audiohal_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_audio proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_audio proc_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_audio proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_audio audio_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_audio audio_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_audio shell_27_0 (fd (use)))
-(allow hal_audio shell_27_0 (fifo_file (write)))
-(allow hal_audio dumpstate_27_0 (fd (use)))
-(allow hal_audio dumpstate_27_0 (fifo_file (write)))
-(neverallow hal_audio fs_type (file (execute_no_trans)))
-(neverallow hal_audio file_type (file (execute_no_trans)))
-(neverallow hal_audio domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow hal_audio domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow hal_audio domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow base_typeattr_96_27_0 audio_device_27_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow hal_bluetooth_client hal_bluetooth_server (binder (call transfer)))
-(allow hal_bluetooth_server hal_bluetooth_client (binder (transfer)))
-(allow hal_bluetooth_client hal_bluetooth_server (fd (use)))
-(allow hal_bluetooth_server hal_bluetooth_client (binder (call transfer)))
-(allow hal_bluetooth_client hal_bluetooth_server (binder (transfer)))
-(allow hal_bluetooth_server hal_bluetooth_client (fd (use)))
-(allow hal_bluetooth_server hal_bluetooth_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_bluetooth_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_97_27_0 hal_bluetooth_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_bluetooth_client hal_bluetooth_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_bluetooth sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_bluetooth self (capability2 (block_suspend)))
-(allow hal_bluetooth self (capability (net_admin)))
-(allow hal_bluetooth bluetooth_efs_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_bluetooth bluetooth_efs_file_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_bluetooth bluetooth_efs_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_bluetooth uhid_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_bluetooth hci_attach_dev_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_bluetooth sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_bluetooth sysfs_type (file (ioctl read getattr lock map open)))
-(allow hal_bluetooth sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow hal_bluetooth sysfs_bluetooth_writable_27_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_bluetooth self (capability2 (wake_alarm)))
-(allow hal_bluetooth property_socket_27_0 (sock_file (write)))
-(allow hal_bluetooth init_27_0 (unix_stream_socket (connectto)))
-(allow hal_bluetooth bluetooth_prop_27_0 (property_service (set)))
-(allow hal_bluetooth bluetooth_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_bluetooth proc_bluetooth_writable_27_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_bluetooth self (capability (sys_nice)))
-(allow hal_bootctl_client hal_bootctl_server (binder (call transfer)))
-(allow hal_bootctl_server hal_bootctl_client (binder (transfer)))
-(allow hal_bootctl_client hal_bootctl_server (fd (use)))
-(allow hal_bootctl_server hal_bootctl_client (binder (call transfer)))
-(allow hal_bootctl_client hal_bootctl_server (binder (transfer)))
-(allow hal_bootctl_server hal_bootctl_client (fd (use)))
-(allow hal_bootctl_server hal_bootctl_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_bootctl_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_98_27_0 hal_bootctl_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_bootctl_client hal_bootctl_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_broadcastradio_client hal_broadcastradio_server (binder (call transfer)))
-(allow hal_broadcastradio_server hal_broadcastradio_client (binder (transfer)))
-(allow hal_broadcastradio_client hal_broadcastradio_server (fd (use)))
-(allow hal_broadcastradio_server hal_broadcastradio_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_broadcastradio_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_99_27_0 hal_broadcastradio_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_broadcastradio_client hal_broadcastradio_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_camera_client hal_camera_server (binder (call transfer)))
-(allow hal_camera_server hal_camera_client (binder (transfer)))
-(allow hal_camera_client hal_camera_server (fd (use)))
-(allow hal_camera_server hal_camera_client (binder (call transfer)))
-(allow hal_camera_client hal_camera_server (binder (transfer)))
-(allow hal_camera_server hal_camera_client (fd (use)))
-(allow hal_camera_server hal_camera_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_camera_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_100_27_0 hal_camera_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_camera_client hal_camera_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_camera camera_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_camera camera_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_camera video_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_camera video_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_camera camera_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_camera ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_camera_client hal_graphics_allocator (fd (use)))
-(allow hal_camera_server hal_graphics_allocator (fd (use)))
-(allow hal_camera base_typeattr_101_27_0 (fd (use)))
-(allow hal_camera surfaceflinger_27_0 (fd (use)))
-(allow hal_camera hal_allocator_server (fd (use)))
-(neverallow hal_camera fs_type (file (execute_no_trans)))
-(neverallow hal_camera file_type (file (execute_no_trans)))
-(neverallow hal_camera domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow hal_camera domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow hal_camera domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow base_typeattr_102_27_0 camera_device_27_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow hal_cas_client hal_cas_server (binder (call transfer)))
-(allow hal_cas_server hal_cas_client (binder (transfer)))
-(allow hal_cas_client hal_cas_server (fd (use)))
-(allow hal_cas_server hal_cas_client (binder (call transfer)))
-(allow hal_cas_client hal_cas_server (binder (transfer)))
-(allow hal_cas_server hal_cas_client (fd (use)))
-(allow hal_cas_server hal_cas_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_cas_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_103_27_0 hal_cas_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_cas_client hal_cas_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_cas_server hidl_memory_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_cas serialno_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_cas system_data_file_27_0 (dir (getattr search)))
-(allow hal_cas system_data_file_27_0 (file (read getattr)))
-(allow hal_cas system_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_cas cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_cas cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_cas cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_cas cgroup_27_0 (dir (write search)))
-(allow hal_cas cgroup_27_0 (file (write lock append map open)))
-(allow hal_cas ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_cas hal_graphics_allocator (fd (use)))
-(allow hal_cas tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(neverallow hal_cas fs_type (file (execute_no_trans)))
-(neverallow hal_cas file_type (file (execute_no_trans)))
-(neverallowx hal_cas domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx hal_cas domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx hal_cas domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx hal_cas domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_cas domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_cas domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_cas domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx hal_cas domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx hal_cas domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_configstore_client hal_configstore_server (binder (call transfer)))
-(allow hal_configstore_server hal_configstore_client (binder (transfer)))
-(allow hal_configstore_client hal_configstore_server (fd (use)))
-(allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs_27_0 (hwservice_manager (find)))
-(allow hal_configstore_server hal_configstore_ISurfaceFlingerConfigs_27_0 (hwservice_manager (add find)))
-(allow hal_configstore_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_104_27_0 hal_configstore_ISurfaceFlingerConfigs_27_0 (hwservice_manager (add)))
-(allow hal_configstore_server su_27_0 (fifo_file (append)))
-(allow hal_configstore_server anr_data_file_27_0 (file (append)))
-(allow hal_configstore_server dumpstate_27_0 (fd (use)))
-(allow hal_configstore_server dumpstate_27_0 (fifo_file (write append)))
-(allow hal_configstore_server system_server_27_0 (fifo_file (write append)))
-(allow hal_configstore_server tombstoned_27_0 (unix_stream_socket (connectto)))
-(allow hal_configstore_server tombstoned_27_0 (fd (use)))
-(allow hal_configstore_server tombstoned_crash_socket_27_0 (sock_file (write)))
-(allow hal_configstore_server tombstone_data_file_27_0 (file (append)))
-(neverallow hal_configstore_server fs_type (file (execute_no_trans)))
-(neverallow hal_configstore_server file_type (file (execute_no_trans)))
-(neverallow hal_configstore_server domain (socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow hal_configstore_server domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow hal_configstore_server domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow hal_configstore_server domain (netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(neverallow hal_configstore_server domain (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(neverallow hal_configstore_server domain (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(neverallow hal_configstore_server domain (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
-(neverallow hal_configstore_server domain (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)))
-(neverallow hal_configstore_server domain (netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server base_typeattr_105_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(neverallow hal_configstore_server base_typeattr_105_27_0 (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server base_typeattr_106_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow hal_configstore_server base_typeattr_106_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow hal_configstore_server base_typeattr_106_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow hal_configstore_server fuse_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow hal_configstore_server sdcardfs_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow hal_configstore_server vfat_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow hal_configstore_server base_typeattr_10_27_0 (service_manager (add find list)))
-(neverallow hal_configstore_server self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(neverallow hal_configstore_server self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(neverallow hal_configstore_server base_typeattr_10_27_0 (process (ptrace)))
-(neverallow hal_configstore_server base_typeattr_10_27_0 (file (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_10_27_0 (dir (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_10_27_0 (lnk_file (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_10_27_0 (chr_file (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_10_27_0 (blk_file (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_10_27_0 (sock_file (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_10_27_0 (fifo_file (relabelfrom relabelto)))
-(allow hal_contexthub_client hal_contexthub_server (binder (call transfer)))
-(allow hal_contexthub_server hal_contexthub_client (binder (transfer)))
-(allow hal_contexthub_client hal_contexthub_server (fd (use)))
-(allow hal_contexthub_server hal_contexthub_client (binder (call transfer)))
-(allow hal_contexthub_client hal_contexthub_server (binder (transfer)))
-(allow hal_contexthub_server hal_contexthub_client (fd (use)))
-(allow hal_contexthub_server hal_contexthub_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_contexthub_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_107_27_0 hal_contexthub_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_contexthub_client hal_contexthub_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_drm_client hal_drm_server (binder (call transfer)))
-(allow hal_drm_server hal_drm_client (binder (transfer)))
-(allow hal_drm_client hal_drm_server (fd (use)))
-(allow hal_drm_server hal_drm_client (binder (call transfer)))
-(allow hal_drm_client hal_drm_server (binder (transfer)))
-(allow hal_drm_server hal_drm_client (fd (use)))
-(allow hal_drm_server hal_drm_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_drm_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_108_27_0 hal_drm_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_drm_client hal_drm_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_drm hidl_memory_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_drm self (process (execmem)))
-(allow hal_drm serialno_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_drm system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_drm system_file_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_drm system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_drm system_data_file_27_0 (dir (getattr search)))
-(allow hal_drm system_data_file_27_0 (file (read getattr)))
-(allow hal_drm system_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_drm cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_drm cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_drm cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_drm cgroup_27_0 (dir (write search)))
-(allow hal_drm cgroup_27_0 (file (write lock append map open)))
-(allow hal_drm ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_drm hal_graphics_allocator (fd (use)))
-(allow hal_drm mediaserver_27_0 (fd (use)))
-(allow hal_drm media_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_drm media_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_drm media_data_file_27_0 (file (read getattr)))
-(allow hal_drm sysfs_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_drm tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allowx hal_drm self (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_drm self (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_drm self (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_drm self (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx hal_drm self (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx hal_drm self (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx hal_drm self (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx hal_drm self (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx hal_drm self (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(neverallow hal_drm fs_type (file (execute_no_trans)))
-(neverallow hal_drm file_type (file (execute_no_trans)))
-(neverallowx hal_drm domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx hal_drm domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx hal_drm domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx hal_drm domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_drm domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_drm domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_drm domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx hal_drm domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx hal_drm domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_dumpstate_client hal_dumpstate_server (binder (call transfer)))
-(allow hal_dumpstate_server hal_dumpstate_client (binder (transfer)))
-(allow hal_dumpstate_client hal_dumpstate_server (fd (use)))
-(allow hal_dumpstate_server hal_dumpstate_client (binder (call transfer)))
-(allow hal_dumpstate_client hal_dumpstate_server (binder (transfer)))
-(allow hal_dumpstate_server hal_dumpstate_client (fd (use)))
-(allow hal_dumpstate_server hal_dumpstate_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_dumpstate_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_109_27_0 hal_dumpstate_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_dumpstate_client hal_dumpstate_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_dumpstate shell_data_file_27_0 (file (write)))
-(allow hal_dumpstate proc_interrupts_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_fingerprint_client hal_fingerprint_server (binder (call transfer)))
-(allow hal_fingerprint_server hal_fingerprint_client (binder (transfer)))
-(allow hal_fingerprint_client hal_fingerprint_server (fd (use)))
-(allow hal_fingerprint_server hal_fingerprint_client (binder (call transfer)))
-(allow hal_fingerprint_client hal_fingerprint_server (binder (transfer)))
-(allow hal_fingerprint_server hal_fingerprint_client (fd (use)))
-(allow hal_fingerprint_server hal_fingerprint_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_fingerprint_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_110_27_0 hal_fingerprint_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_fingerprint_client hal_fingerprint_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_fingerprint fingerprintd_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_fingerprint fingerprintd_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow hal_fingerprint ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_fingerprint cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_fingerprint cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_fingerprint cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_fingerprint sysfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_fingerprint sysfs_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_fingerprint sysfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_gatekeeper_client hal_gatekeeper_server (binder (call transfer)))
-(allow hal_gatekeeper_server hal_gatekeeper_client (binder (transfer)))
-(allow hal_gatekeeper_client hal_gatekeeper_server (fd (use)))
-(allow hal_gatekeeper_server hal_gatekeeper_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_gatekeeper_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_111_27_0 hal_gatekeeper_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_gatekeeper_client hal_gatekeeper_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_gatekeeper tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_gatekeeper ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_gnss_client hal_gnss_server (binder (call transfer)))
-(allow hal_gnss_server hal_gnss_client (binder (transfer)))
-(allow hal_gnss_client hal_gnss_server (fd (use)))
-(allow hal_gnss_server hal_gnss_client (binder (call transfer)))
-(allow hal_gnss_client hal_gnss_server (binder (transfer)))
-(allow hal_gnss_server hal_gnss_client (fd (use)))
-(allow hal_gnss_server hal_gnss_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_gnss_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_112_27_0 hal_gnss_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_gnss_client hal_gnss_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_graphics_allocator_client hal_graphics_allocator_server (binder (call transfer)))
-(allow hal_graphics_allocator_server hal_graphics_allocator_client (binder (transfer)))
-(allow hal_graphics_allocator_client hal_graphics_allocator_server (fd (use)))
-(allow hal_graphics_allocator_server hal_graphics_allocator_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_graphics_allocator_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_113_27_0 hal_graphics_allocator_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_graphics_allocator_client hal_graphics_allocator_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_graphics_allocator_client hal_graphics_mapper_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_graphics_allocator gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_graphics_allocator ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_graphics_allocator self (capability (sys_nice)))
-(allow hal_graphics_composer_client hal_graphics_composer_server (binder (call transfer)))
-(allow hal_graphics_composer_server hal_graphics_composer_client (binder (transfer)))
-(allow hal_graphics_composer_client hal_graphics_composer_server (fd (use)))
-(allow hal_graphics_composer_server hal_graphics_composer_client (binder (call transfer)))
-(allow hal_graphics_composer_client hal_graphics_composer_server (binder (transfer)))
-(allow hal_graphics_composer_server hal_graphics_composer_client (fd (use)))
-(allow hal_graphics_composer_server hal_graphics_composer_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_graphics_composer_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_114_27_0 hal_graphics_composer_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_graphics_composer_client hal_graphics_composer_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_graphics_composer_server hal_graphics_mapper_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_graphics_composer gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_graphics_composer ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_graphics_composer hal_graphics_allocator (fd (use)))
-(allow hal_graphics_composer graphics_device_27_0 (dir (search)))
-(allow hal_graphics_composer graphics_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_graphics_composer system_server_27_0 (fd (use)))
-(allow hal_graphics_composer bootanim_27_0 (fd (use)))
-(allow hal_graphics_composer appdomain (fd (use)))
-(allow hal_graphics_composer self (capability (sys_nice)))
-(allow hal_health_client hal_health_server (binder (call transfer)))
-(allow hal_health_server hal_health_client (binder (transfer)))
-(allow hal_health_client hal_health_server (fd (use)))
-(allow hal_health_server hal_health_client (binder (call transfer)))
-(allow hal_health_client hal_health_server (binder (transfer)))
-(allow hal_health_server hal_health_client (fd (use)))
-(allow hal_health_server hal_health_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_health_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_115_27_0 hal_health_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_health_client hal_health_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_health system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_health system_file_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_health system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_ir_client hal_ir_server (binder (call transfer)))
-(allow hal_ir_server hal_ir_client (binder (transfer)))
-(allow hal_ir_client hal_ir_server (fd (use)))
-(allow hal_ir_server hal_ir_client (binder (call transfer)))
-(allow hal_ir_client hal_ir_server (binder (transfer)))
-(allow hal_ir_server hal_ir_client (fd (use)))
-(allow hal_ir_server hal_ir_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_ir_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_116_27_0 hal_ir_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_ir_client hal_ir_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_keymaster_client hal_keymaster_server (binder (call transfer)))
-(allow hal_keymaster_server hal_keymaster_client (binder (transfer)))
-(allow hal_keymaster_client hal_keymaster_server (fd (use)))
-(allow hal_keymaster_server hal_keymaster_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_keymaster_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_117_27_0 hal_keymaster_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_keymaster_client hal_keymaster_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_keymaster tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_keymaster ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_light_client hal_light_server (binder (call transfer)))
-(allow hal_light_server hal_light_client (binder (transfer)))
-(allow hal_light_client hal_light_server (fd (use)))
-(allow hal_light_server hal_light_client (binder (call transfer)))
-(allow hal_light_client hal_light_server (binder (transfer)))
-(allow hal_light_server hal_light_client (fd (use)))
-(allow hal_light_server hal_light_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_light_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_118_27_0 hal_light_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_light_client hal_light_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_light sysfs_leds_27_0 (lnk_file (read)))
-(allow hal_light sysfs_leds_27_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_light sysfs_leds_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_memtrack_client hal_memtrack_server (binder (call transfer)))
-(allow hal_memtrack_server hal_memtrack_client (binder (transfer)))
-(allow hal_memtrack_client hal_memtrack_server (fd (use)))
-(allow hal_memtrack_server hal_memtrack_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_memtrack_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_119_27_0 hal_memtrack_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_memtrack_client hal_memtrack_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_neuralnetworks_client hal_neuralnetworks_server (binder (call transfer)))
-(allow hal_neuralnetworks_server hal_neuralnetworks_client (binder (transfer)))
-(allow hal_neuralnetworks_client hal_neuralnetworks_server (fd (use)))
-(allow hal_neuralnetworks_server hal_neuralnetworks_client (binder (call transfer)))
-(allow hal_neuralnetworks_client hal_neuralnetworks_server (binder (transfer)))
-(allow hal_neuralnetworks_server hal_neuralnetworks_client (fd (use)))
-(allow hal_neuralnetworks_server hal_neuralnetworks_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_neuralnetworks_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_120_27_0 hal_neuralnetworks_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_neuralnetworks_client hal_neuralnetworks_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_neuralnetworks hidl_memory_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_neuralnetworks hal_allocator (fd (use)))
-(neverallow base_typeattr_121_27_0 self (capability (net_admin net_raw)))
-(neverallow base_typeattr_122_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow base_typeattr_122_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow base_typeattr_122_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow base_typeattr_123_27_0 fs_type (file (execute_no_trans)))
-(neverallow base_typeattr_123_27_0 file_type (file (execute_no_trans)))
-(neverallow base_typeattr_5_27_0 halserverdomain (process (transition)))
-(neverallow base_typeattr_10_27_0 halserverdomain (process (dyntransition)))
-(allow hal_nfc_client hal_nfc_server (binder (call transfer)))
-(allow hal_nfc_server hal_nfc_client (binder (transfer)))
-(allow hal_nfc_client hal_nfc_server (fd (use)))
-(allow hal_nfc_server hal_nfc_client (binder (call transfer)))
-(allow hal_nfc_client hal_nfc_server (binder (transfer)))
-(allow hal_nfc_server hal_nfc_client (fd (use)))
-(allow hal_nfc_server hal_nfc_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_nfc_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_124_27_0 hal_nfc_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_nfc_client hal_nfc_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_nfc property_socket_27_0 (sock_file (write)))
-(allow hal_nfc init_27_0 (unix_stream_socket (connectto)))
-(allow hal_nfc nfc_prop_27_0 (property_service (set)))
-(allow hal_nfc nfc_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_nfc nfc_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_nfc nfc_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_nfc nfc_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_nfc nfc_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_nfc nfc_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_oemlock_client hal_oemlock_server (binder (call transfer)))
-(allow hal_oemlock_server hal_oemlock_client (binder (transfer)))
-(allow hal_oemlock_client hal_oemlock_server (fd (use)))
-(allow hal_oemlock_server hal_oemlock_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_oemlock_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_125_27_0 hal_oemlock_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_oemlock_client hal_oemlock_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_power_client hal_power_server (binder (call transfer)))
-(allow hal_power_server hal_power_client (binder (transfer)))
-(allow hal_power_client hal_power_server (fd (use)))
-(allow hal_power_server hal_power_client (binder (call transfer)))
-(allow hal_power_client hal_power_server (binder (transfer)))
-(allow hal_power_server hal_power_client (fd (use)))
-(allow hal_power_server hal_power_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_power_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_126_27_0 hal_power_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_power_client hal_power_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_sensors_client hal_sensors_server (binder (call transfer)))
-(allow hal_sensors_server hal_sensors_client (binder (transfer)))
-(allow hal_sensors_client hal_sensors_server (fd (use)))
-(allow hal_sensors_server hal_sensors_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_sensors_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_127_27_0 hal_sensors_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_sensors_client hal_sensors_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_sensors base_typeattr_101_27_0 (fd (use)))
-(allow hal_sensors hal_allocator (fd (use)))
-(allow hal_sensors self (capability (sys_nice)))
-(allow hal_telephony_client hal_telephony_server (binder (call transfer)))
-(allow hal_telephony_server hal_telephony_client (binder (transfer)))
-(allow hal_telephony_client hal_telephony_server (fd (use)))
-(allow hal_telephony_server hal_telephony_client (binder (call transfer)))
-(allow hal_telephony_client hal_telephony_server (binder (transfer)))
-(allow hal_telephony_server hal_telephony_client (fd (use)))
-(allow hal_telephony_server hal_telephony_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_telephony_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_128_27_0 hal_telephony_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_telephony_client hal_telephony_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_tetheroffload_client hal_tetheroffload_server (binder (call transfer)))
-(allow hal_tetheroffload_server hal_tetheroffload_client (binder (transfer)))
-(allow hal_tetheroffload_client hal_tetheroffload_server (fd (use)))
-(allow hal_tetheroffload_server hal_tetheroffload_client (binder (call transfer)))
-(allow hal_tetheroffload_client hal_tetheroffload_server (binder (transfer)))
-(allow hal_tetheroffload_server hal_tetheroffload_client (fd (use)))
-(allow hal_tetheroffload_client hal_tetheroffload_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_tetheroffload_server hal_tetheroffload_client (netlink_netfilter_socket (read write getattr setopt)))
-(allow hal_thermal_client hal_thermal_server (binder (call transfer)))
-(allow hal_thermal_server hal_thermal_client (binder (transfer)))
-(allow hal_thermal_client hal_thermal_server (fd (use)))
-(allow hal_thermal_server hal_thermal_client (binder (call transfer)))
-(allow hal_thermal_client hal_thermal_server (binder (transfer)))
-(allow hal_thermal_server hal_thermal_client (fd (use)))
-(allow hal_thermal_server hal_thermal_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_thermal_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_129_27_0 hal_thermal_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_thermal_client hal_thermal_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_tv_cec_client hal_tv_cec_server (binder (call transfer)))
-(allow hal_tv_cec_server hal_tv_cec_client (binder (transfer)))
-(allow hal_tv_cec_client hal_tv_cec_server (fd (use)))
-(allow hal_tv_cec_server hal_tv_cec_client (binder (call transfer)))
-(allow hal_tv_cec_client hal_tv_cec_server (binder (transfer)))
-(allow hal_tv_cec_server hal_tv_cec_client (fd (use)))
-(allow hal_tv_cec_server hal_tv_cec_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_tv_cec_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_130_27_0 hal_tv_cec_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_tv_cec_client hal_tv_cec_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_tv_input_client hal_tv_input_server (binder (call transfer)))
-(allow hal_tv_input_server hal_tv_input_client (binder (transfer)))
-(allow hal_tv_input_client hal_tv_input_server (fd (use)))
-(allow hal_tv_input_server hal_tv_input_client (binder (call transfer)))
-(allow hal_tv_input_client hal_tv_input_server (binder (transfer)))
-(allow hal_tv_input_server hal_tv_input_client (fd (use)))
-(allow hal_tv_input_server hal_tv_input_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_tv_input_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_131_27_0 hal_tv_input_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_tv_input_client hal_tv_input_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_usb_client hal_usb_server (binder (call transfer)))
-(allow hal_usb_server hal_usb_client (binder (transfer)))
-(allow hal_usb_client hal_usb_server (fd (use)))
-(allow hal_usb_server hal_usb_client (binder (call transfer)))
-(allow hal_usb_client hal_usb_server (binder (transfer)))
-(allow hal_usb_server hal_usb_client (fd (use)))
-(allow hal_usb_server hal_usb_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_usb_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_132_27_0 hal_usb_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_usb_client hal_usb_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_usb self (netlink_kobject_uevent_socket (create)))
-(allow hal_usb self (netlink_kobject_uevent_socket (setopt)))
-(allow hal_usb self (netlink_kobject_uevent_socket (bind)))
-(allow hal_usb self (netlink_kobject_uevent_socket (read)))
-(allow hal_usb sysfs_27_0 (dir (open)))
-(allow hal_usb sysfs_27_0 (dir (read)))
-(allow hal_usb sysfs_27_0 (file (read)))
-(allow hal_usb sysfs_27_0 (file (open)))
-(allow hal_usb sysfs_27_0 (file (write)))
-(allow hal_usb sysfs_27_0 (file (getattr)))
-(allow hal_vibrator_client hal_vibrator_server (binder (call transfer)))
-(allow hal_vibrator_server hal_vibrator_client (binder (transfer)))
-(allow hal_vibrator_client hal_vibrator_server (fd (use)))
-(allow hal_vibrator_server hal_vibrator_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_vibrator_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_133_27_0 hal_vibrator_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_vibrator_client hal_vibrator_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_vibrator sysfs_vibrator_27_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_vr_client hal_vr_server (binder (call transfer)))
-(allow hal_vr_server hal_vr_client (binder (transfer)))
-(allow hal_vr_client hal_vr_server (fd (use)))
-(allow hal_vr_server hal_vr_client (binder (call transfer)))
-(allow hal_vr_client hal_vr_server (binder (transfer)))
-(allow hal_vr_server hal_vr_client (fd (use)))
-(allow hal_vr_server hal_vr_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_vr_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_134_27_0 hal_vr_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_vr_client hal_vr_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_weaver_client hal_weaver_server (binder (call transfer)))
-(allow hal_weaver_server hal_weaver_client (binder (transfer)))
-(allow hal_weaver_client hal_weaver_server (fd (use)))
-(allow hal_weaver_server hal_weaver_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_weaver_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_135_27_0 hal_weaver_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_weaver_client hal_weaver_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_wifi_client hal_wifi_server (binder (call transfer)))
-(allow hal_wifi_server hal_wifi_client (binder (transfer)))
-(allow hal_wifi_client hal_wifi_server (fd (use)))
-(allow hal_wifi_server hal_wifi_client (binder (call transfer)))
-(allow hal_wifi_client hal_wifi_server (binder (transfer)))
-(allow hal_wifi_server hal_wifi_client (fd (use)))
-(allow hal_wifi_server hal_wifi_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_wifi_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_136_27_0 hal_wifi_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_wifi_client hal_wifi_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_wifi proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_wifi proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_wifi proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_wifi sysfs_type (file (ioctl read getattr lock map open)))
-(allow hal_wifi sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi property_socket_27_0 (sock_file (write)))
-(allow hal_wifi init_27_0 (unix_stream_socket (connectto)))
-(allow hal_wifi wifi_prop_27_0 (property_service (set)))
-(allow hal_wifi wifi_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_wifi self (udp_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx hal_wifi self (ioctl udp_socket (0x8914)))
-(allow hal_wifi self (capability (net_admin net_raw)))
-(allow hal_wifi self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi sysfs_wlan_fwpath_27_0 (file (write lock append map open)))
-(allow hal_wifi proc_modules_27_0 (file (read getattr open)))
-(allow hal_wifi_offload_client hal_wifi_offload_server (binder (call transfer)))
-(allow hal_wifi_offload_server hal_wifi_offload_client (binder (transfer)))
-(allow hal_wifi_offload_client hal_wifi_offload_server (fd (use)))
-(allow hal_wifi_offload_server hal_wifi_offload_client (binder (call transfer)))
-(allow hal_wifi_offload_client hal_wifi_offload_server (binder (transfer)))
-(allow hal_wifi_offload_server hal_wifi_offload_client (fd (use)))
-(allow hal_wifi_offload_server hal_wifi_offload_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_wifi_offload_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_137_27_0 hal_wifi_offload_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_wifi_offload_client hal_wifi_offload_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_wifi_offload proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_offload proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_wifi_offload proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi_offload sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_offload sysfs_type (file (ioctl read getattr lock map open)))
-(allow hal_wifi_offload sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (binder (call transfer)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (binder (transfer)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (fd (use)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (binder (call transfer)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (binder (transfer)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (fd (use)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_hwservice_27_0 (hwservice_manager (add find)))
-(allow hal_wifi_supplicant_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_138_27_0 hal_wifi_supplicant_hwservice_27_0 (hwservice_manager (add)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice_27_0 (hwservice_manager (find)))
-(allowx hal_wifi_supplicant self (ioctl udp_socket (0x6900 0x6902)))
-(allowx hal_wifi_supplicant self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx hal_wifi_supplicant self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_wifi_supplicant sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_supplicant sysfs_type (file (ioctl read getattr lock map open)))
-(allow hal_wifi_supplicant sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi_supplicant proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_supplicant proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_wifi_supplicant proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi_supplicant kernel_27_0 (system (module_request)))
-(allow hal_wifi_supplicant self (capability (setgid setuid net_admin net_raw)))
-(allow hal_wifi_supplicant cgroup_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_wifi_supplicant self (netlink_route_socket (nlmsg_write)))
-(allow hal_wifi_supplicant self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi_supplicant self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi_supplicant self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (0x6900 0x6902)))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x8906 0x8907)) ((range 0x890b 0x890d)) ((range 0x8910 0x8927)) 0x8929 ((range 0x8930 0x8939)) ((range 0x8940 0x8943)) ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x8b00 0x8b02)) ((range 0x8b04 0x8b1d)) ((range 0x8b20 0x8b2d)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_wifi_supplicant wifi_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_wifi_supplicant wifi_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_wifi_supplicant wpa_socket_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_wifi_supplicant wpa_socket_27_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_wifi_supplicant wpa_socket_27_0 (sock_file (write)))
-(allow hal_wifi_supplicant su_27_0 (unix_dgram_socket (sendto)))
-(neverallow hal_wifi_supplicant_server sdcard_type (dir (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow hal_wifi_supplicant_server sdcard_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow healthd_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow healthd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow healthd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow healthd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow healthd_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
-(allow healthd_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow healthd_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow healthd_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow healthd_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
-(allow healthd_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow healthd_27_0 self (capability (sys_tty_config)))
-(allow healthd_27_0 self (capability (sys_boot)))
-(allow healthd_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow healthd_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow healthd_27_0 self (capability2 (block_suspend)))
-(allow healthd_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 healthd_27_0 (dir (search)))
-(allow servicemanager_27_0 healthd_27_0 (file (read open)))
-(allow servicemanager_27_0 healthd_27_0 (process (getattr)))
-(allow healthd_27_0 system_server_27_0 (binder (call transfer)))
-(allow system_server_27_0 healthd_27_0 (binder (transfer)))
-(allow healthd_27_0 system_server_27_0 (fd (use)))
-(allow healthd_27_0 sysfs_27_0 (file (write)))
-(allow healthd_27_0 sysfs_usb_27_0 (file (write)))
-(allow healthd_27_0 sysfs_batteryinfo_27_0 (file (ioctl read getattr lock map open)))
-(allow healthd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow healthd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow healthd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow healthd_27_0 pstorefs_27_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
-(allow healthd_27_0 graphics_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_27_0 graphics_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow healthd_27_0 input_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_27_0 input_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow healthd_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow healthd_27_0 ashmem_device_27_0 (chr_file (execute)))
-(allow healthd_27_0 self (process (execmem)))
-(allow healthd_27_0 proc_sysrq_27_0 (file (ioctl read write getattr lock append map open)))
-(allow healthd_27_0 batteryproperties_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_139_27_0 batteryproperties_service_27_0 (service_manager (add)))
-(allow healthd_27_0 property_socket_27_0 (sock_file (write)))
-(allow healthd_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow healthd_27_0 system_prop_27_0 (property_service (set)))
-(allow healthd_27_0 system_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow hwservicemanager_27_0 self (binder (set_context_mgr)))
-(allow hwservicemanager_27_0 property_socket_27_0 (sock_file (write)))
-(allow hwservicemanager_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow hwservicemanager_27_0 hwservicemanager_prop_27_0 (property_service (set)))
-(allow hwservicemanager_27_0 hwservicemanager_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow hwservicemanager_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow hwservicemanager_27_0 hwservice_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow hwservicemanager_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow hwservicemanager_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow hwservicemanager_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hwservicemanager_27_0 selinuxfs_27_0 (file (write lock append map open)))
-(allow hwservicemanager_27_0 kernel_27_0 (security (compute_av)))
-(allow hwservicemanager_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow idmap_27_0 installd_27_0 (fd (use)))
-(allow idmap_27_0 resourcecache_data_file_27_0 (file (read write getattr)))
-(allow idmap_27_0 apk_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow idmap_27_0 apk_data_file_27_0 (dir (search)))
-(allow idmap_27_0 vendor_app_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow idmap_27_0 vendor_app_file_27_0 (file (ioctl read getattr lock map open)))
-(allow idmap_27_0 vendor_app_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow idmap_27_0 vendor_overlay_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow idmap_27_0 vendor_overlay_file_27_0 (file (ioctl read getattr lock map open)))
-(allow idmap_27_0 vendor_overlay_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 tmpfs_27_0 (chr_file (ioctl read write create getattr setattr lock append map unlink open)))
-(allow init_27_0 tmpfs_27_0 (chr_file (relabelfrom)))
-(allow init_27_0 kmsg_device_27_0 (chr_file (write relabelto)))
-(allow init_27_0 kmsg_debug_device_27_0 (chr_file (write relabelto)))
-(allow init_27_0 properties_device_27_0 (dir (relabelto)))
-(allow init_27_0 properties_serial_27_0 (file (write relabelto)))
-(allow init_27_0 property_type (file (ioctl read write create getattr setattr lock relabelto append map unlink rename open)))
-(allow init_27_0 device_27_0 (file (relabelfrom)))
-(allow init_27_0 runtime_event_log_tags_file_27_0 (file (write setattr relabelto open)))
-(allow init_27_0 device_27_0 (dir (relabelto)))
-(allow init_27_0 socket_device_27_0 (dir (relabelto)))
-(allow init_27_0 random_device_27_0 (chr_file (relabelto)))
-(allow init_27_0 tmpfs_27_0 (chr_file (relabelfrom)))
-(allow init_27_0 tmpfs_27_0 (blk_file (relabelfrom)))
-(allow init_27_0 tmpfs_27_0 (blk_file (getattr)))
-(allow init_27_0 block_device_27_0 (dir (relabelto)))
-(allow init_27_0 block_device_27_0 (lnk_file (relabelto)))
-(allow init_27_0 block_device_27_0 (blk_file (relabelto)))
-(allow init_27_0 dm_device_27_0 (chr_file (relabelto)))
-(allow init_27_0 dm_device_27_0 (blk_file (relabelto)))
-(allow init_27_0 kernel_27_0 (fd (use)))
-(allow init_27_0 tmpfs_27_0 (lnk_file (read getattr relabelfrom)))
-(allow init_27_0 system_block_device_27_0 (lnk_file (relabelto)))
-(allow init_27_0 system_block_device_27_0 (blk_file (relabelto)))
-(allow init_27_0 self (capability (sys_resource)))
-(allow init_27_0 tmpfs_27_0 (file (unlink)))
-(allow init_27_0 devpts_27_0 (chr_file (read write open)))
-(allow init_27_0 fscklogs_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_27_0 tmpfs_27_0 (chr_file (write)))
-(allow init_27_0 console_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow init_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow init_27_0 self (capability (sys_admin)))
-(allow init_27_0 rootfs_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_27_0 rootfs_27_0 (dir (mounton)))
-(allow init_27_0 cgroup_27_0 (dir (mounton)))
-(allow init_27_0 system_file_27_0 (dir (mounton)))
-(allow init_27_0 vendor_file_27_0 (dir (mounton)))
-(allow init_27_0 system_data_file_27_0 (dir (mounton)))
-(allow init_27_0 storage_file_27_0 (dir (mounton)))
-(allow init_27_0 postinstall_mnt_dir_27_0 (dir (mounton)))
-(allow init_27_0 cache_file_27_0 (dir (mounton)))
-(allow init_27_0 device_27_0 (dir (mounton)))
-(allow init_27_0 rootfs_27_0 (lnk_file (create unlink)))
-(allow init_27_0 sysfs_27_0 (dir (mounton)))
-(allow init_27_0 tmpfs_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_27_0 tmpfs_27_0 (dir (mounton)))
-(allow init_27_0 cgroup_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow init_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow init_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 cpuctl_device_27_0 (dir (create mounton)))
-(allow init_27_0 configfs_27_0 (dir (mounton)))
-(allow init_27_0 configfs_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_27_0 configfs_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_27_0 configfs_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_27_0 tmpfs_27_0 (dir (relabelfrom)))
-(allow init_27_0 self (capability (dac_override)))
-(allow init_27_0 self (capability (sys_time)))
-(allow init_27_0 self (capability (sys_rawio mknod)))
-(allow init_27_0 dev_type (blk_file (ioctl read getattr lock map open)))
-(allow init_27_0 fs_type (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget)))
-(allow init_27_0 unlabeled_27_0 (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget)))
-(allow init_27_0 contextmount_type (filesystem (relabelto)))
-(allow init_27_0 contextmount_type (dir (ioctl read getattr lock search open)))
-(allow init_27_0 contextmount_type (file (ioctl read getattr lock map open)))
-(allow init_27_0 contextmount_type (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 contextmount_type (sock_file (ioctl read getattr lock map open)))
-(allow init_27_0 contextmount_type (fifo_file (ioctl read getattr lock map open)))
-(allow init_27_0 rootfs_27_0 (file (relabelfrom)))
-(allow init_27_0 rootfs_27_0 (dir (relabelfrom)))
-(allow init_27_0 self (capability (chown fowner fsetid)))
-(allow init_27_0 base_typeattr_140_27_0 (dir (ioctl read create getattr setattr search open)))
-(allow init_27_0 base_typeattr_141_27_0 (dir (write relabelfrom add_name remove_name rmdir)))
-(allow init_27_0 base_typeattr_142_27_0 (file (read write create getattr setattr relabelfrom unlink open)))
-(allow init_27_0 base_typeattr_141_27_0 (sock_file (read create getattr setattr relabelfrom unlink open)))
-(allow init_27_0 base_typeattr_141_27_0 (fifo_file (read create getattr setattr relabelfrom unlink open)))
-(allow init_27_0 base_typeattr_141_27_0 (lnk_file (create getattr setattr relabelfrom unlink)))
-(allow init_27_0 cache_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 base_typeattr_143_27_0 (file (relabelto)))
-(allow init_27_0 base_typeattr_143_27_0 (dir (relabelto)))
-(allow init_27_0 base_typeattr_143_27_0 (lnk_file (relabelto)))
-(allow init_27_0 base_typeattr_143_27_0 (chr_file (relabelto)))
-(allow init_27_0 base_typeattr_143_27_0 (blk_file (relabelto)))
-(allow init_27_0 base_typeattr_143_27_0 (sock_file (relabelto)))
-(allow init_27_0 base_typeattr_143_27_0 (fifo_file (relabelto)))
-(allow init_27_0 sysfs_27_0 (file (getattr relabelfrom)))
-(allow init_27_0 sysfs_27_0 (dir (getattr relabelfrom)))
-(allow init_27_0 sysfs_27_0 (lnk_file (getattr relabelfrom)))
-(allow init_27_0 debugfs_27_0 (file (getattr relabelfrom)))
-(allow init_27_0 debugfs_27_0 (dir (getattr relabelfrom)))
-(allow init_27_0 debugfs_27_0 (lnk_file (getattr relabelfrom)))
-(allow init_27_0 debugfs_tracing_27_0 (file (getattr relabelfrom)))
-(allow init_27_0 debugfs_tracing_27_0 (dir (getattr relabelfrom)))
-(allow init_27_0 debugfs_tracing_27_0 (lnk_file (getattr relabelfrom)))
-(allow init_27_0 sysfs_type (file (getattr relabelto)))
-(allow init_27_0 sysfs_type (dir (getattr relabelto)))
-(allow init_27_0 sysfs_type (lnk_file (getattr relabelto)))
-(allow init_27_0 debugfs_type (file (getattr relabelto)))
-(allow init_27_0 debugfs_type (dir (getattr relabelto)))
-(allow init_27_0 debugfs_type (lnk_file (getattr relabelto)))
-(allow init_27_0 dev_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_27_0 dev_type (lnk_file (create)))
-(allow init_27_0 debugfs_tracing_27_0 (file (write lock append map open)))
-(allow init_27_0 debugfs_tracing_instances_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_27_0 debugfs_tracing_instances_27_0 (file (write lock append map open)))
-(allow init_27_0 debugfs_wifi_tracing_27_0 (file (write lock append map open)))
-(allow init_27_0 base_typeattr_144_27_0 (file (read setattr open)))
-(allow init_27_0 base_typeattr_144_27_0 (dir (read setattr search open)))
-(allow init_27_0 base_typeattr_145_27_0 (chr_file (read open)))
-(auditallow init_27_0 base_typeattr_146_27_0 (chr_file (read open)))
-(allow init_27_0 base_typeattr_147_27_0 (chr_file (setattr)))
-(allow init_27_0 unlabeled_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
-(allow init_27_0 unlabeled_27_0 (file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
-(allow init_27_0 unlabeled_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
-(allow init_27_0 unlabeled_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
-(allow init_27_0 unlabeled_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
-(allow init_27_0 kernel_27_0 (system (syslog_mod)))
-(allow init_27_0 self (capability2 (syslog)))
-(allow init_27_0 usermodehelper_27_0 (file (ioctl read write getattr lock append map open)))
-(allow init_27_0 sysfs_usermodehelper_27_0 (file (ioctl read write getattr lock append map open)))
-(allow init_27_0 proc_security_27_0 (file (ioctl read write getattr lock append map open)))
-(allow init_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow init_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow init_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 proc_27_0 (file (write lock append map open)))
-(allow init_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow init_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow init_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 proc_net_27_0 (file (write lock append map open)))
-(allow init_27_0 self (capability (net_admin)))
-(allow init_27_0 proc_sysrq_27_0 (file (write lock append map open)))
-(allow init_27_0 proc_stat_27_0 (file (ioctl read getattr lock map open)))
-(allow init_27_0 self (capability (sys_boot)))
-(allow init_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow init_27_0 sysfs_type (lnk_file (read)))
-(allow init_27_0 sysfs_type (file (ioctl read write getattr lock append map open)))
-(allow init_27_0 misc_logd_file_27_0 (dir (read write create getattr setattr add_name search open)))
-(allow init_27_0 misc_logd_file_27_0 (file (write create getattr setattr open)))
-(allow init_27_0 self (capability (kill)))
-(allow init_27_0 domain (process (sigkill signal getpgid)))
-(allow init_27_0 keystore_data_file_27_0 (dir (read create getattr setattr search open)))
-(allow init_27_0 keystore_data_file_27_0 (file (getattr)))
-(allow init_27_0 vold_data_file_27_0 (dir (read create getattr setattr search open)))
-(allow init_27_0 vold_data_file_27_0 (file (getattr)))
-(allow init_27_0 shell_data_file_27_0 (dir (read create getattr setattr search open)))
-(allow init_27_0 shell_data_file_27_0 (file (getattr)))
-(allow init_27_0 self (capability (setgid setuid setpcap)))
-(allow init_27_0 domain (dir (ioctl read getattr lock search open)))
-(allow init_27_0 domain (file (ioctl read getattr lock map open)))
-(allow init_27_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 self (process (setexec setfscreate setsockcreate)))
-(allow init_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow init_27_0 sepolicy_file_27_0 (file (ioctl read getattr lock map open)))
-(allow init_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow init_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow init_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 selinuxfs_27_0 (file (write lock append map open)))
-(allow init_27_0 kernel_27_0 (security (compute_av)))
-(allow init_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow init_27_0 kernel_27_0 (security (compute_create)))
-(allow init_27_0 domain (unix_stream_socket (create bind setopt)))
-(allow init_27_0 domain (unix_dgram_socket (create bind setopt)))
-(allow init_27_0 property_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_27_0 property_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_27_0 property_type (property_service (set)))
-(allow init_27_0 self (netlink_audit_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_relay)))
-(allow init_27_0 self (capability (audit_write)))
-(allow init_27_0 self (udp_socket (ioctl create)))
-(allowx init_27_0 self (ioctl udp_socket (0x8914)))
-(allow init_27_0 self (capability (net_raw)))
-(allow init_27_0 kernel_27_0 (process (setsched)))
-(allow init_27_0 swap_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow init_27_0 hw_random_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow init_27_0 device_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_27_0 self (capability (sys_tty_config)))
-(allow init_27_0 keychord_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow init_27_0 dm_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow init_27_0 dm_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow init_27_0 metadata_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow init_27_0 pstorefs_27_0 (dir (search)))
-(allow init_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
-(allow init_27_0 kernel_27_0 (system (syslog_read)))
-(allow init_27_0 init_27_0 (key (write search setattr)))
-(allow init_27_0 unencrypted_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_27_0 proc_overcommit_memory_27_0 (file (write)))
-(allow init_27_0 vold_socket_27_0 (sock_file (write)))
-(allow init_27_0 vold_27_0 (unix_stream_socket (connectto)))
-(allow init_27_0 misc_block_device_27_0 (blk_file (write lock append map open)))
-(allow init_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow init_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
-(allow init_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 vendor_file_type (dir (ioctl read getattr lock search open)))
-(allow init_27_0 vendor_file_type (file (ioctl read getattr lock map open)))
-(allow init_27_0 vendor_file_type (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
-(allow init_27_0 system_data_file_27_0 (file (read getattr)))
-(allow init_27_0 system_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 vendor_shell_exec_27_0 (file (execute)))
-(neverallow domain init_27_0 (process (dyntransition)))
-(neverallow base_typeattr_15_27_0 init_27_0 (process (transition)))
-(neverallow init_27_0 base_typeattr_148_27_0 (file (entrypoint)))
-(neverallow init_27_0 shell_data_file_27_0 (lnk_file (read)))
-(neverallow init_27_0 app_data_file_27_0 (lnk_file (read)))
-(neverallow init_27_0 fs_type (file (execute_no_trans)))
-(neverallow init_27_0 file_type (file (execute_no_trans)))
-(neverallow init_27_0 service_manager_type (service_manager (add find)))
-(neverallow init_27_0 servicemanager_27_0 (service_manager (list)))
-(neverallow init_27_0 shell_data_file_27_0 (dir (write add_name remove_name)))
-(allow inputflinger_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 inputflinger_27_0 (dir (search)))
-(allow servicemanager_27_0 inputflinger_27_0 (file (read open)))
-(allow servicemanager_27_0 inputflinger_27_0 (process (getattr)))
-(allow inputflinger_27_0 system_server_27_0 (binder (call transfer)))
-(allow system_server_27_0 inputflinger_27_0 (binder (transfer)))
-(allow inputflinger_27_0 system_server_27_0 (fd (use)))
-(allow inputflinger_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow inputflinger_27_0 self (capability2 (block_suspend)))
-(allow inputflinger_27_0 inputflinger_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_149_27_0 inputflinger_service_27_0 (service_manager (add)))
-(allow inputflinger_27_0 input_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow inputflinger_27_0 input_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow inputflinger_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow inputflinger_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow inputflinger_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow install_recovery_27_0 self (capability (dac_override)))
-(allow install_recovery_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow install_recovery_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow install_recovery_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow install_recovery_27_0 block_device_27_0 (dir (search)))
-(allow install_recovery_27_0 boot_block_device_27_0 (blk_file (ioctl read getattr lock map open)))
-(allow install_recovery_27_0 recovery_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow install_recovery_27_0 cache_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow install_recovery_27_0 cache_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow install_recovery_27_0 proc_drop_caches_27_0 (file (write lock append map open)))
-(allow installd_27_0 self (capability (chown dac_override fowner fsetid setgid setuid sys_admin)))
-(allow installd_27_0 dalvikcache_data_file_27_0 (dir (relabelto)))
-(allow installd_27_0 dalvikcache_data_file_27_0 (file (relabelto link)))
-(allow installd_27_0 apk_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 apk_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom append map unlink link rename open)))
-(allow installd_27_0 apk_data_file_27_0 (lnk_file (ioctl read create getattr lock map unlink open)))
-(allow installd_27_0 asec_apk_file_27_0 (file (ioctl read getattr lock map open)))
-(allow installd_27_0 apk_tmp_file_27_0 (file (ioctl read getattr lock map unlink open)))
-(allow installd_27_0 apk_tmp_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 oemfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow installd_27_0 oemfs_27_0 (file (ioctl read getattr lock map open)))
-(allow installd_27_0 cgroup_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 cgroup_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_27_0 cgroup_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_27_0 mnt_expand_file_27_0 (dir (getattr search)))
-(allow installd_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow installd_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow installd_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow installd_27_0 selinuxfs_27_0 (file (write lock append map open)))
-(allow installd_27_0 kernel_27_0 (security (check_context)))
-(allow installd_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow installd_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
-(allow installd_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow installd_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow installd_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
-(allow installd_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow installd_27_0 vendor_app_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow installd_27_0 vendor_app_file_27_0 (file (ioctl read getattr lock map open)))
-(allow installd_27_0 vendor_app_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow installd_27_0 vendor_overlay_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow installd_27_0 vendor_overlay_file_27_0 (file (ioctl read getattr lock map open)))
-(allow installd_27_0 vendor_overlay_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow installd_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow installd_27_0 seapp_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow installd_27_0 asec_image_file_27_0 (dir (search)))
-(allow installd_27_0 asec_image_file_27_0 (file (getattr)))
-(allow installd_27_0 system_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 system_data_file_27_0 (lnk_file (create setattr unlink)))
-(allow installd_27_0 media_rw_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 media_rw_data_file_27_0 (file (getattr unlink)))
-(allow installd_27_0 system_data_file_27_0 (dir (relabelfrom)))
-(allow installd_27_0 media_rw_data_file_27_0 (dir (relabelto)))
-(allow installd_27_0 tmpfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow installd_27_0 storage_file_27_0 (dir (search)))
-(allow installd_27_0 sdcardfs_27_0 (dir (read write getattr remove_name search rmdir open)))
-(allow installd_27_0 sdcardfs_27_0 (file (getattr unlink)))
-(allow installd_27_0 misc_user_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 misc_user_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_27_0 keychain_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 keychain_data_file_27_0 (file (ioctl read getattr lock map unlink open)))
-(allow installd_27_0 install_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_27_0 dalvikcache_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 dalvikcache_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_27_0 dalvikcache_data_file_27_0 (lnk_file (getattr)))
-(allow installd_27_0 resourcecache_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow installd_27_0 resourcecache_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_27_0 unlabeled_27_0 (dir (ioctl read write getattr lock relabelfrom add_name remove_name search rmdir open)))
-(allow installd_27_0 unlabeled_27_0 (file (getattr setattr relabelfrom unlink rename)))
-(allow installd_27_0 unlabeled_27_0 (lnk_file (getattr setattr relabelfrom unlink rename)))
-(allow installd_27_0 unlabeled_27_0 (sock_file (getattr setattr relabelfrom unlink rename)))
-(allow installd_27_0 unlabeled_27_0 (fifo_file (getattr setattr relabelfrom unlink rename)))
-(allow installd_27_0 unlabeled_27_0 (file (ioctl read getattr lock map open)))
-(allow installd_27_0 system_data_file_27_0 (file (getattr relabelfrom unlink)))
-(allow installd_27_0 system_data_file_27_0 (lnk_file (getattr relabelfrom unlink)))
-(allow installd_27_0 system_data_file_27_0 (sock_file (getattr relabelfrom unlink)))
-(allow installd_27_0 system_data_file_27_0 (fifo_file (getattr relabelfrom unlink)))
-(allow installd_27_0 shell_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 bluetooth_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 nfc_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 radio_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 app_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 system_app_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 shell_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 shell_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 shell_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 shell_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 bluetooth_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 bluetooth_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 bluetooth_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 bluetooth_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 nfc_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 nfc_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 nfc_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 nfc_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 radio_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 radio_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 radio_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 radio_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 app_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 app_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 app_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 app_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 system_app_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 system_app_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 system_app_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 system_app_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_27_0 user_profile_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_27_0 user_profile_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_27_0 user_profile_data_file_27_0 (dir (rmdir)))
-(allow installd_27_0 user_profile_data_file_27_0 (file (unlink)))
-(allow installd_27_0 profman_dump_data_file_27_0 (dir (write add_name search)))
-(allow installd_27_0 profman_dump_data_file_27_0 (file (write create setattr open)))
-(allow installd_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow installd_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow installd_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 installd_27_0 (dir (search)))
-(allow servicemanager_27_0 installd_27_0 (file (read open)))
-(allow servicemanager_27_0 installd_27_0 (process (getattr)))
-(allow installd_27_0 installd_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_150_27_0 installd_service_27_0 (service_manager (add)))
-(allow installd_27_0 dumpstate_27_0 (fifo_file (write getattr)))
-(allow installd_27_0 system_server_27_0 (binder (call transfer)))
-(allow system_server_27_0 installd_27_0 (binder (transfer)))
-(allow installd_27_0 system_server_27_0 (fd (use)))
-(allow installd_27_0 permission_service_27_0 (service_manager (find)))
-(allow installd_27_0 block_device_27_0 (dir (search)))
-(allow installd_27_0 labeledfs_27_0 (filesystem (quotamod quotaget)))
-(allow installd_27_0 preloads_data_file_27_0 (file (ioctl read getattr lock map unlink open)))
-(allow installd_27_0 preloads_data_file_27_0 (dir (ioctl read write getattr lock remove_name search rmdir open)))
-(allow installd_27_0 preloads_media_file_27_0 (file (ioctl read getattr lock map unlink open)))
-(allow installd_27_0 preloads_media_file_27_0 (dir (ioctl read write getattr lock remove_name search rmdir open)))
-(neverallow base_typeattr_151_27_0 installd_service_27_0 (service_manager (find)))
-(neverallow base_typeattr_63_27_0 installd_27_0 (binder (call)))
-(neverallow installd_27_0 base_typeattr_152_27_0 (binder (call)))
-(allow kernel_27_0 self (capability (sys_nice)))
-(allow kernel_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow kernel_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
-(allow kernel_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow kernel_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow kernel_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow kernel_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow kernel_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow kernel_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow kernel_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow kernel_27_0 rootfs_27_0 (file (relabelfrom)))
-(allow kernel_27_0 init_exec_27_0 (file (relabelto)))
-(allow kernel_27_0 init_27_0 (process (share)))
-(allow kernel_27_0 unlabeled_27_0 (dir (search)))
-(allow kernel_27_0 usbfs_27_0 (filesystem (mount)))
-(allow kernel_27_0 usbfs_27_0 (dir (search)))
-(dontaudit kernel_27_0 self (security (setenforce)))
-(allow kernel_27_0 self (capability (sys_resource)))
-(allow kernel_27_0 self (capability (sys_boot)))
-(allow kernel_27_0 proc_sysrq_27_0 (file (write lock append map open)))
-(allow kernel_27_0 tmpfs_27_0 (chr_file (write)))
-(allow kernel_27_0 selinuxfs_27_0 (file (write)))
-(allow kernel_27_0 self (security (setcheckreqprot)))
-(allow kernel_27_0 sdcard_type (file (read write)))
-(allow kernel_27_0 mediaprovider_27_0 (fd (use)))
-(allow kernel_27_0 vold_27_0 (fd (use)))
-(allow kernel_27_0 app_data_file_27_0 (file (read)))
-(allow kernel_27_0 asec_image_file_27_0 (file (read)))
-(allow kernel_27_0 update_engine_data_file_27_0 (file (read)))
-(allow kernel_27_0 nativetest_data_file_27_0 (file (read)))
-(allow kernel_27_0 media_rw_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow kernel_27_0 media_rw_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow kernel_27_0 vold_data_file_27_0 (file (read)))
-(neverallow base_typeattr_10_27_0 kernel_27_0 (process (transition dyntransition)))
-(neverallow kernel_27_0 base_typeattr_10_27_0 (file (execute_no_trans entrypoint)))
-(neverallow kernel_27_0 self (capability (dac_override dac_read_search)))
-(allow keystore_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 keystore_27_0 (dir (search)))
-(allow servicemanager_27_0 keystore_27_0 (file (read open)))
-(allow servicemanager_27_0 keystore_27_0 (process (getattr)))
-(allow keystore_27_0 system_server_27_0 (binder (call transfer)))
-(allow system_server_27_0 keystore_27_0 (binder (transfer)))
-(allow keystore_27_0 system_server_27_0 (fd (use)))
-(allow keystore_27_0 keystore_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow keystore_27_0 keystore_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow keystore_27_0 keystore_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow keystore_27_0 keystore_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow keystore_27_0 keystore_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow keystore_27_0 keystore_exec_27_0 (file (getattr)))
-(allow keystore_27_0 keystore_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_153_27_0 keystore_service_27_0 (service_manager (add)))
-(allow keystore_27_0 sec_key_att_app_id_provider_service_27_0 (service_manager (find)))
-(allow keystore_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow keystore_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow keystore_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow keystore_27_0 selinuxfs_27_0 (file (write lock append map open)))
-(allow keystore_27_0 kernel_27_0 (security (compute_av)))
-(allow keystore_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow keystore_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow keystore_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow keystore_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_153_27_0 keystore_data_file_27_0 (dir (write lock relabelfrom append map unlink link rename execute quotaon mounton add_name remove_name reparent rmdir audit_access execmod)))
-(neverallow base_typeattr_153_27_0 keystore_data_file_27_0 (file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_153_27_0 keystore_data_file_27_0 (lnk_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_153_27_0 keystore_data_file_27_0 (sock_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_153_27_0 keystore_data_file_27_0 (fifo_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_154_27_0 keystore_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow base_typeattr_154_27_0 keystore_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_154_27_0 keystore_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_154_27_0 keystore_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_154_27_0 keystore_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_10_27_0 keystore_27_0 (process (ptrace)))
-(allow lmkd_27_0 self (capability (dac_override kill sys_resource)))
-(allow lmkd_27_0 self (capability (ipc_lock)))
-(allow lmkd_27_0 appdomain (dir (ioctl read getattr lock search open)))
-(allow lmkd_27_0 appdomain (file (ioctl read getattr lock map open)))
-(allow lmkd_27_0 appdomain (lnk_file (ioctl read getattr lock map open)))
-(allow lmkd_27_0 appdomain (file (write)))
-(allow lmkd_27_0 system_server_27_0 (dir (ioctl read getattr lock search open)))
-(allow lmkd_27_0 system_server_27_0 (file (ioctl read getattr lock map open)))
-(allow lmkd_27_0 system_server_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow lmkd_27_0 system_server_27_0 (file (write)))
-(allow lmkd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow lmkd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow lmkd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow lmkd_27_0 sysfs_lowmemorykiller_27_0 (file (write lock append map open)))
-(allow lmkd_27_0 appdomain (process (sigkill)))
-(allow lmkd_27_0 cgroup_27_0 (dir (remove_name rmdir)))
-(allow lmkd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow lmkd_27_0 self (capability (sys_nice)))
-(allow lmkd_27_0 proc_zoneinfo_27_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_10_27_0 lmkd_27_0 (process (noatsecure)))
-(allow logd_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow logd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow logd_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow logd_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow logd_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow logd_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow logd_27_0 proc_meminfo_27_0 (dir (ioctl read getattr lock search open)))
-(allow logd_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
-(allow logd_27_0 proc_meminfo_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow logd_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow logd_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow logd_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow logd_27_0 self (capability (setgid setuid setpcap sys_nice audit_control)))
-(allow logd_27_0 self (capability2 (syslog)))
-(allow logd_27_0 self (netlink_audit_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_write)))
-(allow logd_27_0 kernel_27_0 (system (syslog_read)))
-(allow logd_27_0 kmsg_device_27_0 (chr_file (write lock append map open)))
-(allow logd_27_0 system_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow logd_27_0 system_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow logd_27_0 pstorefs_27_0 (dir (search)))
-(allow logd_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
-(allow logd_27_0 misc_logd_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow logd_27_0 misc_logd_file_27_0 (file (ioctl read write getattr lock append map open)))
-(allow logd_27_0 runtime_event_log_tags_file_27_0 (file (ioctl read write getattr lock append map open)))
-(allow logd_27_0 device_logging_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow logd_27_0 domain (dir (ioctl read getattr lock search open)))
-(allow logd_27_0 domain (file (ioctl read getattr lock map open)))
-(allow logd_27_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow logd_27_0 kernel_27_0 (system (syslog_mod)))
-(allow logd_27_0 logd_socket_27_0 (sock_file (write)))
-(allow logd_27_0 logd_27_0 (unix_stream_socket (connectto)))
-(allow logd_27_0 runtime_event_log_tags_file_27_0 (file (ioctl read getattr lock map open)))
-(allow runtime_event_log_tags_file_27_0 tmpfs_27_0 (filesystem (associate)))
-(dontaudit domain runtime_event_log_tags_file_27_0 (file (read open)))
-(neverallow logd_27_0 dev_type (blk_file (read write)))
-(neverallow logd_27_0 domain (process (ptrace)))
-(neverallow base_typeattr_155_27_0 logd_27_0 (process (ptrace)))
-(neverallow logd_27_0 system_file_27_0 (file (write)))
-(neverallow logd_27_0 system_file_27_0 (dir (write)))
-(neverallow logd_27_0 system_file_27_0 (lnk_file (write)))
-(neverallow logd_27_0 system_file_27_0 (chr_file (write)))
-(neverallow logd_27_0 system_file_27_0 (blk_file (write)))
-(neverallow logd_27_0 system_file_27_0 (sock_file (write)))
-(neverallow logd_27_0 system_file_27_0 (fifo_file (write)))
-(neverallow logd_27_0 system_data_file_27_0 (file (write)))
-(neverallow logd_27_0 system_data_file_27_0 (dir (write)))
-(neverallow logd_27_0 system_data_file_27_0 (lnk_file (write)))
-(neverallow logd_27_0 system_data_file_27_0 (chr_file (write)))
-(neverallow logd_27_0 system_data_file_27_0 (blk_file (write)))
-(neverallow logd_27_0 system_data_file_27_0 (sock_file (write)))
-(neverallow logd_27_0 system_data_file_27_0 (fifo_file (write)))
-(neverallow logd_27_0 app_data_file_27_0 (file (write)))
-(neverallow logd_27_0 app_data_file_27_0 (dir (write)))
-(neverallow logd_27_0 app_data_file_27_0 (lnk_file (write)))
-(neverallow logd_27_0 app_data_file_27_0 (chr_file (write)))
-(neverallow logd_27_0 app_data_file_27_0 (blk_file (write)))
-(neverallow logd_27_0 app_data_file_27_0 (sock_file (write)))
-(neverallow logd_27_0 app_data_file_27_0 (fifo_file (write)))
-(neverallow base_typeattr_5_27_0 logd_27_0 (process (transition)))
-(neverallow base_typeattr_10_27_0 logd_27_0 (process (dyntransition)))
-(neverallow base_typeattr_156_27_0 runtime_event_log_tags_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow logpersist_27_0 dev_type (blk_file (read write)))
-(neverallow logpersist_27_0 domain (process (ptrace)))
-(neverallow logpersist_27_0 system_data_file_27_0 (file (write)))
-(neverallow logpersist_27_0 system_data_file_27_0 (dir (write)))
-(neverallow logpersist_27_0 system_data_file_27_0 (lnk_file (write)))
-(neverallow logpersist_27_0 system_data_file_27_0 (chr_file (write)))
-(neverallow logpersist_27_0 system_data_file_27_0 (blk_file (write)))
-(neverallow logpersist_27_0 system_data_file_27_0 (sock_file (write)))
-(neverallow logpersist_27_0 system_data_file_27_0 (fifo_file (write)))
-(neverallow logpersist_27_0 app_data_file_27_0 (file (write)))
-(neverallow logpersist_27_0 app_data_file_27_0 (dir (write)))
-(neverallow logpersist_27_0 app_data_file_27_0 (lnk_file (write)))
-(neverallow logpersist_27_0 app_data_file_27_0 (chr_file (write)))
-(neverallow logpersist_27_0 app_data_file_27_0 (blk_file (write)))
-(neverallow logpersist_27_0 app_data_file_27_0 (sock_file (write)))
-(neverallow logpersist_27_0 app_data_file_27_0 (fifo_file (write)))
-(neverallow base_typeattr_10_27_0 logpersist_27_0 (process (dyntransition)))
-(allow mediacodec_27_0 hwservicemanager_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow mediacodec_27_0 vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediacodec_27_0 vndservicemanager_27_0 (binder (call transfer)))
-(allow vndservicemanager_27_0 mediacodec_27_0 (dir (search)))
-(allow vndservicemanager_27_0 mediacodec_27_0 (file (read open)))
-(allow vndservicemanager_27_0 mediacodec_27_0 (process (getattr)))
-(allow mediacodec_27_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediacodec_27_0 (binder (transfer)))
-(allow mediacodec_27_0 binderservicedomain (fd (use)))
-(allow mediacodec_27_0 appdomain (binder (call transfer)))
-(allow appdomain mediacodec_27_0 (binder (transfer)))
-(allow mediacodec_27_0 appdomain (fd (use)))
-(allow mediacodec_27_0 hal_graphics_composer (fd (use)))
-(allow mediacodec_27_0 gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediacodec_27_0 video_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediacodec_27_0 video_device_27_0 (dir (search)))
-(allow mediacodec_27_0 ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediacodec_27_0 hal_camera (fd (use)))
-(allow mediacodec_27_0 su_27_0 (fifo_file (append)))
-(allow mediacodec_27_0 anr_data_file_27_0 (file (append)))
-(allow mediacodec_27_0 dumpstate_27_0 (fd (use)))
-(allow mediacodec_27_0 dumpstate_27_0 (fifo_file (write append)))
-(allow mediacodec_27_0 system_server_27_0 (fifo_file (write append)))
-(allow mediacodec_27_0 tombstoned_27_0 (unix_stream_socket (connectto)))
-(allow mediacodec_27_0 tombstoned_27_0 (fd (use)))
-(allow mediacodec_27_0 tombstoned_crash_socket_27_0 (sock_file (write)))
-(allow mediacodec_27_0 tombstone_data_file_27_0 (file (append)))
-(allow mediacodec_27_0 hal_omx_hwservice_27_0 (hwservice_manager (add find)))
-(allow mediacodec_27_0 hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_157_27_0 hal_omx_hwservice_27_0 (hwservice_manager (add)))
-(allow mediacodec_27_0 bufferhubd_27_0 (fd (use)))
-(neverallow mediacodec_27_0 fs_type (file (execute_no_trans)))
-(neverallow mediacodec_27_0 file_type (file (execute_no_trans)))
-(neverallow mediacodec_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow mediacodec_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow mediacodec_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow mediadrmserver_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 mediadrmserver_27_0 (dir (search)))
-(allow servicemanager_27_0 mediadrmserver_27_0 (file (read open)))
-(allow servicemanager_27_0 mediadrmserver_27_0 (process (getattr)))
-(allow mediadrmserver_27_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediadrmserver_27_0 (binder (transfer)))
-(allow mediadrmserver_27_0 binderservicedomain (fd (use)))
-(allow mediadrmserver_27_0 appdomain (binder (call transfer)))
-(allow appdomain mediadrmserver_27_0 (binder (transfer)))
-(allow mediadrmserver_27_0 appdomain (fd (use)))
-(allow mediadrmserver_27_0 mediadrmserver_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_158_27_0 mediadrmserver_service_27_0 (service_manager (add)))
-(allow mediadrmserver_27_0 mediaserver_service_27_0 (service_manager (find)))
-(allow mediadrmserver_27_0 mediametrics_service_27_0 (service_manager (find)))
-(allow mediadrmserver_27_0 processinfo_service_27_0 (service_manager (find)))
-(allow mediadrmserver_27_0 surfaceflinger_service_27_0 (service_manager (find)))
-(allow mediadrmserver_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow mediadrmserver_27_0 mediacodec_27_0 (binder (call transfer)))
-(allow mediacodec_27_0 mediadrmserver_27_0 (binder (transfer)))
-(allow mediadrmserver_27_0 mediacodec_27_0 (fd (use)))
-(neverallow mediadrmserver_27_0 fs_type (file (execute_no_trans)))
-(neverallow mediadrmserver_27_0 file_type (file (execute_no_trans)))
-(neverallowx mediadrmserver_27_0 domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx mediadrmserver_27_0 domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx mediadrmserver_27_0 domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx mediadrmserver_27_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediadrmserver_27_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediadrmserver_27_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediadrmserver_27_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediadrmserver_27_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediadrmserver_27_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow mediaextractor_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 mediaextractor_27_0 (dir (search)))
-(allow servicemanager_27_0 mediaextractor_27_0 (file (read open)))
-(allow servicemanager_27_0 mediaextractor_27_0 (process (getattr)))
-(allow mediaextractor_27_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediaextractor_27_0 (binder (transfer)))
-(allow mediaextractor_27_0 binderservicedomain (fd (use)))
-(allow mediaextractor_27_0 appdomain (binder (call transfer)))
-(allow appdomain mediaextractor_27_0 (binder (transfer)))
-(allow mediaextractor_27_0 appdomain (fd (use)))
-(allow mediaextractor_27_0 mediaextractor_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_159_27_0 mediaextractor_service_27_0 (service_manager (add)))
-(allow mediaextractor_27_0 mediametrics_service_27_0 (service_manager (find)))
-(allow mediaextractor_27_0 hidl_token_hwservice_27_0 (hwservice_manager (find)))
-(allow mediaextractor_27_0 system_server_27_0 (fd (use)))
-(allow mediaextractor_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow mediaextractor_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow mediaextractor_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow mediaextractor_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
-(allow mediaextractor_27_0 su_27_0 (fifo_file (append)))
-(allow mediaextractor_27_0 anr_data_file_27_0 (file (append)))
-(allow mediaextractor_27_0 dumpstate_27_0 (fd (use)))
-(allow mediaextractor_27_0 dumpstate_27_0 (fifo_file (write append)))
-(allow mediaextractor_27_0 system_server_27_0 (fifo_file (write append)))
-(allow mediaextractor_27_0 tombstoned_27_0 (unix_stream_socket (connectto)))
-(allow mediaextractor_27_0 tombstoned_27_0 (fd (use)))
-(allow mediaextractor_27_0 tombstoned_crash_socket_27_0 (sock_file (write)))
-(allow mediaextractor_27_0 tombstone_data_file_27_0 (file (append)))
-(allow mediaextractor_27_0 media_rw_data_file_27_0 (file (read getattr)))
-(allow mediaextractor_27_0 app_data_file_27_0 (file (read getattr)))
-(allow mediaextractor_27_0 apk_data_file_27_0 (file (read getattr)))
-(allow mediaextractor_27_0 asec_apk_file_27_0 (file (read getattr)))
-(allow mediaextractor_27_0 ringtone_file_27_0 (file (read getattr)))
-(neverallow mediaextractor_27_0 fs_type (file (execute_no_trans)))
-(neverallow mediaextractor_27_0 file_type (file (execute_no_trans)))
-(neverallow mediaextractor_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow mediaextractor_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow mediaextractor_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow mediametrics_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 mediametrics_27_0 (dir (search)))
-(allow servicemanager_27_0 mediametrics_27_0 (file (read open)))
-(allow servicemanager_27_0 mediametrics_27_0 (process (getattr)))
-(allow mediametrics_27_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediametrics_27_0 (binder (transfer)))
-(allow mediametrics_27_0 binderservicedomain (fd (use)))
-(allow mediametrics_27_0 mediametrics_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_160_27_0 mediametrics_service_27_0 (service_manager (add)))
-(allow mediametrics_27_0 system_server_27_0 (fd (use)))
-(allow mediametrics_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow mediametrics_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow mediametrics_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow mediametrics_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
-(allow mediametrics_27_0 app_data_file_27_0 (file (write)))
-(allow mediametrics_27_0 package_native_service_27_0 (service_manager (find)))
-(neverallow mediametrics_27_0 fs_type (file (execute_no_trans)))
-(neverallow mediametrics_27_0 file_type (file (execute_no_trans)))
-(neverallow mediametrics_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow mediametrics_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow mediametrics_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow mediaserver_27_0 sdcard_type (dir (ioctl read getattr lock search open)))
-(allow mediaserver_27_0 sdcard_type (file (ioctl read getattr lock map open)))
-(allow mediaserver_27_0 sdcard_type (lnk_file (ioctl read getattr lock map open)))
-(allow mediaserver_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow mediaserver_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow mediaserver_27_0 proc_27_0 (lnk_file (getattr)))
-(allow mediaserver_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_27_0 self (process (ptrace)))
-(allow mediaserver_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 mediaserver_27_0 (dir (search)))
-(allow servicemanager_27_0 mediaserver_27_0 (file (read open)))
-(allow servicemanager_27_0 mediaserver_27_0 (process (getattr)))
-(allow mediaserver_27_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediaserver_27_0 (binder (transfer)))
-(allow mediaserver_27_0 binderservicedomain (fd (use)))
-(allow mediaserver_27_0 appdomain (binder (call transfer)))
-(allow appdomain mediaserver_27_0 (binder (transfer)))
-(allow mediaserver_27_0 appdomain (fd (use)))
-(allow mediaserver_27_0 media_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow mediaserver_27_0 media_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow mediaserver_27_0 app_data_file_27_0 (dir (search)))
-(allow mediaserver_27_0 app_data_file_27_0 (file (ioctl read write getattr lock append map open)))
-(allow mediaserver_27_0 sdcard_type (file (write)))
-(allow mediaserver_27_0 gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediaserver_27_0 video_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_27_0 video_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediaserver_27_0 property_socket_27_0 (sock_file (write)))
-(allow mediaserver_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow mediaserver_27_0 audio_prop_27_0 (property_service (set)))
-(allow mediaserver_27_0 audio_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow mediaserver_27_0 sysfs_27_0 (file (ioctl read getattr lock map open)))
-(allow mediaserver_27_0 apk_data_file_27_0 (file (read getattr)))
-(allow mediaserver_27_0 asec_apk_file_27_0 (file (read getattr)))
-(allow mediaserver_27_0 ringtone_file_27_0 (file (read getattr)))
-(allow mediaserver_27_0 radio_data_file_27_0 (file (read getattr)))
-(allow mediaserver_27_0 appdomain (fifo_file (read write getattr)))
-(allow mediaserver_27_0 rpmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediaserver_27_0 system_server_27_0 (fifo_file (ioctl read getattr lock map open)))
-(allow mediaserver_27_0 media_rw_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_27_0 media_rw_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow mediaserver_27_0 media_rw_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow mediaserver_27_0 app_fuse_file_27_0 (file (read getattr)))
-(allow mediaserver_27_0 qtaguid_proc_27_0 (file (ioctl read write getattr lock append map open)))
-(allow mediaserver_27_0 qtaguid_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow mediaserver_27_0 drmserver_socket_27_0 (sock_file (write)))
-(allow mediaserver_27_0 drmserver_27_0 (unix_stream_socket (connectto)))
-(allow mediaserver_27_0 bluetooth_socket_27_0 (sock_file (write)))
-(allow mediaserver_27_0 bluetooth_27_0 (unix_stream_socket (connectto)))
-(allow mediaserver_27_0 mediaserver_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_161_27_0 mediaserver_service_27_0 (service_manager (add)))
-(allow mediaserver_27_0 activity_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 appops_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 audioserver_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 cameraserver_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 batterystats_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 drmserver_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 mediaextractor_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 mediacodec_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 mediametrics_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 media_session_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 permission_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 power_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 processinfo_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 scheduling_policy_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 surfaceflinger_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 mediadrmserver_service_27_0 (service_manager (find)))
-(allow mediaserver_27_0 hidl_token_hwservice_27_0 (hwservice_manager (find)))
-(allow mediaserver_27_0 oemfs_27_0 (dir (search)))
-(allow mediaserver_27_0 oemfs_27_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_27_0 mediaserver_27_0 (dir (search)))
-(allow drmserver_27_0 mediaserver_27_0 (file (read open)))
-(allow drmserver_27_0 mediaserver_27_0 (process (getattr)))
-(allow mediaserver_27_0 drmserver_27_0 (drmservice (consumeRights setPlaybackStatus openDecryptSession closeDecryptSession initializeDecryptUnit decrypt finalizeDecryptUnit pread)))
-(allowx mediaserver_27_0 self (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx mediaserver_27_0 self (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx mediaserver_27_0 self (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx mediaserver_27_0 self (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx mediaserver_27_0 self (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx mediaserver_27_0 self (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx mediaserver_27_0 self (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx mediaserver_27_0 self (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx mediaserver_27_0 self (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allow mediaserver_27_0 media_rw_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow mediaserver_27_0 media_rw_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow mediaserver_27_0 preloads_media_file_27_0 (file (ioctl read getattr)))
-(allow mediaserver_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow mediaserver_27_0 hal_graphics_allocator (fd (use)))
-(allow mediaserver_27_0 hal_graphics_composer (fd (use)))
-(allow mediaserver_27_0 hal_camera (fd (use)))
-(allow mediaserver_27_0 system_server_27_0 (fd (use)))
-(allow mediaserver_27_0 mediacodec_27_0 (binder (call transfer)))
-(allow mediacodec_27_0 mediaserver_27_0 (binder (transfer)))
-(allow mediaserver_27_0 mediacodec_27_0 (fd (use)))
-(neverallow mediaserver_27_0 fs_type (file (execute_no_trans)))
-(neverallow mediaserver_27_0 file_type (file (execute_no_trans)))
-(neverallowx mediaserver_27_0 domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx mediaserver_27_0 domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx mediaserver_27_0 domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx mediaserver_27_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediaserver_27_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediaserver_27_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediaserver_27_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediaserver_27_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediaserver_27_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow modprobe_27_0 proc_modules_27_0 (file (ioctl read getattr lock map open)))
-(allow modprobe_27_0 self (capability (sys_module)))
-(allow modprobe_27_0 kernel_27_0 (key (search)))
-(allow modprobe_27_0 system_file_27_0 (system (module_load)))
-(allow modprobe_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow modprobe_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
-(allow modprobe_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow mtp_27_0 self (socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow mtp_27_0 self (capability (net_raw)))
-(allow mtp_27_0 ppp_27_0 (process (signal)))
-(allow mtp_27_0 vpn_data_file_27_0 (dir (search)))
-(allowx netd_27_0 self (ioctl udp_socket (0x6900 0x6902)))
-(allowx netd_27_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx netd_27_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow netd_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow netd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow netd_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow netd_27_0 system_server_27_0 (fd (use)))
-(allow netd_27_0 self (capability (kill net_admin net_raw)))
-(dontaudit netd_27_0 self (capability (fsetid)))
-(allow netd_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_27_0 self (netlink_route_socket (nlmsg_write)))
-(allow netd_27_0 self (netlink_nflog_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_27_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_27_0 self (netlink_tcpdiag_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write)))
-(allow netd_27_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_27_0 self (netlink_netfilter_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow netd_27_0 system_file_27_0 (file (getattr map execute execute_no_trans)))
-(allow netd_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow netd_27_0 system_file_27_0 (file (lock)))
-(allow netd_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow netd_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow netd_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow netd_27_0 proc_net_27_0 (file (ioctl read write getattr lock append map open)))
-(allow netd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow netd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow netd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow netd_27_0 sysfs_27_0 (file (write)))
-(allow netd_27_0 sysfs_usb_27_0 (file (write)))
-(allow netd_27_0 self (capability (chown dac_override)))
-(allow netd_27_0 net_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow netd_27_0 net_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow netd_27_0 self (capability (fowner)))
-(allow netd_27_0 system_file_27_0 (file (lock)))
-(allow netd_27_0 dnsmasq_27_0 (process (signal)))
-(allow netd_27_0 clatd_27_0 (process (signal)))
-(allow netd_27_0 property_socket_27_0 (sock_file (write)))
-(allow netd_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow netd_27_0 ctl_mdnsd_prop_27_0 (property_service (set)))
-(allow netd_27_0 ctl_mdnsd_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow netd_27_0 property_socket_27_0 (sock_file (write)))
-(allow netd_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow netd_27_0 netd_stable_secret_prop_27_0 (property_service (set)))
-(allow netd_27_0 netd_stable_secret_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow netd_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 netd_27_0 (dir (search)))
-(allow servicemanager_27_0 netd_27_0 (file (read open)))
-(allow servicemanager_27_0 netd_27_0 (process (getattr)))
-(allow netd_27_0 netd_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_162_27_0 netd_service_27_0 (service_manager (add)))
-(allow netd_27_0 dumpstate_27_0 (fifo_file (write getattr)))
-(allow netd_27_0 system_server_27_0 (binder (call)))
-(allow netd_27_0 permission_service_27_0 (service_manager (find)))
-(allow netd_27_0 netd_listener_service_27_0 (service_manager (find)))
-(allow netd_27_0 netdomain (tcp_socket (read write getattr setattr getopt setopt)))
-(allow netd_27_0 netdomain (udp_socket (read write getattr setattr getopt setopt)))
-(allow netd_27_0 netdomain (rawip_socket (read write getattr setattr getopt setopt)))
-(allow netd_27_0 netdomain (tun_socket (read write getattr setattr getopt setopt)))
-(allow netd_27_0 netdomain (fd (use)))
-(allow netd_27_0 self (netlink_xfrm_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write)))
-(allow netd_27_0 system_net_netd_hwservice_27_0 (hwservice_manager (add find)))
-(allow netd_27_0 hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_162_27_0 system_net_netd_hwservice_27_0 (hwservice_manager (add)))
-(allow netd_27_0 hwservicemanager_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 netd_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 netd_27_0 (dir (search)))
-(allow hwservicemanager_27_0 netd_27_0 (file (read open)))
-(allow hwservicemanager_27_0 netd_27_0 (process (getattr)))
-(allow netd_27_0 hwservicemanager_prop_27_0 (file (ioctl read getattr lock map open)))
-(neverallow netd_27_0 dev_type (blk_file (read write)))
-(neverallow netd_27_0 domain (process (ptrace)))
-(neverallow netd_27_0 system_file_27_0 (file (write)))
-(neverallow netd_27_0 system_file_27_0 (dir (write)))
-(neverallow netd_27_0 system_file_27_0 (lnk_file (write)))
-(neverallow netd_27_0 system_file_27_0 (chr_file (write)))
-(neverallow netd_27_0 system_file_27_0 (blk_file (write)))
-(neverallow netd_27_0 system_file_27_0 (sock_file (write)))
-(neverallow netd_27_0 system_file_27_0 (fifo_file (write)))
-(neverallow netd_27_0 system_data_file_27_0 (file (write)))
-(neverallow netd_27_0 system_data_file_27_0 (dir (write)))
-(neverallow netd_27_0 system_data_file_27_0 (lnk_file (write)))
-(neverallow netd_27_0 system_data_file_27_0 (chr_file (write)))
-(neverallow netd_27_0 system_data_file_27_0 (blk_file (write)))
-(neverallow netd_27_0 system_data_file_27_0 (sock_file (write)))
-(neverallow netd_27_0 system_data_file_27_0 (fifo_file (write)))
-(neverallow netd_27_0 app_data_file_27_0 (file (write)))
-(neverallow netd_27_0 app_data_file_27_0 (dir (write)))
-(neverallow netd_27_0 app_data_file_27_0 (lnk_file (write)))
-(neverallow netd_27_0 app_data_file_27_0 (chr_file (write)))
-(neverallow netd_27_0 app_data_file_27_0 (blk_file (write)))
-(neverallow netd_27_0 app_data_file_27_0 (sock_file (write)))
-(neverallow netd_27_0 app_data_file_27_0 (fifo_file (write)))
-(neverallow base_typeattr_163_27_0 netd_service_27_0 (service_manager (find)))
-(neverallow appdomain netd_27_0 (binder (call)))
-(neverallow netd_27_0 base_typeattr_164_27_0 (binder (call)))
-(neverallow base_typeattr_165_27_0 netd_stable_secret_prop_27_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_165_27_0 netd_stable_secret_prop_27_0 (property_service (set)))
-(neverallow domain netutils_wrapper_exec_27_0 (file (execute_no_trans)))
-(allow otapreopt_chroot_27_0 postinstall_file_27_0 (dir (mounton search)))
-(allow otapreopt_chroot_27_0 self (capability (sys_chroot sys_admin)))
-(allow otapreopt_chroot_27_0 block_device_27_0 (dir (search)))
-(allow otapreopt_chroot_27_0 labeledfs_27_0 (filesystem (mount)))
-(dontaudit otapreopt_chroot_27_0 kernel_27_0 (process (setsched)))
-(allow otapreopt_chroot_27_0 postinstall_27_0 (fd (use)))
-(allow otapreopt_chroot_27_0 update_engine_27_0 (fd (use)))
-(allow otapreopt_chroot_27_0 update_engine_27_0 (fifo_file (write)))
-(allow otapreopt_slot_27_0 ota_data_file_27_0 (dir (ioctl read write getattr lock rename add_name remove_name reparent search rmdir open)))
-(allow otapreopt_slot_27_0 ota_data_file_27_0 (file (getattr)))
-(allow otapreopt_slot_27_0 ota_data_file_27_0 (lnk_file (getattr)))
-(allow otapreopt_slot_27_0 ota_data_file_27_0 (lnk_file (read)))
-(allow otapreopt_slot_27_0 dalvikcache_data_file_27_0 (dir (read write getattr add_name remove_name search rmdir open)))
-(allow otapreopt_slot_27_0 dalvikcache_data_file_27_0 (file (getattr unlink)))
-(allow otapreopt_slot_27_0 dalvikcache_data_file_27_0 (lnk_file (read getattr unlink)))
-(allow otapreopt_slot_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow otapreopt_slot_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow performanced_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 performanced_27_0 (dir (search)))
-(allow servicemanager_27_0 performanced_27_0 (file (read open)))
-(allow servicemanager_27_0 performanced_27_0 (process (getattr)))
-(allow performanced_27_0 system_server_27_0 (binder (call transfer)))
-(allow system_server_27_0 performanced_27_0 (binder (transfer)))
-(allow performanced_27_0 system_server_27_0 (fd (use)))
-(allow performanced_27_0 permission_service_27_0 (service_manager (find)))
-(allow init_27_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (create bind)))
-(allow performanced_27_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (read write getattr setattr lock append listen accept getopt setopt shutdown)))
-(allow performanced_27_0 self (process (setsockcreate)))
-(allow performanced_27_0 pdx_performance_client_channel_socket_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
-(neverallow base_typeattr_166_27_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (listen accept)))
-(allow performanced_27_0 self (capability (setgid setuid sys_nice)))
-(allow performanced_27_0 appdomain (dir (ioctl read getattr lock search open)))
-(allow performanced_27_0 bufferhubd_27_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_27_0 kernel_27_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_27_0 surfaceflinger_27_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_27_0 appdomain (file (ioctl read getattr lock map open)))
-(allow performanced_27_0 appdomain (lnk_file (ioctl read getattr lock map open)))
-(allow performanced_27_0 bufferhubd_27_0 (file (ioctl read getattr lock map open)))
-(allow performanced_27_0 bufferhubd_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow performanced_27_0 kernel_27_0 (file (ioctl read getattr lock map open)))
-(allow performanced_27_0 kernel_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow performanced_27_0 surfaceflinger_27_0 (file (ioctl read getattr lock map open)))
-(allow performanced_27_0 surfaceflinger_27_0 (lnk_file (ioctl read getattr lock map open)))
-(dontaudit performanced_27_0 domain (dir (read)))
-(allow performanced_27_0 appdomain (process (setsched)))
-(allow performanced_27_0 bufferhubd_27_0 (process (setsched)))
-(allow performanced_27_0 kernel_27_0 (process (setsched)))
-(allow performanced_27_0 surfaceflinger_27_0 (process (setsched)))
-(allow performanced_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow performanced_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow perfprofd_27_0 sysfs_devices_system_cpu_27_0 (file (ioctl read write getattr lock append map open)))
-(allow perfprofd_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow perfprofd_27_0 app_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_27_0 app_data_file_27_0 (dir (search)))
-(allow perfprofd_27_0 self (capability (dac_override)))
-(allow perfprofd_27_0 perfprofd_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow perfprofd_27_0 perfprofd_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow perfprofd_27_0 logcat_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow perfprofd_27_0 logdr_socket_27_0 (sock_file (write)))
-(allow perfprofd_27_0 logd_27_0 (unix_stream_socket (connectto)))
-(allow perfprofd_27_0 logdw_socket_27_0 (sock_file (write)))
-(allow perfprofd_27_0 logd_27_0 (unix_dgram_socket (sendto)))
-(allow perfprofd_27_0 pmsg_device_27_0 (chr_file (write lock append map open)))
-(allow perfprofd_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow perfprofd_27_0 self (capability2 (block_suspend)))
-(allow perfprofd_27_0 self (capability (sys_admin)))
-(allow perfprofd_27_0 domain (dir (ioctl read getattr lock search open)))
-(allow perfprofd_27_0 domain (file (ioctl read getattr lock map open)))
-(allow perfprofd_27_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow perfprofd_27_0 self (capability (sys_ptrace sys_resource)))
-(neverallow perfprofd_27_0 domain (process (ptrace)))
-(allow perfprofd_27_0 exec_type (file (ioctl read getattr lock map open)))
-(allow perfprofd_27_0 debugfs_tracing_27_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow perfprofd_27_0 self (capability (ipc_lock)))
-(allow postinstall_27_0 update_engine_common (fd (use)))
-(allow postinstall_27_0 update_engine_common (fifo_file (ioctl read write getattr lock append map open)))
-(allow postinstall_27_0 postinstall_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow postinstall_27_0 postinstall_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_27_0 postinstall_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow postinstall_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow postinstall_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow postinstall_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 postinstall_27_0 (dir (search)))
-(allow servicemanager_27_0 postinstall_27_0 (file (read open)))
-(allow servicemanager_27_0 postinstall_27_0 (process (getattr)))
-(allow postinstall_27_0 system_server_27_0 (binder (call transfer)))
-(allow system_server_27_0 postinstall_27_0 (binder (transfer)))
-(allow postinstall_27_0 system_server_27_0 (fd (use)))
-(allow postinstall_27_0 otadexopt_service_27_0 (service_manager (find)))
-(neverallow base_typeattr_36_27_0 postinstall_27_0 (process (transition dyntransition)))
-(allow postinstall_dexopt_27_0 self (capability (chown dac_override fowner setgid setuid)))
-(allow postinstall_dexopt_27_0 postinstall_file_27_0 (filesystem (getattr)))
-(allow postinstall_dexopt_27_0 postinstall_file_27_0 (dir (getattr search)))
-(allow postinstall_dexopt_27_0 postinstall_file_27_0 (lnk_file (read)))
-(allow postinstall_dexopt_27_0 proc_27_0 (file (read getattr open)))
-(allow postinstall_dexopt_27_0 tmpfs_27_0 (file (read)))
-(allow postinstall_dexopt_27_0 apk_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_27_0 apk_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_27_0 apk_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_27_0 vendor_app_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_27_0 vendor_app_file_27_0 (file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_27_0 vendor_app_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_27_0 user_profile_data_file_27_0 (dir (getattr search)))
-(allow postinstall_dexopt_27_0 user_profile_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_27_0 ota_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow postinstall_dexopt_27_0 ota_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow postinstall_dexopt_27_0 ota_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (dir (relabelto)))
-(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (file (relabelto link)))
-(allow postinstall_dexopt_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_27_0 selinuxfs_27_0 (file (write lock append map open)))
-(allow postinstall_dexopt_27_0 kernel_27_0 (security (check_context)))
-(allow postinstall_dexopt_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_27_0 selinuxfs_27_0 (file (write lock append map open)))
-(allow postinstall_dexopt_27_0 kernel_27_0 (security (compute_av)))
-(allow postinstall_dexopt_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow postinstall_dexopt_27_0 postinstall_27_0 (process (sigchld)))
-(allow postinstall_dexopt_27_0 otapreopt_chroot_27_0 (fd (use)))
-(allow postinstall_dexopt_27_0 cpuctl_device_27_0 (dir (search)))
-(allow ppp_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow ppp_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow ppp_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow ppp_27_0 mtp_27_0 (socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx ppp_27_0 self (ioctl udp_socket (0x6900 0x6902)))
-(allowx ppp_27_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx ppp_27_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allowx ppp_27_0 mtp_27_0 (ioctl socket (((range 0x7436 0x7441)) ((range 0x7446 0x7447)) ((range 0x744b 0x745a)) ((range 0x7480 0x7488)))))
-(allow ppp_27_0 mtp_27_0 (unix_dgram_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow ppp_27_0 ppp_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow ppp_27_0 self (capability (net_admin)))
-(allow ppp_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow ppp_27_0 vpn_data_file_27_0 (dir (write lock add_name remove_name search open)))
-(allow ppp_27_0 vpn_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow ppp_27_0 mtp_27_0 (fd (use)))
-(allow preopt2cachename_27_0 cppreopts_27_0 (fd (use)))
-(allow preopt2cachename_27_0 cppreopts_27_0 (fifo_file (read write getattr)))
-(allow preopt2cachename_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow profman_27_0 user_profile_data_file_27_0 (file (read write getattr lock)))
-(allow profman_27_0 asec_apk_file_27_0 (file (read)))
-(allow profman_27_0 apk_data_file_27_0 (file (read)))
-(allow profman_27_0 oemfs_27_0 (file (read)))
-(allow profman_27_0 tmpfs_27_0 (file (read)))
-(allow profman_27_0 profman_dump_data_file_27_0 (file (write)))
-(allow profman_27_0 installd_27_0 (fd (use)))
-(allow profman_27_0 app_data_file_27_0 (file (read write getattr lock)))
-(neverallow profman_27_0 app_data_file_27_0 (file (open)))
-(neverallow profman_27_0 app_data_file_27_0 (lnk_file (open)))
-(neverallow profman_27_0 app_data_file_27_0 (sock_file (open)))
-(neverallow profman_27_0 app_data_file_27_0 (fifo_file (open)))
-(allow property_type tmpfs_27_0 (filesystem (associate)))
-(neverallow base_typeattr_10_27_0 base_typeattr_167_27_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(allowx racoon_27_0 self (ioctl udp_socket (0x8914 0x8916 0x891c)))
-(allow racoon_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 racoon_27_0 (dir (search)))
-(allow servicemanager_27_0 racoon_27_0 (file (read open)))
-(allow servicemanager_27_0 racoon_27_0 (process (getattr)))
-(allow racoon_27_0 tun_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow racoon_27_0 cgroup_27_0 (dir (create add_name)))
-(allow racoon_27_0 kernel_27_0 (system (module_request)))
-(allow racoon_27_0 self (key_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow racoon_27_0 self (tun_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow racoon_27_0 self (capability (net_bind_service net_admin net_raw)))
-(allow racoon_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow racoon_27_0 vpn_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow racoon_27_0 vpn_data_file_27_0 (dir (write lock add_name remove_name search open)))
-(allow keystore_27_0 racoon_27_0 (dir (search)))
-(allow keystore_27_0 racoon_27_0 (file (read open)))
-(allow keystore_27_0 racoon_27_0 (process (getattr)))
-(allow racoon_27_0 keystore_service_27_0 (service_manager (find)))
-(allow racoon_27_0 keystore_27_0 (binder (call transfer)))
-(allow keystore_27_0 racoon_27_0 (binder (transfer)))
-(allow racoon_27_0 keystore_27_0 (fd (use)))
-(allow racoon_27_0 keystore_27_0 (keystore_key (get sign verify)))
-(allow radio_27_0 radio_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow radio_27_0 radio_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow radio_27_0 radio_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow radio_27_0 radio_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow radio_27_0 radio_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow radio_27_0 alarm_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow radio_27_0 net_data_file_27_0 (dir (search)))
-(allow radio_27_0 net_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow radio_27_0 property_socket_27_0 (sock_file (write)))
-(allow radio_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow radio_27_0 radio_prop_27_0 (property_service (set)))
-(allow radio_27_0 radio_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow radio_27_0 property_socket_27_0 (sock_file (write)))
-(allow radio_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow radio_27_0 net_radio_prop_27_0 (property_service (set)))
-(allow radio_27_0 net_radio_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow radio_27_0 property_socket_27_0 (sock_file (write)))
-(allow radio_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow radio_27_0 ctl_rildaemon_prop_27_0 (property_service (set)))
-(allow radio_27_0 ctl_rildaemon_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow radio_27_0 radio_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_168_27_0 radio_service_27_0 (service_manager (add)))
-(allow radio_27_0 audioserver_service_27_0 (service_manager (find)))
-(allow radio_27_0 cameraserver_service_27_0 (service_manager (find)))
-(allow radio_27_0 drmserver_service_27_0 (service_manager (find)))
-(allow radio_27_0 mediaserver_service_27_0 (service_manager (find)))
-(allow radio_27_0 nfc_service_27_0 (service_manager (find)))
-(allow radio_27_0 surfaceflinger_service_27_0 (service_manager (find)))
-(allow radio_27_0 app_api_service (service_manager (find)))
-(allow radio_27_0 system_api_service (service_manager (find)))
-(allow radio_27_0 hwservicemanager_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 radio_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 radio_27_0 (dir (search)))
-(allow hwservicemanager_27_0 radio_27_0 (file (read open)))
-(allow hwservicemanager_27_0 radio_27_0 (process (getattr)))
-(neverallow recovery_27_0 base_typeattr_169_27_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow recovery_27_0 base_typeattr_169_27_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(allow recovery_persist_27_0 pstorefs_27_0 (dir (search)))
-(allow recovery_persist_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
-(allow recovery_persist_27_0 recovery_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow recovery_persist_27_0 recovery_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(neverallow recovery_persist_27_0 dev_type (blk_file (read write)))
-(neverallow recovery_persist_27_0 domain (process (ptrace)))
-(neverallow recovery_persist_27_0 system_file_27_0 (file (write)))
-(neverallow recovery_persist_27_0 system_file_27_0 (dir (write)))
-(neverallow recovery_persist_27_0 system_file_27_0 (lnk_file (write)))
-(neverallow recovery_persist_27_0 system_file_27_0 (chr_file (write)))
-(neverallow recovery_persist_27_0 system_file_27_0 (blk_file (write)))
-(neverallow recovery_persist_27_0 system_file_27_0 (sock_file (write)))
-(neverallow recovery_persist_27_0 system_file_27_0 (fifo_file (write)))
-(neverallow recovery_persist_27_0 system_data_file_27_0 (file (write)))
-(neverallow recovery_persist_27_0 system_data_file_27_0 (dir (write)))
-(neverallow recovery_persist_27_0 system_data_file_27_0 (lnk_file (write)))
-(neverallow recovery_persist_27_0 system_data_file_27_0 (chr_file (write)))
-(neverallow recovery_persist_27_0 system_data_file_27_0 (blk_file (write)))
-(neverallow recovery_persist_27_0 system_data_file_27_0 (sock_file (write)))
-(neverallow recovery_persist_27_0 system_data_file_27_0 (fifo_file (write)))
-(neverallow recovery_persist_27_0 app_data_file_27_0 (file (write)))
-(neverallow recovery_persist_27_0 app_data_file_27_0 (dir (write)))
-(neverallow recovery_persist_27_0 app_data_file_27_0 (lnk_file (write)))
-(neverallow recovery_persist_27_0 app_data_file_27_0 (chr_file (write)))
-(neverallow recovery_persist_27_0 app_data_file_27_0 (blk_file (write)))
-(neverallow recovery_persist_27_0 app_data_file_27_0 (sock_file (write)))
-(neverallow recovery_persist_27_0 app_data_file_27_0 (fifo_file (write)))
-(allow recovery_refresh_27_0 pstorefs_27_0 (dir (search)))
-(allow recovery_refresh_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
-(neverallow recovery_refresh_27_0 dev_type (blk_file (read write)))
-(neverallow recovery_refresh_27_0 domain (process (ptrace)))
-(neverallow recovery_refresh_27_0 system_file_27_0 (file (write)))
-(neverallow recovery_refresh_27_0 system_file_27_0 (dir (write)))
-(neverallow recovery_refresh_27_0 system_file_27_0 (lnk_file (write)))
-(neverallow recovery_refresh_27_0 system_file_27_0 (chr_file (write)))
-(neverallow recovery_refresh_27_0 system_file_27_0 (blk_file (write)))
-(neverallow recovery_refresh_27_0 system_file_27_0 (sock_file (write)))
-(neverallow recovery_refresh_27_0 system_file_27_0 (fifo_file (write)))
-(neverallow recovery_refresh_27_0 system_data_file_27_0 (file (write)))
-(neverallow recovery_refresh_27_0 system_data_file_27_0 (dir (write)))
-(neverallow recovery_refresh_27_0 system_data_file_27_0 (lnk_file (write)))
-(neverallow recovery_refresh_27_0 system_data_file_27_0 (chr_file (write)))
-(neverallow recovery_refresh_27_0 system_data_file_27_0 (blk_file (write)))
-(neverallow recovery_refresh_27_0 system_data_file_27_0 (sock_file (write)))
-(neverallow recovery_refresh_27_0 system_data_file_27_0 (fifo_file (write)))
-(neverallow recovery_refresh_27_0 app_data_file_27_0 (file (write)))
-(neverallow recovery_refresh_27_0 app_data_file_27_0 (dir (write)))
-(neverallow recovery_refresh_27_0 app_data_file_27_0 (lnk_file (write)))
-(neverallow recovery_refresh_27_0 app_data_file_27_0 (chr_file (write)))
-(neverallow recovery_refresh_27_0 app_data_file_27_0 (blk_file (write)))
-(neverallow recovery_refresh_27_0 app_data_file_27_0 (sock_file (write)))
-(neverallow recovery_refresh_27_0 app_data_file_27_0 (fifo_file (write)))
-(allowx rild_27_0 self (ioctl udp_socket (0x6900 0x6902)))
-(allowx rild_27_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx rild_27_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow rild_27_0 self (netlink_route_socket (nlmsg_write)))
-(allow rild_27_0 kernel_27_0 (system (module_request)))
-(allow rild_27_0 self (capability (setgid setuid setpcap net_admin net_raw)))
-(allow rild_27_0 alarm_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow rild_27_0 cgroup_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow rild_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow rild_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow rild_27_0 radio_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow rild_27_0 radio_device_27_0 (blk_file (ioctl read getattr lock map open)))
-(allow rild_27_0 mtd_device_27_0 (dir (search)))
-(allow rild_27_0 efs_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow rild_27_0 efs_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow rild_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow rild_27_0 bluetooth_efs_file_27_0 (file (ioctl read getattr lock map open)))
-(allow rild_27_0 bluetooth_efs_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow rild_27_0 sdcard_type (dir (ioctl read getattr lock search open)))
-(allow rild_27_0 property_socket_27_0 (sock_file (write)))
-(allow rild_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow rild_27_0 radio_prop_27_0 (property_service (set)))
-(allow rild_27_0 radio_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow rild_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow rild_27_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow rild_27_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow rild_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow rild_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow rild_27_0 self (capability2 (block_suspend)))
-(allow rild_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow rild_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow rild_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow rild_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow rild_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow rild_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow rild_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow rild_27_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow rild_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow rild_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow rild_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
-(allow rild_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow rild_27_0 self (socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow runas_27_0 adbd_27_0 (fd (use)))
-(allow runas_27_0 adbd_27_0 (process (sigchld)))
-(allow runas_27_0 adbd_27_0 (unix_stream_socket (read write)))
-(allow runas_27_0 shell_27_0 (fd (use)))
-(allow runas_27_0 shell_27_0 (fifo_file (read write)))
-(allow runas_27_0 shell_27_0 (unix_stream_socket (read write)))
-(allow runas_27_0 devpts_27_0 (chr_file (ioctl read write)))
-(allow runas_27_0 shell_data_file_27_0 (file (read write)))
-(allow runas_27_0 system_data_file_27_0 (file (ioctl read getattr lock map open)))
-(dontaudit runas_27_0 self (capability (dac_override)))
-(allow runas_27_0 app_data_file_27_0 (dir (getattr search)))
-(allow runas_27_0 self (capability (setgid setuid)))
-(allow runas_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow runas_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow runas_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow runas_27_0 selinuxfs_27_0 (file (write lock append map open)))
-(allow runas_27_0 kernel_27_0 (security (check_context)))
-(allow runas_27_0 self (process (setcurrent)))
-(allow runas_27_0 base_typeattr_170_27_0 (process (dyntransition)))
-(allow runas_27_0 seapp_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(neverallow runas_27_0 self (capability (chown dac_override dac_read_search fowner fsetid kill setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(neverallow runas_27_0 self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(allow sdcardd_27_0 cgroup_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow sdcardd_27_0 fuse_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow sdcardd_27_0 rootfs_27_0 (dir (mounton)))
-(allow sdcardd_27_0 sdcardfs_27_0 (filesystem (remount)))
-(allow sdcardd_27_0 tmpfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow sdcardd_27_0 mnt_media_rw_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow sdcardd_27_0 storage_file_27_0 (dir (search)))
-(allow sdcardd_27_0 storage_stub_file_27_0 (dir (mounton search)))
-(allow sdcardd_27_0 sdcard_type (filesystem (mount unmount)))
-(allow sdcardd_27_0 self (capability (dac_override setgid setuid sys_admin sys_resource)))
-(allow sdcardd_27_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow sdcardd_27_0 sdcard_type (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow sdcardd_27_0 media_rw_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow sdcardd_27_0 media_rw_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow sdcardd_27_0 system_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow sdcardd_27_0 install_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow sdcardd_27_0 vold_27_0 (fd (use)))
-(allow sdcardd_27_0 vold_27_0 (fifo_file (read write getattr)))
-(allow sdcardd_27_0 mnt_expand_file_27_0 (dir (search)))
-(allow sdcardd_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(neverallow init_27_0 sdcardd_exec_27_0 (file (execute)))
-(neverallow init_27_0 sdcardd_27_0 (process (transition dyntransition)))
-(allow servicemanager_27_0 self (binder (set_context_mgr)))
-(allow servicemanager_27_0 base_typeattr_171_27_0 (binder (transfer)))
-(allow servicemanager_27_0 service_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow servicemanager_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow servicemanager_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow servicemanager_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow servicemanager_27_0 selinuxfs_27_0 (file (write lock append map open)))
-(allow servicemanager_27_0 kernel_27_0 (security (compute_av)))
-(allow servicemanager_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow sgdisk_27_0 block_device_27_0 (dir (search)))
-(allow sgdisk_27_0 vold_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow sgdisk_27_0 devpts_27_0 (chr_file (ioctl read write getattr)))
-(allow sgdisk_27_0 vold_27_0 (fd (use)))
-(allow sgdisk_27_0 vold_27_0 (fifo_file (read write getattr)))
-(allow sgdisk_27_0 self (capability (sys_admin)))
-(neverallow base_typeattr_92_27_0 sgdisk_27_0 (process (transition)))
-(neverallow base_typeattr_10_27_0 sgdisk_27_0 (process (dyntransition)))
-(neverallow sgdisk_27_0 base_typeattr_172_27_0 (file (entrypoint)))
-(allow shared_relro_27_0 shared_relro_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow shared_relro_27_0 shared_relro_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow shared_relro_27_0 webviewupdate_service_27_0 (service_manager (find)))
-(allow shell_27_0 logcat_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_27_0 logdr_socket_27_0 (sock_file (write)))
-(allow shell_27_0 logd_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 logd_socket_27_0 (sock_file (write)))
-(allow shell_27_0 logd_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 pstorefs_27_0 (dir (search)))
-(allow shell_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 anr_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 anr_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 shell_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow shell_27_0 shell_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow shell_27_0 shell_data_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_27_0 shell_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow shell_27_0 profman_dump_data_file_27_0 (dir (write getattr remove_name search)))
-(allow shell_27_0 profman_dump_data_file_27_0 (file (getattr unlink)))
-(allow shell_27_0 nativetest_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 nativetest_data_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_27_0 dumpstate_socket_27_0 (sock_file (write)))
-(allow shell_27_0 dumpstate_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow shell_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow shell_27_0 console_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow shell_27_0 input_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 input_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow shell_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow shell_27_0 system_file_27_0 (file (getattr map execute execute_no_trans)))
-(allow shell_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_27_0 tzdatacheck_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_27_0 zygote_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_27_0 apk_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 apk_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 apk_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow shell_27_0 property_socket_27_0 (sock_file (write)))
-(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 shell_prop_27_0 (property_service (set)))
-(allow shell_27_0 shell_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 property_socket_27_0 (sock_file (write)))
-(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 ctl_bugreport_prop_27_0 (property_service (set)))
-(allow shell_27_0 ctl_bugreport_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 property_socket_27_0 (sock_file (write)))
-(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 ctl_dumpstate_prop_27_0 (property_service (set)))
-(allow shell_27_0 ctl_dumpstate_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 property_socket_27_0 (sock_file (write)))
-(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 dumpstate_prop_27_0 (property_service (set)))
-(allow shell_27_0 dumpstate_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 property_socket_27_0 (sock_file (write)))
-(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 debug_prop_27_0 (property_service (set)))
-(allow shell_27_0 debug_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 property_socket_27_0 (sock_file (write)))
-(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 powerctl_prop_27_0 (property_service (set)))
-(allow shell_27_0 powerctl_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 property_socket_27_0 (sock_file (write)))
-(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 log_tag_prop_27_0 (property_service (set)))
-(allow shell_27_0 log_tag_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 property_socket_27_0 (sock_file (write)))
-(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 wifi_log_prop_27_0 (property_service (set)))
-(allow shell_27_0 wifi_log_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 property_socket_27_0 (sock_file (write)))
-(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 log_prop_27_0 (property_service (set)))
-(allow shell_27_0 log_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 property_socket_27_0 (sock_file (write)))
-(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 logpersistd_logging_prop_27_0 (property_service (set)))
-(allow shell_27_0 logpersistd_logging_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 boottrace_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow shell_27_0 boottrace_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow shell_27_0 property_socket_27_0 (sock_file (write)))
-(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow shell_27_0 persist_debug_prop_27_0 (property_service (set)))
-(allow shell_27_0 persist_debug_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 serialno_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 device_logging_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 servicemanager_27_0 (service_manager (list)))
-(allow shell_27_0 base_typeattr_173_27_0 (service_manager (find)))
-(allow shell_27_0 dumpstate_27_0 (binder (call)))
-(allow shell_27_0 hwservicemanager_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 shell_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 shell_27_0 (dir (search)))
-(allow hwservicemanager_27_0 shell_27_0 (file (read open)))
-(allow hwservicemanager_27_0 shell_27_0 (process (getattr)))
-(allow shell_27_0 hwservicemanager_27_0 (hwservice_manager (list)))
-(allow shell_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow shell_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow shell_27_0 proc_interrupts_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 proc_stat_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 proc_timer_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 proc_zoneinfo_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow shell_27_0 domain (dir (read getattr search open)))
-(allow shell_27_0 domain (file (read getattr open)))
-(allow shell_27_0 domain (lnk_file (read getattr open)))
-(allow shell_27_0 labeledfs_27_0 (filesystem (getattr)))
-(allow shell_27_0 proc_27_0 (filesystem (getattr)))
-(allow shell_27_0 device_27_0 (dir (getattr)))
-(allow shell_27_0 domain (process (getattr)))
-(allow shell_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 bootchart_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow shell_27_0 bootchart_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow shell_27_0 self (process (ptrace)))
-(allow shell_27_0 sysfs_batteryinfo_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 sysfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow shell_27_0 dev_type (dir (ioctl read getattr lock search open)))
-(allow shell_27_0 dev_type (chr_file (getattr)))
-(allow shell_27_0 proc_27_0 (lnk_file (getattr)))
-(allow shell_27_0 dev_type (blk_file (getattr)))
-(allow shell_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 property_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 seapp_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 service_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow shell_27_0 sepolicy_file_27_0 (file (ioctl read getattr lock map open)))
-(neverallow shell_27_0 file_type (file (link)))
-(neverallowx shell_27_0 domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx shell_27_0 domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx shell_27_0 domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx shell_27_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx shell_27_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx shell_27_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx shell_27_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx shell_27_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx shell_27_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallow shell_27_0 hw_random_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_27_0 kmem_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_27_0 port_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_27_0 fuse_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_27_0 dev_type (blk_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(allow slideshow_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow slideshow_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow slideshow_27_0 self (capability2 (block_suspend)))
-(allow slideshow_27_0 device_27_0 (dir (ioctl read getattr lock search open)))
-(allow slideshow_27_0 self (capability (sys_tty_config)))
-(allow slideshow_27_0 graphics_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow slideshow_27_0 graphics_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow slideshow_27_0 input_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow slideshow_27_0 input_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow slideshow_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow su_27_0 vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow su_27_0 vndservicemanager_27_0 (binder (call transfer)))
-(allow vndservicemanager_27_0 su_27_0 (dir (search)))
-(allow vndservicemanager_27_0 su_27_0 (file (read open)))
-(allow vndservicemanager_27_0 su_27_0 (process (getattr)))
-(dontaudit su_27_0 self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(dontaudit su_27_0 self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(dontaudit su_27_0 kernel_27_0 (security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy validate_trans)))
-(dontaudit su_27_0 kernel_27_0 (system (ipc_info syslog_read syslog_mod syslog_console module_request module_load)))
-(dontaudit su_27_0 self (memprotect (mmap_zero)))
-(dontaudit su_27_0 domain (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
-(dontaudit su_27_0 domain (fd (use)))
-(dontaudit su_27_0 domain (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_27_0 domain (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 domain (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_27_0 domain (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 domain (socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_27_0 domain (netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 domain (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_27_0 domain (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_27_0 domain (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_27_0 domain (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
-(dontaudit su_27_0 domain (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)))
-(dontaudit su_27_0 domain (netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_27_0 domain (icmp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_27_0 domain (ax25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (ipx_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (netrom_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (atmpvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (x25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (rose_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (decnet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (atmsvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (rds_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (irda_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (pppox_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (llc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (can_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (tipc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (bluetooth_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (iucv_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (rxrpc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (isdn_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (phonet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (ieee802154_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (caif_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (alg_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (vsock_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (kcm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (qipcrtr_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (smc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 domain (sem (create destroy getattr setattr read write associate unix_read unix_write)))
-(dontaudit su_27_0 domain (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)))
-(dontaudit su_27_0 domain (shm (create destroy getattr setattr read write associate unix_read unix_write lock)))
-(dontaudit su_27_0 domain (ipc (create destroy getattr setattr read write associate unix_read unix_write)))
-(dontaudit su_27_0 domain (key (view read write search link setattr create)))
-(dontaudit su_27_0 fs_type (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
-(dontaudit su_27_0 dev_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_27_0 dev_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_27_0 dev_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 dev_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_27_0 dev_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 dev_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 dev_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 fs_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_27_0 fs_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_27_0 fs_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 fs_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_27_0 fs_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 fs_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 fs_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 file_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_27_0 file_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_27_0 file_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 file_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_27_0 file_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 file_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 file_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_27_0 node_type (node (recvfrom sendto)))
-(dontaudit su_27_0 node_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_27_0 node_type (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_27_0 node_type (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_27_0 netif_type (netif (ingress egress)))
-(dontaudit su_27_0 port_type (socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_27_0 port_type (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_27_0 port_type (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_27_0 port_type (netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_27_0 port_type (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_27_0 port_type (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_27_0 port_type (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_27_0 port_type (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
-(dontaudit su_27_0 port_type (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)))
-(dontaudit su_27_0 port_type (netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_27_0 port_type (icmp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_27_0 port_type (ax25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (ipx_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (netrom_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (atmpvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (x25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (rose_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (decnet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (atmsvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (rds_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (irda_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (pppox_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (llc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (can_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (tipc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (bluetooth_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (iucv_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (rxrpc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (isdn_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (phonet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (ieee802154_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (caif_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (alg_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (vsock_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (kcm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (qipcrtr_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (smc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_27_0 port_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_27_0 port_type (dccp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_27_0 domain (peer (recv)))
-(dontaudit su_27_0 domain (binder (impersonate call set_context_mgr transfer)))
-(dontaudit su_27_0 property_type (property_service (set)))
-(dontaudit su_27_0 property_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_27_0 service_manager_type (service_manager (add find list)))
-(dontaudit su_27_0 hwservice_manager_type (hwservice_manager (add find list)))
-(dontaudit su_27_0 vndservice_manager_type (service_manager (add find list)))
-(dontaudit su_27_0 servicemanager_27_0 (service_manager (list)))
-(dontaudit su_27_0 hwservicemanager_27_0 (hwservice_manager (list)))
-(dontaudit su_27_0 vndservicemanager_27_0 (service_manager (list)))
-(dontaudit su_27_0 keystore_27_0 (keystore_key (get_state get insert delete exist list reset password lock unlock is_empty sign verify grant duplicate clear_uid add_auth user_changed gen_unique_id)))
-(dontaudit su_27_0 domain (drmservice (consumeRights setPlaybackStatus openDecryptSession closeDecryptSession initializeDecryptUnit decrypt finalizeDecryptUnit pread)))
-(dontaudit su_27_0 unlabeled_27_0 (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
-(dontaudit su_27_0 postinstall_file_27_0 (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
-(allow thermalserviced_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 thermalserviced_27_0 (dir (search)))
-(allow servicemanager_27_0 thermalserviced_27_0 (file (read open)))
-(allow servicemanager_27_0 thermalserviced_27_0 (process (getattr)))
-(allow thermalserviced_27_0 thermal_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_174_27_0 thermal_service_27_0 (service_manager (add)))
-(allow thermalserviced_27_0 hwservicemanager_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 thermalserviced_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 thermalserviced_27_0 (dir (search)))
-(allow hwservicemanager_27_0 thermalserviced_27_0 (file (read open)))
-(allow hwservicemanager_27_0 thermalserviced_27_0 (process (getattr)))
-(allow thermalserviced_27_0 thermalcallback_hwservice_27_0 (hwservice_manager (add find)))
-(allow thermalserviced_27_0 hidl_base_hwservice_27_0 (hwservice_manager (add)))
-(neverallow base_typeattr_174_27_0 thermalcallback_hwservice_27_0 (hwservice_manager (add)))
-(allow tombstoned_27_0 domain (fd (use)))
-(allow tombstoned_27_0 domain (fifo_file (write)))
-(allow tombstoned_27_0 domain (dir (ioctl read getattr lock search open)))
-(allow tombstoned_27_0 domain (file (ioctl read getattr lock map open)))
-(allow tombstoned_27_0 tombstone_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow tombstoned_27_0 tombstone_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow tombstoned_27_0 anr_data_file_27_0 (file (write append)))
-(auditallow tombstoned_27_0 anr_data_file_27_0 (file (write append)))
-(allow tombstoned_27_0 anr_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow tombstoned_27_0 anr_data_file_27_0 (file (create getattr open)))
-(allow toolbox_27_0 tmpfs_27_0 (chr_file (ioctl read write)))
-(allow toolbox_27_0 devpts_27_0 (chr_file (ioctl read write getattr)))
-(allow toolbox_27_0 block_device_27_0 (dir (search)))
-(allow toolbox_27_0 swap_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(neverallow base_typeattr_5_27_0 toolbox_27_0 (process (transition)))
-(neverallow base_typeattr_10_27_0 toolbox_27_0 (process (dyntransition)))
-(neverallow toolbox_27_0 base_typeattr_175_27_0 (file (entrypoint)))
-(allow tzdatacheck_27_0 zoneinfo_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow tzdatacheck_27_0 zoneinfo_data_file_27_0 (file (unlink)))
-(neverallow base_typeattr_176_27_0 zoneinfo_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_176_27_0 zoneinfo_data_file_27_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(allow ueventd_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow ueventd_27_0 self (capability (chown dac_override fowner fsetid setgid net_admin sys_rawio mknod)))
-(allow ueventd_27_0 device_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow ueventd_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow ueventd_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
-(allow ueventd_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow ueventd_27_0 sysfs_type (file (write lock append map open)))
-(allow ueventd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow ueventd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow ueventd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow ueventd_27_0 sysfs_type (file (setattr relabelfrom relabelto)))
-(allow ueventd_27_0 sysfs_type (lnk_file (setattr relabelfrom relabelto)))
-(allow ueventd_27_0 sysfs_type (dir (setattr relabelfrom relabelto)))
-(allow ueventd_27_0 tmpfs_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow ueventd_27_0 dev_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow ueventd_27_0 dev_type (lnk_file (create unlink)))
-(allow ueventd_27_0 dev_type (chr_file (create getattr setattr unlink)))
-(allow ueventd_27_0 dev_type (blk_file (create getattr setattr relabelfrom relabelto unlink)))
-(allow ueventd_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow ueventd_27_0 efs_file_27_0 (dir (search)))
-(allow ueventd_27_0 efs_file_27_0 (file (ioctl read getattr lock map open)))
-(allow ueventd_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow ueventd_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow ueventd_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow ueventd_27_0 base_typeattr_177_27_0 (dir (ioctl read getattr lock search open)))
-(allow ueventd_27_0 base_typeattr_177_27_0 (file (ioctl read getattr lock map open)))
-(allow ueventd_27_0 base_typeattr_177_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow ueventd_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow ueventd_27_0 self (process (setfscreate)))
-(neverallow ueventd_27_0 property_socket_27_0 (sock_file (write)))
-(neverallow ueventd_27_0 init_27_0 (unix_stream_socket (connectto)))
-(neverallow ueventd_27_0 property_type (property_service (set)))
-(neverallow ueventd_27_0 dev_type (blk_file (ioctl read write lock append map link rename execute quotaon mounton open audit_access execmod)))
-(neverallow ueventd_27_0 kmem_device_27_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow ueventd_27_0 port_device_27_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow uncrypt_27_0 self (capability (dac_override)))
-(allow uncrypt_27_0 app_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_27_0 app_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_27_0 app_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow uncrypt_27_0 shell_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_27_0 shell_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_27_0 shell_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow uncrypt_27_0 cache_file_27_0 (dir (search)))
-(allow uncrypt_27_0 cache_recovery_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow uncrypt_27_0 cache_recovery_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow uncrypt_27_0 ota_package_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_27_0 ota_package_file_27_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_27_0 uncrypt_socket_27_0 (sock_file (write)))
-(allow uncrypt_27_0 uncrypt_27_0 (unix_stream_socket (connectto)))
-(allow uncrypt_27_0 property_socket_27_0 (sock_file (write)))
-(allow uncrypt_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow uncrypt_27_0 powerctl_prop_27_0 (property_service (set)))
-(allow uncrypt_27_0 powerctl_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_27_0 self (capability (sys_rawio)))
-(allow uncrypt_27_0 misc_block_device_27_0 (blk_file (write lock append map open)))
-(allow uncrypt_27_0 block_device_27_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_27_0 userdata_block_device_27_0 (blk_file (write lock append map open)))
-(allow uncrypt_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow update_engine_27_0 qtaguid_proc_27_0 (file (ioctl read write getattr lock append map open)))
-(allow update_engine_27_0 qtaguid_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow update_engine_27_0 self (process (setsched)))
-(allow update_engine_27_0 self (capability (fowner sys_admin)))
-(allow update_engine_27_0 kmsg_device_27_0 (chr_file (write lock append map open)))
-(allow update_engine_27_0 update_engine_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow update_engine_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow update_engine_27_0 self (capability2 (block_suspend)))
-(dontaudit update_engine_27_0 kernel_27_0 (process (setsched)))
-(allow update_engine_27_0 update_engine_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow update_engine_27_0 update_engine_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(dontaudit update_engine_27_0 kernel_27_0 (system (module_request)))
-(allow update_engine_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 update_engine_27_0 (dir (search)))
-(allow servicemanager_27_0 update_engine_27_0 (file (read open)))
-(allow servicemanager_27_0 update_engine_27_0 (process (getattr)))
-(allow update_engine_27_0 update_engine_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_178_27_0 update_engine_service_27_0 (service_manager (add)))
-(allow update_engine_27_0 priv_app_27_0 (binder (call transfer)))
-(allow priv_app_27_0 update_engine_27_0 (binder (transfer)))
-(allow update_engine_27_0 priv_app_27_0 (fd (use)))
-(allow update_engine_27_0 ota_package_file_27_0 (file (ioctl read getattr lock map open)))
-(allow update_engine_27_0 ota_package_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow update_engine_common block_device_27_0 (dir (search)))
-(allow update_engine_common boot_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow update_engine_common system_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow update_engine_common misc_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow update_engine_common rootfs_27_0 (dir (getattr)))
-(allow update_engine_common rootfs_27_0 (file (ioctl read getattr lock map open)))
-(allow update_engine_common postinstall_mnt_dir_27_0 (dir (getattr mounton search)))
-(allow update_engine_common postinstall_file_27_0 (filesystem (mount unmount relabelfrom relabelto)))
-(allow update_engine_common labeledfs_27_0 (filesystem (relabelfrom)))
-(allow update_engine_common postinstall_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow update_engine_common postinstall_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow update_engine_common postinstall_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow update_engine_common cache_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow update_engine_common cache_file_27_0 (file (ioctl read getattr lock map open)))
-(allow update_engine_common cache_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow update_engine_common shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow update_engine_common postinstall_27_0 (process (sigkill sigstop signal)))
-(allow update_engine_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow update_engine_27_0 proc_misc_27_0 (file (ioctl read getattr lock map open)))
-(allow update_engine_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow update_verifier_27_0 block_device_27_0 (dir (search)))
-(allow update_verifier_27_0 ota_package_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow update_verifier_27_0 ota_package_file_27_0 (file (ioctl read getattr lock map open)))
-(allow update_verifier_27_0 dm_device_27_0 (blk_file (ioctl read getattr lock map open)))
-(allow update_verifier_27_0 property_socket_27_0 (sock_file (write)))
-(allow update_verifier_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow update_verifier_27_0 powerctl_prop_27_0 (property_service (set)))
-(allow update_verifier_27_0 powerctl_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow vdc_27_0 vold_socket_27_0 (sock_file (write)))
-(allow vdc_27_0 vold_27_0 (unix_stream_socket (connectto)))
-(allow vdc_27_0 dumpstate_27_0 (fd (use)))
-(allow vdc_27_0 dumpstate_27_0 (unix_stream_socket (read write getattr)))
-(allow vdc_27_0 shell_data_file_27_0 (file (write getattr)))
-(allow vdc_27_0 dumpstate_27_0 (unix_dgram_socket (read write)))
-(allow vdc_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vdc_27_0 kmsg_device_27_0 (chr_file (write lock append map open)))
-(neverallow base_typeattr_179_27_0 vendor_toolbox_exec_27_0 (file (execute execute_no_trans entrypoint)))
-(allow virtual_touchpad_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 virtual_touchpad_27_0 (dir (search)))
-(allow servicemanager_27_0 virtual_touchpad_27_0 (file (read open)))
-(allow servicemanager_27_0 virtual_touchpad_27_0 (process (getattr)))
-(allow virtual_touchpad_27_0 virtual_touchpad_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_180_27_0 virtual_touchpad_service_27_0 (service_manager (add)))
-(allow virtual_touchpad_27_0 system_server_27_0 (binder (call transfer)))
-(allow system_server_27_0 virtual_touchpad_27_0 (binder (transfer)))
-(allow virtual_touchpad_27_0 system_server_27_0 (fd (use)))
-(allow virtual_touchpad_27_0 uhid_device_27_0 (chr_file (ioctl write lock append map open)))
-(allow virtual_touchpad_27_0 permission_service_27_0 (service_manager (find)))
-(allow vold_27_0 cache_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow vold_27_0 cache_file_27_0 (file (read getattr)))
-(allow vold_27_0 cache_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow vold_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
-(allow vold_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
-(allow vold_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow vold_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow vold_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow vold_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow vold_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow vold_27_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow vold_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow vold_27_0 sysfs_27_0 (file (write lock append map open)))
-(allow vold_27_0 sysfs_usb_27_0 (file (write lock append map open)))
-(allow vold_27_0 sysfs_zram_uevent_27_0 (file (write lock append map open)))
-(allow vold_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow vold_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
-(allow vold_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow vold_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
-(allow vold_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow vold_27_0 self (process (setexec)))
-(allow vold_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow vold_27_0 e2fs_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow vold_27_0 self (process (setfscreate)))
-(allow vold_27_0 system_file_27_0 (file (getattr map execute execute_no_trans)))
-(allow vold_27_0 block_device_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 device_27_0 (dir (write)))
-(allow vold_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 rootfs_27_0 (dir (mounton)))
-(allow vold_27_0 sdcard_type (dir (mounton)))
-(allow vold_27_0 sdcard_type (filesystem (mount remount unmount)))
-(allow vold_27_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 sdcard_type (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_27_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 mnt_media_rw_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 storage_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 sdcard_type (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_27_0 mnt_media_rw_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_27_0 storage_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_27_0 media_rw_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 media_rw_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_27_0 mnt_media_rw_stub_file_27_0 (dir (create getattr setattr mounton rmdir)))
-(allow vold_27_0 storage_stub_file_27_0 (dir (create getattr setattr mounton rmdir)))
-(allow vold_27_0 mnt_user_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 mnt_user_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_27_0 mnt_expand_file_27_0 (dir (ioctl read write create getattr setattr lock rename mounton add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 apk_data_file_27_0 (dir (create getattr setattr)))
-(allow vold_27_0 shell_data_file_27_0 (dir (create getattr setattr)))
-(allow vold_27_0 tmpfs_27_0 (filesystem (mount unmount)))
-(allow vold_27_0 tmpfs_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 tmpfs_27_0 (dir (mounton)))
-(allow vold_27_0 self (capability (chown dac_override fowner fsetid net_admin sys_admin mknod)))
-(allow vold_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow vold_27_0 app_data_file_27_0 (dir (search)))
-(allow vold_27_0 app_data_file_27_0 (file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 loop_control_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 loop_device_27_0 (blk_file (ioctl read write create getattr setattr lock append map unlink open)))
-(allow vold_27_0 vold_device_27_0 (blk_file (ioctl read write create getattr setattr lock append map unlink open)))
-(allow vold_27_0 dm_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 dm_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 domain (dir (ioctl read getattr lock search open)))
-(allow vold_27_0 domain (file (ioctl read getattr lock map open)))
-(allow vold_27_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow vold_27_0 domain (process (sigkill signal)))
-(allow vold_27_0 self (capability (kill sys_ptrace)))
-(allow vold_27_0 sysfs_27_0 (file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 fsck_exec_27_0 (file (ioctl read getattr lock map execute open)))
-(allow vold_27_0 fscklogs_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow vold_27_0 fscklogs_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_27_0 labeledfs_27_0 (filesystem (mount unmount)))
-(allow vold_27_0 efs_file_27_0 (file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 system_data_file_27_0 (dir (ioctl read write create getattr setattr lock mounton add_name remove_name search rmdir open)))
-(allow vold_27_0 kernel_27_0 (process (setsched)))
-(allow vold_27_0 property_socket_27_0 (sock_file (write)))
-(allow vold_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow vold_27_0 vold_prop_27_0 (property_service (set)))
-(allow vold_27_0 vold_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow vold_27_0 property_socket_27_0 (sock_file (write)))
-(allow vold_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow vold_27_0 powerctl_prop_27_0 (property_service (set)))
-(allow vold_27_0 powerctl_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow vold_27_0 property_socket_27_0 (sock_file (write)))
-(allow vold_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow vold_27_0 ctl_fuse_prop_27_0 (property_service (set)))
-(allow vold_27_0 ctl_fuse_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow vold_27_0 property_socket_27_0 (sock_file (write)))
-(allow vold_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow vold_27_0 restorecon_prop_27_0 (property_service (set)))
-(allow vold_27_0 restorecon_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow vold_27_0 asec_image_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_27_0 asec_image_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow vold_27_0 asec_apk_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename mounton add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 asec_public_file_27_0 (dir (setattr relabelto)))
-(allow vold_27_0 asec_apk_file_27_0 (file (ioctl read getattr setattr lock relabelfrom relabelto map open)))
-(allow vold_27_0 asec_public_file_27_0 (file (setattr relabelto)))
-(allow vold_27_0 unlabeled_27_0 (dir (ioctl read getattr setattr lock relabelfrom search open)))
-(allow vold_27_0 unlabeled_27_0 (file (ioctl read getattr setattr lock relabelfrom map open)))
-(allow vold_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 self (capability2 (block_suspend)))
-(allow vold_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 vold_27_0 (dir (search)))
-(allow servicemanager_27_0 vold_27_0 (file (read open)))
-(allow servicemanager_27_0 vold_27_0 (process (getattr)))
-(allow vold_27_0 healthd_27_0 (binder (call transfer)))
-(allow healthd_27_0 vold_27_0 (binder (transfer)))
-(allow vold_27_0 healthd_27_0 (fd (use)))
-(allow vold_27_0 userdata_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 metadata_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 unencrypted_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_27_0 unencrypted_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 proc_drop_caches_27_0 (file (write lock append map open)))
-(allow vold_27_0 vold_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 vold_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_27_0 init_27_0 (key (write search setattr)))
-(allow vold_27_0 vold_27_0 (key (write search setattr)))
-(allow vold_27_0 self (capability (sys_nice)))
-(allow vold_27_0 self (capability (sys_chroot)))
-(allow vold_27_0 storage_file_27_0 (dir (mounton)))
-(allow vold_27_0 fuse_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vold_27_0 fuse_27_0 (filesystem (relabelfrom)))
-(allow vold_27_0 app_fusefs_27_0 (filesystem (relabelfrom relabelto)))
-(allow vold_27_0 app_fusefs_27_0 (filesystem (mount unmount)))
-(allow vold_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow vold_27_0 user_profile_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_27_0 misc_block_device_27_0 (blk_file (write lock append map open)))
-(neverallow base_typeattr_92_27_0 vold_data_file_27_0 (dir (write lock relabelfrom append map unlink link rename execute quotaon mounton add_name remove_name reparent rmdir audit_access execmod)))
-(neverallow base_typeattr_181_27_0 vold_data_file_27_0 (file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_181_27_0 vold_data_file_27_0 (lnk_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_181_27_0 vold_data_file_27_0 (sock_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_181_27_0 vold_data_file_27_0 (fifo_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_90_27_0 vold_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow base_typeattr_182_27_0 vold_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_182_27_0 vold_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_182_27_0 vold_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_182_27_0 vold_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_90_27_0 restorecon_prop_27_0 (property_service (set)))
-(neverallow vold_27_0 fsck_exec_27_0 (file (execute_no_trans)))
-(allow vr_hwc_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 vr_hwc_27_0 (dir (search)))
-(allow servicemanager_27_0 vr_hwc_27_0 (file (read open)))
-(allow servicemanager_27_0 vr_hwc_27_0 (process (getattr)))
-(allow vr_hwc_27_0 surfaceflinger_27_0 (binder (call transfer)))
-(allow surfaceflinger_27_0 vr_hwc_27_0 (binder (transfer)))
-(allow vr_hwc_27_0 surfaceflinger_27_0 (fd (use)))
-(allow vr_hwc_27_0 system_server_27_0 (binder (call transfer)))
-(allow system_server_27_0 vr_hwc_27_0 (binder (transfer)))
-(allow vr_hwc_27_0 system_server_27_0 (fd (use)))
-(allow vr_hwc_27_0 vr_hwc_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_183_27_0 vr_hwc_service_27_0 (service_manager (add)))
-(allow vr_hwc_27_0 hwservicemanager_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 vr_hwc_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 vr_hwc_27_0 (dir (search)))
-(allow hwservicemanager_27_0 vr_hwc_27_0 (file (read open)))
-(allow hwservicemanager_27_0 vr_hwc_27_0 (process (getattr)))
-(allow vr_hwc_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow vr_hwc_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow vr_hwc_27_0 pdx_display_client_endpoint_dir_type (dir (ioctl read getattr lock search open)))
-(allow vr_hwc_27_0 pdx_display_client_endpoint_socket_type (sock_file (ioctl read write getattr lock append map open)))
-(allow vr_hwc_27_0 pdx_display_client_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
-(allow vr_hwc_27_0 pdx_display_client_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
-(allow vr_hwc_27_0 pdx_display_client_server_type (fd (use)))
-(allow pdx_display_client_server_type vr_hwc_27_0 (fd (use)))
-(allow vr_hwc_27_0 permission_service_27_0 (service_manager (find)))
-(allow watchdogd_27_0 watchdog_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow watchdogd_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow wificond_27_0 servicemanager_27_0 (binder (call transfer)))
-(allow servicemanager_27_0 wificond_27_0 (dir (search)))
-(allow servicemanager_27_0 wificond_27_0 (file (read open)))
-(allow servicemanager_27_0 wificond_27_0 (process (getattr)))
-(allow wificond_27_0 system_server_27_0 (binder (call transfer)))
-(allow system_server_27_0 wificond_27_0 (binder (transfer)))
-(allow wificond_27_0 system_server_27_0 (fd (use)))
-(allow wificond_27_0 wificond_service_27_0 (service_manager (add find)))
-(neverallow base_typeattr_184_27_0 wificond_service_27_0 (service_manager (add)))
-(allow wificond_27_0 property_socket_27_0 (sock_file (write)))
-(allow wificond_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow wificond_27_0 wifi_prop_27_0 (property_service (set)))
-(allow wificond_27_0 wifi_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow wificond_27_0 property_socket_27_0 (sock_file (write)))
-(allow wificond_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow wificond_27_0 ctl_default_prop_27_0 (property_service (set)))
-(allow wificond_27_0 ctl_default_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow wificond_27_0 self (udp_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx wificond_27_0 self (ioctl udp_socket (0x8914)))
-(allow wificond_27_0 self (capability (net_admin net_raw)))
-(allow wificond_27_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow wificond_27_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow wificond_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
-(allow wificond_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
-(allow wificond_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow wificond_27_0 wifi_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow wificond_27_0 wifi_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow wificond_27_0 permission_service_27_0 (service_manager (find)))
-(allow wificond_27_0 dumpstate_27_0 (fd (use)))
-(allow wificond_27_0 dumpstate_27_0 (fifo_file (write)))
-(allow init_27_0 hal_audio_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_audio_default (process (transition)))
-(allow hal_audio_default hal_audio_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_audio_default (process (noatsecure)))
-(allow init_27_0 hal_audio_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_audio_default_exec process hal_audio_default)
-(typetransition hal_audio_default tmpfs_27_0 file hal_audio_default_tmpfs)
-(allow hal_audio_default hal_audio_default_tmpfs (file (read write getattr)))
-(allow hal_audio_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_bluetooth_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_bluetooth_default (process (transition)))
-(allow hal_bluetooth_default hal_bluetooth_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_bluetooth_default (process (noatsecure)))
-(allow init_27_0 hal_bluetooth_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_bluetooth_default_exec process hal_bluetooth_default)
-(typetransition hal_bluetooth_default tmpfs_27_0 file hal_bluetooth_default_tmpfs)
-(allow hal_bluetooth_default hal_bluetooth_default_tmpfs (file (read write getattr)))
-(allow hal_bluetooth_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_bootctl_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_bootctl_default (process (transition)))
-(allow hal_bootctl_default hal_bootctl_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_bootctl_default (process (noatsecure)))
-(allow init_27_0 hal_bootctl_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_bootctl_default_exec process hal_bootctl_default)
-(typetransition hal_bootctl_default tmpfs_27_0 file hal_bootctl_default_tmpfs)
-(allow hal_bootctl_default hal_bootctl_default_tmpfs (file (read write getattr)))
-(allow hal_bootctl_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_broadcastradio_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_broadcastradio_default (process (transition)))
-(allow hal_broadcastradio_default hal_broadcastradio_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_broadcastradio_default (process (noatsecure)))
-(allow init_27_0 hal_broadcastradio_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_broadcastradio_default_exec process hal_broadcastradio_default)
-(typetransition hal_broadcastradio_default tmpfs_27_0 file hal_broadcastradio_default_tmpfs)
-(allow hal_broadcastradio_default hal_broadcastradio_default_tmpfs (file (read write getattr)))
-(allow hal_broadcastradio_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_camera_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_camera_default (process (transition)))
-(allow hal_camera_default hal_camera_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_camera_default (process (noatsecure)))
-(allow init_27_0 hal_camera_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_camera_default_exec process hal_camera_default)
-(typetransition hal_camera_default tmpfs_27_0 file hal_camera_default_tmpfs)
-(allow hal_camera_default hal_camera_default_tmpfs (file (read write getattr)))
-(allow hal_camera_default tmpfs_27_0 (dir (getattr search)))
-(allow hal_camera_default fwk_sensor_hwservice_27_0 (hwservice_manager (find)))
-(allow init_27_0 hal_cas_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_cas_default (process (transition)))
-(allow hal_cas_default hal_cas_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_cas_default (process (noatsecure)))
-(allow init_27_0 hal_cas_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_cas_default_exec process hal_cas_default)
-(typetransition hal_cas_default tmpfs_27_0 file hal_cas_default_tmpfs)
-(allow hal_cas_default hal_cas_default_tmpfs (file (read write getattr)))
-(allow hal_cas_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_configstore_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_configstore_default (process (transition)))
-(allow hal_configstore_default hal_configstore_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_configstore_default (process (noatsecure)))
-(allow init_27_0 hal_configstore_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_configstore_default_exec process hal_configstore_default)
-(typetransition hal_configstore_default tmpfs_27_0 file hal_configstore_default_tmpfs)
-(allow hal_configstore_default hal_configstore_default_tmpfs (file (read write getattr)))
-(allow hal_configstore_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_contexthub_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_contexthub_default (process (transition)))
-(allow hal_contexthub_default hal_contexthub_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_contexthub_default (process (noatsecure)))
-(allow init_27_0 hal_contexthub_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_contexthub_default_exec process hal_contexthub_default)
-(typetransition hal_contexthub_default tmpfs_27_0 file hal_contexthub_default_tmpfs)
-(allow hal_contexthub_default hal_contexthub_default_tmpfs (file (read write getattr)))
-(allow hal_contexthub_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_drm_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_drm_default (process (transition)))
-(allow hal_drm_default hal_drm_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_drm_default (process (noatsecure)))
-(allow init_27_0 hal_drm_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_drm_default_exec process hal_drm_default)
-(typetransition hal_drm_default tmpfs_27_0 file hal_drm_default_tmpfs)
-(allow hal_drm_default hal_drm_default_tmpfs (file (read write getattr)))
-(allow hal_drm_default tmpfs_27_0 (dir (getattr search)))
-(allow hal_drm_default mediacodec_27_0 (fd (use)))
-(allow hal_drm_default base_typeattr_101_27_0 (fd (use)))
-(allow init_27_0 hal_dumpstate_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_dumpstate_default (process (transition)))
-(allow hal_dumpstate_default hal_dumpstate_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_dumpstate_default (process (noatsecure)))
-(allow init_27_0 hal_dumpstate_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_dumpstate_default_exec process hal_dumpstate_default)
-(typetransition hal_dumpstate_default tmpfs_27_0 file hal_dumpstate_default_tmpfs)
-(allow hal_dumpstate_default hal_dumpstate_default_tmpfs (file (read write getattr)))
-(allow hal_dumpstate_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_fingerprint_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_fingerprint_default (process (transition)))
-(allow hal_fingerprint_default hal_fingerprint_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_fingerprint_default (process (noatsecure)))
-(allow init_27_0 hal_fingerprint_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_fingerprint_default_exec process hal_fingerprint_default)
-(typetransition hal_fingerprint_default tmpfs_27_0 file hal_fingerprint_default_tmpfs)
-(allow hal_fingerprint_default hal_fingerprint_default_tmpfs (file (read write getattr)))
-(allow hal_fingerprint_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_gatekeeper_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_gatekeeper_default (process (transition)))
-(allow hal_gatekeeper_default hal_gatekeeper_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_gatekeeper_default (process (noatsecure)))
-(allow init_27_0 hal_gatekeeper_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_gatekeeper_default_exec process hal_gatekeeper_default)
-(typetransition hal_gatekeeper_default tmpfs_27_0 file hal_gatekeeper_default_tmpfs)
-(allow hal_gatekeeper_default hal_gatekeeper_default_tmpfs (file (read write getattr)))
-(allow hal_gatekeeper_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_gnss_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_gnss_default (process (transition)))
-(allow hal_gnss_default hal_gnss_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_gnss_default (process (noatsecure)))
-(allow init_27_0 hal_gnss_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_gnss_default_exec process hal_gnss_default)
-(typetransition hal_gnss_default tmpfs_27_0 file hal_gnss_default_tmpfs)
-(allow hal_gnss_default hal_gnss_default_tmpfs (file (read write getattr)))
-(allow hal_gnss_default tmpfs_27_0 (dir (getattr search)))
-(allow hal_gnss system_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow hal_gnss system_file_27_0 (file (ioctl read getattr lock map open)))
-(allow hal_gnss system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 hal_graphics_allocator_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_graphics_allocator_default (process (transition)))
-(allow hal_graphics_allocator_default hal_graphics_allocator_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_graphics_allocator_default (process (noatsecure)))
-(allow init_27_0 hal_graphics_allocator_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_graphics_allocator_default_exec process hal_graphics_allocator_default)
-(typetransition hal_graphics_allocator_default tmpfs_27_0 file hal_graphics_allocator_default_tmpfs)
-(allow hal_graphics_allocator_default hal_graphics_allocator_default_tmpfs (file (read write getattr)))
-(allow hal_graphics_allocator_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_graphics_composer_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_graphics_composer_default (process (transition)))
-(allow hal_graphics_composer_default hal_graphics_composer_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_graphics_composer_default (process (noatsecure)))
-(allow init_27_0 hal_graphics_composer_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_graphics_composer_default_exec process hal_graphics_composer_default)
-(typetransition hal_graphics_composer_default tmpfs_27_0 file hal_graphics_composer_default_tmpfs)
-(allow hal_graphics_composer_default hal_graphics_composer_default_tmpfs (file (read write getattr)))
-(allow hal_graphics_composer_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_health_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_health_default (process (transition)))
-(allow hal_health_default hal_health_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_health_default (process (noatsecure)))
-(allow init_27_0 hal_health_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_health_default_exec process hal_health_default)
-(typetransition hal_health_default tmpfs_27_0 file hal_health_default_tmpfs)
-(allow hal_health_default hal_health_default_tmpfs (file (read write getattr)))
-(allow hal_health_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_ir_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_ir_default (process (transition)))
-(allow hal_ir_default hal_ir_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_ir_default (process (noatsecure)))
-(allow init_27_0 hal_ir_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_ir_default_exec process hal_ir_default)
-(typetransition hal_ir_default tmpfs_27_0 file hal_ir_default_tmpfs)
-(allow hal_ir_default hal_ir_default_tmpfs (file (read write getattr)))
-(allow hal_ir_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_keymaster_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_keymaster_default (process (transition)))
-(allow hal_keymaster_default hal_keymaster_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_keymaster_default (process (noatsecure)))
-(allow init_27_0 hal_keymaster_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_keymaster_default_exec process hal_keymaster_default)
-(typetransition hal_keymaster_default tmpfs_27_0 file hal_keymaster_default_tmpfs)
-(allow hal_keymaster_default hal_keymaster_default_tmpfs (file (read write getattr)))
-(allow hal_keymaster_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_light_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_light_default (process (transition)))
-(allow hal_light_default hal_light_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_light_default (process (noatsecure)))
-(allow init_27_0 hal_light_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_light_default_exec process hal_light_default)
-(typetransition hal_light_default tmpfs_27_0 file hal_light_default_tmpfs)
-(allow hal_light_default hal_light_default_tmpfs (file (read write getattr)))
-(allow hal_light_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_memtrack_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_memtrack_default (process (transition)))
-(allow hal_memtrack_default hal_memtrack_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_memtrack_default (process (noatsecure)))
-(allow init_27_0 hal_memtrack_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_memtrack_default_exec process hal_memtrack_default)
-(typetransition hal_memtrack_default tmpfs_27_0 file hal_memtrack_default_tmpfs)
-(allow hal_memtrack_default hal_memtrack_default_tmpfs (file (read write getattr)))
-(allow hal_memtrack_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_nfc_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_nfc_default (process (transition)))
-(allow hal_nfc_default hal_nfc_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_nfc_default (process (noatsecure)))
-(allow init_27_0 hal_nfc_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_nfc_default_exec process hal_nfc_default)
-(typetransition hal_nfc_default tmpfs_27_0 file hal_nfc_default_tmpfs)
-(allow hal_nfc_default hal_nfc_default_tmpfs (file (read write getattr)))
-(allow hal_nfc_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 mediacodec_exec_27_0 (file (read getattr map execute open)))
-(allow init_27_0 mediacodec_27_0 (process (transition)))
-(allow mediacodec_27_0 mediacodec_exec_27_0 (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 mediacodec_27_0 (process (noatsecure)))
-(allow init_27_0 mediacodec_27_0 (process (siginh rlimitinh)))
-(typetransition init_27_0 mediacodec_exec_27_0 process mediacodec)
-(typetransition mediacodec_27_0 tmpfs_27_0 file mediacodec_tmpfs)
-(allow mediacodec_27_0 mediacodec_tmpfs (file (read write getattr)))
-(allow mediacodec_27_0 tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_power_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_power_default (process (transition)))
-(allow hal_power_default hal_power_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_power_default (process (noatsecure)))
-(allow init_27_0 hal_power_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_power_default_exec process hal_power_default)
-(typetransition hal_power_default tmpfs_27_0 file hal_power_default_tmpfs)
-(allow hal_power_default hal_power_default_tmpfs (file (read write getattr)))
-(allow hal_power_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_sensors_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_sensors_default (process (transition)))
-(allow hal_sensors_default hal_sensors_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_sensors_default (process (noatsecure)))
-(allow init_27_0 hal_sensors_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_sensors_default_exec process hal_sensors_default)
-(typetransition hal_sensors_default tmpfs_27_0 file hal_sensors_default_tmpfs)
-(allow hal_sensors_default hal_sensors_default_tmpfs (file (read write getattr)))
-(allow hal_sensors_default tmpfs_27_0 (dir (getattr search)))
-(allow hal_sensors_default fwk_scheduler_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_sensors_default hal_graphics_allocator_default (fd (use)))
-(allow hal_sensors_default ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_sensors_default sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_sensors_default self (capability2 (block_suspend)))
-(allow init_27_0 hal_tetheroffload_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_tetheroffload_default (process (transition)))
-(allow hal_tetheroffload_default hal_tetheroffload_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_tetheroffload_default (process (noatsecure)))
-(allow init_27_0 hal_tetheroffload_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_tetheroffload_default_exec process hal_tetheroffload_default)
-(typetransition hal_tetheroffload_default tmpfs_27_0 file hal_tetheroffload_default_tmpfs)
-(allow hal_tetheroffload_default hal_tetheroffload_default_tmpfs (file (read write getattr)))
-(allow hal_tetheroffload_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_thermal_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_thermal_default (process (transition)))
-(allow hal_thermal_default hal_thermal_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_thermal_default (process (noatsecure)))
-(allow init_27_0 hal_thermal_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_thermal_default_exec process hal_thermal_default)
-(typetransition hal_thermal_default tmpfs_27_0 file hal_thermal_default_tmpfs)
-(allow hal_thermal_default hal_thermal_default_tmpfs (file (read write getattr)))
-(allow hal_thermal_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_tv_cec_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_tv_cec_default (process (transition)))
-(allow hal_tv_cec_default hal_tv_cec_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_tv_cec_default (process (noatsecure)))
-(allow init_27_0 hal_tv_cec_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_tv_cec_default_exec process hal_tv_cec_default)
-(typetransition hal_tv_cec_default tmpfs_27_0 file hal_tv_cec_default_tmpfs)
-(allow hal_tv_cec_default hal_tv_cec_default_tmpfs (file (read write getattr)))
-(allow hal_tv_cec_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_tv_input_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_tv_input_default (process (transition)))
-(allow hal_tv_input_default hal_tv_input_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_tv_input_default (process (noatsecure)))
-(allow init_27_0 hal_tv_input_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_tv_input_default_exec process hal_tv_input_default)
-(typetransition hal_tv_input_default tmpfs_27_0 file hal_tv_input_default_tmpfs)
-(allow hal_tv_input_default hal_tv_input_default_tmpfs (file (read write getattr)))
-(allow hal_tv_input_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_usb_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_usb_default (process (transition)))
-(allow hal_usb_default hal_usb_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_usb_default (process (noatsecure)))
-(allow init_27_0 hal_usb_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_usb_default_exec process hal_usb_default)
-(typetransition hal_usb_default tmpfs_27_0 file hal_usb_default_tmpfs)
-(allow hal_usb_default hal_usb_default_tmpfs (file (read write getattr)))
-(allow hal_usb_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_vibrator_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_vibrator_default (process (transition)))
-(allow hal_vibrator_default hal_vibrator_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_vibrator_default (process (noatsecure)))
-(allow init_27_0 hal_vibrator_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_vibrator_default_exec process hal_vibrator_default)
-(typetransition hal_vibrator_default tmpfs_27_0 file hal_vibrator_default_tmpfs)
-(allow hal_vibrator_default hal_vibrator_default_tmpfs (file (read write getattr)))
-(allow hal_vibrator_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_vr_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_vr_default (process (transition)))
-(allow hal_vr_default hal_vr_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_vr_default (process (noatsecure)))
-(allow init_27_0 hal_vr_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_vr_default_exec process hal_vr_default)
-(typetransition hal_vr_default tmpfs_27_0 file hal_vr_default_tmpfs)
-(allow hal_vr_default hal_vr_default_tmpfs (file (read write getattr)))
-(allow hal_vr_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_wifi_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_wifi_default (process (transition)))
-(allow hal_wifi_default hal_wifi_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_wifi_default (process (noatsecure)))
-(allow init_27_0 hal_wifi_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_wifi_default_exec process hal_wifi_default)
-(typetransition hal_wifi_default tmpfs_27_0 file hal_wifi_default_tmpfs)
-(allow hal_wifi_default hal_wifi_default_tmpfs (file (read write getattr)))
-(allow hal_wifi_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_wifi_offload_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_wifi_offload_default (process (transition)))
-(allow hal_wifi_offload_default hal_wifi_offload_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_wifi_offload_default (process (noatsecure)))
-(allow init_27_0 hal_wifi_offload_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_wifi_offload_default_exec process hal_wifi_offload_default)
-(typetransition hal_wifi_offload_default tmpfs_27_0 file hal_wifi_offload_default_tmpfs)
-(allow hal_wifi_offload_default hal_wifi_offload_default_tmpfs (file (read write getattr)))
-(allow hal_wifi_offload_default tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 hal_wifi_supplicant_default_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_wifi_supplicant_default (process (transition)))
-(allow hal_wifi_supplicant_default hal_wifi_supplicant_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_wifi_supplicant_default (process (noatsecure)))
-(allow init_27_0 hal_wifi_supplicant_default (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_wifi_supplicant_default_exec process hal_wifi_supplicant_default)
-(typetransition hal_wifi_supplicant_default tmpfs_27_0 file hal_wifi_supplicant_default_tmpfs)
-(allow hal_wifi_supplicant_default hal_wifi_supplicant_default_tmpfs (file (read write getattr)))
-(allow hal_wifi_supplicant_default tmpfs_27_0 (dir (getattr search)))
-(allow hal_wifi_supplicant_default hwservicemanager_27_0 (binder (call transfer)))
-(allow hwservicemanager_27_0 hal_wifi_supplicant_default (binder (call transfer)))
-(allow hwservicemanager_27_0 hal_wifi_supplicant_default (dir (search)))
-(allow hwservicemanager_27_0 hal_wifi_supplicant_default (file (read open)))
-(allow hwservicemanager_27_0 hal_wifi_supplicant_default (process (getattr)))
-(allow hal_wifi_supplicant_default system_wifi_keystore_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_wifi_supplicant_default wifi_keystore_service_server (binder (call transfer)))
-(allow wifi_keystore_service_server hal_wifi_supplicant_default (binder (transfer)))
-(allow hal_wifi_supplicant_default wifi_keystore_service_server (fd (use)))
-(allow init_27_0 hostapd_exec (file (read getattr map execute open)))
-(allow init_27_0 hostapd (process (transition)))
-(allow hostapd hostapd_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hostapd (process (noatsecure)))
-(allow init_27_0 hostapd (process (siginh rlimitinh)))
-(typetransition init_27_0 hostapd_exec process hostapd)
-(typetransition hostapd tmpfs_27_0 file hostapd_tmpfs)
-(allow hostapd hostapd_tmpfs (file (read write getattr)))
-(allow hostapd tmpfs_27_0 (dir (getattr search)))
-(allow hostapd self (capability (net_admin net_raw)))
-(allow hostapd sysfs_27_0 (file (ioctl read getattr lock map open)))
-(allow hostapd sysfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hostapd proc_net_27_0 (file (read getattr open)))
-(allowx hostapd self (ioctl udp_socket (0x6900 0x6902)))
-(allowx hostapd self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx hostapd self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hostapd self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hostapd self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hostapd self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hostapd self (netlink_route_socket (nlmsg_write)))
-(allow hostapd wifi_data_file_27_0 (file (ioctl read write getattr lock append map open)))
-(allow hostapd wifi_data_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow hostapd wifi_data_file_27_0 (file (ioctl read getattr lock map open)))
-(allow hostapd wifi_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hostapd hostapd_socket (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hostapd hostapd_socket (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_27_0 rild_exec (file (read getattr map execute open)))
-(allow init_27_0 rild_27_0 (process (transition)))
-(allow rild_27_0 rild_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 rild_27_0 (process (noatsecure)))
-(allow init_27_0 rild_27_0 (process (siginh rlimitinh)))
-(typetransition init_27_0 rild_exec process rild)
-(typetransition rild_27_0 tmpfs_27_0 file rild_tmpfs)
-(allow rild_27_0 rild_tmpfs (file (read write getattr)))
-(allow rild_27_0 tmpfs_27_0 (dir (getattr search)))
-(allow init_27_0 tee_exec (file (read getattr map execute open)))
-(allow init_27_0 tee_27_0 (process (transition)))
-(allow tee_27_0 tee_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 tee_27_0 (process (noatsecure)))
-(allow init_27_0 tee_27_0 (process (siginh rlimitinh)))
-(typetransition init_27_0 tee_exec process tee)
-(typetransition tee_27_0 tmpfs_27_0 file tee_tmpfs)
-(allow tee_27_0 tee_tmpfs (file (read write getattr)))
-(allow tee_27_0 tmpfs_27_0 (dir (getattr search)))
-(allow tee_27_0 self (capability (dac_override)))
-(allow tee_27_0 tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow tee_27_0 tee_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow tee_27_0 tee_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow tee_27_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow tee_27_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow tee_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
-(allow tee_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow tee_27_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow tee_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow tee_27_0 system_data_file_27_0 (file (read getattr)))
-(allow tee_27_0 system_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 vendor_toolbox_exec_27_0 (file (read getattr map execute open)))
-(allow init_27_0 vendor_modprobe (process (transition)))
-(allow vendor_modprobe vendor_toolbox_exec_27_0 (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 vendor_modprobe (process (noatsecure)))
-(allow init_27_0 vendor_modprobe (process (siginh rlimitinh)))
-(allow vendor_modprobe proc_modules_27_0 (file (ioctl read getattr lock map open)))
-(allow vendor_modprobe self (capability (sys_module)))
-(allow vendor_modprobe kernel_27_0 (key (search)))
-(allow vendor_modprobe vendor_file_27_0 (system (module_load)))
-(allow vendor_modprobe vendor_file_27_0 (dir (ioctl read getattr lock search open)))
-(allow vendor_modprobe vendor_file_27_0 (file (ioctl read getattr lock map open)))
-(allow vendor_modprobe vendor_file_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_27_0 vndservicemanager_exec (file (read getattr map execute open)))
-(allow init_27_0 vndservicemanager_27_0 (process (transition)))
-(allow vndservicemanager_27_0 vndservicemanager_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 vndservicemanager_27_0 (process (noatsecure)))
-(allow init_27_0 vndservicemanager_27_0 (process (siginh rlimitinh)))
-(typetransition init_27_0 vndservicemanager_exec process vndservicemanager)
-(typetransition vndservicemanager_27_0 tmpfs_27_0 file vndservicemanager_tmpfs)
-(allow vndservicemanager_27_0 vndservicemanager_tmpfs (file (read write getattr)))
-(allow vndservicemanager_27_0 tmpfs_27_0 (dir (getattr search)))
-(allow vndservicemanager_27_0 self (binder (set_context_mgr)))
-(allow vndservicemanager_27_0 base_typeattr_185_27_0 (binder (transfer)))
-(allow vndservicemanager_27_0 vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vndservicemanager_27_0 vndservice_contexts_file_27_0 (file (ioctl read getattr lock map open)))
-(allow vndservicemanager_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
-(allow vndservicemanager_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
-(allow vndservicemanager_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
-(allow vndservicemanager_27_0 selinuxfs_27_0 (file (write lock append map open)))
-(allow vndservicemanager_27_0 kernel_27_0 (security (compute_av)))
-(allow vndservicemanager_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow adbd_27_0 property_socket_27_0 (sock_file (write)))
-(allow adbd_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow adbd_27_0 ctl_mdnsd_prop_27_0 (property_service (set)))
-(allow adbd_27_0 ctl_mdnsd_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow audioserver_27_0 bootanim_27_0 (binder (call)))
-(allow bootanim_27_0 self (process (execmem)))
-(allow bootanim_27_0 ashmem_device_27_0 (chr_file (execute)))
-(dontaudit bootanim_27_0 system_data_file_27_0 (dir (read)))
-(allow bootanim_27_0 property_socket_27_0 (sock_file (write)))
-(allow bootanim_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow bootanim_27_0 qemu_prop (property_service (set)))
-(allow bootanim_27_0 qemu_prop (file (ioctl read getattr lock map open)))
-(allow cameraserver_27_0 system_file_27_0 (dir (read open)))
-(allow cameraserver_27_0 hal_allocator (fd (use)))
-(allow domain sysfs_writable (dir (search)))
-(allow domain sysfs_writable (file (ioctl read write getattr lock append map open)))
-(allow domain qemu_device (chr_file (ioctl read write getattr lock append map open)))
-(allow domain qemu_prop (file (ioctl read getattr lock map open)))
-(allow init_27_0 goldfish_setup_exec (file (read getattr map execute open)))
-(allow init_27_0 goldfish_setup (process (transition)))
-(allow goldfish_setup goldfish_setup_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 goldfish_setup (process (noatsecure)))
-(allow init_27_0 goldfish_setup (process (siginh rlimitinh)))
-(typetransition init_27_0 goldfish_setup_exec process goldfish_setup)
-(typetransition goldfish_setup tmpfs_27_0 file goldfish_setup_tmpfs)
-(allow goldfish_setup goldfish_setup_tmpfs (file (read write getattr)))
-(allow goldfish_setup tmpfs_27_0 (dir (getattr search)))
-(allow goldfish_setup self (capability (net_admin net_raw)))
-(allow goldfish_setup self (udp_socket (ioctl create)))
-(allow goldfish_setup vendor_toolbox_exec_27_0 (file (execute_no_trans)))
-(allowx goldfish_setup self (ioctl udp_socket (0x6900 0x6902)))
-(allowx goldfish_setup self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx goldfish_setup self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow goldfish_setup sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
-(allow goldfish_setup self (capability2 (block_suspend)))
-(allow goldfish_setup vendor_shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow hal_camera_default vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_camera_default vndservicemanager_27_0 (binder (call transfer)))
-(allow vndservicemanager_27_0 hal_camera_default (dir (search)))
-(allow vndservicemanager_27_0 hal_camera_default (file (read open)))
-(allow vndservicemanager_27_0 hal_camera_default (process (getattr)))
-(allow hal_camera_default hal_graphics_mapper_hwservice_27_0 (hwservice_manager (find)))
-(allow hal_cas_default vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_cas_default vndservicemanager_27_0 (binder (call transfer)))
-(allow vndservicemanager_27_0 hal_cas_default (dir (search)))
-(allow vndservicemanager_27_0 hal_cas_default (file (read open)))
-(allow vndservicemanager_27_0 hal_cas_default (process (getattr)))
-(allow hal_drm_default vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_drm_default vndservicemanager_27_0 (binder (call transfer)))
-(allow vndservicemanager_27_0 hal_drm_default (dir (search)))
-(allow vndservicemanager_27_0 hal_drm_default (file (read open)))
-(allow vndservicemanager_27_0 hal_drm_default (process (getattr)))
-(allow init_27_0 hal_drm_widevine_exec (file (read getattr map execute open)))
-(allow init_27_0 hal_drm_widevine (process (transition)))
-(allow hal_drm_widevine hal_drm_widevine_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 hal_drm_widevine (process (noatsecure)))
-(allow init_27_0 hal_drm_widevine (process (siginh rlimitinh)))
-(typetransition init_27_0 hal_drm_widevine_exec process hal_drm_widevine)
-(typetransition hal_drm_widevine tmpfs_27_0 file hal_drm_widevine_tmpfs)
-(allow hal_drm_widevine hal_drm_widevine_tmpfs (file (read write getattr)))
-(allow hal_drm_widevine tmpfs_27_0 (dir (getattr search)))
-(allow hal_drm mediacodec_27_0 (fd (use)))
-(allow hal_drm base_typeattr_101_27_0 (fd (use)))
-(allow hal_drm_widevine vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_drm_widevine vndservicemanager_27_0 (binder (call transfer)))
-(allow vndservicemanager_27_0 hal_drm_widevine (dir (search)))
-(allow vndservicemanager_27_0 hal_drm_widevine (file (read open)))
-(allow vndservicemanager_27_0 hal_drm_widevine (process (getattr)))
-(allow hal_gnss_default vndbinder_device_27_0 (chr_file (ioctl read write open)))
-(allow hal_graphics_composer_default vndbinder_device_27_0 (chr_file (ioctl read write open)))
-(allow init_27_0 tmpfs_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(dontaudit init_27_0 kernel_27_0 (system (module_request)))
-(allow init_27_0 logcat_exec_27_0 (file (read getattr map execute open)))
-(allow init_27_0 logpersist_27_0 (process (transition)))
-(allow logpersist_27_0 logcat_exec_27_0 (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 logpersist_27_0 (process (noatsecure)))
-(allow init_27_0 logpersist_27_0 (process (siginh rlimitinh)))
-(typetransition init_27_0 logcat_exec_27_0 process logpersist)
-(allow logpersist_27_0 logdr_socket_27_0 (sock_file (write)))
-(allow logpersist_27_0 logd_27_0 (unix_stream_socket (connectto)))
-(allow logpersist_27_0 serial_device_27_0 (chr_file (write open)))
-(allow logpersist_27_0 qemu_cmdline (file (ioctl read getattr lock map open)))
-(allow mediacodec_27_0 system_file_27_0 (dir (read open)))
-(dontaudit netd_27_0 self (capability (sys_module)))
-(dontaudit netd_27_0 kernel_27_0 (system (module_request)))
-(dontaudit priv_app_27_0 firstboot_prop_27_0 (file (getattr open)))
-(dontaudit priv_app_27_0 device_27_0 (dir (read open)))
-(dontaudit priv_app_27_0 proc_interrupts_27_0 (file (read getattr open)))
-(dontaudit priv_app_27_0 proc_modules_27_0 (file (read getattr open)))
-(allow init_27_0 qemu_props_exec (file (read getattr map execute open)))
-(allow init_27_0 qemu_props (process (transition)))
-(allow qemu_props qemu_props_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_27_0 qemu_props (process (noatsecure)))
-(allow init_27_0 qemu_props (process (siginh rlimitinh)))
-(typetransition init_27_0 qemu_props_exec process qemu_props)
-(typetransition qemu_props tmpfs_27_0 file qemu_props_tmpfs)
-(allow qemu_props qemu_props_tmpfs (file (read write getattr)))
-(allow qemu_props tmpfs_27_0 (dir (getattr search)))
-(allow qemu_props property_socket_27_0 (sock_file (write)))
-(allow qemu_props init_27_0 (unix_stream_socket (connectto)))
-(allow qemu_props qemu_prop (property_service (set)))
-(allow qemu_props qemu_prop (file (ioctl read getattr lock map open)))
-(allow qemu_props property_socket_27_0 (sock_file (write)))
-(allow qemu_props init_27_0 (unix_stream_socket (connectto)))
-(allow qemu_props dalvik_prop_27_0 (property_service (set)))
-(allow qemu_props dalvik_prop_27_0 (file (ioctl read getattr lock map open)))
-(allow qemu_props property_socket_27_0 (sock_file (write)))
-(allow qemu_props init_27_0 (unix_stream_socket (connectto)))
-(allow qemu_props qemu_cmdline (property_service (set)))
-(allow qemu_props qemu_cmdline (file (ioctl read getattr lock map open)))
-(allow shell_27_0 serial_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow surfaceflinger_27_0 self (process (execmem)))
-(allow surfaceflinger_27_0 ashmem_device_27_0 (chr_file (execute)))
-(allow surfaceflinger_27_0 property_socket_27_0 (sock_file (write)))
-(allow surfaceflinger_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow surfaceflinger_27_0 qemu_prop (property_service (set)))
-(allow surfaceflinger_27_0 qemu_prop (file (ioctl read getattr lock map open)))
-(allow system_server_27_0 opengles_prop (file (ioctl read getattr lock map open)))
-(allow system_server_27_0 radio_noril_prop (file (ioctl read getattr lock map open)))
-(dontaudit vold_27_0 kernel_27_0 (system (module_request)))
-(allow zygote_27_0 property_socket_27_0 (sock_file (write)))
-(allow zygote_27_0 init_27_0 (unix_stream_socket (connectto)))
-(allow zygote_27_0 qemu_prop (property_service (set)))
-(allow zygote_27_0 qemu_prop (file (ioctl read getattr lock map open)))
-(dontaudit webview_zygote_27_0 mnt_expand_file_27_0 (dir (getattr)))
-(typetransition hal_wifi_supplicant_default wifi_data_file_27_0 dir "sockets" wpa_socket)
-(typeattribute base_typeattr_185_27_0)
-(typeattributeset base_typeattr_185_27_0 ((and (domain) ((not (coredomain init_27_0))))))
-(typeattribute base_typeattr_184_27_0)
-(typeattributeset base_typeattr_184_27_0 ((and (domain) ((not (wificond_27_0))))))
-(typeattribute base_typeattr_183_27_0)
-(typeattributeset base_typeattr_183_27_0 ((and (domain) ((not (vr_hwc_27_0))))))
-(typeattribute base_typeattr_182_27_0)
-(typeattributeset base_typeattr_182_27_0 ((and (domain) ((not (init_27_0 kernel_27_0 vold_27_0))))))
-(typeattribute base_typeattr_181_27_0)
-(typeattributeset base_typeattr_181_27_0 ((and (domain) ((not (kernel_27_0 vold_27_0))))))
-(typeattribute base_typeattr_180_27_0)
-(typeattributeset base_typeattr_180_27_0 ((and (domain) ((not (virtual_touchpad_27_0))))))
-(typeattribute base_typeattr_179_27_0)
-(typeattributeset base_typeattr_179_27_0 ((and (coredomain) ((not (init_27_0 modprobe_27_0))))))
-(typeattribute base_typeattr_178_27_0)
-(typeattributeset base_typeattr_178_27_0 ((and (domain) ((not (update_engine_27_0))))))
-(typeattribute base_typeattr_177_27_0)
-(typeattributeset base_typeattr_177_27_0 ((and (vendor_file_type) ((not (vendor_app_file_27_0 vendor_overlay_file_27_0))))))
-(typeattribute base_typeattr_176_27_0)
-(typeattributeset base_typeattr_176_27_0 ((and (domain) ((not (init_27_0 system_server_27_0 tzdatacheck_27_0))))))
-(typeattribute base_typeattr_175_27_0)
-(typeattributeset base_typeattr_175_27_0 ((and (fs_type file_type) ((not (toolbox_exec_27_0))))))
-(typeattribute base_typeattr_174_27_0)
-(typeattributeset base_typeattr_174_27_0 ((and (domain) ((not (thermalserviced_27_0))))))
-(typeattribute base_typeattr_173_27_0)
-(typeattributeset base_typeattr_173_27_0 ((and (service_manager_type) ((not (gatekeeper_service_27_0 incident_service_27_0 installd_service_27_0 netd_service_27_0 virtual_touchpad_service_27_0 vr_hwc_service_27_0))))))
-(typeattribute base_typeattr_172_27_0)
-(typeattributeset base_typeattr_172_27_0 ((and (fs_type file_type) ((not (sgdisk_exec_27_0))))))
-(typeattribute base_typeattr_171_27_0)
-(typeattributeset base_typeattr_171_27_0 ((and (domain) ((not (hwservicemanager_27_0 init_27_0 vndservicemanager_27_0))))))
-(typeattribute base_typeattr_170_27_0)
-(typeattributeset base_typeattr_170_27_0 ((and (appdomain) ((not (system_app_27_0))))))
-(typeattribute base_typeattr_169_27_0)
-(typeattributeset base_typeattr_169_27_0 ((and (data_file_type) ((not (cache_file_27_0 cache_recovery_file_27_0))))))
-(typeattribute base_typeattr_168_27_0)
-(typeattributeset base_typeattr_168_27_0 ((and (domain) ((not (radio_27_0))))))
-(typeattribute base_typeattr_167_27_0)
-(typeattributeset base_typeattr_167_27_0 ((and (core_property_type) ((not (audio_prop_27_0 config_prop_27_0 cppreopt_prop_27_0 dalvik_prop_27_0 debuggerd_prop_27_0 debug_prop_27_0 default_prop_27_0 dhcp_prop_27_0 dumpstate_prop_27_0 ffs_prop_27_0 fingerprint_prop_27_0 logd_prop_27_0 net_radio_prop_27_0 nfc_prop_27_0 pan_result_prop_27_0 persist_debug_prop_27_0 powerctl_prop_27_0 radio_prop_27_0 restorecon_prop_27_0 shell_prop_27_0 system_prop_27_0 system_radio_prop_27_0 vold_prop_27_0))))))
-(typeattribute base_typeattr_166_27_0)
-(typeattributeset base_typeattr_166_27_0 ((and (domain) ((not (performanced_27_0))))))
-(typeattribute base_typeattr_165_27_0)
-(typeattributeset base_typeattr_165_27_0 ((and (domain) ((not (init_27_0 netd_27_0))))))
-(typeattribute base_typeattr_164_27_0)
-(typeattributeset base_typeattr_164_27_0 ((and (appdomain) ((not (su_27_0))))))
-(typeattribute base_typeattr_163_27_0)
-(typeattributeset base_typeattr_163_27_0 ((and (domain) ((not (dumpstate_27_0 netd_27_0 system_server_27_0))))))
-(typeattribute base_typeattr_162_27_0)
-(typeattributeset base_typeattr_162_27_0 ((and (domain) ((not (netd_27_0))))))
-(typeattribute base_typeattr_161_27_0)
-(typeattributeset base_typeattr_161_27_0 ((and (domain) ((not (mediaserver_27_0))))))
-(typeattribute base_typeattr_160_27_0)
-(typeattributeset base_typeattr_160_27_0 ((and (domain) ((not (mediametrics_27_0))))))
-(typeattribute base_typeattr_159_27_0)
-(typeattributeset base_typeattr_159_27_0 ((and (domain) ((not (mediaextractor_27_0))))))
-(typeattribute base_typeattr_158_27_0)
-(typeattributeset base_typeattr_158_27_0 ((and (domain) ((not (mediadrmserver_27_0))))))
-(typeattribute base_typeattr_157_27_0)
-(typeattributeset base_typeattr_157_27_0 ((and (domain) ((not (mediacodec_27_0))))))
-(typeattribute base_typeattr_156_27_0)
-(typeattributeset base_typeattr_156_27_0 ((and (domain) ((not (init_27_0 logd_27_0))))))
-(typeattribute base_typeattr_155_27_0)
-(typeattributeset base_typeattr_155_27_0 ((and (domain) ((not (crash_dump_27_0))))))
-(typeattribute base_typeattr_154_27_0)
-(typeattributeset base_typeattr_154_27_0 ((and (domain) ((not (init_27_0 keystore_27_0))))))
-(typeattribute base_typeattr_153_27_0)
-(typeattributeset base_typeattr_153_27_0 ((and (domain) ((not (keystore_27_0))))))
-(typeattribute base_typeattr_152_27_0)
-(typeattributeset base_typeattr_152_27_0 ((and (domain) ((not (servicemanager_27_0 su_27_0 system_server_27_0))))))
-(typeattribute base_typeattr_151_27_0)
-(typeattributeset base_typeattr_151_27_0 ((and (domain) ((not (dumpstate_27_0 installd_27_0 system_server_27_0))))))
-(typeattribute base_typeattr_150_27_0)
-(typeattributeset base_typeattr_150_27_0 ((and (domain) ((not (installd_27_0))))))
-(typeattribute base_typeattr_149_27_0)
-(typeattributeset base_typeattr_149_27_0 ((and (domain) ((not (inputflinger_27_0))))))
-(typeattribute base_typeattr_148_27_0)
-(typeattributeset base_typeattr_148_27_0 ((and (fs_type file_type) ((not (init_exec_27_0))))))
-(typeattribute base_typeattr_147_27_0)
-(typeattributeset base_typeattr_147_27_0 ((and (dev_type) ((not (kmem_device_27_0 port_device_27_0))))))
-(typeattribute base_typeattr_146_27_0)
-(typeattributeset base_typeattr_146_27_0 ((and (dev_type) ((not (device_27_0 alarm_device_27_0 ashmem_device_27_0 binder_device_27_0 hwbinder_device_27_0 dm_device_27_0 keychord_device_27_0 console_device_27_0 hw_random_device_27_0 kmem_device_27_0 port_device_27_0 ptmx_device_27_0 kmsg_device_27_0 null_device_27_0 random_device_27_0 owntty_device_27_0 zero_device_27_0 devpts_27_0))))))
-(typeattribute base_typeattr_145_27_0)
-(typeattributeset base_typeattr_145_27_0 ((and (dev_type) ((not (device_27_0 vndbinder_device_27_0 kmem_device_27_0 port_device_27_0))))))
-(typeattribute base_typeattr_144_27_0)
-(typeattributeset base_typeattr_144_27_0 ((and (fs_type) ((not (contextmount_type sdcard_type rootfs_27_0))))))
-(typeattribute base_typeattr_143_27_0)
-(typeattributeset base_typeattr_143_27_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_27_0))))))
-(typeattribute base_typeattr_142_27_0)
-(typeattributeset base_typeattr_142_27_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_27_0 runtime_event_log_tags_file_27_0 shell_data_file_27_0 keystore_data_file_27_0 vold_data_file_27_0 app_data_file_27_0 system_app_data_file_27_0 misc_logd_file_27_0))))))
-(typeattribute base_typeattr_141_27_0)
-(typeattributeset base_typeattr_141_27_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_27_0 shell_data_file_27_0 keystore_data_file_27_0 vold_data_file_27_0 app_data_file_27_0 system_app_data_file_27_0 misc_logd_file_27_0))))))
-(typeattribute base_typeattr_140_27_0)
-(typeattributeset base_typeattr_140_27_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_27_0 app_data_file_27_0 system_app_data_file_27_0 misc_logd_file_27_0))))))
-(typeattribute base_typeattr_139_27_0)
-(typeattributeset base_typeattr_139_27_0 ((and (domain) ((not (healthd_27_0))))))
-(typeattribute base_typeattr_138_27_0)
-(typeattributeset base_typeattr_138_27_0 ((and (domain) ((not (hal_wifi_supplicant_server))))))
-(typeattribute base_typeattr_137_27_0)
-(typeattributeset base_typeattr_137_27_0 ((and (domain) ((not (hal_wifi_offload_server))))))
-(typeattribute base_typeattr_136_27_0)
-(typeattributeset base_typeattr_136_27_0 ((and (domain) ((not (hal_wifi_server))))))
-(typeattribute base_typeattr_135_27_0)
-(typeattributeset base_typeattr_135_27_0 ((and (domain) ((not (hal_weaver_server))))))
-(typeattribute base_typeattr_134_27_0)
-(typeattributeset base_typeattr_134_27_0 ((and (domain) ((not (hal_vr_server))))))
-(typeattribute base_typeattr_133_27_0)
-(typeattributeset base_typeattr_133_27_0 ((and (domain) ((not (hal_vibrator_server))))))
-(typeattribute base_typeattr_132_27_0)
-(typeattributeset base_typeattr_132_27_0 ((and (domain) ((not (hal_usb_server))))))
-(typeattribute base_typeattr_131_27_0)
-(typeattributeset base_typeattr_131_27_0 ((and (domain) ((not (hal_tv_input_server))))))
-(typeattribute base_typeattr_130_27_0)
-(typeattributeset base_typeattr_130_27_0 ((and (domain) ((not (hal_tv_cec_server))))))
-(typeattribute base_typeattr_129_27_0)
-(typeattributeset base_typeattr_129_27_0 ((and (domain) ((not (hal_thermal_server))))))
-(typeattribute base_typeattr_128_27_0)
-(typeattributeset base_typeattr_128_27_0 ((and (domain) ((not (hal_telephony_server))))))
-(typeattribute base_typeattr_127_27_0)
-(typeattributeset base_typeattr_127_27_0 ((and (domain) ((not (hal_sensors_server))))))
-(typeattribute base_typeattr_126_27_0)
-(typeattributeset base_typeattr_126_27_0 ((and (domain) ((not (hal_power_server))))))
-(typeattribute base_typeattr_125_27_0)
-(typeattributeset base_typeattr_125_27_0 ((and (domain) ((not (hal_oemlock_server))))))
-(typeattribute base_typeattr_124_27_0)
-(typeattributeset base_typeattr_124_27_0 ((and (domain) ((not (hal_nfc_server))))))
-(typeattribute base_typeattr_123_27_0)
-(typeattributeset base_typeattr_123_27_0 ((and (halserverdomain) ((not (hal_dumpstate_server rild_27_0))))))
-(typeattribute base_typeattr_122_27_0)
-(typeattributeset base_typeattr_122_27_0 ((and (halserverdomain) ((not (hal_tetheroffload_server hal_wifi_server hal_wifi_supplicant_server rild_27_0))))))
-(typeattribute base_typeattr_121_27_0)
-(typeattributeset base_typeattr_121_27_0 ((and (halserverdomain) ((not (hal_bluetooth_server hal_wifi_server hal_wifi_supplicant_server rild_27_0))))))
-(typeattribute base_typeattr_120_27_0)
-(typeattributeset base_typeattr_120_27_0 ((and (domain) ((not (hal_neuralnetworks_server))))))
-(typeattribute base_typeattr_119_27_0)
-(typeattributeset base_typeattr_119_27_0 ((and (domain) ((not (hal_memtrack_server))))))
-(typeattribute base_typeattr_118_27_0)
-(typeattributeset base_typeattr_118_27_0 ((and (domain) ((not (hal_light_server))))))
-(typeattribute base_typeattr_117_27_0)
-(typeattributeset base_typeattr_117_27_0 ((and (domain) ((not (hal_keymaster_server))))))
-(typeattribute base_typeattr_116_27_0)
-(typeattributeset base_typeattr_116_27_0 ((and (domain) ((not (hal_ir_server))))))
-(typeattribute base_typeattr_115_27_0)
-(typeattributeset base_typeattr_115_27_0 ((and (domain) ((not (hal_health_server))))))
-(typeattribute base_typeattr_114_27_0)
-(typeattributeset base_typeattr_114_27_0 ((and (domain) ((not (hal_graphics_composer_server))))))
-(typeattribute base_typeattr_113_27_0)
-(typeattributeset base_typeattr_113_27_0 ((and (domain) ((not (hal_graphics_allocator_server))))))
-(typeattribute base_typeattr_112_27_0)
-(typeattributeset base_typeattr_112_27_0 ((and (domain) ((not (hal_gnss_server))))))
-(typeattribute base_typeattr_111_27_0)
-(typeattributeset base_typeattr_111_27_0 ((and (domain) ((not (hal_gatekeeper_server))))))
-(typeattribute base_typeattr_110_27_0)
-(typeattributeset base_typeattr_110_27_0 ((and (domain) ((not (hal_fingerprint_server))))))
-(typeattribute base_typeattr_109_27_0)
-(typeattributeset base_typeattr_109_27_0 ((and (domain) ((not (hal_dumpstate_server))))))
-(typeattribute base_typeattr_108_27_0)
-(typeattributeset base_typeattr_108_27_0 ((and (domain) ((not (hal_drm_server))))))
-(typeattribute base_typeattr_107_27_0)
-(typeattributeset base_typeattr_107_27_0 ((and (domain) ((not (hal_contexthub_server))))))
-(typeattribute base_typeattr_106_27_0)
-(typeattributeset base_typeattr_106_27_0 ((and (data_file_type) ((not (anr_data_file_27_0 tombstone_data_file_27_0 zoneinfo_data_file_27_0))))))
-(typeattribute base_typeattr_105_27_0)
-(typeattributeset base_typeattr_105_27_0 ((and (domain) ((not (hal_configstore_server logd_27_0 su_27_0 tombstoned_27_0))))))
-(typeattribute base_typeattr_104_27_0)
-(typeattributeset base_typeattr_104_27_0 ((and (domain) ((not (hal_configstore_server))))))
-(typeattribute base_typeattr_103_27_0)
-(typeattributeset base_typeattr_103_27_0 ((and (domain) ((not (hal_cas_server))))))
-(typeattribute base_typeattr_102_27_0)
-(typeattributeset base_typeattr_102_27_0 ((and (halserverdomain) ((not (hal_camera_server))))))
-(typeattribute base_typeattr_101_27_0)
-(typeattributeset base_typeattr_101_27_0 ((and (appdomain) ((not (isolated_app_27_0))))))
-(typeattribute base_typeattr_100_27_0)
-(typeattributeset base_typeattr_100_27_0 ((and (domain) ((not (hal_camera_server))))))
-(typeattribute base_typeattr_99_27_0)
-(typeattributeset base_typeattr_99_27_0 ((and (domain) ((not (hal_broadcastradio_server))))))
-(typeattribute base_typeattr_98_27_0)
-(typeattributeset base_typeattr_98_27_0 ((and (domain) ((not (hal_bootctl_server))))))
-(typeattribute base_typeattr_97_27_0)
-(typeattributeset base_typeattr_97_27_0 ((and (domain) ((not (hal_bluetooth_server))))))
-(typeattribute base_typeattr_96_27_0)
-(typeattributeset base_typeattr_96_27_0 ((and (halserverdomain) ((not (hal_audio_server))))))
-(typeattribute base_typeattr_95_27_0)
-(typeattributeset base_typeattr_95_27_0 ((and (domain) ((not (hal_audio_server))))))
-(typeattribute base_typeattr_94_27_0)
-(typeattributeset base_typeattr_94_27_0 ((and (domain) ((not (hal_allocator_server))))))
-(typeattribute base_typeattr_93_27_0)
-(typeattributeset base_typeattr_93_27_0 ((and (domain) ((not (gatekeeperd_27_0))))))
-(typeattribute base_typeattr_92_27_0)
-(typeattributeset base_typeattr_92_27_0 ((and (domain) ((not (vold_27_0))))))
-(typeattribute base_typeattr_91_27_0)
-(typeattributeset base_typeattr_91_27_0 ((and (fs_type file_type) ((not (fsck_exec_27_0))))))
-(typeattribute base_typeattr_90_27_0)
-(typeattributeset base_typeattr_90_27_0 ((and (domain) ((not (init_27_0 vold_27_0))))))
-(typeattribute base_typeattr_89_27_0)
-(typeattributeset base_typeattr_89_27_0 ((and (domain) ((not (fingerprintd_27_0))))))
-(typeattribute base_typeattr_88_27_0)
-(typeattributeset base_typeattr_88_27_0 ((and (domain) ((not (dumpstate_27_0 shell_27_0 system_server_27_0))))))
-(typeattribute base_typeattr_87_27_0)
-(typeattributeset base_typeattr_87_27_0 ((and (domain) ((not (dumpstate_27_0))))))
-(typeattribute base_typeattr_86_27_0)
-(typeattributeset base_typeattr_86_27_0 ((and (service_manager_type) ((not (dumpstate_service_27_0 gatekeeper_service_27_0 incident_service_27_0 virtual_touchpad_service_27_0 vr_hwc_service_27_0))))))
-(typeattribute base_typeattr_85_27_0)
-(typeattributeset base_typeattr_85_27_0 ((and (domain) ((not (drmserver_27_0))))))
-(typeattribute base_typeattr_84_27_0)
-(typeattributeset base_typeattr_84_27_0 ((not (coredomain))))
-(typeattribute base_typeattr_83_27_0)
-(typeattributeset base_typeattr_83_27_0 ((not (rootfs_27_0 system_file_27_0 vendor_file_27_0))))
-(typeattribute base_typeattr_82_27_0)
-(typeattributeset base_typeattr_82_27_0 ((and (domain) ((not (installd_27_0 profman_27_0))))))
-(typeattribute base_typeattr_81_27_0)
-(typeattributeset base_typeattr_81_27_0 ((and (domain) ((not (dumpstate_27_0 init_27_0 system_server_27_0))))))
-(typeattribute base_typeattr_80_27_0)
-(typeattributeset base_typeattr_80_27_0 ((not (hwservicemanager_27_0))))
-(typeattribute base_typeattr_79_27_0)
-(typeattributeset base_typeattr_79_27_0 ((not (servicemanager_27_0 vndservicemanager_27_0))))
-(typeattribute base_typeattr_78_27_0)
-(typeattributeset base_typeattr_78_27_0 ((and (domain) ((not (appdomain adbd_27_0 dumpstate_27_0 installd_27_0 uncrypt_27_0))))))
-(typeattribute base_typeattr_77_27_0)
-(typeattributeset base_typeattr_77_27_0 ((and (domain) ((not (appdomain adbd_27_0 dumpstate_27_0 init_27_0 installd_27_0 system_server_27_0 uncrypt_27_0))))))
-(typeattribute base_typeattr_76_27_0)
-(typeattributeset base_typeattr_76_27_0 ((and (domain) ((not (adbd_27_0 dumpstate_27_0 init_27_0 installd_27_0 shell_27_0 vold_27_0))))))
-(typeattribute base_typeattr_75_27_0)
-(typeattributeset base_typeattr_75_27_0 ((and (domain) ((not (installd_27_0 shell_27_0 uncrypt_27_0))))))
-(typeattribute base_typeattr_74_27_0)
-(typeattributeset base_typeattr_74_27_0 ((and (domain) ((not (appdomain installd_27_0 uncrypt_27_0))))))
-(typeattribute base_typeattr_73_27_0)
-(typeattributeset base_typeattr_73_27_0 ((and (appdomain) ((not (shell_27_0 su_27_0))))))
-(typeattribute base_typeattr_72_27_0)
-(typeattributeset base_typeattr_72_27_0 ((and (domain) ((not (runas_27_0 webview_zygote_27_0 zygote_27_0))))))
-(typeattribute base_typeattr_71_27_0)
-(typeattributeset base_typeattr_71_27_0 ((and (domain) ((not (adbd_27_0 init_27_0 runas_27_0 zygote_27_0))))))
-(typeattribute base_typeattr_70_27_0)
-(typeattributeset base_typeattr_70_27_0 ((and (domain) ((not (appdomain installd_27_0))))))
-(typeattribute base_typeattr_69_27_0)
-(typeattributeset base_typeattr_69_27_0 ((and (domain) ((not (appdomain installd_27_0 system_server_27_0))))))
-(typeattribute base_typeattr_68_27_0)
-(typeattributeset base_typeattr_68_27_0 ((and (domain) ((not (init_27_0 installd_27_0 system_app_27_0 system_server_27_0))))))
-(typeattribute base_typeattr_67_27_0)
-(typeattributeset base_typeattr_67_27_0 ((not (domain))))
-(typeattribute base_typeattr_66_27_0)
-(typeattributeset base_typeattr_66_27_0 ((and (domain) ((not (untrusted_app_all))))))
-(typeattribute base_typeattr_65_27_0)
-(typeattributeset base_typeattr_65_27_0 ((and (file_type) ((not (apk_data_file_27_0 app_data_file_27_0 asec_public_file_27_0))))))
-(typeattribute base_typeattr_64_27_0)
-(typeattributeset base_typeattr_64_27_0 ((and (domain) ((not (dumpstate_27_0 shell_27_0 su_27_0))))))
-(typeattribute base_typeattr_63_27_0)
-(typeattributeset base_typeattr_63_27_0 ((and (domain) ((not (dumpstate_27_0 system_server_27_0))))))
-(typeattribute base_typeattr_62_27_0)
-(typeattributeset base_typeattr_62_27_0 ((and (domain) ((not (crash_dump_27_0 dumpstate_27_0 mediacodec_27_0 mediaextractor_27_0 system_server_27_0 tombstoned_27_0))))))
-(typeattribute base_typeattr_61_27_0)
-(typeattributeset base_typeattr_61_27_0 ((and (domain) ((not (system_server_27_0 webview_zygote_27_0))))))
-(typeattribute base_typeattr_60_27_0)
-(typeattributeset base_typeattr_60_27_0 ((and (domain) ((not (system_server_27_0))))))
-(typeattribute base_typeattr_59_27_0)
-(typeattributeset base_typeattr_59_27_0 ((and (domain) ((not (system_server_27_0 zygote_27_0))))))
-(typeattribute base_typeattr_58_27_0)
-(typeattributeset base_typeattr_58_27_0 ((and (domain) ((not (cppreopts_27_0 dex2oat_27_0 init_27_0 installd_27_0 otapreopt_slot_27_0 postinstall_dexopt_27_0 zygote_27_0))))))
-(typeattribute base_typeattr_57_27_0)
-(typeattributeset base_typeattr_57_27_0 ((and (exec_type) ((not (vendor_file_type crash_dump_exec_27_0 netutils_wrapper_exec_27_0))))))
-(typeattribute base_typeattr_56_27_0)
-(typeattributeset base_typeattr_56_27_0 ((and (domain) ((not (appdomain coredomain vendor_executes_system_violators rild_27_0))))))
-(typeattribute base_typeattr_55_27_0)
-(typeattributeset base_typeattr_55_27_0 ((and (coredomain) ((not (init_27_0))))))
-(typeattribute base_typeattr_54_27_0)
-(typeattributeset base_typeattr_54_27_0 ((and (coredomain) ((not (appdomain idmap_27_0 init_27_0 installd_27_0 system_server_27_0 zygote_27_0))))))
-(typeattribute base_typeattr_53_27_0)
-(typeattributeset base_typeattr_53_27_0 ((and (coredomain) ((not (appdomain dex2oat_27_0 idmap_27_0 init_27_0 installd_27_0 postinstall_dexopt_27_0 system_server_27_0))))))
-(typeattribute base_typeattr_52_27_0)
-(typeattributeset base_typeattr_52_27_0 ((and (dev_type file_type) ((not (core_data_file_type coredomain_socket unlabeled_27_0))))))
-(typeattribute base_typeattr_51_27_0)
-(typeattributeset base_typeattr_51_27_0 ((and (coredomain) ((not (socket_between_core_and_vendor_violators init_27_0 ueventd_27_0))))))
-(typeattribute base_typeattr_50_27_0)
-(typeattributeset base_typeattr_50_27_0 ((and (core_data_file_type coredomain_socket unlabeled_27_0) ((not (pdx_endpoint_socket_type pdx_channel_socket_type app_data_file_27_0))))))
-(typeattribute base_typeattr_49_27_0)
-(typeattributeset base_typeattr_49_27_0 ((and (domain) ((not (netdomain coredomain socket_between_core_and_vendor_violators))))))
-(typeattribute base_typeattr_48_27_0)
-(typeattributeset base_typeattr_48_27_0 ((and (coredomain) ((not (incidentd_27_0 init_27_0 logd_27_0 mdnsd_27_0 netd_27_0 su_27_0 tombstoned_27_0))))))
-(typeattribute base_typeattr_47_27_0)
-(typeattributeset base_typeattr_47_27_0 ((and (domain) ((not (appdomain coredomain socket_between_core_and_vendor_violators))))))
-(typeattribute base_typeattr_46_27_0)
-(typeattributeset base_typeattr_46_27_0 ((and (domain) ((not (coredomain socket_between_core_and_vendor_violators))))))
-(typeattribute base_typeattr_45_27_0)
-(typeattributeset base_typeattr_45_27_0 ((and (coredomain) ((not (adbd_27_0 init_27_0))))))
-(typeattribute base_typeattr_44_27_0)
-(typeattributeset base_typeattr_44_27_0 ((and (coredomain) ((not (shell_27_0 su_27_0))))))
-(typeattribute base_typeattr_43_27_0)
-(typeattributeset base_typeattr_43_27_0 ((and (coredomain) ((not (shell_27_0 su_27_0 ueventd_27_0))))))
-(typeattribute base_typeattr_42_27_0)
-(typeattributeset base_typeattr_42_27_0 ((and (service_manager_type) ((not (app_api_service ephemeral_app_api_service audioserver_service_27_0 cameraserver_service_27_0 drmserver_service_27_0 keystore_service_27_0 mediaserver_service_27_0 mediametrics_service_27_0 mediaextractor_service_27_0 mediadrmserver_service_27_0 nfc_service_27_0 radio_service_27_0 surfaceflinger_service_27_0 virtual_touchpad_service_27_0 vr_hwc_service_27_0 vr_manager_service_27_0))))))
-(typeattribute base_typeattr_41_27_0)
-(typeattributeset base_typeattr_41_27_0 ((and (appdomain) ((not (coredomain))))))
-(typeattribute base_typeattr_40_27_0)
-(typeattributeset base_typeattr_40_27_0 ((and (domain) ((not (appdomain coredomain binder_in_vendor_violators))))))
-(typeattribute base_typeattr_39_27_0)
-(typeattributeset base_typeattr_39_27_0 ((and (domain) ((not (hwservicemanager_27_0 servicemanager_27_0 vndservicemanager_27_0))))))
-(typeattribute base_typeattr_38_27_0)
-(typeattributeset base_typeattr_38_27_0 ((and (domain) ((not (domain hal_bootctl init_27_0 recovery_27_0 ueventd_27_0 uncrypt_27_0 update_engine_27_0 vold_27_0))))))
-(typeattribute base_typeattr_37_27_0)
-(typeattributeset base_typeattr_37_27_0 ((and (domain) ((not (install_recovery_27_0 recovery_27_0))))))
-(typeattribute base_typeattr_36_27_0)
-(typeattributeset base_typeattr_36_27_0 ((and (domain) ((not (recovery_27_0 update_engine_27_0))))))
-(typeattribute base_typeattr_35_27_0)
-(typeattributeset base_typeattr_35_27_0 ((and (domain) ((not (init_27_0 recovery_27_0 vold_27_0))))))
-(typeattribute base_typeattr_34_27_0)
-(typeattributeset base_typeattr_34_27_0 ((and (domain) ((not (init_27_0 recovery_27_0 shell_27_0 system_server_27_0 ueventd_27_0))))))
-(typeattribute base_typeattr_33_27_0)
-(typeattributeset base_typeattr_33_27_0 ((and (domain) ((not (init_27_0 system_server_27_0))))))
-(typeattribute base_typeattr_32_27_0)
-(typeattributeset base_typeattr_32_27_0 ((and (domain) ((not (hal_drm hal_cas adbd_27_0 dumpstate_27_0 init_27_0 mediadrmserver_27_0 recovery_27_0 shell_27_0 system_server_27_0))))))
-(typeattribute base_typeattr_31_27_0)
-(typeattributeset base_typeattr_31_27_0 ((and (fs_type) ((not (contextmount_type))))))
-(typeattribute base_typeattr_30_27_0)
-(typeattributeset base_typeattr_30_27_0 ((and (domain) ((not (kernel_27_0 recovery_27_0))))))
-(typeattribute base_typeattr_29_27_0)
-(typeattributeset base_typeattr_29_27_0 ((and (domain) ((not (shell_27_0))))))
-(typeattribute base_typeattr_28_27_0)
-(typeattributeset base_typeattr_28_27_0 ((and (data_file_type) ((not (system_data_file_27_0 apk_data_file_27_0 dalvikcache_data_file_27_0))))))
-(typeattribute base_typeattr_27_27_0)
-(typeattributeset base_typeattr_27_27_0 ((and (domain) ((not (appdomain))))))
-(typeattribute base_typeattr_26_27_0)
-(typeattributeset base_typeattr_26_27_0 ((and (fs_type) ((not (rootfs_27_0))))))
-(typeattribute base_typeattr_25_27_0)
-(typeattributeset base_typeattr_25_27_0 ((and (domain) ((not (appdomain recovery_27_0))))))
-(typeattribute base_typeattr_24_27_0)
-(typeattributeset base_typeattr_24_27_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_27_0 postinstall_file_27_0))))))
-(typeattribute base_typeattr_23_27_0)
-(typeattributeset base_typeattr_23_27_0 ((and (domain) ((not (appdomain dumpstate_27_0 shell_27_0 su_27_0 webview_zygote_27_0 zygote_27_0))))))
-(typeattribute base_typeattr_22_27_0)
-(typeattributeset base_typeattr_22_27_0 ((and (fs_type) ((not (sdcard_type))))))
-(typeattribute base_typeattr_21_27_0)
-(typeattributeset base_typeattr_21_27_0 ((and (domain) ((not (init_27_0 kernel_27_0 otapreopt_chroot_27_0 recovery_27_0 update_engine_27_0 vold_27_0 zygote_27_0))))))
-(typeattribute base_typeattr_20_27_0)
-(typeattributeset base_typeattr_20_27_0 ((and (domain) ((not (init_27_0 kernel_27_0 recovery_27_0))))))
-(typeattribute base_typeattr_19_27_0)
-(typeattributeset base_typeattr_19_27_0 ((and (domain) ((not (init_27_0 ueventd_27_0))))))
-(typeattribute base_typeattr_18_27_0)
-(typeattributeset base_typeattr_18_27_0 ((and (domain) ((not (shell_27_0 ueventd_27_0))))))
-(typeattribute base_typeattr_17_27_0)
-(typeattributeset base_typeattr_17_27_0 ((and (file_type) ((not (exec_type postinstall_file_27_0))))))
-(typeattribute base_typeattr_16_27_0)
-(typeattributeset base_typeattr_16_27_0 ((and (domain) ((not (init_27_0 shell_27_0 system_server_27_0 ueventd_27_0))))))
-(typeattribute base_typeattr_15_27_0)
-(typeattributeset base_typeattr_15_27_0 ((and (domain) ((not (kernel_27_0))))))
-(typeattribute base_typeattr_14_27_0)
-(typeattributeset base_typeattr_14_27_0 ((and (domain) ((not (recovery_27_0))))))
-(typeattribute base_typeattr_13_27_0)
-(typeattributeset base_typeattr_13_27_0 ((and (domain) ((not (domain healthd_27_0 init_27_0 kernel_27_0 recovery_27_0 tee_27_0 ueventd_27_0 uncrypt_27_0))))))
-(typeattribute base_typeattr_12_27_0)
-(typeattributeset base_typeattr_12_27_0 ((and (domain) ((not (init_27_0 kernel_27_0 ueventd_27_0 vold_27_0))))))
-(typeattribute base_typeattr_11_27_0)
-(typeattributeset base_typeattr_11_27_0 ((and (domain) ((not (init_27_0 recovery_27_0))))))
-(typeattribute base_typeattr_10_27_0)
-(typeattributeset base_typeattr_10_27_0 ((all)))
-(typeattribute base_typeattr_9_27_0)
-(typeattributeset base_typeattr_9_27_0 ((and (domain) ((not (domain))))))
-(typeattribute base_typeattr_8_27_0)
-(typeattributeset base_typeattr_8_27_0 ((and (domain) ((not (coredomain))))))
-(typeattribute base_typeattr_7_27_0)
-(typeattributeset base_typeattr_7_27_0 ((and (domain) ((not (isolated_app_27_0 servicemanager_27_0 vndservicemanager_27_0))))))
-(typeattribute base_typeattr_6_27_0)
-(typeattributeset base_typeattr_6_27_0 ((and (appdomain coredomain binder_in_vendor_violators) ((not (hwservicemanager_27_0))))))
-(typeattribute base_typeattr_5_27_0)
-(typeattributeset base_typeattr_5_27_0 ((and (domain) ((not (init_27_0))))))
-(typeattribute base_typeattr_4_27_0)
-(typeattributeset base_typeattr_4_27_0 ((and (domain) ((not (display_service_server))))))
-(typeattribute base_typeattr_3_27_0)
-(typeattributeset base_typeattr_3_27_0 ((and (domain) ((not (crash_dump_27_0 init_27_0 keystore_27_0 logd_27_0))))))
-(typeattribute base_typeattr_2_27_0)
-(typeattributeset base_typeattr_2_27_0 ((and (domain) ((not (cameraserver_27_0))))))
-(typeattribute base_typeattr_1_27_0)
-(typeattributeset base_typeattr_1_27_0 ((and (domain) ((not (bufferhubd_27_0))))))
diff --git a/prebuilts/api/27.0/private/access_vectors b/prebuilts/api/27.0/private/access_vectors
deleted file mode 100644
index 14e1712..0000000
--- a/prebuilts/api/27.0/private/access_vectors
+++ /dev/null
@@ -1,717 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
- unlink
- link
- rename
- execute
- quotaon
- mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define a common for capability access vectors.
-#
-common cap
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the cap2 common.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-common cap2
-{
- mac_override # unused by SELinux
- mac_admin # unused by SELinux
- syslog
- wake_alarm
- block_suspend
- audit_read
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- associate
- quotamod
- quotaget
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
- open
- audit_access
- execmod
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
- open
- audit_access
-}
-
-class lnk_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
- open
- audit_access
-}
-
-class blk_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class sock_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class fifo_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- recvfrom
- sendto
-}
-
-class netif
-{
- ingress
- egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
- setkeycreate
- setsockcreate
- getrlimit
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
- read_policy
- validate_trans
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
- module_request
- module_load
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-#
-
-class capability
-inherits cap
-
-class capability2
-inherits cap2
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
- nlmsg_tty_audit
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
- setcontext
- polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
- send
- recv
- relabelto
- flow_in # deprecated
- flow_out # deprecated
- forward_in
- forward_out
-}
-
-class key
-{
- view
- read
- write
- search
- link
- setattr
- create
-}
-
-class dccp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class memprotect
-{
- mmap_zero
-}
-
-# network peer labels
-class peer
-{
- recv
-}
-
-class kernel_service
-{
- use_as_override
- create_files_as
-}
-
-class tun_socket
-inherits socket
-{
- attach_queue
-}
-
-class binder
-{
- impersonate
- call
- set_context_mgr
- transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-#
-# Define the access vector interpretation for controlling capabilities
-# in user namespaces
-#
-
-class cap_userns
-inherits cap
-
-class cap2_userns
-inherits cap2
-
-
-#
-# Define the access vector interpretation for the new socket classes
-# enabled by the extended_socket_class policy capability.
-#
-
-#
-# The next two classes were previously mapped to rawip_socket and therefore
-# have the same definition as rawip_socket (until further permissions
-# are defined).
-#
-class sctp_socket
-inherits socket
-{
- node_bind
-}
-
-class icmp_socket
-inherits socket
-{
- node_bind
-}
-
-#
-# The remaining network socket classes were previously
-# mapped to the socket class and therefore have the
-# same definition as socket.
-#
-
-class ax25_socket
-inherits socket
-
-class ipx_socket
-inherits socket
-
-class netrom_socket
-inherits socket
-
-class atmpvc_socket
-inherits socket
-
-class x25_socket
-inherits socket
-
-class rose_socket
-inherits socket
-
-class decnet_socket
-inherits socket
-
-class atmsvc_socket
-inherits socket
-
-class rds_socket
-inherits socket
-
-class irda_socket
-inherits socket
-
-class pppox_socket
-inherits socket
-
-class llc_socket
-inherits socket
-
-class can_socket
-inherits socket
-
-class tipc_socket
-inherits socket
-
-class bluetooth_socket
-inherits socket
-
-class iucv_socket
-inherits socket
-
-class rxrpc_socket
-inherits socket
-
-class isdn_socket
-inherits socket
-
-class phonet_socket
-inherits socket
-
-class ieee802154_socket
-inherits socket
-
-class caif_socket
-inherits socket
-
-class alg_socket
-inherits socket
-
-class nfc_socket
-inherits socket
-
-class vsock_socket
-inherits socket
-
-class kcm_socket
-inherits socket
-
-class qipcrtr_socket
-inherits socket
-
-class smc_socket
-inherits socket
-
-class property_service
-{
- set
-}
-
-class service_manager
-{
- add
- find
- list
-}
-
-class hwservice_manager
-{
- add
- find
- list
-}
-
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
- gen_unique_id
-}
-
-class drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-}
diff --git a/prebuilts/api/27.0/private/adbd.te b/prebuilts/api/27.0/private/adbd.te
deleted file mode 100644
index 47a6cbd..0000000
--- a/prebuilts/api/27.0/private/adbd.te
+++ /dev/null
@@ -1,143 +0,0 @@
-### ADB daemon
-
-typeattribute adbd coredomain;
-typeattribute adbd mlstrustedsubject;
-
-init_daemon_domain(adbd)
-
-domain_auto_trans(adbd, shell_exec, shell)
-
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
-
-# Do not sanitize the environment or open fds of the shell. Allow signaling
-# created processes.
-allow adbd shell:process { noatsecure signal };
-
-# Set UID and GID to shell. Set supplementary groups.
-allow adbd self:capability { setuid setgid };
-
-# Drop capabilities from bounding set on user builds.
-allow adbd self:capability setpcap;
-
-# Create and use network sockets.
-net_domain(adbd)
-
-# Access /dev/usb-ffs/adb/ep0
-allow adbd functionfs:dir search;
-allow adbd functionfs:file rw_file_perms;
-
-# Use a pseudo tty.
-allow adbd devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow adbd shell_data_file:dir create_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-
-# adb pull /data/misc/profman.
-allow adbd profman_dump_data_file:dir r_dir_perms;
-allow adbd profman_dump_data_file:file r_file_perms;
-
-# adb push/pull sdcard.
-allow adbd tmpfs:dir search;
-allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
-allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
-# adb pull /data/anr/traces.txt
-allow adbd anr_data_file:dir r_dir_perms;
-allow adbd anr_data_file:file r_file_perms;
-
-# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-set_prop(adbd, shell_prop)
-set_prop(adbd, powerctl_prop)
-set_prop(adbd, ffs_prop)
-
-# Access device logging gating property
-get_prop(adbd, device_logging_prop)
-
-# Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
-
-# Run /system/bin/bu
-allow adbd system_file:file rx_file_perms;
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
-
-# Needed for various screenshots
-hal_client_domain(adbd, hal_graphics_allocator)
-
-# Read /data/misc/adb/adb_keys.
-allow adbd adb_keys_file:dir search;
-allow adbd adb_keys_file:file r_file_perms;
-
-userdebug_or_eng(`
- # Write debugging information to /data/adb
- # when persist.adb.trace_mask is set
- # https://code.google.com/p/android/issues/detail?id=72895
- allow adbd adb_data_file:dir rw_dir_perms;
- allow adbd adb_data_file:file create_file_perms;
-')
-
-# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd appdomain:unix_stream_socket connectto;
-
-# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
-allow adbd zygote_exec:file r_file_perms;
-allow adbd system_file:file r_file_perms;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow adbd selinuxfs:dir r_dir_perms;
-allow adbd selinuxfs:file r_file_perms;
-allow adbd kernel:security read_policy;
-allow adbd service_contexts_file:file r_file_perms;
-allow adbd file_contexts_file:file r_file_perms;
-allow adbd seapp_contexts_file:file r_file_perms;
-allow adbd property_contexts_file:file r_file_perms;
-allow adbd sepolicy_file:file r_file_perms;
-
-# Allow pulling config.gz for CTS purposes
-allow adbd config_gz:file r_file_perms;
-
-allow adbd surfaceflinger_service:service_manager find;
-allow adbd bootchart_data_file:dir search;
-allow adbd bootchart_data_file:file r_file_perms;
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow adbd storage_file:dir r_dir_perms;
-allow adbd storage_file:lnk_file r_file_perms;
-allow adbd mnt_user_file:dir r_dir_perms;
-allow adbd mnt_user_file:lnk_file r_file_perms;
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow adbd media_rw_data_file:dir create_dir_perms;
-allow adbd media_rw_data_file:file create_file_perms;
-
-r_dir_file(adbd, apk_data_file)
-
-allow adbd rootfs:dir r_dir_perms;
-
-###
-### Neverallow rules
-###
-
-# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/prebuilts/api/27.0/private/app.te b/prebuilts/api/27.0/private/app.te
deleted file mode 100644
index c53fa36..0000000
--- a/prebuilts/api/27.0/private/app.te
+++ /dev/null
@@ -1,542 +0,0 @@
-###
-### Domain for all zygote spawned apps
-###
-### This file is the base policy for all zygote spawned apps.
-### Other policy files, such as isolated_app.te, untrusted_app.te, etc
-### extend from this policy. Only policies which should apply to ALL
-### zygote spawned apps should be added here.
-###
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain ashmem_device:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Place process into foreground / background
-allow appdomain cgroup:dir { search write };
-allow appdomain cgroup:file rw_file_perms;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-# Notify zygote of the wrapped process PID when using --invoke-with.
-allow appdomain zygote:fifo_file write;
-
-userdebug_or_eng(`
- # Allow apps to create and write method traces in /data/misc/trace.
- allow appdomain method_trace_data_file:dir w_dir_perms;
- allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
- allow appdomain vendor_file_type:dir r_dir_perms;
- allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
- # For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
-allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read };
-
-# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
-#
-# TODO: All of these permissions except for anr_data_file:file append can be
-# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
-# and the rules below.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces. Also allow them to append traces to pipes
-# created by dumptrace. (Also see the rules below where they are given
-# additional permissions to dumpstate pipes for other aspects of bug report
-# creation).
-unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
-allow appdomain tombstoned:fd use;
-allow appdomain dumpstate:fifo_file append;
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
- allow appdomain heapdump_data_file:file append;
-')
-
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
-# read /proc/net/xt_qtguid/stats
-r_dir_file({ appdomain -ephemeral_app}, proc_net)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow appdomain qtaguid_device:chr_file r_file_perms;
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-
-# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
-# as OMX HAL
-hwbinder_use({ appdomain -isolated_app })
-allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
-
-# Access OBBs (vfat images) mounted by vold (b/17633509)
-# File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app untrusted_v2_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
-
-# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
-get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-
-# Allow app access to mediacodec (IOMX HAL)
-binder_call({ appdomain -isolated_app }, mediacodec)
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-# Allow apps to run with asanwrapper.
-with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
-
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
-neverallow { appdomain -bluetooth } self:capability2 *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Access to any of the following character devices.
-neverallow appdomain {
- audio_device
- camera_device
- dm_device
- radio_device
- rpmsg_device
- video_device
-}:chr_file { read write };
-
-# Note: Try expanding list of app domains in the future.
-neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
-
-neverallow { appdomain -nfc } nfc_device:chr_file
- { read write };
-neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
- { read write };
-neverallow appdomain tee_device:chr_file { read write };
-
-# Privileged netlink socket interfaces.
-neverallow appdomain
- domain:{
- netlink_tcpdiag_socket
- netlink_nflog_socket
- netlink_xfrm_socket
- netlink_audit_socket
- netlink_dnrt_socket
- } *;
-
-# These messages are broadcast messages from the kernel to userspace.
-# Do not allow the writing of netlink messages, which has been a source
-# of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
-
-# Sockets under /dev/socket that are not specifically typed.
-neverallow appdomain socket_device:sock_file write;
-
-# Unix domain sockets.
-neverallow appdomain adbd_socket:sock_file write;
-neverallow { appdomain -radio } rild_socket:sock_file write;
-neverallow appdomain vold_socket:sock_file write;
-neverallow appdomain zygote_socket:sock_file write;
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# Write access to /proc/pid entries for any non-app domain.
-neverallow appdomain { domain -appdomain }:file write;
-
-# signal access to non-app domains.
-# sigchld allowed for parent death notification.
-# signull allowed for kill(pid, 0) existence test.
-# All others prohibited.
-neverallow appdomain { domain -appdomain }:process
- { sigkill sigstop signal };
-
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
- { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
- { dyntransition };
-
-# Write to rootfs.
-neverallow appdomain rootfs:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to entrypoint executables.
-neverallow appdomain exec_type:file
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts. Define a different type for portions
-# that should be writable by apps.
-neverallow appdomain system_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to various other parts of /data.
-neverallow appdomain drm_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -shell }
- shell_data_file:dir_file_class_set
- { create setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -bluetooth }
- bluetooth_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- keystore_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- systemkeys_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- wifi_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- dhcp_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
- { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
-
-# Access to factory files.
-neverallow appdomain efs_file:dir_file_class_set write;
-neverallow { appdomain -shell } efs_file:dir_file_class_set read;
-
-# Write to various pseudo file systems.
-neverallow { appdomain -bluetooth -nfc }
- sysfs:dir_file_class_set write;
-neverallow appdomain
- proc:dir_file_class_set write;
-
-# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
-
-# SELinux is not an API for apps to use
-neverallow { appdomain -shell } *:security { compute_av check_context };
-neverallow { appdomain -shell } *:netlink_selinux_socket *;
-
-# Ability to perform any filesystem operation other than statfs(2).
-# i.e. no mount(2), unmount(2), etc.
-neverallow appdomain fs_type:filesystem ~getattr;
-
-# prevent creation/manipulation of globally readable symlinks
-neverallow appdomain {
- apk_data_file
- cache_file
- cache_recovery_file
- dev_type
- rootfs
- system_file
- tmpfs
-}:lnk_file no_w_file_perms;
-
-# Denylist app domains not allowed to execute from /data
-neverallow {
- bluetooth
- isolated_app
- nfc
- radio
- shared_relro
- system_app
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
-# Applications should use the activity model for receiving events
-neverallow {
- appdomain
- -shell # bugreport
-} input_device:chr_file ~getattr;
-
-# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
-# neverallow rules for access to Bluetooth-related data files are above.
-neverallow {
- appdomain
- -bluetooth
- -system_app
-} bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/27.0/private/app_neverallows.te b/prebuilts/api/27.0/private/app_neverallows.te
deleted file mode 100644
index a3d7d49..0000000
--- a/prebuilts/api/27.0/private/app_neverallows.te
+++ /dev/null
@@ -1,230 +0,0 @@
-###
-### neverallow rules for untrusted app domains
-###
-
-define(`all_untrusted_apps',`{
- ephemeral_app
- isolated_app
- mediaprovider
- untrusted_app
- untrusted_app_25
- untrusted_app_all
- untrusted_v2_app
-}')
-# Receive or send uevent messages.
-neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow all_untrusted_apps domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow all_untrusted_apps debugfs_type:file read;
-
-# Do not allow untrusted apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow all_untrusted_apps service_manager_type:service_manager add;
-
-# Do not allow untrusted apps to use VendorBinder
-neverallow all_untrusted_apps vndbinder_device:chr_file *;
-neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
-
-# Do not allow untrusted apps to connect to the property service
-# or set properties. b/10243159
-neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
-neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
-neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
-
-# Do not allow untrusted apps to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and an untrusted app is allowed fork permission to itself.
-neverallow all_untrusted_apps mlstrustedsubject:process fork;
-
-# Do not allow untrusted apps to hard link to any files.
-# In particular, if an untrusted app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure untrusted apps never have this
-# capability.
-neverallow all_untrusted_apps file_type:file link;
-
-# Do not allow untrusted apps to access network MAC address file
-neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
-
-# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
-# ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
-neverallow all_untrusted_apps *:{
- socket netlink_socket packet_socket key_socket appletalk_socket
- netlink_tcpdiag_socket netlink_nflog_socket
- netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
- netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
- netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket
-} *;
-
-# Do not allow untrusted apps access to /cache
-neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
-
-# Do not allow untrusted apps to create/unlink files outside of its sandbox,
-# internal storage or sdcard.
-# World accessible data locations allow application to fill the device
-# with unaccounted for data. This data will not get removed during
-# application un-installation.
-neverallow { all_untrusted_apps -mediaprovider } {
- fs_type
- -fuse # sdcard
- -sdcardfs # sdcard
- -vfat
- file_type
- -app_data_file # The apps sandbox itself
- -media_rw_data_file # Internal storage. Known that apps can
- # leave artfacts here after uninstall.
- -user_profile_data_file # Access to profile files
- userdebug_or_eng(`
- -method_trace_data_file # only on ro.debuggable=1
- -coredump_file # userdebug/eng only
- ')
-}:dir_file_class_set { create unlink };
-
-# No untrusted component should be touching /dev/fuse
-neverallow all_untrusted_apps fuse_device:chr_file *;
-
-# Do not allow untrusted apps to directly open tun_device
-neverallow all_untrusted_apps tun_device:chr_file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-neverallow all_untrusted_apps anr_data_file:file ~{ open append };
-neverallow all_untrusted_apps anr_data_file:dir ~search;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
-
-# Avoid all access to kernel configuration
-neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
-
-# Do not allow untrusted apps access to preloads data files
-neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
-
-# Locking of files on /system could lead to denial of service attacks
-# against privileged system components
-neverallow all_untrusted_apps system_file:file lock;
-
-# Do not permit untrusted apps to perform actions on HwBinder service_manager
-# other than find actions for services listed below
-neverallow all_untrusted_apps *:hwservice_manager ~find;
-
-# Do not permit access from apps which host arbitrary code to HwBinder services,
-# except those considered sufficiently safe for access from such apps.
-# The two main reasons for this are:
-# 1. HwBinder servers do not perform client authentication because HIDL
-# currently does not expose caller UID information and, even if it did, many
-# HwBinder services either operate at a level below that of apps (e.g., HALs)
-# or must not rely on app identity for authorization. Thus, to be safe, the
-# default assumption is that every HwBinder service treats all its clients as
-# equally authorized to perform operations offered by the service.
-# 2. HAL servers (a subset of HwBinder services) contain code with higher
-# incidence rate of security issues than system/core components and have
-# access to lower layes of the stack (all the way down to hardware) thus
-# increasing opportunities for bypassing the Android security model.
-#
-# Safe services include:
-# - same process services: because they by definition run in the process
-# of the client and thus have the same access as the client domain in which
-# the process runs
-# - coredomain_hwservice: are considered safe because they do not pose risks
-# associated with reason #2 above.
-# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
-# designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-# by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-# Binder service which apps were permitted to access.
-neverallow all_untrusted_apps {
- hwservice_manager_type
- -same_process_hwservice
- -coredomain_hwservice
- -hal_configstore_ISurfaceFlingerConfigs
- -hal_graphics_allocator_hwservice
- -hal_omx_hwservice
- -hal_cas_hwservice
- -untrusted_app_visible_hwservice
-}:hwservice_manager find;
-
-# Make sure that the following services are never accessible by untrusted_apps
-neverallow all_untrusted_apps {
- default_android_hwservice
- hal_audio_hwservice
- hal_bluetooth_hwservice
- hal_bootctl_hwservice
- hal_camera_hwservice
- hal_contexthub_hwservice
- hal_drm_hwservice
- hal_dumpstate_hwservice
- hal_fingerprint_hwservice
- hal_gatekeeper_hwservice
- hal_gnss_hwservice
- hal_graphics_composer_hwservice
- hal_health_hwservice
- hal_ir_hwservice
- hal_keymaster_hwservice
- hal_light_hwservice
- hal_memtrack_hwservice
- hal_neuralnetworks_hwservice
- hal_nfc_hwservice
- hal_oemlock_hwservice
- hal_power_hwservice
- hal_sensors_hwservice
- hal_telephony_hwservice
- hal_thermal_hwservice
- hal_tv_cec_hwservice
- hal_tv_input_hwservice
- hal_usb_hwservice
- hal_vibrator_hwservice
- hal_vr_hwservice
- hal_weaver_hwservice
- hal_wifi_hwservice
- hal_wifi_offload_hwservice
- hal_wifi_supplicant_hwservice
- hidl_base_hwservice
- system_net_netd_hwservice
- thermalcallback_hwservice
-}:hwservice_manager find;
-# HwBinder services offered by core components (as opposed to vendor components)
-# are considered somewhat safer due to point #2 above.
-neverallow all_untrusted_apps {
- coredomain_hwservice
- -same_process_hwservice
- -hidl_allocator_hwservice # Designed for use by any domain
- -hidl_manager_hwservice # Designed for use by any domain
- -hidl_memory_hwservice # Designed for use by any domain
- -hidl_token_hwservice # Designed for use by any domain
-}:hwservice_manager find;
-
-# SELinux is not an API for untrusted apps to use
-neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
-
-# Restrict *Binder access from apps to HAL domains. We can only do this on full
-# Treble devices where *Binder communications between apps and HALs are tightly
-# restricted.
-full_treble_only(`
- neverallow all_untrusted_apps {
- halserverdomain
- -coredomain
- -hal_configstore_server
- -hal_graphics_allocator_server
- -hal_cas_server
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- -untrusted_app_visible_halserver
- }:binder { call transfer };
-')
diff --git a/prebuilts/api/27.0/private/asan_extract.te b/prebuilts/api/27.0/private/asan_extract.te
deleted file mode 100644
index 1c20d78..0000000
--- a/prebuilts/api/27.0/private/asan_extract.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# Technically not a daemon but we do want the transition from init domain to
-# asan_extract to occur.
-with_asan(`
-typeattribute asan_extract coredomain;
-init_daemon_domain(asan_extract)
-')
diff --git a/prebuilts/api/27.0/private/atrace.te b/prebuilts/api/27.0/private/atrace.te
deleted file mode 100644
index 5de9f99..0000000
--- a/prebuilts/api/27.0/private/atrace.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# Domain for atrace process spawned by boottrace service.
-
-type atrace_exec, exec_type, file_type;
-
-userdebug_or_eng(`
- type atrace, domain, coredomain, domain_deprecated;
-
- init_daemon_domain(atrace)
-
- # boottrace services uses /data/misc/boottrace/categories
- allow atrace boottrace_data_file:dir search;
- allow atrace boottrace_data_file:file r_file_perms;
-
- # Allow atrace to access tracefs.
- allow atrace debugfs_tracing:dir r_dir_perms;
- allow atrace debugfs_tracing:file rw_file_perms;
- allow atrace debugfs_tracing_debug:file rw_file_perms;
- allow atrace debugfs_trace_marker:file getattr;
-
- # atrace sets debug.atrace.* properties
- set_prop(atrace, debug_prop)
-
- # atrace pokes all the binder-enabled processes at startup.
- binder_use(atrace)
- allow atrace healthd:binder call;
- allow atrace surfaceflinger:binder call;
-')
diff --git a/prebuilts/api/27.0/private/attributes b/prebuilts/api/27.0/private/attributes
deleted file mode 100644
index fcbfecf..0000000
--- a/prebuilts/api/27.0/private/attributes
+++ /dev/null
@@ -1,9 +0,0 @@
-# Temporary attribute used for migrating permissions out of domain.
-# Motivation: Domain is overly permissive. Start removing permissions
-# from domain and assign them to the domain_deprecated attribute.
-# Domain_deprecated and domain can initially be assigned to all
-# domains. The goal is to not assign domain_deprecated to new domains
-# and to start removing domain_deprecated where it's not required or
-# reassigning the appropriate permissions to the inheriting domain
-# when necessary.
-attribute domain_deprecated;
diff --git a/prebuilts/api/27.0/private/audioserver.te b/prebuilts/api/27.0/private/audioserver.te
deleted file mode 100644
index 9119daa..0000000
--- a/prebuilts/api/27.0/private/audioserver.te
+++ /dev/null
@@ -1,66 +0,0 @@
-# audioserver - audio services daemon
-
-typeattribute audioserver coredomain;
-
-type audioserver_exec, exec_type, file_type;
-init_daemon_domain(audioserver)
-
-r_dir_file(audioserver, sdcard_type)
-
-binder_use(audioserver)
-binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, appdomain)
-binder_service(audioserver)
-
-hal_client_domain(audioserver, hal_allocator)
-# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
-r_dir_file(audioserver, system_file)
-
-hal_client_domain(audioserver, hal_audio)
-
-userdebug_or_eng(`
- # used for TEE sink - pcm capture for debug.
- allow audioserver media_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:file create_file_perms;
-
- # ptrace to processes in the same domain for memory leak detection
- allow audioserver self:process ptrace;
-')
-
-add_service(audioserver, audioserver_service)
-allow audioserver appops_service:service_manager find;
-allow audioserver batterystats_service:service_manager find;
-allow audioserver permission_service:service_manager find;
-allow audioserver power_service:service_manager find;
-allow audioserver scheduling_policy_service:service_manager find;
-
-# Grant access to audio files to audioserver
-allow audioserver audio_data_file:dir ra_dir_perms;
-allow audioserver audio_data_file:file create_file_perms;
-
-# allow access to ALSA MMAP FDs for AAudio API
-allow audioserver audio_device:chr_file { read write };
-
-# For A2DP bridge which is loaded directly into audioserver
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
-###
-### neverallow rules
-###
-
-# audioserver should never execute any executable without a
-# domain transition
-neverallow audioserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/27.0/private/binder_in_vendor_violators.te b/prebuilts/api/27.0/private/binder_in_vendor_violators.te
deleted file mode 100644
index 4a1218e..0000000
--- a/prebuilts/api/27.0/private/binder_in_vendor_violators.te
+++ /dev/null
@@ -1 +0,0 @@
-allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/27.0/private/binderservicedomain.te b/prebuilts/api/27.0/private/binderservicedomain.te
deleted file mode 100644
index 0891ee5..0000000
--- a/prebuilts/api/27.0/private/binderservicedomain.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# Rules common to all binder service domains
-
-# Allow dumpstate and incidentd to collect information from binder services
-allow binderservicedomain { dumpstate incidentd }:fd use;
-allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
-allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
-allow binderservicedomain shell_data_file:file { getattr write };
-
-# Allow dumpsys to work from adb shell or the serial console
-allow binderservicedomain devpts:chr_file rw_file_perms;
-allow binderservicedomain console_device:chr_file rw_file_perms;
-
-# Receive and write to a pipe received over Binder from an app.
-allow binderservicedomain appdomain:fd use;
-allow binderservicedomain appdomain:fifo_file write;
-
-# allow all services to run permission checks
-allow binderservicedomain permission_service:service_manager find;
-
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-
-use_keystore(binderservicedomain)
diff --git a/prebuilts/api/27.0/private/blkid.te b/prebuilts/api/27.0/private/blkid.te
deleted file mode 100644
index 090912b..0000000
--- a/prebuilts/api/27.0/private/blkid.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# blkid called from vold
-
-typeattribute blkid coredomain;
-
-type blkid_exec, exec_type, file_type;
-
-# Allowed read-only access to encrypted devices to extract UUID/label
-allow blkid block_device:dir search;
-allow blkid userdata_block_device:blk_file r_file_perms;
-allow blkid dm_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid vold:fd use;
-allow blkid vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid blkid_exec:file rx_file_perms;
-
-# Only allow entry from vold
-neverallow { domain -vold } blkid:process transition;
-neverallow * blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/27.0/private/blkid_untrusted.te b/prebuilts/api/27.0/private/blkid_untrusted.te
deleted file mode 100644
index 1256771..0000000
--- a/prebuilts/api/27.0/private/blkid_untrusted.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# blkid for untrusted block devices
-
-typeattribute blkid_untrusted coredomain;
-
-# Allowed read-only access to vold block devices to extract UUID/label
-allow blkid_untrusted block_device:dir search;
-allow blkid_untrusted vold_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid_untrusted vold:fd use;
-allow blkid_untrusted vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid_untrusted blkid_exec:file rx_file_perms;
-
-###
-### neverallow rules
-###
-
-# Untrusted blkid should never be run on block devices holding sensitive data
-neverallow blkid_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via blkid binary
-neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow * blkid_untrusted:process dyntransition;
-neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/27.0/private/bluetooth.te b/prebuilts/api/27.0/private/bluetooth.te
deleted file mode 100644
index 451d27a..0000000
--- a/prebuilts/api/27.0/private/bluetooth.te
+++ /dev/null
@@ -1,76 +0,0 @@
-# bluetooth app
-
-typeattribute bluetooth coredomain;
-
-app_domain(bluetooth)
-net_domain(bluetooth)
-
-# Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
-
-# Allow access to net_admin ioctls
-allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
-
-wakelock_use(bluetooth);
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
-allow bluetooth bluetooth_logs_data_file:file create_file_perms;
-
-# Socket creation under /data/misc/bluedroid.
-allow bluetooth bluetooth_socket:sock_file create_file_perms;
-
-allow bluetooth self:capability net_admin;
-allow bluetooth self:capability2 wake_alarm;
-
-# tethering
-allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:capability { net_admin net_raw net_bind_service };
-allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
-allow bluetooth tun_device:chr_file rw_file_perms;
-allow bluetooth efs_file:dir search;
-
-# allow Bluetooth to access uhid device for HID profile
-allow bluetooth uhid_device:chr_file rw_file_perms;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# Allow write access to bluetooth specific properties
-set_prop(bluetooth, bluetooth_prop)
-set_prop(bluetooth, pan_result_prop)
-
-allow bluetooth audioserver_service:service_manager find;
-allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth drmserver_service:service_manager find;
-allow bluetooth mediaserver_service:service_manager find;
-allow bluetooth radio_service:service_manager find;
-allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth app_api_service:service_manager find;
-allow bluetooth system_api_service:service_manager find;
-
-# already open bugreport file descriptors may be shared with
-# the bluetooth process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow bluetooth shell_data_file:file read;
-
-# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
-allow bluetooth self:capability sys_nice;
-
-hal_client_domain(bluetooth, hal_bluetooth)
-hal_client_domain(bluetooth, hal_telephony)
-
-read_runtime_log_tags(bluetooth)
-
-###
-### Neverallow rules
-###
-### These are things that the bluetooth app should NEVER be able to do
-###
-
-# Superuser capabilities.
-# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/prebuilts/api/27.0/private/bluetoothdomain.te b/prebuilts/api/27.0/private/bluetoothdomain.te
deleted file mode 100644
index fe4f0e6..0000000
--- a/prebuilts/api/27.0/private/bluetoothdomain.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow clients to use a socket provided by the bluetooth app.
-allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/prebuilts/api/27.0/private/bootanim.te b/prebuilts/api/27.0/private/bootanim.te
deleted file mode 100644
index 8c9f6c7..0000000
--- a/prebuilts/api/27.0/private/bootanim.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute bootanim coredomain;
-
-init_daemon_domain(bootanim)
diff --git a/prebuilts/api/27.0/private/bootstat.te b/prebuilts/api/27.0/private/bootstat.te
deleted file mode 100644
index 806144c..0000000
--- a/prebuilts/api/27.0/private/bootstat.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute bootstat coredomain;
-
-init_daemon_domain(bootstat)
diff --git a/prebuilts/api/27.0/private/bufferhubd.te b/prebuilts/api/27.0/private/bufferhubd.te
deleted file mode 100644
index 012eb20..0000000
--- a/prebuilts/api/27.0/private/bufferhubd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute bufferhubd coredomain;
-
-init_daemon_domain(bufferhubd)
diff --git a/prebuilts/api/27.0/private/cameraserver.te b/prebuilts/api/27.0/private/cameraserver.te
deleted file mode 100644
index c16c132..0000000
--- a/prebuilts/api/27.0/private/cameraserver.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute cameraserver coredomain;
-
-init_daemon_domain(cameraserver)
diff --git a/prebuilts/api/27.0/private/charger.te b/prebuilts/api/27.0/private/charger.te
deleted file mode 100644
index 65109de..0000000
--- a/prebuilts/api/27.0/private/charger.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute charger coredomain;
diff --git a/prebuilts/api/27.0/private/clatd.te b/prebuilts/api/27.0/private/clatd.te
deleted file mode 100644
index c09398d..0000000
--- a/prebuilts/api/27.0/private/clatd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute clatd coredomain;
-typeattribute clatd domain_deprecated;
diff --git a/prebuilts/api/27.0/private/compat/26.0/26.0.cil b/prebuilts/api/27.0/private/compat/26.0/26.0.cil
deleted file mode 100644
index 40bec84..0000000
--- a/prebuilts/api/27.0/private/compat/26.0/26.0.cil
+++ /dev/null
@@ -1,708 +0,0 @@
-;; private attributes removed from public types
-(typeattributeset domain_deprecated (bluetooth_26_0))
-
-;; attributes removed from current policy
-(typeattribute hal_wifi_keystore)
-(typeattribute hal_wifi_keystore_client)
-(typeattribute hal_wifi_keystore_server)
-
-;; types removed from current policy
-(type asan_reboot_prop)
-(type log_device)
-(type mediacasserver_service)
-(type tracing_shell_writable)
-(type tracing_shell_writable_debug)
-
-(typeattributeset accessibility_service_26_0 (accessibility_service))
-(typeattributeset account_service_26_0 (account_service))
-(typeattributeset activity_service_26_0 (activity_service))
-(typeattributeset adbd_26_0 (adbd))
-(typeattributeset adb_data_file_26_0 (adb_data_file))
-(typeattributeset adbd_socket_26_0 (adbd_socket))
-(typeattributeset adb_keys_file_26_0 (adb_keys_file))
-(typeattributeset alarm_device_26_0 (alarm_device))
-(typeattributeset alarm_service_26_0 (alarm_service))
-(typeattributeset anr_data_file_26_0 (anr_data_file))
-(typeattributeset apk_data_file_26_0 (apk_data_file))
-(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file))
-(typeattributeset app_fuse_file_26_0 (app_fuse_file))
-(typeattributeset app_fusefs_26_0 (app_fusefs))
-(typeattributeset appops_service_26_0 (appops_service))
-(typeattributeset appwidget_service_26_0 (appwidget_service))
-(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
-(typeattributeset asec_apk_file_26_0 (asec_apk_file))
-(typeattributeset asec_image_file_26_0 (asec_image_file))
-(typeattributeset asec_public_file_26_0 (asec_public_file))
-(typeattributeset ashmem_device_26_0 (ashmem_device))
-(typeattributeset assetatlas_service_26_0 (assetatlas_service))
-(typeattributeset audio_data_file_26_0 (audio_data_file))
-(typeattributeset audio_device_26_0 (audio_device))
-(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
-(typeattributeset audio_prop_26_0 (audio_prop))
-(typeattributeset audio_seq_device_26_0 (audio_seq_device))
-(typeattributeset audioserver_26_0 (audioserver))
-(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
-(typeattributeset audioserver_service_26_0 (audioserver_service))
-(typeattributeset audio_service_26_0 (audio_service))
-(typeattributeset audio_timer_device_26_0 (audio_timer_device))
-(typeattributeset autofill_service_26_0 (autofill_service))
-(typeattributeset backup_data_file_26_0 (backup_data_file))
-(typeattributeset backup_service_26_0 (backup_service))
-(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
-(typeattributeset battery_service_26_0 (battery_service))
-(typeattributeset batterystats_service_26_0 (batterystats_service))
-(typeattributeset binder_device_26_0 (binder_device))
-(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
-(typeattributeset blkid_26_0 (blkid))
-(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
-(typeattributeset block_device_26_0 (block_device))
-(typeattributeset bluetooth_26_0 (bluetooth))
-(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_26_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
-(typeattributeset bootanim_26_0 (bootanim))
-(typeattributeset bootanim_exec_26_0 (bootanim_exec))
-(typeattributeset boot_block_device_26_0 (boot_block_device))
-(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
-(typeattributeset bootstat_26_0 (bootstat))
-(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_26_0 (bootstat_exec))
-(typeattributeset boottime_prop_26_0 (boottime_prop))
-(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
-(typeattributeset bufferhubd_26_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_26_0 (cache_backup_file))
-(typeattributeset cache_block_device_26_0 (cache_block_device))
-(typeattributeset cache_file_26_0 (cache_file))
-(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
-(typeattributeset camera_data_file_26_0 (camera_data_file))
-(typeattributeset camera_device_26_0 (camera_device))
-(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
-(typeattributeset cameraserver_26_0 (cameraserver))
-(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_26_0 (cameraserver_service))
-(typeattributeset cgroup_26_0 (cgroup))
-(typeattributeset charger_26_0 (charger))
-(typeattributeset clatd_26_0 (clatd))
-(typeattributeset clatd_exec_26_0 (clatd_exec))
-(typeattributeset clipboard_service_26_0 (clipboard_service))
-(typeattributeset commontime_management_service_26_0 (commontime_management_service))
-(typeattributeset companion_device_service_26_0 (companion_device_service))
-(typeattributeset configfs_26_0 (configfs))
-(typeattributeset config_prop_26_0 (config_prop))
-(typeattributeset connectivity_service_26_0 (connectivity_service))
-(typeattributeset connmetrics_service_26_0 (connmetrics_service))
-(typeattributeset console_device_26_0 (console_device))
-(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
-(typeattributeset content_service_26_0 (content_service))
-(typeattributeset contexthub_service_26_0 (contexthub_service))
-(typeattributeset coredump_file_26_0 (coredump_file))
-(typeattributeset country_detector_service_26_0 (country_detector_service))
-(typeattributeset coverage_service_26_0 (coverage_service))
-(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
-(typeattributeset cppreopts_26_0 (cppreopts))
-(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_26_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
-(typeattributeset crash_dump_26_0 (crash_dump))
-(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
-(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_26_0 (dalvik_prop))
-(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0 (debugfs))
-(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
-(typeattributeset debug_prop_26_0 (debug_prop))
-(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
-(typeattributeset default_android_service_26_0 (default_android_service))
-(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0 (default_prop))
-(typeattributeset device_26_0 (device))
-(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_26_0 (deviceidle_service))
-(typeattributeset device_logging_prop_26_0 (device_logging_prop))
-(typeattributeset device_policy_service_26_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
-(typeattributeset devpts_26_0 (devpts))
-(typeattributeset dex2oat_26_0 (dex2oat))
-(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
-(typeattributeset dhcp_26_0 (dhcp))
-(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_26_0 (dhcp_exec))
-(typeattributeset dhcp_prop_26_0 (dhcp_prop))
-(typeattributeset diskstats_service_26_0 (diskstats_service))
-(typeattributeset display_service_26_0 (display_service))
-(typeattributeset dm_device_26_0 (dm_device))
-(typeattributeset dnsmasq_26_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_26_0 (DockObserver_service))
-(typeattributeset dreams_service_26_0 (dreams_service))
-(typeattributeset drm_data_file_26_0 (drm_data_file))
-(typeattributeset drmserver_26_0 (drmserver))
-(typeattributeset drmserver_exec_26_0 (drmserver_exec))
-(typeattributeset drmserver_service_26_0 (drmserver_service))
-(typeattributeset drmserver_socket_26_0 (drmserver_socket))
-(typeattributeset dropbox_service_26_0 (dropbox_service))
-(typeattributeset dumpstate_26_0 (dumpstate))
-(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_26_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
-(typeattributeset efs_file_26_0 (efs_file))
-(typeattributeset ephemeral_app_26_0 (ephemeral_app))
-(typeattributeset ethernet_service_26_0 (ethernet_service))
-(typeattributeset ffs_prop_26_0 (ffs_prop))
-(typeattributeset file_contexts_file_26_0 (file_contexts_file))
-(typeattributeset fingerprintd_26_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_26_0 (fingerprint_service))
-(typeattributeset firstboot_prop_26_0 (firstboot_prop))
-(typeattributeset font_service_26_0 (font_service))
-(typeattributeset frp_block_device_26_0 (frp_block_device))
-(typeattributeset fsck_26_0 (fsck))
-(typeattributeset fsck_exec_26_0 (fsck_exec))
-(typeattributeset fscklogs_26_0 (fscklogs))
-(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
-(typeattributeset full_device_26_0 (full_device))
-(typeattributeset functionfs_26_0 (functionfs))
-(typeattributeset fuse_26_0 (fuse))
-(typeattributeset fuse_device_26_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_26_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
-(typeattributeset gps_control_26_0 (gps_control))
-(typeattributeset gpu_device_26_0 (gpu_device))
-(typeattributeset gpu_service_26_0 (gpu_service))
-(typeattributeset graphics_device_26_0 (graphics_device))
-(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
-(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
-(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
-(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
-(typeattributeset hardware_service_26_0 (hardware_service))
-(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
-(typeattributeset healthd_26_0 (healthd))
-(typeattributeset healthd_exec_26_0 (healthd_exec))
-(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_26_0 (hwbinder_device))
-(typeattributeset hw_random_device_26_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_26_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_26_0 (i2c_device))
-(typeattributeset icon_file_26_0 (icon_file))
-(typeattributeset idmap_26_0 (idmap))
-(typeattributeset idmap_exec_26_0 (idmap_exec))
-(typeattributeset iio_device_26_0 (iio_device))
-(typeattributeset imms_service_26_0 (imms_service))
-(typeattributeset incident_26_0 (incident))
-(typeattributeset incidentd_26_0 (incidentd))
-(typeattributeset incident_data_file_26_0 (incident_data_file))
-(typeattributeset incident_service_26_0 (incident_service))
-(typeattributeset init_26_0 (init))
-(typeattributeset init_exec_26_0 (init_exec))
-(typeattributeset inotify_26_0 (inotify))
-(typeattributeset input_device_26_0 (input_device))
-(typeattributeset inputflinger_26_0 (inputflinger))
-(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_26_0 (inputflinger_service))
-(typeattributeset input_method_service_26_0 (input_method_service))
-(typeattributeset input_service_26_0 (input_service))
-(typeattributeset installd_26_0 (installd))
-(typeattributeset install_data_file_26_0 (install_data_file))
-(typeattributeset installd_exec_26_0 (installd_exec))
-(typeattributeset installd_service_26_0 (installd_service))
-(typeattributeset install_recovery_26_0 (install_recovery))
-(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
-(typeattributeset ion_device_26_0 (ion_device))
-(typeattributeset IProxyService_service_26_0 (IProxyService_service))
-(typeattributeset ipsec_service_26_0 (ipsec_service))
-(typeattributeset isolated_app_26_0 (isolated_app))
-(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
-(typeattributeset kernel_26_0 (kernel))
-(typeattributeset keychain_data_file_26_0 (keychain_data_file))
-(typeattributeset keychord_device_26_0 (keychord_device))
-(typeattributeset keystore_26_0 (keystore))
-(typeattributeset keystore_data_file_26_0 (keystore_data_file))
-(typeattributeset keystore_exec_26_0 (keystore_exec))
-(typeattributeset keystore_service_26_0 (keystore_service))
-(typeattributeset kmem_device_26_0 (kmem_device))
-(typeattributeset kmsg_device_26_0 (kmsg_device))
-(typeattributeset labeledfs_26_0 (labeledfs))
-(typeattributeset launcherapps_service_26_0 (launcherapps_service))
-(typeattributeset lmkd_26_0 (lmkd))
-(typeattributeset lmkd_exec_26_0 (lmkd_exec))
-(typeattributeset lmkd_socket_26_0 (lmkd_socket))
-(typeattributeset location_service_26_0 (location_service))
-(typeattributeset lock_settings_service_26_0 (lock_settings_service))
-(typeattributeset logcat_exec_26_0 (logcat_exec))
-(typeattributeset logd_26_0 (logd))
-(typeattributeset log_device_26_0 (log_device))
-(typeattributeset logd_exec_26_0 (logd_exec))
-(typeattributeset logd_prop_26_0 (logd_prop))
-(typeattributeset logdr_socket_26_0 (logdr_socket))
-(typeattributeset logd_socket_26_0 (logd_socket))
-(typeattributeset logdw_socket_26_0 (logdw_socket))
-(typeattributeset logpersist_26_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_26_0 (log_prop))
-(typeattributeset log_tag_prop_26_0 (log_tag_prop))
-(typeattributeset loop_control_device_26_0 (loop_control_device))
-(typeattributeset loop_device_26_0 (loop_device))
-(typeattributeset mac_perms_file_26_0 (mac_perms_file))
-(typeattributeset mdnsd_26_0 (mdnsd))
-(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
-(typeattributeset mdns_socket_26_0 (mdns_socket))
-(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
-(typeattributeset mediacodec_26_0 (mediacodec))
-(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_26_0 (mediacodec_service))
-(typeattributeset media_data_file_26_0 (media_data_file))
-(typeattributeset mediadrmserver_26_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_26_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
-(typeattributeset mediametrics_26_0 (mediametrics))
-(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_26_0 (mediametrics_service))
-(typeattributeset media_projection_service_26_0 (media_projection_service))
-(typeattributeset media_router_service_26_0 (media_router_service))
-(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
-(typeattributeset mediaserver_26_0 (mediaserver))
-(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_26_0 (mediaserver_service))
-(typeattributeset media_session_service_26_0 (media_session_service))
-(typeattributeset meminfo_service_26_0 (meminfo_service))
-(typeattributeset metadata_block_device_26_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
-(typeattributeset midi_service_26_0 (midi_service))
-(typeattributeset misc_block_device_26_0 (misc_block_device))
-(typeattributeset misc_logd_file_26_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
-(typeattributeset mmc_prop_26_0 (mmc_prop))
-(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_26_0 (mnt_user_file))
-(typeattributeset modprobe_26_0 (modprobe))
-(typeattributeset mount_service_26_0 (mount_service))
-(typeattributeset mqueue_26_0 (mqueue))
-(typeattributeset mtd_device_26_0 (mtd_device))
-(typeattributeset mtp_26_0 (mtp))
-(typeattributeset mtp_device_26_0 (mtp_device))
-(typeattributeset mtpd_socket_26_0 (mtpd_socket))
-(typeattributeset mtp_exec_26_0 (mtp_exec))
-(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
-(typeattributeset netd_26_0 (netd))
-(typeattributeset net_data_file_26_0 (net_data_file))
-(typeattributeset netd_exec_26_0 (netd_exec))
-(typeattributeset netd_listener_service_26_0 (netd_listener_service))
-(typeattributeset net_dns_prop_26_0 (net_dns_prop))
-(typeattributeset netd_service_26_0 (netd_service))
-(typeattributeset netd_socket_26_0 (netd_socket))
-(typeattributeset netif_26_0 (netif))
-(typeattributeset netpolicy_service_26_0 (netpolicy_service))
-(typeattributeset net_radio_prop_26_0 (net_radio_prop))
-(typeattributeset netstats_service_26_0 (netstats_service))
-(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_26_0 (network_management_service))
-(typeattributeset network_score_service_26_0 (network_score_service))
-(typeattributeset network_time_update_service_26_0 (network_time_update_service))
-(typeattributeset nfc_26_0 (nfc))
-(typeattributeset nfc_data_file_26_0 (nfc_data_file))
-(typeattributeset nfc_device_26_0 (nfc_device))
-(typeattributeset nfc_prop_26_0 (nfc_prop))
-(typeattributeset nfc_service_26_0 (nfc_service))
-(typeattributeset node_26_0 (node))
-(typeattributeset notification_service_26_0 (notification_service))
-(typeattributeset null_device_26_0 (null_device))
-(typeattributeset oemfs_26_0 (oemfs))
-(typeattributeset oem_lock_service_26_0 (oem_lock_service))
-(typeattributeset ota_data_file_26_0 (ota_data_file))
-(typeattributeset otadexopt_service_26_0 (otadexopt_service))
-(typeattributeset ota_package_file_26_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_26_0 (overlay_prop))
-(typeattributeset overlay_service_26_0 (overlay_service))
-(typeattributeset owntty_device_26_0 (owntty_device))
-(typeattributeset package_service_26_0 (package_service))
-(typeattributeset pan_result_prop_26_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
-(typeattributeset performanced_26_0 (performanced))
-(typeattributeset performanced_exec_26_0 (performanced_exec))
-(typeattributeset perfprofd_26_0 (perfprofd))
-(typeattributeset perfprofd_data_file_26_0 (perfprofd_data_file))
-(typeattributeset perfprofd_exec_26_0 (perfprofd_exec))
-(typeattributeset permission_service_26_0 (permission_service))
-(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_26_0 (pinner_service))
-(typeattributeset pipefs_26_0 (pipefs))
-(typeattributeset platform_app_26_0 (platform_app))
-(typeattributeset pmsg_device_26_0 (pmsg_device))
-(typeattributeset port_26_0 (port))
-(typeattributeset port_device_26_0 (port_device))
-(typeattributeset postinstall_26_0 (postinstall))
-(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_26_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_26_0 (powerctl_prop))
-(typeattributeset power_service_26_0 (power_service))
-(typeattributeset ppp_26_0 (ppp))
-(typeattributeset ppp_device_26_0 (ppp_device))
-(typeattributeset ppp_exec_26_0 (ppp_exec))
-(typeattributeset preloads_data_file_26_0 (preloads_data_file))
-(typeattributeset preloads_media_file_26_0 (preloads_media_file))
-(typeattributeset preopt2cachename_26_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
-(typeattributeset print_service_26_0 (print_service))
-(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_uid_time_in_state))
-(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
-(typeattributeset processinfo_service_26_0 (processinfo_service))
-(typeattributeset proc_interrupts_26_0 (proc_interrupts))
-(typeattributeset proc_iomem_26_0 (proc_iomem))
-(typeattributeset proc_meminfo_26_0 (proc_meminfo))
-(typeattributeset proc_misc_26_0 (proc_misc))
-(typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0 (proc_net))
-(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_26_0 (proc_perf))
-(typeattributeset proc_security_26_0 (proc_security))
-(typeattributeset proc_stat_26_0 (proc_stat))
-(typeattributeset procstats_service_26_0 (procstats_service))
-(typeattributeset proc_sysrq_26_0 (proc_sysrq))
-(typeattributeset proc_timer_26_0 (proc_timer))
-(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
-(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
-(typeattributeset profman_26_0 (profman))
-(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
-(typeattributeset profman_exec_26_0 (profman_exec))
-(typeattributeset properties_device_26_0 (properties_device))
-(typeattributeset properties_serial_26_0 (properties_serial))
-(typeattributeset property_contexts_file_26_0 (property_contexts_file))
-(typeattributeset property_data_file_26_0 (property_data_file))
-(typeattributeset property_socket_26_0 (property_socket))
-(typeattributeset pstorefs_26_0 (pstorefs))
-(typeattributeset ptmx_device_26_0 (ptmx_device))
-(typeattributeset qtaguid_device_26_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_26_0 (qtaguid_proc))
-(typeattributeset racoon_26_0 (racoon))
-(typeattributeset racoon_exec_26_0 (racoon_exec))
-(typeattributeset racoon_socket_26_0 (racoon_socket))
-(typeattributeset radio_26_0 (radio))
-(typeattributeset radio_data_file_26_0 (radio_data_file))
-(typeattributeset radio_device_26_0 (radio_device))
-(typeattributeset radio_prop_26_0 (radio_prop))
-(typeattributeset radio_service_26_0 (radio_service))
-(typeattributeset ram_device_26_0 (ram_device))
-(typeattributeset random_device_26_0 (random_device))
-(typeattributeset reboot_data_file_26_0 (reboot_data_file))
-(typeattributeset recovery_26_0 (recovery))
-(typeattributeset recovery_block_device_26_0 (recovery_block_device))
-(typeattributeset recovery_data_file_26_0 (recovery_data_file))
-(typeattributeset recovery_persist_26_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_26_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_26_0 (recovery_service))
-(typeattributeset registry_service_26_0 (registry_service))
-(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_26_0 (restorecon_prop))
-(typeattributeset restrictions_service_26_0 (restrictions_service))
-(typeattributeset rild_26_0 (rild))
-(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
-(typeattributeset rild_socket_26_0 (rild_socket))
-(typeattributeset ringtone_file_26_0 (ringtone_file))
-(typeattributeset root_block_device_26_0 (root_block_device))
-(typeattributeset rootfs_26_0 (rootfs))
-(typeattributeset rpmsg_device_26_0 (rpmsg_device))
-(typeattributeset rtc_device_26_0 (rtc_device))
-(typeattributeset rttmanager_service_26_0 (rttmanager_service))
-(typeattributeset runas_26_0 (runas))
-(typeattributeset runas_exec_26_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0 (same_process_hal_file))
-(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
-(typeattributeset sdcardd_26_0 (sdcardd))
-(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
-(typeattributeset sdcardfs_26_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
-(typeattributeset search_service_26_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_26_0 (selinuxfs))
-(typeattributeset sensors_device_26_0 (sensors_device))
-(typeattributeset sensorservice_service_26_0 (sensorservice_service))
-(typeattributeset sepolicy_file_26_0 (sepolicy_file))
-(typeattributeset serial_device_26_0 (serial_device))
-(typeattributeset serialno_prop_26_0 (serialno_prop))
-(typeattributeset serial_service_26_0 (serial_service))
-(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
-(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
-(typeattributeset servicemanager_26_0 (servicemanager))
-(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
-(typeattributeset settings_service_26_0 (settings_service))
-(typeattributeset sgdisk_26_0 (sgdisk))
-(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
-(typeattributeset shared_relro_26_0 (shared_relro))
-(typeattributeset shared_relro_file_26_0 (shared_relro_file))
-(typeattributeset shell_26_0 (shell))
-(typeattributeset shell_data_file_26_0 (shell_data_file))
-(typeattributeset shell_exec_26_0 (shell_exec))
-(typeattributeset shell_prop_26_0 (shell_prop))
-(typeattributeset shm_26_0 (shm))
-(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_26_0 (shortcut_service))
-(typeattributeset slideshow_26_0 (slideshow))
-(typeattributeset socket_device_26_0 (socket_device))
-(typeattributeset sockfs_26_0 (sockfs))
-(typeattributeset statusbar_service_26_0 (statusbar_service))
-(typeattributeset storaged_service_26_0 (storaged_service))
-(typeattributeset storage_file_26_0 (storage_file))
-(typeattributeset storagestats_service_26_0 (storagestats_service))
-(typeattributeset storage_stub_file_26_0 (storage_stub_file))
-(typeattributeset su_26_0 (su))
-(typeattributeset su_exec_26_0 (su_exec))
-(typeattributeset surfaceflinger_26_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0 (sysfs))
-(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_26_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_26_0 (sysfs_uio))
-(typeattributeset sysfs_usb_26_0 (sysfs_usb))
-(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_26_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
-(typeattributeset system_app_26_0 (system_app))
-(typeattributeset system_app_data_file_26_0 (system_app_data_file))
-(typeattributeset system_app_service_26_0 (system_app_service))
-(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0 (system_data_file))
-(typeattributeset system_file_26_0 (system_file))
-(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
-(typeattributeset system_prop_26_0 (system_prop))
-(typeattributeset system_radio_prop_26_0 (system_radio_prop))
-(typeattributeset system_server_26_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
-(typeattributeset task_service_26_0 (task_service))
-(typeattributeset tee_26_0 (tee))
-(typeattributeset tee_data_file_26_0 (tee_data_file))
-(typeattributeset tee_device_26_0 (tee_device))
-(typeattributeset telecom_service_26_0 (telecom_service))
-(typeattributeset textclassification_service_26_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
-(typeattributeset textservices_service_26_0 (textservices_service))
-(typeattributeset tmpfs_26_0 (tmpfs))
-(typeattributeset tombstoned_26_0 (tombstoned))
-(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
-(typeattributeset toolbox_26_0 (toolbox))
-(typeattributeset toolbox_exec_26_0 (toolbox_exec))
-(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
-(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
-(typeattributeset trust_service_26_0 (trust_service))
-(typeattributeset tty_device_26_0 (tty_device))
-(typeattributeset tun_device_26_0 (tun_device))
-(typeattributeset tv_input_service_26_0 (tv_input_service))
-(typeattributeset tzdatacheck_26_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
-(typeattributeset ueventd_26_0 (ueventd))
-(typeattributeset uhid_device_26_0 (uhid_device))
-(typeattributeset uimode_service_26_0 (uimode_service))
-(typeattributeset uio_device_26_0 (uio_device))
-(typeattributeset uncrypt_26_0 (uncrypt))
-(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
-(typeattributeset unlabeled_26_0 (unlabeled))
-(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0 (untrusted_app))
-(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
-(typeattributeset update_engine_26_0 (update_engine))
-(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_26_0 (update_engine_exec))
-(typeattributeset update_engine_service_26_0 (update_engine_service))
-(typeattributeset updatelock_service_26_0 (updatelock_service))
-(typeattributeset update_verifier_26_0 (update_verifier))
-(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
-(typeattributeset usagestats_service_26_0 (usagestats_service))
-(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
-(typeattributeset usb_device_26_0 (usb_device))
-(typeattributeset usbfs_26_0 (usbfs))
-(typeattributeset usb_service_26_0 (usb_service))
-(typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
-(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
-(typeattributeset user_service_26_0 (user_service))
-(typeattributeset vcs_device_26_0 (vcs_device))
-(typeattributeset vdc_26_0 (vdc))
-(typeattributeset vdc_exec_26_0 (vdc_exec))
-(typeattributeset vendor_app_file_26_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
-(typeattributeset vendor_file_26_0 (vendor_file))
-(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
-(typeattributeset vfat_26_0 (vfat))
-(typeattributeset vibrator_service_26_0 (vibrator_service))
-(typeattributeset video_device_26_0 (video_device))
-(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_26_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_26_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
-(typeattributeset vold_26_0 (vold))
-(typeattributeset vold_data_file_26_0 (vold_data_file))
-(typeattributeset vold_device_26_0 (vold_device))
-(typeattributeset vold_exec_26_0 (vold_exec))
-(typeattributeset vold_prop_26_0 (vold_prop))
-(typeattributeset vold_socket_26_0 (vold_socket))
-(typeattributeset vpn_data_file_26_0 (vpn_data_file))
-(typeattributeset vr_hwc_26_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_26_0 (vr_manager_service))
-(typeattributeset wallpaper_file_26_0 (wallpaper_file))
-(typeattributeset wallpaper_service_26_0 (wallpaper_service))
-(typeattributeset watchdogd_26_0 (watchdogd))
-(typeattributeset watchdog_device_26_0 (watchdog_device))
-(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
-(typeattributeset webview_zygote_26_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_26_0 (wifiaware_service))
-(typeattributeset wificond_26_0 (wificond))
-(typeattributeset wificond_exec_26_0 (wificond_exec))
-(typeattributeset wificond_service_26_0 (wificond_service))
-(typeattributeset wifi_data_file_26_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_26_0 (wifip2p_service))
-(typeattributeset wifi_prop_26_0 (wifi_prop))
-(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
-(typeattributeset wifi_service_26_0 (wifi_service))
-(typeattributeset window_service_26_0 (window_service))
-(typeattributeset wpa_socket_26_0 (wpa_socket))
-(typeattributeset zero_device_26_0 (zero_device))
-(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
-(typeattributeset zygote_26_0 (zygote))
-(typeattributeset zygote_exec_26_0 (zygote_exec))
-(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/27.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/27.0/private/compat/26.0/26.0.ignore.cil
deleted file mode 100644
index 9e1eb97..0000000
--- a/prebuilts/api/27.0/private/compat/26.0/26.0.ignore.cil
+++ /dev/null
@@ -1,34 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( adbd_exec
- broadcastradio_service
- e2fs
- e2fs_exec
- hal_broadcastradio_hwservice
- hal_cas_hwservice
- hal_neuralnetworks_hwservice
- hal_tetheroffload_hwservice
- hal_wifi_offload_hwservice
- kmsg_debug_device
- mediaprovider_tmpfs
- netd_stable_secret_prop
- package_native_service
- sysfs_fs_ext4_features
- system_net_netd_hwservice
- thermal_service
- thermalcallback_hwservice
- thermalserviced
- thermalserviced_exec
- thermalserviced_tmpfs
- timezone_service
- tombstoned_java_trace_socket))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( adbd_tmpfs ))
diff --git a/prebuilts/api/27.0/private/cppreopts.te b/prebuilts/api/27.0/private/cppreopts.te
deleted file mode 100644
index 34f0d66..0000000
--- a/prebuilts/api/27.0/private/cppreopts.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute cppreopts coredomain;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(cppreopts)
-domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
diff --git a/prebuilts/api/27.0/private/crash_dump.te b/prebuilts/api/27.0/private/crash_dump.te
deleted file mode 100644
index fb73f08..0000000
--- a/prebuilts/api/27.0/private/crash_dump.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute crash_dump coredomain;
diff --git a/prebuilts/api/27.0/private/dex2oat.te b/prebuilts/api/27.0/private/dex2oat.te
deleted file mode 100644
index 89c3970..0000000
--- a/prebuilts/api/27.0/private/dex2oat.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute dex2oat coredomain;
-typeattribute dex2oat domain_deprecated;
diff --git a/prebuilts/api/27.0/private/dexoptanalyzer.te b/prebuilts/api/27.0/private/dexoptanalyzer.te
deleted file mode 100644
index 1c23f57..0000000
--- a/prebuilts/api/27.0/private/dexoptanalyzer.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# dexoptanalyzer
-type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
-type dexoptanalyzer_exec, exec_type, file_type;
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by dexoptanalyzer vs other
-#processes.
-tmpfs_domain(dexoptanalyzer)
-
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
-allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
-allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
-allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
-
-allow dexoptanalyzer installd:fd use;
-
-# Allow reading secondary dex files that were reported by the app to the
-# package manager.
-allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file r_file_perms;
-# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
-# "dontaudit...audit_access" policy line to suppress the audit access without
-# suppressing denial on actual access.
-dontaudit dexoptanalyzer app_data_file:dir audit_access;
-
-# Allow testing /data/user/0 which symlinks to /data/data
-allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/prebuilts/api/27.0/private/dhcp.te b/prebuilts/api/27.0/private/dhcp.te
deleted file mode 100644
index 6a6a139..0000000
--- a/prebuilts/api/27.0/private/dhcp.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute dhcp coredomain;
-typeattribute dhcp domain_deprecated;
-
-init_daemon_domain(dhcp)
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/prebuilts/api/27.0/private/dnsmasq.te b/prebuilts/api/27.0/private/dnsmasq.te
deleted file mode 100644
index 96084b4..0000000
--- a/prebuilts/api/27.0/private/dnsmasq.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute dnsmasq coredomain;
diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te
deleted file mode 100644
index 999c16a..0000000
--- a/prebuilts/api/27.0/private/domain.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# Transition to crash_dump when /system/bin/crash_dump* is executed.
-# This occurs when the process crashes.
-domain_auto_trans(domain, crash_dump_exec, crash_dump);
-allow domain crash_dump:process sigchld;
-
-# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these allowlisted domains.
-neverallow {
- domain
- -vold
- -dumpstate
- -storaged
- -system_server
- userdebug_or_eng(`-perfprofd')
-} self:capability sys_ptrace;
-
-# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app } *:keystore_key gen_unique_id;
diff --git a/prebuilts/api/27.0/private/domain_deprecated.te b/prebuilts/api/27.0/private/domain_deprecated.te
deleted file mode 100644
index 65fd9c7..0000000
--- a/prebuilts/api/27.0/private/domain_deprecated.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# rules removed from the domain attribute
-
-# Read files already opened under /data.
-allow domain_deprecated system_data_file:file { getattr read };
-allow domain_deprecated system_data_file:lnk_file r_file_perms;
-
-# Read apk files under /data/app.
-allow domain_deprecated apk_data_file:dir { getattr search };
-allow domain_deprecated apk_data_file:file r_file_perms;
-allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, proc)
-r_dir_file(domain_deprecated, sysfs)
diff --git a/prebuilts/api/27.0/private/drmserver.te b/prebuilts/api/27.0/private/drmserver.te
deleted file mode 100644
index afe4f0a..0000000
--- a/prebuilts/api/27.0/private/drmserver.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute drmserver coredomain;
-
-init_daemon_domain(drmserver)
-
-type_transition drmserver apk_data_file:sock_file drmserver_socket;
-
-typeattribute drmserver_socket coredomain_socket;
diff --git a/prebuilts/api/27.0/private/dumpstate.te b/prebuilts/api/27.0/private/dumpstate.te
deleted file mode 100644
index 0fe2adf..0000000
--- a/prebuilts/api/27.0/private/dumpstate.te
+++ /dev/null
@@ -1,26 +0,0 @@
-typeattribute dumpstate coredomain;
-typeattribute dumpstate domain_deprecated;
-
-init_daemon_domain(dumpstate)
-
-# Execute and transition to the vdc domain
-domain_auto_trans(dumpstate, vdc_exec, vdc)
-
-# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
-allow dumpstate system_file:file lock;
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-allow dumpstate dumpstate_tmpfs:file execute;
-
-# systrace support - allow atrace to run
-allow dumpstate debugfs_tracing:dir r_dir_perms;
-allow dumpstate debugfs_tracing:file rw_file_perms;
-allow dumpstate debugfs_trace_marker:file getattr;
-allow dumpstate atrace_exec:file rx_file_perms;
-allow dumpstate storaged_exec:file rx_file_perms;
-
-# Allow dumpstate to make binder calls to storaged service
-binder_call(dumpstate, storaged)
-
-# Collect metrics on boot time created by init
-get_prop(dumpstate, boottime_prop)
diff --git a/prebuilts/api/27.0/private/ephemeral_app.te b/prebuilts/api/27.0/private/ephemeral_app.te
deleted file mode 100644
index 872892b..0000000
--- a/prebuilts/api/27.0/private/ephemeral_app.te
+++ /dev/null
@@ -1,70 +0,0 @@
-###
-### Ephemeral apps.
-###
-### This file defines the security policy for apps with the ephemeral
-### feature.
-###
-### The ephemeral_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to ephemeral to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as ephemeral at install time.
-
-typeattribute ephemeral_app coredomain;
-
-net_domain(ephemeral_app)
-app_domain(ephemeral_app)
-
-# Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow ephemeral_app app_data_file:file {r_file_perms execute};
-
-# services
-allow ephemeral_app audioserver_service:service_manager find;
-allow ephemeral_app cameraserver_service:service_manager find;
-allow ephemeral_app mediaserver_service:service_manager find;
-allow ephemeral_app mediaextractor_service:service_manager find;
-allow ephemeral_app mediacodec_service:service_manager find;
-allow ephemeral_app mediametrics_service:service_manager find;
-allow ephemeral_app mediadrmserver_service:service_manager find;
-allow ephemeral_app surfaceflinger_service:service_manager find;
-allow ephemeral_app radio_service:service_manager find;
-allow ephemeral_app ephemeral_app_api_service:service_manager find;
-
-###
-### neverallow rules
-###
-
-neverallow ephemeral_app app_data_file:file execute_no_trans;
-
-# Receive or send uevent messages.
-neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow ephemeral_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
-
-# execute gpu_device
-neverallow ephemeral_app gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow ephemeral_app sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/prebuilts/api/27.0/private/file.te b/prebuilts/api/27.0/private/file.te
deleted file mode 100644
index da5f9ad..0000000
--- a/prebuilts/api/27.0/private/file.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Compatibility with type names used in vanilla Android 4.3 and 4.4.
-typealias audio_data_file alias audio_firmware_file;
-typealias app_data_file alias platform_app_data_file;
-typealias app_data_file alias download_file;
-
-# /proc/config.gz
-type config_gz, fs_type;
diff --git a/prebuilts/api/27.0/private/file_contexts b/prebuilts/api/27.0/private/file_contexts
deleted file mode 100644
index 5369758..0000000
--- a/prebuilts/api/27.0/private/file_contexts
+++ /dev/null
@@ -1,470 +0,0 @@
-###########################################
-# Root
-/ u:object_r:rootfs:s0
-
-# Data files
-/adb_keys u:object_r:adb_keys_file:s0
-/build\.prop u:object_r:rootfs:s0
-/default\.prop u:object_r:rootfs:s0
-/fstab\..* u:object_r:rootfs:s0
-/init\..* u:object_r:rootfs:s0
-/res(/.*)? u:object_r:rootfs:s0
-/selinux_version u:object_r:rootfs:s0
-/ueventd\..* u:object_r:rootfs:s0
-/verity_key u:object_r:rootfs:s0
-
-# Executables
-/charger u:object_r:rootfs:s0
-/init u:object_r:init_exec:s0
-/sbin(/.*)? u:object_r:rootfs:s0
-
-# For kernel modules
-/lib(/.*)? u:object_r:rootfs:s0
-
-# Empty directories
-/lost\+found u:object_r:rootfs:s0
-/acct u:object_r:cgroup:s0
-/config u:object_r:rootfs:s0
-/mnt u:object_r:tmpfs:s0
-/postinstall u:object_r:postinstall_mnt_dir:s0
-/proc u:object_r:rootfs:s0
-/root u:object_r:rootfs:s0
-/sys u:object_r:sysfs:s0
-
-# Symlinks
-/bugreports u:object_r:rootfs:s0
-/d u:object_r:rootfs:s0
-/etc u:object_r:rootfs:s0
-/sdcard u:object_r:rootfs:s0
-
-# SELinux policy files
-/nonplat_file_contexts u:object_r:file_contexts_file:s0
-/plat_file_contexts u:object_r:file_contexts_file:s0
-/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
-/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/plat_property_contexts u:object_r:property_contexts_file:s0
-/nonplat_property_contexts u:object_r:property_contexts_file:s0
-/seapp_contexts u:object_r:seapp_contexts_file:s0
-/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/sepolicy u:object_r:sepolicy_file:s0
-/plat_service_contexts u:object_r:service_contexts_file:s0
-/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/vndservice_contexts u:object_r:vndservice_contexts_file:s0
-
-##########################
-# Devices
-#
-/dev(/.*)? u:object_r:device:s0
-/dev/akm8973.* u:object_r:sensors_device:s0
-/dev/accelerometer u:object_r:sensors_device:s0
-/dev/adf[0-9]* u:object_r:graphics_device:s0
-/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
-/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
-/dev/alarm u:object_r:alarm_device:s0
-/dev/ashmem u:object_r:ashmem_device:s0
-/dev/audio.* u:object_r:audio_device:s0
-/dev/binder u:object_r:binder_device:s0
-/dev/block(/.*)? u:object_r:block_device:s0
-/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
-/dev/block/loop[0-9]* u:object_r:loop_device:s0
-/dev/block/vold/.+ u:object_r:vold_device:s0
-/dev/block/ram[0-9]* u:object_r:ram_device:s0
-/dev/block/zram[0-9]* u:object_r:ram_device:s0
-/dev/bus/usb(.*)? u:object_r:usb_device:s0
-/dev/cam u:object_r:camera_device:s0
-/dev/console u:object_r:console_device:s0
-/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
-/dev/memcg(/.*)? u:object_r:cgroup:s0
-/dev/device-mapper u:object_r:dm_device:s0
-/dev/eac u:object_r:audio_device:s0
-/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
-/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
-/dev/full u:object_r:full_device:s0
-/dev/fuse u:object_r:fuse_device:s0
-/dev/graphics(/.*)? u:object_r:graphics_device:s0
-/dev/hw_random u:object_r:hw_random_device:s0
-/dev/hwbinder u:object_r:hwbinder_device:s0
-/dev/i2c-[0-9]+ u:object_r:i2c_device:s0
-/dev/input(/.*)? u:object_r:input_device:s0
-/dev/iio:device[0-9]+ u:object_r:iio_device:s0
-/dev/ion u:object_r:ion_device:s0
-/dev/keychord u:object_r:keychord_device:s0
-/dev/kmem u:object_r:kmem_device:s0
-/dev/loop-control u:object_r:loop_control_device:s0
-/dev/mem u:object_r:kmem_device:s0
-/dev/modem.* u:object_r:radio_device:s0
-/dev/mtd(/.*)? u:object_r:mtd_device:s0
-/dev/mtp_usb u:object_r:mtp_device:s0
-/dev/pmsg0 u:object_r:pmsg_device:s0
-/dev/pn544 u:object_r:nfc_device:s0
-/dev/port u:object_r:port_device:s0
-/dev/ppp u:object_r:ppp_device:s0
-/dev/ptmx u:object_r:ptmx_device:s0
-/dev/pvrsrvkm u:object_r:gpu_device:s0
-/dev/kmsg u:object_r:kmsg_device:s0
-/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
-/dev/null u:object_r:null_device:s0
-/dev/nvhdcp1 u:object_r:video_device:s0
-/dev/random u:object_r:random_device:s0
-/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
-/dev/rproc_user u:object_r:rpmsg_device:s0
-/dev/rtc[0-9] u:object_r:rtc_device:s0
-/dev/snd(/.*)? u:object_r:audio_device:s0
-/dev/snd/audio_timer_device u:object_r:audio_timer_device:s0
-/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
-/dev/socket(/.*)? u:object_r:socket_device:s0
-/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/cryptd u:object_r:vold_socket:s0
-/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
-/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
-/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
-/dev/socket/lmkd u:object_r:lmkd_socket:s0
-/dev/socket/logd u:object_r:logd_socket:s0
-/dev/socket/logdr u:object_r:logdr_socket:s0
-/dev/socket/logdw u:object_r:logdw_socket:s0
-/dev/socket/mdns u:object_r:mdns_socket:s0
-/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
-/dev/socket/mtpd u:object_r:mtpd_socket:s0
-/dev/socket/netd u:object_r:netd_socket:s0
-/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
-/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
-/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
-/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
-/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
-/dev/socket/property_service u:object_r:property_socket:s0
-/dev/socket/racoon u:object_r:racoon_socket:s0
-/dev/socket/rild u:object_r:rild_socket:s0
-/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
-/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
-/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
-/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
-/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
-/dev/socket/vold u:object_r:vold_socket:s0
-/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
-/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
-/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
-/dev/socket/zygote u:object_r:zygote_socket:s0
-/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
-/dev/spdif_out.* u:object_r:audio_device:s0
-/dev/tegra.* u:object_r:video_device:s0
-/dev/tty u:object_r:owntty_device:s0
-/dev/tty[0-9]* u:object_r:tty_device:s0
-/dev/ttyS[0-9]* u:object_r:serial_device:s0
-/dev/tun u:object_r:tun_device:s0
-/dev/uhid u:object_r:uhid_device:s0
-/dev/uinput u:object_r:uhid_device:s0
-/dev/uio[0-9]* u:object_r:uio_device:s0
-/dev/urandom u:object_r:random_device:s0
-/dev/usb_accessory u:object_r:usbaccessory_device:s0
-/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
-/dev/video[0-9]* u:object_r:video_device:s0
-/dev/vndbinder u:object_r:vndbinder_device:s0
-/dev/watchdog u:object_r:watchdog_device:s0
-/dev/xt_qtaguid u:object_r:qtaguid_device:s0
-/dev/zero u:object_r:zero_device:s0
-/dev/__properties__ u:object_r:properties_device:s0
-#############################
-# System files
-#
-/system(/.*)? u:object_r:system_file:s0
-/system/bin/atrace u:object_r:atrace_exec:s0
-/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
-/system/bin/mke2fs u:object_r:e2fs_exec:s0
-/system/bin/e2fsck -- u:object_r:fsck_exec:s0
-/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/make_f2fs -- u:object_r:fsck_exec:s0
-/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
-/system/bin/tune2fs -- u:object_r:fsck_exec:s0
-/system/bin/toolbox -- u:object_r:toolbox_exec:s0
-/system/bin/toybox -- u:object_r:toolbox_exec:s0
-/system/bin/logcat -- u:object_r:logcat_exec:s0
-/system/bin/logcatd -- u:object_r:logcat_exec:s0
-/system/bin/sh -- u:object_r:shell_exec:s0
-/system/bin/run-as -- u:object_r:runas_exec:s0
-/system/bin/bootanimation u:object_r:bootanim_exec:s0
-/system/bin/bootstat u:object_r:bootstat_exec:s0
-/system/bin/app_process32 u:object_r:zygote_exec:s0
-/system/bin/app_process64 u:object_r:zygote_exec:s0
-/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
-/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
-/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
-/system/bin/performanced u:object_r:performanced_exec:s0
-/system/bin/drmserver u:object_r:drmserver_exec:s0
-/system/bin/dumpstate u:object_r:dumpstate_exec:s0
-/system/bin/incident u:object_r:incident_exec:s0
-/system/bin/incidentd u:object_r:incidentd_exec:s0
-/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
-/system/bin/vold u:object_r:vold_exec:s0
-/system/bin/netd u:object_r:netd_exec:s0
-/system/bin/wificond u:object_r:wificond_exec:s0
-/system/bin/audioserver u:object_r:audioserver_exec:s0
-/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
-/system/bin/mediaserver u:object_r:mediaserver_exec:s0
-/system/bin/mediametrics u:object_r:mediametrics_exec:s0
-/system/bin/cameraserver u:object_r:cameraserver_exec:s0
-/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
-/system/bin/mdnsd u:object_r:mdnsd_exec:s0
-/system/bin/installd u:object_r:installd_exec:s0
-/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
-/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
-/system/bin/keystore u:object_r:keystore_exec:s0
-/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
-/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
-/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
-/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
-/system/bin/tombstoned u:object_r:tombstoned_exec:s0
-/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
-/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
-/system/bin/sdcard u:object_r:sdcardd_exec:s0
-/system/bin/dhcpcd u:object_r:dhcp_exec:s0
-/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0
-/system/bin/mtpd u:object_r:mtp_exec:s0
-/system/bin/pppd u:object_r:ppp_exec:s0
-/system/bin/racoon u:object_r:racoon_exec:s0
-/system/xbin/su u:object_r:su_exec:s0
-/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
-/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
-/system/bin/healthd u:object_r:healthd_exec:s0
-/system/bin/clatd u:object_r:clatd_exec:s0
-/system/bin/lmkd u:object_r:lmkd_exec:s0
-/system/bin/inputflinger u:object_r:inputflinger_exec:s0
-/system/bin/logd u:object_r:logd_exec:s0
-/system/bin/uncrypt u:object_r:uncrypt_exec:s0
-/system/bin/update_verifier u:object_r:update_verifier_exec:s0
-/system/bin/logwrapper u:object_r:system_file:s0
-/system/bin/vdc u:object_r:vdc_exec:s0
-/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
-/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
-/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
-# patchoat executable has (essentially) the same requirements as dex2oat.
-/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/profman u:object_r:profman_exec:s0
-/system/bin/sgdisk u:object_r:sgdisk_exec:s0
-/system/bin/blkid u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
-/system/bin/idmap u:object_r:idmap_exec:s0
-/system/bin/update_engine u:object_r:update_engine_exec:s0
-/system/bin/bspatch u:object_r:update_engine_exec:s0
-/system/bin/storaged u:object_r:storaged_exec:s0
-/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
-/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
-/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
-/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
-/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
-/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
-/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
-/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
-/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
-/system/bin/adbd u:object_r:adbd_exec:s0
-
-#############################
-# Vendor files
-#
-/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
-/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
-/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
-/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
-
-/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
-
-/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-
-# TODO: b/36790901 move this to /vendor/etc
-/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
-/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
-/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
-/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
-
-# HAL location
-/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-
-/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
-/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
-/vendor/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-/vendor/etc/selinux/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
-/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
-
-#############################
-# OEM and ODM files
-#
-/odm(/.*)? u:object_r:system_file:s0
-/oem(/.*)? u:object_r:oemfs:s0
-
-
-#############################
-# Data files
-#
-# NOTE: When modifying existing label rules, changes may also need to
-# propagate to the "Expanded data files" section.
-#
-/data(/.*)? u:object_r:system_data_file:s0
-/data/.layout_version u:object_r:install_data_file:s0
-/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
-/data/backup(/.*)? u:object_r:backup_data_file:s0
-/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
-/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
-/data/drm(/.*)? u:object_r:drm_data_file:s0
-/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
-/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/ota(/.*)? u:object_r:ota_data_file:s0
-/data/ota_package(/.*)? u:object_r:ota_package_file:s0
-/data/adb(/.*)? u:object_r:adb_data_file:s0
-/data/anr(/.*)? u:object_r:anr_data_file:s0
-/data/app(/.*)? u:object_r:apk_data_file:s0
-/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
-/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
-/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
-/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/data/media(/.*)? u:object_r:media_rw_data_file:s0
-/data/mediadrm(/.*)? u:object_r:media_data_file:s0
-/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
-/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
-/data/property(/.*)? u:object_r:property_data_file:s0
-/data/preloads(/.*)? u:object_r:preloads_data_file:s0
-/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
-/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
-
-# Misc data
-/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
-/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
-/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
-/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
-/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
-/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
-/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
-/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
-/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
-/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
-/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
-/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
-/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
-/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0
-/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
-/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
-/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
-/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
-/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
-/data/misc/media(/.*)? u:object_r:media_data_file:s0
-/data/misc/net(/.*)? u:object_r:net_data_file:s0
-/data/misc/reboot(/.*)? u:object_r:reboot_data_file:s0
-/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
-/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
-/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
-/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
-/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
-/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
-/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
-/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
-/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
-/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
-/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
-/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
-/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
-/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
-/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
-/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
-# TODO(calin) label profile reference differently so that only
-# profman run as a special user can write to them
-/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
-/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
-/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
-
-# Fingerprint data
-/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
-
-# Bootchart data
-/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
-
-#############################
-# Expanded data files
-#
-/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
-/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
-/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
-/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
-/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
-
-# coredump directory for userdebug/eng devices
-/cores(/.*)? u:object_r:coredump_file:s0
-
-# Wallpaper files
-/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
-
-# Ringtone files
-/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
-
-# ShortcutManager icons, e.g.
-# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
-/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
-
-# User icon files
-/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
-
-#############################
-# efs files
-#
-/efs(/.*)? u:object_r:efs_file:s0
-
-#############################
-# Cache files
-#
-/cache(/.*)? u:object_r:cache_file:s0
-/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
-# General backup/restore interchange with apps
-/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this subtree
-/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
-
-/data/cache(/.*)? u:object_r:cache_file:s0
-/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
-# General backup/restore interchange with apps
-/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this subtree
-/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
-
-#############################
-# asec containers
-/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
-/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
-/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
-/data/app-asec(/.*)? u:object_r:asec_image_file:s0
-
-#############################
-# external storage
-/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
-/mnt/user(/.*)? u:object_r:mnt_user_file:s0
-/mnt/runtime(/.*)? u:object_r:storage_file:s0
-/storage(/.*)? u:object_r:storage_file:s0
diff --git a/prebuilts/api/27.0/private/file_contexts_asan b/prebuilts/api/27.0/private/file_contexts_asan
deleted file mode 100644
index 0401ffe..0000000
--- a/prebuilts/api/27.0/private/file_contexts_asan
+++ /dev/null
@@ -1,9 +0,0 @@
-/data/asan/system/lib(/.*)? u:object_r:system_file:s0
-/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
-/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
-/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
-/system/bin/asan_extract u:object_r:asan_extract_exec:s0
-/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
-/system/bin/asan/app_process u:object_r:zygote_exec:s0
-/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
-/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
diff --git a/prebuilts/api/27.0/private/fingerprintd.te b/prebuilts/api/27.0/private/fingerprintd.te
deleted file mode 100644
index 0c1dfaa..0000000
--- a/prebuilts/api/27.0/private/fingerprintd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute fingerprintd coredomain;
-typeattribute fingerprintd domain_deprecated;
-
-init_daemon_domain(fingerprintd)
diff --git a/prebuilts/api/27.0/private/fs_use b/prebuilts/api/27.0/private/fs_use
deleted file mode 100644
index 4bd1112..0000000
--- a/prebuilts/api/27.0/private/fs_use
+++ /dev/null
@@ -1,23 +0,0 @@
-# Label inodes via getxattr.
-fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
-fs_use_xattr jffs2 u:object_r:labeledfs:s0;
-fs_use_xattr ext2 u:object_r:labeledfs:s0;
-fs_use_xattr ext3 u:object_r:labeledfs:s0;
-fs_use_xattr ext4 u:object_r:labeledfs:s0;
-fs_use_xattr xfs u:object_r:labeledfs:s0;
-fs_use_xattr btrfs u:object_r:labeledfs:s0;
-fs_use_xattr f2fs u:object_r:labeledfs:s0;
-fs_use_xattr squashfs u:object_r:labeledfs:s0;
-
-# Label inodes from task label.
-fs_use_task pipefs u:object_r:pipefs:s0;
-fs_use_task sockfs u:object_r:sockfs:s0;
-
-# Label inodes from combination of task label and fs label.
-# Define type_transition rules if you want per-domain types.
-fs_use_trans devpts u:object_r:devpts:s0;
-fs_use_trans tmpfs u:object_r:tmpfs:s0;
-fs_use_trans devtmpfs u:object_r:device:s0;
-fs_use_trans shm u:object_r:shm:s0;
-fs_use_trans mqueue u:object_r:mqueue:s0;
-
diff --git a/prebuilts/api/27.0/private/fsck.te b/prebuilts/api/27.0/private/fsck.te
deleted file mode 100644
index e846797..0000000
--- a/prebuilts/api/27.0/private/fsck.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute fsck coredomain;
-typeattribute fsck domain_deprecated;
-
-init_daemon_domain(fsck)
diff --git a/prebuilts/api/27.0/private/fsck_untrusted.te b/prebuilts/api/27.0/private/fsck_untrusted.te
deleted file mode 100644
index 2a1a39f..0000000
--- a/prebuilts/api/27.0/private/fsck_untrusted.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute fsck_untrusted coredomain;
-typeattribute fsck_untrusted domain_deprecated;
diff --git a/prebuilts/api/27.0/private/gatekeeperd.te b/prebuilts/api/27.0/private/gatekeeperd.te
deleted file mode 100644
index 5e4d0a2..0000000
--- a/prebuilts/api/27.0/private/gatekeeperd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute gatekeeperd coredomain;
-
-init_daemon_domain(gatekeeperd)
diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts
deleted file mode 100644
index e77a39b..0000000
--- a/prebuilts/api/27.0/private/genfs_contexts
+++ /dev/null
@@ -1,122 +0,0 @@
-# Label inodes with the fs label.
-genfscon rootfs / u:object_r:rootfs:s0
-# proc labeling can be further refined (longest matching prefix).
-genfscon proc / u:object_r:proc:s0
-genfscon proc /config.gz u:object_r:config_gz:s0
-genfscon proc /interrupts u:object_r:proc_interrupts:s0
-genfscon proc /iomem u:object_r:proc_iomem:s0
-genfscon proc /meminfo u:object_r:proc_meminfo:s0
-genfscon proc /misc u:object_r:proc_misc:s0
-genfscon proc /modules u:object_r:proc_modules:s0
-genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
-genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
-genfscon proc /softirqs u:object_r:proc_timer:s0
-genfscon proc /stat u:object_r:proc_stat:s0
-genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
-genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
-genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
-genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
-genfscon proc /sys/net u:object_r:proc_net:s0
-genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
-genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
-genfscon proc /timer_list u:object_r:proc_timer:s0
-genfscon proc /timer_stats u:object_r:proc_timer:s0
-genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
-genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
-genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
-genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
-genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
-genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
-genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
-
-# selinuxfs booleans can be individually labeled.
-genfscon selinuxfs / u:object_r:selinuxfs:s0
-genfscon cgroup / u:object_r:cgroup:s0
-# sysfs labels can be set by userspace.
-genfscon sysfs / u:object_r:sysfs:s0
-genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
-genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
-genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
-genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
-genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
-genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
-genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
-genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
-genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
-genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
-genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
-genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
-genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
-genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
-genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
-
-genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
-genfscon debugfs /tracing u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
-genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
-genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
-genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
-genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
-genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
-
-genfscon debugfs /tracing/events/sync/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/regulator/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/irq/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ipi/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
-
-genfscon tracefs /events/sync/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/regulator/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/irq/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ipi/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
-
-genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:vfat:s0
-genfscon debugfs / u:object_r:debugfs:s0
-genfscon tracefs / u:object_r:debugfs_tracing:s0
-genfscon fuse / u:object_r:fuse:s0
-genfscon configfs / u:object_r:configfs:s0
-genfscon sdcardfs / u:object_r:sdcardfs:s0
-genfscon pstore / u:object_r:pstorefs:s0
-genfscon functionfs / u:object_r:functionfs:s0
-genfscon usbfs / u:object_r:usbfs:s0
-genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
diff --git a/prebuilts/api/27.0/private/hal_allocator_default.te b/prebuilts/api/27.0/private/hal_allocator_default.te
deleted file mode 100644
index 49ef178..0000000
--- a/prebuilts/api/27.0/private/hal_allocator_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_allocator_default, domain, coredomain;
-hal_server_domain(hal_allocator_default, hal_allocator)
-
-type hal_allocator_default_exec, exec_type, file_type;
-init_daemon_domain(hal_allocator_default)
diff --git a/prebuilts/api/27.0/private/halclientdomain.te b/prebuilts/api/27.0/private/halclientdomain.te
deleted file mode 100644
index 9dcd3ee..0000000
--- a/prebuilts/api/27.0/private/halclientdomain.te
+++ /dev/null
@@ -1,13 +0,0 @@
-###
-### Rules for all domains which are clients of a HAL
-###
-
-# Find out whether a HAL in passthrough/in-process mode or
-# binderized/out-of-process mode
-hwbinder_use(halclientdomain)
-
-# Used to wait for hwservicemanager
-get_prop(halclientdomain, hwservicemanager_prop)
-
-# Wait for HAL server to be up (used by getService)
-allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/private/halserverdomain.te b/prebuilts/api/27.0/private/halserverdomain.te
deleted file mode 100644
index f36e0e7..0000000
--- a/prebuilts/api/27.0/private/halserverdomain.te
+++ /dev/null
@@ -1,12 +0,0 @@
-###
-### Rules for all domains which offer a HAL service over HwBinder
-###
-
-# Register the HAL service with hwservicemanager
-hwbinder_use(halserverdomain)
-
-# Find HAL implementations
-allow halserverdomain system_file:dir r_dir_perms;
-
-# Used to wait for hwservicemanager
-get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/prebuilts/api/27.0/private/healthd.te b/prebuilts/api/27.0/private/healthd.te
deleted file mode 100644
index 0693a3a..0000000
--- a/prebuilts/api/27.0/private/healthd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute healthd coredomain;
-
-init_daemon_domain(healthd)
-
-# Allow callback to storaged batteryproperties listener
-binder_call(healthd, storaged)
diff --git a/prebuilts/api/27.0/private/hwservice_contexts b/prebuilts/api/27.0/private/hwservice_contexts
deleted file mode 100644
index e304495..0000000
--- a/prebuilts/api/27.0/private/hwservice_contexts
+++ /dev/null
@@ -1,57 +0,0 @@
-android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
-android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
-android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
-android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
-android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
-android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
-android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
-android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
-android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
-android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
-android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
-android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
-android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
-android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
-android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
-android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
-android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
-android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
-android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
-android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
-android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
-android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
-android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
-android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
-android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
-android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
-android.hardware.neuralnetworks::IDevice u:object_r:hal_neuralnetworks_hwservice:s0
-android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
-android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
-android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
-android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
-android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
-android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
-android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
-android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
-android.hardware.thermal::IThermalCallback u:object_r:thermalcallback_hwservice:s0
-android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
-android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
-android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
-android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
-android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
-android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
-android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
-android.hardware.wifi.offload::IOffload u:object_r:hal_wifi_offload_hwservice:s0
-android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
-android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
-android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
-android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
-android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
-android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
-android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
-android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
-* u:object_r:default_android_hwservice:s0
diff --git a/prebuilts/api/27.0/private/hwservicemanager.te b/prebuilts/api/27.0/private/hwservicemanager.te
deleted file mode 100644
index a43eb02..0000000
--- a/prebuilts/api/27.0/private/hwservicemanager.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute hwservicemanager coredomain;
-
-init_daemon_domain(hwservicemanager)
-
-add_hwservice(hwservicemanager, hidl_manager_hwservice)
-add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/prebuilts/api/27.0/private/idmap.te b/prebuilts/api/27.0/private/idmap.te
deleted file mode 100644
index 73abf35..0000000
--- a/prebuilts/api/27.0/private/idmap.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute idmap coredomain;
diff --git a/prebuilts/api/27.0/private/incident.te b/prebuilts/api/27.0/private/incident.te
deleted file mode 100644
index b910dde..0000000
--- a/prebuilts/api/27.0/private/incident.te
+++ /dev/null
@@ -1,25 +0,0 @@
-typeattribute incident coredomain;
-
-type incident_exec, exec_type, file_type;
-
-# switch to incident domain for incident command
-domain_auto_trans(shell, incident_exec, incident)
-
-# allow incident access to stdout from its parent shell.
-allow incident shell:fd use;
-
-# allow incident to communicate use, read and write over the adb
-# connection.
-allow incident adbd:fd use;
-allow incident adbd:unix_stream_socket { read write };
-
-# allow adbd to reap incident
-allow incident adbd:process { sigchld };
-
-# Allow the incident command to talk to the incidentd over the binder, and get
-# back the incident report data from a ParcelFileDescriptor.
-binder_use(incident)
-allow incident incident_service:service_manager find;
-binder_call(incident, incidentd)
-allow incident incidentd:fifo_file write;
-
diff --git a/prebuilts/api/27.0/private/incidentd.te b/prebuilts/api/27.0/private/incidentd.te
deleted file mode 100644
index 64e174f..0000000
--- a/prebuilts/api/27.0/private/incidentd.te
+++ /dev/null
@@ -1,110 +0,0 @@
-typeattribute incidentd coredomain;
-
-init_daemon_domain(incidentd)
-type incidentd_exec, exec_type, file_type;
-binder_use(incidentd)
-wakelock_use(incidentd)
-
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-# TODO allow incidentd self:capability { setuid setgid sys_resource };
-
-# Allow incidentd to scan through /proc/pid for all processes
-r_dir_file(incidentd, domain)
-
-allow incidentd self:capability {
- # Send signals to processes
- kill
-};
-
-# Allow executing files on system, such as:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow incidentd system_file:file execute_no_trans;
-allow incidentd toolbox_exec:file rx_file_perms;
-
-# Create and write into /data/misc/incidents
-allow incidentd incident_data_file:dir rw_dir_perms;
-allow incidentd incident_data_file:file create_file_perms;
-
-# Get process attributes
-# TODO allow incidentd domain:process getattr;
-
-# Signal java processes to dump their stack and get the results
-# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
-# TODO allow incidentd anr_data_file:dir rw_dir_perms;
-# TODO allow incidentd anr_data_file:file create_file_perms;
-
-# Signal native processes to dump their stack.
-# This list comes from native_processes_to_dump in incidentd/utils.c
-allow incidentd {
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediacodec
- mediadrmserver
- mediaextractor
- mediaserver
- sdcardd
- surfaceflinger
-}:process signal;
-
-# Allow incidentd to make binder calls to any binder service
-binder_call(incidentd, binderservicedomain)
-binder_call(incidentd, appdomain)
-
-# Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:capability sys_ptrace;
-
-# Run a shell.
-allow incidentd shell_exec:file rx_file_perms;
-
-# logd access - work to be done is a PII safe log (possibly an event log?)
-# TODO read_logd(incidentd)
-# TODO control_logd(incidentd)
-
-# Allow incidentd to find these standard groups of services.
-# Others can be allowlisted individually.
-allow incidentd {
- system_server_service
- app_api_service
- system_api_service
-}:service_manager find;
-
-# Only incidentd can publish the binder service
-add_service(incidentd, incident_service)
-
-# Allow pipes from (and only from) incident
-allow incidentd incident:fd use;
-allow incidentd incident:fifo_file write;
-
-# Allow incident to call back to incident with status updates.
-binder_call(incidentd, incident)
-
-###
-### neverallow rules
-###
-
-# only system_server, system_app and incident command can find the incident service
-neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
-
-# only incidentd and the other root services in limited circumstances
-# can get to the files in /data/misc/incidents
-#
-# write, execute, append are forbidden almost everywhere
-neverallow { domain -incidentd -init -vold } incident_data_file:file {
- w_file_perms
- x_file_perms
- create
- rename
- setattr
- unlink
- append
-};
-# read is also allowed by system_server, for when the file is handed to dropbox
-neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
-# limited access to the directory itself
-neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
-
diff --git a/prebuilts/api/27.0/private/init.te b/prebuilts/api/27.0/private/init.te
deleted file mode 100644
index 5c23f66..0000000
--- a/prebuilts/api/27.0/private/init.te
+++ /dev/null
@@ -1,26 +0,0 @@
-typeattribute init coredomain;
-
-tmpfs_domain(init)
-
-# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, charger)
-domain_trans(init, rootfs, healthd)
-domain_trans(init, rootfs, slideshow)
-domain_auto_trans(init, e2fs_exec, e2fs)
-recovery_only(`
- domain_trans(init, rootfs, adbd)
- domain_trans(init, rootfs, recovery)
-')
-domain_trans(init, shell_exec, shell)
-domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, watchdogd)
-domain_trans(init, { rootfs toolbox_exec }, modprobe)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
-userdebug_or_eng(`
- domain_auto_trans(init, logcat_exec, logpersist)
-')
-
-# Creating files on sysfs is impossible so this isn't a threat
-# Sometimes we have to write to non-existent files to avoid conditional
-# init behavior. See b/35303861 for an example.
-dontaudit init sysfs:dir write;
diff --git a/prebuilts/api/27.0/private/initial_sid_contexts b/prebuilts/api/27.0/private/initial_sid_contexts
deleted file mode 100644
index 9819051..0000000
--- a/prebuilts/api/27.0/private/initial_sid_contexts
+++ /dev/null
@@ -1,27 +0,0 @@
-sid kernel u:r:kernel:s0
-sid security u:object_r:kernel:s0
-sid unlabeled u:object_r:unlabeled:s0
-sid fs u:object_r:labeledfs:s0
-sid file u:object_r:unlabeled:s0
-sid file_labels u:object_r:unlabeled:s0
-sid init u:object_r:unlabeled:s0
-sid any_socket u:object_r:unlabeled:s0
-sid port u:object_r:port:s0
-sid netif u:object_r:netif:s0
-sid netmsg u:object_r:unlabeled:s0
-sid node u:object_r:node:s0
-sid igmp_packet u:object_r:unlabeled:s0
-sid icmp_socket u:object_r:unlabeled:s0
-sid tcp_socket u:object_r:unlabeled:s0
-sid sysctl_modprobe u:object_r:unlabeled:s0
-sid sysctl u:object_r:proc:s0
-sid sysctl_fs u:object_r:unlabeled:s0
-sid sysctl_kernel u:object_r:unlabeled:s0
-sid sysctl_net u:object_r:unlabeled:s0
-sid sysctl_net_unix u:object_r:unlabeled:s0
-sid sysctl_vm u:object_r:unlabeled:s0
-sid sysctl_dev u:object_r:unlabeled:s0
-sid kmod u:object_r:unlabeled:s0
-sid policy u:object_r:unlabeled:s0
-sid scmp_packet u:object_r:unlabeled:s0
-sid devnull u:object_r:null_device:s0
diff --git a/prebuilts/api/27.0/private/initial_sids b/prebuilts/api/27.0/private/initial_sids
deleted file mode 100644
index 91ac816..0000000
--- a/prebuilts/api/27.0/private/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/prebuilts/api/27.0/private/inputflinger.te b/prebuilts/api/27.0/private/inputflinger.te
deleted file mode 100644
index 9696b49..0000000
--- a/prebuilts/api/27.0/private/inputflinger.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute inputflinger coredomain;
-
-init_daemon_domain(inputflinger)
diff --git a/prebuilts/api/27.0/private/install_recovery.te b/prebuilts/api/27.0/private/install_recovery.te
deleted file mode 100644
index b79d683..0000000
--- a/prebuilts/api/27.0/private/install_recovery.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute install_recovery coredomain;
-
-init_daemon_domain(install_recovery)
diff --git a/prebuilts/api/27.0/private/installd.te b/prebuilts/api/27.0/private/installd.te
deleted file mode 100644
index d726e7d..0000000
--- a/prebuilts/api/27.0/private/installd.te
+++ /dev/null
@@ -1,19 +0,0 @@
-typeattribute installd coredomain;
-typeattribute installd domain_deprecated;
-
-init_daemon_domain(installd)
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(installd, dex2oat_exec, dex2oat)
-
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Run profman in its own sandbox.
-domain_auto_trans(installd, profman_exec, profman)
-
-# Run idmap in its own sandbox.
-domain_auto_trans(installd, idmap_exec, idmap)
-
-# Create /data/.layout_version.* file
-type_transition installd system_data_file:file install_data_file;
diff --git a/prebuilts/api/27.0/private/isolated_app.te b/prebuilts/api/27.0/private/isolated_app.te
deleted file mode 100644
index fbfb8a5..0000000
--- a/prebuilts/api/27.0/private/isolated_app.te
+++ /dev/null
@@ -1,108 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-
-typeattribute isolated_app coredomain;
-
-app_domain(isolated_app)
-
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
-
-allow isolated_app activity_service:service_manager find;
-allow isolated_app display_service:service_manager find;
-allow isolated_app webviewupdate_service:service_manager find;
-
-# Google Breakpad (crash reporter for Chrome) relies on ptrace
-# functionality. Without the ability to ptrace, the crash reporter
-# tool is broken.
-# b/20150694
-# https://code.google.com/p/chromium/issues/detail?id=475270
-allow isolated_app self:process ptrace;
-
-# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
-# by other processes. Open should never be allowed, and is blocked by
-# neverallow rules below.
-# TODO: consider removing write/append. We want to limit isolated_apps
-# ability to mutate files of any type.
-# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
-# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
-
-# For webviews, isolated_app processes can be forked from the webview_zygote
-# in addition to the zygote. Allow access to resources inherited from the
-# webview_zygote process. These rules are specialized copies of the ones in app.te.
-# Inherit FDs from the webview_zygote.
-allow isolated_app webview_zygote:fd use;
-# Notify webview_zygote of child death.
-allow isolated_app webview_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app webview_zygote:unix_dgram_socket write;
-# Read system properties managed by webview_zygote.
-allow isolated_app webview_zygote_tmpfs:file read;
-
-# TODO (b/63631799) fix this access
-# suppress denials to /data/local/tmp
-dontaudit isolated_app shell_data_file:dir search;
-
-#####
-##### Neverallow
-#####
-
-# Do not allow isolated_app to directly open tun_device
-neverallow isolated_app tun_device:chr_file open;
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-# TODO: are there situations where isolated_apps write to this file?
-# TODO: should we tighten these restrictions further?
-neverallow isolated_app anr_data_file:file ~{ open append };
-neverallow isolated_app anr_data_file:dir ~search;
-
-# Isolated apps must not be permitted to use HwBinder
-neverallow isolated_app hwbinder_device:chr_file *;
-neverallow isolated_app *:hwservice_manager *;
-
-# Isolated apps must not be permitted to use VndBinder
-neverallow isolated_app vndbinder_device:chr_file *;
-
-# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services allowlisted below.
-neverallow isolated_app *:service_manager ~find;
-
-# b/17487348
-# Isolated apps can only access three services,
-# activity_service, display_service and webviewupdate_service.
-neverallow isolated_app {
- service_manager_type
- -activity_service
- -display_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
-
-# Do not allow isolated_app access to /cache
-neverallow isolated_app cache_file:dir ~{ r_dir_perms };
-neverallow isolated_app cache_file:file ~{ read getattr };
-
-# Do not allow isolated_app to access external storage, except for files passed
-# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
-neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
-
-# Do not allow USB access
-neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-
-# Restrict the webview_zygote control socket.
-neverallow isolated_app webview_zygote_socket:sock_file write;
diff --git a/prebuilts/api/27.0/private/kernel.te b/prebuilts/api/27.0/private/kernel.te
deleted file mode 100644
index a4e6ebe..0000000
--- a/prebuilts/api/27.0/private/kernel.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute kernel coredomain;
-
-domain_auto_trans(kernel, init_exec, init)
diff --git a/prebuilts/api/27.0/private/keys.conf b/prebuilts/api/27.0/private/keys.conf
deleted file mode 100644
index 7a307b5..0000000
--- a/prebuilts/api/27.0/private/keys.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# Maps an arbitrary tag [TAGNAME] with the string contents found in
-# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
-# name it after the base file name of the pem file.
-#
-# Each tag (section) then allows one to specify any string found in
-# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
-# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
-#
-
-[@PLATFORM]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
-
-[@MEDIA]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
-
-[@SHARED]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
-
-# Example of ALL TARGET_BUILD_VARIANTS
-[@RELEASE]
-ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-
diff --git a/prebuilts/api/27.0/private/keystore.te b/prebuilts/api/27.0/private/keystore.te
deleted file mode 100644
index 1e56338..0000000
--- a/prebuilts/api/27.0/private/keystore.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute keystore coredomain;
-typeattribute keystore domain_deprecated;
-
-init_daemon_domain(keystore)
-
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# Offer the Wifi Keystore HwBinder service
-typeattribute keystore wifi_keystore_service_server;
-add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/prebuilts/api/27.0/private/lmkd.te b/prebuilts/api/27.0/private/lmkd.te
deleted file mode 100644
index a07ce87..0000000
--- a/prebuilts/api/27.0/private/lmkd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute lmkd coredomain;
-
-init_daemon_domain(lmkd)
diff --git a/prebuilts/api/27.0/private/logd.te b/prebuilts/api/27.0/private/logd.te
deleted file mode 100644
index 4338e40..0000000
--- a/prebuilts/api/27.0/private/logd.te
+++ /dev/null
@@ -1,39 +0,0 @@
-typeattribute logd coredomain;
-
-init_daemon_domain(logd)
-
-# logd is not allowed to write anywhere other than /data/misc/logd, and then
-# only on userdebug or eng builds
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow logd {
- file_type
- -logd_tmpfs
- -runtime_event_log_tags_file
- userdebug_or_eng(`-coredump_file -misc_logd_file')
-}:file { create write append };
-
-# protect the event-log-tags file
-neverallow {
- domain
- -appdomain # covered below
- -bootstat
- -dumpstate
- -init
- -logd
- userdebug_or_eng(`-logpersist')
- -servicemanager
- -system_server
- -surfaceflinger
- -zygote
-} runtime_event_log_tags_file:file no_rw_file_perms;
-
-neverallow {
- appdomain
- -bluetooth
- -platform_app
- -priv_app
- -radio
- -shell
- userdebug_or_eng(`-su')
- -system_app
-} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/prebuilts/api/27.0/private/logpersist.te b/prebuilts/api/27.0/private/logpersist.te
deleted file mode 100644
index 70e3198..0000000
--- a/prebuilts/api/27.0/private/logpersist.te
+++ /dev/null
@@ -1,24 +0,0 @@
-typeattribute logpersist coredomain;
-
-# android debug log storage in logpersist domains (eng and userdebug only)
-userdebug_or_eng(`
-
- r_dir_file(logpersist, cgroup)
-
- allow logpersist misc_logd_file:file create_file_perms;
- allow logpersist misc_logd_file:dir rw_dir_perms;
-
- allow logpersist self:capability sys_nice;
- allow logpersist pstorefs:dir search;
- allow logpersist pstorefs:file r_file_perms;
-
- control_logd(logpersist)
- unix_socket_connect(logpersist, logdr, logd)
- read_runtime_log_tags(logpersist)
-
-')
-
-# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
-neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/27.0/private/mac_permissions.xml b/prebuilts/api/27.0/private/mac_permissions.xml
deleted file mode 100644
index 1fcd2a4..0000000
--- a/prebuilts/api/27.0/private/mac_permissions.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policy>
-
-<!--
-
- * A signature is a hex encoded X.509 certificate or a tag defined in
- keys.conf and is required for each signer tag. The signature can
- either appear as a set of attached cert child tags or as an attribute.
- * A signer tag must contain a seinfo tag XOR multiple package stanzas.
- * Each signer/package tag is allowed to contain one seinfo tag. This tag
- represents additional info that each app can use in setting a SELinux security
- context on the eventual process as well as the apps data directory.
- * seinfo assignments are made according to the following rules:
- - Stanzas with package name refinements will be checked first.
- - Stanzas w/o package name refinements will be checked second.
- - The "default" seinfo label is automatically applied.
-
- * valid stanzas can take one of the following forms:
-
- // single cert protecting seinfo
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- // multiple certs protecting seinfo (all contained certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <seinfo value="platform" />
- </signer>
-
- // single cert protecting explicitly named app
- <signer signature="@PLATFORM" >
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
-
- // multiple certs protecting explicitly named app (all certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
--->
-
- <!-- Platform dev key in AOSP -->
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- <!-- Media key in AOSP -->
- <signer signature="@MEDIA" >
- <seinfo value="media" />
- </signer>
-
-</policy>
diff --git a/prebuilts/api/27.0/private/mdnsd.te b/prebuilts/api/27.0/private/mdnsd.te
deleted file mode 100644
index 96259e2..0000000
--- a/prebuilts/api/27.0/private/mdnsd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# mdns daemon
-
-typeattribute mdnsd coredomain;
-typeattribute mdnsd mlstrustedsubject;
-
-type mdnsd_exec, exec_type, file_type;
-init_daemon_domain(mdnsd)
-
-net_domain(mdnsd)
-
-# Read from /proc/net
-r_dir_file(mdnsd, proc_net)
diff --git a/prebuilts/api/27.0/private/mediadrmserver.te b/prebuilts/api/27.0/private/mediadrmserver.te
deleted file mode 100644
index 4e511a8..0000000
--- a/prebuilts/api/27.0/private/mediadrmserver.te
+++ /dev/null
@@ -1,8 +0,0 @@
-typeattribute mediadrmserver coredomain;
-
-init_daemon_domain(mediadrmserver)
-
-# allocate and use graphic buffers
-hal_client_domain(mediadrmserver, hal_graphics_allocator)
-auditallow mediadrmserver hal_graphics_allocator_server:binder call;
-
diff --git a/prebuilts/api/27.0/private/mediaextractor.te b/prebuilts/api/27.0/private/mediaextractor.te
deleted file mode 100644
index c1a8521..0000000
--- a/prebuilts/api/27.0/private/mediaextractor.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mediaextractor coredomain;
-
-init_daemon_domain(mediaextractor)
diff --git a/prebuilts/api/27.0/private/mediametrics.te b/prebuilts/api/27.0/private/mediametrics.te
deleted file mode 100644
index f8b2fa5..0000000
--- a/prebuilts/api/27.0/private/mediametrics.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mediametrics coredomain;
-
-init_daemon_domain(mediametrics)
diff --git a/prebuilts/api/27.0/private/mediaprovider.te b/prebuilts/api/27.0/private/mediaprovider.te
deleted file mode 100644
index 63f56c8..0000000
--- a/prebuilts/api/27.0/private/mediaprovider.te
+++ /dev/null
@@ -1,35 +0,0 @@
-###
-### A domain for android.process.media, which contains both
-### MediaProvider and DownloadProvider and associated services.
-###
-
-typeattribute mediaprovider coredomain;
-app_domain(mediaprovider)
-
-# DownloadProvider accesses the network.
-net_domain(mediaprovider)
-
-# DownloadProvider uses /cache.
-allow mediaprovider cache_file:dir create_dir_perms;
-allow mediaprovider cache_file:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow mediaprovider cache_file:lnk_file r_file_perms;
-
-allow mediaprovider app_api_service:service_manager find;
-allow mediaprovider audioserver_service:service_manager find;
-allow mediaprovider drmserver_service:service_manager find;
-allow mediaprovider mediaserver_service:service_manager find;
-allow mediaprovider surfaceflinger_service:service_manager find;
-
-# Allow MediaProvider to read/write cached ringtones (opened by system).
-allow mediaprovider ringtone_file:file { getattr read write };
-
-# MtpServer uses /dev/mtp_usb
-allow mediaprovider mtp_device:chr_file rw_file_perms;
-
-# MtpServer uses /dev/usb-ffs/mtp
-allow mediaprovider functionfs:dir search;
-allow mediaprovider functionfs:file rw_file_perms;
-
-# MtpServer sets sys.usb.ffs.mtp.ready
-set_prop(mediaprovider, ffs_prop)
diff --git a/prebuilts/api/27.0/private/mediaserver.te b/prebuilts/api/27.0/private/mediaserver.te
deleted file mode 100644
index a9b85be..0000000
--- a/prebuilts/api/27.0/private/mediaserver.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute mediaserver coredomain;
-
-init_daemon_domain(mediaserver)
-
-# allocate and use graphic buffers
-hal_client_domain(mediaserver, hal_graphics_allocator)
-
-# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
-# of OMX HAL.
-allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/private/mls b/prebuilts/api/27.0/private/mls
deleted file mode 100644
index a561de1..0000000
--- a/prebuilts/api/27.0/private/mls
+++ /dev/null
@@ -1,100 +0,0 @@
-#################################################
-# MLS policy constraints
-#
-
-#
-# Process constraints
-#
-
-# Process transition: Require equivalence unless the subject is trusted.
-mlsconstrain process { transition dyntransition }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Process read operations: No read up unless trusted.
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
- (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Process write operations: Require equivalence unless trusted.
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
- (l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Socket constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Sockets inherit the range of their creator.
-mlsconstrain socket_class_set { create relabelfrom relabelto }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Datagram send: Sender must be equivalent to the receiver unless one of them
-# is trusted.
-mlsconstrain unix_dgram_socket { sendto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-# Stream connect: Client must be equivalent to server unless one of them
-# is trusted.
-mlsconstrain unix_stream_socket { connectto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-#
-# Directory/file constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Also, files should always be single-level.
-# Do NOT exempt mlstrustedobject types from this constraint.
-mlsconstrain dir_file_class_set { create relabelfrom relabelto }
- (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-#
-# Constraints for app data files only.
-#
-
-# Only constrain open, not read/write.
-# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must be equivalent to object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
-mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
- (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Constraints for file types other than app data files.
-#
-
-# Read operations: Subject must dominate object unless the subject
-# or the object is trusted.
-mlsconstrain dir { read getattr search }
- (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Write operations: Subject must be equivalent to the object unless the
-# subject or the object is trusted.
-mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Special case for FIFOs.
-# These can be unnamed pipes, in which case they will be labeled with the
-# creating process' label. Thus we also have an exemption when the "object"
-# is a domain type, so that processes can communicate via unnamed pipes
-# passed by binder or local socket IPC.
-mlsconstrain fifo_file { read getattr }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-mlsconstrain fifo_file { write setattr append unlink link rename }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-#
-# Binder IPC constraints
-#
-# Presently commented out, as apps are expected to call one another.
-# This would only make sense if apps were assigned categories
-# based on allowable communications rather than per-app categories.
-#mlsconstrain binder call
-# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/prebuilts/api/27.0/private/mls_decl b/prebuilts/api/27.0/private/mls_decl
deleted file mode 100644
index dd53bea..0000000
--- a/prebuilts/api/27.0/private/mls_decl
+++ /dev/null
@@ -1,10 +0,0 @@
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-gen_sens(mls_num_sens)
-gen_cats(mls_num_cats)
-
-# Generate level definitions for each sensitivity and category.
-gen_levels(mls_num_sens,mls_num_cats)
diff --git a/prebuilts/api/27.0/private/mls_macros b/prebuilts/api/27.0/private/mls_macros
deleted file mode 100644
index 83e0542..0000000
--- a/prebuilts/api/27.0/private/mls_macros
+++ /dev/null
@@ -1,54 +0,0 @@
-########################################
-#
-# gen_cats(N)
-#
-# declares categores c0 to c(N-1)
-#
-define(`decl_cats',`dnl
-category c$1;
-ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
-')
-
-define(`gen_cats',`decl_cats(0,decr($1))')
-
-########################################
-#
-# gen_sens(N)
-#
-# declares sensitivites s0 to s(N-1) with dominance
-# in increasing numeric order with s0 lowest, s(N-1) highest
-#
-define(`decl_sens',`dnl
-sensitivity s$1;
-ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
-')
-
-define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
-
-define(`gen_sens',`
-# Each sensitivity has a name and zero or more aliases.
-decl_sens(0,decr($1))
-
-# Define the ordering of the sensitivity levels (least to greatest)
-dominance { gen_dominance(0,decr($1)) }
-')
-
-########################################
-#
-# gen_levels(N,M)
-#
-# levels from s0 to (N-1) with categories c0 to (M-1)
-#
-define(`decl_levels',`dnl
-level s$1:c0.c$3;
-ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
-')
-
-define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
-
-########################################
-#
-# Basic level names for system low and high
-#
-define(`mls_systemlow',`s0')
-define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/prebuilts/api/27.0/private/modprobe.te b/prebuilts/api/27.0/private/modprobe.te
deleted file mode 100644
index 9858675..0000000
--- a/prebuilts/api/27.0/private/modprobe.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute modprobe coredomain;
diff --git a/prebuilts/api/27.0/private/mtp.te b/prebuilts/api/27.0/private/mtp.te
deleted file mode 100644
index 3cfda0b..0000000
--- a/prebuilts/api/27.0/private/mtp.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute mtp coredomain;
-typeattribute mtp domain_deprecated;
-
-init_daemon_domain(mtp)
diff --git a/prebuilts/api/27.0/private/net.te b/prebuilts/api/27.0/private/net.te
deleted file mode 100644
index f16daf9..0000000
--- a/prebuilts/api/27.0/private/net.te
+++ /dev/null
@@ -1,24 +0,0 @@
-###
-### Domain with network access
-###
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/prebuilts/api/27.0/private/netd.te b/prebuilts/api/27.0/private/netd.te
deleted file mode 100644
index 3a824af..0000000
--- a/prebuilts/api/27.0/private/netd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute netd coredomain;
-typeattribute netd domain_deprecated;
-
-init_daemon_domain(netd)
-
-# Allow netd to spawn dnsmasq in it's own domain
-domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-
-# Allow netd to start clatd in its own domain
-domain_auto_trans(netd, clatd_exec, clatd)
diff --git a/prebuilts/api/27.0/private/netutils_wrapper.te b/prebuilts/api/27.0/private/netutils_wrapper.te
deleted file mode 100644
index f7fe32a..0000000
--- a/prebuilts/api/27.0/private/netutils_wrapper.te
+++ /dev/null
@@ -1,28 +0,0 @@
-typeattribute netutils_wrapper coredomain;
-
-r_dir_file(netutils_wrapper, system_file);
-
-# For netutils (ip, iptables, tc)
-allow netutils_wrapper self:capability net_raw;
-
-allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net:file { open read getattr };
-allow netutils_wrapper self:rawip_socket create_socket_perms;
-allow netutils_wrapper self:udp_socket create_socket_perms;
-allow netutils_wrapper self:capability net_admin;
-# ip utils need everything but ioctl
-allow netutils_wrapper self:netlink_route_socket ~ioctl;
-allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
-
-# For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
-allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
-
-# For /data/misc/net access to ndc and ip
-r_dir_file(netutils_wrapper, net_data_file)
-
-domain_auto_trans({
- domain
- -coredomain
- -appdomain
-}, netutils_wrapper_exec, netutils_wrapper)
diff --git a/prebuilts/api/27.0/private/nfc.te b/prebuilts/api/27.0/private/nfc.te
deleted file mode 100644
index b41558c..0000000
--- a/prebuilts/api/27.0/private/nfc.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# nfc subsystem
-typeattribute nfc coredomain;
-app_domain(nfc)
-net_domain(nfc)
-
-binder_service(nfc)
-add_service(nfc, nfc_service)
-
-hal_client_domain(nfc, hal_nfc)
-
-# Data file accesses.
-allow nfc nfc_data_file:dir create_dir_perms;
-allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
-
-# SoundPool loading and playback
-allow nfc audioserver_service:service_manager find;
-allow nfc drmserver_service:service_manager find;
-allow nfc mediacodec_service:service_manager find;
-allow nfc mediametrics_service:service_manager find;
-allow nfc mediaextractor_service:service_manager find;
-allow nfc mediaserver_service:service_manager find;
-
-allow nfc radio_service:service_manager find;
-allow nfc surfaceflinger_service:service_manager find;
-allow nfc app_api_service:service_manager find;
-allow nfc system_api_service:service_manager find;
-allow nfc vr_manager_service:service_manager find;
-
-set_prop(nfc, nfc_prop);
-
-# already open bugreport file descriptors may be shared with
-# the nfc process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow nfc shell_data_file:file read;
diff --git a/prebuilts/api/27.0/private/otapreopt_chroot.te b/prebuilts/api/27.0/private/otapreopt_chroot.te
deleted file mode 100644
index 1f69931..0000000
--- a/prebuilts/api/27.0/private/otapreopt_chroot.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute otapreopt_chroot coredomain;
-
-# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/prebuilts/api/27.0/private/otapreopt_slot.te b/prebuilts/api/27.0/private/otapreopt_slot.te
deleted file mode 100644
index 98b93d4..0000000
--- a/prebuilts/api/27.0/private/otapreopt_slot.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute otapreopt_slot coredomain;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(otapreopt_slot)
diff --git a/prebuilts/api/27.0/private/performanced.te b/prebuilts/api/27.0/private/performanced.te
deleted file mode 100644
index 792826e..0000000
--- a/prebuilts/api/27.0/private/performanced.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute performanced coredomain;
-
-init_daemon_domain(performanced)
diff --git a/prebuilts/api/27.0/private/perfprofd.te b/prebuilts/api/27.0/private/perfprofd.te
deleted file mode 100644
index a655f1d..0000000
--- a/prebuilts/api/27.0/private/perfprofd.te
+++ /dev/null
@@ -1,5 +0,0 @@
-userdebug_or_eng(`
- typeattribute perfprofd coredomain;
- typeattribute perfprofd domain_deprecated;
- init_daemon_domain(perfprofd)
-')
diff --git a/prebuilts/api/27.0/private/platform_app.te b/prebuilts/api/27.0/private/platform_app.te
deleted file mode 100644
index 2aa7dc9..0000000
--- a/prebuilts/api/27.0/private/platform_app.te
+++ /dev/null
@@ -1,73 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-typeattribute platform_app coredomain;
-typeattribute platform_app domain_deprecated;
-
-app_domain(platform_app)
-
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-# Read from /data/local/tmp or /data/data/com.android.shell.
-allow platform_app shell_data_file:dir search;
-allow platform_app shell_data_file:file { open getattr read };
-allow platform_app icon_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
-allow platform_app apk_private_data_file:dir search;
-# ASEC
-allow platform_app asec_apk_file:dir create_dir_perms;
-allow platform_app asec_apk_file:file create_file_perms;
-
-# Access to /data/media.
-allow platform_app media_rw_data_file:dir create_dir_perms;
-allow platform_app media_rw_data_file:file create_file_perms;
-
-# Write to /cache.
-allow platform_app cache_file:dir create_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-
-# Direct access to vold-mounted storage under /mnt/media_rw
-# This is a performance optimization that allows platform apps to bypass the FUSE layer
-allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app vfat:dir create_dir_perms;
-allow platform_app vfat:file create_file_perms;
-
-# com.android.systemui
-allow platform_app rootfs:dir getattr;
-
-allow platform_app audioserver_service:service_manager find;
-allow platform_app cameraserver_service:service_manager find;
-allow platform_app drmserver_service:service_manager find;
-allow platform_app mediaserver_service:service_manager find;
-allow platform_app mediametrics_service:service_manager find;
-allow platform_app mediaextractor_service:service_manager find;
-allow platform_app mediacodec_service:service_manager find;
-allow platform_app mediadrmserver_service:service_manager find;
-allow platform_app persistent_data_block_service:service_manager find;
-allow platform_app radio_service:service_manager find;
-allow platform_app surfaceflinger_service:service_manager find;
-allow platform_app timezone_service:service_manager find;
-allow platform_app app_api_service:service_manager find;
-allow platform_app system_api_service:service_manager find;
-allow platform_app vr_manager_service:service_manager find;
-
-# Access to /data/preloads
-allow platform_app preloads_data_file:file r_file_perms;
-allow platform_app preloads_data_file:dir r_dir_perms;
-allow platform_app preloads_media_file:file r_file_perms;
-allow platform_app preloads_media_file:dir r_dir_perms;
-
-read_runtime_log_tags(platform_app)
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as platform_app
-neverallow platform_app fuse_device:chr_file *;
diff --git a/prebuilts/api/27.0/private/policy_capabilities b/prebuilts/api/27.0/private/policy_capabilities
deleted file mode 100644
index ab55c15..0000000
--- a/prebuilts/api/27.0/private/policy_capabilities
+++ /dev/null
@@ -1,13 +0,0 @@
-# Enable new networking controls.
-policycap network_peer_controls;
-
-# Enable open permission check.
-policycap open_perms;
-
-# Enable separate security classes for
-# all network address families previously
-# mapped to the socket class and for
-# ICMP and SCTP sockets previously mapped
-# to the rawip_socket class.
-policycap extended_socket_class;
-
diff --git a/prebuilts/api/27.0/private/port_contexts b/prebuilts/api/27.0/private/port_contexts
deleted file mode 100644
index b473c0c..0000000
--- a/prebuilts/api/27.0/private/port_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# portcon statements go here, e.g.
-# portcon tcp 80 u:object_r:http_port:s0
-
diff --git a/prebuilts/api/27.0/private/postinstall.te b/prebuilts/api/27.0/private/postinstall.te
deleted file mode 100644
index 363e362..0000000
--- a/prebuilts/api/27.0/private/postinstall.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute postinstall coredomain;
-
-domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/prebuilts/api/27.0/private/postinstall_dexopt.te b/prebuilts/api/27.0/private/postinstall_dexopt.te
deleted file mode 100644
index ff5fe87..0000000
--- a/prebuilts/api/27.0/private/postinstall_dexopt.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute postinstall_dexopt coredomain;
-
-# Run dex2oat/patchoat in its own sandbox.
-# We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/prebuilts/api/27.0/private/ppp.te b/prebuilts/api/27.0/private/ppp.te
deleted file mode 100644
index 9b301f4..0000000
--- a/prebuilts/api/27.0/private/ppp.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute ppp coredomain;
-typeattribute ppp domain_deprecated;
-
-domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/prebuilts/api/27.0/private/preopt2cachename.te b/prebuilts/api/27.0/private/preopt2cachename.te
deleted file mode 100644
index d10f767..0000000
--- a/prebuilts/api/27.0/private/preopt2cachename.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute preopt2cachename coredomain;
diff --git a/prebuilts/api/27.0/private/priv_app.te b/prebuilts/api/27.0/private/priv_app.te
deleted file mode 100644
index 60fb411..0000000
--- a/prebuilts/api/27.0/private/priv_app.te
+++ /dev/null
@@ -1,159 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-
-typeattribute priv_app coredomain;
-app_domain(priv_app)
-
-# Access the network.
-net_domain(priv_app)
-# Access bluetooth.
-bluetooth_domain(priv_app)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
-create_pty(priv_app)
-
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow priv_app self:process ptrace;
-
-# Some apps ship with shared libraries that they write out
-# to their sandbox directory and then dlopen().
-allow priv_app app_data_file:file execute;
-
-allow priv_app audioserver_service:service_manager find;
-allow priv_app cameraserver_service:service_manager find;
-allow priv_app drmserver_service:service_manager find;
-allow priv_app mediacodec_service:service_manager find;
-allow priv_app mediametrics_service:service_manager find;
-allow priv_app mediadrmserver_service:service_manager find;
-allow priv_app mediaextractor_service:service_manager find;
-allow priv_app mediaserver_service:service_manager find;
-allow priv_app nfc_service:service_manager find;
-allow priv_app oem_lock_service:service_manager find;
-allow priv_app radio_service:service_manager find;
-allow priv_app surfaceflinger_service:service_manager find;
-allow priv_app app_api_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
-allow priv_app persistent_data_block_service:service_manager find;
-allow priv_app recovery_service:service_manager find;
-
-# Write to /cache.
-allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow priv_app cache_file:lnk_file r_file_perms;
-
-# Write to /data/ota_package for OTA packages.
-allow priv_app ota_package_file:dir rw_dir_perms;
-allow priv_app ota_package_file:file create_file_perms;
-
-# Access to /data/media.
-allow priv_app media_rw_data_file:dir create_dir_perms;
-allow priv_app media_rw_data_file:file create_file_perms;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow priv_app shell_data_file:file r_file_perms;
-allow priv_app shell_data_file:dir r_dir_perms;
-
-# Allow verifier to access staged apks.
-allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-
-# b/18504118: Allow reads from /data/anr/traces.txt
-allow priv_app anr_data_file:file r_file_perms;
-
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
- allow priv_app perfprofd_data_file:file r_file_perms;
- allow priv_app perfprofd_data_file:dir r_dir_perms;
-')
-
-# For AppFuse.
-allow priv_app vold:fd use;
-allow priv_app fuse_device:chr_file { read write };
-
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
-r_dir_file(priv_app, rootfs)
-
-# Allow GMS core to open kernel config for OTA matching through libvintf
-allow priv_app config_gz:file { open read getattr };
-
-# access the mac address
-allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-
-# Allow GMS core to communicate with update_engine for A/B update.
-binder_call(priv_app, update_engine)
-allow priv_app update_engine_service:service_manager find;
-
-# Allow GMS core to communicate with dumpsys storaged.
-binder_call(priv_app, storaged)
-allow priv_app storaged_service:service_manager find;
-
-# Allow Phone to read/write cached ringtones (opened by system).
-allow priv_app ringtone_file:file { getattr read write };
-
-# Access to /data/preloads
-allow priv_app preloads_data_file:file r_file_perms;
-allow priv_app preloads_data_file:dir r_dir_perms;
-allow priv_app preloads_media_file:file r_file_perms;
-allow priv_app preloads_media_file:dir r_dir_perms;
-
-# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
-allow priv_app keystore:keystore_key gen_unique_id;
-
-# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
-allow priv_app selinuxfs:file r_file_perms;
-
-read_runtime_log_tags(priv_app)
-
-# suppress denials when safetynet scans /system
-dontaudit priv_app exec_type:file getattr;
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow priv_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow priv_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
-
-# Do not allow privileged apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow priv_app service_manager_type:service_manager add;
-
-# Do not allow privileged apps to connect to the property service
-# or set properties. b/10243159
-neverallow priv_app property_socket:sock_file write;
-neverallow priv_app init:unix_stream_socket connectto;
-neverallow priv_app property_type:property_service set;
-
-# Do not allow priv_app to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and priv_app is allowed fork permission to itself.
-neverallow priv_app mlstrustedsubject:process fork;
-
-# Do not allow priv_app to hard link to any files.
-# In particular, if priv_app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure priv_app never has this
-# capability.
-neverallow priv_app file_type:file link;
diff --git a/prebuilts/api/27.0/private/profman.te b/prebuilts/api/27.0/private/profman.te
deleted file mode 100644
index f61d05e..0000000
--- a/prebuilts/api/27.0/private/profman.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute profman coredomain;
diff --git a/prebuilts/api/27.0/private/property_contexts b/prebuilts/api/27.0/private/property_contexts
deleted file mode 100644
index 8eb2f28..0000000
--- a/prebuilts/api/27.0/private/property_contexts
+++ /dev/null
@@ -1,114 +0,0 @@
-##########################
-# property service keys
-#
-#
-net.rmnet u:object_r:net_radio_prop:s0
-net.gprs u:object_r:net_radio_prop:s0
-net.ppp u:object_r:net_radio_prop:s0
-net.qmi u:object_r:net_radio_prop:s0
-net.lte u:object_r:net_radio_prop:s0
-net.cdma u:object_r:net_radio_prop:s0
-net.dns u:object_r:net_dns_prop:s0
-sys.usb.config u:object_r:system_radio_prop:s0
-ril. u:object_r:radio_prop:s0
-ro.ril. u:object_r:radio_prop:s0
-gsm. u:object_r:radio_prop:s0
-persist.radio u:object_r:radio_prop:s0
-
-net. u:object_r:system_prop:s0
-dev. u:object_r:system_prop:s0
-ro.runtime. u:object_r:system_prop:s0
-ro.runtime.firstboot u:object_r:firstboot_prop:s0
-hw. u:object_r:system_prop:s0
-ro.hw. u:object_r:system_prop:s0
-sys. u:object_r:system_prop:s0
-sys.cppreopt u:object_r:cppreopt_prop:s0
-sys.powerctl u:object_r:powerctl_prop:s0
-sys.usb.ffs. u:object_r:ffs_prop:s0
-service. u:object_r:system_prop:s0
-dhcp. u:object_r:dhcp_prop:s0
-dhcp.bt-pan.result u:object_r:pan_result_prop:s0
-bluetooth. u:object_r:bluetooth_prop:s0
-
-debug. u:object_r:debug_prop:s0
-debug.db. u:object_r:debuggerd_prop:s0
-dumpstate. u:object_r:dumpstate_prop:s0
-dumpstate.options u:object_r:dumpstate_options_prop:s0
-log. u:object_r:log_prop:s0
-log.tag u:object_r:log_tag_prop:s0
-log.tag.WifiHAL u:object_r:wifi_log_prop:s0
-security.perf_harden u:object_r:shell_prop:s0
-service.adb.root u:object_r:shell_prop:s0
-service.adb.tcp.port u:object_r:shell_prop:s0
-
-persist.audio. u:object_r:audio_prop:s0
-persist.bluetooth. u:object_r:bluetooth_prop:s0
-persist.debug. u:object_r:persist_debug_prop:s0
-persist.logd. u:object_r:logd_prop:s0
-persist.logd.security u:object_r:device_logging_prop:s0
-persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
-logd.logpersistd u:object_r:logpersistd_logging_prop:s0
-persist.log.tag u:object_r:log_tag_prop:s0
-persist.mmc. u:object_r:mmc_prop:s0
-persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
-persist.sys. u:object_r:system_prop:s0
-persist.sys.safemode u:object_r:safemode_prop:s0
-ro.sys.safemode u:object_r:safemode_prop:s0
-persist.sys.audit_safemode u:object_r:safemode_prop:s0
-persist.service. u:object_r:system_prop:s0
-persist.service.bdroid. u:object_r:bluetooth_prop:s0
-persist.security. u:object_r:system_prop:s0
-persist.vendor.overlay. u:object_r:overlay_prop:s0
-ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
-ro.boottime. u:object_r:boottime_prop:s0
-ro.serialno u:object_r:serialno_prop:s0
-ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
-ro.boot.serialno u:object_r:serialno_prop:s0
-ro.bt. u:object_r:bluetooth_prop:s0
-
-# Boolean property set by system server upon boot indicating
-# if device owner is provisioned.
-ro.device_owner u:object_r:device_logging_prop:s0
-
-# selinux non-persistent properties
-selinux.restorecon_recursive u:object_r:restorecon_prop:s0
-
-# default property context
-* u:object_r:default_prop:s0
-
-# data partition encryption properties
-vold. u:object_r:vold_prop:s0
-ro.crypto. u:object_r:vold_prop:s0
-
-# ro.build.fingerprint is either set in /system/build.prop, or is
-# set at runtime by system_server.
-ro.build.fingerprint u:object_r:fingerprint_prop:s0
-
-ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
-
-# ctl properties
-ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
-ctl.fuse_ u:object_r:ctl_fuse_prop:s0
-ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
-ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
-ctl.bugreport u:object_r:ctl_bugreport_prop:s0
-ctl.console u:object_r:ctl_console_prop:s0
-ctl. u:object_r:ctl_default_prop:s0
-
-# NFC properties
-nfc. u:object_r:nfc_prop:s0
-
-# These properties are not normally set by processes other than init.
-# They are only distinguished here for setting by qemu-props on the
-# emulator/goldfish.
-config. u:object_r:config_prop:s0
-ro.config. u:object_r:config_prop:s0
-dalvik. u:object_r:dalvik_prop:s0
-ro.dalvik. u:object_r:dalvik_prop:s0
-
-# Shared between system server and wificond
-wlan. u:object_r:wifi_prop:s0
-
-# hwservicemanager properties
-hwservicemanager. u:object_r:hwservicemanager_prop:s0
diff --git a/prebuilts/api/27.0/private/racoon.te b/prebuilts/api/27.0/private/racoon.te
deleted file mode 100644
index 42ea7c9..0000000
--- a/prebuilts/api/27.0/private/racoon.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute racoon coredomain;
-
-init_daemon_domain(racoon)
diff --git a/prebuilts/api/27.0/private/radio.te b/prebuilts/api/27.0/private/radio.te
deleted file mode 100644
index 83b5b41..0000000
--- a/prebuilts/api/27.0/private/radio.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute radio coredomain;
-typeattribute radio domain_deprecated;
-
-app_domain(radio)
-
-read_runtime_log_tags(radio)
diff --git a/prebuilts/api/27.0/private/recovery.te b/prebuilts/api/27.0/private/recovery.te
deleted file mode 100644
index b7b2847..0000000
--- a/prebuilts/api/27.0/private/recovery.te
+++ /dev/null
@@ -1,2 +0,0 @@
-typeattribute recovery coredomain;
-typeattribute recovery domain_deprecated;
diff --git a/prebuilts/api/27.0/private/recovery_persist.te b/prebuilts/api/27.0/private/recovery_persist.te
deleted file mode 100644
index 1fdd758..0000000
--- a/prebuilts/api/27.0/private/recovery_persist.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute recovery_persist coredomain;
-
-init_daemon_domain(recovery_persist)
-
-# recovery_persist is not allowed to write anywhere other than recovery_data_file
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/27.0/private/recovery_refresh.te b/prebuilts/api/27.0/private/recovery_refresh.te
deleted file mode 100644
index 327098d..0000000
--- a/prebuilts/api/27.0/private/recovery_refresh.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute recovery_refresh coredomain;
-
-init_daemon_domain(recovery_refresh)
-
-# recovery_refresh is not allowed to write anywhere
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/27.0/private/roles_decl b/prebuilts/api/27.0/private/roles_decl
deleted file mode 100644
index c84fcba..0000000
--- a/prebuilts/api/27.0/private/roles_decl
+++ /dev/null
@@ -1 +0,0 @@
-role r;
diff --git a/prebuilts/api/27.0/private/runas.te b/prebuilts/api/27.0/private/runas.te
deleted file mode 100644
index 73a91ff..0000000
--- a/prebuilts/api/27.0/private/runas.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute runas coredomain;
-typeattribute runas domain_deprecated;
-
-# ndk-gdb invokes adb shell run-as.
-domain_auto_trans(shell, runas_exec, runas)
diff --git a/prebuilts/api/27.0/private/sdcardd.te b/prebuilts/api/27.0/private/sdcardd.te
deleted file mode 100644
index ac6bb4e..0000000
--- a/prebuilts/api/27.0/private/sdcardd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute sdcardd coredomain;
-typeattribute sdcardd domain_deprecated;
-
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/prebuilts/api/27.0/private/seapp_contexts b/prebuilts/api/27.0/private/seapp_contexts
deleted file mode 100644
index a97fc70..0000000
--- a/prebuilts/api/27.0/private/seapp_contexts
+++ /dev/null
@@ -1,110 +0,0 @@
-# Input selectors:
-# isSystemServer (boolean)
-# isEphemeralApp (boolean)
-# isV2App (boolean)
-# isOwner (boolean)
-# user (string)
-# seinfo (string)
-# name (string)
-# path (string)
-# isPrivApp (boolean)
-# minTargetSdkVersion (unsigned integer)
-# isSystemServer=true can only be used once.
-# An unspecified isSystemServer defaults to false.
-# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
-# isV2App=true will match apps in the v2 app sandbox.
-# isOwner=true will only match for the owner/primary user.
-# isOwner=false will only match for secondary users.
-# If unspecified, the entry can match either case.
-# An unspecified string selector will match any value.
-# A user string selector that ends in * will perform a prefix match.
-# user=_app will match any regular app UID.
-# user=_isolated will match any isolated service UID.
-# isPrivApp=true will only match for applications preinstalled in
-# /system/priv-app.
-# minTargetSdkVersion will match applications with a targetSdkVersion
-# greater than or equal to the specified value. If unspecified,
-# it has a default value of 0.
-# All specified input selectors in an entry must match (i.e. logical AND).
-# Matching is case-insensitive.
-#
-# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
-# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
-# (3) Specified isV2App= before unspecified isV2App= boolean.
-# (4) Specified isOwner= before unspecified isOwner= boolean.
-# (5) Specified user= string before unspecified user= string.
-# (6) Fixed user= string before user= prefix (i.e. ending in *).
-# (7) Longer user= prefix before shorter user= prefix.
-# (8) Specified seinfo= string before unspecified seinfo= string.
-# ':' character is reserved and may not be used.
-# (9) Specified name= string before unspecified name= string.
-# (10) Specified path= string before unspecified path= string.
-# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
-# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
-# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
-#
-# Outputs:
-# domain (string)
-# type (string)
-# levelFrom (string; one of none, all, app, or user)
-# level (string)
-# Only entries that specify domain= will be used for app process labeling.
-# Only entries that specify type= will be used for app directory labeling.
-# levelFrom=user is only supported for _app or _isolated UIDs.
-# levelFrom=app or levelFrom=all is only supported for _app UIDs.
-# level may be used to specify a fixed level for any UID.
-#
-#
-# Neverallow Assertions
-# Additional compile time assertion checks can be added as well. The assertion
-# rules are lines beginning with the keyword neverallow. Full support for PCRE
-# regular expressions exists on all input and output selectors. Neverallow
-# rules are never output to the built seapp_contexts file. Like all keywords,
-# neverallows are case-insensitive. A neverallow is asserted when all key value
-# inputs are matched on a key value rule line.
-#
-
-# only the system server can be in system_server domain
-neverallow isSystemServer=false domain=system_server
-neverallow isSystemServer="" domain=system_server
-
-# system domains should never be assigned outside of system uid
-neverallow user=((?!system).)* domain=system_app
-neverallow user=((?!system).)* type=system_app_data_file
-
-# anything with a non-known uid with a specified name should have a specified seinfo
-neverallow user=_app name=.* seinfo=""
-neverallow user=_app name=.* seinfo=default
-
-# neverallow shared relro to any other domain
-# and neverallow any other uid into shared_relro
-neverallow user=shared_relro domain=((?!shared_relro).)*
-neverallow user=((?!shared_relro).)* domain=shared_relro
-
-# neverallow non-isolated uids into isolated_app domain
-# and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
-neverallow user=((?!_isolated).)* domain=isolated_app
-
-# uid shell should always be in shell domain, however non-shell
-# uid's can be in shell domain
-neverallow user=shell domain=((?!shell).)*
-
-# Ephemeral Apps must run in the ephemeral_app domain
-neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
-
-isSystemServer=true domain=system_server
-user=system seinfo=platform domain=system_app type=system_app_data_file
-user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=nfc seinfo=platform domain=nfc type=nfc_data_file
-user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell type=shell_data_file
-user=_isolated domain=isolated_app levelFrom=user
-user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
-user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
-user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
-user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/prebuilts/api/27.0/private/security_classes b/prebuilts/api/27.0/private/security_classes
deleted file mode 100644
index 2cfc768..0000000
--- a/prebuilts/api/27.0/private/security_classes
+++ /dev/null
@@ -1,145 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Capability checks when on a non-init user namespace
-class cap_userns
-class cap2_userns
-
-# New socket classes introduced by extended_socket_class policy capability.
-# These two were previously mapped to rawip_socket.
-class sctp_socket
-class icmp_socket
-# These were previously mapped to socket.
-class ax25_socket
-class ipx_socket
-class netrom_socket
-class atmpvc_socket
-class x25_socket
-class rose_socket
-class decnet_socket
-class atmsvc_socket
-class rds_socket
-class irda_socket
-class pppox_socket
-class llc_socket
-class can_socket
-class tipc_socket
-class bluetooth_socket
-class iucv_socket
-class rxrpc_socket
-class isdn_socket
-class phonet_socket
-class ieee802154_socket
-class caif_socket
-class alg_socket
-class nfc_socket
-class vsock_socket
-class kcm_socket
-class qipcrtr_socket
-class smc_socket
-
-# Property service
-class property_service # userspace
-
-# Service manager
-class service_manager # userspace
-
-# hardware service manager # userspace
-class hwservice_manager
-
-# Keystore Key
-class keystore_key # userspace
-
-class drmservice # userspace
-# FLASK
diff --git a/prebuilts/api/27.0/private/service_contexts b/prebuilts/api/27.0/private/service_contexts
deleted file mode 100644
index a82243f..0000000
--- a/prebuilts/api/27.0/private/service_contexts
+++ /dev/null
@@ -1,174 +0,0 @@
-accessibility u:object_r:accessibility_service:s0
-account u:object_r:account_service:s0
-activity u:object_r:activity_service:s0
-alarm u:object_r:alarm_service:s0
-android.os.UpdateEngineService u:object_r:update_engine_service:s0
-android.security.keystore u:object_r:keystore_service:s0
-android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
-appops u:object_r:appops_service:s0
-appwidget u:object_r:appwidget_service:s0
-assetatlas u:object_r:assetatlas_service:s0
-audio u:object_r:audio_service:s0
-autofill u:object_r:autofill_service:s0
-backup u:object_r:backup_service:s0
-batteryproperties u:object_r:batteryproperties_service:s0
-batterystats u:object_r:batterystats_service:s0
-battery u:object_r:battery_service:s0
-bluetooth_manager u:object_r:bluetooth_manager_service:s0
-bluetooth u:object_r:bluetooth_service:s0
-broadcastradio u:object_r:broadcastradio_service:s0
-carrier_config u:object_r:radio_service:s0
-clipboard u:object_r:clipboard_service:s0
-com.android.net.IProxyService u:object_r:IProxyService_service:s0
-commontime_management u:object_r:commontime_management_service:s0
-common_time.clock u:object_r:mediaserver_service:s0
-common_time.config u:object_r:mediaserver_service:s0
-companiondevice u:object_r:companion_device_service:s0
-connectivity u:object_r:connectivity_service:s0
-connmetrics u:object_r:connmetrics_service:s0
-consumer_ir u:object_r:consumer_ir_service:s0
-content u:object_r:content_service:s0
-contexthub u:object_r:contexthub_service:s0
-country_detector u:object_r:country_detector_service:s0
-coverage u:object_r:coverage_service:s0
-cpuinfo u:object_r:cpuinfo_service:s0
-dbinfo u:object_r:dbinfo_service:s0
-device_policy u:object_r:device_policy_service:s0
-device_identifiers u:object_r:device_identifiers_service:s0
-deviceidle u:object_r:deviceidle_service:s0
-devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
-diskstats u:object_r:diskstats_service:s0
-display.qservice u:object_r:surfaceflinger_service:s0
-display u:object_r:display_service:s0
-netd_listener u:object_r:netd_listener_service:s0
-DockObserver u:object_r:DockObserver_service:s0
-dreams u:object_r:dreams_service:s0
-drm.drmManager u:object_r:drmserver_service:s0
-dropbox u:object_r:dropbox_service:s0
-dumpstate u:object_r:dumpstate_service:s0
-econtroller u:object_r:radio_service:s0
-ethernet u:object_r:ethernet_service:s0
-fingerprint u:object_r:fingerprint_service:s0
-font u:object_r:font_service:s0
-android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
-gfxinfo u:object_r:gfxinfo_service:s0
-graphicsstats u:object_r:graphicsstats_service:s0
-gpu u:object_r:gpu_service:s0
-hardware u:object_r:hardware_service:s0
-hardware_properties u:object_r:hardware_properties_service:s0
-hdmi_control u:object_r:hdmi_control_service:s0
-incident u:object_r:incident_service:s0
-inputflinger u:object_r:inputflinger_service:s0
-input_method u:object_r:input_method_service:s0
-input u:object_r:input_service:s0
-installd u:object_r:installd_service:s0
-iphonesubinfo_msim u:object_r:radio_service:s0
-iphonesubinfo2 u:object_r:radio_service:s0
-iphonesubinfo u:object_r:radio_service:s0
-ims u:object_r:radio_service:s0
-imms u:object_r:imms_service:s0
-ipsec u:object_r:ipsec_service:s0
-isms_msim u:object_r:radio_service:s0
-isms2 u:object_r:radio_service:s0
-isms u:object_r:radio_service:s0
-isub u:object_r:radio_service:s0
-jobscheduler u:object_r:jobscheduler_service:s0
-launcherapps u:object_r:launcherapps_service:s0
-location u:object_r:location_service:s0
-lock_settings u:object_r:lock_settings_service:s0
-media.aaudio u:object_r:audioserver_service:s0
-media.audio_flinger u:object_r:audioserver_service:s0
-media.audio_policy u:object_r:audioserver_service:s0
-media.camera u:object_r:cameraserver_service:s0
-media.camera.proxy u:object_r:cameraproxy_service:s0
-media.log u:object_r:audioserver_service:s0
-media.player u:object_r:mediaserver_service:s0
-media.metrics u:object_r:mediametrics_service:s0
-media.extractor u:object_r:mediaextractor_service:s0
-media.codec u:object_r:mediacodec_service:s0
-media.resource_manager u:object_r:mediaserver_service:s0
-media.sound_trigger_hw u:object_r:audioserver_service:s0
-media.drm u:object_r:mediadrmserver_service:s0
-media_projection u:object_r:media_projection_service:s0
-media_resource_monitor u:object_r:media_session_service:s0
-media_router u:object_r:media_router_service:s0
-media_session u:object_r:media_session_service:s0
-meminfo u:object_r:meminfo_service:s0
-midi u:object_r:midi_service:s0
-mount u:object_r:mount_service:s0
-netd u:object_r:netd_service:s0
-netpolicy u:object_r:netpolicy_service:s0
-netstats u:object_r:netstats_service:s0
-network_management u:object_r:network_management_service:s0
-network_score u:object_r:network_score_service:s0
-network_time_update_service u:object_r:network_time_update_service:s0
-nfc u:object_r:nfc_service:s0
-notification u:object_r:notification_service:s0
-oem_lock u:object_r:oem_lock_service:s0
-otadexopt u:object_r:otadexopt_service:s0
-overlay u:object_r:overlay_service:s0
-package u:object_r:package_service:s0
-package_native u:object_r:package_native_service:s0
-permission u:object_r:permission_service:s0
-persistent_data_block u:object_r:persistent_data_block_service:s0
-phone_msim u:object_r:radio_service:s0
-phone1 u:object_r:radio_service:s0
-phone2 u:object_r:radio_service:s0
-phone u:object_r:radio_service:s0
-pinner u:object_r:pinner_service:s0
-power u:object_r:power_service:s0
-print u:object_r:print_service:s0
-processinfo u:object_r:processinfo_service:s0
-procstats u:object_r:procstats_service:s0
-radio.phonesubinfo u:object_r:radio_service:s0
-radio.phone u:object_r:radio_service:s0
-radio.sms u:object_r:radio_service:s0
-recovery u:object_r:recovery_service:s0
-restrictions u:object_r:restrictions_service:s0
-rttmanager u:object_r:rttmanager_service:s0
-samplingprofiler u:object_r:samplingprofiler_service:s0
-scheduling_policy u:object_r:scheduling_policy_service:s0
-search u:object_r:search_service:s0
-sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
-sensorservice u:object_r:sensorservice_service:s0
-serial u:object_r:serial_service:s0
-servicediscovery u:object_r:servicediscovery_service:s0
-settings u:object_r:settings_service:s0
-shortcut u:object_r:shortcut_service:s0
-simphonebook_msim u:object_r:radio_service:s0
-simphonebook2 u:object_r:radio_service:s0
-simphonebook u:object_r:radio_service:s0
-sip u:object_r:radio_service:s0
-soundtrigger u:object_r:voiceinteraction_service:s0
-statusbar u:object_r:statusbar_service:s0
-storaged u:object_r:storaged_service:s0
-storagestats u:object_r:storagestats_service:s0
-SurfaceFlinger u:object_r:surfaceflinger_service:s0
-task u:object_r:task_service:s0
-telecom u:object_r:telecom_service:s0
-telephony.registry u:object_r:registry_service:s0
-textclassification u:object_r:textclassification_service:s0
-textservices u:object_r:textservices_service:s0
-timezone u:object_r:timezone_service:s0
-thermalservice u:object_r:thermal_service:s0
-trust u:object_r:trust_service:s0
-tv_input u:object_r:tv_input_service:s0
-uimode u:object_r:uimode_service:s0
-updatelock u:object_r:updatelock_service:s0
-usagestats u:object_r:usagestats_service:s0
-usb u:object_r:usb_service:s0
-user u:object_r:user_service:s0
-vibrator u:object_r:vibrator_service:s0
-virtual_touchpad u:object_r:virtual_touchpad_service:s0
-voiceinteraction u:object_r:voiceinteraction_service:s0
-vr_hwc u:object_r:vr_hwc_service:s0
-vrmanager u:object_r:vr_manager_service:s0
-wallpaper u:object_r:wallpaper_service:s0
-webviewupdate u:object_r:webviewupdate_service:s0
-wifip2p u:object_r:wifip2p_service:s0
-wifiscanner u:object_r:wifiscanner_service:s0
-wifi u:object_r:wifi_service:s0
-wificond u:object_r:wificond_service:s0
-wifiaware u:object_r:wifiaware_service:s0
-window u:object_r:window_service:s0
-* u:object_r:default_android_service:s0
diff --git a/prebuilts/api/27.0/private/servicemanager.te b/prebuilts/api/27.0/private/servicemanager.te
deleted file mode 100644
index 9f675a2..0000000
--- a/prebuilts/api/27.0/private/servicemanager.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute servicemanager coredomain;
-
-init_daemon_domain(servicemanager)
-
-read_runtime_log_tags(servicemanager)
diff --git a/prebuilts/api/27.0/private/sgdisk.te b/prebuilts/api/27.0/private/sgdisk.te
deleted file mode 100644
index a17342e..0000000
--- a/prebuilts/api/27.0/private/sgdisk.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute sgdisk coredomain;
diff --git a/prebuilts/api/27.0/private/shared_relro.te b/prebuilts/api/27.0/private/shared_relro.te
deleted file mode 100644
index 8d06294..0000000
--- a/prebuilts/api/27.0/private/shared_relro.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute shared_relro coredomain;
-typeattribute shared_relro domain_deprecated;
-
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
diff --git a/prebuilts/api/27.0/private/shell.te b/prebuilts/api/27.0/private/shell.te
deleted file mode 100644
index 5299532..0000000
--- a/prebuilts/api/27.0/private/shell.te
+++ /dev/null
@@ -1,28 +0,0 @@
-typeattribute shell coredomain;
-
-# allow shell input injection
-allow shell uhid_device:chr_file rw_file_perms;
-
-# systrace support - allow atrace to run
-allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file rw_file_perms;
-allow shell debugfs_trace_marker:file getattr;
-allow shell atrace_exec:file rx_file_perms;
-
-# read config.gz for CTS purposes
-allow shell config_gz:file r_file_perms;
-
-userdebug_or_eng(`
- allow shell debugfs_tracing_debug:file rw_file_perms;
-')
-
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
-# allow shell to call dumpsys storaged
-binder_call(shell, storaged)
-
-# Perform SELinux access checks, needed for CTS
-selinux_check_access(shell)
-selinux_check_context(shell)
diff --git a/prebuilts/api/27.0/private/slideshow.te b/prebuilts/api/27.0/private/slideshow.te
deleted file mode 100644
index 7dfa994..0000000
--- a/prebuilts/api/27.0/private/slideshow.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute slideshow coredomain;
diff --git a/prebuilts/api/27.0/private/storaged.te b/prebuilts/api/27.0/private/storaged.te
deleted file mode 100644
index 20377e0..0000000
--- a/prebuilts/api/27.0/private/storaged.te
+++ /dev/null
@@ -1,57 +0,0 @@
-# storaged daemon
-type storaged, domain, coredomain, mlstrustedsubject;
-type storaged_exec, exec_type, file_type;
-
-init_daemon_domain(storaged)
-
-# Read access to pseudo filesystems
-r_dir_file(storaged, sysfs_type)
-r_dir_file(storaged, proc_net)
-r_dir_file(storaged, domain)
-
-# Read /proc/uid_io/stats
-allow storaged proc_uid_io_stats:file r_file_perms;
-
-# Read /data/system/packages.list
-allow storaged system_data_file:file r_file_perms;
-
-userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
-')
-
-# Needed to provide debug dump output via dumpsys pipes.
-allow storaged shell:fd use;
-allow storaged shell:fifo_file write;
-
-# Needed for GMScore to call dumpsys storaged
-allow storaged priv_app:fd use;
-allow storaged app_data_file:file write;
-allow storaged permission_service:service_manager find;
-
-# Binder permissions
-add_service(storaged, storaged_service)
-
-binder_use(storaged)
-binder_call(storaged, system_server)
-
-# use batteryproperties service
-allow storaged batteryproperties_service:service_manager find;
-binder_call(storaged, healthd)
-
-# Implements a dumpsys interface.
-allow storaged dumpstate:fd use;
-
-# use a subset of the package manager service
-allow storaged package_native_service:service_manager find;
-
-# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
-# running as root. See b/35323867 #3.
-dontaudit storaged self:capability dac_override;
-
-###
-### neverallow
-###
-neverallow storaged domain:process ptrace;
-neverallow storaged self:capability_class_set *;
diff --git a/prebuilts/api/27.0/private/su.te b/prebuilts/api/27.0/private/su.te
deleted file mode 100644
index d42bf61..0000000
--- a/prebuilts/api/27.0/private/su.te
+++ /dev/null
@@ -1,20 +0,0 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
-
- domain_auto_trans(shell, su_exec, su)
- # Allow dumpstate to call su on userdebug / eng builds to collect
- # additional information.
- domain_auto_trans(dumpstate, su_exec, su)
-
- # Make sure that dumpstate runs the same from the "su" domain as
- # from the "init" domain.
- domain_auto_trans(su, dumpstate_exec, dumpstate)
-
- # Put the incident command into its domain so it is the same on user, userdebug and eng.
- domain_auto_trans(su, incident_exec, incident)
-
-# su is also permissive to permit setenforce.
- permissive su;
-
- app_domain(su)
-')
diff --git a/prebuilts/api/27.0/private/surfaceflinger.te b/prebuilts/api/27.0/private/surfaceflinger.te
deleted file mode 100644
index b33035e..0000000
--- a/prebuilts/api/27.0/private/surfaceflinger.te
+++ /dev/null
@@ -1,109 +0,0 @@
-# surfaceflinger - display compositor service
-
-typeattribute surfaceflinger coredomain;
-
-type surfaceflinger_exec, exec_type, file_type;
-init_daemon_domain(surfaceflinger)
-
-typeattribute surfaceflinger mlstrustedsubject;
-typeattribute surfaceflinger display_service_server;
-
-read_runtime_log_tags(surfaceflinger)
-
-# Perform HwBinder IPC.
-hal_client_domain(surfaceflinger, hal_graphics_allocator)
-hal_client_domain(surfaceflinger, hal_graphics_composer)
-hal_client_domain(surfaceflinger, hal_configstore)
-allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
-
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, appdomain)
-binder_call(surfaceflinger, bootanim)
-binder_service(surfaceflinger)
-
-# Binder IPC to bu, presently runs in adbd domain.
-binder_call(surfaceflinger, adbd)
-
-# Read /proc/pid files for Binder clients.
-r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, appdomain)
-
-# Access the GPU.
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file rw_file_perms;
-
-# Access /dev/video1.
-allow surfaceflinger video_device:dir r_dir_perms;
-allow surfaceflinger video_device:chr_file rw_file_perms;
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Set properties.
-set_prop(surfaceflinger, system_prop)
-set_prop(surfaceflinger, ctl_bootanim_prop)
-
-# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger app_data_file:file { read write };
-
-# Use socket supplied by adbd, for cmd gpu vkjson etc.
-allow surfaceflinger adbd:unix_stream_socket { read write getattr };
-
-# Allow a dumpstate triggered screenshot
-binder_call(surfaceflinger, dumpstate)
-binder_call(surfaceflinger, shell)
-r_dir_file(surfaceflinger, dumpstate)
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-allow surfaceflinger tee_device:chr_file rw_file_perms;
-
-
-# media.player service
-add_service(surfaceflinger, gpu_service)
-
-# do not use add_service() as hal_graphics_composer_default may be the
-# provider as well
-#add_service(surfaceflinger, surfaceflinger_service)
-allow surfaceflinger surfaceflinger_service:service_manager { add find };
-
-allow surfaceflinger mediaserver_service:service_manager find;
-allow surfaceflinger permission_service:service_manager find;
-allow surfaceflinger power_service:service_manager find;
-allow surfaceflinger vr_manager_service:service_manager find;
-allow surfaceflinger window_service:service_manager find;
-
-
-# allow self to set SCHED_FIFO
-allow surfaceflinger self:capability sys_nice;
-allow surfaceflinger proc_meminfo:file r_file_perms;
-r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, sysfs_type)
-r_dir_file(surfaceflinger, system_file)
-allow surfaceflinger tmpfs:dir r_dir_perms;
-allow surfaceflinger system_server:fd use;
-allow surfaceflinger ion_device:chr_file r_file_perms;
-
-# pdx IPC
-pdx_server(surfaceflinger, display_client)
-pdx_server(surfaceflinger, display_manager)
-pdx_server(surfaceflinger, display_screenshot)
-pdx_server(surfaceflinger, display_vsync)
-
-pdx_client(surfaceflinger, bufferhub_client)
-pdx_client(surfaceflinger, performance_client)
-
-###
-### Neverallow rules
-###
-### surfaceflinger should NEVER do any of this
-
-# Do not allow accessing SDcard files as unsafe ejection could
-# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
diff --git a/prebuilts/api/27.0/private/system_app.te b/prebuilts/api/27.0/private/system_app.te
deleted file mode 100644
index 4741479..0000000
--- a/prebuilts/api/27.0/private/system_app.te
+++ /dev/null
@@ -1,95 +0,0 @@
-###
-### Apps that run with the system UID, e.g. com.android.system.ui,
-### com.android.settings. These are not as privileged as the system
-### server.
-###
-
-typeattribute system_app coredomain;
-typeattribute system_app domain_deprecated;
-
-app_domain(system_app)
-net_domain(system_app)
-binder_service(system_app)
-
-# android.ui and system.ui
-allow system_app rootfs:dir getattr;
-
-# Read and write /data/data subdirectory.
-allow system_app system_app_data_file:dir create_dir_perms;
-allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
-
-# Read and write to /data/misc/user.
-allow system_app misc_user_data_file:dir create_dir_perms;
-allow system_app misc_user_data_file:file create_file_perms;
-
-# Access to vold-mounted storage for measuring free space
-allow system_app mnt_media_rw_file:dir search;
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file r_file_perms;
-
-# Read icon file.
-allow system_app icon_file:file r_file_perms;
-
-# Write to properties
-set_prop(system_app, bluetooth_prop)
-set_prop(system_app, debug_prop)
-set_prop(system_app, system_prop)
-set_prop(system_app, logd_prop)
-set_prop(system_app, net_radio_prop)
-set_prop(system_app, system_radio_prop)
-set_prop(system_app, log_tag_prop)
-userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
-auditallow system_app net_radio_prop:property_service set;
-auditallow system_app system_radio_prop:property_service set;
-
-# ctl interface
-set_prop(system_app, ctl_default_prop)
-set_prop(system_app, ctl_bugreport_prop)
-
-# Create /data/anr/traces.txt.
-allow system_app anr_data_file:dir ra_dir_perms;
-allow system_app anr_data_file:file create_file_perms;
-
-# Settings need to access app name and icon from asec
-allow system_app asec_apk_file:file r_file_perms;
-
-# Allow system apps to interact with incidentd
-binder_call(system_app, incidentd)
-
-allow system_app servicemanager:service_manager list;
-# TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
-
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
-# /sys access
-r_dir_file(system_app, sysfs_type)
-
-control_logd(system_app)
-read_runtime_log_tags(system_app)
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as system_app
-neverallow system_app fuse_device:chr_file *;
diff --git a/prebuilts/api/27.0/private/system_server.te b/prebuilts/api/27.0/private/system_server.te
deleted file mode 100644
index 3a5b53b..0000000
--- a/prebuilts/api/27.0/private/system_server.te
+++ /dev/null
@@ -1,771 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-
-typeattribute system_server coredomain;
-typeattribute system_server domain_deprecated;
-typeattribute system_server mlstrustedsubject;
-
-# Define a type for tmpfs-backed ashmem regions.
-tmpfs_domain(system_server)
-
-# Create a socket for connections from crash_dump.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
-
-allow system_server zygote_tmpfs:file read;
-
-# For art.
-allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file r_file_perms;
-
-# When running system server under --invoke-with, we'll try to load the boot image under the
-# system server domain, following links to the system partition.
-with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
-
-# /data/resource-cache
-allow system_server resourcecache_data_file:file r_file_perms;
-allow system_server resourcecache_data_file:dir r_dir_perms;
-
-# ptrace to processes in the same domain for debugging crashes.
-allow system_server self:process ptrace;
-
-# Read and delete last_reboot_reason file
-allow system_server reboot_data_file:file { rename r_file_perms unlink };
-allow system_server reboot_data_file:dir { write search open remove_name };
-
-# Child of the zygote.
-allow system_server zygote:fd use;
-allow system_server zygote:process sigchld;
-
-# May kill zygote on crashes.
-allow system_server zygote:process sigkill;
-allow system_server crash_dump:process sigkill;
-
-# Read /system/bin/app_process.
-allow system_server zygote_exec:file r_file_perms;
-
-# Needed to close the zygote socket, which involves getopt / getattr
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
-# system server gets network and bluetooth permissions.
-net_domain(system_server)
-# in addition to ioctls allowlisted for all domains, also allow system_server
-# to use privileged ioctls commands. Needed to set up VPNs.
-allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
-bluetooth_domain(system_server)
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-allow system_server self:capability {
- ipc_lock
- kill
- net_admin
- net_bind_service
- net_broadcast
- net_raw
- sys_boot
- sys_nice
- sys_ptrace
- sys_time
- sys_tty_config
-};
-
-wakelock_use(system_server)
-
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
-# Allow alarmtimers to be set
-allow system_server self:capability2 wake_alarm;
-
-# Create and share netlink_netfilter_sockets for tetheroffload.
-allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-
-# Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Use generic netlink sockets.
-allow system_server self:netlink_socket create_socket_perms_no_ioctl;
-allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# libvintf reads the kernel config to verify vendor interface compatibility.
-allow system_server config_gz:file { read open };
-
-# Use generic "sockets" where the address family is not known
-# to the kernel. The ioctl permission is specifically omitted here, but may
-# be added to device specific policy along with the ioctl commands to be
-# allowlisted.
-allow system_server self:socket create_socket_perms_no_ioctl;
-
-# Set and get routes directly via netlink.
-allow system_server self:netlink_route_socket nlmsg_write;
-
-# Kill apps.
-allow system_server appdomain:process { getpgid sigkill signal };
-
-# Set scheduling info for apps.
-allow system_server appdomain:process { getsched setsched };
-allow system_server audioserver:process { getsched setsched };
-allow system_server hal_audio:process { getsched setsched };
-allow system_server hal_bluetooth:process { getsched setsched };
-allow system_server cameraserver:process { getsched setsched };
-allow system_server hal_camera:process { getsched setsched };
-allow system_server mediaserver:process { getsched setsched };
-allow system_server bootanim:process { getsched setsched };
-
-# Allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns
-allow system_server cameraserver:file w_file_perms;
-
-# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
-# within system_server to keep track of memory and CPU usage for
-# all processes on the device. In addition, /proc/pid files access is needed
-# for dumping stack traces of native processes.
-r_dir_file(system_server, domain)
-
-# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
-allow system_server qtaguid_proc:file rw_file_perms;
-allow system_server qtaguid_device:chr_file rw_file_perms;
-
-# Read /proc/uid_cputime/show_uid_stat.
-allow system_server proc_uid_cputime_showstat:file r_file_perms;
-
-# Write /proc/uid_cputime/remove_uid_range.
-allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
-
-# Write /proc/uid_procstat/set.
-allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
-
-# Read /proc/uid_time_in_state.
-allow system_server proc_uid_time_in_state:file r_file_perms;
-
-# Write to /proc/sysrq-trigger.
-allow system_server proc_sysrq:file rw_file_perms;
-
-# Read /proc/stat for CPU usage statistics
-allow system_server proc_stat:file r_file_perms;
-
-# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-
-# The DhcpClient and WifiWatchdog use packet_sockets
-allow system_server self:packet_socket create_socket_perms_no_ioctl;
-
-# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
-# as raw sockets, but the kernel doesn't yet distinguish between the two.
-allow system_server node:rawip_socket node_bind;
-
-# 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create_socket_perms_no_ioctl;
-
-# Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, netd, netd)
-unix_socket_connect(system_server, vold, vold)
-unix_socket_connect(system_server, webview_zygote, webview_zygote)
-unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
-unix_socket_connect(system_server, uncrypt, uncrypt)
-
-# Communicate over a socket created by surfaceflinger.
-allow system_server surfaceflinger:unix_stream_socket { read write setopt };
-
-# Perform Binder IPC.
-binder_use(system_server)
-binder_call(system_server, appdomain)
-binder_call(system_server, binderservicedomain)
-binder_call(system_server, dumpstate)
-binder_call(system_server, fingerprintd)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, installd)
-binder_call(system_server, incidentd)
-binder_call(system_server, netd)
-binder_call(system_server, wificond)
-binder_service(system_server)
-
-# Use HALs
-hal_client_domain(system_server, hal_allocator)
-hal_client_domain(system_server, hal_broadcastradio)
-hal_client_domain(system_server, hal_configstore)
-hal_client_domain(system_server, hal_contexthub)
-hal_client_domain(system_server, hal_fingerprint)
-hal_client_domain(system_server, hal_gnss)
-hal_client_domain(system_server, hal_graphics_allocator)
-hal_client_domain(system_server, hal_ir)
-hal_client_domain(system_server, hal_light)
-hal_client_domain(system_server, hal_memtrack)
-hal_client_domain(system_server, hal_neuralnetworks)
-hal_client_domain(system_server, hal_oemlock)
-allow system_server hal_omx_hwservice:hwservice_manager find;
-allow system_server hidl_token_hwservice:hwservice_manager find;
-hal_client_domain(system_server, hal_power)
-hal_client_domain(system_server, hal_sensors)
-hal_client_domain(system_server, hal_tetheroffload)
-hal_client_domain(system_server, hal_thermal)
-hal_client_domain(system_server, hal_tv_cec)
-hal_client_domain(system_server, hal_tv_input)
-hal_client_domain(system_server, hal_usb)
-hal_client_domain(system_server, hal_vibrator)
-hal_client_domain(system_server, hal_vr)
-hal_client_domain(system_server, hal_weaver)
-hal_client_domain(system_server, hal_wifi)
-hal_client_domain(system_server, hal_wifi_offload)
-hal_client_domain(system_server, hal_wifi_supplicant)
-
-binder_call(system_server, mediacodec)
-
-# Talk with graphics composer fences
-allow system_server hal_graphics_composer:fd use;
-
-# Use RenderScript always-passthrough HAL
-allow system_server hal_renderscript_hwservice:hwservice_manager find;
-
-# Offer HwBinder services
-add_hwservice(system_server, fwk_scheduler_hwservice)
-add_hwservice(system_server, fwk_sensor_hwservice)
-
-# Talk to tombstoned to get ANR traces.
-unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
-
-# List HAL interfaces to get ANR traces.
-allow system_server hwservicemanager:hwservice_manager list;
-
-# Send signals to trigger ANR traces.
-allow system_server {
- # This is derived from the list that system server defines as interesting native processes
- # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediadrmserver
- mediaextractor
- mediaserver
- mediametrics
- sdcardd
- surfaceflinger
-
- # This list comes from HAL_INTERFACES_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_graphics_composer_server
- hal_sensors_server
- hal_vr_server
- mediacodec # TODO(b/36375899): hal_omx_server
-}:process { signal };
-
-# Use sockets received over binder from various services.
-allow system_server audioserver:tcp_socket rw_socket_perms;
-allow system_server audioserver:udp_socket rw_socket_perms;
-allow system_server mediaserver:tcp_socket rw_socket_perms;
-allow system_server mediaserver:udp_socket rw_socket_perms;
-
-# Use sockets received over binder from various services.
-allow system_server mediadrmserver:tcp_socket rw_socket_perms;
-allow system_server mediadrmserver:udp_socket rw_socket_perms;
-
-# Get file context
-allow system_server file_contexts_file:file r_file_perms;
-# access for mac_permissions
-allow system_server mac_perms_file: file r_file_perms;
-# Check SELinux permissions.
-selinux_check_access(system_server)
-
-# XXX Label sysfs files with a specific type?
-allow system_server sysfs:file rw_file_perms;
-allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_devices_system_cpu:file w_file_perms;
-allow system_server sysfs_mac_address:file r_file_perms;
-allow system_server sysfs_thermal:dir search;
-allow system_server sysfs_thermal:file r_file_perms;
-
-# TODO: Remove when HALs are forced into separate processes
-allow system_server sysfs_vibrator:file { write append };
-
-# TODO: added to match above sysfs rule. Remove me?
-allow system_server sysfs_usb:file w_file_perms;
-
-# Access devices.
-allow system_server device:dir r_dir_perms;
-allow system_server mdns_socket:sock_file rw_file_perms;
-allow system_server alarm_device:chr_file rw_file_perms;
-allow system_server gpu_device:chr_file rw_file_perms;
-allow system_server iio_device:chr_file rw_file_perms;
-allow system_server input_device:dir r_dir_perms;
-allow system_server input_device:chr_file rw_file_perms;
-allow system_server radio_device:chr_file r_file_perms;
-allow system_server tty_device:chr_file rw_file_perms;
-allow system_server usbaccessory_device:chr_file rw_file_perms;
-allow system_server video_device:dir r_dir_perms;
-allow system_server video_device:chr_file rw_file_perms;
-allow system_server adbd_socket:sock_file rw_file_perms;
-allow system_server rtc_device:chr_file rw_file_perms;
-allow system_server audio_device:dir r_dir_perms;
-
-# write access needed for MIDI
-allow system_server audio_device:chr_file rw_file_perms;
-
-# tun device used for 3rd party vpn apps
-allow system_server tun_device:chr_file rw_file_perms;
-
-# Manage system data files.
-allow system_server system_data_file:dir create_dir_perms;
-allow system_server system_data_file:notdevfile_class_set create_file_perms;
-allow system_server keychain_data_file:dir create_dir_perms;
-allow system_server keychain_data_file:file create_file_perms;
-allow system_server keychain_data_file:lnk_file create_file_perms;
-
-# Manage /data/app.
-allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
-allow system_server apk_tmp_file:dir create_dir_perms;
-allow system_server apk_tmp_file:file create_file_perms;
-
-# Access /vendor/app
-r_dir_file(system_server, vendor_app_file)
-
-# Access /vendor/app
-r_dir_file(system_server, vendor_overlay_file)
-
-# Manage /data/app-private.
-allow system_server apk_private_data_file:dir create_dir_perms;
-allow system_server apk_private_data_file:file create_file_perms;
-allow system_server apk_private_tmp_file:dir create_dir_perms;
-allow system_server apk_private_tmp_file:file create_file_perms;
-
-# Manage files within asec containers.
-allow system_server asec_apk_file:dir create_dir_perms;
-allow system_server asec_apk_file:file create_file_perms;
-allow system_server asec_public_file:file create_file_perms;
-
-# Manage /data/anr.
-#
-# TODO: Some of these permissions can be withdrawn once we've switched to the
-# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
-# the system_server should never need to create a new anr_data_file:file or write
-# to one, but it will still need to read and append to existing files.
-allow system_server anr_data_file:dir create_dir_perms;
-allow system_server anr_data_file:file create_file_perms;
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow system_server to connect and write to the tombstoned java trace socket in
-# order to dump its traces. Also allow the system server to write its traces to
-# dumpstate during bugreport capture.
-unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
-allow system_server tombstoned:fd use;
-allow system_server dumpstate:fifo_file append;
-
-# Read /data/misc/incidents - only read. The fd will be sent over binder,
-# with no DAC access to it, for dropbox to read.
-allow system_server incident_data_file:file read;
-
-# Manage /data/backup.
-allow system_server backup_data_file:dir create_dir_perms;
-allow system_server backup_data_file:file create_file_perms;
-
-# Write to /data/system/heapdump
-allow system_server heapdump_data_file:dir rw_dir_perms;
-allow system_server heapdump_data_file:file create_file_perms;
-
-# Manage /data/misc/adb.
-allow system_server adb_keys_file:dir create_dir_perms;
-allow system_server adb_keys_file:file create_file_perms;
-
-# Manage /data/misc/sms.
-# TODO: Split into a separate type?
-allow system_server radio_data_file:dir create_dir_perms;
-allow system_server radio_data_file:file create_file_perms;
-
-# Manage /data/misc/systemkeys.
-allow system_server systemkeys_data_file:dir create_dir_perms;
-allow system_server systemkeys_data_file:file create_file_perms;
-
-# Manage /data/misc/textclassifier.
-allow system_server textclassifier_data_file:dir create_dir_perms;
-allow system_server textclassifier_data_file:file create_file_perms;
-
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Manage /data/misc/vpn.
-allow system_server vpn_data_file:dir create_dir_perms;
-allow system_server vpn_data_file:file create_file_perms;
-
-# Manage /data/misc/wifi.
-allow system_server wifi_data_file:dir create_dir_perms;
-allow system_server wifi_data_file:file create_file_perms;
-
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
-# Walk /data/data subdirectories.
-# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
-# Also permit for unlabeled /data/data subdirectories and
-# for unlabeled asec containers on upgrades from 4.2.
-allow system_server unlabeled:dir r_dir_perms;
-# Read pkg.apk file before it has been relabeled by vold.
-allow system_server unlabeled:file r_file_perms;
-
-# Populate com.android.providers.settings/databases/settings.db.
-allow system_server system_app_data_file:dir create_dir_perms;
-allow system_server system_app_data_file:file create_file_perms;
-
-# Receive and use open app data files passed over binder IPC.
-# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
-
-# Access to /data/media for measuring disk usage.
-allow system_server media_rw_data_file:dir { search getattr open read };
-
-# Receive and use open /data/media files passed over binder IPC.
-# Also used for measuring disk usage.
-allow system_server media_rw_data_file:file { getattr read write append };
-
-# Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
-
-# Relabel wallpaper.
-allow system_server system_data_file:file relabelfrom;
-allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file { rw_file_perms rename unlink };
-
-# Backup of wallpaper imagery uses temporary hard links to avoid data churn
-allow system_server { system_data_file wallpaper_file }:file link;
-
-# ShortcutManager icons
-allow system_server system_data_file:dir relabelfrom;
-allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
-allow system_server shortcut_manager_icons:file create_file_perms;
-
-# Manage ringtones.
-allow system_server ringtone_file:dir { create_dir_perms relabelto };
-allow system_server ringtone_file:file create_file_perms;
-
-# Relabel icon file.
-allow system_server icon_file:file relabelto;
-allow system_server icon_file:file { rw_file_perms unlink };
-
-# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
-allow system_server system_data_file:dir relabelfrom;
-
-# Property Service write
-set_prop(system_server, system_prop)
-set_prop(system_server, safemode_prop)
-set_prop(system_server, dhcp_prop)
-set_prop(system_server, net_radio_prop)
-set_prop(system_server, net_dns_prop)
-set_prop(system_server, system_radio_prop)
-set_prop(system_server, debug_prop)
-set_prop(system_server, powerctl_prop)
-set_prop(system_server, fingerprint_prop)
-set_prop(system_server, device_logging_prop)
-set_prop(system_server, dumpstate_options_prop)
-set_prop(system_server, overlay_prop)
-userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
-
-# ctl interface
-set_prop(system_server, ctl_default_prop)
-set_prop(system_server, ctl_bugreport_prop)
-
-# cppreopt property
-set_prop(system_server, cppreopt_prop)
-
-# Collect metrics on boot time created by init
-get_prop(system_server, boottime_prop)
-
-# Read device's serial number from system properties
-get_prop(system_server, serialno_prop)
-
-# Read/write the property which keeps track of whether this is the first start of system_server
-set_prop(system_server, firstboot_prop)
-
-# Create a socket for connections from debuggerd.
-allow system_server system_ndebug_socket:sock_file create_file_perms;
-
-# Manage cache files.
-allow system_server cache_file:lnk_file r_file_perms;
-allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
-allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
-allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
-
-allow system_server system_file:dir r_dir_perms;
-allow system_server system_file:lnk_file r_file_perms;
-
-# LocationManager(e.g, GPS) needs to read and write
-# to uart driver and ctrl proc entry
-allow system_server gps_control:file rw_file_perms;
-
-# Allow system_server to use app-created sockets and pipes.
-allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
-
-# BackupManagerService needs to manipulate backup data files
-allow system_server cache_backup_file:dir rw_dir_perms;
-allow system_server cache_backup_file:file create_file_perms;
-# LocalTransport works inside /cache/backup
-allow system_server cache_private_backup_file:dir create_dir_perms;
-allow system_server cache_private_backup_file:file create_file_perms;
-
-# Allow system to talk to usb device
-allow system_server usb_device:chr_file rw_file_perms;
-allow system_server usb_device:dir r_dir_perms;
-
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
-# Read and delete files under /dev/fscklogs.
-r_dir_file(system_server, fscklogs)
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
-
-# logd access, system_server inherit logd write socket
-# (urge is to deprecate this long term)
-allow system_server zygote:unix_dgram_socket write;
-
-# Read from log daemon.
-read_logd(system_server)
-read_runtime_log_tags(system_server)
-
-# Be consistent with DAC permissions. Allow system_server to write to
-# /sys/module/lowmemorykiller/parameters/adj
-# /sys/module/lowmemorykiller/parameters/minfree
-allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow system_server pstorefs:dir r_dir_perms;
-allow system_server pstorefs:file r_file_perms;
-
-# /sys access
-allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
-
-add_service(system_server, system_server_service);
-allow system_server audioserver_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server cameraserver_service:service_manager find;
-allow system_server drmserver_service:service_manager find;
-allow system_server dumpstate_service:service_manager find;
-allow system_server fingerprintd_service:service_manager find;
-allow system_server hal_fingerprint_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
-allow system_server incident_service:service_manager find;
-allow system_server installd_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server mediaserver_service:service_manager find;
-allow system_server mediametrics_service:service_manager find;
-allow system_server mediaextractor_service:service_manager find;
-allow system_server mediacodec_service:service_manager find;
-allow system_server mediadrmserver_service:service_manager find;
-allow system_server netd_service:service_manager find;
-allow system_server nfc_service:service_manager find;
-allow system_server radio_service:service_manager find;
-allow system_server surfaceflinger_service:service_manager find;
-allow system_server wificond_service:service_manager find;
-
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
-# Allow system server to search and write to the persistent factory reset
-# protection partition. This block device does not get wiped in a factory reset.
-allow system_server block_device:dir search;
-allow system_server frp_block_device:blk_file rw_file_perms;
-
-# Clean up old cgroups
-allow system_server cgroup:dir { remove_name rmdir };
-
-# /oem access
-r_dir_file(system_server, oemfs)
-
-# Allow resolving per-user storage symlinks
-allow system_server { mnt_user_file storage_file }:dir { getattr search };
-allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
-
-# Allow statfs() on storage devices, which happens fast enough that
-# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
-
-# Traverse into expanded storage
-allow system_server mnt_expand_file:dir r_dir_perms;
-
-# Allow system process to relabel the fingerprint directory after mkdir
-# and delete the directory and files when no longer needed
-allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
-allow system_server fingerprintd_data_file:file { getattr unlink };
-
-# Allow system process to read network MAC address
-allow system_server sysfs_mac_address:file r_file_perms;
-
-userdebug_or_eng(`
- # Allow system server to create and write method traces in /data/misc/trace.
- allow system_server method_trace_data_file:dir w_dir_perms;
- allow system_server method_trace_data_file:file { create w_file_perms };
-
- # Allow system server to read dmesg
- allow system_server kernel:system syslog_read;
-')
-
-# For AppFuse.
-allow system_server vold:fd use;
-allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
-
-# For configuring sdcardfs
-allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open unlink write };
-
-# Connect to adbd and use a socket transferred from it.
-# Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-# Allow invoking tools like "timeout"
-allow system_server toolbox_exec:file rx_file_perms;
-
-# Postinstall
-#
-# For OTA dexopt, allow calls coming from postinstall.
-binder_call(system_server, postinstall)
-
-allow system_server postinstall:fifo_file write;
-allow system_server update_engine:fd use;
-allow system_server update_engine:fifo_file write;
-
-# Access to /data/preloads
-allow system_server preloads_data_file:file { r_file_perms unlink };
-allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow system_server preloads_media_file:file { r_file_perms unlink };
-allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-r_dir_file(system_server, cgroup)
-allow system_server ion_device:chr_file r_file_perms;
-
-r_dir_file(system_server, proc)
-r_dir_file(system_server, proc_meminfo)
-r_dir_file(system_server, proc_net)
-r_dir_file(system_server, rootfs)
-r_dir_file(system_server, sysfs_type)
-
-### Rules needed when Light HAL runs inside system_server process.
-### These rules should eventually be granted only when needed.
-allow system_server sysfs_leds:lnk_file read;
-allow system_server sysfs_leds:file rw_file_perms;
-allow system_server sysfs_leds:dir r_dir_perms;
-###
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow system_server debugfs_tracing_instances:dir search;
-allow system_server debugfs_wifi_tracing:dir search;
-allow system_server debugfs_wifi_tracing:file rw_file_perms;
-
-# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
-# asanwrapper.
-with_asan(`
- allow system_server shell_exec:file rx_file_perms;
- allow system_server asanwrapper_exec:file rx_file_perms;
- allow system_server zygote_exec:file rx_file_perms;
-')
-
-###
-### Neverallow rules
-###
-### system_server should NEVER do any of this
-
-# Do not allow opening files from external storage as unsafe ejection
-# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
-
-# system server should never be operating on zygote spawned app data
-# files directly. Rather, they should always be passed via a
-# file descriptor.
-# Types extracted from seapp_contexts type= fields, excluding
-# those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
-
-# Forking and execing is inherently dangerous and racy. See, for
-# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
-# Prevent the addition of new file execs to stop the problem from
-# getting worse. b/28035297
-neverallow system_server {
- file_type
- -toolbox_exec
- -logcat_exec
- with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
-}:file execute_no_trans;
-
-# Ensure that system_server doesn't perform any domain transitions other than
-# transitioning to the crash_dump domain when a crash occurs.
-neverallow system_server { domain -crash_dump }:process transition;
-neverallow system_server *:process dyntransition;
-
-# Only allow crash_dump to connect to system_ndebug_socket.
-neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
-
-# system_server should never be executing dex2oat. This is either
-# a bug (for example, bug 16317188), or represents an attempt by
-# system server to dynamically load a dex file, something we do not
-# want to allow.
-neverallow system_server dex2oat_exec:file no_x_file_perms;
-
-# system_server should never execute or load executable shared libraries
-# in /data except for /data/dalvik-cache files.
-neverallow system_server {
- data_file_type
- -dalvikcache_data_file #mapping with PROT_EXEC
-}:file no_x_file_perms;
-
-# The only block device system_server should be accessing is
-# the frp_block_device. This helps avoid a system_server to root
-# escalation by writing to raw block devices.
-neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
-
-# system_server should never use JIT functionality
-neverallow system_server self:process execmem;
-neverallow system_server ashmem_device:chr_file execute;
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow system_server system_server_tmpfs:file execute;
-
-# dexoptanalyzer is currently used only for secondary dex files which
-# system_server should never access.
-neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
-
-# No ptracing others
-neverallow system_server { domain -system_server }:process ptrace;
-
-# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
-# file read access. However, that is now unnecessary (b/34951864)
-# This neverallow can be removed after b/34951864 is fixed.
-neverallow system_server system_server:capability sys_resource;
diff --git a/prebuilts/api/27.0/private/technical_debt.cil b/prebuilts/api/27.0/private/technical_debt.cil
deleted file mode 100644
index 974f328..0000000
--- a/prebuilts/api/27.0/private/technical_debt.cil
+++ /dev/null
@@ -1,33 +0,0 @@
-; THIS IS A WORKAROUND for the current limitations of the module policy language
-; This should be used sparingly until we figure out a saner way to achieve the
-; stuff below, for example, by improving typeattribute statement of module
-; language.
-;
-; NOTE: This file has no effect on recovery policy.
-
-; Apps, except isolated apps, are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_allocator_client;
-; typeattribute hal_allocator_client halclientdomain;
-(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
-(typeattributeset halclientdomain (hal_allocator_client))
-
-; Apps, except isolated apps, are clients of Configstore HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_configstore_client;
-(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Graphics Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
-(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Cas HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
-
-; Domains hosting Camera HAL implementations are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute hal_camera hal_allocator_client;
-(typeattributeset hal_allocator_client (hal_camera))
diff --git a/prebuilts/api/27.0/private/thermalserviced.te b/prebuilts/api/27.0/private/thermalserviced.te
deleted file mode 100644
index 1a09e20..0000000
--- a/prebuilts/api/27.0/private/thermalserviced.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute thermalserviced coredomain;
-
-init_daemon_domain(thermalserviced)
-
diff --git a/prebuilts/api/27.0/private/tombstoned.te b/prebuilts/api/27.0/private/tombstoned.te
deleted file mode 100644
index 305f9d0..0000000
--- a/prebuilts/api/27.0/private/tombstoned.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tombstoned coredomain;
-
-init_daemon_domain(tombstoned)
diff --git a/prebuilts/api/27.0/private/toolbox.te b/prebuilts/api/27.0/private/toolbox.te
deleted file mode 100644
index a2b958d..0000000
--- a/prebuilts/api/27.0/private/toolbox.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute toolbox coredomain;
-
-init_daemon_domain(toolbox)
diff --git a/prebuilts/api/27.0/private/tzdatacheck.te b/prebuilts/api/27.0/private/tzdatacheck.te
deleted file mode 100644
index 502735c..0000000
--- a/prebuilts/api/27.0/private/tzdatacheck.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tzdatacheck coredomain;
-
-init_daemon_domain(tzdatacheck)
diff --git a/prebuilts/api/27.0/private/ueventd.te b/prebuilts/api/27.0/private/ueventd.te
deleted file mode 100644
index 0df587f..0000000
--- a/prebuilts/api/27.0/private/ueventd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute ueventd coredomain;
-typeattribute ueventd domain_deprecated;
-
-tmpfs_domain(ueventd)
diff --git a/prebuilts/api/27.0/private/uncrypt.te b/prebuilts/api/27.0/private/uncrypt.te
deleted file mode 100644
index fde686b..0000000
--- a/prebuilts/api/27.0/private/uncrypt.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute uncrypt coredomain;
-typeattribute uncrypt domain_deprecated;
-
-init_daemon_domain(uncrypt)
diff --git a/prebuilts/api/27.0/private/untrusted_app.te b/prebuilts/api/27.0/private/untrusted_app.te
deleted file mode 100644
index 93a73f1..0000000
--- a/prebuilts/api/27.0/private/untrusted_app.te
+++ /dev/null
@@ -1,37 +0,0 @@
-###
-### Untrusted apps.
-###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-typeattribute untrusted_app coredomain;
-
-app_domain(untrusted_app)
-untrusted_app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
-
-# allow untrusted apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
-
-neverallow untrusted_app system_server:udp_socket {
- accept append bind create getopt ioctl listen lock name_bind
- relabelfrom relabelto setattr setopt shutdown };
diff --git a/prebuilts/api/27.0/private/untrusted_app_25.te b/prebuilts/api/27.0/private/untrusted_app_25.te
deleted file mode 100644
index 3fa79ef..0000000
--- a/prebuilts/api/27.0/private/untrusted_app_25.te
+++ /dev/null
@@ -1,46 +0,0 @@
-###
-### Untrusted_app_25
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion <= 25.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-typeattribute untrusted_app_25 coredomain;
-
-app_domain(untrusted_app_25)
-untrusted_app_domain(untrusted_app_25)
-net_domain(untrusted_app_25)
-bluetooth_domain(untrusted_app_25)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app_25)
-
-# b/34115651 - net.dns* properties read
-# This will go away in a future Android release
-get_prop(untrusted_app_25, net_dns_prop)
-
-# b/35917228 - /proc/misc access
-# This will go away in a future Android release
-allow untrusted_app_25 proc_misc:file r_file_perms;
-
-# Access to /proc/tty/drivers, to allow apps to determine if they
-# are running in an emulated environment.
-# b/33214085 b/33814662 b/33791054 b/33211769
-# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
-# This will go away in a future Android release
-allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
diff --git a/prebuilts/api/27.0/private/untrusted_app_all.te b/prebuilts/api/27.0/private/untrusted_app_all.te
deleted file mode 100644
index cce589e..0000000
--- a/prebuilts/api/27.0/private/untrusted_app_all.te
+++ /dev/null
@@ -1,108 +0,0 @@
-###
-### Untrusted_app_all.
-###
-### This file defines the rules shared by all untrusted app domains except
-### apps which target the v2 security sandbox (ephemeral_app for instant apps,
-### untrusted_v2_app for fully installed v2 apps).
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app_all attribute is assigned to all default
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### attribute is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-### Note that rules that should apply to all untrusted apps must be in app.te or also
-### added to untrusted_v2_app.te and ephemeral_app.te.
-
-# Legacy text relocations
-allow untrusted_app_all apk_data_file:file execmod;
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
-
-# ASEC
-allow untrusted_app_all asec_apk_file:file r_file_perms;
-allow untrusted_app_all asec_apk_file:dir r_dir_perms;
-# Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute execmod };
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-# TODO: Long term, we don't want apps probing into shell data files.
-# Figure out a way to remove these rules.
-allow untrusted_app_all shell_data_file:file r_file_perms;
-allow untrusted_app_all shell_data_file:dir r_dir_perms;
-
-# Allow to read staged apks.
-allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_app_all system_app_data_file:file { read write getattr };
-
-#
-# Rules migrated from old app domains coalesced into untrusted_app.
-# This includes what used to be media_app, shared_app, and release_app.
-#
-
-# Access to /data/media.
-allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
-allow untrusted_app_all media_rw_data_file:file create_file_perms;
-
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app_all mnt_media_rw_file:dir search;
-
-# allow cts to query all services
-allow untrusted_app_all servicemanager:service_manager list;
-
-allow untrusted_app_all audioserver_service:service_manager find;
-allow untrusted_app_all cameraserver_service:service_manager find;
-allow untrusted_app_all drmserver_service:service_manager find;
-allow untrusted_app_all mediaserver_service:service_manager find;
-allow untrusted_app_all mediaextractor_service:service_manager find;
-allow untrusted_app_all mediacodec_service:service_manager find;
-allow untrusted_app_all mediametrics_service:service_manager find;
-allow untrusted_app_all mediadrmserver_service:service_manager find;
-allow untrusted_app_all nfc_service:service_manager find;
-allow untrusted_app_all radio_service:service_manager find;
-allow untrusted_app_all surfaceflinger_service:service_manager find;
-allow untrusted_app_all app_api_service:service_manager find;
-allow untrusted_app_all vr_manager_service:service_manager find;
-
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
- allow untrusted_app_all perfprofd_data_file:file r_file_perms;
- allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
-')
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_app_all self:process ptrace;
-
-# Cts: HwRngTest
-allow untrusted_app_all sysfs_hwrandom:dir search;
-allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
-
-# Allow apps to view preloaded media content
-allow untrusted_app_all preloads_media_file:dir r_dir_perms;
-allow untrusted_app_all preloads_media_file:file r_file_perms;
-allow untrusted_app_all preloads_data_file:dir search;
-
-# Allow untrusted apps read / execute access to /vendor/app for there can
-# be pre-installed vendor apps that package a library within themselves.
-# TODO (b/37784178) Consider creating a special type for /vendor/app installed
-# apps.
-allow untrusted_app_all vendor_app_file:dir { open getattr read search };
-allow untrusted_app_all vendor_app_file:file { open getattr read execute };
-allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
diff --git a/prebuilts/api/27.0/private/untrusted_v2_app.te b/prebuilts/api/27.0/private/untrusted_v2_app.te
deleted file mode 100644
index 7ed3881..0000000
--- a/prebuilts/api/27.0/private/untrusted_v2_app.te
+++ /dev/null
@@ -1,42 +0,0 @@
-###
-### Untrusted v2 sandbox apps.
-###
-
-typeattribute untrusted_v2_app coredomain;
-
-app_domain(untrusted_v2_app)
-net_domain(untrusted_v2_app)
-bluetooth_domain(untrusted_v2_app)
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_v2_app system_app_data_file:file { read write getattr };
-
-# Access to /data/media.
-allow untrusted_v2_app media_rw_data_file:dir create_dir_perms;
-allow untrusted_v2_app media_rw_data_file:file create_file_perms;
-
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_v2_app mnt_media_rw_file:dir search;
-
-# allow cts to query all services
-allow untrusted_v2_app servicemanager:service_manager list;
-
-allow untrusted_v2_app audioserver_service:service_manager find;
-allow untrusted_v2_app cameraserver_service:service_manager find;
-allow untrusted_v2_app drmserver_service:service_manager find;
-allow untrusted_v2_app mediaserver_service:service_manager find;
-allow untrusted_v2_app mediaextractor_service:service_manager find;
-allow untrusted_v2_app mediacodec_service:service_manager find;
-allow untrusted_v2_app mediametrics_service:service_manager find;
-allow untrusted_v2_app mediadrmserver_service:service_manager find;
-allow untrusted_v2_app nfc_service:service_manager find;
-allow untrusted_v2_app radio_service:service_manager find;
-allow untrusted_v2_app surfaceflinger_service:service_manager find;
-# TODO: potentially provide a tighter list of services here
-allow untrusted_v2_app app_api_service:service_manager find;
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_v2_app self:process ptrace;
diff --git a/prebuilts/api/27.0/private/update_engine.te b/prebuilts/api/27.0/private/update_engine.te
deleted file mode 100644
index f460272..0000000
--- a/prebuilts/api/27.0/private/update_engine.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute update_engine coredomain;
-typeattribute update_engine domain_deprecated;
-
-init_daemon_domain(update_engine);
diff --git a/prebuilts/api/27.0/private/update_engine_common.te b/prebuilts/api/27.0/private/update_engine_common.te
deleted file mode 100644
index a7fb584..0000000
--- a/prebuilts/api/27.0/private/update_engine_common.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
-domain_auto_trans(update_engine_common, postinstall_file, postinstall)
diff --git a/prebuilts/api/27.0/private/update_verifier.te b/prebuilts/api/27.0/private/update_verifier.te
deleted file mode 100644
index 1b934d9..0000000
--- a/prebuilts/api/27.0/private/update_verifier.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute update_verifier coredomain;
-
-init_daemon_domain(update_verifier)
diff --git a/prebuilts/api/27.0/private/users b/prebuilts/api/27.0/private/users
deleted file mode 100644
index 51b7b57..0000000
--- a/prebuilts/api/27.0/private/users
+++ /dev/null
@@ -1 +0,0 @@
-user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/prebuilts/api/27.0/private/vdc.te b/prebuilts/api/27.0/private/vdc.te
deleted file mode 100644
index bc7409e..0000000
--- a/prebuilts/api/27.0/private/vdc.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute vdc coredomain;
-
-init_daemon_domain(vdc)
diff --git a/prebuilts/api/27.0/private/virtual_touchpad.te b/prebuilts/api/27.0/private/virtual_touchpad.te
deleted file mode 100644
index e735172..0000000
--- a/prebuilts/api/27.0/private/virtual_touchpad.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute virtual_touchpad coredomain;
-
-init_daemon_domain(virtual_touchpad)
diff --git a/prebuilts/api/27.0/private/vold.te b/prebuilts/api/27.0/private/vold.te
deleted file mode 100644
index f2416f8..0000000
--- a/prebuilts/api/27.0/private/vold.te
+++ /dev/null
@@ -1,20 +0,0 @@
-typeattribute vold coredomain;
-typeattribute vold domain_deprecated;
-
-init_daemon_domain(vold)
-
-# Switch to more restrictive domains when executing common tools
-domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, sdcardd_exec, sdcardd);
-
-# For a handful of probing tools, we choose an even more restrictive
-# domain when working with untrusted block devices
-domain_trans(vold, shell_exec, blkid);
-domain_trans(vold, shell_exec, blkid_untrusted);
-domain_trans(vold, fsck_exec, fsck);
-domain_trans(vold, fsck_exec, fsck_untrusted);
-
-# Newly created storage dirs are always treated as mount stubs to prevent us
-# from accidentally writing when the mount point isn't present.
-type_transition vold storage_file:dir storage_stub_file;
-type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
diff --git a/prebuilts/api/27.0/private/vr_hwc.te b/prebuilts/api/27.0/private/vr_hwc.te
deleted file mode 100644
index 053c03d..0000000
--- a/prebuilts/api/27.0/private/vr_hwc.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute vr_hwc coredomain;
-
-# Daemon started by init.
-init_daemon_domain(vr_hwc)
-
-hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/prebuilts/api/27.0/private/watchdogd.te b/prebuilts/api/27.0/private/watchdogd.te
deleted file mode 100644
index 36dd30f..0000000
--- a/prebuilts/api/27.0/private/watchdogd.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute watchdogd coredomain;
diff --git a/prebuilts/api/27.0/private/webview_zygote.te b/prebuilts/api/27.0/private/webview_zygote.te
deleted file mode 100644
index 3c5403b..0000000
--- a/prebuilts/api/27.0/private/webview_zygote.te
+++ /dev/null
@@ -1,120 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-typeattribute webview_zygote coredomain;
-
-# The webview_zygote needs to be able to transition domains.
-typeattribute webview_zygote mlstrustedsubject;
-
-# When init launches the WebView zygote's executable, transition the
-# resulting process into webview_zygote domain.
-init_daemon_domain(webview_zygote)
-
-# Allow reading/executing installed binaries to enable preloading the
-# installed WebView implementation.
-allow webview_zygote apk_data_file:dir r_dir_perms;
-allow webview_zygote apk_data_file:file { r_file_perms execute };
-
-# Access to the WebView relro file.
-allow webview_zygote shared_relro_file:dir search;
-allow webview_zygote shared_relro_file:file r_file_perms;
-
-# Set the UID/GID of the process.
-allow webview_zygote self:capability { setgid setuid };
-# Drop capabilities from bounding set.
-allow webview_zygote self:capability setpcap;
-# Switch SELinux context to app domains.
-allow webview_zygote self:process setcurrent;
-allow webview_zygote isolated_app:process dyntransition;
-
-# For art.
-allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
-allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
-
-# Allow webview_zygote to stat the files that it opens. It must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow webview_zygote debugfs_trace_marker:file getattr;
-
-# Allow webview_zygote to manage the pgroup of its children.
-allow webview_zygote system_server:process getpgid;
-
-# Interaction between the webview_zygote and its children.
-allow webview_zygote isolated_app:process setpgid;
-
-# TODO (b/63631799) fix this access
-# Suppress denials to storage. Webview zygote should not be accessing.
-dontaudit webview_zygote mnt_expand_file:dir getattr;
-
-# Get seapp_contexts
-allow webview_zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(webview_zygote)
-# Check SELinux permissions.
-selinux_check_access(webview_zygote)
-
-#####
-##### Neverallow
-#####
-
-# Only permit transition to isolated_app.
-neverallow webview_zygote { domain -isolated_app }:process dyntransition;
-
-# Only setcon() transitions, no exec() based transitions, except for crash_dump.
-neverallow webview_zygote { domain -crash_dump }:process transition;
-
-# Must not exec() a program without changing domains.
-# Having said that, exec() above is not allowed.
-neverallow webview_zygote *:file execute_no_trans;
-
-# The only way to enter this domain is for init to exec() us.
-neverallow { domain -init } webview_zygote:process transition;
-neverallow * webview_zygote:process dyntransition;
-
-# Disallow write access to properties.
-neverallow webview_zygote property_socket:sock_file write;
-neverallow webview_zygote property_type:property_service set;
-
-# Should not have any access to app data files.
-neverallow webview_zygote {
- app_data_file
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
-}:file { rwx_file_perms };
-
-neverallow webview_zygote {
- service_manager_type
- -activity_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
-
-# Do not allow webview_zygote access to /cache.
-neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
-neverallow webview_zygote cache_file:file ~{ read getattr };
-
-# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
-# unix_stream_socket, and netlink_selinux_socket.
-neverallow webview_zygote domain:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
- appletalk_socket netlink_route_socket netlink_tcpdiag_socket
- netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
- sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
- x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
- pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
- rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
-} *;
-
-# Do not allow access to Bluetooth-related system properties.
-# neverallow rules for Bluetooth-related data files are listed above.
-neverallow webview_zygote bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/27.0/private/wificond.te b/prebuilts/api/27.0/private/wificond.te
deleted file mode 100644
index cc76447..0000000
--- a/prebuilts/api/27.0/private/wificond.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute wificond coredomain;
-
-init_daemon_domain(wificond)
-hal_client_domain(wificond, hal_wifi_offload)
diff --git a/prebuilts/api/27.0/private/zygote.te b/prebuilts/api/27.0/private/zygote.te
deleted file mode 100644
index daabbc0..0000000
--- a/prebuilts/api/27.0/private/zygote.te
+++ /dev/null
@@ -1,134 +0,0 @@
-# zygote
-typeattribute zygote coredomain;
-typeattribute zygote domain_deprecated;
-typeattribute zygote mlstrustedsubject;
-
-init_daemon_domain(zygote)
-
-read_runtime_log_tags(zygote)
-
-# Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner chown };
-
-# Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
-
-# Switch SELinux context to app domains.
-allow zygote self:process setcurrent;
-allow zygote system_server:process dyntransition;
-allow zygote appdomain:process dyntransition;
-
-# Allow zygote to read app /proc/pid dirs (b/10455872).
-allow zygote appdomain:dir { getattr search };
-allow zygote appdomain:file { r_file_perms };
-
-# Move children into the peer process group.
-allow zygote system_server:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
-
-# Read system data.
-allow zygote system_data_file:dir r_dir_perms;
-allow zygote system_data_file:file r_file_perms;
-
-# Write to /data/dalvik-cache.
-allow zygote dalvikcache_data_file:dir create_dir_perms;
-allow zygote dalvikcache_data_file:file create_file_perms;
-
-# Create symlinks in /data/dalvik-cache.
-allow zygote dalvikcache_data_file:lnk_file create_file_perms;
-
-# Write to /data/resource-cache.
-allow zygote resourcecache_data_file:dir rw_dir_perms;
-allow zygote resourcecache_data_file:file create_file_perms;
-
-# When WITH_DEXPREOPT is true, the zygote does not load executable content from
-# /data/dalvik-cache.
-allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
-
-# Execute idmap and dex2oat within zygote's own domain.
-# TODO: Should either of these be transitioned to the same domain
-# used by installd or stay in-domain for zygote?
-allow zygote idmap_exec:file rx_file_perms;
-allow zygote dex2oat_exec:file rx_file_perms;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(zygote, vendor_overlay_file)
-
-# Control cgroups.
-allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote self:capability sys_admin;
-
-# Allow zygote to stat the files that it opens. The zygote must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow zygote pmsg_device:chr_file getattr;
-allow zygote debugfs_trace_marker:file getattr;
-
-# Get seapp_contexts
-allow zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(zygote)
-# Check SELinux permissions.
-selinux_check_access(zygote)
-
-# Native bridge functionality requires that zygote replaces
-# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
-allow zygote proc_cpuinfo:file mounton;
-
-# Allow remounting rootfs as MS_SLAVE.
-allow zygote rootfs:dir mounton;
-allow zygote tmpfs:filesystem { mount unmount };
-allow zygote fuse:filesystem { unmount };
-allow zygote sdcardfs:filesystem { unmount };
-
-# Allow creating user-specific storage source if started before vold.
-allow zygote mnt_user_file:dir create_dir_perms;
-allow zygote mnt_user_file:lnk_file create_file_perms;
-# Allowed to mount user-specific storage into place
-allow zygote storage_file:dir { search mounton };
-
-# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file rx_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net)
-
-# Root fs.
-r_dir_file(zygote, rootfs)
-
-# System file accesses.
-r_dir_file(zygote, system_file)
-
-userdebug_or_eng(`
- # Allow zygote to create and write method traces in /data/misc/trace.
- allow zygote method_trace_data_file:dir w_dir_perms;
- allow zygote method_trace_data_file:file { create w_file_perms };
-')
-
-allow zygote ion_device:chr_file r_file_perms;
-allow zygote tmpfs:dir r_dir_perms;
-
-# Let the zygote access overlays so it can initialize the AssetManager.
-get_prop(zygote, overlay_prop)
-
-###
-### neverallow rules
-###
-
-# Ensure that all types assigned to app processes are included
-# in the appdomain attribute, so that all allow and neverallow rules
-# written on appdomain are applied to all app processes.
-# This is achieved by ensuring that it is impossible for zygote to
-# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
-
-# Zygote should never execute anything from /data except for /data/dalvik-cache files.
-neverallow zygote {
- data_file_type
- -dalvikcache_data_file # map PROT_EXEC
-}:file no_x_file_perms;
-
-# Do not allow access to Bluetooth-related system properties and files
-neverallow zygote bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/27.0/public/adbd.te b/prebuilts/api/27.0/public/adbd.te
deleted file mode 100644
index 95854c0..0000000
--- a/prebuilts/api/27.0/public/adbd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# adbd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type adbd, domain;
-type adbd_exec, exec_type, file_type;
diff --git a/prebuilts/api/27.0/public/asan_extract.te b/prebuilts/api/27.0/public/asan_extract.te
deleted file mode 100644
index 15c5a09..0000000
--- a/prebuilts/api/27.0/public/asan_extract.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# asan_extract
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-with_asan(`
- type asan_extract, domain, coredomain;
- type asan_extract_exec, exec_type, file_type;
-
- # Allow asan_extract to execute itself using #!/system/bin/sh
- allow asan_extract shell_exec:file rx_file_perms;
-
- # We execute log, rm, gzip and tar.
- allow asan_extract toolbox_exec:file rx_file_perms;
- allow asan_extract system_file:file execute_no_trans;
-
- # asan_extract deletes old /data/lib.
- allow asan_extract system_file:dir { open read remove_name rmdir write };
- allow asan_extract system_file:file unlink;
-
- # asan_extract untars ASAN libraries into /data.
- allow asan_extract system_data_file:dir create_dir_perms ;
- allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
-
- # Relabel the libraries with restorecon.
- allow asan_extract file_contexts_file:file r_file_perms;
- allow asan_extract system_data_file:{ dir file } relabelfrom;
- allow asan_extract system_file:dir { relabelto setattr };
- allow asan_extract system_file:file relabelto;
-
- # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
- allow asan_extract system_data_file:file execute;
-
- # We need to signal a reboot when done.
- set_prop(asan_extract, powerctl_prop)
-')
diff --git a/prebuilts/api/27.0/public/attributes b/prebuilts/api/27.0/public/attributes
deleted file mode 100644
index fa8a6a6..0000000
--- a/prebuilts/api/27.0/public/attributes
+++ /dev/null
@@ -1,430 +0,0 @@
-######################################
-# Attribute declarations
-#
-
-# All types used for devices.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# in tools/checkfc.c
-attribute dev_type;
-
-# All types used for processes.
-attribute domain;
-
-# All types used for filesystems.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute fs_type;
-
-# All types used for context= mounts.
-attribute contextmount_type;
-
-# All types used for files that can exist on a labeled fs.
-# Do not use for pseudo file types.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute file_type;
-
-# All types used for domain entry points.
-attribute exec_type;
-
-# All types used for /data files.
-attribute data_file_type;
-expandattribute data_file_type false;
-# All types in /data, not in /data/vendor
-attribute core_data_file_type;
-# All types in /vendor
-attribute vendor_file_type;
-
-# All types use for sysfs files.
-attribute sysfs_type;
-
-# All types use for debugfs files.
-attribute debugfs_type;
-
-# Attribute used for all sdcards
-attribute sdcard_type;
-
-# All types used for nodes/hosts.
-attribute node_type;
-
-# All types used for network interfaces.
-attribute netif_type;
-
-# All types used for network ports.
-attribute port_type;
-
-# All types used for property service
-# On change, update CHECK_PC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute property_type;
-
-# All properties defined in core SELinux policy. Should not be
-# used by device specific properties
-attribute core_property_type;
-
-# All properties used to configure log filtering.
-attribute log_property_type;
-
-# All service_manager types created by system_server
-attribute system_server_service;
-
-# services which should be available to all but isolated apps
-attribute app_api_service;
-
-# services which should be available to all ephemeral apps
-attribute ephemeral_app_api_service;
-
-# services which export only system_api
-attribute system_api_service;
-
-# All types used for services managed by servicemanager.
-# On change, update CHECK_SC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute service_manager_type;
-
-# All types used for services managed by hwservicemanager
-attribute hwservice_manager_type;
-
-# All HwBinder services guaranteed to be passthrough. These services always run
-# in the process of their clients, and thus operate with the same access as
-# their clients.
-attribute same_process_hwservice;
-
-# All HwBinder services guaranteed to be offered only by core domain components
-attribute coredomain_hwservice;
-
-# All types used for services managed by vndservicemanager
-attribute vndservice_manager_type;
-
-
-# All domains that can override MLS restrictions.
-# i.e. processes that can read up and write down.
-attribute mlstrustedsubject;
-
-# All types that can override MLS restrictions.
-# i.e. files that can be read by lower and written by higher
-attribute mlstrustedobject;
-
-# All domains used for apps.
-attribute appdomain;
-
-# All third party apps.
-attribute untrusted_app_all;
-
-# All domains used for apps with network access.
-attribute netdomain;
-
-# All domains used for apps with bluetooth access.
-attribute bluetoothdomain;
-
-# All domains used for binder service domains.
-attribute binderservicedomain;
-
-# update_engine related domains that need to apply an update and run
-# postinstall. This includes the background daemon and the sideload tool from
-# recovery for A/B devices.
-attribute update_engine_common;
-
-# All core domains (as opposed to vendor/device-specific domains)
-attribute coredomain;
-
-# All socket devices owned by core domain components
-attribute coredomain_socket;
-
-# All vendor domains which violate the requirement of not using Binder
-# TODO(b/35870313): Remove this once there are no violations
-attribute binder_in_vendor_violators;
-expandattribute binder_in_vendor_violators false;
-
-# All vendor domains which violate the requirement of not using sockets for
-# communicating with core components
-# TODO(b/36577153): Remove this once there are no violations
-attribute socket_between_core_and_vendor_violators;
-expandattribute socket_between_core_and_vendor_violators false;
-
-# All vendor domains which violate the requirement of not executing
-# system processes
-# TODO(b/36463595)
-attribute vendor_executes_system_violators;
-expandattribute vendor_executes_system_violators false;
-
-# hwservices that are accessible from untrusted applications
-# WARNING: Use of this attribute should be avoided unless
-# absolutely necessary. It is a temporary allowance to aid the
-# transition to treble and will be removed in a future platform
-# version, requiring all hwservices that are labeled with this
-# attribute to be submitted to AOSP in order to maintain their
-# app-visibility.
-attribute untrusted_app_visible_hwservice;
-expandattribute untrusted_app_visible_hwservice false;
-
-# halserver domains that are accessible to untrusted applications. These
-# domains are typically those hosting hwservices attributed by the
-# untrusted_app_visible_hwservice.
-# WARNING: Use of this attribute should be avoided unless absolutely necessary.
-# It is a temporary allowance to aid the transition to treble and will be
-# removed in the future platform version, requiring all halserver domains that
-# are labeled with this attribute to be submitted to AOSP in order to maintain
-# their app-visibility.
-attribute untrusted_app_visible_halserver;
-expandattribute untrusted_app_visible_halserver false;
-
-# PDX services
-attribute pdx_endpoint_dir_type;
-attribute pdx_endpoint_socket_type;
-expandattribute pdx_endpoint_socket_type false;
-attribute pdx_channel_socket_type;
-expandattribute pdx_channel_socket_type false;
-
-pdx_service_attributes(display_client)
-pdx_service_attributes(display_manager)
-pdx_service_attributes(display_screenshot)
-pdx_service_attributes(display_vsync)
-pdx_service_attributes(performance_client)
-pdx_service_attributes(bufferhub_client)
-
-# All HAL servers
-attribute halserverdomain;
-# All HAL clients
-attribute halclientdomain;
-expandattribute halclientdomain true;
-
-# HALs
-attribute hal_allocator;
-expandattribute hal_allocator true;
-attribute hal_allocator_client;
-expandattribute hal_allocator_client true;
-attribute hal_allocator_server;
-expandattribute hal_allocator_server false;
-attribute hal_audio;
-expandattribute hal_audio false;
-attribute hal_audio_client;
-expandattribute hal_audio_client true;
-attribute hal_audio_server;
-expandattribute hal_audio_server false;
-attribute hal_bluetooth;
-expandattribute hal_bluetooth true;
-attribute hal_bluetooth_client;
-expandattribute hal_bluetooth_client true;
-attribute hal_bluetooth_server;
-expandattribute hal_bluetooth_server false;
-attribute hal_bootctl;
-expandattribute hal_bootctl false;
-attribute hal_bootctl_client;
-expandattribute hal_bootctl_client true;
-attribute hal_bootctl_server;
-expandattribute hal_bootctl_server false;
-attribute hal_broadcastradio;
-expandattribute hal_broadcastradio true;
-attribute hal_broadcastradio_client;
-expandattribute hal_broadcastradio_client true;
-attribute hal_broadcastradio_server;
-expandattribute hal_broadcastradio_server false;
-attribute hal_camera;
-expandattribute hal_camera false;
-attribute hal_camera_client;
-expandattribute hal_camera_client true;
-attribute hal_camera_server;
-expandattribute hal_camera_server false;
-attribute hal_configstore;
-expandattribute hal_configstore true;
-attribute hal_configstore_client;
-expandattribute hal_configstore_client true;
-attribute hal_configstore_server;
-expandattribute hal_configstore_server false;
-attribute hal_contexthub;
-expandattribute hal_contexthub true;
-attribute hal_contexthub_client;
-expandattribute hal_contexthub_client true;
-attribute hal_contexthub_server;
-expandattribute hal_contexthub_server false;
-attribute hal_drm;
-expandattribute hal_drm false;
-attribute hal_drm_client;
-expandattribute hal_drm_client true;
-attribute hal_drm_server;
-expandattribute hal_drm_server false;
-attribute hal_cas;
-expandattribute hal_cas false;
-attribute hal_cas_client;
-expandattribute hal_cas_client true;
-attribute hal_cas_server;
-expandattribute hal_cas_server false;
-attribute hal_dumpstate;
-expandattribute hal_dumpstate true;
-attribute hal_dumpstate_client;
-expandattribute hal_dumpstate_client true;
-attribute hal_dumpstate_server;
-expandattribute hal_dumpstate_server false;
-attribute hal_fingerprint;
-expandattribute hal_fingerprint true;
-attribute hal_fingerprint_client;
-expandattribute hal_fingerprint_client true;
-attribute hal_fingerprint_server;
-expandattribute hal_fingerprint_server false;
-attribute hal_gatekeeper;
-expandattribute hal_gatekeeper true;
-attribute hal_gatekeeper_client;
-expandattribute hal_gatekeeper_client true;
-attribute hal_gatekeeper_server;
-expandattribute hal_gatekeeper_server false;
-attribute hal_gnss;
-expandattribute hal_gnss true;
-attribute hal_gnss_client;
-expandattribute hal_gnss_client true;
-attribute hal_gnss_server;
-expandattribute hal_gnss_server false;
-attribute hal_graphics_allocator;
-expandattribute hal_graphics_allocator true;
-attribute hal_graphics_allocator_client;
-expandattribute hal_graphics_allocator_client true;
-attribute hal_graphics_allocator_server;
-expandattribute hal_graphics_allocator_server false;
-attribute hal_graphics_composer;
-expandattribute hal_graphics_composer true;
-attribute hal_graphics_composer_client;
-expandattribute hal_graphics_composer_client true;
-attribute hal_graphics_composer_server;
-expandattribute hal_graphics_composer_server false;
-attribute hal_health;
-expandattribute hal_health true;
-attribute hal_health_client;
-expandattribute hal_health_client true;
-attribute hal_health_server;
-expandattribute hal_health_server false;
-attribute hal_ir;
-expandattribute hal_ir true;
-attribute hal_ir_client;
-expandattribute hal_ir_client true;
-attribute hal_ir_server;
-expandattribute hal_ir_server false;
-attribute hal_keymaster;
-expandattribute hal_keymaster true;
-attribute hal_keymaster_client;
-expandattribute hal_keymaster_client true;
-attribute hal_keymaster_server;
-expandattribute hal_keymaster_server false;
-attribute hal_light;
-expandattribute hal_light true;
-attribute hal_light_client;
-expandattribute hal_light_client true;
-attribute hal_light_server;
-expandattribute hal_light_server false;
-attribute hal_memtrack;
-expandattribute hal_memtrack true;
-attribute hal_memtrack_client;
-expandattribute hal_memtrack_client true;
-attribute hal_memtrack_server;
-expandattribute hal_memtrack_server false;
-attribute hal_neuralnetworks;
-expandattribute hal_neuralnetworks true;
-attribute hal_neuralnetworks_client;
-expandattribute hal_neuralnetworks_client true;
-attribute hal_neuralnetworks_server;
-expandattribute hal_neuralnetworks_server false;
-attribute hal_nfc;
-expandattribute hal_nfc true;
-attribute hal_nfc_client;
-expandattribute hal_nfc_client true;
-attribute hal_nfc_server;
-expandattribute hal_nfc_server false;
-attribute hal_oemlock;
-expandattribute hal_oemlock true;
-attribute hal_oemlock_client;
-expandattribute hal_oemlock_client true;
-attribute hal_oemlock_server;
-expandattribute hal_oemlock_server false;
-attribute hal_power;
-expandattribute hal_power true;
-attribute hal_power_client;
-expandattribute hal_power_client true;
-attribute hal_power_server;
-expandattribute hal_power_server false;
-attribute hal_sensors;
-expandattribute hal_sensors true;
-attribute hal_sensors_client;
-expandattribute hal_sensors_client true;
-attribute hal_sensors_server;
-expandattribute hal_sensors_server false;
-attribute hal_telephony;
-expandattribute hal_telephony true;
-attribute hal_telephony_client;
-expandattribute hal_telephony_client true;
-attribute hal_telephony_server;
-expandattribute hal_telephony_server false;
-attribute hal_tetheroffload;
-expandattribute hal_tetheroffload true;
-attribute hal_tetheroffload_client;
-expandattribute hal_tetheroffload_client true;
-attribute hal_tetheroffload_server;
-expandattribute hal_tetheroffload_server false;
-attribute hal_thermal;
-expandattribute hal_thermal true;
-attribute hal_thermal_client;
-expandattribute hal_thermal_client true;
-attribute hal_thermal_server;
-expandattribute hal_thermal_server false;
-attribute hal_tv_cec;
-expandattribute hal_tv_cec true;
-attribute hal_tv_cec_client;
-expandattribute hal_tv_cec_client true;
-attribute hal_tv_cec_server;
-expandattribute hal_tv_cec_server false;
-attribute hal_tv_input;
-expandattribute hal_tv_input true;
-attribute hal_tv_input_client;
-expandattribute hal_tv_input_client true;
-attribute hal_tv_input_server;
-expandattribute hal_tv_input_server false;
-attribute hal_usb;
-expandattribute hal_usb true;
-attribute hal_usb_client;
-expandattribute hal_usb_client true;
-attribute hal_usb_server;
-expandattribute hal_usb_server false;
-attribute hal_vibrator;
-expandattribute hal_vibrator true;
-attribute hal_vibrator_client;
-expandattribute hal_vibrator_client true;
-attribute hal_vibrator_server;
-expandattribute hal_vibrator_server false;
-attribute hal_vr;
-expandattribute hal_vr true;
-attribute hal_vr_client;
-expandattribute hal_vr_client true;
-attribute hal_vr_server;
-expandattribute hal_vr_server false;
-attribute hal_weaver;
-expandattribute hal_weaver true;
-attribute hal_weaver_client;
-expandattribute hal_weaver_client true;
-attribute hal_weaver_server;
-expandattribute hal_weaver_server false;
-attribute hal_wifi;
-expandattribute hal_wifi true;
-attribute hal_wifi_client;
-expandattribute hal_wifi_client true;
-attribute hal_wifi_server;
-expandattribute hal_wifi_server false;
-attribute hal_wifi_offload;
-expandattribute hal_wifi_offload true;
-attribute hal_wifi_offload_client;
-expandattribute hal_wifi_offload_client true;
-attribute hal_wifi_offload_server;
-expandattribute hal_wifi_offload_server false;
-attribute hal_wifi_supplicant;
-expandattribute hal_wifi_supplicant true;
-attribute hal_wifi_supplicant_client;
-expandattribute hal_wifi_supplicant_client true;
-attribute hal_wifi_supplicant_server;
-expandattribute hal_wifi_supplicant_server false;
-
-# HwBinder services offered across the core-vendor boundary
-#
-# We annotate server domains with x_server to loosen the coupling between
-# system and vendor images. For example, it should be possible to move a service
-# from one core domain to another, without having to update the vendor image
-# which contains clients of this service.
-
-attribute display_service_server;
-attribute wifi_keystore_service_server;
diff --git a/prebuilts/api/27.0/public/audioserver.te b/prebuilts/api/27.0/public/audioserver.te
deleted file mode 100644
index 9a72858..0000000
--- a/prebuilts/api/27.0/public/audioserver.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# audioserver - audio services daemon
-type audioserver, domain;
diff --git a/prebuilts/api/27.0/public/blkid.te b/prebuilts/api/27.0/public/blkid.te
deleted file mode 100644
index dabe014..0000000
--- a/prebuilts/api/27.0/public/blkid.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# blkid called from vold
-type blkid, domain;
diff --git a/prebuilts/api/27.0/public/blkid_untrusted.te b/prebuilts/api/27.0/public/blkid_untrusted.te
deleted file mode 100644
index 4be4c0c..0000000
--- a/prebuilts/api/27.0/public/blkid_untrusted.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# blkid for untrusted block devices
-type blkid_untrusted, domain;
diff --git a/prebuilts/api/27.0/public/bluetooth.te b/prebuilts/api/27.0/public/bluetooth.te
deleted file mode 100644
index 9b3442a..0000000
--- a/prebuilts/api/27.0/public/bluetooth.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# bluetooth subsystem
-type bluetooth, domain;
diff --git a/prebuilts/api/27.0/public/bootanim.te b/prebuilts/api/27.0/public/bootanim.te
deleted file mode 100644
index 1a265f9..0000000
--- a/prebuilts/api/27.0/public/bootanim.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# bootanimation oneshot service
-type bootanim, domain;
-type bootanim_exec, exec_type, file_type;
-
-hal_client_domain(bootanim, hal_configstore)
-hal_client_domain(bootanim, hal_graphics_allocator)
-hal_client_domain(bootanim, hal_graphics_composer)
-
-binder_use(bootanim)
-binder_call(bootanim, surfaceflinger)
-binder_call(bootanim, audioserver)
-
-hwbinder_use(bootanim)
-
-allow bootanim gpu_device:chr_file rw_file_perms;
-
-# /oem access
-allow bootanim oemfs:dir search;
-allow bootanim oemfs:file r_file_perms;
-
-allow bootanim audio_device:dir r_dir_perms;
-allow bootanim audio_device:chr_file rw_file_perms;
-
-allow bootanim audioserver_service:service_manager find;
-allow bootanim surfaceflinger_service:service_manager find;
-
-# Allow access to ion memory allocation device
-allow bootanim ion_device:chr_file rw_file_perms;
-allow bootanim hal_graphics_allocator:fd use;
-
-# Fences
-allow bootanim hal_graphics_composer:fd use;
-
-# Read access to pseudo filesystems.
-r_dir_file(bootanim, proc)
-allow bootanim proc_meminfo:file r_file_perms;
-r_dir_file(bootanim, sysfs)
-r_dir_file(bootanim, cgroup)
-
-# System file accesses.
-allow bootanim system_file:dir r_dir_perms;
diff --git a/prebuilts/api/27.0/public/bootstat.te b/prebuilts/api/27.0/public/bootstat.te
deleted file mode 100644
index f5c7268..0000000
--- a/prebuilts/api/27.0/public/bootstat.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# bootstat command
-type bootstat, domain;
-type bootstat_exec, exec_type, file_type;
-
-read_runtime_log_tags(bootstat)
-
-# Allow persistent storage in /data/misc/bootstat.
-allow bootstat bootstat_data_file:dir rw_dir_perms;
-allow bootstat bootstat_data_file:file create_file_perms;
-
-# Read access to pseudo filesystems (for /proc/uptime).
-r_dir_file(bootstat, proc)
-
-# Collect metrics on boot time created by init
-get_prop(bootstat, boottime_prop)
diff --git a/prebuilts/api/27.0/public/bufferhubd.te b/prebuilts/api/27.0/public/bufferhubd.te
deleted file mode 100644
index 274c271..0000000
--- a/prebuilts/api/27.0/public/bufferhubd.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# bufferhubd
-type bufferhubd, domain, mlstrustedsubject;
-type bufferhubd_exec, exec_type, file_type;
-
-hal_client_domain(bufferhubd, hal_graphics_allocator)
-
-pdx_server(bufferhubd, bufferhub_client)
-pdx_client(bufferhubd, performance_client)
-
-# Access the GPU.
-allow bufferhubd gpu_device:chr_file rw_file_perms;
-
-# Access /dev/ion
-allow bufferhubd ion_device:chr_file r_file_perms;
-
-# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
-# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
-# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
-# Thus, there is no need to use pdx_client macro.
-allow bufferhubd mediacodec:fd use;
diff --git a/prebuilts/api/27.0/public/cameraserver.te b/prebuilts/api/27.0/public/cameraserver.te
deleted file mode 100644
index 0dd4a80..0000000
--- a/prebuilts/api/27.0/public/cameraserver.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# cameraserver - camera daemon
-type cameraserver, domain;
-type cameraserver_exec, exec_type, file_type;
-
-binder_use(cameraserver)
-binder_call(cameraserver, binderservicedomain)
-binder_call(cameraserver, appdomain)
-binder_service(cameraserver)
-
-hal_client_domain(cameraserver, hal_camera)
-
-hal_client_domain(cameraserver, hal_graphics_allocator)
-
-allow cameraserver ion_device:chr_file rw_file_perms;
-
-# Talk with graphics composer fences
-allow cameraserver hal_graphics_composer:fd use;
-
-add_service(cameraserver, cameraserver_service)
-allow cameraserver appops_service:service_manager find;
-allow cameraserver audioserver_service:service_manager find;
-allow cameraserver batterystats_service:service_manager find;
-allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver mediaserver_service:service_manager find;
-allow cameraserver processinfo_service:service_manager find;
-allow cameraserver scheduling_policy_service:service_manager find;
-allow cameraserver surfaceflinger_service:service_manager find;
-
-allow cameraserver hidl_token_hwservice:hwservice_manager find;
-
-###
-### neverallow rules
-###
-
-# cameraserver should never execute any executable without a
-# domain transition
-neverallow cameraserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/27.0/public/charger.te b/prebuilts/api/27.0/public/charger.te
deleted file mode 100644
index 4b20d1d..0000000
--- a/prebuilts/api/27.0/public/charger.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# charger seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type charger, domain;
-
-# Write to /dev/kmsg
-allow charger kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charger, sysfs_type)
-r_dir_file(charger, rootfs)
-r_dir_file(charger, cgroup)
-
-allow charger self:capability { sys_tty_config };
-allow charger self:capability sys_boot;
-
-wakelock_use(charger)
-
-allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Write to /sys/power/state
-# TODO: Split into a separate type?
-allow charger sysfs:file write;
-
-allow charger sysfs_batteryinfo:file r_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charger pstorefs:dir r_dir_perms;
-allow charger pstorefs:file r_file_perms;
-
-allow charger graphics_device:dir r_dir_perms;
-allow charger graphics_device:chr_file rw_file_perms;
-allow charger input_device:dir r_dir_perms;
-allow charger input_device:chr_file r_file_perms;
-allow charger tty_device:chr_file rw_file_perms;
-allow charger proc_sysrq:file rw_file_perms;
-
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charger, system_prop)
diff --git a/prebuilts/api/27.0/public/clatd.te b/prebuilts/api/27.0/public/clatd.te
deleted file mode 100644
index 212b76e..0000000
--- a/prebuilts/api/27.0/public/clatd.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# 464xlat daemon
-type clatd, domain;
-type clatd_exec, exec_type, file_type;
-
-net_domain(clatd)
-
-r_dir_file(clatd, proc_net)
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:capability { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:capability ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/27.0/public/cppreopts.te b/prebuilts/api/27.0/public/cppreopts.te
deleted file mode 100644
index 8cbf801..0000000
--- a/prebuilts/api/27.0/public/cppreopts.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# cppreopts
-#
-# This command copies preopted files from the system_b partition to the data
-# partition. This domain ensures that we are only copying into specific
-# directories.
-
-type cppreopts, domain, mlstrustedsubject;
-type cppreopts_exec, exec_type, file_type;
-
-# Allow cppreopts copy files into the dalvik-cache
-allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow cppreopts shell_exec:file rx_file_perms;
-
-# Allow us to run find on /postinstall
-allow cppreopts system_file:dir { open read };
-
-# Allow running the cp command using cppreopts permissions. Needed so we can
-# write into dalvik-cache
-allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/27.0/public/crash_dump.te b/prebuilts/api/27.0/public/crash_dump.te
deleted file mode 100644
index c101b34..0000000
--- a/prebuilts/api/27.0/public/crash_dump.te
+++ /dev/null
@@ -1,63 +0,0 @@
-type crash_dump, domain;
-type crash_dump_exec, exec_type, file_type;
-
-allow crash_dump {
- domain
- -init
- -crash_dump
- -keystore
- -logd
-}:process { ptrace signal sigchld sigstop sigkill };
-
-# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
-# which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:capability { sys_ptrace };
-
-userdebug_or_eng(`
- allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
-
- # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
- allow crash_dump kmsg_debug_device:chr_file { open append };
-')
-
-# Use inherited file descriptors
-allow crash_dump domain:fd use;
-
-# Write to the IPC pipe inherited from crashing processes.
-# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
-allow crash_dump domain:fifo_file { write append };
-
-r_dir_file(crash_dump, domain)
-allow crash_dump exec_type:file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow crash_dump dalvikcache_data_file:dir { search getattr };
-allow crash_dump dalvikcache_data_file:file r_file_perms;
-
-# Read APK files.
-r_dir_file(crash_dump, apk_data_file);
-
-# Read all /vendor
-r_dir_file(crash_dump, { vendor_file same_process_hal_file })
-
-# Talk to tombstoned
-unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
-
-# Talk to ActivityManager.
-unix_socket_connect(crash_dump, system_ndebug, system_server)
-
-# Append to ANR files.
-allow crash_dump anr_data_file:file { append getattr };
-
-# Append to tombstone files.
-allow crash_dump tombstone_data_file:file { append getattr };
-
-read_logd(crash_dump)
-
-###
-### neverallow assertions
-###
-
-# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
-# Do not allow the execution of crash_dump without a domain transition.
-neverallow domain crash_dump_exec:file execute_no_trans;
diff --git a/prebuilts/api/27.0/public/device.te b/prebuilts/api/27.0/public/device.te
deleted file mode 100644
index 475948d..0000000
--- a/prebuilts/api/27.0/public/device.te
+++ /dev/null
@@ -1,103 +0,0 @@
-# Device types
-type device, dev_type, fs_type;
-type alarm_device, dev_type, mlstrustedobject;
-type ashmem_device, dev_type, mlstrustedobject;
-type audio_device, dev_type;
-type audio_timer_device, dev_type;
-type audio_seq_device, dev_type;
-type binder_device, dev_type, mlstrustedobject;
-type hwbinder_device, dev_type, mlstrustedobject;
-type vndbinder_device, dev_type;
-type block_device, dev_type;
-type camera_device, dev_type;
-type dm_device, dev_type;
-type keychord_device, dev_type;
-type loop_control_device, dev_type;
-type loop_device, dev_type;
-type pmsg_device, dev_type, mlstrustedobject;
-type radio_device, dev_type;
-type ram_device, dev_type;
-type rtc_device, dev_type;
-type vold_device, dev_type;
-type console_device, dev_type;
-type cpuctl_device, dev_type;
-type fscklogs, dev_type;
-type full_device, dev_type;
-# GPU (used by most UI apps)
-type gpu_device, dev_type, mlstrustedobject;
-type graphics_device, dev_type;
-type hw_random_device, dev_type;
-type input_device, dev_type;
-type kmem_device, dev_type;
-type port_device, dev_type;
-type mtd_device, dev_type;
-type mtp_device, dev_type, mlstrustedobject;
-type nfc_device, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
-type kmsg_device, dev_type;
-type kmsg_debug_device, dev_type;
-type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type, mlstrustedobject;
-type sensors_device, dev_type;
-type serial_device, dev_type;
-type socket_device, dev_type;
-type owntty_device, dev_type, mlstrustedobject;
-type tty_device, dev_type;
-type video_device, dev_type;
-type vcs_device, dev_type;
-type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type, mlstrustedobject;
-type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
-type qtaguid_device, dev_type;
-type watchdog_device, dev_type;
-type uhid_device, dev_type;
-type uio_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
-type usbaccessory_device, dev_type, mlstrustedobject;
-type usb_device, dev_type, mlstrustedobject;
-type properties_device, dev_type;
-type properties_serial, dev_type;
-type i2c_device, dev_type;
-
-# All devices have a uart for the hci
-# attach service. The uart dev node
-# varies per device. This type
-# is used in per device policy
-type hci_attach_dev, dev_type;
-
-# All devices have a rpmsg device for
-# achieving remoteproc and rpmsg modules
-type rpmsg_device, dev_type;
-
-# Partition layout block device
-type root_block_device, dev_type;
-
-# factory reset protection block device
-type frp_block_device, dev_type;
-
-# System block device mounted on /system.
-type system_block_device, dev_type;
-
-# Recovery block device.
-type recovery_block_device, dev_type;
-
-# boot block device.
-type boot_block_device, dev_type;
-
-# Userdata block device mounted on /data.
-type userdata_block_device, dev_type;
-
-# Cache block device mounted on /cache.
-type cache_block_device, dev_type;
-
-# Block device for any swap partition.
-type swap_block_device, dev_type;
-
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-type metadata_block_device, dev_type;
-
-# The 'misc' partition used by recovery and A/B.
-type misc_block_device, dev_type;
diff --git a/prebuilts/api/27.0/public/dex2oat.te b/prebuilts/api/27.0/public/dex2oat.te
deleted file mode 100644
index 47f3bcb..0000000
--- a/prebuilts/api/27.0/public/dex2oat.te
+++ /dev/null
@@ -1,66 +0,0 @@
-# dex2oat
-type dex2oat, domain;
-type dex2oat_exec, exec_type, file_type;
-
-r_dir_file(dex2oat, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dex2oat, vendor_app_file)
-# Access /vendor/framework
-allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read };
-
-allow dex2oat tmpfs:file { read getattr };
-
-r_dir_file(dex2oat, dalvikcache_data_file)
-allow dex2oat dalvikcache_data_file:file write;
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
-# the oat file is symlinked to the original file in /system.
-allow dex2oat dalvikcache_data_file:lnk_file read;
-allow dex2oat installd:fd use;
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dex2oat system_file:file lock;
-
-# Read already open asec_apk_file file descriptors passed by installd.
-# Also allow reading unlabeled files, to allow for upgrading forward
-# locked APKs.
-allow dex2oat asec_apk_file:file read;
-allow dex2oat unlabeled:file read;
-allow dex2oat oemfs:file read;
-allow dex2oat apk_tmp_file:dir search;
-allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock };
-
-# Allow dex2oat to compile app's secondary dex files which were reported back to
-# the framework.
-allow dex2oat app_data_file:file { getattr read write lock };
-
-##################
-# A/B OTA Dexopt #
-##################
-
-# Allow dex2oat to use file descriptors from otapreopt.
-allow dex2oat postinstall_dexopt:fd use;
-
-allow dex2oat postinstall_file:dir { getattr search };
-allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file read;
-
-# Allow dex2oat access to files in /data/ota.
-allow dex2oat ota_data_file:dir ra_dir_perms;
-allow dex2oat ota_data_file:file r_file_perms;
-
-# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
-# where the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file { create read };
-
-# It would be nice to tie this down, but currently, because of how images are written, we can't
-# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
-# create them itself (and make them world-readable).
-allow dex2oat ota_data_file:file { create w_file_perms setattr };
-
-##############
-# Neverallow #
-##############
-
-neverallow dex2oat app_data_file:notdevfile_class_set open;
diff --git a/prebuilts/api/27.0/public/dhcp.te b/prebuilts/api/27.0/public/dhcp.te
deleted file mode 100644
index 2b54b7f..0000000
--- a/prebuilts/api/27.0/public/dhcp.te
+++ /dev/null
@@ -1,30 +0,0 @@
-type dhcp, domain;
-type dhcp_exec, exec_type, file_type;
-
-net_domain(dhcp)
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms_no_ioctl;
-allow dhcp self:netlink_route_socket nlmsg_write;
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
-not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
-
-# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
-allow dhcp toolbox_exec:file rx_file_perms;
-
-# For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
-
-set_prop(dhcp, dhcp_prop)
-set_prop(dhcp, pan_result_prop)
-
-allow dhcp dhcp_data_file:dir create_dir_perms;
-allow dhcp dhcp_data_file:file create_file_perms;
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file rw_file_perms;
-allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/prebuilts/api/27.0/public/display_service_server.te b/prebuilts/api/27.0/public/display_service_server.te
deleted file mode 100644
index c5839fa..0000000
--- a/prebuilts/api/27.0/public/display_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/prebuilts/api/27.0/public/dnsmasq.te b/prebuilts/api/27.0/public/dnsmasq.te
deleted file mode 100644
index ccac69a..0000000
--- a/prebuilts/api/27.0/public/dnsmasq.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# DNS, DHCP services
-type dnsmasq, domain;
-type dnsmasq_exec, exec_type, file_type;
-
-net_domain(dnsmasq)
-allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
-
-# TODO: Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:capability dac_override;
-
-allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
-
-allow dnsmasq dhcp_data_file:dir w_dir_perms;
-allow dnsmasq dhcp_data_file:file create_file_perms;
-
-# Inherit and use open files from netd.
-allow dnsmasq netd:fd use;
-allow dnsmasq netd:fifo_file { read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
-allow dnsmasq netd:netlink_nflog_socket { read write };
-allow dnsmasq netd:netlink_route_socket { read write };
-allow dnsmasq netd:unix_stream_socket { read write };
-allow dnsmasq netd:unix_dgram_socket { read write };
-allow dnsmasq netd:udp_socket { read write };
diff --git a/prebuilts/api/27.0/public/domain.te b/prebuilts/api/27.0/public/domain.te
deleted file mode 100644
index e9ae56c..0000000
--- a/prebuilts/api/27.0/public/domain.te
+++ /dev/null
@@ -1,1021 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Intra-domain accesses.
-allow domain self:process {
- fork
- sigchld
- sigkill
- sigstop
- signull
- signal
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- getattr
- setrlimit
-};
-allow domain self:fd use;
-allow domain proc:dir r_dir_perms;
-allow domain proc_net:dir search;
-r_dir_file(domain, self)
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:unix_dgram_socket { create_socket_perms sendto };
-allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-
-userdebug_or_eng(`
- # Same as adbd rules above, except allow su to do the same thing
- allow domain su:unix_stream_socket connectto;
- allow domain su:fd use;
- allow domain su:unix_stream_socket { getattr getopt read write shutdown };
-
- allow { domain -init } su:binder { call transfer };
- allow { domain -init } su:fd use;
-
- # Running something like "pm dump com.android.bluetooth" requires
- # fifo writes
- allow domain su:fifo_file { write getattr };
-
- # allow "gdbserver --attach" to work for su.
- allow domain su:process sigchld;
-
- # Allow writing coredumps to /cores/*
- allow domain coredump_file:file create_file_perms;
- allow domain coredump_file:dir ra_dir_perms;
-')
-
-# Root fs.
-allow domain rootfs:dir search;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file r_file_perms;
-allow domain devpts:dir search;
-allow domain socket_device:dir r_dir_perms;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file rw_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
-# /dev/binder can be accessed by non-vendor domains and by apps
-allow {
- coredomain
- appdomain
- binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- -hwservicemanager
-} binder_device:chr_file rw_file_perms;
-# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
-not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
-allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain alarm_device:chr_file r_file_perms;
-allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:dir { search getattr };
-allow domain properties_serial:file r_file_perms;
-
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-get_prop(domain, core_property_type)
-# Let everyone read log properties, so that liblog can avoid sending unloggable
-# messages to logd.
-get_prop(domain, log_property_type)
-dontaudit domain property_type:file audit_access;
-allow domain property_contexts_file:file r_file_perms;
-
-allow domain init:key search;
-allow domain vold:key search;
-
-# logd access
-write_logd(domain)
-
-# System file accesses.
-allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr map };
-allow domain system_file:lnk_file { getattr read };
-
-# Make sure system/vendor split doesn not affect non-treble
-# devices
-not_full_treble(`
- allow domain vendor_file_type:dir { search getattr };
- allow domain vendor_file_type:file { execute read open getattr map };
- allow domain vendor_file_type:lnk_file { getattr read };
-')
-
-# All domains are allowed to open and read directories
-# that contain HAL implementations (e.g. passthrough
-# HALs require clients to have these permissions)
-allow domain vendor_hal_file:dir r_dir_perms;
-
-# Everyone can read and execute all same process HALs
-allow domain same_process_hal_file:dir r_dir_perms;
-allow domain same_process_hal_file:file { execute read open getattr map };
-
-# Any process can load vndk-sp libraries, which are system libraries
-# used by same process HALs
-allow domain vndk_sp_file:dir r_dir_perms;
-allow domain vndk_sp_file:file { execute read open getattr map };
-
-# All domains get access to /vendor/etc
-allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr };
-
-full_treble_only(`
- # Allow all domains to be able to follow /system/vendor symlink
- allow domain vendor_file:lnk_file { getattr open read };
-
- # This is required to be able to search & read /vendor/lib64
- # in order to lookup vendor libraries. The execute permission
- # for coredomains is granted *only* for same process HALs
- allow domain vendor_file:dir { getattr search };
-
- # Allow reading and executing out of /vendor to all vendor domains
- allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
- allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
- allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
-')
-
-# read and stat any sysfs symlinks
-allow domain sysfs:lnk_file { getattr read };
-
-# libc references /data/misc/zoneinfo for timezone related information
-# This directory is considered to be a VNDK-stable
-r_dir_file(domain, zoneinfo_data_file)
-
-# Lots of processes access current CPU information
-r_dir_file(domain, sysfs_devices_system_cpu)
-
-r_dir_file(domain, sysfs_usb);
-
-# files under /data.
-not_full_treble(`allow domain system_data_file:dir getattr;')
-allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_file. Vendor components need the search
-# permission on system_data_file for path traversal to /data/vendor.
-allow domain system_data_file:dir search;
-
-# required by the dynamic linker
-allow domain proc:lnk_file { getattr read };
-
-# /proc/cpuinfo
-allow domain proc_cpuinfo:file r_file_perms;
-
-# jemalloc needs to read /proc/sys/vm/overcommit_memory
-allow domain proc_overcommit_memory:file r_file_perms;
-
-# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
-allow domain proc_perf:file r_file_perms;
-
-# toybox loads libselinux which stats /sys/fs/selinux/
-allow domain selinuxfs:dir search;
-allow domain selinuxfs:file getattr;
-allow domain sysfs:dir search;
-allow domain selinuxfs:filesystem getattr;
-
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file w_file_perms;
-
-# Almost all processes log tracing information to
-# /sys/kernel/debug/tracing/trace_marker
-# The reason behind this is documented in b/6513400
-allow domain debugfs:dir search;
-allow domain debugfs_tracing:dir search;
-allow domain debugfs_trace_marker:file w_file_perms;
-
-# Filesystem access.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# Restrict all domains to a allowlist for common socket types. Additional
-# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
-# not grant the ioctl permission on these socket types. That must be granted
-# separately.
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
-allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
- ioctl unpriv_unix_sock_ioctls;
-
-# Restrict PTYs to only allowlisted ioctls.
-# Note that granting this allowlist to domain does
-# not grant the wider ioctl permission. That must be granted
-# separately.
-allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
-
-# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
-# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:service_manager { add find };
-
-# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
-with_asan(`allow domain system_data_file:dir getattr;')
-
-###
-### neverallow rules
-###
-
-# All socket ioctls must be restricted to a allowlist.
-neverallowxperm domain domain:socket_class_set ioctl { 0 };
-
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * devpts:chr_file ioctl TIOCSTI;
-
-# Do not allow any domain other than init or recovery to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-
-# Limit device node creation to these allowlisted domains.
-neverallow {
- domain
- -kernel
- -init
- -ueventd
- -vold
-} self:capability mknod;
-
-# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
-neverallow {
- domain
- userdebug_or_eng(`-domain')
- -kernel
- -init
- -recovery
- -ueventd
- -healthd
- -uncrypt
- -tee
-} self:capability sys_rawio;
-
-# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow * self:memprotect mmap_zero;
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:capability2 mac_override;
-
-# Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:capability2 mac_admin;
-
-# Once the policy has been loaded there shall be none to modify the policy.
-# It is sealed.
-neverallow * kernel:security load_policy;
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow * kernel:security setenforce;
-neverallow { domain -kernel } kernel:security setcheckreqprot;
-
-# No booleans in AOSP policy, so no need to ever set them.
-neverallow * kernel:security setbool;
-
-# Adjusting the AVC cache threshold.
-# Not presently allowed to anything in policy, but possibly something
-# that could be set from init.rc.
-neverallow { domain -init } kernel:security setsecparam;
-
-# Only init, ueventd, shell and system_server should be able to access HW RNG
-neverallow {
- domain
- -init
- -shell # For CTS and is restricted to getattr in shell.te
- -system_server
- -ueventd
-} hw_random_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type or postinstall_file.
-neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
- domain
- -shell # For CTS and is restricted to getattr in shell.te
- -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
-
-#Ensure that nothing in userspace can access /dev/port
-neverallow {
- domain
- -shell # Shell user should not have any abilities outside of getattr
- -ueventd
-} port_device:chr_file *;
-neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append open read write };
-
-# No domain should be allowed to ptrace init.
-neverallow * init:process ptrace;
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
-
-# Do not allow renaming of block files or character files
-# Ability to do so can lead to possible use in an exploit chain
-# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow * *:{ blk_file chr_file } rename;
-
-# Don't allow raw read/write/open access to generic devices.
-# Rather force a relabel to a more specific type.
-neverallow domain device:chr_file { open read write };
-
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
-#
-# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few allowlisted domains.
-#
-neverallow {
- domain
- -appdomain
- with_asan(`-asan_extract')
- -dumpstate
- -shell
- userdebug_or_eng(`-su')
- -webview_zygote
- -zygote
-} {
- file_type
- -system_file
- -vendor_file_type
- -exec_type
- -postinstall_file
-}:file execute;
-
-neverallow {
- domain
- -appdomain # for oemfs
- -recovery # for /tmp/update_binary in tmpfs
-} { fs_type -rootfs }:file execute;
-# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
-
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
- domain
- -appdomain
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
-neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
-
-# Only the init property service should write to /data/property and /dev/__properties__
-neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-
-# Only recovery should be doing writes to /system & /vendor
-neverallow {
- domain
- -recovery
- with_asan(`-asan_extract')
-} {
- system_file
- vendor_file_type
- exec_type
-}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-
-neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
-
-# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
-
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
-
-# Restrict context mounts to specific types marked with
-# the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
-
-# Ensure that context mount types are not writable, to ensure that
-# the write to /system restriction above is not bypassed via context=
-# mount to another type.
-neverallow { domain -recovery } contextmount_type:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager add;
-neverallow * default_android_vndservice:service_manager { add find };
-neverallow * default_android_hwservice:hwservice_manager { add find };
-
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
-# Require that domains explicitly label unknown properties, and do not allow
-# anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
-neverallow { domain -init } mmc_prop:property_service set;
-
-# Do not allow reading device's serial number from system properties except form
-# a few allowlisted domains.
-neverallow {
- domain
- -adbd
- -dumpstate
- -hal_drm
- -hal_cas
- -init
- -mediadrmserver
- -recovery
- -shell
- -system_server
-} serialno_prop:file r_file_perms;
-
-# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
-
-neverallow {
- domain
- -init
- -recovery
- -system_server
- -shell # Shell is further restricted in shell.te
- -ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file no_rw_file_perms;
-
-# The metadata block device is set aside for device encryption and
-# verified boot metadata. It may be reset at will and should not
-# be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
- { append link rename write open read ioctl lock };
-
-# No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
-
-# No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
-
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
- domain
- userdebug_or_eng(`-domain') # exclude debuggable builds
- -hal_bootctl
- -init
- -uncrypt
- -update_engine
- -vold
- -recovery
- -ueventd
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-
-# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
-# domain apps need this because Android framework offers many of its services to apps as Binder
-# services.
-full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } binder_device:chr_file rw_file_perms;
- neverallow {
- domain
- -coredomain
- -appdomain # restrictions for vendor apps are declared lower down
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } service_manager_type:service_manager find;
- # Vendor apps are permited to use only stable public services. If they were to use arbitrary
- # services which can change any time framework/core is updated, breakage is likely.
- neverallow {
- appdomain
- -coredomain
- } {
- service_manager_type
- -app_api_service
- -ephemeral_app_api_service
- -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
- -cameraserver_service
- -drmserver_service
- -keystore_service
- -mediadrmserver_service
- -mediaextractor_service
- -mediametrics_service
- -mediaserver_service
- -nfc_service
- -radio_service
- -surfaceflinger_service
- -virtual_touchpad_service
- -vr_hwc_service
- -vr_manager_service
- }:service_manager find;
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } servicemanager:binder { call transfer };
-')
-
-# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
-full_treble_only(`
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- -ueventd # uevent is granted create for this device, but we still neverallow I/O below
- } vndbinder_device:chr_file rw_file_perms;
- neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- } vndservice_manager_type:service_manager *;
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- } vndservicemanager:binder *;
-')
-
-# On full TREBLE devices, socket communications between core components and vendor components are
-# not permitted.
-full_treble_only(`
- # Most general rules first, more specific rules below.
-
- # Core domains are not permitted to initiate communications to vendor domain sockets.
- # We are not restricting the use of already established sockets because it is fine for a process
- # to obtain an already established socket via some public/official/stable API and then exchange
- # data with its peer over that socket. The wire format in this scenario is dicatated by the API
- # and thus does not break the core-vendor separation.
- neverallow_establish_socket_comms({
- coredomain
- -init
- -adbd
- }, {
- domain
- -coredomain
- -socket_between_core_and_vendor_violators
- });
- # Vendor domains are not permitted to initiate communications to core domain sockets
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -appdomain
- -socket_between_core_and_vendor_violators
- }, {
- coredomain
- -logd # Logging by writing to logd Unix domain socket is public API
- -netd # netdomain needs this
- -mdnsd # netdomain needs this
- userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
- -init
- -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
- -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
- });
-
- # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -netdomain
- -socket_between_core_and_vendor_violators
- }, netd);
-
- # Vendor domains are not permitted to initiate create/open sockets owned by core domains
- neverallow {
- domain
- -coredomain
- -appdomain # appdomain restrictions below
- -socket_between_core_and_vendor_violators
- } {
- coredomain_socket
- core_data_file_type
- unlabeled # used only by core domains
- }:sock_file ~{ append getattr ioctl read write };
- neverallow {
- appdomain
- -coredomain
- } {
- coredomain_socket
- unlabeled # used only by core domains
- core_data_file_type
- -app_data_file
- -pdx_endpoint_socket_type # used by VR layer
- -pdx_channel_socket_type # used by VR layer
- }:sock_file ~{ append getattr ioctl read write };
-
- # Core domains are not permitted to create/open sockets owned by vendor domains
- neverallow {
- coredomain
- -init
- -ueventd
- -socket_between_core_and_vendor_violators
- } {
- file_type
- dev_type
- -coredomain_socket
- -core_data_file_type
- -unlabeled
- }:sock_file ~{ append getattr ioctl read write };
-')
-
-# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few allowlisted coredomains to keep system/vendor separation.
-full_treble_only(`
- # Limit access to /vendor/app
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- -postinstall_dexopt
- -system_server
- } vendor_app_file:dir { open read getattr search };
-
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- -postinstall_dexopt
- -system_server
- } vendor_app_file:{ file lnk_file } r_file_perms;
-
- # Limit access to /vendor/overlay
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -zygote
- } vendor_overlay_file:dir { getattr open read search };
-
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -zygote
- } vendor_overlay_file:{ file lnk_file } r_file_perms;
-
- # Non-vendor domains are not allowed to file execute shell
- # from vendor
- neverallow {
- coredomain
- -init
- } vendor_shell_exec:file { execute execute_no_trans };
-
- # Do not allow vendor components to execute files from system
- # except for the ones allowlist here.
- neverallow {
- domain
- -coredomain
- -appdomain
- -rild
- -vendor_executes_system_violators
- } {
- exec_type
- -vendor_file_type
- -crash_dump_exec
- -netutils_wrapper_exec
- }:file { entrypoint execute execute_no_trans };
-')
-
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
- domain
- -init # TODO: limit init to relabelfrom for files
- -zygote
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -otapreopt_slot
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- -init
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -zygote
- -otapreopt_slot
-} dalvikcache_data_file:dir no_w_dir_perms;
-
-# Only system_server should be able to send commands via the zygote socket
-neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } zygote_socket:sock_file write;
-
-neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } webview_zygote_socket:sock_file write;
-
-neverallow {
- domain
- -tombstoned
- -crash_dump
- -dumpstate
- -system_server
-
- # Processes that can't exec crash_dump
- -mediacodec
- -mediaextractor
-} tombstoned_crash_socket:unix_stream_socket connectto;
-
-# Never allow anyone except dumpstate or the system server to connect or write to
-# the tombstoned intercept socket.
-neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
-neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
-
-# Android does not support System V IPCs.
-#
-# The reason for this is due to the fact that, by design, they lead to global
-# kernel resource leakage.
-#
-# For example, there is no way to automatically release a SysV semaphore
-# allocated in the kernel when:
-#
-# - a buggy or malicious process exits
-# - a non-buggy and non-malicious process crashes or is explicitly killed.
-#
-# Killing processes automatically to make room for new ones is an
-# important part of Android's application lifecycle implementation. This means
-# that, even assuming only non-buggy and non-malicious code, it is very likely
-# that over time, the kernel global tables used to implement SysV IPCs will fill
-# up.
-neverallow * *:{ shm sem msg msgq } *;
-
-# Do not mount on top of symlinks, fifos, or sockets.
-# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only dumpstate, shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-# The only exceptions are for NDK text relocations associated with
-# https://code.google.com/p/android/issues/detail?id=23203
-# which, long term, need to go away.
-neverallow * {
- file_type
- -apk_data_file
- -app_data_file
- -asec_public_file
-}:file execmod;
-
-# Do not allow making the stack or heap executable.
-# We would also like to minimize execmem but it seems to be
-# required by some device-specific service domains.
-neverallow * self:process { execstack execheap };
-
-# prohibit non-zygote spawned processes from using shared libraries
-# with text relocations. b/20013628 .
-neverallow { domain -untrusted_app_all } file_type:file execmod;
-
-neverallow { domain -init } proc:{ file dir } mounton;
-
-# Ensure that all types assigned to processes are included
-# in the domain attribute, so that all allow and neverallow rules
-# written on domain are applied to all processes.
-# This is achieved by ensuring that it is impossible to transition
-# from a domain to a non-domain type and vice versa.
-# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
-neverallow ~domain domain:process { transition dyntransition };
-
-#
-# Only system_app and system_server should be creating or writing
-# their files. The proper way to share files is to setup
-# type transitions to a more specific type or assigning a type
-# to its parent directory via a file_contexts entry.
-# Example type transition:
-# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
-#
-neverallow {
- domain
- -system_server
- -system_app
- -init
- -installd # for relabelfrom and unlink, check for this in explicit neverallow
- with_asan(`-asan_extract')
-} system_data_file:file no_w_file_perms;
-# do not grant anything greater than r_file_perms and relabelfrom unlink
-# to installd
-neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-
-# respect system_app sandboxes
-neverallow {
- domain
- -appdomain # finer-grained rules for appdomain are listed below
- -system_server #populate com.android.providers.settings/databases/settings.db.
- -installd # creation of app sandbox
-} system_app_data_file:dir_file_class_set { create unlink open };
-neverallow {
- isolated_app
- untrusted_app_all # finer-grained rules for appdomain are listed below
- ephemeral_app
- priv_app
-} system_app_data_file:dir_file_class_set { create unlink open };
-
-
-# Services should respect app sandboxes
-neverallow {
- domain
- -appdomain
- -installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
-
-#
-# Only these domains should transition to shell domain. This domain is
-# permissible for the "shell user". If you need a process to exec a shell
-# script with differing privilege, define a domain and set up a transition.
-#
-neverallow {
- domain
- -adbd
- -init
- -runas
- -zygote
-} shell:process { transition dyntransition };
-
-# Only domains spawned from zygote and runas may have the appdomain attribute.
-neverallow { domain -runas -webview_zygote -zygote } {
- appdomain -shell userdebug_or_eng(`-su')
-}:process { transition dyntransition };
-
-# Minimize read access to shell- or app-writable symlinks.
-# This is to prevent malicious symlink attacks.
-neverallow {
- domain
- -appdomain
- -installd
- -uncrypt # TODO: see if we can remove
-} app_data_file:lnk_file read;
-
-neverallow {
- domain
- -shell
- userdebug_or_eng(`-uncrypt')
- -installd
-} shell_data_file:lnk_file read;
-
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowlisted domains should
-# not be trusting any content in those directories.
-neverallow {
- domain
- -adbd
- -dumpstate
- -installd
- -init
- -shell
- -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -init
- -installd
- -system_server # why?
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
-# Same as above for /data/local/tmp files. We allow shell files
-# to be passed around by file descriptor, but not directly opened.
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -installd
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:file open;
-
-
-# servicemanager and vndservicemanager are the only processes which handle the
-# service_manager list request
-neverallow * ~{
- servicemanager
- vndservicemanager
- }:service_manager list;
-
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
- hwservicemanager
- }:hwservice_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
-# Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set;
-
-# Domain types should never be assigned to any files other
-# than the /proc/pid files associated with a process. The
-# executable file used to enter a domain should be labeled
-# with its own _exec type, not with the domain type.
-# Conventionally, this looks something like:
-# $ cat mydaemon.te
-# type mydaemon, domain;
-# type mydaemon_exec, exec_type, file_type;
-# init_daemon_domain(mydaemon)
-# $ grep mydaemon file_contexts
-# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow * domain:file { execute execute_no_trans entrypoint };
-
-# Do not allow access to the generic debugfs label. This is too broad.
-# Instead, if access to part of debugfs is desired, it should have a
-# more specific label.
-# TODO: fix system_server and dumpstate
-neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
-
-# Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
-neverallow {
- domain
- -installd
- -profman
-} profman_exec:file no_x_file_perms;
-
-# Enforce restrictions on kernel module origin.
-# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file rootfs }:system module_load;
-
-# Only allow filesystem caps to be set at build time or
-# during upgrade by recovery.
-neverallow {
- domain
- -recovery
-} self:capability setfcap;
-
-# Enforce AT_SECURE for executing crash_dump.
-neverallow domain crash_dump:process noatsecure;
-
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
diff --git a/prebuilts/api/27.0/public/drmserver.te b/prebuilts/api/27.0/public/drmserver.te
deleted file mode 100644
index f752c13..0000000
--- a/prebuilts/api/27.0/public/drmserver.te
+++ /dev/null
@@ -1,58 +0,0 @@
-# drmserver - DRM service
-type drmserver, domain;
-type drmserver_exec, exec_type, file_type;
-
-typeattribute drmserver mlstrustedsubject;
-
-net_domain(drmserver)
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system_server)
-binder_call(drmserver, appdomain)
-binder_service(drmserver)
-# Inherit or receive open files from system_server.
-allow drmserver system_server:fd use;
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
-r_dir_file(drmserver, efs_file)
-
-type drmserver_socket, file_type;
-
-# /data/app/tlcd_sock socket file.
-# Clearly, /data/app is the most logical place to create a socket. Not.
-allow drmserver apk_data_file:dir rw_dir_perms;
-allow drmserver drmserver_socket:sock_file create_file_perms;
-# Delete old socket file if present.
-allow drmserver apk_data_file:sock_file unlink;
-
-# After taking a video, drmserver looks at the video file.
-r_dir_file(drmserver, media_rw_data_file)
-
-# Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr };
-allow drmserver asec_apk_file:file { read getattr };
-allow drmserver ringtone_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr };
-
-# /oem access
-allow drmserver oemfs:dir search;
-allow drmserver oemfs:file r_file_perms;
-
-add_service(drmserver, drmserver_service)
-allow drmserver permission_service:service_manager find;
-
-selinux_check_access(drmserver)
-
-r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, system_file)
diff --git a/prebuilts/api/27.0/public/dumpstate.te b/prebuilts/api/27.0/public/dumpstate.te
deleted file mode 100644
index f6d6a0a..0000000
--- a/prebuilts/api/27.0/public/dumpstate.te
+++ /dev/null
@@ -1,250 +0,0 @@
-# dumpstate
-type dumpstate, domain, mlstrustedsubject;
-type dumpstate_exec, exec_type, file_type;
-
-net_domain(dumpstate)
-binder_use(dumpstate)
-wakelock_use(dumpstate)
-
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid sys_resource };
-
-# Allow dumpstate to scan through /proc/pid for all processes
-r_dir_file(dumpstate, domain)
-
-allow dumpstate self:capability {
- # Send signals to processes
- kill
- # Run iptables
- net_raw
- net_admin
-};
-
-# Allow executing files on system, such as:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow dumpstate system_file:file execute_no_trans;
-not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
-allow dumpstate toolbox_exec:file rx_file_perms;
-
-# hidl searches for files in /system/lib(64)/hw/
-allow dumpstate system_file:dir r_dir_perms;
-
-# Create and write into /data/anr/
-allow dumpstate self:capability { dac_override chown fowner fsetid };
-allow dumpstate anr_data_file:dir rw_dir_perms;
-allow dumpstate anr_data_file:file create_file_perms;
-
-# Allow reading /data/system/uiderrors.txt
-# TODO: scope this down.
-allow dumpstate system_data_file:file r_file_perms;
-
-# Read dmesg
-allow dumpstate self:capability2 syslog;
-allow dumpstate kernel:system syslog_read;
-
-# Read /sys/fs/pstore/console-ramoops
-allow dumpstate pstorefs:dir r_dir_perms;
-allow dumpstate pstorefs:file r_file_perms;
-
-# Get process attributes
-allow dumpstate domain:process getattr;
-
-# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server }:process signal;
-
-# Signal native processes to dump their stack.
-allow dumpstate {
- # This list comes from native_processes_to_dump in dumpstate/utils.c
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediadrmserver
- mediaextractor
- mediaserver
- sdcardd
- surfaceflinger
-
- # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_graphics_composer_server
- hal_sensors_server
- hal_vr_server
- mediacodec # TODO(b/36375899): hal_omx_server
-}:process signal;
-
-# Connect to tombstoned to intercept dumps.
-unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
-
-# TODO: added to match above sysfs rule. Remove me?
-allow dumpstate sysfs_usb:file w_file_perms;
-
-# Other random bits of data we want to collect
-allow dumpstate qtaguid_proc:file r_file_perms;
-allow dumpstate debugfs:file r_file_perms;
-
-# df for
-allow dumpstate {
- block_device
- cache_file
- rootfs
- selinuxfs
- storage_file
- tmpfs
-}:dir { search getattr };
-allow dumpstate fuse_device:chr_file getattr;
-allow dumpstate { dm_device cache_block_device }:blk_file getattr;
-allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
-
-# Read /dev/cpuctl and /dev/cpuset
-r_dir_file(dumpstate, cgroup)
-
-# Allow dumpstate to make binder calls to any binder service
-binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain netd wificond })
-
-hal_client_domain(dumpstate, hal_dumpstate)
-hal_client_domain(dumpstate, hal_graphics_allocator)
-# Vibrate the device after we are done collecting the bugreport
-hal_client_domain(dumpstate, hal_vibrator)
-# For passthrough mode:
-allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
-
-# Reading /proc/PID/maps of other processes
-allow dumpstate self:capability sys_ptrace;
-
-# Allow the bugreport service to create a file in
-# /data/data/com.android.shell/files/bugreports/bugreport
-allow dumpstate shell_data_file:dir create_dir_perms;
-allow dumpstate shell_data_file:file create_file_perms;
-
-# Run a shell.
-allow dumpstate shell_exec:file rx_file_perms;
-
-# For running am and similar framework commands.
-# Run /system/bin/app_process.
-allow dumpstate zygote_exec:file rx_file_perms;
-# Dalvik Compiler JIT.
-allow dumpstate ashmem_device:chr_file execute;
-allow dumpstate self:process execmem;
-# For art.
-allow dumpstate dalvikcache_data_file:dir { search getattr };
-allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
-allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
-
-# For Bluetooth
-allow dumpstate bluetooth_data_file:dir search;
-allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
-allow dumpstate bluetooth_logs_data_file:file r_file_perms;
-
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-
-# logd access
-read_logd(dumpstate)
-control_logd(dumpstate)
-read_runtime_log_tags(dumpstate)
-
-# Read files in /proc
-allow dumpstate proc_meminfo:file r_file_perms;
-allow dumpstate proc_net:file r_file_perms;
-r_dir_file(dumpstate, proc)
-
-# Read network state info files.
-allow dumpstate net_data_file:dir search;
-allow dumpstate net_data_file:file r_file_perms;
-
-# List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Access /data/tombstones.
-allow dumpstate tombstone_data_file:dir r_dir_perms;
-allow dumpstate tombstone_data_file:file r_file_perms;
-
-# Access /cache/recovery
-allow dumpstate cache_recovery_file:dir r_dir_perms;
-allow dumpstate cache_recovery_file:file r_file_perms;
-
-# Access /data/misc/recovery
-allow dumpstate recovery_data_file:dir r_dir_perms;
-allow dumpstate recovery_data_file:file r_file_perms;
-
-# Access /data/misc/profiles/{cur,ref}/
-userdebug_or_eng(`
- allow dumpstate user_profile_data_file:dir r_dir_perms;
- allow dumpstate user_profile_data_file:file r_file_perms;
-')
-
-# Access /data/misc/logd
-userdebug_or_eng(`
- allow dumpstate misc_logd_file:dir r_dir_perms;
- allow dumpstate misc_logd_file:file r_file_perms;
-')
-
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
-allow dumpstate servicemanager:service_manager list;
-allow dumpstate hwservicemanager:hwservice_manager list;
-
-allow dumpstate devpts:chr_file rw_file_perms;
-
-# Set properties.
-# dumpstate_prop is used to share state with the Shell app.
-set_prop(dumpstate, dumpstate_prop)
-# dumpstate_options_prop is used to pass extra command-line args.
-set_prop(dumpstate, dumpstate_options_prop)
-
-# Read device's serial number from system properties
-get_prop(dumpstate, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(dumpstate, device_logging_prop)
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow dumpstate media_rw_data_file:dir getattr;
-allow dumpstate proc_interrupts:file r_file_perms;
-allow dumpstate proc_zoneinfo:file r_file_perms;
-
-# Create a service for talking back to system_server
-add_service(dumpstate, dumpstate_service)
-
-# use /dev/ion for screen capture
-allow dumpstate ion_device:chr_file r_file_perms;
-
-# read default labeled files in /sys
-r_dir_file(dumpstate, sysfs)
-
-# Allow dumpstate to run top
-allow dumpstate proc_stat:file r_file_perms;
-
-# Allow dumpstate to read backlight details
-allow dumpstate sysfs_leds:lnk_file r_file_perms;
-allow dumpstate sysfs_leds:file r_file_perms;
-allow dumpstate sysfs_leds:dir search;
-
-# Allow dumpstate to talk to installd over binder
-binder_call(dumpstate, installd);
-
-# Allow dumpstate to run ip xfrm policy
-allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-###
-### neverallow rules
-###
-
-# dumpstate has capability sys_ptrace, but should only use that capability for
-# accessing sensitive /proc/PID files, never for using ptrace attach.
-neverallow dumpstate *:process ptrace;
-
-# only system_server, dumpstate and shell can find the dumpstate service
-neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
-
-# Dumpstate should not be writing to any generically labeled sysfs files.
-# Create a specific label for the file type
-neverallow dumpstate sysfs:file no_w_file_perms;
diff --git a/prebuilts/api/27.0/public/e2fs.te b/prebuilts/api/27.0/public/e2fs.te
deleted file mode 100644
index 30a815a..0000000
--- a/prebuilts/api/27.0/public/e2fs.te
+++ /dev/null
@@ -1,15 +0,0 @@
-type e2fs, domain, coredomain;
-type e2fs_exec, exec_type, file_type;
-
-allow e2fs block_device:blk_file getattr;
-allow e2fs block_device:dir search;
-allow e2fs userdata_block_device:blk_file rw_file_perms;
-
-# access /proc/filesystems
-allow e2fs proc:file r_file_perms;
-
-# access /sys/fs/ext4/features
-allow e2fs sysfs_fs_ext4_features:file r_file_perms;
-
-# access sselinux context files
-allow e2fs file_contexts_file:file { getattr open read };
diff --git a/prebuilts/api/27.0/public/ephemeral_app.te b/prebuilts/api/27.0/public/ephemeral_app.te
deleted file mode 100644
index dc39a22..0000000
--- a/prebuilts/api/27.0/public/ephemeral_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-###
-### Ephemeral apps.
-###
-### This file defines the security policy for apps with the ephemeral
-### feature.
-###
-### The ephemeral_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to ephemeral to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as ephemeral at install time.
-
-type ephemeral_app, domain;
diff --git a/prebuilts/api/27.0/public/file.te b/prebuilts/api/27.0/public/file.te
deleted file mode 100644
index bcdc461..0000000
--- a/prebuilts/api/27.0/public/file.te
+++ /dev/null
@@ -1,347 +0,0 @@
-# Filesystem types
-type labeledfs, fs_type;
-type pipefs, fs_type;
-type sockfs, fs_type;
-type rootfs, fs_type;
-type proc, fs_type;
-# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type;
-type proc_drop_caches, fs_type;
-type proc_overcommit_memory, fs_type;
-# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type;
-type sysfs_usermodehelper, fs_type, sysfs_type;
-type qtaguid_proc, fs_type, mlstrustedobject;
-type proc_bluetooth_writable, fs_type;
-type proc_cpuinfo, fs_type;
-type proc_interrupts, fs_type;
-type proc_iomem, fs_type;
-type proc_meminfo, fs_type;
-type proc_misc, fs_type;
-type proc_modules, fs_type;
-type proc_net, fs_type;
-type proc_perf, fs_type;
-type proc_stat, fs_type;
-type proc_sysrq, fs_type;
-type proc_timer, fs_type;
-type proc_tty_drivers, fs_type;
-type proc_uid_cputime_showstat, fs_type;
-type proc_uid_cputime_removeuid, fs_type;
-type proc_uid_io_stats, fs_type;
-type proc_uid_procstat_set, fs_type;
-type proc_uid_time_in_state, fs_type;
-type proc_zoneinfo, fs_type;
-type selinuxfs, fs_type, mlstrustedobject;
-type cgroup, fs_type, mlstrustedobject;
-type sysfs, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_uio, sysfs_type, fs_type;
-type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_leds, fs_type, sysfs_type;
-type sysfs_hwrandom, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_wake_lock, fs_type, sysfs_type;
-type sysfs_mac_address, fs_type, sysfs_type;
-type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
-type sysfs_fs_ext4_features, sysfs_type, fs_type;
-type configfs, fs_type;
-# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-# /sys/module/lowmemorykiller
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-# /sys/module/wlan/parameters/fwpath
-type sysfs_wlan_fwpath, fs_type, sysfs_type;
-type sysfs_vibrator, fs_type, sysfs_type;
-
-type sysfs_thermal, sysfs_type, fs_type;
-
-type sysfs_zram, fs_type, sysfs_type;
-type sysfs_zram_uevent, fs_type, sysfs_type;
-type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type, mlstrustedobject;
-type tmpfs, fs_type;
-type shm, fs_type;
-type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
-type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
-type vfat, sdcard_type, fs_type, mlstrustedobject;
-type debugfs, fs_type, debugfs_type;
-type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type;
-
-type pstorefs, fs_type;
-type functionfs, fs_type, mlstrustedobject;
-type oemfs, fs_type, contextmount_type;
-type usbfs, fs_type;
-type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
-
-# File types
-type unlabeled, file_type;
-
-# Default type for anything under /system.
-type system_file, file_type;
-
-# Default type for directories search for
-# HAL implementations
-type vendor_hal_file, vendor_file_type, file_type;
-# Default type for under /vendor or /system/vendor
-type vendor_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/app
-type vendor_app_file, vendor_file_type, file_type;
-# Default type for everything under /vendor/etc/
-type vendor_configs_file, vendor_file_type, file_type;
-# Default type for all *same process* HALs.
-# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
-type same_process_hal_file, vendor_file_type, file_type;
-# Default type for vndk-sp libs. /vendor/lib/vndk-sp
-type vndk_sp_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/framework
-type vendor_framework_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/overlay
-type vendor_overlay_file, vendor_file_type, file_type;
-
-# Speedup access for trusted applications to the runtime event tags
-type runtime_event_log_tags_file, file_type;
-# Type for /system/bin/logcat.
-type logcat_exec, exec_type, file_type;
-# /cores for coredumps on userdebug / eng builds
-type coredump_file, file_type;
-# Default type for anything under /data.
-type system_data_file, file_type, data_file_type, core_data_file_type;
-# Unencrypted data
-type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
-# /data/.layout_version or other installd-created files that
-# are created in a system_data_file directory.
-type install_data_file, file_type, data_file_type, core_data_file_type;
-# /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type, core_data_file_type;
-# /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type, core_data_file_type;
-# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, core_data_file_type;
-type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type, core_data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota
-type ota_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota_package
-type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profiles
-type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
-# /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/property
-type property_data_file, file_type, data_file_type, core_data_file_type;
-# /data/bootchart
-type bootchart_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/nativetest
-type nativetest_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/preloads
-type preloads_data_file, file_type, data_file_type, core_data_file_type;
-# /data/preloads/media
-type preloads_media_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/dhcp and /data/misc/dhcp-6.8.2
-type dhcp_data_file, file_type, data_file_type, core_data_file_type;
-
-# Mount locations managed by vold
-type mnt_media_rw_file, file_type;
-type mnt_user_file, file_type;
-type mnt_expand_file, file_type;
-type storage_file, file_type;
-
-# Label for storage dirs which are just mount stubs
-type mnt_media_rw_stub_file, file_type;
-type storage_stub_file, file_type;
-
-# /postinstall: Mount point used by update_engine to run postinstall.
-type postinstall_mnt_dir, file_type;
-# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type;
-
-# /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type, core_data_file_type;
-type audio_data_file, file_type, data_file_type, core_data_file_type;
-type audiohal_data_file, file_type, data_file_type, core_data_file_type;
-type audioserver_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
-type bootstat_data_file, file_type, data_file_type, core_data_file_type;
-type boottrace_data_file, file_type, data_file_type, core_data_file_type;
-type camera_data_file, file_type, data_file_type, core_data_file_type;
-type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
-type incident_data_file, file_type, data_file_type, core_data_file_type;
-type keychain_data_file, file_type, data_file_type, core_data_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
-type media_data_file, file_type, data_file_type, core_data_file_type;
-type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type, core_data_file_type;
-type net_data_file, file_type, data_file_type, core_data_file_type;
-type nfc_data_file, file_type, data_file_type, core_data_file_type;
-type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type reboot_data_file, file_type, data_file_type, core_data_file_type;
-type recovery_data_file, file_type, data_file_type, core_data_file_type;
-type shared_relro_file, file_type, data_file_type, core_data_file_type;
-type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
-type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
-type vpn_data_file, file_type, data_file_type, core_data_file_type;
-type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
-type vold_data_file, file_type, data_file_type, core_data_file_type;
-type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type tee_data_file, file_type, data_file_type;
-type update_engine_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-
-# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type, core_data_file_type;
-# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Compatibility with type name used in Android 4.3 and 4.4.
-# Default type for anything under /cache
-type cache_file, file_type, data_file_type, mlstrustedobject;
-# Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, data_file_type, mlstrustedobject;
-# type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type, data_file_type;
-# Type for anything under /cache/recovery
-type cache_recovery_file, file_type, data_file_type, mlstrustedobject;
-# Default type for anything under /efs
-type efs_file, file_type;
-# Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for user icon file.
-type icon_file, file_type, data_file_type, core_data_file_type;
-# /mnt/asec
-type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type, core_data_file_type;
-# /data/app-asec
-type asec_image_file, file_type, data_file_type, core_data_file_type;
-# /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# All devices have bluetooth efs files. But they
-# vary per device, so this type is used in per
-# device policy
-type bluetooth_efs_file, file_type;
-# Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
-# Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-
-# Socket types
-type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, data_file_type, coredomain_socket;
-type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
-type dumpstate_socket, file_type, coredomain_socket;
-type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
-type lmkd_socket, file_type, coredomain_socket;
-type logd_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type mdns_socket, file_type, coredomain_socket;
-type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type, data_file_type;
-type mtpd_socket, file_type, coredomain_socket;
-type netd_socket, file_type, coredomain_socket;
-type property_socket, file_type, coredomain_socket, mlstrustedobject;
-type racoon_socket, file_type, coredomain_socket;
-type rild_socket, file_type;
-type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, data_file_type, coredomain_socket;
-type system_ndebug_socket, file_type, data_file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_java_trace_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type, coredomain_socket;
-type uncrypt_socket, file_type, coredomain_socket;
-type vold_socket, file_type, coredomain_socket;
-type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type;
-type zygote_socket, file_type, coredomain_socket;
-# UART (for GPS) control proc file
-type gps_control, file_type;
-
-# PDX endpoint types
-type pdx_display_dir, pdx_endpoint_dir_type, file_type;
-type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
-type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
-
-pdx_service_socket_types(display_client, pdx_display_dir)
-pdx_service_socket_types(display_manager, pdx_display_dir)
-pdx_service_socket_types(display_screenshot, pdx_display_dir)
-pdx_service_socket_types(display_vsync, pdx_display_dir)
-pdx_service_socket_types(performance_client, pdx_performance_dir)
-pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
-
-# file_contexts files
-type file_contexts_file, file_type;
-
-# mac_permissions file
-type mac_perms_file, file_type;
-
-# property_contexts file
-type property_contexts_file, file_type;
-
-# seapp_contexts file
-type seapp_contexts_file, file_type;
-
-# sepolicy files binary and others
-type sepolicy_file, file_type;
-
-# service_contexts file
-type service_contexts_file, file_type;
-
-# nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, file_type;
-
-# hwservice_contexts file
-type hwservice_contexts_file, file_type;
-
-# vndservice_contexts file
-type vndservice_contexts_file, file_type;
-
-# Allow files to be created in their appropriate filesystems.
-allow fs_type self:filesystem associate;
-allow cgroup tmpfs:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow app_fuse_file app_fusefs:filesystem associate;
-allow postinstall_file self:filesystem associate;
-
-# asanwrapper (run a sanitized app_process, to be used with wrap properties)
-with_asan(`type asanwrapper_exec, exec_type, file_type;')
-
-# It's a bug to assign the file_type attribute and fs_type attribute
-# to any type. Do not allow it.
-#
-# For example, the following is a bug:
-# type apk_data_file, file_type, data_file_type, fs_type;
-# Should be:
-# type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem associate;
diff --git a/prebuilts/api/27.0/public/fingerprintd.te b/prebuilts/api/27.0/public/fingerprintd.te
deleted file mode 100644
index 5dd18a3..0000000
--- a/prebuilts/api/27.0/public/fingerprintd.te
+++ /dev/null
@@ -1,28 +0,0 @@
-type fingerprintd, domain;
-type fingerprintd_exec, exec_type, file_type;
-
-binder_use(fingerprintd)
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow fingerprintd system_file:dir r_dir_perms;
-
-# need to find KeyStore and add self
-add_service(fingerprintd, fingerprintd_service)
-
-# allow HAL module to read dir contents
-allow fingerprintd fingerprintd_data_file:file { create_file_perms };
-
-# allow HAL module to read/write/unlink contents of this dir
-allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
-
-# Need to add auth tokens to KeyStore
-use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
-
-# For permissions checking
-binder_call(fingerprintd, system_server);
-allow fingerprintd permission_service:service_manager find;
-
-r_dir_file(fingerprintd, cgroup)
-r_dir_file(fingerprintd, sysfs_type)
-allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/27.0/public/fsck.te b/prebuilts/api/27.0/public/fsck.te
deleted file mode 100644
index b682a87..0000000
--- a/prebuilts/api/27.0/public/fsck.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# Any fsck program run by init
-type fsck, domain;
-type fsck_exec, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow fsck tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };
-
-# Run fsck on certain block devices
-allow fsck block_device:dir search;
-allow fsck userdata_block_device:blk_file rw_file_perms;
-allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck dm_device:blk_file rw_file_perms;
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck dev_type:blk_file getattr;
-
-r_dir_file(fsck, proc)
-allow fsck rootfs:dir r_dir_perms;
-
-###
-### neverallow rules
-###
-
-# fsck should never be run on these block devices
-neverallow fsck {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- vold_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from init or vold via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
-neverallow * fsck:process dyntransition;
-neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/27.0/public/fsck_untrusted.te b/prebuilts/api/27.0/public/fsck_untrusted.te
deleted file mode 100644
index e2aceb8..0000000
--- a/prebuilts/api/27.0/public/fsck_untrusted.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# Any fsck program run on untrusted block devices
-type fsck_untrusted, domain;
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck_untrusted vold:fd use;
-allow fsck_untrusted vold:fifo_file { read write getattr };
-
-# Run fsck on vold block devices
-allow fsck_untrusted block_device:dir search;
-allow fsck_untrusted vold_device:blk_file rw_file_perms;
-
-r_dir_file(fsck_untrusted, proc)
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck_untrusted dev_type:blk_file getattr;
-
-###
-### neverallow rules
-###
-
-# Untrusted fsck should never be run on block devices holding sensitive data
-neverallow fsck_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via fsck binaries
-neverallow { domain -vold } fsck_untrusted:process transition;
-neverallow * fsck_untrusted:process dyntransition;
-neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/27.0/public/gatekeeperd.te b/prebuilts/api/27.0/public/gatekeeperd.te
deleted file mode 100644
index 2fc3627..0000000
--- a/prebuilts/api/27.0/public/gatekeeperd.te
+++ /dev/null
@@ -1,39 +0,0 @@
-type gatekeeperd, domain;
-type gatekeeperd_exec, exec_type, file_type;
-
-# gatekeeperd
-binder_service(gatekeeperd)
-binder_use(gatekeeperd)
-
-### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
-### These rules should eventually be granted only when needed.
-allow gatekeeperd tee_device:chr_file rw_file_perms;
-allow gatekeeperd ion_device:chr_file r_file_perms;
-# Load HAL implementation
-allow gatekeeperd system_file:dir r_dir_perms;
-###
-
-### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
-### These rules should eventually be granted only when needed.
-hal_client_domain(gatekeeperd, hal_gatekeeper)
-###
-
-# need to find KeyStore and add self
-add_service(gatekeeperd, gatekeeper_service)
-
-# Need to add auth tokens to KeyStore
-use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
-
-# For permissions checking
-allow gatekeeperd system_server:binder call;
-allow gatekeeperd permission_service:service_manager find;
-
-# for SID file access
-allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
-allow gatekeeperd gatekeeper_data_file:file create_file_perms;
-
-# For hardware properties retrieval
-allow gatekeeperd hardware_properties_service:service_manager find;
-
-r_dir_file(gatekeeperd, cgroup)
diff --git a/prebuilts/api/27.0/public/global_macros b/prebuilts/api/27.0/public/global_macros
deleted file mode 100644
index bcfb686..0000000
--- a/prebuilts/api/27.0/public/global_macros
+++ /dev/null
@@ -1,48 +0,0 @@
-#####################################
-# Common groupings of object classes.
-#
-define(`capability_class_set', `{ capability capability2 }')
-
-define(`devfile_class_set', `{ chr_file blk_file }')
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
-define(`dir_file_class_set', `{ dir file_class_set }')
-
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-define(`ipc_class_set', `{ sem msgq shm ipc }')
-
-#####################################
-# Common groupings of permissions.
-#
-define(`x_file_perms', `{ getattr execute execute_no_trans map }')
-define(`r_file_perms', `{ getattr open read ioctl lock map }')
-define(`w_file_perms', `{ open append write lock map }')
-define(`rx_file_perms', `{ r_file_perms x_file_perms }')
-define(`ra_file_perms', `{ r_file_perms append }')
-define(`rw_file_perms', `{ r_file_perms w_file_perms }')
-define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
-define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
-
-define(`r_dir_perms', `{ open getattr read search ioctl lock }')
-define(`w_dir_perms', `{ open search write add_name remove_name lock }')
-define(`ra_dir_perms', `{ r_dir_perms add_name write }')
-define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
-define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
-
-define(`r_ipc_perms', `{ getattr read associate unix_read }')
-define(`w_ipc_perms', `{ write unix_write }')
-define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
-define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
-
-#####################################
-# Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
-define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
-define(`create_socket_perms', `{ create rw_socket_perms }')
-define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/prebuilts/api/27.0/public/hal_allocator.te b/prebuilts/api/27.0/public/hal_allocator.te
deleted file mode 100644
index 646cebd..0000000
--- a/prebuilts/api/27.0/public/hal_allocator.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_allocator_client, hal_allocator_server)
-
-add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
-allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
-allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_audio.te b/prebuilts/api/27.0/public/hal_audio.te
deleted file mode 100644
index 33330bf..0000000
--- a/prebuilts/api/27.0/public/hal_audio.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_audio_client, hal_audio_server)
-binder_call(hal_audio_server, hal_audio_client)
-
-add_hwservice(hal_audio_server, hal_audio_hwservice)
-allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
-
-allow hal_audio ion_device:chr_file r_file_perms;
-
-userdebug_or_eng(`
- # used for pcm capture for debug.
- allow hal_audio audiohal_data_file:dir create_dir_perms;
- allow hal_audio audiohal_data_file:file create_file_perms;
-')
-
-r_dir_file(hal_audio, proc)
-allow hal_audio audio_device:dir r_dir_perms;
-allow hal_audio audio_device:chr_file rw_file_perms;
-
-# Needed to provide debug dump output via dumpsys' pipes.
-allow hal_audio shell:fd use;
-allow hal_audio shell:fifo_file write;
-allow hal_audio dumpstate:fd use;
-allow hal_audio dumpstate:fifo_file write;
-
-###
-### neverallow rules
-###
-
-# Should never execute any executable without a domain transition
-neverallow hal_audio { file_type fs_type }:file execute_no_trans;
-
-# Should never need network access.
-# Disallow network sockets.
-neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Only audio HAL may directly access the audio hardware
-neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
diff --git a/prebuilts/api/27.0/public/hal_bluetooth.te b/prebuilts/api/27.0/public/hal_bluetooth.te
deleted file mode 100644
index 2394e2e..0000000
--- a/prebuilts/api/27.0/public/hal_bluetooth.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_bluetooth_client, hal_bluetooth_server)
-binder_call(hal_bluetooth_server, hal_bluetooth_client)
-
-add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
-allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
-
-wakelock_use(hal_bluetooth);
-
-# The HAL toggles rfkill to power the chip off/on.
-allow hal_bluetooth self:capability net_admin;
-
-# bluetooth factory file accesses.
-r_dir_file(hal_bluetooth, bluetooth_efs_file)
-
-allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(hal_bluetooth, sysfs_type)
-allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth self:capability2 wake_alarm;
-
-# Allow write access to bluetooth-specific properties
-set_prop(hal_bluetooth, bluetooth_prop)
-
-# /proc access (bluesleep etc.).
-allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_bluetooth self:capability sys_nice;
diff --git a/prebuilts/api/27.0/public/hal_bootctl.te b/prebuilts/api/27.0/public/hal_bootctl.te
deleted file mode 100644
index 8b240b1..0000000
--- a/prebuilts/api/27.0/public/hal_bootctl.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_bootctl_client, hal_bootctl_server)
-binder_call(hal_bootctl_server, hal_bootctl_client)
-
-add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
-allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_broadcastradio.te b/prebuilts/api/27.0/public/hal_broadcastradio.te
deleted file mode 100644
index 24d4908..0000000
--- a/prebuilts/api/27.0/public/hal_broadcastradio.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
-
-add_hwservice(hal_broadcastradio_server, hal_broadcastradio_hwservice)
-allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_camera.te b/prebuilts/api/27.0/public/hal_camera.te
deleted file mode 100644
index 413a057..0000000
--- a/prebuilts/api/27.0/public/hal_camera.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# HwBinder IPC from clients to server and callbacks
-binder_call(hal_camera_client, hal_camera_server)
-binder_call(hal_camera_server, hal_camera_client)
-
-add_hwservice(hal_camera_server, hal_camera_hwservice)
-allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
-
-# access /data/misc/camera
-allow hal_camera camera_data_file:dir create_dir_perms;
-allow hal_camera camera_data_file:file create_file_perms;
-
-allow hal_camera video_device:dir r_dir_perms;
-allow hal_camera video_device:chr_file rw_file_perms;
-allow hal_camera camera_device:chr_file rw_file_perms;
-allow hal_camera ion_device:chr_file rw_file_perms;
-# Both the client and the server need to use the graphics allocator
-allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
-
-# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
-allow hal_camera { appdomain -isolated_app }:fd use;
-allow hal_camera surfaceflinger:fd use;
-allow hal_camera hal_allocator_server:fd use;
-
-###
-### neverallow rules
-###
-
-# hal_camera should never execute any executable without a
-# domain transition
-neverallow hal_camera { file_type fs_type }:file execute_no_trans;
-
-# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Only camera HAL may directly access the camera hardware
-neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/prebuilts/api/27.0/public/hal_cas.te b/prebuilts/api/27.0/public/hal_cas.te
deleted file mode 100644
index fd5d63b..0000000
--- a/prebuilts/api/27.0/public/hal_cas.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_cas_client, hal_cas_server)
-binder_call(hal_cas_server, hal_cas_client)
-
-add_hwservice(hal_cas_server, hal_cas_hwservice)
-allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
-allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
-
-# Permit reading device's serial number from system properties
-get_prop(hal_cas, serialno_prop)
-
-# Read files already opened under /data
-allow hal_cas system_data_file:dir { search getattr };
-allow hal_cas system_data_file:file { getattr read };
-allow hal_cas system_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems
-r_dir_file(hal_cas, cgroup)
-allow hal_cas cgroup:dir { search write };
-allow hal_cas cgroup:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow hal_cas ion_device:chr_file rw_file_perms;
-allow hal_cas hal_graphics_allocator:fd use;
-
-allow hal_cas tee_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-# hal_cas should never execute any executable without a
-# domain transition
-neverallow hal_cas { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/27.0/public/hal_configstore.te b/prebuilts/api/27.0/public/hal_configstore.te
deleted file mode 100644
index d5f2ef6..0000000
--- a/prebuilts/api/27.0/public/hal_configstore.te
+++ /dev/null
@@ -1,64 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_configstore_client, hal_configstore_server)
-
-allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-
-add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
-# As opposed to the rules of most other HALs, the different services exposed by
-# this HAL should be restricted to different clients. Thus, the allow rules for
-# clients are defined in the .te files of the clients.
-
-# hal_configstore runs with a strict seccomp filter. Use crash_dump's
-# fallback path to collect crash data.
-crash_dump_fallback(hal_configstore_server)
-
-###
-### neverallow rules
-###
-
-# Should never execute an executable without a domain transition
-neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
-
-# Should never need network access. Disallow sockets except for
-# for unix stream/dgram sockets used for logging/debugging.
-neverallow hal_configstore_server domain:{
- rawip_socket tcp_socket udp_socket
- netlink_route_socket netlink_selinux_socket
- socket netlink_socket packet_socket key_socket appletalk_socket
- netlink_tcpdiag_socket netlink_nflog_socket
- netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
- netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
- netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket
-} *;
-neverallow hal_configstore_server {
- domain
- -hal_configstore_server
- -logd
- userdebug_or_eng(`-su')
- -tombstoned
-}:{ unix_dgram_socket unix_stream_socket } *;
-
-# Should never need access to anything on /data
-neverallow hal_configstore_server {
- data_file_type
- -anr_data_file # for crash dump collection
- -tombstone_data_file # for crash dump collection
- -zoneinfo_data_file # granted to domain
-}:{ file fifo_file sock_file } *;
-
-# Should never need sdcard access
-neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
-
-# Do not permit access to service_manager and vndservice_manager
-neverallow hal_configstore_server *:service_manager *;
-
-# No privileged capabilities
-neverallow hal_configstore_server self:capability_class_set *;
-
-# No ptracing other processes
-neverallow hal_configstore_server *:process ptrace;
-
-# no relabeling
-neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
diff --git a/prebuilts/api/27.0/public/hal_contexthub.te b/prebuilts/api/27.0/public/hal_contexthub.te
deleted file mode 100644
index f11bfc8..0000000
--- a/prebuilts/api/27.0/public/hal_contexthub.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_contexthub_client, hal_contexthub_server)
-binder_call(hal_contexthub_server, hal_contexthub_client)
-
-add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
-allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_drm.te b/prebuilts/api/27.0/public/hal_drm.te
deleted file mode 100644
index 5a6bf5c..0000000
--- a/prebuilts/api/27.0/public/hal_drm.te
+++ /dev/null
@@ -1,60 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_drm_client, hal_drm_server)
-binder_call(hal_drm_server, hal_drm_client)
-
-add_hwservice(hal_drm_server, hal_drm_hwservice)
-allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
-
-allow hal_drm hidl_memory_hwservice:hwservice_manager find;
-
-# Required by Widevine DRM (b/22990512)
-allow hal_drm self:process execmem;
-
-# Permit reading device's serial number from system properties
-get_prop(hal_drm, serialno_prop)
-
-# System file accesses
-allow hal_drm system_file:dir r_dir_perms;
-allow hal_drm system_file:file r_file_perms;
-allow hal_drm system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data
-allow hal_drm system_data_file:dir { search getattr };
-allow hal_drm system_data_file:file { getattr read };
-allow hal_drm system_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems
-r_dir_file(hal_drm, cgroup)
-allow hal_drm cgroup:dir { search write };
-allow hal_drm cgroup:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow hal_drm ion_device:chr_file rw_file_perms;
-allow hal_drm hal_graphics_allocator:fd use;
-
-# Allow access to fds allocated by mediaserver
-allow hal_drm mediaserver:fd use;
-
-# Allow access to app_data and media_data_files
-allow hal_drm media_data_file:dir create_dir_perms;
-allow hal_drm media_data_file:file create_file_perms;
-allow hal_drm media_data_file:file { getattr read };
-
-allow hal_drm sysfs:file r_file_perms;
-
-allow hal_drm tee_device:chr_file rw_file_perms;
-
-# only allow unprivileged socket ioctl commands
-allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-###
-### neverallow rules
-###
-
-# hal_drm should never execute any executable without a
-# domain transition
-neverallow hal_drm { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/27.0/public/hal_dumpstate.te b/prebuilts/api/27.0/public/hal_dumpstate.te
deleted file mode 100644
index 2853567..0000000
--- a/prebuilts/api/27.0/public/hal_dumpstate.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_dumpstate_client, hal_dumpstate_server)
-binder_call(hal_dumpstate_server, hal_dumpstate_client)
-
-add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
-allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
-
-# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
-allow hal_dumpstate shell_data_file:file write;
-# allow reading /proc/interrupts for all hal impls
-allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/27.0/public/hal_fingerprint.te b/prebuilts/api/27.0/public/hal_fingerprint.te
deleted file mode 100644
index bef9f55..0000000
--- a/prebuilts/api/27.0/public/hal_fingerprint.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_fingerprint_client, hal_fingerprint_server)
-binder_call(hal_fingerprint_server, hal_fingerprint_client)
-
-add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
-allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
-
-# allow HAL module to read dir contents
-allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
-
-# allow HAL module to read/write/unlink contents of this dir
-allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
-
-# For memory allocation
-allow hal_fingerprint ion_device:chr_file r_file_perms;
-
-r_dir_file(hal_fingerprint, cgroup)
-r_dir_file(hal_fingerprint, sysfs)
diff --git a/prebuilts/api/27.0/public/hal_gatekeeper.te b/prebuilts/api/27.0/public/hal_gatekeeper.te
deleted file mode 100644
index 123acf5..0000000
--- a/prebuilts/api/27.0/public/hal_gatekeeper.te
+++ /dev/null
@@ -1,8 +0,0 @@
-binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
-
-add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
-allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
-
-# TEE access.
-allow hal_gatekeeper tee_device:chr_file rw_file_perms;
-allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/27.0/public/hal_gnss.te b/prebuilts/api/27.0/public/hal_gnss.te
deleted file mode 100644
index b59cd1d..0000000
--- a/prebuilts/api/27.0/public/hal_gnss.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_gnss_client, hal_gnss_server)
-binder_call(hal_gnss_server, hal_gnss_client)
-
-add_hwservice(hal_gnss_server, hal_gnss_hwservice)
-allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_graphics_allocator.te b/prebuilts/api/27.0/public/hal_graphics_allocator.te
deleted file mode 100644
index f56e8f6..0000000
--- a/prebuilts/api/27.0/public/hal_graphics_allocator.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
-
-add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
-allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
-allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# GPU device access
-allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
-allow hal_graphics_allocator ion_device:chr_file r_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_graphics_allocator self:capability sys_nice;
diff --git a/prebuilts/api/27.0/public/hal_graphics_composer.te b/prebuilts/api/27.0/public/hal_graphics_composer.te
deleted file mode 100644
index 287037c..0000000
--- a/prebuilts/api/27.0/public/hal_graphics_composer.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
-binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
-
-add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
-allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
-
-# Coordinate with hal_graphics_mapper
-allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# GPU device access
-allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
-allow hal_graphics_composer ion_device:chr_file r_file_perms;
-allow hal_graphics_composer hal_graphics_allocator:fd use;
-
-# Access /dev/graphics/fb0.
-allow hal_graphics_composer graphics_device:dir search;
-allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
-
-# Fences
-allow hal_graphics_composer system_server:fd use;
-allow hal_graphics_composer bootanim:fd use;
-allow hal_graphics_composer appdomain:fd use;
-
-# allow self to set SCHED_FIFO
-allow hal_graphics_composer self:capability sys_nice;
diff --git a/prebuilts/api/27.0/public/hal_health.te b/prebuilts/api/27.0/public/hal_health.te
deleted file mode 100644
index c19c5f1..0000000
--- a/prebuilts/api/27.0/public/hal_health.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_health_client, hal_health_server)
-binder_call(hal_health_server, hal_health_client)
-
-add_hwservice(hal_health_server, hal_health_hwservice)
-allow hal_health_client hal_health_hwservice:hwservice_manager find;
-
-# Read access to system files for HALs in
-# /{system,vendor,odm}/lib[64]/hw/ in order
-# to be able to open the hal implementation .so files
-r_dir_file(hal_health, system_file)
diff --git a/prebuilts/api/27.0/public/hal_ir.te b/prebuilts/api/27.0/public/hal_ir.te
deleted file mode 100644
index b1bfdd8..0000000
--- a/prebuilts/api/27.0/public/hal_ir.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_ir_client, hal_ir_server)
-binder_call(hal_ir_server, hal_ir_client)
-
-add_hwservice(hal_ir_server, hal_ir_hwservice)
-allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_keymaster.te b/prebuilts/api/27.0/public/hal_keymaster.te
deleted file mode 100644
index dc5f6d0..0000000
--- a/prebuilts/api/27.0/public/hal_keymaster.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_keymaster_client, hal_keymaster_server)
-
-add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
-allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
-
-allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/27.0/public/hal_light.te b/prebuilts/api/27.0/public/hal_light.te
deleted file mode 100644
index 5b93dd1..0000000
--- a/prebuilts/api/27.0/public/hal_light.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_light_client, hal_light_server)
-binder_call(hal_light_server, hal_light_client)
-
-add_hwservice(hal_light_server, hal_light_hwservice)
-allow hal_light_client hal_light_hwservice:hwservice_manager find;
-
-allow hal_light sysfs_leds:lnk_file read;
-allow hal_light sysfs_leds:file rw_file_perms;
-allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/prebuilts/api/27.0/public/hal_memtrack.te b/prebuilts/api/27.0/public/hal_memtrack.te
deleted file mode 100644
index b2cc9cd..0000000
--- a/prebuilts/api/27.0/public/hal_memtrack.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_memtrack_client, hal_memtrack_server)
-
-add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
-allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_neuralnetworks.te b/prebuilts/api/27.0/public/hal_neuralnetworks.te
deleted file mode 100644
index c697ac2..0000000
--- a/prebuilts/api/27.0/public/hal_neuralnetworks.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
-binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
-
-add_hwservice(hal_neuralnetworks_server, hal_neuralnetworks_hwservice)
-allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
-allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
-allow hal_neuralnetworks hal_allocator:fd use;
diff --git a/prebuilts/api/27.0/public/hal_neverallows.te b/prebuilts/api/27.0/public/hal_neverallows.te
deleted file mode 100644
index 036e1d2..0000000
--- a/prebuilts/api/27.0/public/hal_neverallows.te
+++ /dev/null
@@ -1,52 +0,0 @@
-# only HALs responsible for network hardware should have privileged
-# network capabilities
-neverallow {
- halserverdomain
- -hal_bluetooth_server
- -hal_wifi_server
- -hal_wifi_supplicant_server
- -rild
-} self:capability { net_admin net_raw };
-
-# Unless a HAL's job is to communicate over the network, or control network
-# hardware, it should not be using network sockets.
-neverallow {
- halserverdomain
- -hal_tetheroffload_server
- -hal_wifi_server
- -hal_wifi_supplicant_server
- -rild
-} domain:{ tcp_socket udp_socket rawip_socket } *;
-
-###
-# HALs are defined as an attribute and so a given domain could hypothetically
-# have multiple HALs in it (or even all of them) with the subsequent policy of
-# the domain comprised of the union of all the HALs.
-#
-# This is a problem because
-# 1) Security sensitive components should only be accessed by specific HALs.
-# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
-# the platform.
-# 3) The platform cannot reason about defense in depth if there are
-# monolithic domains etc.
-#
-# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
-# its OK for them to share a process its not OK with them to share processes
-# with other hals.
-#
-# The following neverallow rules, in conjuntion with CTS tests, assert that
-# these security principles are adhered to.
-#
-# Do not allow a hal to exec another process without a domain transition.
-# TODO remove exemptions.
-neverallow {
- halserverdomain
- -hal_dumpstate_server
- -rild
-} { file_type fs_type }:file execute_no_trans;
-# Do not allow a process other than init to transition into a HAL domain.
-neverallow { domain -init } halserverdomain:process transition;
-# Only allow transitioning to a domain by running its executable. Do not
-# allow transitioning into a HAL domain by use of seclabel in an
-# init.*.rc script.
-neverallow * halserverdomain:process dyntransition;
diff --git a/prebuilts/api/27.0/public/hal_nfc.te b/prebuilts/api/27.0/public/hal_nfc.te
deleted file mode 100644
index a027c48..0000000
--- a/prebuilts/api/27.0/public/hal_nfc.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_nfc_client, hal_nfc_server)
-binder_call(hal_nfc_server, hal_nfc_client)
-
-add_hwservice(hal_nfc_server, hal_nfc_hwservice)
-allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
-
-# Set NFC properties (used by bcm2079x HAL).
-set_prop(hal_nfc, nfc_prop)
-
-# NFC device access.
-allow hal_nfc nfc_device:chr_file rw_file_perms;
-
-# Data file accesses.
-allow hal_nfc nfc_data_file:dir create_dir_perms;
-allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/prebuilts/api/27.0/public/hal_oemlock.te b/prebuilts/api/27.0/public/hal_oemlock.te
deleted file mode 100644
index 3fb5a18..0000000
--- a/prebuilts/api/27.0/public/hal_oemlock.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_oemlock_client, hal_oemlock_server)
-
-add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
-allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_power.te b/prebuilts/api/27.0/public/hal_power.te
deleted file mode 100644
index fcba3d2..0000000
--- a/prebuilts/api/27.0/public/hal_power.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_power_client, hal_power_server)
-binder_call(hal_power_server, hal_power_client)
-
-add_hwservice(hal_power_server, hal_power_hwservice)
-allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_sensors.te b/prebuilts/api/27.0/public/hal_sensors.te
deleted file mode 100644
index 068c93b..0000000
--- a/prebuilts/api/27.0/public/hal_sensors.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_sensors_client, hal_sensors_server)
-
-add_hwservice(hal_sensors_server, hal_sensors_hwservice)
-allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
-
-# Allow sensor hals to access ashmem memory allocated by apps
-allow hal_sensors { appdomain -isolated_app }:fd use;
-
-# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
-# fd is passed in from framework sensorservice HAL.
-allow hal_sensors hal_allocator:fd use;
-
-# allow to run with real-time scheduling policy
-allow hal_sensors self:capability sys_nice;
diff --git a/prebuilts/api/27.0/public/hal_telephony.te b/prebuilts/api/27.0/public/hal_telephony.te
deleted file mode 100644
index 41cfd4b..0000000
--- a/prebuilts/api/27.0/public/hal_telephony.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_telephony_client, hal_telephony_server)
-binder_call(hal_telephony_server, hal_telephony_client)
-
-add_hwservice(hal_telephony_server, hal_telephony_hwservice)
-allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
-
diff --git a/prebuilts/api/27.0/public/hal_tetheroffload.te b/prebuilts/api/27.0/public/hal_tetheroffload.te
deleted file mode 100644
index 48d67a2..0000000
--- a/prebuilts/api/27.0/public/hal_tetheroffload.te
+++ /dev/null
@@ -1,8 +0,0 @@
-## HwBinder IPC from client to server, and callbacks
-binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
-binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
-
-allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
-
-# allow the client to pass the server already open netlink sockets
-allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/prebuilts/api/27.0/public/hal_thermal.te b/prebuilts/api/27.0/public/hal_thermal.te
deleted file mode 100644
index b1764f1..0000000
--- a/prebuilts/api/27.0/public/hal_thermal.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_thermal_client, hal_thermal_server)
-binder_call(hal_thermal_server, hal_thermal_client)
-
-add_hwservice(hal_thermal_server, hal_thermal_hwservice)
-allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_tv_cec.te b/prebuilts/api/27.0/public/hal_tv_cec.te
deleted file mode 100644
index 7719cae..0000000
--- a/prebuilts/api/27.0/public/hal_tv_cec.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_cec_client, hal_tv_cec_server)
-binder_call(hal_tv_cec_server, hal_tv_cec_client)
-
-add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
-allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_tv_input.te b/prebuilts/api/27.0/public/hal_tv_input.te
deleted file mode 100644
index 31a0067..0000000
--- a/prebuilts/api/27.0/public/hal_tv_input.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_input_client, hal_tv_input_server)
-binder_call(hal_tv_input_server, hal_tv_input_client)
-
-add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
-allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_usb.te b/prebuilts/api/27.0/public/hal_usb.te
deleted file mode 100644
index 9cfd516..0000000
--- a/prebuilts/api/27.0/public/hal_usb.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_usb_client, hal_usb_server)
-binder_call(hal_usb_server, hal_usb_client)
-
-add_hwservice(hal_usb_server, hal_usb_hwservice)
-allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
-
-allow hal_usb self:netlink_kobject_uevent_socket create;
-allow hal_usb self:netlink_kobject_uevent_socket setopt;
-allow hal_usb self:netlink_kobject_uevent_socket bind;
-allow hal_usb self:netlink_kobject_uevent_socket read;
-allow hal_usb sysfs:dir open;
-allow hal_usb sysfs:dir read;
-allow hal_usb sysfs:file read;
-allow hal_usb sysfs:file open;
-allow hal_usb sysfs:file write;
-allow hal_usb sysfs:file getattr;
-
diff --git a/prebuilts/api/27.0/public/hal_vibrator.te b/prebuilts/api/27.0/public/hal_vibrator.te
deleted file mode 100644
index c8612d7..0000000
--- a/prebuilts/api/27.0/public/hal_vibrator.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_vibrator_client, hal_vibrator_server)
-
-add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
-allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
-
-# vibrator sysfs rw access
-allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/prebuilts/api/27.0/public/hal_vr.te b/prebuilts/api/27.0/public/hal_vr.te
deleted file mode 100644
index 3cb392d..0000000
--- a/prebuilts/api/27.0/public/hal_vr.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_vr_client, hal_vr_server)
-binder_call(hal_vr_server, hal_vr_client)
-
-add_hwservice(hal_vr_server, hal_vr_hwservice)
-allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_weaver.te b/prebuilts/api/27.0/public/hal_weaver.te
deleted file mode 100644
index b80ba29..0000000
--- a/prebuilts/api/27.0/public/hal_weaver.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_weaver_client, hal_weaver_server)
-
-add_hwservice(hal_weaver_server, hal_weaver_hwservice)
-allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_wifi.te b/prebuilts/api/27.0/public/hal_wifi.te
deleted file mode 100644
index a01805d..0000000
--- a/prebuilts/api/27.0/public/hal_wifi.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_wifi_client, hal_wifi_server)
-binder_call(hal_wifi_server, hal_wifi_client)
-
-add_hwservice(hal_wifi_server, hal_wifi_hwservice)
-allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
-
-r_dir_file(hal_wifi, proc_net)
-r_dir_file(hal_wifi, sysfs_type)
-
-set_prop(hal_wifi, wifi_prop)
-
-# allow hal wifi set interfaces up and down
-allow hal_wifi self:udp_socket create_socket_perms;
-allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
-
-allow hal_wifi self:capability { net_admin net_raw };
-# allow hal_wifi to speak to nl80211 in the kernel
-allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
-# hal_wifi writes firmware paths to this file.
-allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
-# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
-allow hal_wifi proc_modules:file { getattr open read };
diff --git a/prebuilts/api/27.0/public/hal_wifi_offload.te b/prebuilts/api/27.0/public/hal_wifi_offload.te
deleted file mode 100644
index dc0cf5a..0000000
--- a/prebuilts/api/27.0/public/hal_wifi_offload.te
+++ /dev/null
@@ -1,9 +0,0 @@
-## HwBinder IPC from client to server, and callbacks
-binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
-binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
-
-add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
-allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
-
-r_dir_file(hal_wifi_offload, proc_net)
-r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/prebuilts/api/27.0/public/hal_wifi_supplicant.te b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
deleted file mode 100644
index 028440c..0000000
--- a/prebuilts/api/27.0/public/hal_wifi_supplicant.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
-binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
-
-add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
-allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-
-# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
-allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(hal_wifi_supplicant, sysfs_type)
-r_dir_file(hal_wifi_supplicant, proc_net)
-
-allow hal_wifi_supplicant kernel:system module_request;
-allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
-allow hal_wifi_supplicant cgroup:dir create_dir_perms;
-allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
-allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:packet_socket create_socket_perms;
-allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
-allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
-
-# Create a socket for receiving info from wpa
-allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
-allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
-
-# Allow wpa_cli to work. wpa_cli creates a socket in
-# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
-userdebug_or_eng(`
- unix_socket_send(hal_wifi_supplicant, wpa, su)
-')
-
-###
-### neverallow rules
-###
-
-# wpa_supplicant should not trust any data from sdcards
-neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/prebuilts/api/27.0/public/healthd.te b/prebuilts/api/27.0/public/healthd.te
deleted file mode 100644
index c0a7bec..0000000
--- a/prebuilts/api/27.0/public/healthd.te
+++ /dev/null
@@ -1,63 +0,0 @@
-# healthd - battery/charger monitoring service daemon
-type healthd, domain;
-type healthd_exec, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow healthd kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(healthd, sysfs_type)
-r_dir_file(healthd, rootfs)
-r_dir_file(healthd, cgroup)
-
-# Read access to system files for passthrough HALs in
-# /{system,vendor,odm}/lib[64]/hw/
-r_dir_file(healthd, system_file)
-
-allow healthd self:capability { sys_tty_config };
-allow healthd self:capability sys_boot;
-
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-wakelock_use(healthd)
-
-binder_use(healthd)
-binder_service(healthd)
-binder_call(healthd, system_server)
-hal_client_domain(healthd, hal_health)
-
-# Write to state file.
-# TODO: Split into a separate type?
-allow healthd sysfs:file write;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow healthd sysfs_usb:file write;
-
-allow healthd sysfs_batteryinfo:file r_file_perms;
-
-r_dir_file(healthd, sysfs_type)
-
-###
-### healthd: charger mode
-###
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow healthd pstorefs:dir r_dir_perms;
-allow healthd pstorefs:file r_file_perms;
-
-allow healthd graphics_device:dir r_dir_perms;
-allow healthd graphics_device:chr_file rw_file_perms;
-allow healthd input_device:dir r_dir_perms;
-allow healthd input_device:chr_file r_file_perms;
-allow healthd tty_device:chr_file rw_file_perms;
-allow healthd ashmem_device:chr_file execute;
-allow healthd self:process execmem;
-allow healthd proc_sysrq:file rw_file_perms;
-
-add_service(healthd, batteryproperties_service)
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
diff --git a/prebuilts/api/27.0/public/hwservice.te b/prebuilts/api/27.0/public/hwservice.te
deleted file mode 100644
index 97b9b8d..0000000
--- a/prebuilts/api/27.0/public/hwservice.te
+++ /dev/null
@@ -1,52 +0,0 @@
-type default_android_hwservice, hwservice_manager_type;
-type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_audio_hwservice, hwservice_manager_type;
-type hal_bluetooth_hwservice, hwservice_manager_type;
-type hal_bootctl_hwservice, hwservice_manager_type;
-type hal_broadcastradio_hwservice, hwservice_manager_type;
-type hal_camera_hwservice, hwservice_manager_type;
-type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
-type hal_contexthub_hwservice, hwservice_manager_type;
-type hal_drm_hwservice, hwservice_manager_type;
-type hal_cas_hwservice, hwservice_manager_type;
-type hal_dumpstate_hwservice, hwservice_manager_type;
-type hal_fingerprint_hwservice, hwservice_manager_type;
-type hal_gatekeeper_hwservice, hwservice_manager_type;
-type hal_gnss_hwservice, hwservice_manager_type;
-type hal_graphics_allocator_hwservice, hwservice_manager_type;
-type hal_graphics_composer_hwservice, hwservice_manager_type;
-type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_health_hwservice, hwservice_manager_type;
-type hal_ir_hwservice, hwservice_manager_type;
-type hal_keymaster_hwservice, hwservice_manager_type;
-type hal_light_hwservice, hwservice_manager_type;
-type hal_memtrack_hwservice, hwservice_manager_type;
-type hal_neuralnetworks_hwservice, hwservice_manager_type;
-type hal_nfc_hwservice, hwservice_manager_type;
-type hal_oemlock_hwservice, hwservice_manager_type;
-type hal_omx_hwservice, hwservice_manager_type;
-type hal_power_hwservice, hwservice_manager_type;
-type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_sensors_hwservice, hwservice_manager_type;
-type hal_telephony_hwservice, hwservice_manager_type;
-type hal_tetheroffload_hwservice, hwservice_manager_type;
-type hal_thermal_hwservice, hwservice_manager_type;
-type hal_tv_cec_hwservice, hwservice_manager_type;
-type hal_tv_input_hwservice, hwservice_manager_type;
-type hal_usb_hwservice, hwservice_manager_type;
-type hal_vibrator_hwservice, hwservice_manager_type;
-type hal_vr_hwservice, hwservice_manager_type;
-type hal_weaver_hwservice, hwservice_manager_type;
-type hal_wifi_hwservice, hwservice_manager_type;
-type hal_wifi_offload_hwservice, hwservice_manager_type;
-type hal_wifi_supplicant_hwservice, hwservice_manager_type;
-type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
-type thermalcallback_hwservice, hwservice_manager_type;
diff --git a/prebuilts/api/27.0/public/hwservicemanager.te b/prebuilts/api/27.0/public/hwservicemanager.te
deleted file mode 100644
index 1ffd2a6..0000000
--- a/prebuilts/api/27.0/public/hwservicemanager.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# hwservicemanager - the Binder context manager for HAL services
-type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-set_prop(hwservicemanager, hwservicemanager_prop)
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
diff --git a/prebuilts/api/27.0/public/idmap.te b/prebuilts/api/27.0/public/idmap.te
deleted file mode 100644
index 1c32f8f..0000000
--- a/prebuilts/api/27.0/public/idmap.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# idmap, when executed by installd
-type idmap, domain;
-type idmap_exec, exec_type, file_type;
-
-# Use open file to /data/resource-cache file inherited from installd.
-allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
-
-# Open and read from target and overlay apk files passed by argument.
-allow idmap apk_data_file:file r_file_perms;
-allow idmap apk_data_file:dir search;
-
-# Allow apps access to /vendor/app
-r_dir_file(idmap, vendor_app_file)
-
-# Allow apps access to /vendor/overlay
-r_dir_file(idmap, vendor_overlay_file)
diff --git a/prebuilts/api/27.0/public/incident.te b/prebuilts/api/27.0/public/incident.te
deleted file mode 100644
index ce57bf6..0000000
--- a/prebuilts/api/27.0/public/incident.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# The incident command is used to call into the incidentd service to
-# take an incident report (binary, shared bugreport), download incident
-# reports that have already been taken, and monitor for new ones.
-# It doesn't do anything else.
-
-# incident
-type incident, domain;
-
diff --git a/prebuilts/api/27.0/public/incidentd.te b/prebuilts/api/27.0/public/incidentd.te
deleted file mode 100644
index b03249c..0000000
--- a/prebuilts/api/27.0/public/incidentd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# incidentd
-type incidentd, domain;
-
diff --git a/prebuilts/api/27.0/public/init.te b/prebuilts/api/27.0/public/init.te
deleted file mode 100644
index e6162a9..0000000
--- a/prebuilts/api/27.0/public/init.te
+++ /dev/null
@@ -1,434 +0,0 @@
-# init is its own domain.
-type init, domain, mlstrustedsubject;
-
-# The init domain is entered by execing init.
-type init_exec, exec_type, file_type;
-
-# /dev/__null__ node created by init.
-allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-
-#
-# init direct restorecon calls.
-#
-# /dev/kmsg
-allow init tmpfs:chr_file relabelfrom;
-allow init kmsg_device:chr_file { write relabelto };
-# /dev/kmsg_debug
-userdebug_or_eng(`
- allow init kmsg_debug_device:chr_file { write relabelto };
-')
-# /dev/__properties__
-allow init properties_device:dir relabelto;
-allow init properties_serial:file { write relabelto };
-allow init property_type:file { create_file_perms relabelto };
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto };
-# /dev/socket
-allow init { device socket_device }:dir relabelto;
-# /dev/random, /dev/urandom
-allow init random_device:chr_file relabelto;
-# /dev/device-mapper, /dev/block(/.*)?
-allow init tmpfs:{ chr_file blk_file } relabelfrom;
-allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file lnk_file } relabelto;
-allow init dm_device:{ chr_file blk_file } relabelto;
-allow init kernel:fd use;
-# restorecon for early mount device symlinks
-allow init tmpfs:lnk_file { getattr read relabelfrom };
-allow init system_block_device:{ blk_file lnk_file } relabelto;
-
-# setrlimit
-allow init self:capability sys_resource;
-
-# Remove /dev/.booting, created before initial policy load or restorecon /dev.
-allow init tmpfs:file unlink;
-
-# Access pty created for fsck.
-allow init devpts:chr_file { read write open };
-
-# Create /dev/fscklogs files.
-allow init fscklogs:file create_file_perms;
-
-# Access /dev/__null__ node created prior to initial policy load.
-allow init tmpfs:chr_file write;
-
-# Access /dev/console.
-allow init console_device:chr_file rw_file_perms;
-
-# Access /dev/tty0.
-allow init tty_device:chr_file rw_file_perms;
-
-# Call mount(2).
-allow init self:capability sys_admin;
-
-# Create and mount on directories in /.
-allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
-
-# Mount on /dev/usb-ffs/adb.
-allow init device:dir mounton;
-
-# Create and remove symlinks in /.
-allow init rootfs:lnk_file { create unlink };
-
-# Mount debugfs on /sys/kernel/debug.
-allow init sysfs:dir mounton;
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow init tmpfs:dir create_dir_perms;
-allow init tmpfs:dir mounton;
-allow init cgroup:dir create_dir_perms;
-r_dir_file(init, cgroup)
-allow init cpuctl_device:dir { create mounton };
-
-# /config
-allow init configfs:dir mounton;
-allow init configfs:dir create_dir_perms;
-allow init configfs:{ file lnk_file } create_file_perms;
-
-# Use tmpfs as /data, used for booting when /data is encrypted
-allow init tmpfs:dir relabelfrom;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:capability dac_override;
-
-# Set system clock.
-allow init self:capability sys_time;
-
-allow init self:capability { sys_rawio mknod };
-
-# Mounting filesystems from block devices.
-allow init dev_type:blk_file r_file_perms;
-
-# Mounting filesystems.
-# Only allow relabelto for types used in context= mount options,
-# which should all be assigned the contextmount_type attribute.
-# This can be done in device-specific policy via type or typeattribute
-# declarations.
-allow init fs_type:filesystem ~relabelto;
-allow init unlabeled:filesystem ~relabelto;
-allow init contextmount_type:filesystem relabelto;
-
-# Allow read-only access to context= mounted filesystems.
-allow init contextmount_type:dir r_dir_perms;
-allow init contextmount_type:notdevfile_class_set r_file_perms;
-
-# restorecon /adb_keys or any other rootfs files and directories to a more
-# specific type.
-allow init rootfs:{ dir file } relabelfrom;
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow init self:capability { chown fowner fsetid };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -misc_logd_file
- -system_app_data_file
- -system_file
- -vendor_file_type
-}:dir { create search getattr open read setattr ioctl };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow init {
- file_type
- -app_data_file
- -runtime_event_log_tags_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:file { create getattr open read write setattr relabelfrom unlink };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -keystore_data_file
- -misc_logd_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -vendor_file_type
- -vold_data_file
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow init cache_file:lnk_file r_file_perms;
-
-allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
-allow init dev_type:dir create_dir_perms;
-allow init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init debugfs_tracing:file w_file_perms;
-
-# Setup and control wifi event tracing (see wifi-events.rc)
-allow init debugfs_tracing_instances:dir create_dir_perms;
-allow init debugfs_tracing_instances:file w_file_perms;
-allow init debugfs_wifi_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
-
-# init should not be able to read or open generic devices
-# TODO: auditing to see if this can be deleted entirely
-allow init {
- dev_type
- -kmem_device
- -port_device
- -device
- -vndbinder_device
- }:chr_file { read open };
-auditallow init {
- dev_type
- -alarm_device
- -ashmem_device
- -binder_device
- -console_device
- -device
- -devpts
- -dm_device
- -hwbinder_device
- -hw_random_device
- -keychord_device
- -kmem_device
- -kmsg_device
- -null_device
- -owntty_device
- -port_device
- -ptmx_device
- -random_device
- -zero_device
-}:chr_file { read open };
-
-# chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file setattr;
-
-# Unlabeled file access for upgrades from 4.2.
-allow init unlabeled:dir { create_dir_perms relabelfrom };
-allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-
-# Any operation that can modify the kernel ring buffer, e.g. clear
-# or a read that consumes the messages that were read.
-allow init kernel:system syslog_mod;
-allow init self:capability2 syslog;
-
-# Set usermodehelpers and /proc security settings.
-allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
-allow init proc_security:file rw_file_perms;
-
-# Write to /proc/sys/kernel/panic_on_oops.
-r_dir_file(init, proc)
-allow init proc:file w_file_perms;
-
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(init, proc_net)
-allow init proc_net:file w_file_perms;
-allow init self:capability net_admin;
-
-# Write to /proc/sysrq-trigger.
-allow init proc_sysrq:file w_file_perms;
-
-# Read /proc/stat for bootchart.
-allow init proc_stat:file r_file_perms;
-
-# Reboot.
-allow init self:capability sys_boot;
-
-# Write to sysfs nodes.
-allow init sysfs_type:dir r_dir_perms;
-allow init sysfs_type:lnk_file read;
-allow init sysfs_type:file rw_file_perms;
-
-# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
-# Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
-allow init misc_logd_file:file { open create getattr setattr write };
-
-# Support "adb shell stop"
-allow init self:capability kill;
-allow init domain:process { getpgid sigkill signal };
-
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
-# Init creates vold's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init vold_data_file:dir { open create read getattr setattr search };
-allow init vold_data_file:file { getattr };
-
-# Init creates /data/local/tmp at boot
-allow init shell_data_file:dir { open create read getattr setattr search };
-allow init shell_data_file:file { getattr };
-
-# Set UID, GID, and adjust capability bounding set for services.
-allow init self:capability { setuid setgid setpcap };
-
-# For bootchart to read the /proc/$pid/cmdline file of each process,
-# we need to have following line to allow init to have access
-# to different domains.
-r_dir_file(init, domain)
-
-# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
-# setexec is for services with seclabel options.
-# setfscreate is for labeling directories and socket files.
-# setsockcreate is for labeling local/unix domain sockets.
-allow init self:process { setexec setfscreate setsockcreate };
-
-# Get file context
-allow init file_contexts_file:file r_file_perms;
-
-# sepolicy access
-allow init sepolicy_file:file r_file_perms;
-
-# Perform SELinux access checks on setting properties.
-selinux_check_access(init)
-
-# Ask the kernel for the new context on services to label their sockets.
-allow init kernel:security compute_create;
-
-# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind setopt };
-allow init domain:unix_dgram_socket { create bind setopt };
-
-# Create /data/property and files within it.
-allow init property_data_file:dir create_dir_perms;
-allow init property_data_file:file create_file_perms;
-
-# Set any property.
-allow init property_type:property_service set;
-
-# Send an SELinux userspace denial to the kernel audit subsystem,
-# so it can be picked up and processed by logd. These denials are
-# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:capability audit_write;
-
-# Run "ifup lo" to bring up the localhost interface
-allow init self:udp_socket { create ioctl };
-# in addition to unpriv ioctls granted to all domains, init also needs:
-allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:capability net_raw;
-
-# This line seems suspect, as it should not really need to
-# set scheduling parameters for a kernel domain task.
-allow init kernel:process setsched;
-
-# swapon() needs write access to swap device
-# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
-allow init swap_block_device:blk_file rw_file_perms;
-
-# Read from /dev/hw_random if present.
-# system/core/init/init.c - mix_hwrng_into_linux_rng_action
-allow init hw_random_device:chr_file r_file_perms;
-
-# Create and access /dev files without a specific type,
-# e.g. /dev/.coldboot_done, /dev/.booting
-# TODO: Move these files into their own type unless they are
-# only ever accessed by init.
-allow init device:file create_file_perms;
-
-# keychord configuration
-allow init self:capability sys_tty_config;
-allow init keychord_device:chr_file rw_file_perms;
-
-# Access device mapper for setting up dm-verity
-allow init dm_device:chr_file rw_file_perms;
-allow init dm_device:blk_file rw_file_perms;
-
-# Access metadata block device for storing dm-verity state
-allow init metadata_block_device:blk_file rw_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops to detect restarts caused
-# by dm-verity detecting corrupted blocks
-allow init pstorefs:dir search;
-allow init pstorefs:file r_file_perms;
-allow init kernel:system syslog_read;
-
-# linux keyring configuration
-allow init init:key { write search setattr };
-
-# Allow init to create /data/unencrypted
-allow init unencrypted_data_file:dir create_dir_perms;
-
-# Allow init to write to /proc/sys/vm/overcommit_memory
-allow init proc_overcommit_memory:file { write };
-
-unix_socket_connect(init, vold, vold)
-
-# Raw writes to misc block device
-allow init misc_block_device:blk_file w_file_perms;
-
-r_dir_file(init, system_file)
-r_dir_file(init, vendor_file_type)
-allow init proc_meminfo:file r_file_perms;
-
-allow init system_data_file:file { getattr read };
-allow init system_data_file:lnk_file r_file_perms;
-
-# For init to be able to run shell scripts from vendor
-allow init vendor_shell_exec:file execute;
-
-###
-### neverallow rules
-###
-
-# The init domain is only entered via an exec based transition from the
-# kernel domain, never via setcon().
-neverallow domain init:process dyntransition;
-neverallow { domain -kernel } init:process transition;
-neverallow init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow init shell_data_file:lnk_file read;
-neverallow init app_data_file:lnk_file read;
-
-# init should never execute a program without changing to another domain.
-neverallow init { file_type fs_type }:file execute_no_trans;
-
-# Init never adds or uses services via service_manager.
-neverallow init service_manager_type:service_manager { add find };
-neverallow init servicemanager:service_manager list;
-
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow init shell_data_file:dir { write add_name remove_name };
diff --git a/prebuilts/api/27.0/public/inputflinger.te b/prebuilts/api/27.0/public/inputflinger.te
deleted file mode 100644
index e5f12a0..0000000
--- a/prebuilts/api/27.0/public/inputflinger.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# inputflinger
-type inputflinger, domain;
-type inputflinger_exec, exec_type, file_type;
-
-binder_use(inputflinger)
-binder_service(inputflinger)
-
-binder_call(inputflinger, system_server)
-
-wakelock_use(inputflinger)
-
-add_service(inputflinger, inputflinger_service)
-allow inputflinger input_device:dir r_dir_perms;
-allow inputflinger input_device:chr_file rw_file_perms;
-
-r_dir_file(inputflinger, cgroup)
diff --git a/prebuilts/api/27.0/public/install_recovery.te b/prebuilts/api/27.0/public/install_recovery.te
deleted file mode 100644
index 2115663..0000000
--- a/prebuilts/api/27.0/public/install_recovery.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# service flash_recovery in init.rc
-type install_recovery, domain;
-type install_recovery_exec, exec_type, file_type;
-
-allow install_recovery self:capability dac_override;
-
-# /system/bin/install-recovery.sh is a shell script.
-# Needs to execute /system/bin/sh
-allow install_recovery shell_exec:file rx_file_perms;
-
-# Execute /system/bin/applypatch
-allow install_recovery system_file:file rx_file_perms;
-not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
-
-allow install_recovery toolbox_exec:file rx_file_perms;
-
-# Update the recovery block device based off a diff of the boot block device
-allow install_recovery block_device:dir search;
-allow install_recovery boot_block_device:blk_file r_file_perms;
-allow install_recovery recovery_block_device:blk_file rw_file_perms;
-
-# Create and delete /cache/saved.file
-allow install_recovery cache_file:dir rw_dir_perms;
-allow install_recovery cache_file:file create_file_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/prebuilts/api/27.0/public/installd.te b/prebuilts/api/27.0/public/installd.te
deleted file mode 100644
index 939a481..0000000
--- a/prebuilts/api/27.0/public/installd.te
+++ /dev/null
@@ -1,159 +0,0 @@
-# installer daemon
-type installd, domain;
-type installd_exec, exec_type, file_type;
-typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
-
-# Allow labeling of files under /data/app/com.example/oat/
-allow installd dalvikcache_data_file:dir relabelto;
-allow installd dalvikcache_data_file:file { relabelto link };
-
-# Allow movement of APK files between volumes
-allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-
-allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file { r_file_perms unlink };
-allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
-allow installd oemfs:dir r_dir_perms;
-allow installd oemfs:file r_file_perms;
-allow installd cgroup:dir create_dir_perms;
-allow installd cgroup:{ file lnk_file } create_file_perms;
-allow installd mnt_expand_file:dir { search getattr };
-# Check validity of SELinux context before use.
-selinux_check_context(installd)
-
-r_dir_file(installd, rootfs)
-# Scan through APKs in /system/app and /system/priv-app
-r_dir_file(installd, system_file)
-# Scan through APKs in /vendor/app
-r_dir_file(installd, vendor_app_file)
-# Scan through Runtime Resource Overlay APKs in /vendor/overlay
-r_dir_file(installd, vendor_overlay_file)
-# Get file context
-allow installd file_contexts_file:file r_file_perms;
-# Get seapp_context
-allow installd seapp_contexts_file:file r_file_perms;
-
-# Search /data/app-asec and stat files in it.
-allow installd asec_image_file:dir search;
-allow installd asec_image_file:file getattr;
-
-# Create /data/user and /data/user/0 if necessary.
-# Also required to initially create /data/data subdirectories
-# and lib symlinks before the setfilecon call. May want to
-# move symlink creation after setfilecon in installd.
-allow installd system_data_file:dir create_dir_perms;
-allow installd system_data_file:lnk_file { create setattr unlink };
-
-# Upgrade /data/media for multi-user if necessary.
-allow installd media_rw_data_file:dir create_dir_perms;
-allow installd media_rw_data_file:file { getattr unlink };
-# restorecon new /data/media directory.
-allow installd system_data_file:dir relabelfrom;
-allow installd media_rw_data_file:dir relabelto;
-
-# Delete /data/media files through sdcardfs, instead of going behind its back
-allow installd tmpfs:dir r_dir_perms;
-allow installd storage_file:dir search;
-allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
-allow installd sdcardfs:file { getattr unlink };
-
-# Upgrade /data/misc/keychain for multi-user if necessary.
-allow installd misc_user_data_file:dir create_dir_perms;
-allow installd misc_user_data_file:file create_file_perms;
-allow installd keychain_data_file:dir create_dir_perms;
-allow installd keychain_data_file:file {r_file_perms unlink};
-
-# Create /data/.layout_version.* file
-allow installd install_data_file:file create_file_perms;
-
-# Create files under /data/dalvik-cache.
-allow installd dalvikcache_data_file:dir create_dir_perms;
-allow installd dalvikcache_data_file:file create_file_perms;
-allow installd dalvikcache_data_file:lnk_file getattr;
-
-# Create files under /data/resource-cache.
-allow installd resourcecache_data_file:dir rw_dir_perms;
-allow installd resourcecache_data_file:file create_file_perms;
-
-# Upgrade from unlabeled userdata.
-# Just need enough to remove and/or relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
-# Read pkg.apk file for input during dexopt.
-allow installd unlabeled:file r_file_perms;
-
-# Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it and to unlink removed package files.
-# Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
-
-# Manage /data/data subdirectories, including initially labeling them
-# upon creation via setfilecon or running restorecon_recursive,
-# setting owner/mode, creating symlinks within them, and deleting them
-# upon package uninstall.
-# Types extracted from seapp_contexts type= fields.
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
-}:dir { create_dir_perms relabelfrom relabelto };
-
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
-}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
-
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_data_file:dir create_dir_perms;
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:dir rmdir;
-allow installd user_profile_data_file:file unlink;
-
-# Files created/updated by profman dumps.
-allow installd profman_dump_data_file:dir { search add_name write };
-allow installd profman_dump_data_file:file { create setattr open write };
-
-# Create and use pty created by android_fork_execvp().
-allow installd devpts:chr_file rw_file_perms;
-
-# execute toybox for app relocation
-allow installd toolbox_exec:file rx_file_perms;
-
-# Allow installd to publish a binder service and make binder calls.
-binder_use(installd)
-add_service(installd, installd_service)
-allow installd dumpstate:fifo_file { getattr write };
-
-# Allow installd to call into the system server so it can check permissions.
-binder_call(installd, system_server)
-allow installd permission_service:service_manager find;
-
-# Allow installd to read and write quotas
-allow installd block_device:dir { search };
-allow installd labeledfs:filesystem { quotaget quotamod };
-
-# Allow installd to delete from /data/preloads when trimming data caches
-# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
-allow installd preloads_data_file:file { r_file_perms unlink };
-allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow installd preloads_media_file:file { r_file_perms unlink };
-allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-###
-### Neverallow rules
-###
-
-# only system_server, installd and dumpstate may interact with installd over binder
-neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
-neverallow { domain -system_server -dumpstate } installd:binder call;
-neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/prebuilts/api/27.0/public/ioctl_defines b/prebuilts/api/27.0/public/ioctl_defines
deleted file mode 100644
index a1cd0b9..0000000
--- a/prebuilts/api/27.0/public/ioctl_defines
+++ /dev/null
@@ -1,2694 +0,0 @@
-define(`FIBMAP', `0x00000001')
-define(`FIGETBSZ', `0x00000002')
-define(`FDCLRPRM', `0x00000241')
-define(`FDMSGON', `0x00000245')
-define(`FDMSGOFF', `0x00000246')
-define(`FDFMTBEG', `0x00000247')
-define(`FDFMTEND', `0x00000249')
-define(`FDSETEMSGTRESH', `0x0000024a')
-define(`FDFLUSH', `0x0000024b')
-define(`FDRESET', `0x00000254')
-define(`FDWERRORCLR', `0x00000256')
-define(`FDRAWCMD', `0x00000258')
-define(`FDTWADDLE', `0x00000259')
-define(`FDEJECT', `0x0000025a')
-define(`HDIO_GETGEO', `0x00000301')
-define(`HDIO_GET_UNMASKINTR', `0x00000302')
-define(`HDIO_GET_MULTCOUNT', `0x00000304')
-define(`HDIO_GET_QDMA', `0x00000305')
-define(`HDIO_SET_XFER', `0x00000306')
-define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
-define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
-define(`HDIO_GET_32BIT', `0x00000309')
-define(`HDIO_GET_NOWERR', `0x0000030a')
-define(`HDIO_GET_DMA', `0x0000030b')
-define(`HDIO_GET_NICE', `0x0000030c')
-define(`HDIO_GET_IDENTITY', `0x0000030d')
-define(`HDIO_GET_WCACHE', `0x0000030e')
-define(`HDIO_GET_ACOUSTIC', `0x0000030f')
-define(`HDIO_GET_ADDRESS', `0x00000310')
-define(`HDIO_GET_BUSSTATE', `0x0000031a')
-define(`HDIO_TRISTATE_HWIF', `0x0000031b')
-define(`HDIO_DRIVE_RESET', `0x0000031c')
-define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
-define(`HDIO_DRIVE_TASK', `0x0000031e')
-define(`HDIO_DRIVE_CMD', `0x0000031f')
-define(`HDIO_SET_MULTCOUNT', `0x00000321')
-define(`HDIO_SET_UNMASKINTR', `0x00000322')
-define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
-define(`HDIO_SET_32BIT', `0x00000324')
-define(`HDIO_SET_NOWERR', `0x00000325')
-define(`HDIO_SET_DMA', `0x00000326')
-define(`HDIO_SET_PIO_MODE', `0x00000327')
-define(`HDIO_SCAN_HWIF', `0x00000328')
-define(`HDIO_SET_NICE', `0x00000329')
-define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
-define(`HDIO_SET_WCACHE', `0x0000032b')
-define(`HDIO_SET_ACOUSTIC', `0x0000032c')
-define(`HDIO_SET_BUSSTATE', `0x0000032d')
-define(`HDIO_SET_QDMA', `0x0000032e')
-define(`HDIO_SET_ADDRESS', `0x0000032f')
-define(`IOCTL_VMCI_VERSION', `0x0000079f')
-define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
-define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
-define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
-define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
-define(`IOCTL_VMCI_VERSION2', `0x000007a7')
-define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
-define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
-define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
-define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
-define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
-define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
-define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
-define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
-define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
-define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
-define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
-define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
-define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
-define(`RAID_AUTORUN', `0x00000914')
-define(`CLEAR_ARRAY', `0x00000920')
-define(`HOT_REMOVE_DISK', `0x00000922')
-define(`SET_DISK_INFO', `0x00000924')
-define(`WRITE_RAID_INFO', `0x00000925')
-define(`UNPROTECT_ARRAY', `0x00000926')
-define(`PROTECT_ARRAY', `0x00000927')
-define(`HOT_ADD_DISK', `0x00000928')
-define(`SET_DISK_FAULTY', `0x00000929')
-define(`HOT_GENERATE_ERROR', `0x0000092a')
-define(`STOP_ARRAY', `0x00000932')
-define(`STOP_ARRAY_RO', `0x00000933')
-define(`RESTART_ARRAY_RW', `0x00000934')
-define(`BLKROSET', `0x0000125d')
-define(`BLKROGET', `0x0000125e')
-define(`BLKRRPART', `0x0000125f')
-define(`BLKGETSIZE', `0x00001260')
-define(`BLKFLSBUF', `0x00001261')
-define(`BLKRASET', `0x00001262')
-define(`BLKRAGET', `0x00001263')
-define(`BLKFRASET', `0x00001264')
-define(`BLKFRAGET', `0x00001265')
-define(`BLKSECTSET', `0x00001266')
-define(`BLKSECTGET', `0x00001267')
-define(`BLKSSZGET', `0x00001268')
-define(`BLKPG', `0x00001269')
-define(`BLKTRACESTART', `0x00001274')
-define(`BLKTRACESTOP', `0x00001275')
-define(`BLKTRACETEARDOWN', `0x00001276')
-define(`BLKDISCARD', `0x00001277')
-define(`BLKIOMIN', `0x00001278')
-define(`BLKIOOPT', `0x00001279')
-define(`BLKALIGNOFF', `0x0000127a')
-define(`BLKPBSZGET', `0x0000127b')
-define(`BLKDISCARDZEROES', `0x0000127c')
-define(`BLKSECDISCARD', `0x0000127d')
-define(`BLKROTATIONAL', `0x0000127e')
-define(`BLKZEROOUT', `0x0000127f')
-define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
-define(`SG_SET_TIMEOUT', `0x00002201')
-define(`SG_GET_TIMEOUT', `0x00002202')
-define(`SG_EMULATED_HOST', `0x00002203')
-define(`SG_SET_TRANSFORM', `0x00002204')
-define(`SG_GET_TRANSFORM', `0x00002205')
-define(`SG_GET_COMMAND_Q', `0x00002270')
-define(`SG_SET_COMMAND_Q', `0x00002271')
-define(`SG_GET_RESERVED_SIZE', `0x00002272')
-define(`SG_SET_RESERVED_SIZE', `0x00002275')
-define(`SG_GET_SCSI_ID', `0x00002276')
-define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
-define(`SG_GET_LOW_DMA', `0x0000227a')
-define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
-define(`SG_GET_PACK_ID', `0x0000227c')
-define(`SG_GET_NUM_WAITING', `0x0000227d')
-define(`SG_SET_DEBUG', `0x0000227e')
-define(`SG_GET_SG_TABLESIZE', `0x0000227f')
-define(`SG_GET_VERSION_NUM', `0x00002282')
-define(`SG_NEXT_CMD_LEN', `0x00002283')
-define(`SG_SCSI_RESET', `0x00002284')
-define(`SG_IO', `0x00002285')
-define(`SG_GET_REQUEST_TABLE', `0x00002286')
-define(`SG_SET_KEEP_ORPHAN', `0x00002287')
-define(`SG_GET_KEEP_ORPHAN', `0x00002288')
-define(`SG_GET_ACCESS_COUNT', `0x00002289')
-define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
-define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
-define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
-define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
-define(`PERF_EVENT_IOC_RESET', `0x00002403')
-define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
-define(`SNAPSHOT_FREEZE', `0x00003301')
-define(`SNAPSHOT_UNFREEZE', `0x00003302')
-define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
-define(`SNAPSHOT_FREE', `0x00003305')
-define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
-define(`SNAPSHOT_S2RAM', `0x0000330b')
-define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
-define(`SNAPSHOT_POWER_OFF', `0x00003310')
-define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
-define(`VFIO_GET_API_VERSION', `0x00003b64')
-define(`VFIO_CHECK_EXTENSION', `0x00003b65')
-define(`VFIO_SET_IOMMU', `0x00003b66')
-define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
-define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
-define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
-define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
-define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
-define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
-define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
-define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
-define(`VFIO_DEVICE_RESET', `0x00003b6f')
-define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
-define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
-define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
-define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
-define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
-define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
-define(`VFIO_IOMMU_ENABLE', `0x00003b73')
-define(`VFIO_IOMMU_DISABLE', `0x00003b74')
-define(`VFIO_EEH_PE_OP', `0x00003b79')
-define(`AGPIOC_ACQUIRE', `0x00004101')
-define(`APM_IOC_STANDBY', `0x00004101')
-define(`AGPIOC_RELEASE', `0x00004102')
-define(`APM_IOC_SUSPEND', `0x00004102')
-define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
-define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
-define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
-define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
-define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
-define(`SNDRV_PCM_IOCTL_START', `0x00004142')
-define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
-define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
-define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
-define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
-define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
-define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
-define(`PMU_IOC_SLEEP', `0x00004200')
-define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
-define(`CCISS_REVALIDVOLS', `0x0000420a')
-define(`CCISS_DEREGDISK', `0x0000420c')
-define(`CCISS_REGNEWD', `0x0000420e')
-define(`CCISS_RESCANDISK', `0x00004210')
-define(`SNDCTL_COPR_RESET', `0x00004300')
-define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
-define(`SNDRV_COMPRESS_RESUME', `0x00004331')
-define(`SNDRV_COMPRESS_START', `0x00004332')
-define(`SNDRV_COMPRESS_STOP', `0x00004333')
-define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
-define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
-define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
-define(`IOCTL_EVTCHN_RESET', `0x00004505')
-define(`FBIOGET_VSCREENINFO', `0x00004600')
-define(`FBIOPUT_VSCREENINFO', `0x00004601')
-define(`FBIOGET_FSCREENINFO', `0x00004602')
-define(`FBIOGETCMAP', `0x00004604')
-define(`FBIOPUTCMAP', `0x00004605')
-define(`FBIOPAN_DISPLAY', `0x00004606')
-define(`FBIOGET_CON2FBMAP', `0x0000460f')
-define(`FBIOPUT_CON2FBMAP', `0x00004610')
-define(`FBIOBLANK', `0x00004611')
-define(`FBIO_ALLOC', `0x00004613')
-define(`FBIO_FREE', `0x00004614')
-define(`FBIOGET_GLYPH', `0x00004615')
-define(`FBIOGET_HWCINFO', `0x00004616')
-define(`FBIOPUT_MODEINFO', `0x00004617')
-define(`FBIOGET_DISPINFO', `0x00004618')
-define(`FBIO_WAITEVENT', `0x00004688')
-define(`GSMIOC_DISABLE_NET', `0x00004703')
-define(`HIDIOCAPPLICATION', `0x00004802')
-define(`HIDIOCINITREPORT', `0x00004805')
-define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
-define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
-define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
-define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
-define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
-define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
-define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
-define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
-define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
-define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
-define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
-define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
-define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
-define(`IIOCNETAIF', `0x00004901')
-define(`IIOCNETDIF', `0x00004902')
-define(`IIOCNETSCF', `0x00004903')
-define(`IIOCNETGCF', `0x00004904')
-define(`IIOCNETANM', `0x00004905')
-define(`IIOCNETDNM', `0x00004906')
-define(`IIOCNETGNM', `0x00004907')
-define(`IIOCGETSET', `0x00004908')
-define(`IIOCSETSET', `0x00004909')
-define(`IIOCSETVER', `0x0000490a')
-define(`IIOCNETHUP', `0x0000490b')
-define(`IIOCSETGST', `0x0000490c')
-define(`IIOCSETBRJ', `0x0000490d')
-define(`IIOCSIGPRF', `0x0000490e')
-define(`IIOCGETPRF', `0x0000490f')
-define(`IIOCSETPRF', `0x00004910')
-define(`IIOCGETMAP', `0x00004911')
-define(`IIOCSETMAP', `0x00004912')
-define(`IIOCNETASL', `0x00004913')
-define(`IIOCNETDIL', `0x00004914')
-define(`IIOCGETCPS', `0x00004915')
-define(`IIOCGETDVR', `0x00004916')
-define(`IIOCNETLCR', `0x00004917')
-define(`IIOCNETDWRSET', `0x00004918')
-define(`IIOCNETALN', `0x00004920')
-define(`IIOCNETDLN', `0x00004921')
-define(`IIOCNETGPN', `0x00004922')
-define(`IIOCDBGVAR', `0x0000497f')
-define(`IIOCDRVCTL', `0x00004980')
-define(`ION_IOC_TEST_SET_FD', `0x000049f0')
-define(`KIOCSOUND', `0x00004b2f')
-define(`KDMKTONE', `0x00004b30')
-define(`KDGETLED', `0x00004b31')
-define(`KDSETLED', `0x00004b32')
-define(`KDGKBTYPE', `0x00004b33')
-define(`KDADDIO', `0x00004b34')
-define(`KDDELIO', `0x00004b35')
-define(`KDENABIO', `0x00004b36')
-define(`KDDISABIO', `0x00004b37')
-define(`KDSETMODE', `0x00004b3a')
-define(`KDGETMODE', `0x00004b3b')
-define(`KDMAPDISP', `0x00004b3c')
-define(`KDUNMAPDISP', `0x00004b3d')
-define(`GIO_SCRNMAP', `0x00004b40')
-define(`PIO_SCRNMAP', `0x00004b41')
-define(`KDGKBMODE', `0x00004b44')
-define(`KDSKBMODE', `0x00004b45')
-define(`KDGKBENT', `0x00004b46')
-define(`KDSKBENT', `0x00004b47')
-define(`KDGKBSENT', `0x00004b48')
-define(`KDSKBSENT', `0x00004b49')
-define(`KDGKBDIACR', `0x00004b4a')
-define(`KDSKBDIACR', `0x00004b4b')
-define(`KDGETKEYCODE', `0x00004b4c')
-define(`KDSETKEYCODE', `0x00004b4d')
-define(`KDSIGACCEPT', `0x00004b4e')
-define(`KDKBDREP', `0x00004b52')
-define(`GIO_FONT', `0x00004b60')
-define(`PIO_FONT', `0x00004b61')
-define(`KDGKBMETA', `0x00004b62')
-define(`KDSKBMETA', `0x00004b63')
-define(`KDGKBLED', `0x00004b64')
-define(`KDSKBLED', `0x00004b65')
-define(`GIO_UNIMAP', `0x00004b66')
-define(`PIO_UNIMAP', `0x00004b67')
-define(`PIO_UNIMAPCLR', `0x00004b68')
-define(`GIO_UNISCRNMAP', `0x00004b69')
-define(`PIO_UNISCRNMAP', `0x00004b6a')
-define(`GIO_FONTX', `0x00004b6b')
-define(`PIO_FONTX', `0x00004b6c')
-define(`PIO_FONTRESET', `0x00004b6d')
-define(`GIO_CMAP', `0x00004b70')
-define(`PIO_CMAP', `0x00004b71')
-define(`KDFONTOP', `0x00004b72')
-define(`KDGKBDIACRUC', `0x00004bfa')
-define(`KDSKBDIACRUC', `0x00004bfb')
-define(`LOOP_SET_FD', `0x00004c00')
-define(`LOOP_CLR_FD', `0x00004c01')
-define(`LOOP_SET_STATUS', `0x00004c02')
-define(`LOOP_GET_STATUS', `0x00004c03')
-define(`LOOP_SET_STATUS64', `0x00004c04')
-define(`LOOP_GET_STATUS64', `0x00004c05')
-define(`LOOP_CHANGE_FD', `0x00004c06')
-define(`LOOP_SET_CAPACITY', `0x00004c07')
-define(`LOOP_CTL_ADD', `0x00004c80')
-define(`LOOP_CTL_REMOVE', `0x00004c81')
-define(`LOOP_CTL_GET_FREE', `0x00004c82')
-define(`MTDFILEMODE', `0x00004d13')
-define(`NVME_IOCTL_ID', `0x00004e40')
-define(`UBI_IOCVOLRMBLK', `0x00004f08')
-define(`OMAPFB_SYNC_GFX', `0x00004f25')
-define(`OMAPFB_VSYNC', `0x00004f26')
-define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
-define(`OMAPFB_WAITFORGO', `0x00004f3c')
-define(`SNDCTL_DSP_RESET', `0x00005000')
-define(`SNDCTL_DSP_SYNC', `0x00005001')
-define(`SNDCTL_DSP_POST', `0x00005008')
-define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
-define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
-define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
-define(`SNDCTL_SEQ_RESET', `0x00005100')
-define(`SNDCTL_SEQ_SYNC', `0x00005101')
-define(`SNDCTL_SEQ_PANIC', `0x00005111')
-define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
-define(`RNDZAPENTCNT', `0x00005204')
-define(`RNDCLEARPOOL', `0x00005206')
-define(`CDROMPAUSE', `0x00005301')
-define(`CDROMRESUME', `0x00005302')
-define(`CDROMPLAYMSF', `0x00005303')
-define(`CDROMPLAYTRKIND', `0x00005304')
-define(`CDROMREADTOCHDR', `0x00005305')
-define(`CDROMREADTOCENTRY', `0x00005306')
-define(`CDROMSTOP', `0x00005307')
-define(`CDROMSTART', `0x00005308')
-define(`CDROMEJECT', `0x00005309')
-define(`CDROMVOLCTRL', `0x0000530a')
-define(`CDROMSUBCHNL', `0x0000530b')
-define(`CDROMREADMODE2', `0x0000530c')
-define(`CDROMREADMODE1', `0x0000530d')
-define(`CDROMREADAUDIO', `0x0000530e')
-define(`CDROMEJECT_SW', `0x0000530f')
-define(`CDROMMULTISESSION', `0x00005310')
-define(`CDROM_GET_MCN', `0x00005311')
-define(`CDROMRESET', `0x00005312')
-define(`CDROMVOLREAD', `0x00005313')
-define(`CDROMREADRAW', `0x00005314')
-define(`CDROMREADCOOKED', `0x00005315')
-define(`CDROMSEEK', `0x00005316')
-define(`CDROMPLAYBLK', `0x00005317')
-define(`CDROMREADALL', `0x00005318')
-define(`CDROMCLOSETRAY', `0x00005319')
-define(`CDROMGETSPINDOWN', `0x0000531d')
-define(`CDROMSETSPINDOWN', `0x0000531e')
-define(`CDROM_SET_OPTIONS', `0x00005320')
-define(`CDROM_CLEAR_OPTIONS', `0x00005321')
-define(`CDROM_SELECT_SPEED', `0x00005322')
-define(`CDROM_SELECT_DISC', `0x00005323')
-define(`CDROM_MEDIA_CHANGED', `0x00005325')
-define(`CDROM_DRIVE_STATUS', `0x00005326')
-define(`CDROM_DISC_STATUS', `0x00005327')
-define(`CDROM_CHANGER_NSLOTS', `0x00005328')
-define(`CDROM_LOCKDOOR', `0x00005329')
-define(`CDROM_DEBUG', `0x00005330')
-define(`CDROM_GET_CAPABILITY', `0x00005331')
-define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
-define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
-define(`CDROMAUDIOBUFSIZ', `0x00005382')
-define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
-define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
-define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
-define(`SCSI_IOCTL_GET_PCI', `0x00005387')
-define(`DVD_READ_STRUCT', `0x00005390')
-define(`DVD_WRITE_STRUCT', `0x00005391')
-define(`DVD_AUTH', `0x00005392')
-define(`CDROM_SEND_PACKET', `0x00005393')
-define(`CDROM_NEXT_WRITABLE', `0x00005394')
-define(`CDROM_LAST_WRITTEN', `0x00005395')
-define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
-define(`SNDCTL_TMR_START', `0x00005402')
-define(`TCSETS', `0x00005402')
-define(`SNDCTL_TMR_STOP', `0x00005403')
-define(`TCSETSW', `0x00005403')
-define(`SNDCTL_TMR_CONTINUE', `0x00005404')
-define(`TCSETSF', `0x00005404')
-define(`TCGETA', `0x00005405')
-define(`TCSETA', `0x00005406')
-define(`TCSETAW', `0x00005407')
-define(`TCSETAF', `0x00005408')
-define(`TCSBRK', `0x00005409')
-define(`TCXONC', `0x0000540a')
-define(`TCFLSH', `0x0000540b')
-define(`TIOCEXCL', `0x0000540c')
-define(`TIOCNXCL', `0x0000540d')
-define(`TIOCSCTTY', `0x0000540e')
-define(`TIOCGPGRP', `0x0000540f')
-define(`TIOCSPGRP', `0x00005410')
-define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
-define(`TIOCSTI', `0x00005412')
-define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
-define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
-define(`TIOCMGET', `0x00005415')
-define(`TIOCMBIS', `0x00005416')
-define(`TIOCMBIC', `0x00005417')
-define(`TIOCMSET', `0x00005418')
-define(`TIOCGSOFTCAR', `0x00005419')
-define(`TIOCSSOFTCAR', `0x0000541a')
-define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
-define(`TIOCLINUX', `0x0000541c')
-define(`TIOCCONS', `0x0000541d')
-define(`TIOCGSERIAL', `0x0000541e')
-define(`TIOCSSERIAL', `0x0000541f')
-define(`TIOCPKT', `0x00005420')
-define(`FIONBIO', `0x00005421')
-define(`TIOCNOTTY', `0x00005422')
-define(`TIOCSETD', `0x00005423')
-define(`TIOCGETD', `0x00005424')
-define(`TCSBRKP', `0x00005425')
-define(`TIOCSBRK', `0x00005427')
-define(`TIOCCBRK', `0x00005428')
-define(`TIOCGSID', `0x00005429')
-define(`TIOCGRS485', `0x0000542e')
-define(`TIOCSRS485', `0x0000542f')
-define(`TCGETX', `0x00005432')
-define(`TCSETX', `0x00005433')
-define(`TCSETXF', `0x00005434')
-define(`TCSETXW', `0x00005435')
-define(`TIOCVHANGUP', `0x00005437')
-define(`FIONCLEX', `0x00005450')
-define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
-define(`FIOASYNC', `0x00005452')
-define(`TIOCSERCONFIG', `0x00005453')
-define(`TIOCSERGWILD', `0x00005454')
-define(`TIOCSERSWILD', `0x00005455')
-define(`TIOCGLCKTRMIOS', `0x00005456')
-define(`TIOCSLCKTRMIOS', `0x00005457')
-define(`TIOCSERGSTRUCT', `0x00005458')
-define(`TIOCSERGETLSR', `0x00005459')
-define(`TIOCSERGETMULTI', `0x0000545a')
-define(`TIOCSERSETMULTI', `0x0000545b')
-define(`TIOCMIWAIT', `0x0000545c')
-define(`TIOCGICOUNT', `0x0000545d')
-define(`FIOQSIZE', `0x00005460')
-define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
-define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
-define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
-define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
-define(`UI_DEV_CREATE', `0x00005501')
-define(`UI_DEV_DESTROY', `0x00005502')
-define(`USBDEVFS_DISCARDURB', `0x0000550b')
-define(`USBDEVFS_RESET', `0x00005514')
-define(`USBDEVFS_DISCONNECT', `0x00005516')
-define(`USBDEVFS_CONNECT', `0x00005517')
-define(`VT_OPENQRY', `0x00005600')
-define(`VIDIOC_RESERVED', `0x00005601')
-define(`VT_GETMODE', `0x00005601')
-define(`VT_SETMODE', `0x00005602')
-define(`VT_GETSTATE', `0x00005603')
-define(`VT_SENDSIG', `0x00005604')
-define(`VT_RELDISP', `0x00005605')
-define(`VT_ACTIVATE', `0x00005606')
-define(`VT_WAITACTIVE', `0x00005607')
-define(`VT_DISALLOCATE', `0x00005608')
-define(`VT_RESIZE', `0x00005609')
-define(`VT_RESIZEX', `0x0000560a')
-define(`VT_LOCKSWITCH', `0x0000560b')
-define(`VT_UNLOCKSWITCH', `0x0000560c')
-define(`VT_GETHIFONTMASK', `0x0000560d')
-define(`VT_WAITEVENT', `0x0000560e')
-define(`VT_SETACTIVATE', `0x0000560f')
-define(`VIDIOC_LOG_STATUS', `0x00005646')
-define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
-define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
-define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
-define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
-define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
-define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
-define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
-define(`ANDROID_ALARM_WAIT', `0x00006101')
-define(`NS_ADJBUFLEV', `0x00006163')
-define(`SIOCSIFATMTCP', `0x00006180')
-define(`ATMTCP_CREATE', `0x0000618e')
-define(`ATMTCP_REMOVE', `0x0000618f')
-define(`ATMLEC_CTRL', `0x000061d0')
-define(`ATMLEC_DATA', `0x000061d1')
-define(`ATMLEC_MCAST', `0x000061d2')
-define(`ATMMPC_CTRL', `0x000061d8')
-define(`ATMMPC_DATA', `0x000061d9')
-define(`SIOCMKCLIP', `0x000061e0')
-define(`ATMARPD_CTRL', `0x000061e1')
-define(`ATMARP_MKIP', `0x000061e2')
-define(`ATMARP_SETENTRY', `0x000061e3')
-define(`ATMARP_ENCAP', `0x000061e5')
-define(`ATMSIGD_CTRL', `0x000061f0')
-define(`BT819_FIFO_RESET_LOW', `0x00006200')
-define(`BT819_FIFO_RESET_HIGH', `0x00006201')
-define(`CM_IOCSRDR', `0x00006303')
-define(`CM_IOCARDOFF', `0x00006304')
-define(`BC_REGISTER_LOOPER', `0x0000630b')
-define(`BC_ENTER_LOOPER', `0x0000630c')
-define(`BC_EXIT_LOOPER', `0x0000630d')
-define(`CHIOINITELEM', `0x00006311')
-define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
-define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
-define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
-define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
-define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
-define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
-define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
-define(`DRM_IOCTL_I915_FLIP', `0x00006442')
-define(`DRM_IOCTL_MGA_RESET', `0x00006442')
-define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
-define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
-define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
-define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
-define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
-define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
-define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
-define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
-define(`DRM_IOCTL_I810_SWAP', `0x00006446')
-define(`DRM_IOCTL_R128_RESET', `0x00006446')
-define(`DRM_IOCTL_R128_SWAP', `0x00006447')
-define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
-define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
-define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
-define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
-define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
-define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
-define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
-define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
-define(`DRM_IOCTL_R128_FLIP', `0x00006453')
-define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
-define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
-define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
-define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
-define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
-define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
-define(`GADGETFS_FIFO_STATUS', `0x00006701')
-define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
-define(`GADGETFS_FIFO_FLUSH', `0x00006702')
-define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
-define(`GADGETFS_CLEAR_HALT', `0x00006703')
-define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
-define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
-define(`HPET_IE_ON', `0x00006801')
-define(`HPET_IE_OFF', `0x00006802')
-define(`HPET_EPI', `0x00006804')
-define(`HPET_DPI', `0x00006805')
-define(`LIRC_NOTIFY_DECODE', `0x00006920')
-define(`LIRC_SETUP_START', `0x00006921')
-define(`LIRC_SETUP_END', `0x00006922')
-define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
-define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
-define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
-define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
-define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
-define(`KYRO_IOCTL_STRIDE', `0x00006b05')
-define(`HSC_RESET', `0x00006b10')
-define(`HSC_SET_PM', `0x00006b11')
-define(`HSC_SEND_BREAK', `0x00006b12')
-define(`MMTIMER_GETOFFSET', `0x00006d00')
-define(`MGSL_IOCSTXIDLE', `0x00006d02')
-define(`MGSL_IOCGTXIDLE', `0x00006d03')
-define(`MGSL_IOCTXENABLE', `0x00006d04')
-define(`MMTIMER_GETBITS', `0x00006d04')
-define(`MGSL_IOCRXENABLE', `0x00006d05')
-define(`MGSL_IOCTXABORT', `0x00006d06')
-define(`MMTIMER_MMAPAVAIL', `0x00006d06')
-define(`MGSL_IOCGSTATS', `0x00006d07')
-define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
-define(`MGSL_IOCSIF', `0x00006d0a')
-define(`MGSL_IOCGIF', `0x00006d0b')
-define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
-define(`MGSL_IOCSXSYNC', `0x00006d13')
-define(`MGSL_IOCGXSYNC', `0x00006d14')
-define(`MGSL_IOCSXCTRL', `0x00006d15')
-define(`MGSL_IOCGXCTRL', `0x00006d16')
-define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
-define(`AUDIO_STOP', `0x00006f01')
-define(`AUDIO_PLAY', `0x00006f02')
-define(`AUDIO_PAUSE', `0x00006f03')
-define(`AUDIO_CONTINUE', `0x00006f04')
-define(`AUDIO_SELECT_SOURCE', `0x00006f05')
-define(`AUDIO_SET_MUTE', `0x00006f06')
-define(`AUDIO_SET_AV_SYNC', `0x00006f07')
-define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
-define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
-define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
-define(`AUDIO_SET_ID', `0x00006f0d')
-define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
-define(`AUDIO_SET_EXT_ID', `0x00006f10')
-define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
-define(`VIDEO_STOP', `0x00006f15')
-define(`VIDEO_PLAY', `0x00006f16')
-define(`VIDEO_FREEZE', `0x00006f17')
-define(`VIDEO_CONTINUE', `0x00006f18')
-define(`VIDEO_SELECT_SOURCE', `0x00006f19')
-define(`VIDEO_SET_BLANK', `0x00006f1a')
-define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
-define(`VIDEO_FAST_FORWARD', `0x00006f1f')
-define(`VIDEO_SLOWMOTION', `0x00006f20')
-define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
-define(`VIDEO_SET_ID', `0x00006f23')
-define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
-define(`VIDEO_SET_FORMAT', `0x00006f25')
-define(`VIDEO_SET_SYSTEM', `0x00006f26')
-define(`DMX_START', `0x00006f29')
-define(`DMX_STOP', `0x00006f2a')
-define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
-define(`NET_REMOVE_IF', `0x00006f35')
-define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
-define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
-define(`FE_DISEQC_SEND_BURST', `0x00006f41')
-define(`FE_SET_TONE', `0x00006f42')
-define(`FE_SET_VOLTAGE', `0x00006f43')
-define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
-define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
-define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
-define(`CA_RESET', `0x00006f80')
-define(`RTC_AIE_ON', `0x00007001')
-define(`RTC_AIE_OFF', `0x00007002')
-define(`RTC_UIE_ON', `0x00007003')
-define(`PHN_NOT_OH', `0x00007004')
-define(`RTC_UIE_OFF', `0x00007004')
-define(`RTC_PIE_ON', `0x00007005')
-define(`RTC_PIE_OFF', `0x00007006')
-define(`RTC_WIE_ON', `0x0000700f')
-define(`RTC_WIE_OFF', `0x00007010')
-define(`RTC_VL_CLR', `0x00007014')
-define(`NVRAM_INIT', `0x00007040')
-define(`NVRAM_SETCKS', `0x00007041')
-define(`PPCLAIM', `0x0000708b')
-define(`PPRELEASE', `0x0000708c')
-define(`PPYIELD', `0x0000708d')
-define(`PPEXCL', `0x0000708f')
-define(`PHONE_CAPABILITIES', `0x00007180')
-define(`PHONE_RING', `0x00007183')
-define(`PHONE_HOOKSTATE', `0x00007184')
-define(`OLD_PHONE_RING_START', `0x00007187')
-define(`PHONE_RING_STOP', `0x00007188')
-define(`PHONE_REC_START', `0x0000718a')
-define(`PHONE_REC_STOP', `0x0000718b')
-define(`PHONE_REC_LEVEL', `0x0000718f')
-define(`PHONE_PLAY_START', `0x00007191')
-define(`PHONE_PLAY_STOP', `0x00007192')
-define(`PHONE_PLAY_LEVEL', `0x00007195')
-define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
-define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
-define(`PHONE_GET_TONE_STATE', `0x000071a0')
-define(`PHONE_BUSY', `0x000071a1')
-define(`PHONE_RINGBACK', `0x000071a2')
-define(`PHONE_DIALTONE', `0x000071a3')
-define(`PHONE_CPT_STOP', `0x000071a4')
-define(`PHONE_PSTN_GET_STATE', `0x000071a5')
-define(`PHONE_PSTN_LINETEST', `0x000071a8')
-define(`IXJCTL_DSP_RESET', `0x000071c0')
-define(`IXJCTL_DSP_IDLE', `0x000071c5')
-define(`IXJCTL_TESTRAM', `0x000071c6')
-define(`IXJCTL_AEC_STOP', `0x000071cc')
-define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
-define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
-define(`IXJCTL_PLAY_CID', `0x000071d7')
-define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
-define(`BR_OK', `0x00007201')
-define(`BR_DEAD_REPLY', `0x00007205')
-define(`BR_TRANSACTION_COMPLETE', `0x00007206')
-define(`BR_NOOP', `0x0000720c')
-define(`BR_SPAWN_LOOPER', `0x0000720d')
-define(`BR_FINISHED', `0x0000720e')
-define(`BR_FAILED_REPLY', `0x00007211')
-define(`MEYEIOC_STILLCAPT', `0x000076c4')
-define(`ASHMEM_GET_SIZE', `0x00007704')
-define(`ASHMEM_GET_PROT_MASK', `0x00007706')
-define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
-define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
-define(`FIOSETOWN', `0x00008901')
-define(`SIOCSPGRP', `0x00008902')
-define(`FIOGETOWN', `0x00008903')
-define(`SIOCGPGRP', `0x00008904')
-define(`SIOCATMARK', `0x00008905')
-define(`SIOCGSTAMP', `0x00008906')
-define(`SIOCGSTAMPNS', `0x00008907')
-define(`SIOCADDRT', `0x0000890b')
-define(`SIOCDELRT', `0x0000890c')
-define(`SIOCRTMSG', `0x0000890d')
-define(`SIOCGIFNAME', `0x00008910')
-define(`SIOCSIFLINK', `0x00008911')
-define(`SIOCGIFCONF', `0x00008912')
-define(`SIOCGIFFLAGS', `0x00008913')
-define(`SIOCSIFFLAGS', `0x00008914')
-define(`SIOCGIFADDR', `0x00008915')
-define(`SIOCSIFADDR', `0x00008916')
-define(`SIOCGIFDSTADDR', `0x00008917')
-define(`SIOCSIFDSTADDR', `0x00008918')
-define(`SIOCGIFBRDADDR', `0x00008919')
-define(`SIOCSIFBRDADDR', `0x0000891a')
-define(`SIOCGIFNETMASK', `0x0000891b')
-define(`SIOCSIFNETMASK', `0x0000891c')
-define(`SIOCGIFMETRIC', `0x0000891d')
-define(`SIOCSIFMETRIC', `0x0000891e')
-define(`SIOCGIFMEM', `0x0000891f')
-define(`SIOCSIFMEM', `0x00008920')
-define(`SIOCGIFMTU', `0x00008921')
-define(`SIOCSIFMTU', `0x00008922')
-define(`SIOCSIFNAME', `0x00008923')
-define(`SIOCSIFHWADDR', `0x00008924')
-define(`SIOCGIFENCAP', `0x00008925')
-define(`SIOCSIFENCAP', `0x00008926')
-define(`SIOCGIFHWADDR', `0x00008927')
-define(`SIOCGIFSLAVE', `0x00008929')
-define(`SIOCSIFSLAVE', `0x00008930')
-define(`SIOCADDMULTI', `0x00008931')
-define(`SIOCDELMULTI', `0x00008932')
-define(`SIOCGIFINDEX', `0x00008933')
-define(`SIOCSIFPFLAGS', `0x00008934')
-define(`SIOCGIFPFLAGS', `0x00008935')
-define(`SIOCDIFADDR', `0x00008936')
-define(`SIOCSIFHWBROADCAST', `0x00008937')
-define(`SIOCGIFCOUNT', `0x00008938')
-define(`SIOCKILLADDR', `0x00008939')
-define(`SIOCGIFBR', `0x00008940')
-define(`SIOCSIFBR', `0x00008941')
-define(`SIOCGIFTXQLEN', `0x00008942')
-define(`SIOCSIFTXQLEN', `0x00008943')
-define(`SIOCETHTOOL', `0x00008946')
-define(`SIOCGMIIPHY', `0x00008947')
-define(`SIOCGMIIREG', `0x00008948')
-define(`SIOCSMIIREG', `0x00008949')
-define(`SIOCWANDEV', `0x0000894a')
-define(`SIOCOUTQNSD', `0x0000894b')
-define(`SIOCDARP', `0x00008953')
-define(`SIOCGARP', `0x00008954')
-define(`SIOCSARP', `0x00008955')
-define(`SIOCDRARP', `0x00008960')
-define(`SIOCGRARP', `0x00008961')
-define(`SIOCSRARP', `0x00008962')
-define(`SIOCGIFMAP', `0x00008970')
-define(`SIOCSIFMAP', `0x00008971')
-define(`SIOCADDDLCI', `0x00008980')
-define(`SIOCDELDLCI', `0x00008981')
-define(`SIOCGIFVLAN', `0x00008982')
-define(`SIOCSIFVLAN', `0x00008983')
-define(`SIOCBONDENSLAVE', `0x00008990')
-define(`SIOCBONDRELEASE', `0x00008991')
-define(`SIOCBONDSETHWADDR', `0x00008992')
-define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
-define(`SIOCBONDINFOQUERY', `0x00008994')
-define(`SIOCBONDCHANGEACTIVE', `0x00008995')
-define(`SIOCBRADDBR', `0x000089a0')
-define(`SIOCBRDELBR', `0x000089a1')
-define(`SIOCBRADDIF', `0x000089a2')
-define(`SIOCBRDELIF', `0x000089a3')
-define(`SIOCSHWTSTAMP', `0x000089b0')
-define(`SIOCGHWTSTAMP', `0x000089b1')
-define(`SIOCPROTOPRIVATE', `0x000089e0')
-define(`SIOCPROTOPRIVATE_1', `0x000089e1')
-define(`SIOCPROTOPRIVATE_2', `0x000089e2')
-define(`SIOCPROTOPRIVATE_3', `0x000089e3')
-define(`SIOCPROTOPRIVATE_4', `0x000089e4')
-define(`SIOCPROTOPRIVATE_5', `0x000089e5')
-define(`SIOCPROTOPRIVATE_6', `0x000089e6')
-define(`SIOCPROTOPRIVATE_7', `0x000089e7')
-define(`SIOCPROTOPRIVATE_8', `0x000089e8')
-define(`SIOCPROTOPRIVATE_9', `0x000089e9')
-define(`SIOCPROTOPRIVATE_A', `0x000089ea')
-define(`SIOCPROTOPRIVATE_B', `0x000089eb')
-define(`SIOCPROTOPRIVATE_C', `0x000089ec')
-define(`SIOCPROTOPRIVATE_D', `0x000089ed')
-define(`SIOCPROTOPRIVATE_E', `0x000089ee')
-define(`SIOCPROTOPRIVLAST', `0x000089ef')
-define(`SIOCDEVPRIVATE', `0x000089f0')
-define(`SIOCDEVPRIVATE_1', `0x000089f1')
-define(`SIOCDEVPRIVATE_2', `0x000089f2')
-define(`SIOCDEVPRIVATE_3', `0x000089f3')
-define(`SIOCDEVPRIVATE_4', `0x000089f4')
-define(`SIOCDEVPRIVATE_5', `0x000089f5')
-define(`SIOCDEVPRIVATE_6', `0x000089f6')
-define(`SIOCDEVPRIVATE_7', `0x000089f7')
-define(`SIOCDEVPRIVATE_8', `0x000089f8')
-define(`SIOCDEVPRIVATE_9', `0x000089f9')
-define(`SIOCDEVPRIVATE_A', `0x000089fa')
-define(`SIOCDEVPRIVATE_B', `0x000089fb')
-define(`SIOCDEVPRIVATE_C', `0x000089fc')
-define(`SIOCDEVPRIVATE_D', `0x000089fd')
-define(`SIOCDEVPRIVATE_E', `0x000089fe')
-define(`SIOCDEVPRIVLAST', `0x000089ff')
-define(`SIOCIWFIRST', `0x00008b00')
-define(`SIOCSIWCOMMIT', `0x00008b00')
-define(`SIOCGIWNAME', `0x00008b01')
-define(`SIOCSIWNWID', `0x00008b02')
-define(`SIOCGIWNWID', `0x00008b03')
-define(`SIOCSIWFREQ', `0x00008b04')
-define(`SIOCGIWFREQ', `0x00008b05')
-define(`SIOCSIWMODE', `0x00008b06')
-define(`SIOCGIWMODE', `0x00008b07')
-define(`SIOCSIWSENS', `0x00008b08')
-define(`SIOCGIWSENS', `0x00008b09')
-define(`SIOCSIWRANGE', `0x00008b0a')
-define(`SIOCGIWRANGE', `0x00008b0b')
-define(`SIOCSIWPRIV', `0x00008b0c')
-define(`SIOCGIWPRIV', `0x00008b0d')
-define(`SIOCSIWSTATS', `0x00008b0e')
-define(`SIOCGIWSTATS', `0x00008b0f')
-define(`SIOCSIWSPY', `0x00008b10')
-define(`SIOCGIWSPY', `0x00008b11')
-define(`SIOCSIWTHRSPY', `0x00008b12')
-define(`SIOCGIWTHRSPY', `0x00008b13')
-define(`SIOCSIWAP', `0x00008b14')
-define(`SIOCGIWAP', `0x00008b15')
-define(`SIOCSIWMLME', `0x00008b16')
-define(`SIOCGIWAPLIST', `0x00008b17')
-define(`SIOCSIWSCAN', `0x00008b18')
-define(`SIOCGIWSCAN', `0x00008b19')
-define(`SIOCSIWESSID', `0x00008b1a')
-define(`SIOCGIWESSID', `0x00008b1b')
-define(`SIOCSIWNICKN', `0x00008b1c')
-define(`SIOCGIWNICKN', `0x00008b1d')
-define(`SIOCSIWRATE', `0x00008b20')
-define(`SIOCGIWRATE', `0x00008b21')
-define(`SIOCSIWRTS', `0x00008b22')
-define(`SIOCGIWRTS', `0x00008b23')
-define(`SIOCSIWFRAG', `0x00008b24')
-define(`SIOCGIWFRAG', `0x00008b25')
-define(`SIOCSIWTXPOW', `0x00008b26')
-define(`SIOCGIWTXPOW', `0x00008b27')
-define(`SIOCSIWRETRY', `0x00008b28')
-define(`SIOCGIWRETRY', `0x00008b29')
-define(`SIOCSIWENCODE', `0x00008b2a')
-define(`SIOCGIWENCODE', `0x00008b2b')
-define(`SIOCSIWPOWER', `0x00008b2c')
-define(`SIOCGIWPOWER', `0x00008b2d')
-define(`SIOCSIWGENIE', `0x00008b30')
-define(`SIOCGIWGENIE', `0x00008b31')
-define(`SIOCSIWAUTH', `0x00008b32')
-define(`SIOCGIWAUTH', `0x00008b33')
-define(`SIOCSIWENCODEEXT', `0x00008b34')
-define(`SIOCGIWENCODEEXT', `0x00008b35')
-define(`SIOCSIWPMKSA', `0x00008b36')
-define(`SIOCIWFIRSTPRIV', `0x00008be0')
-define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
-define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
-define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
-define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
-define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
-define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
-define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
-define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
-define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
-define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
-define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
-define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
-define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
-define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
-define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
-define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
-define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
-define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
-define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
-define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
-define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
-define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
-define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
-define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
-define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
-define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
-define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
-define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
-define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
-define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
-define(`SIOCIWLASTPRIV', `0x00008bff')
-define(`AUTOFS_IOC_READY', `0x00009360')
-define(`AUTOFS_IOC_FAIL', `0x00009361')
-define(`AUTOFS_IOC_CATATONIC', `0x00009362')
-define(`BTRFS_IOC_TRANS_START', `0x00009406')
-define(`BTRFS_IOC_TRANS_END', `0x00009407')
-define(`BTRFS_IOC_SYNC', `0x00009408')
-define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
-define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
-define(`NBD_SET_SOCK', `0x0000ab00')
-define(`NBD_SET_BLKSIZE', `0x0000ab01')
-define(`NBD_SET_SIZE', `0x0000ab02')
-define(`NBD_DO_IT', `0x0000ab03')
-define(`NBD_CLEAR_SOCK', `0x0000ab04')
-define(`NBD_CLEAR_QUE', `0x0000ab05')
-define(`NBD_PRINT_DEBUG', `0x0000ab06')
-define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
-define(`NBD_DISCONNECT', `0x0000ab08')
-define(`NBD_SET_TIMEOUT', `0x0000ab09')
-define(`NBD_SET_FLAGS', `0x0000ab0a')
-define(`RAW_SETBIND', `0x0000ac00')
-define(`RAW_GETBIND', `0x0000ac01')
-define(`KVM_GET_API_VERSION', `0x0000ae00')
-define(`KVM_CREATE_VM', `0x0000ae01')
-define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
-define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
-define(`KVM_CHECK_EXTENSION', `0x0000ae03')
-define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
-define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
-define(`LOGGER_FLUSH_LOG', `0x0000ae04')
-define(`LOGGER_GET_VERSION', `0x0000ae05')
-define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
-define(`LOGGER_SET_VERSION', `0x0000ae06')
-define(`KVM_CREATE_VCPU', `0x0000ae41')
-define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
-define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
-define(`KVM_SET_TSS_ADDR', `0x0000ae47')
-define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
-define(`KVM_CREATE_PIT', `0x0000ae64')
-define(`KVM_REINJECT_CONTROL', `0x0000ae71')
-define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
-define(`KVM_RUN', `0x0000ae80')
-define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
-define(`KVM_NMI', `0x0000ae9a')
-define(`KVM_SET_TSC_KHZ', `0x0000aea2')
-define(`KVM_GET_TSC_KHZ', `0x0000aea3')
-define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
-define(`VHOST_SET_OWNER', `0x0000af01')
-define(`VHOST_RESET_OWNER', `0x0000af02')
-define(`PPPOEIOCDFWD', `0x0000b101')
-define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
-define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
-define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
-define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
-define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
-define(`MFB_SET_ALPHA', `0x40014d00')
-define(`MFB_SET_GAMMA', `0x40014d01')
-define(`MFB_SET_BRIGHTNESS', `0x40014d03')
-define(`SPI_IOC_WR_MODE', `0x40016b01')
-define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
-define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
-define(`PPWCONTROL', `0x40017084')
-define(`PPWDATA', `0x40017086')
-define(`PPWCTLONIRQ', `0x40017092')
-define(`PHONE_MAXRINGS', `0x40017185')
-define(`PHONE_PLAY_TONE', `0x4001719b')
-define(`SONYPI_IOCSBRT', `0x40017600')
-define(`SONYPI_IOCSBLUE', `0x40017609')
-define(`SONYPI_IOCSFAN', `0x4001760b')
-define(`ATM_SETBACKEND', `0x400261f2')
-define(`ATM_NEWBACKENDIF', `0x400261f3')
-define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
-define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
-define(`DMX_ADD_PID', `0x40026f33')
-define(`DMX_REMOVE_PID', `0x40026f34')
-define(`PPFCONTROL', `0x4002708e')
-define(`PHONE_RING_CADENCE', `0x40027186')
-define(`SET_BITMAP_FILE', `0x4004092b')
-define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
-define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
-define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
-define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
-define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
-define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
-define(`BLKI2OSRSTRAT', `0x40043203')
-define(`BLKI2OSWSTRAT', `0x40043204')
-define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
-define(`PTP_ENABLE_PPS', `0x40043d04')
-define(`SYNC_IOC_WAIT', `0x40043e00')
-define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
-define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
-define(`AGPIOC_DEALLOCATE', `0x40044107')
-define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
-define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
-define(`CCISS_REGNEWDISK', `0x4004420d')
-define(`EVIOCRMFF', `0x40044581')
-define(`EVIOCGRAB', `0x40044590')
-define(`EVIOCREVOKE', `0x40044591')
-define(`EVIOCSCLOCKID', `0x400445a0')
-define(`FBIOPUT_CONTRAST', `0x40044602')
-define(`FBIPUT_BRIGHTNESS', `0x40044603')
-define(`FBIPUT_COLOR', `0x40044606')
-define(`FBIPUT_HSYNC', `0x40044609')
-define(`FBIPUT_VSYNC', `0x4004460a')
-define(`FBIO_WAITFORVSYNC', `0x40044620')
-define(`SSTFB_SET_VGAPASS', `0x400446dd')
-define(`HIDIOCSFLAG', `0x4004480f')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
-define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
-define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
-define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
-define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
-define(`HCIDEVUP', `0x400448c9')
-define(`HCIDEVDOWN', `0x400448ca')
-define(`HCIDEVRESET', `0x400448cb')
-define(`HCIDEVRESTAT', `0x400448cc')
-define(`HCISETRAW', `0x400448dc')
-define(`HCISETSCAN', `0x400448dd')
-define(`HCISETAUTH', `0x400448de')
-define(`HCISETENCRYPT', `0x400448df')
-define(`HCISETPTYPE', `0x400448e0')
-define(`HCISETLINKPOL', `0x400448e1')
-define(`HCISETLINKMODE', `0x400448e2')
-define(`HCISETACLMTU', `0x400448e3')
-define(`HCISETSCOMTU', `0x400448e4')
-define(`HCIBLOCKADDR', `0x400448e6')
-define(`HCIUNBLOCKADDR', `0x400448e7')
-define(`MFB_SET_PIXFMT', `0x40044d08')
-define(`OTPGETREGIONCOUNT', `0x40044d0e')
-define(`UBI_IOCEBER', `0x40044f01')
-define(`UBI_IOCEBCH', `0x40044f02')
-define(`UBI_IOCEBUNMAP', `0x40044f04')
-define(`OMAPFB_MIRROR', `0x40044f1f')
-define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
-define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
-define(`OMAPFB_LCD_TEST', `0x40044f2d')
-define(`OMAPFB_CTRL_TEST', `0x40044f2e')
-define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
-define(`SNDCTL_DSP_PROFILE', `0x40045017')
-define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
-define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
-define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
-define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
-define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
-define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
-define(`RNDADDTOENTCNT', `0x40045201')
-define(`SAA6588_CMD_CLOSE', `0x40045202')
-define(`RFCOMMCREATEDEV', `0x400452c8')
-define(`RFCOMMRELEASEDEV', `0x400452c9')
-define(`RFCOMMSTEALDLC', `0x400452dc')
-define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
-define(`SNDCTL_TMR_METRONOME', `0x40045407')
-define(`SNDCTL_TMR_SELECT', `0x40045408')
-define(`TIOCSPTLCK', `0x40045431')
-define(`TIOCSIG', `0x40045436')
-define(`TUNSETNOCSUM', `0x400454c8')
-define(`TUNSETDEBUG', `0x400454c9')
-define(`TUNSETIFF', `0x400454ca')
-define(`TUNSETPERSIST', `0x400454cb')
-define(`TUNSETOWNER', `0x400454cc')
-define(`TUNSETLINK', `0x400454cd')
-define(`TUNSETGROUP', `0x400454ce')
-define(`TUNSETOFFLOAD', `0x400454d0')
-define(`TUNSETTXFILTER', `0x400454d1')
-define(`TUNSETSNDBUF', `0x400454d4')
-define(`TUNSETVNETHDRSZ', `0x400454d8')
-define(`TUNSETQUEUE', `0x400454d9')
-define(`TUNSETIFINDEX', `0x400454da')
-define(`TUNSETVNETLE', `0x400454dc')
-define(`USBDEVFS_REAPURB32', `0x4004550c')
-define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
-define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
-define(`UI_SET_EVBIT', `0x40045564')
-define(`UI_SET_KEYBIT', `0x40045565')
-define(`UI_SET_RELBIT', `0x40045566')
-define(`UI_SET_ABSBIT', `0x40045567')
-define(`UI_SET_MSCBIT', `0x40045568')
-define(`UI_SET_LEDBIT', `0x40045569')
-define(`UI_SET_SNDBIT', `0x4004556a')
-define(`UI_SET_FFBIT', `0x4004556b')
-define(`UI_SET_SWBIT', `0x4004556d')
-define(`UI_SET_PROPBIT', `0x4004556e')
-define(`VIDIOC_OVERLAY', `0x4004560e')
-define(`VIDIOC_STREAMON', `0x40045612')
-define(`VIDIOC_STREAMOFF', `0x40045613')
-define(`VIDIOC_S_PRIORITY', `0x40045644')
-define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
-define(`SW_SYNC_IOC_INC', `0x40045701')
-define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
-define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
-define(`SONET_SETFRAMING', `0x40046115')
-define(`ATM_SETSC', `0x400461f1')
-define(`ATM_DROPPARTY', `0x400461f5')
-define(`BINDER_SET_MAX_THREADS', `0x40046205')
-define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
-define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
-define(`BINDER_THREAD_EXIT', `0x40046208')
-define(`BC_ACQUIRE_RESULT', `0x40046302')
-define(`BC_INCREFS', `0x40046304')
-define(`BC_ACQUIRE', `0x40046305')
-define(`CHIOSPICKER', `0x40046305')
-define(`BC_RELEASE', `0x40046306')
-define(`BC_DECREFS', `0x40046307')
-define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
-define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
-define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
-define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
-define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
-define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
-define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
-define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
-define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
-define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
-define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
-define(`VIDIOC_INT_RESET', `0x40046466')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
-define(`FS_IOC32_SETFLAGS', `0x40046602')
-define(`LIRC_SET_SEND_MODE', `0x40046911')
-define(`LIRC_SET_REC_MODE', `0x40046912')
-define(`LIRC_SET_SEND_CARRIER', `0x40046913')
-define(`LIRC_SET_REC_CARRIER', `0x40046914')
-define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
-define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
-define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
-define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
-define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
-define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
-define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
-define(`LIRC_SET_REC_FILTER', `0x4004691c')
-define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
-define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
-define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
-define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
-define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
-define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
-define(`SPI_IOC_WR_MODE32', `0x40046b05')
-define(`MSMFB_GRP_DISP', `0x40046d01')
-define(`MSMFB_BLIT', `0x40046d02')
-define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
-define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
-define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
-define(`UBI_IOCRMVOL', `0x40046f01')
-define(`DMX_SET_SOURCE', `0x40046f31')
-define(`UBI_IOCDET', `0x40046f41')
-define(`PPSETMODE', `0x40047080')
-define(`PPDATADIR', `0x40047090')
-define(`PPNEGOT', `0x40047091')
-define(`PPSETPHASE', `0x40047094')
-define(`PPSETFLAGS', `0x4004709b')
-define(`PHONE_REC_CODEC', `0x40047189')
-define(`PHONE_REC_DEPTH', `0x4004718c')
-define(`PHONE_FRAME', `0x4004718d')
-define(`PHONE_REC_VOLUME', `0x4004718e')
-define(`PHONE_PLAY_CODEC', `0x40047190')
-define(`PHONE_PLAY_DEPTH', `0x40047193')
-define(`PHONE_PLAY_VOLUME', `0x40047194')
-define(`PHONE_DTMF_OOB', `0x40047199')
-define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
-define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
-define(`PHONE_PSTN_SET_STATE', `0x400471a4')
-define(`PHONE_WINK_DURATION', `0x400471a6')
-define(`PHONE_VAD', `0x400471a9')
-define(`PHONE_WINK', `0x400471aa')
-define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
-define(`IXJCTL_AEC_START', `0x400471cb')
-define(`IXJCTL_SET_LED', `0x400471ce')
-define(`IXJCTL_MIXER', `0x400471cf')
-define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
-define(`IXJCTL_PORT', `0x400471d1')
-define(`IXJCTL_DAA_AGAIN', `0x400471d2')
-define(`IXJCTL_POTS_PSTN', `0x400471d5')
-define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
-define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
-define(`IXJCTL_HZ', `0x400471e0')
-define(`IXJCTL_RATE', `0x400471e1')
-define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
-define(`IXJCTL_SC_RXG', `0x400471ea')
-define(`IXJCTL_SC_TXG', `0x400471eb')
-define(`IXJCTL_INTERCOM_START', `0x400471fd')
-define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
-define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
-define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
-define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
-define(`FS_IOC32_SETVERSION', `0x40047602')
-define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
-define(`OSIOCSNETADDR', `0x400489e0')
-define(`SIOCSNETADDR', `0x400489e0')
-define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
-define(`BTRFS_IOC_CLONE', `0x40049409')
-define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
-define(`KVM_INTERRUPT', `0x4004ae86')
-define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
-define(`KVM_SET_MP_STATE', `0x4004ae99')
-define(`VHOST_SET_LOG_FD', `0x4004af07')
-define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
-define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
-define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
-define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
-define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
-define(`SISFB_SET_LOCK', `0x4004f306')
-define(`GIGASET_BRKCHARS', `0x40064702')
-define(`MEYEIOC_S_PARAMS', `0x400676c1')
-define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
-define(`BLKBSZSET', `0x40081271')
-define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
-define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
-define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
-define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
-define(`AGPIOC_SETUP', `0x40084103')
-define(`AGPIOC_RESERVE', `0x40084104')
-define(`AGPIOC_PROTECT', `0x40084105')
-define(`AGPIOC_BIND', `0x40084108')
-define(`AGPIOC_UNBIND', `0x40084109')
-define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
-define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
-define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
-define(`CCISS_SETINTINFO', `0x40084203')
-define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
-define(`EVIOCSREP', `0x40084503')
-define(`EVIOCSKEYCODE', `0x40084504')
-define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
-define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
-define(`MEMERASE', `0x40084d02')
-define(`MFB_SET_AOID', `0x40084d04')
-define(`MEMLOCK', `0x40084d05')
-define(`MEMUNLOCK', `0x40084d06')
-define(`MEMGETBADBLOCK', `0x40084d0b')
-define(`MEMSETBADBLOCK', `0x40084d0c')
-define(`UBI_IOCVOLUP', `0x40084f00')
-define(`UBI_IOCEBMAP', `0x40084f03')
-define(`OMAPFB_SETUP_MEM', `0x40084f37')
-define(`OMAPFB_QUERY_MEM', `0x40084f38')
-define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
-define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
-define(`RNDADDENTROPY', `0x40085203')
-define(`TFD_IOC_SET_TICKS', `0x40085400')
-define(`USBDEVFS_REAPURB', `0x4008550c')
-define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
-define(`USBDEVFS_CONNECTINFO', `0x40085511')
-define(`UI_SET_PHYS', `0x4008556c')
-define(`VIDIOC_S_STD', `0x40085618')
-define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
-define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
-define(`CM_IOCSPTS', `0x40086302')
-define(`BC_FREE_BUFFER', `0x40086303')
-define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
-define(`BC_DEAD_BINDER_DONE', `0x40086310')
-define(`CM_IOSDBGLVL', `0x400863fa')
-define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
-define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
-define(`DRM_IOCTL_CONTROL', `0x40086414')
-define(`DRM_IOCTL_MOD_CTX', `0x40086422')
-define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
-define(`DRM_IOCTL_NEW_CTX', `0x40086425')
-define(`DRM_IOCTL_LOCK', `0x4008642a')
-define(`DRM_IOCTL_UNLOCK', `0x4008642b')
-define(`DRM_IOCTL_FINISH', `0x4008642c')
-define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
-define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
-define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
-define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
-define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
-define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
-define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
-define(`DRM_IOCTL_I915_FREE', `0x40086449')
-define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
-define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
-define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
-define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
-define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
-define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
-define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
-define(`FS_IOC_SETFLAGS', `0x40086602')
-define(`HPET_IRQFREQ', `0x40086806')
-define(`MTIOCTOP', `0x40086d01')
-define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
-define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
-define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
-define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
-define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
-define(`AUDIO_SET_MIXER', `0x40086f0e')
-define(`VIDEO_SET_SPU', `0x40086f32')
-define(`CA_SET_PID', `0x40086f87')
-define(`PHN_SET_REG', `0x40087001')
-define(`PHN_SET_REGS', `0x40087003')
-define(`PHN_SETREG', `0x40087006')
-define(`RTC_IRQP_SET', `0x4008700c')
-define(`RTC_EPOCH_SET', `0x4008700e')
-define(`PPS_SETPARAMS', `0x400870a2')
-define(`PPS_KC_BIND', `0x400870a5')
-define(`SPIOCSTYPE', `0x40087101')
-define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
-define(`PHONE_RING_START', `0x40087187')
-define(`IXJCTL_SET_FILTER', `0x400871c7')
-define(`IXJCTL_INIT_TONE', `0x400871c9')
-define(`IXJCTL_TONE_CADENCE', `0x400871ca')
-define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
-define(`IXJCTL_CIDCW', `0x400871d9')
-define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
-define(`IXJCTL_SIGCTL', `0x400871e9')
-define(`FS_IOC_SETVERSION', `0x40087602')
-define(`ASHMEM_SET_SIZE', `0x40087703')
-define(`ASHMEM_SET_PROT_MASK', `0x40087705')
-define(`ASHMEM_PIN', `0x40087707')
-define(`ASHMEM_UNPIN', `0x40087708')
-define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
-define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
-define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
-define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
-define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
-define(`KVM_IRQ_LINE', `0x4008ae61')
-define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
-define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
-define(`KVM_SET_MSRS', `0x4008ae89')
-define(`KVM_SET_CPUID', `0x4008ae8a')
-define(`KVM_SET_CPUID2', `0x4008ae90')
-define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
-define(`KVM_S390_STORE_STATUS', `0x4008ae95')
-define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
-define(`VHOST_SET_FEATURES', `0x4008af00')
-define(`VHOST_SET_MEM_TABLE', `0x4008af03')
-define(`VHOST_SET_LOG_BASE', `0x4008af04')
-define(`VHOST_SET_VRING_NUM', `0x4008af10')
-define(`VHOST_SET_VRING_BASE', `0x4008af12')
-define(`VHOST_SET_VRING_KICK', `0x4008af20')
-define(`VHOST_SET_VRING_CALL', `0x4008af21')
-define(`VHOST_SET_VRING_ERR', `0x4008af22')
-define(`VHOST_NET_SET_BACKEND', `0x4008af30')
-define(`PPPOEIOCSFWD', `0x4008b100')
-define(`IOW_WRITE', `0x4008c001')
-define(`IOW_READ', `0x4008c002')
-define(`REISERFS_IOC_UNPACK', `0x4008cd01')
-define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
-define(`FDFMTTRK', `0x400c0248')
-define(`RUN_ARRAY', `0x400c0930')
-define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
-define(`CAPI_REGISTER', `0x400c4301')
-define(`HIDIOCGREPORT', `0x400c4807')
-define(`HIDIOCSREPORT', `0x400c4808')
-define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
-define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
-define(`OTPGETREGIONINFO', `0x400c4d0f')
-define(`UI_END_FF_ERASE', `0x400c55cb')
-define(`CHIOPOSITION', `0x400c6303')
-define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
-define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
-define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
-define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
-define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
-define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
-define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
-define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
-define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
-define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
-define(`I2OEVTREG', `0x400c690a')
-define(`HSC_SET_RX', `0x400c6b13')
-define(`HSC_GET_RX', `0x400c6b14')
-define(`NCP_IOC_GETROOT', `0x400c6e08')
-define(`UBI_IOCRSVOL', `0x400c6f02')
-define(`AUDIO_SET_KARAOKE', `0x400c6f12')
-define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
-define(`MBXFB_IOCS_REG', `0x400cf404')
-define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
-define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
-define(`PTP_EXTTS_REQUEST', `0x40103d02')
-define(`CCISS_SETNODENAME', `0x40104205')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
-define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
-define(`MTRRIOC_SET_ENTRY', `0x40104d01')
-define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
-define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
-define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
-define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
-define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
-define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
-define(`MEMERASE64', `0x40104d14')
-define(`UBI_IOCSETVOLPROP', `0x40104f06')
-define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
-define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
-define(`TUNATTACHFILTER', `0x401054d5')
-define(`TUNDETACHFILTER', `0x401054d6')
-define(`ANDROID_ALARM_SET_RTC', `0x40106105')
-define(`IDT77105_GETSTAT', `0x40106132')
-define(`IDT77105_GETSTATZ', `0x40106133')
-define(`ATM_GETSTAT', `0x40106150')
-define(`ATM_GETSTATZ', `0x40106151')
-define(`ATM_GETLOOP', `0x40106152')
-define(`ATM_SETLOOP', `0x40106153')
-define(`ATM_QUERYLOOP', `0x40106154')
-define(`ENI_MEMDUMP', `0x40106160')
-define(`HE_GET_REG', `0x40106160')
-define(`ZATM_GETPOOL', `0x40106161')
-define(`NS_SETBUFLEV', `0x40106162')
-define(`ZATM_GETPOOLZ', `0x40106162')
-define(`ZATM_SETPOOL', `0x40106163')
-define(`ENI_SETMULT', `0x40106167')
-define(`ATM_GETLINKRATE', `0x40106181')
-define(`ATM_GETNAMES', `0x40106183')
-define(`ATM_GETTYPE', `0x40106184')
-define(`ATM_GETESI', `0x40106185')
-define(`ATM_GETADDR', `0x40106186')
-define(`ATM_RSTADDR', `0x40106187')
-define(`ATM_ADDADDR', `0x40106188')
-define(`ATM_DELADDR', `0x40106189')
-define(`ATM_GETCIRANGE', `0x4010618a')
-define(`ATM_SETCIRANGE', `0x4010618b')
-define(`ATM_SETESI', `0x4010618c')
-define(`ATM_SETESIF', `0x4010618d')
-define(`ATM_ADDLECSADDR', `0x4010618e')
-define(`ATM_DELLECSADDR', `0x4010618f')
-define(`ATM_GETLECSADDR', `0x40106190')
-define(`ATM_ADDPARTY', `0x401061f4')
-define(`BC_INCREFS_DONE', `0x40106308')
-define(`CHIOGSTATUS', `0x40106308')
-define(`BC_ACQUIRE_DONE', `0x40106309')
-define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
-define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
-define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
-define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
-define(`DRM_IOCTL_AGP_BIND', `0x40106436')
-define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
-define(`DRM_IOCTL_SG_FREE', `0x40106439')
-define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
-define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
-define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
-define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
-define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
-define(`DRM_IOCTL_I810_COPY', `0x40106447')
-define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
-define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
-define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
-define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
-define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
-define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
-define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
-define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
-define(`TUNER_SET_CONFIG', `0x4010645c')
-define(`HSC_SET_TX', `0x40106b15')
-define(`HSC_GET_TX', `0x40106b16')
-define(`MGSL_IOCSGPIO', `0x40106d10')
-define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
-define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
-define(`VIDEO_STILLPICTURE', `0x40106f1e')
-define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
-define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
-define(`FE_SET_PROPERTY', `0x40106f52')
-define(`CA_SET_DESCR', `0x40106f86')
-define(`PPSETTIME', `0x40107096')
-define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
-define(`GENWQE_WRITE_REG64', `0x4010a51f')
-define(`GENWQE_WRITE_REG32', `0x4010a521')
-define(`GENWQE_WRITE_REG16', `0x4010a523')
-define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
-define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
-define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
-define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
-define(`KVM_S390_INTERRUPT', `0x4010ae94')
-define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
-define(`KVM_DIRTY_TLB', `0x4010aeaa')
-define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
-define(`KVM_GET_ONE_REG', `0x4010aeab')
-define(`KVM_SET_ONE_REG', `0x4010aeac')
-define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
-define(`FDSETMAXERRS', `0x4014024c')
-define(`ADD_NEW_DISK', `0x40140921')
-define(`SNDCTL_COPR_WDATA', `0x40144304')
-define(`SNDCTL_COPR_WCODE', `0x40144305')
-define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
-define(`VIDIOC_S_CROP', `0x4014563c')
-define(`CHIOMOVE', `0x40146301')
-define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
-define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
-define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
-define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
-define(`DMX_SET_PES_FILTER', `0x40146f2c')
-define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
-define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
-define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
-define(`HIDIOCSUSAGE', `0x4018480c')
-define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
-define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
-define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
-define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
-define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
-define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
-define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
-define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
-define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
-define(`UBI_IOCATT', `0x40186f40')
-define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
-define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
-define(`KVM_S390_UCAS_MAP', `0x4018ae50')
-define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
-define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
-define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
-define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
-define(`MBXFB_IOCS_ALPHA', `0x4018f402')
-define(`BR2684_SETFILT', `0x401c6190')
-define(`CHIOEXCHANGE', `0x401c6302')
-define(`FDSETPRM', `0x40200242')
-define(`FDDEFPRM', `0x40200243')
-define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
-define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
-define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
-define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
-define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
-define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
-define(`DRM_IOCTL_AGP_FREE', `0x40206435')
-define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
-define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
-define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
-define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
-define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
-define(`DRM_IOCTL_I810_MC', `0x4020644c')
-define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
-define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
-define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
-define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
-define(`OSD_SEND_CMD', `0x40206fa0')
-define(`RTC_PLL_SET', `0x40207012')
-define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
-define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
-define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
-define(`KVM_IRQFD', `0x4020ae76')
-define(`KVM_SIGNAL_MSI', `0x4020aea5')
-define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
-define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
-define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
-define(`JSIOCSCORR', `0x40246a21')
-define(`FE_SET_FRONTEND', `0x40246f4c')
-define(`RTC_ALM_SET', `0x40247007')
-define(`RTC_SET_TIME', `0x4024700a')
-define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
-define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
-define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
-define(`EVIOCSKEYCODE_V2', `0x40284504')
-define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
-define(`DRM_IOCTL_RM_MAP', `0x4028641b')
-define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
-define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
-define(`PHN_SETREGS', `0x40287008')
-define(`RTC_WKALM_SET', `0x4028700f')
-define(`VHOST_SET_VRING_ADDR', `0x4028af11')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
-define(`TCSETS2', `0x402c542b')
-define(`TCSETSW2', `0x402c542c')
-define(`TCSETSF2', `0x402c542d')
-define(`VIDIOC_S_FREQUENCY', `0x402c5639')
-define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
-define(`EVIOCSFF', `0x40304580')
-define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
-define(`VIDIOC_S_FBUF', `0x4030560b')
-define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
-define(`CHIOSVOLTAG', `0x40306312')
-define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
-define(`MGSL_IOCSPARAMS', `0x40306d00')
-define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
-define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
-define(`KVM_SET_CLOCK', `0x4030ae7b')
-define(`GSMIOC_ENABLE_NET', `0x40344702')
-define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
-define(`VIDIOC_S_AUDIO', `0x40345622')
-define(`VIDIOC_S_AUDOUT', `0x40345632')
-define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
-define(`PTP_PEROUT_REQUEST', `0x40383d03')
-define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
-define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
-define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
-define(`DMX_SET_FILTER', `0x403c6f2b')
-define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
-define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
-define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
-define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
-define(`BC_TRANSACTION', `0x40406300')
-define(`BC_REPLY', `0x40406301')
-define(`DRM_IOCTL_I810_INIT', `0x40406440')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
-define(`JSIOCSAXMAP', `0x40406a31')
-define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
-define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
-define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
-define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
-define(`KVM_CREATE_PIT2', `0x4040ae77')
-define(`KVM_IOEVENTFD', `0x4040ae79')
-define(`KVM_X86_SET_MCE', `0x4040ae9e')
-define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
-define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
-define(`CXL_IOCTL_START_WORK', `0x4040ca00')
-define(`OMAPFB_SETUP_PLANE', `0x40444f34')
-define(`OMAPFB_QUERY_PLANE', `0x40444f35')
-define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
-define(`VIDIOC_S_MODULATOR', `0x40445637')
-define(`DRM_IOCTL_I915_INIT', `0x40446440')
-define(`SET_ARRAY_INFO', `0x40480923')
-define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
-define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
-define(`BTRFS_IOC_SEND', `0x40489426')
-define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
-define(`GSMIOC_SETCONF', `0x404c4701')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
-define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
-define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
-define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
-define(`VIDIOC_S_TUNER', `0x4054561e')
-define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
-define(`PTP_PIN_SETFUNC', `0x40603d07')
-define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
-define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
-define(`UI_END_FF_UPLOAD', `0x406855c9')
-define(`KVM_ENABLE_CAP', `0x4068aea3')
-define(`CHIOGELEM', `0x406c6310')
-define(`KVM_SET_PIT2', `0x4070aea0')
-define(`DRM_IOCTL_R128_INIT', `0x40786440')
-define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
-define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
-define(`FDSETDRVPRM', `0x40800290')
-define(`UBI_IOCVOLCRBLK', `0x40804f07')
-define(`DRM_IOCTL_MGA_INIT', `0x40806440')
-define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
-define(`KVM_SET_DEBUGREGS', `0x4080aea2')
-define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
-define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
-define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
-define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
-define(`KVM_SET_REGS', `0x4090ae82')
-define(`UBI_IOCMKVOL', `0x40986f00')
-define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
-define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
-define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
-define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
-define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
-define(`ASHMEM_SET_NAME', `0x41007701')
-define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
-define(`USBDEVFS_GETDRIVER', `0x41045508')
-define(`CA_SEND_MSG', `0x410c6f85')
-define(`KVM_SET_SREGS', `0x4138ae84')
-define(`KVM_SET_XCRS', `0x4188aea7')
-define(`KVM_SET_FPU', `0x41a0ae8d')
-define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
-define(`PTP_SYS_OFFSET', `0x43403d05')
-define(`JSIOCSBTNMAP', `0x44006a33')
-define(`KVM_SET_LAPIC', `0x4400ae8f')
-define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
-define(`BTRFS_IOC_DEFRAG', `0x50009402')
-define(`BTRFS_IOC_RESIZE', `0x50009403')
-define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
-define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
-define(`BTRFS_IOC_RM_DEV', `0x5000940b')
-define(`BTRFS_IOC_BALANCE', `0x5000940c')
-define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
-define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
-define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
-define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
-define(`KVM_SET_XSAVE', `0x5000aea5')
-define(`HIDIOCSUSAGES', `0x501c4814')
-define(`UBI_IOCRNVOL', `0x51106f03')
-define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
-define(`MFB_GET_ALPHA', `0x80014d00')
-define(`MFB_GET_GAMMA', `0x80014d01')
-define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
-define(`JSIOCGAXES', `0x80016a11')
-define(`JSIOCGBUTTONS', `0x80016a12')
-define(`SPI_IOC_RD_MODE', `0x80016b01')
-define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
-define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
-define(`PPRSTATUS', `0x80017081')
-define(`PPRCONTROL', `0x80017083')
-define(`PPRDATA', `0x80017085')
-define(`SONYPI_IOCGBRT', `0x80017600')
-define(`SONYPI_IOCGBATFLAGS', `0x80017607')
-define(`SONYPI_IOCGBLUE', `0x80017608')
-define(`SONYPI_IOCGFAN', `0x8001760a')
-define(`SONYPI_IOCGTEMP', `0x8001760c')
-define(`CAPI_GET_ERRCODE', `0x80024321')
-define(`CAPI_INSTALLED', `0x80024322')
-define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
-define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
-define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
-define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
-define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
-define(`FE_READ_SNR', `0x80026f48')
-define(`SONYPI_IOCGBAT1CAP', `0x80027602')
-define(`SONYPI_IOCGBAT1REM', `0x80027603')
-define(`SONYPI_IOCGBAT2CAP', `0x80027604')
-define(`SONYPI_IOCGBAT2REM', `0x80027605')
-define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
-define(`BLKI2OGRSTRAT', `0x80043201')
-define(`BLKI2OGWSTRAT', `0x80043202')
-define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
-define(`CCISS_GETHEARTBEAT', `0x80044206')
-define(`CCISS_GETBUSTYPES', `0x80044207')
-define(`CCISS_GETFIRMVER', `0x80044208')
-define(`CCISS_GETDRIVVER', `0x80044209')
-define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
-define(`CAPI_GET_FLAGS', `0x80044323')
-define(`CAPI_SET_FLAGS', `0x80044324')
-define(`CAPI_CLR_FLAGS', `0x80044325')
-define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
-define(`CAPI_NCCI_GETUNIT', `0x80044327')
-define(`EVIOCGVERSION', `0x80044501')
-define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
-define(`EVIOCGEFFECTS', `0x80044584')
-define(`FBIOGET_CONTRAST', `0x80044601')
-define(`FBIGET_BRIGHTNESS', `0x80044603')
-define(`FBIGET_COLOR', `0x80044605')
-define(`SSTFB_GET_VGAPASS', `0x800446dd')
-define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
-define(`HIDIOCGRDESCSIZE', `0x80044801')
-define(`HIDIOCGVERSION', `0x80044801')
-define(`HIDIOCGFLAG', `0x8004480e')
-define(`HDA_IOCTL_PVERSION', `0x80044810')
-define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
-define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
-define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
-define(`HCIGETDEVLIST', `0x800448d2')
-define(`HCIGETDEVINFO', `0x800448d3')
-define(`HCIGETCONNLIST', `0x800448d4')
-define(`HCIGETCONNINFO', `0x800448d5')
-define(`HCIGETAUTHINFO', `0x800448d7')
-define(`HCIINQUIRY', `0x800448f0')
-define(`ROCCATIOCGREPSIZE', `0x800448f1')
-define(`IMADDTIMER', `0x80044940')
-define(`IMDELTIMER', `0x80044941')
-define(`IMGETVERSION', `0x80044942')
-define(`IMGETCOUNT', `0x80044943')
-define(`IMGETDEVINFO', `0x80044944')
-define(`IMCTRLREQ', `0x80044945')
-define(`IMCLEAR_L2', `0x80044946')
-define(`IMHOLD_L1', `0x80044948')
-define(`MCE_GET_RECORD_LEN', `0x80044d01')
-define(`MCE_GET_LOG_LEN', `0x80044d02')
-define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
-define(`MEMGETREGIONCOUNT', `0x80044d07')
-define(`MFB_GET_PIXFMT', `0x80044d08')
-define(`OTPSELECT', `0x80044d0d')
-define(`OSS_GETVERSION', `0x80044d76')
-define(`UBI_IOCEBISMAP', `0x80044f05')
-define(`SOUND_PCM_READ_RATE', `0x80045002')
-define(`SOUND_PCM_READ_BITS', `0x80045005')
-define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
-define(`SOUND_PCM_READ_FILTER', `0x80045007')
-define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
-define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
-define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
-define(`SNDCTL_DSP_GETODELAY', `0x80045017')
-define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
-define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
-define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
-define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
-define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
-define(`SNDCTL_SEQ_GETTIME', `0x80045113')
-define(`RNDGETENTCNT', `0x80045200')
-define(`SAA6588_CMD_READ', `0x80045203')
-define(`SAA6588_CMD_POLL', `0x80045204')
-define(`RFCOMMGETDEVLIST', `0x800452d2')
-define(`RFCOMMGETDEVINFO', `0x800452d3')
-define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
-define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
-define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
-define(`TIOCGPTN', `0x80045430')
-define(`TIOCGDEV', `0x80045432')
-define(`TIOCGPKT', `0x80045438')
-define(`TIOCGPTLCK', `0x80045439')
-define(`TIOCGEXCL', `0x80045440')
-define(`TUNGETFEATURES', `0x800454cf')
-define(`TUNGETIFF', `0x800454d2')
-define(`TUNGETSNDBUF', `0x800454d3')
-define(`TUNGETVNETHDRSZ', `0x800454d7')
-define(`TUNGETVNETLE', `0x800454dd')
-define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
-define(`USBDEVFS_RESETEP', `0x80045503')
-define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
-define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
-define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
-define(`USBDEVFS_CLEAR_HALT', `0x80045515')
-define(`USBDEVFS_CLAIM_PORT', `0x80045518')
-define(`USBDEVFS_RELEASE_PORT', `0x80045519')
-define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
-define(`UI_GET_VERSION', `0x8004552d')
-define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
-define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
-define(`VIDIOC_G_INPUT', `0x80045626')
-define(`VIDIOC_G_OUTPUT', `0x8004562e')
-define(`VIDIOC_G_PRIORITY', `0x80045643')
-define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
-define(`WDIOC_GETSTATUS', `0x80045701')
-define(`WDIOC_GETBOOTSTATUS', `0x80045702')
-define(`WDIOC_GETTEMP', `0x80045703')
-define(`WDIOC_SETOPTIONS', `0x80045704')
-define(`WDIOC_KEEPALIVE', `0x80045705')
-define(`WDIOC_GETTIMEOUT', `0x80045707')
-define(`WDIOC_GETPRETIMEOUT', `0x80045709')
-define(`WDIOC_GETTIMELEFT', `0x8004570a')
-define(`SONET_GETDIAG', `0x80046114')
-define(`SONET_GETFRAMING', `0x80046116')
-define(`CHIOGPICKER', `0x80046304')
-define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
-define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
-define(`FS_IOC32_GETFLAGS', `0x80046601')
-define(`LIRC_GET_FEATURES', `0x80046900')
-define(`LIRC_GET_SEND_MODE', `0x80046901')
-define(`LIRC_GET_REC_MODE', `0x80046902')
-define(`LIRC_GET_SEND_CARRIER', `0x80046903')
-define(`LIRC_GET_REC_CARRIER', `0x80046904')
-define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
-define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
-define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
-define(`I2OVALIDATE', `0x80046908')
-define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
-define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
-define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
-define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
-define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
-define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
-define(`LIRC_GET_LENGTH', `0x8004690f')
-define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
-define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
-define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
-define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
-define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
-define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
-define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
-define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
-define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
-define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
-define(`I8K_BIOS_VERSION', `0x80046980')
-define(`I8K_MACHINE_ID', `0x80046981')
-define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
-define(`JSIOCGVERSION', `0x80046a01')
-define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
-define(`SPI_IOC_RD_MODE32', `0x80046b05')
-define(`UDF_GETEASIZE', `0x80046c40')
-define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
-define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
-define(`SISFB_GET_INFO_OLD', `0x80046ef8')
-define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
-define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
-define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
-define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
-define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
-define(`FE_READ_STATUS', `0x80046f45')
-define(`FE_READ_BER', `0x80046f46')
-define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
-define(`RTC_VL_READ', `0x80047013')
-define(`PPCLRIRQ', `0x80047093')
-define(`PPGETMODES', `0x80047097')
-define(`PPGETMODE', `0x80047098')
-define(`PPGETPHASE', `0x80047099')
-define(`PPGETFLAGS', `0x8004709a')
-define(`PHONE_DTMF_READY', `0x80047196')
-define(`PHONE_GET_DTMF', `0x80047197')
-define(`PHONE_GET_DTMF_ASCII', `0x80047198')
-define(`PHONE_EXCEPTION', `0x8004719a')
-define(`IXJCTL_CARDTYPE', `0x800471c1')
-define(`IXJCTL_SERIAL', `0x800471c2')
-define(`IXJCTL_DSP_TYPE', `0x800471c3')
-define(`IXJCTL_DSP_VERSION', `0x800471c4')
-define(`IXJCTL_VMWI', `0x800471d8')
-define(`BR_ERROR', `0x80047200')
-define(`BR_ACQUIRE_RESULT', `0x80047204')
-define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
-define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
-define(`FS_IOC32_GETVERSION', `0x80047601')
-define(`MEYEIOC_STILLJCAPT', `0x800476c5')
-define(`OSIOCGNETADDR', `0x800489e1')
-define(`SIOCGNETADDR', `0x800489e1')
-define(`AUTOFS_IOC_PROTOVER', `0x80049363')
-define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
-define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
-define(`GENWQE_GET_CARD_STATE', `0x8004a524')
-define(`KVM_GET_MP_STATE', `0x8004ae98')
-define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
-define(`SISFB_GET_INFO_SIZE', `0x8004f300')
-define(`SISFB_GET_VBRSTATUS', `0x8004f302')
-define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
-define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
-define(`SONET_GETFRSENSE', `0x80066117')
-define(`MEYEIOC_G_PARAMS', `0x800676c0')
-define(`BLKBSZGET', `0x80081270')
-define(`BLKGETSIZE64', `0x80081272')
-define(`PERF_EVENT_IOC_ID', `0x80082407')
-define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
-define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
-define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
-define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
-define(`AGPIOC_INFO', `0x80084100')
-define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
-define(`CCISS_GETPCIINFO', `0x80084201')
-define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
-define(`CCISS_GETINTINFO', `0x80084202')
-define(`PMU_IOC_GET_MODEL', `0x80084203')
-define(`PMU_IOC_HAS_ADB', `0x80084204')
-define(`PMU_IOC_CAN_SLEEP', `0x80084205')
-define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
-define(`EVIOCGID', `0x80084502')
-define(`EVIOCGREP', `0x80084503')
-define(`EVIOCGKEYCODE', `0x80084504')
-define(`FBIO_GETCONTROL2', `0x80084689')
-define(`HIDIOCGRAWINFO', `0x80084803')
-define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
-define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
-define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
-define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
-define(`MFB_GET_AOID', `0x80084d04')
-define(`MEMISLOCKED', `0x80084d17')
-define(`RNDGETPOOL', `0x80085202')
-define(`USBDEVFS_SETINTERFACE', `0x80085504')
-define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
-define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
-define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
-define(`VIDIOC_G_STD', `0x80085617')
-define(`VIDIOC_QUERYSTD', `0x8008563f')
-define(`CM_IOCGSTATUS', `0x80086300')
-define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
-define(`FS_IOC_GETFLAGS', `0x80086601')
-define(`I2OPASSTHRU32', `0x8008690c')
-define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
-define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
-define(`I8K_POWER_STATUS', `0x80086982')
-define(`I8K_FN_STATUS', `0x80086983')
-define(`I8K_GET_TEMP', `0x80086984')
-define(`UDF_GETEABLOCK', `0x80086c41')
-define(`UDF_GETVOLIDENT', `0x80086c42')
-define(`MMTIMER_GETRES', `0x80086d01')
-define(`MMTIMER_GETFREQ', `0x80086d02')
-define(`MTIOCPOS', `0x80086d03')
-define(`MMTIMER_GETCOUNTER', `0x80086d09')
-define(`NILFS_IOCTL_SYNC', `0x80086e8a')
-define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
-define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
-define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
-define(`AUDIO_GET_PTS', `0x80086f13')
-define(`DMX_GET_CAPS', `0x80086f30')
-define(`VIDEO_GET_PTS', `0x80086f39')
-define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
-define(`CA_GET_DESCR_INFO', `0x80086f83')
-define(`RTC_IRQP_READ', `0x8008700b')
-define(`RTC_EPOCH_READ', `0x8008700d')
-define(`PPS_GETPARAMS', `0x800870a1')
-define(`PPS_GETCAP', `0x800870a3')
-define(`PHONE_CAPABILITIES_LIST', `0x80087181')
-define(`IXJCTL_CID', `0x800871d4')
-define(`IXJCTL_VERSION', `0x800871da')
-define(`IXJCTL_FRAMES_READ', `0x800871e2')
-define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
-define(`IXJCTL_READ_WAIT', `0x800871e4')
-define(`IXJCTL_WRITE_WAIT', `0x800871e5')
-define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
-define(`BR_DEAD_BINDER', `0x8008720f')
-define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
-define(`FS_IOC_GETVERSION', `0x80087601')
-define(`BTRFS_IOC_START_SYNC', `0x80089418')
-define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
-define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
-define(`KVM_ALLOCATE_RMA', `0x8008aea9')
-define(`VHOST_GET_FEATURES', `0x8008af00')
-define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
-define(`DMX_GET_PES_PIDS', `0x800a6f2f')
-define(`RAID_VERSION', `0x800c0910')
-define(`CCISS_GETLUNINFO', `0x800c4211')
-define(`OTPLOCK', `0x800c4d10')
-define(`OMAPFB_GET_CAPS', `0x800c4f2a')
-define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
-define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
-define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
-define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
-define(`NCP_IOC_SETROOT', `0x800c6e08')
-define(`VIDEO_GET_SIZE', `0x800c6f37')
-define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
-define(`CA_GET_SLOT_INFO', `0x800c6f82')
-define(`FDGETDRVTYP', `0x8010020f')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
-define(`CCISS_GETNODENAME', `0x80104204')
-define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
-define(`ECCGETSTATS', `0x80104d12')
-define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
-define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
-define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
-define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
-define(`TUNGETFILTER', `0x801054db')
-define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
-define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
-define(`I2OPASSTHRU', `0x8010690c')
-define(`MGSL_IOCGGPIO', `0x80106d11')
-define(`NCP_IOC_NCPREQUEST', `0x80106e01')
-define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
-define(`FE_GET_PROPERTY', `0x80106f53')
-define(`CA_GET_CAP', `0x80106f81')
-define(`OSD_GET_CAPABILITY', `0x80106fa1')
-define(`PPGETTIME', `0x80107095')
-define(`BR_INCREFS', `0x80107207')
-define(`BR_ACQUIRE', `0x80107208')
-define(`BR_RELEASE', `0x80107209')
-define(`BR_DECREFS', `0x8010720a')
-define(`GENWQE_READ_REG64', `0x8010a51e')
-define(`GENWQE_READ_REG32', `0x8010a520')
-define(`GENWQE_READ_REG16', `0x8010a522')
-define(`FDGETMAXERRS', `0x8014020e')
-define(`GET_DISK_INFO', `0x80140912')
-define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
-define(`CHIOGPARAMS', `0x80146306')
-define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
-define(`VIDEO_GET_STATUS', `0x80146f1b')
-define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
-define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
-define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
-define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
-define(`IMSETDEVNAME', `0x80184947')
-define(`OMAPFB_MEMORY_READ', `0x80184f3a')
-define(`HPET_INFO', `0x80186803')
-define(`NCP_IOC_SIGN_INIT', `0x80186e05')
-define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
-define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
-define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
-define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
-define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
-define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
-define(`MBXFB_IOCG_ALPHA', `0x8018f401')
-define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
-define(`HIDIOCGDEVINFO', `0x801c4803')
-define(`FDGETPRM', `0x80200204')
-define(`FBIOGET_VBLANK', `0x80204612')
-define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
-define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
-define(`MEMGETINFO', `0x80204d01')
-define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
-define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
-define(`I2OGETIOPS', `0x80206900')
-define(`AUDIO_GET_STATUS', `0x80206f0a')
-define(`VIDEO_GET_EVENT', `0x80206f1c')
-define(`RTC_PLL_GET', `0x80207011')
-define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
-define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
-define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
-define(`SONET_GETSTAT', `0x80246110')
-define(`SONET_GETSTATZ', `0x80246111')
-define(`JSIOCGCORR', `0x80246a22')
-define(`FE_GET_FRONTEND', `0x80246f4d')
-define(`RTC_ALM_READ', `0x80247008')
-define(`RTC_RD_TIME', `0x80247009')
-define(`FDGETFDCSTAT', `0x80280215')
-define(`FDWERRORGET', `0x80280217')
-define(`EVIOCGKEYCODE_V2', `0x80284504')
-define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
-define(`WDIOC_GETSUPPORT', `0x80285700')
-define(`IPMICTL_SEND_COMMAND', `0x8028690d')
-define(`FE_GET_EVENT', `0x80286f4e')
-define(`RTC_WKALM_RD', `0x80287010')
-define(`IOW_GETINFO', `0x8028c003')
-define(`USBDEVFS_SUBMITURB32', `0x802a550a')
-define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
-define(`TCGETS2', `0x802c542a')
-define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
-define(`VIDIOC_G_FBUF', `0x8030560a')
-define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
-define(`MGSL_IOCGPARAMS', `0x80306d01')
-define(`MTIOCGET', `0x80306d02')
-define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
-define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
-define(`KVM_GET_CLOCK', `0x8030ae7c')
-define(`VIDIOC_G_AUDIO', `0x80345621')
-define(`VIDIOC_G_AUDOUT', `0x80345631')
-define(`USBDEVFS_SUBMITURB', `0x8038550a')
-define(`DRM_IOCTL_AGP_INFO', `0x80386433')
-define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
-define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
-define(`JSIOCGAXMAP', `0x80406a32')
-define(`BR_TRANSACTION', `0x80407202')
-define(`BR_REPLY', `0x80407203')
-define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
-define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
-define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
-define(`GET_ARRAY_INFO', `0x80480911')
-define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
-define(`KVM_SET_PIT', `0x8048ae66')
-define(`GSMIOC_GETCONF', `0x804c4700')
-define(`FDGETDRVSTAT', `0x80500212')
-define(`FDPOLLDRVSTAT', `0x80500213')
-define(`PTP_CLOCK_GETCAPS', `0x80503d01')
-define(`SOUND_MIXER_INFO', `0x805c4d65')
-define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
-define(`VIDIOC_QUERYCAP', `0x80685600')
-define(`I2OEVTGET', `0x8068690b')
-define(`CHIOGVPARAMS', `0x80706313')
-define(`KVM_GET_PIT2', `0x8070ae9f')
-define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
-define(`FDGETDRVPRM', `0x80800211')
-define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
-define(`KVM_GET_DEBUGREGS', `0x8080aea1')
-define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
-define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
-define(`VIDIOC_DQEVENT', `0x80885659')
-define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
-define(`KVM_GET_REGS', `0x8090ae81')
-define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
-define(`FE_GET_INFO', `0x80a86f3d')
-define(`MEMGETOOBSEL', `0x80c84d0a')
-define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
-define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
-define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
-define(`DRM_IOCTL_GET_STATS', `0x80f86406')
-define(`ASHMEM_GET_NAME', `0x81007702')
-define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
-define(`HIDIOCGSTRING', `0x81044804')
-define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
-define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
-define(`CA_GET_MSG', `0x810c6f84')
-define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
-define(`SISFB_GET_INFO', `0x811cf301')
-define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
-define(`KVM_GET_SREGS', `0x8138ae83')
-define(`ECCGETLAYOUT', `0x81484d11')
-define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
-define(`KVM_GET_XCRS', `0x8188aea6')
-define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
-define(`KVM_GET_FPU', `0x81a0ae8c')
-define(`KVM_SET_IRQCHIP', `0x8208ae63')
-define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
-define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
-define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
-define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
-define(`JSIOCGBTNMAP', `0x84006a34')
-define(`BTRFS_IOC_FS_INFO', `0x8400941f')
-define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
-define(`KVM_GET_LAPIC', `0x8400ae8e')
-define(`VIDEO_GET_NAVI', `0x84046f34')
-define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
-define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
-define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
-define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
-define(`GET_BITMAP_FILE', `0x90000915')
-define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
-define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
-define(`KVM_GET_XSAVE', `0x9000aea4')
-define(`HIDIOCGRDESC', `0x90044802')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
-define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
-define(`CAPI_GET_MANUFACTURER', `0xc0044306')
-define(`CAPI_GET_SERIAL', `0xc0044308')
-define(`GIGASET_REDIR', `0xc0044700')
-define(`GIGASET_CONFIG', `0xc0044701')
-define(`ION_IOC_FREE', `0xc0044901')
-define(`SOUND_MIXER_AGC', `0xc0044d67')
-define(`SOUND_MIXER_3DSE', `0xc0044d68')
-define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
-define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
-define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
-define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
-define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
-define(`SNDCTL_DSP_SPEED', `0xc0045002')
-define(`SNDCTL_DSP_STEREO', `0xc0045003')
-define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
-define(`SNDCTL_DSP_SETFMT', `0xc0045005')
-define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
-define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
-define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
-define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
-define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
-define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
-define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
-define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
-define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
-define(`SNDCTL_TMR_TEMPO', `0xc0045405')
-define(`SNDCTL_TMR_SOURCE', `0xc0045406')
-define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
-define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
-define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
-define(`VIDIOC_S_INPUT', `0xc0045627')
-define(`VIDIOC_S_OUTPUT', `0xc004562f')
-define(`WDIOC_SETTIMEOUT', `0xc0045706')
-define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
-define(`FIFREEZE', `0xc0045877')
-define(`FITHAW', `0xc0045878')
-define(`SONET_SETDIAG', `0xc0046112')
-define(`SONET_CLRDIAG', `0xc0046113')
-define(`BINDER_VERSION', `0xc0046209')
-define(`DRM_IOCTL_BLOCK', `0xc0046412')
-define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
-define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
-define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
-define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
-define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
-define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
-define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
-define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
-define(`MGSL_IOCWAITEVENT', `0xc0046d08')
-define(`TOSH_SMM', `0xc0047490')
-define(`MEYEIOC_SYNC', `0xc00476c3')
-define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
-define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
-define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
-define(`NET_ADD_IF', `0xc0066f34')
-define(`NET_GET_IF', `0xc0066f36')
-define(`AGPIOC_ALLOCATE', `0xc0084106')
-define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
-define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
-define(`ION_IOC_MAP', `0xc0084902')
-define(`ION_IOC_SHARE', `0xc0084904')
-define(`ION_IOC_IMPORT', `0xc0084905')
-define(`ION_IOC_SYNC', `0xc0084907')
-define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
-define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
-define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
-define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
-define(`VIDIOC_G_CTRL', `0xc008561b')
-define(`VIDIOC_S_CTRL', `0xc008561c')
-define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
-define(`CM_IOCGATR', `0xc0086301')
-define(`CIOC_KERNEL_VERSION', `0xc008630a')
-define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
-define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
-define(`DRM_IOCTL_RM_CTX', `0xc0086421')
-define(`DRM_IOCTL_GET_CTX', `0xc0086423')
-define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
-define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
-define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
-define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
-define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
-define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
-define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
-define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
-define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
-define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
-define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
-define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
-define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
-define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
-define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
-define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
-define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
-define(`I8K_GET_SPEED', `0xc0086985')
-define(`I8K_GET_FAN', `0xc0086986')
-define(`I8K_SET_FAN', `0xc0086987')
-define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
-define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
-define(`PHN_GET_REG', `0xc0087000')
-define(`PHN_GET_REGS', `0xc0087002')
-define(`PHN_GETREG', `0xc0087005')
-define(`PPS_FETCH', `0xc00870a4')
-define(`PHONE_QUERY_CODEC', `0xc00871a7')
-define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
-define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
-define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
-define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
-define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
-define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
-define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
-define(`KVM_GET_MSRS', `0xc008ae88')
-define(`KVM_GET_CPUID2', `0xc008ae91')
-define(`KVM_GET_REG_LIST', `0xc008aeb0')
-define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
-define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
-define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
-define(`VHOST_GET_VRING_BASE', `0xc008af12')
-define(`HIDIOCGREPORTINFO', `0xc00c4809')
-define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
-define(`USBDEVFS_IOCTL32', `0xc00c5512')
-define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
-define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
-define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
-define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
-define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
-define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
-define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
-define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
-define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
-define(`KVM_CREATE_DEVICE', `0xc00caee0')
-define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
-define(`MBXFB_IOCX_REG', `0xc00cf405')
-define(`CAPI_GET_VERSION', `0xc0104307')
-define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
-define(`GIGASET_VERSION', `0xc0104703')
-define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
-define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
-define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
-define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
-define(`ION_IOC_CUSTOM', `0xc0104906')
-define(`MEMWRITEOOB', `0xc0104d03')
-define(`MEMREADOOB', `0xc0104d04')
-define(`MEMGETREGIONINFO', `0xc0104d08')
-define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
-define(`USBDEVFS_CONTROL32', `0xc0105500')
-define(`USBDEVFS_BULK32', `0xc0105502')
-define(`USBDEVFS_IOCTL', `0xc0105512')
-define(`NS_GETPSTAT', `0xc0106161')
-define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
-define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
-define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
-define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
-define(`DRM_IOCTL_GET_CAP', `0xc010640c')
-define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
-define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
-define(`DRM_IOCTL_RES_CTX', `0xc0106426')
-define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
-define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
-define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
-define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
-define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
-define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
-define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
-define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
-define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
-define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
-define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
-define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
-define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
-define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
-define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
-define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
-define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
-define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
-define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
-define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
-define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
-define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
-define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
-define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
-define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
-define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
-define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
-define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
-define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
-define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
-define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
-define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
-define(`MGSL_IOCWAITGPIO', `0xc0106d12')
-define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
-define(`DMX_GET_STC', `0xc0106f32')
-define(`UVCIOC_CTRL_QUERY', `0xc0107521')
-define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
-define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
-define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
-define(`SNDCTL_COPR_RDATA', `0xc0144302')
-define(`SNDCTL_COPR_RCODE', `0xc0144303')
-define(`SNDCTL_COPR_RUN', `0xc0144306')
-define(`SNDCTL_COPR_HALT', `0xc0144307')
-define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
-define(`VIDIOC_REQBUFS', `0xc0145608')
-define(`VIDIOC_G_CROP', `0xc014563b')
-define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
-define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
-define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
-define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
-define(`HIDIOCGUSAGE', `0xc018480b')
-define(`HIDIOCGUCODE', `0xc018480d')
-define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
-define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
-define(`MEMWRITEOOB64', `0xc0184d15')
-define(`MEMREADOOB64', `0xc0184d16')
-define(`USBDEVFS_CONTROL', `0xc0185500')
-define(`USBDEVFS_BULK', `0xc0185502')
-define(`PACKET_CTRL_CMD', `0xc0185801')
-define(`FITRIM', `0xc0185879')
-define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
-define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
-define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
-define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
-define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
-define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
-define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
-define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
-define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
-define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
-define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
-define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
-define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
-define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
-define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
-define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
-define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
-define(`I2OHRTGET', `0xc0186901')
-define(`I2OLCTGET', `0xc0186902')
-define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
-define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
-define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
-define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
-define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
-define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
-define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
-define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
-define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
-define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
-define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
-define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
-define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
-define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
-define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
-define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
-define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
-define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
-define(`KVM_TRANSLATE', `0xc018ae85')
-define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
-define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
-define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
-define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
-define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
-define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
-define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
-define(`ION_IOC_ALLOC', `0xc0204900')
-define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
-define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
-define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
-define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
-define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
-define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
-define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
-define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
-define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
-define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
-define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
-define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
-define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
-define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
-define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
-define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
-define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
-define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
-define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
-define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
-define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
-define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
-define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
-define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
-define(`FS_IOC_FIEMAP', `0xc020660b')
-define(`GENWQE_PIN_MEM', `0xc020a528')
-define(`GENWQE_UNPIN_MEM', `0xc020a529')
-define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
-define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
-define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
-define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
-define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
-define(`SYNC_IOC_MERGE', `0xc0283e01')
-define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
-define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
-define(`VIDIOC_G_EDID', `0xc0285628')
-define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
-define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
-define(`VIDIOC_S_EDID', `0xc0285629')
-define(`VIDIOC_ENCODER_CMD', `0xc028564d')
-define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
-define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
-define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
-define(`DRM_IOCTL_GET_MAP', `0xc0286404')
-define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
-define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
-define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
-define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
-define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
-define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
-define(`I2OPARMSET', `0xc0286903')
-define(`I2OPARMGET', `0xc0286904')
-define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
-define(`PHN_GETREGS', `0xc0287007')
-define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
-define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
-define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
-define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
-define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
-define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
-define(`VIDIOC_QUERYMENU', `0xc02c5625')
-define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
-define(`VIDIOC_CROPCAP', `0xc02c563a')
-define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
-define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
-define(`MEMWRITE', `0xc0304d18')
-define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
-define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
-define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
-define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
-define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
-define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
-define(`BINDER_WRITE_READ', `0xc0306201')
-define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
-define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
-define(`I2OSWDL', `0xc0306905')
-define(`I2OSWUL', `0xc0306906')
-define(`I2OSWDEL', `0xc0306907')
-define(`I2OHTML', `0xc0306909')
-define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
-define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
-define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
-define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
-define(`VIDIOC_ENUMAUDIO', `0xc0345641')
-define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
-define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
-define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
-define(`HIDIOCGFIELDINFO', `0xc038480a')
-define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
-define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
-define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
-define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
-define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
-define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
-define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
-define(`GENWQE_SLU_UPDATE', `0xc038a550')
-define(`GENWQE_SLU_READ', `0xc038a551')
-define(`CAPI_GET_PROFILE', `0xc0404309')
-define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
-define(`VIDIOC_ENUM_FMT', `0xc0405602')
-define(`VIDIOC_EXPBUF', `0xc0405610')
-define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
-define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
-define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
-define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
-define(`VIDIOC_G_SELECTION', `0xc040565e')
-define(`VIDIOC_S_SELECTION', `0xc040565f')
-define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
-define(`DRM_IOCTL_VERSION', `0xc0406400')
-define(`DRM_IOCTL_DMA', `0xc0406429')
-define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
-define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
-define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
-define(`VIDIOC_QUERYCTRL', `0xc0445624')
-define(`VIDIOC_G_MODULATOR', `0xc0445636')
-define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
-define(`BLKTRACESETUP', `0xc0481273')
-define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
-define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
-define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
-define(`VIDIOC_ENUMSTD', `0xc0485619')
-define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
-define(`VIDIOC_DECODER_CMD', `0xc0485660')
-define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
-define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
-define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
-define(`VIDEO_COMMAND', `0xc0486f3b')
-define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
-define(`KVM_GET_PIT', `0xc048ae65')
-define(`MMC_IOC_CMD', `0xc048b300')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
-define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
-define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
-define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
-define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
-define(`VIDIOC_ENUMINPUT', `0xc050561a')
-define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
-define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
-define(`VIDIOC_G_TUNER', `0xc054561d')
-define(`SISFB_COMMAND', `0xc054f305')
-define(`CCISS_PASSTHRU', `0xc058420b')
-define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
-define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
-define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
-define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
-define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
-define(`VIDIOC_QUERYBUF', `0xc0585609')
-define(`VIDIOC_QBUF', `0xc058560f')
-define(`VIDIOC_DQBUF', `0xc0585611')
-define(`VIDIOC_PREPARE_BUF', `0xc058565d')
-define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
-define(`PTP_PIN_GETFUNC', `0xc0603d06')
-define(`CCISS_BIG_PASSTHRU', `0xc0604212')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
-define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
-define(`UVCIOC_CTRL_MAP', `0xc0607520')
-define(`FBIO_CURSOR', `0xc0684608')
-define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
-define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
-define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
-define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
-define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
-define(`SNDCTL_MIDI_INFO', `0xc074510c')
-define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
-define(`SOUND_MIXER_ACCESS', `0xc0804d66')
-define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
-define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
-define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
-define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
-define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
-define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
-define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
-define(`SNDCTL_SYNTH_ID', `0xc08c5114')
-define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
-define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
-define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
-define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
-define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
-define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
-define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
-define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
-define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
-define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
-define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
-define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
-define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
-define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
-define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
-define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
-define(`VIDIOC_G_PARM', `0xc0cc5615')
-define(`VIDIOC_S_PARM', `0xc0cc5616')
-define(`VIDIOC_G_FMT', `0xc0d05604')
-define(`VIDIOC_S_FMT', `0xc0d05605')
-define(`VIDIOC_TRY_FMT', `0xc0d05640')
-define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
-define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
-define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
-define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
-define(`VIDIOC_CREATE_BUFS', `0xc100565c')
-define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
-define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
-define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
-define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
-define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
-define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
-define(`DM_VERSION', `0xc138fd00')
-define(`DM_REMOVE_ALL', `0xc138fd01')
-define(`DM_LIST_DEVICES', `0xc138fd02')
-define(`DM_DEV_CREATE', `0xc138fd03')
-define(`DM_DEV_REMOVE', `0xc138fd04')
-define(`DM_DEV_RENAME', `0xc138fd05')
-define(`DM_DEV_SUSPEND', `0xc138fd06')
-define(`DM_DEV_STATUS', `0xc138fd07')
-define(`DM_DEV_WAIT', `0xc138fd08')
-define(`DM_TABLE_LOAD', `0xc138fd09')
-define(`DM_TABLE_CLEAR', `0xc138fd0a')
-define(`DM_TABLE_DEPS', `0xc138fd0b')
-define(`DM_TABLE_STATUS', `0xc138fd0c')
-define(`DM_LIST_VERSIONS', `0xc138fd0d')
-define(`DM_TARGET_MSG', `0xc138fd0e')
-define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
-define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
-define(`KVM_GET_IRQCHIP', `0xc208ae62')
-define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
-define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
-define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
-define(`BTRFS_IOC_SCRUB', `0xc400941b')
-define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
-define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
-define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
-define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
-define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
-define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
-define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
-define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
-define(`SNDCTL_COPR_LOAD', `0xcfb04301')
-define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
-define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
-define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
-define(`HIDIOCGUSAGES', `0xd01c4813')
-define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
-define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
-define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
-define(`PPPIOCGL2TPSTATS', `0x7436')
-define(`PPPIOCGCHAN', `0x7437')
-define(`PPPIOCATTCHAN', `0x7438')
-define(`PPPIOCDISCONN', `0x7439')
-define(`PPPIOCCONNECT', `0x743a')
-define(`PPPIOCSMRRU', `0x743b')
-define(`PPPIOCDETACH', `0x743c')
-define(`PPPIOCATTACH', `0x743d')
-define(`PPPIOCNEWUNIT', `0x743e')
-define(`PPPIOCGIDLE', `0x743f')
-define(`PPPIOCSDEBUG', `0x7440')
-define(`PPPIOCGDEBUG', `0x7441')
-define(`PPPIOCSACTIVE', `0x7446')
-define(`PPPIOCSPASS', `0x7447')
-define(`PPPIOCSNPMODE', `0x744b')
-define(`PPPIOCGNPMODE', `0x744c')
-define(`PPPIOCSCOMPRESS', `0x744d')
-define(`PPPIOCXFERUNIT', `0x744e')
-define(`PPPIOCSXASYNCMAP', `0x744f')
-define(`PPPIOCGXASYNCMAP', `0x7450')
-define(`PPPIOCSMAXCID', `0x7451')
-define(`PPPIOCSMRU', `0x7452')
-define(`PPPIOCGMRU', `0x7453')
-define(`PPPIOCSRASYNCMAP', `0x7454')
-define(`PPPIOCGRASYNCMAP', `0x7455')
-define(`PPPIOCGUNIT', `0x7456')
-define(`PPPIOCSASYNCMAP', `0x7457')
-define(`PPPIOCGASYNCMAP', `0x7458')
-define(`PPPIOCSFLAGS', `0x7459')
-define(`PPPIOCGFLAGS', `0x745a')
-define(`PPPIOCGCALLINFO', `0x7480')
-define(`PPPIOCBUNDLE', `0x7481')
-define(`PPPIOCGMPFLAGS', `0x7482')
-define(`PPPIOCSMPFLAGS', `0x7483')
-define(`PPPIOCSMPMTU', `0x7484')
-define(`PPPIOCSMPMRU', `0x7485')
-define(`PPPIOCGCOMPRESSORS', `0x7486')
-define(`PPPIOCSCOMPRESSOR', `0x7487')
-define(`PPPIOCGIFNAME', `0x7488')
diff --git a/prebuilts/api/27.0/public/ioctl_macros b/prebuilts/api/27.0/public/ioctl_macros
deleted file mode 100644
index f7081d5..0000000
--- a/prebuilts/api/27.0/public/ioctl_macros
+++ /dev/null
@@ -1,68 +0,0 @@
-# socket ioctls allowed to unprivileged apps
-define(`unpriv_sock_ioctls', `
-{
-# Socket ioctls for gathering information about the interface
-SIOCGSTAMP SIOCGSTAMPNS
-SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
-SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
-# Wireless extension ioctls. Primarily get functions.
-SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
-SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
-SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-}')
-
-# socket ioctls never allowed to unprivileged apps
-define(`priv_sock_ioctls', `
-{
-# qualcomm rmnet ioctls
-WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
-# socket ioctls
-SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
-SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
-SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
-SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
-SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
-SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
-SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
-SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
-SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
-SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
-# device and protocol specific ioctls
-SIOCDEVPRIVATE-SIOCDEVPRIVLAST
-SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
-# Wireless extension ioctls
-SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
-SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
-SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
-SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
-SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
-SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
-# Dev private ioctl i.e. hardware specific ioctls
-SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
-}')
-
-# commonly used ioctls on unix sockets
-define(`unpriv_unix_sock_ioctls', `{
- TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
-}')
-
-# commonly used TTY ioctls
-# merge with unpriv_unix_sock_ioctls?
-define(`unpriv_tty_ioctls', `{
- TIOCOUTQ FIOCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW
- TCFLSH TIOCSPGRP TIOCGPGRP
-}')
-
-# point to point ioctls
-define(`ppp_ioctls', `{
-PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
-PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
-PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
-PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
-PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
-PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
-PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
-PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
-PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
-PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
-}')
diff --git a/prebuilts/api/27.0/public/isolated_app.te b/prebuilts/api/27.0/public/isolated_app.te
deleted file mode 100644
index a907dac..0000000
--- a/prebuilts/api/27.0/public/isolated_app.te
+++ /dev/null
@@ -1,9 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-
-type isolated_app, domain;
diff --git a/prebuilts/api/27.0/public/kernel.te b/prebuilts/api/27.0/public/kernel.te
deleted file mode 100644
index 7f5d224..0000000
--- a/prebuilts/api/27.0/public/kernel.te
+++ /dev/null
@@ -1,104 +0,0 @@
-# Life begins with the kernel.
-type kernel, domain, mlstrustedsubject;
-
-allow kernel self:capability sys_nice;
-
-# Root fs.
-r_dir_file(kernel, rootfs)
-r_dir_file(kernel, proc)
-
-# Get SELinux enforcing status.
-allow kernel selinuxfs:dir r_dir_perms;
-allow kernel selinuxfs:file r_file_perms;
-
-# Get file contexts during first stage
-allow kernel file_contexts_file:file r_file_perms;
-
-# Allow init relabel itself.
-allow kernel rootfs:file relabelfrom;
-allow kernel init_exec:file relabelto;
-# TODO: investigate why we need this.
-allow kernel init:process share;
-
-# cgroup filesystem initialization prior to setting the cgroup root directory label.
-allow kernel unlabeled:dir search;
-
-# Mount usbfs.
-allow kernel usbfs:filesystem mount;
-allow kernel usbfs:dir search;
-
-# Initial setenforce by init prior to switching to init domain.
-# We use dontaudit instead of allow to prevent a kernel spawned userspace
-# process from turning off SELinux once enabled.
-dontaudit kernel self:security setenforce;
-
-# Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:capability sys_resource;
-
-# Init reboot before switching selinux domains under certain error
-# conditions. Allow it.
-# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
-# remount filesystems read-only. /data is not mounted at this point,
-# so we could ignore this. For now, we allow it.
-allow kernel self:capability sys_boot;
-allow kernel proc_sysrq:file w_file_perms;
-
-# Allow writing to /dev/kmsg which was created prior to loading policy.
-allow kernel tmpfs:chr_file write;
-
-# Set checkreqprot by init.rc prior to switching to init domain.
-allow kernel selinuxfs:file write;
-allow kernel self:security setcheckreqprot;
-
-# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel sdcard_type:file { read write };
-
-# f_mtp driver accesses files from kernel context.
-allow kernel mediaprovider:fd use;
-
-# Allow the kernel to read OBB files from app directories. (b/17428116)
-# Kernel thread "loop0" reads a vold supplied file descriptor.
-# Fixes CTS tests:
-# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
-# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
-allow kernel vold:fd use;
-allow kernel app_data_file:file read;
-allow kernel asec_image_file:file read;
-
-# Allow reading loop device in update_engine_unittests. (b/28319454)
-userdebug_or_eng(`
- allow kernel update_engine_data_file:file read;
- allow kernel nativetest_data_file:file read;
-')
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow kernel media_rw_data_file:dir create_dir_perms;
-allow kernel media_rw_data_file:file create_file_perms;
-
-# Access to /data/misc/vold/virtual_disk.
-allow kernel vold_data_file:file read;
-
-###
-### neverallow rules
-###
-
-# The initial task starts in the kernel domain (assigned via
-# initial_sid_contexts), but nothing ever transitions to it.
-neverallow * kernel:process { transition dyntransition };
-
-# The kernel domain is never entered via an exec, nor should it
-# ever execute a program outside the rootfs without changing to another domain.
-# If you encounter an execute_no_trans denial on the kernel domain, then
-# possible causes include:
-# - The program is a kernel usermodehelper. In this case, define a domain
-# for the program and domain_auto_trans() to it.
-# - You are running an exploit which switched to the init task credentials
-# and is then trying to exec a shell or other program. You lose!
-neverallow kernel *:file { entrypoint execute_no_trans };
-
-# the kernel should not be accessing files owned by other users.
-# Instead of adding dac_{read_search,override}, fix the unix permissions
-# on files being accessed.
-neverallow kernel self:capability { dac_override dac_read_search };
diff --git a/prebuilts/api/27.0/public/keystore.te b/prebuilts/api/27.0/public/keystore.te
deleted file mode 100644
index ee5e675..0000000
--- a/prebuilts/api/27.0/public/keystore.te
+++ /dev/null
@@ -1,34 +0,0 @@
-type keystore, domain;
-type keystore_exec, exec_type, file_type;
-
-# keystore daemon
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-binder_call(keystore, system_server)
-
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-
-add_service(keystore, keystore_service)
-allow keystore sec_key_att_app_id_provider_service:service_manager find;
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-r_dir_file(keystore, cgroup)
-
-###
-### Neverallow rules
-###
-### Protect ourself from others
-###
-
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow { domain -keystore -init } keystore_data_file:dir *;
-neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-
-neverallow * keystore:process ptrace;
diff --git a/prebuilts/api/27.0/public/lmkd.te b/prebuilts/api/27.0/public/lmkd.te
deleted file mode 100644
index 208720c..0000000
--- a/prebuilts/api/27.0/public/lmkd.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# lmkd low memory killer daemon
-type lmkd, domain, mlstrustedsubject;
-type lmkd_exec, exec_type, file_type;
-
-allow lmkd self:capability { dac_override sys_resource kill };
-
-# lmkd locks itself in memory, to prevent it from being
-# swapped out and unable to kill other memory hogs.
-# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
-# b/16236289
-allow lmkd self:capability ipc_lock;
-
-## Open and write to /proc/PID/oom_score_adj
-## TODO: maybe scope this down?
-r_dir_file(lmkd, appdomain)
-allow lmkd appdomain:file write;
-r_dir_file(lmkd, system_server)
-allow lmkd system_server:file write;
-
-## Writes to /sys/module/lowmemorykiller/parameters/minfree
-r_dir_file(lmkd, sysfs_type)
-allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-
-# Send kill signals
-allow lmkd appdomain:process sigkill;
-
-# Clean up old cgroups
-allow lmkd cgroup:dir { remove_name rmdir };
-
-# Allow to read memcg stats
-allow lmkd cgroup:file r_file_perms;
-
-# Set self to SCHED_FIFO
-allow lmkd self:capability sys_nice;
-
-allow lmkd proc_zoneinfo:file r_file_perms;
-
-### neverallow rules
-
-# never honor LD_PRELOAD
-neverallow * lmkd:process noatsecure;
diff --git a/prebuilts/api/27.0/public/logd.te b/prebuilts/api/27.0/public/logd.te
deleted file mode 100644
index 62bff97..0000000
--- a/prebuilts/api/27.0/public/logd.te
+++ /dev/null
@@ -1,73 +0,0 @@
-# android user-space log manager
-type logd, domain, mlstrustedsubject;
-type logd_exec, exec_type, file_type;
-
-# Read access to pseudo filesystems.
-r_dir_file(logd, cgroup)
-r_dir_file(logd, proc)
-r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net)
-
-allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
-allow logd self:capability2 syslog;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file w_file_perms;
-allow logd system_data_file:{ file lnk_file } r_file_perms;
-allow logd pstorefs:dir search;
-allow logd pstorefs:file r_file_perms;
-userdebug_or_eng(`
- # Access to /data/misc/logd/event-log-tags
- allow logd misc_logd_file:dir r_dir_perms;
- allow logd misc_logd_file:file rw_file_perms;
-')
-allow logd runtime_event_log_tags_file:file rw_file_perms;
-
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
-r_dir_file(logd, domain)
-
-allow logd kernel:system syslog_mod;
-
-control_logd(logd)
-read_runtime_log_tags(logd)
-
-allow runtime_event_log_tags_file tmpfs:filesystem associate;
-# Typically harmlessly blindly trying to access via liblog
-# event tag mapping while in the untrusted_app domain.
-# Access for that domain is controlled and gated via the
-# event log tag service (albeit at a performance penalty,
-# expected to be locally cached).
-dontaudit domain runtime_event_log_tags_file:file { open read };
-
-###
-### Neverallow rules
-###
-### logd should NEVER do any of this
-
-# Block device access.
-neverallow logd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logd domain:process ptrace;
-
-# ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
-
-# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
-
-# Only init is allowed to enter the logd domain via exec()
-neverallow { domain -init } logd:process transition;
-neverallow * logd:process dyntransition;
-
-# protect the event-log-tags file
-neverallow {
- domain
- -init
- -logd
-} runtime_event_log_tags_file:file no_w_file_perms;
diff --git a/prebuilts/api/27.0/public/logpersist.te b/prebuilts/api/27.0/public/logpersist.te
deleted file mode 100644
index 7536cb8..0000000
--- a/prebuilts/api/27.0/public/logpersist.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# android debug logging, logpersist domains
-type logpersist, domain;
-
-###
-### Neverallow rules
-###
-### logpersist should NEVER do any of this
-
-# Block device access.
-neverallow logpersist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logpersist domain:process ptrace;
-
-# Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
-
-# Only init should be allowed to enter the logpersist domain via exec()
-# Following is a list of debug domains we know that transition to logpersist
-# neverallow_with_undefined_domains {
-# domain
-# -init # goldfish, logcatd, raft
-# -mmi # bat, mtp8996, msmcobalt
-# -system_app # Smith.apk
-# } logpersist:process transition;
-neverallow * logpersist:process dyntransition;
diff --git a/prebuilts/api/27.0/public/mdnsd.te b/prebuilts/api/27.0/public/mdnsd.te
deleted file mode 100644
index ef7b065..0000000
--- a/prebuilts/api/27.0/public/mdnsd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# mdns daemon
-type mdnsd, domain;
diff --git a/prebuilts/api/27.0/public/mediacodec.te b/prebuilts/api/27.0/public/mediacodec.te
deleted file mode 100644
index bcccbb8..0000000
--- a/prebuilts/api/27.0/public/mediacodec.te
+++ /dev/null
@@ -1,69 +0,0 @@
-# mediacodec - audio and video codecs live here
-type mediacodec, domain;
-type mediacodec_exec, exec_type, vendor_file_type, file_type;
-
-typeattribute mediacodec mlstrustedsubject;
-
-# TODO(b/36375899) attributize this domain appropriately as hal_omx
-# and use macro hal_server_domain
-get_prop(mediacodec, hwservicemanager_prop)
-
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(mediacodec)
-
-not_full_treble(`
- # on legacy devices, continue to allow /dev/binder traffic
- binder_use(mediacodec)
- binder_service(mediacodec)
- add_service(mediacodec, mediacodec_service)
- allow mediacodec mediametrics_service:service_manager find;
- allow mediacodec surfaceflinger_service:service_manager find;
-')
-binder_call(mediacodec, binderservicedomain)
-binder_call(mediacodec, appdomain)
-
-# Allow mediacodec access to composer sync fences
-allow mediacodec hal_graphics_composer:fd use;
-
-allow mediacodec gpu_device:chr_file rw_file_perms;
-allow mediacodec video_device:chr_file rw_file_perms;
-allow mediacodec video_device:dir search;
-allow mediacodec ion_device:chr_file rw_file_perms;
-allow mediacodec hal_camera:fd use;
-
-crash_dump_fallback(mediacodec)
-
-add_hwservice(mediacodec, hal_omx_hwservice)
-
-hal_client_domain(mediacodec, hal_allocator)
-
-hal_client_domain(mediacodec, hal_cas)
-
-# allocate and use graphic buffers
-hal_client_domain(mediacodec, hal_graphics_allocator)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to mediacodec via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediacodec bufferhubd:fd use;
-
-###
-### neverallow rules
-###
-
-# mediacodec should never execute any executable without a
-# domain transition
-neverallow mediacodec { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/27.0/public/mediadrmserver.te b/prebuilts/api/27.0/public/mediadrmserver.te
deleted file mode 100644
index 123cb29..0000000
--- a/prebuilts/api/27.0/public/mediadrmserver.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# mediadrmserver - mediadrm daemon
-type mediadrmserver, domain;
-type mediadrmserver_exec, exec_type, file_type;
-
-typeattribute mediadrmserver mlstrustedsubject;
-
-net_domain(mediadrmserver)
-binder_use(mediadrmserver)
-binder_call(mediadrmserver, binderservicedomain)
-binder_call(mediadrmserver, appdomain)
-binder_service(mediadrmserver)
-hal_client_domain(mediadrmserver, hal_drm)
-
-add_service(mediadrmserver, mediadrmserver_service)
-allow mediadrmserver mediaserver_service:service_manager find;
-allow mediadrmserver mediametrics_service:service_manager find;
-allow mediadrmserver processinfo_service:service_manager find;
-allow mediadrmserver surfaceflinger_service:service_manager find;
-allow mediadrmserver system_file:dir r_dir_perms;
-
-binder_call(mediadrmserver, mediacodec)
-###
-### neverallow rules
-###
-
-# mediadrmserver should never execute any executable without a
-# domain transition
-neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/27.0/public/mediaextractor.te b/prebuilts/api/27.0/public/mediaextractor.te
deleted file mode 100644
index 05e65bf..0000000
--- a/prebuilts/api/27.0/public/mediaextractor.te
+++ /dev/null
@@ -1,52 +0,0 @@
-# mediaextractor - multimedia daemon
-type mediaextractor, domain;
-type mediaextractor_exec, exec_type, file_type;
-
-typeattribute mediaextractor mlstrustedsubject;
-
-binder_use(mediaextractor)
-binder_call(mediaextractor, binderservicedomain)
-binder_call(mediaextractor, appdomain)
-binder_service(mediaextractor)
-
-add_service(mediaextractor, mediaextractor_service)
-allow mediaextractor mediametrics_service:service_manager find;
-allow mediaextractor hidl_token_hwservice:hwservice_manager find;
-
-allow mediaextractor system_server:fd use;
-
-hal_client_domain(mediaextractor, hal_cas)
-
-r_dir_file(mediaextractor, cgroup)
-allow mediaextractor proc_meminfo:file r_file_perms;
-
-crash_dump_fallback(mediaextractor)
-
-# allow mediaextractor read permissions for file sources
-allow mediaextractor media_rw_data_file:file { getattr read };
-allow mediaextractor app_data_file:file { getattr read };
-
-# Read resources from open apk files passed over Binder
-allow mediaextractor apk_data_file:file { read getattr };
-allow mediaextractor asec_apk_file:file { read getattr };
-allow mediaextractor ringtone_file:file { read getattr };
-
-###
-### neverallow rules
-###
-
-# mediaextractor should never execute any executable without a
-# domain transition
-neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/27.0/public/mediametrics.te b/prebuilts/api/27.0/public/mediametrics.te
deleted file mode 100644
index ada90cc..0000000
--- a/prebuilts/api/27.0/public/mediametrics.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# mediametrics - daemon for collecting media.metrics data
-type mediametrics, domain;
-type mediametrics_exec, exec_type, file_type;
-
-
-binder_use(mediametrics)
-binder_call(mediametrics, binderservicedomain)
-binder_service(mediametrics)
-
-add_service(mediametrics, mediametrics_service)
-
-allow mediametrics system_server:fd use;
-
-r_dir_file(mediametrics, cgroup)
-allow mediametrics proc_meminfo:file r_file_perms;
-
-# allows interactions with dumpsys to GMScore
-allow mediametrics app_data_file:file write;
-
-# allow access to package manager for uid->apk mapping
-allow mediametrics package_native_service:service_manager find;
-
-###
-### neverallow rules
-###
-
-# mediametrics should never execute any executable without a
-# domain transition
-neverallow mediametrics { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/27.0/public/mediaserver.te b/prebuilts/api/27.0/public/mediaserver.te
deleted file mode 100644
index 6efaf0f..0000000
--- a/prebuilts/api/27.0/public/mediaserver.te
+++ /dev/null
@@ -1,150 +0,0 @@
-# mediaserver - multimedia daemon
-type mediaserver, domain;
-type mediaserver_exec, exec_type, file_type;
-
-typeattribute mediaserver mlstrustedsubject;
-
-# TODO(b/36375899): replace with hal_client_domain macro on hal_omx
-typeattribute mediaserver halclientdomain;
-
-net_domain(mediaserver)
-
-r_dir_file(mediaserver, sdcard_type)
-r_dir_file(mediaserver, cgroup)
-
-# stat /proc/self
-allow mediaserver proc:lnk_file getattr;
-
-# open /vendor/lib/mediadrm
-allow mediaserver system_file:dir r_dir_perms;
-
-userdebug_or_eng(`
- # ptrace to processes in the same domain for memory leak detection
- allow mediaserver self:process ptrace;
-')
-
-binder_use(mediaserver)
-binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
-binder_service(mediaserver)
-
-allow mediaserver media_data_file:dir create_dir_perms;
-allow mediaserver media_data_file:file create_file_perms;
-allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file rw_file_perms;
-allow mediaserver sdcard_type:file write;
-allow mediaserver gpu_device:chr_file rw_file_perms;
-allow mediaserver video_device:dir r_dir_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
-
-set_prop(mediaserver, audio_prop)
-
-# XXX Label with a specific type?
-allow mediaserver sysfs:file r_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow mediaserver apk_data_file:file { read getattr };
-allow mediaserver asec_apk_file:file { read getattr };
-allow mediaserver ringtone_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow mediaserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow mediaserver appdomain:fifo_file { getattr read write };
-
-allow mediaserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system_server:fifo_file r_file_perms;
-
-r_dir_file(mediaserver, media_rw_data_file)
-
-# Grant access to read files on appfuse.
-allow mediaserver app_fuse_file:file { read getattr };
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver qtaguid_proc:file rw_file_perms;
-allow mediaserver qtaguid_device:chr_file r_file_perms;
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(mediaserver, drmserver, drmserver)
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(mediaserver, bluetooth, bluetooth)
-
-add_service(mediaserver, mediaserver_service)
-allow mediaserver activity_service:service_manager find;
-allow mediaserver appops_service:service_manager find;
-allow mediaserver audioserver_service:service_manager find;
-allow mediaserver cameraserver_service:service_manager find;
-allow mediaserver batterystats_service:service_manager find;
-allow mediaserver drmserver_service:service_manager find;
-allow mediaserver mediaextractor_service:service_manager find;
-allow mediaserver mediacodec_service:service_manager find;
-allow mediaserver mediametrics_service:service_manager find;
-allow mediaserver media_session_service:service_manager find;
-allow mediaserver permission_service:service_manager find;
-allow mediaserver power_service:service_manager find;
-allow mediaserver processinfo_service:service_manager find;
-allow mediaserver scheduling_policy_service:service_manager find;
-allow mediaserver surfaceflinger_service:service_manager find;
-
-# for ModDrm/MediaPlayer
-allow mediaserver mediadrmserver_service:service_manager find;
-
-# For interfacing with OMX HAL
-allow mediaserver hidl_token_hwservice:hwservice_manager find;
-
-# /oem access
-allow mediaserver oemfs:dir search;
-allow mediaserver oemfs:file r_file_perms;
-
-use_drmservice(mediaserver)
-allow mediaserver drmserver:drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-};
-
-# only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow mediaserver media_rw_data_file:dir create_dir_perms;
-allow mediaserver media_rw_data_file:file create_file_perms;
-
-# Access to media in /data/preloads
-allow mediaserver preloads_media_file:file { getattr read ioctl };
-
-allow mediaserver ion_device:chr_file r_file_perms;
-allow mediaserver hal_graphics_allocator:fd use;
-allow mediaserver hal_graphics_composer:fd use;
-allow mediaserver hal_camera:fd use;
-
-allow mediaserver system_server:fd use;
-
-hal_client_domain(mediaserver, hal_allocator)
-
-binder_call(mediaserver, mediacodec)
-
-###
-### neverallow rules
-###
-
-# mediaserver should never execute any executable without a
-# domain transition
-neverallow mediaserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/27.0/public/modprobe.te b/prebuilts/api/27.0/public/modprobe.te
deleted file mode 100644
index 3ed320e..0000000
--- a/prebuilts/api/27.0/public/modprobe.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type modprobe, domain;
-
-allow modprobe proc_modules:file r_file_perms;
-allow modprobe self:capability sys_module;
-allow modprobe kernel:key search;
-recovery_only(`
- allow modprobe rootfs:system module_load;
- allow modprobe rootfs:file r_file_perms;
-')
-allow modprobe { system_file }:system module_load;
-r_dir_file(modprobe, { system_file })
diff --git a/prebuilts/api/27.0/public/mtp.te b/prebuilts/api/27.0/public/mtp.te
deleted file mode 100644
index a776240..0000000
--- a/prebuilts/api/27.0/public/mtp.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# vpn tunneling protocol manager
-type mtp, domain;
-type mtp_exec, exec_type, file_type;
-
-net_domain(mtp)
-
-# pptp policy
-allow mtp self:socket create_socket_perms_no_ioctl;
-allow mtp self:capability net_raw;
-allow mtp ppp:process signal;
-allow mtp vpn_data_file:dir search;
diff --git a/prebuilts/api/27.0/public/net.te b/prebuilts/api/27.0/public/net.te
deleted file mode 100644
index 7e00ed8..0000000
--- a/prebuilts/api/27.0/public/net.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# Network types
-type node, node_type;
-type netif, netif_type;
-type port, port_type;
diff --git a/prebuilts/api/27.0/public/netd.te b/prebuilts/api/27.0/public/netd.te
deleted file mode 100644
index 7f7872e..0000000
--- a/prebuilts/api/27.0/public/netd.te
+++ /dev/null
@@ -1,129 +0,0 @@
-# network manager
-type netd, domain, mlstrustedsubject;
-type netd_exec, exec_type, file_type;
-
-net_domain(netd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
-allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(netd, cgroup)
-allow netd system_server:fd use;
-
-allow netd self:capability { net_admin net_raw kill };
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set. We do not appear to truly need this capability
-# for netd to operate.
-dontaudit netd self:capability fsetid;
-
-allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_route_socket nlmsg_write;
-allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-allow netd shell_exec:file rx_file_perms;
-allow netd system_file:file x_file_perms;
-not_full_treble(`allow netd vendor_file:file x_file_perms;')
-allow netd devpts:chr_file rw_file_perms;
-
-# Acquire advisory lock on /system/etc/xtables.lock
-allow netd system_file:file lock;
-
-r_dir_file(netd, proc_net)
-# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
-
-# Enables PppController and interface enumeration (among others)
-r_dir_file(netd, sysfs_type)
-# Allows setting interface MTU
-allow netd sysfs:file write;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow netd sysfs_usb:file write;
-
-# TODO: netd previously thought it needed these permissions to do WiFi related
-# work. However, after all the WiFi stuff is gone, we still need them.
-# Why?
-allow netd self:capability { dac_override chown };
-
-# Needed to update /data/misc/net/rt_tables
-allow netd net_data_file:file create_file_perms;
-allow netd net_data_file:dir rw_dir_perms;
-allow netd self:capability fowner;
-
-# Needed to lock the iptables lock.
-allow netd system_file:file lock;
-
-# Allow netd to spawn dnsmasq in it's own domain
-allow netd dnsmasq:process signal;
-
-# Allow netd to start clatd in its own domain
-allow netd clatd:process signal;
-
-set_prop(netd, ctl_mdnsd_prop)
-set_prop(netd, netd_stable_secret_prop)
-
-# Allow netd to publish a binder service and make binder calls.
-binder_use(netd)
-add_service(netd, netd_service)
-allow netd dumpstate:fifo_file { getattr write };
-
-# Allow netd to call into the system server so it can check permissions.
-allow netd system_server:binder call;
-allow netd permission_service:service_manager find;
-
-# Allow netd to talk to the framework service which collects netd events.
-allow netd netd_listener_service:service_manager find;
-
-# Allow netd to operate on sockets that are passed to it.
-allow netd netdomain:{
- tcp_socket
- udp_socket
- rawip_socket
- tun_socket
-} { read write getattr setattr getopt setopt };
-allow netd netdomain:fd use;
-
-# give netd permission to read and write netlink xfrm
-allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
-
-# Allow netd to register as hal server.
-add_hwservice(netd, system_net_netd_hwservice)
-hwbinder_use(netd)
-get_prop(netd, hwservicemanager_prop)
-
-###
-### Neverallow rules
-###
-### netd should NEVER do any of this
-
-# Block device access.
-neverallow netd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow netd { domain }:process ptrace;
-
-# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
-
-# only system_server and dumpstate may find netd service
-neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
-
-# apps may not interact with netd over binder.
-neverallow appdomain netd:binder call;
-neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
-
-# persist.netd.stable_secret contains RFC 7217 secret key which should never be
-# leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
-
-# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
-# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
-neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/prebuilts/api/27.0/public/netutils_wrapper.te b/prebuilts/api/27.0/public/netutils_wrapper.te
deleted file mode 100644
index c844762..0000000
--- a/prebuilts/api/27.0/public/netutils_wrapper.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type netutils_wrapper, domain;
-type netutils_wrapper_exec, exec_type, file_type;
-
-neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/prebuilts/api/27.0/public/neverallow_macros b/prebuilts/api/27.0/public/neverallow_macros
deleted file mode 100644
index e2b6ed1..0000000
--- a/prebuilts/api/27.0/public/neverallow_macros
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Common neverallow permissions
-define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
-define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
-define(`no_x_file_perms', `{ execute execute_no_trans }')
-define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
-
-#####################################
-# neverallow_establish_socket_comms(src, dst)
-# neverallow src domain establishing socket connections to dst domain.
-#
-define(`neverallow_establish_socket_comms', `
- neverallow $1 $2:socket_class_set { connect sendto };
- neverallow $1 $2:unix_stream_socket connectto;
-')
diff --git a/prebuilts/api/27.0/public/nfc.te b/prebuilts/api/27.0/public/nfc.te
deleted file mode 100644
index e3a03e7..0000000
--- a/prebuilts/api/27.0/public/nfc.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# nfc subsystem
-type nfc, domain;
diff --git a/prebuilts/api/27.0/public/otapreopt_chroot.te b/prebuilts/api/27.0/public/otapreopt_chroot.te
deleted file mode 100644
index c071f44..0000000
--- a/prebuilts/api/27.0/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# otapreopt_chroot executable
-type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, exec_type, file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:capability { sys_admin sys_chroot };
-
-# This is required to mount /vendor.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem mount;
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/prebuilts/api/27.0/public/otapreopt_slot.te b/prebuilts/api/27.0/public/otapreopt_slot.te
deleted file mode 100644
index 6551864..0000000
--- a/prebuilts/api/27.0/public/otapreopt_slot.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# otapreopt_slot
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-type otapreopt_slot, domain, mlstrustedsubject;
-type otapreopt_slot_exec, exec_type, file_type;
-
-
-# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
-# the directory afterwards. For logging of aggregate size, we need getattr.
-allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
-allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
-# (du follows symlinks)
-allow otapreopt_slot ota_data_file:lnk_file read;
-
-# Delete old content of the dalvik-cache.
-allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
-allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
-allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow otapreopt_slot shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
-# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
-allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/27.0/public/performanced.te b/prebuilts/api/27.0/public/performanced.te
deleted file mode 100644
index 9bf813e..0000000
--- a/prebuilts/api/27.0/public/performanced.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# performanced
-type performanced, domain, mlstrustedsubject;
-type performanced_exec, exec_type, file_type;
-
-# Needed to check for app permissions.
-binder_use(performanced)
-binder_call(performanced, system_server)
-allow performanced permission_service:service_manager find;
-
-pdx_server(performanced, performance_client)
-
-# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
-allow performanced self:capability { setuid setgid sys_nice };
-
-# Access /proc to validate we're only affecting threads in the same thread group.
-# Performanced also shields unbound kernel threads. It scans every task in the
-# root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
-dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
-
-# Access /dev/cpuset/cpuset.cpus
-r_dir_file(performanced, cgroup)
diff --git a/prebuilts/api/27.0/public/perfprofd.te b/prebuilts/api/27.0/public/perfprofd.te
deleted file mode 100644
index bfb8693..0000000
--- a/prebuilts/api/27.0/public/perfprofd.te
+++ /dev/null
@@ -1,59 +0,0 @@
-# perfprofd - perf profile collection daemon
-type perfprofd, domain;
-type perfprofd_exec, exec_type, file_type;
-
-userdebug_or_eng(`
-
- typeattribute perfprofd coredomain;
- typeattribute perfprofd mlstrustedsubject;
-
- # perfprofd needs to control CPU hot-plug in order to avoid kernel
- # perfevents problems in cases where CPU goes on/off during measurement;
- # this means read access to /sys/devices/system/cpu/possible
- # and read/write access to /sys/devices/system/cpu/cpu*/online
- allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
-
- # perfprofd checks for the existence of and then invokes simpleperf;
- # simpleperf retains perfprofd domain after exec
- allow perfprofd system_file:file rx_file_perms;
-
- # perfprofd reads a config file from /data/data/com.google.android.gms/files
- allow perfprofd app_data_file:file r_file_perms;
- allow perfprofd app_data_file:dir search;
- allow perfprofd self:capability { dac_override };
-
- # perfprofd opens a file for writing in /data/misc/perfprofd
- allow perfprofd perfprofd_data_file:file create_file_perms;
- allow perfprofd perfprofd_data_file:dir rw_dir_perms;
-
- # perfprofd uses the system log
- read_logd(perfprofd);
- write_logd(perfprofd);
-
- # perfprofd inspects /sys/power/wake_unlock
- wakelock_use(perfprofd);
-
- # simpleperf uses ioctl() to turn on kernel perf events measurements
- allow perfprofd self:capability sys_admin;
-
- # simpleperf needs to examine /proc to collect task/thread info
- r_dir_file(perfprofd, domain)
-
- # simpleperf needs to access /proc/<pid>/exec
- allow perfprofd self:capability { sys_resource sys_ptrace };
- neverallow perfprofd domain:process ptrace;
-
- # simpleperf needs open/read any file that turns up in a profile
- # to see whether it has a build ID
- allow perfprofd exec_type:file r_file_perms;
-
- # simpleperf examines debugfs on startup to collect tracepoint event types
- allow perfprofd debugfs_tracing:file r_file_perms;
-
- # simpleperf is going to execute "sleep"
- allow perfprofd toolbox_exec:file rx_file_perms;
-
- # needed for simpleperf on some kernels
- allow perfprofd self:capability ipc_lock;
-
-')
diff --git a/prebuilts/api/27.0/public/platform_app.te b/prebuilts/api/27.0/public/platform_app.te
deleted file mode 100644
index 9b1faf0..0000000
--- a/prebuilts/api/27.0/public/platform_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-type platform_app, domain;
diff --git a/prebuilts/api/27.0/public/postinstall.te b/prebuilts/api/27.0/public/postinstall.te
deleted file mode 100644
index 7fd4dc6..0000000
--- a/prebuilts/api/27.0/public/postinstall.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# Domain where the postinstall program runs during the update.
-# Extend the permissions in this domain to allow this program to access other
-# files needed by the specific device on your device's sepolicy directory.
-type postinstall, domain;
-
-# Allow postinstall to write to its stdout/stderr when redirected via pipes to
-# update_engine.
-allow postinstall update_engine_common:fd use;
-allow postinstall update_engine_common:fifo_file rw_file_perms;
-
-# Allow postinstall to read and execute directories and files in the same
-# mounted location.
-allow postinstall postinstall_file:file rx_file_perms;
-allow postinstall postinstall_file:lnk_file r_file_perms;
-allow postinstall postinstall_file:dir r_dir_perms;
-
-# Allow postinstall to execute the shell or other system executables.
-allow postinstall shell_exec:file rx_file_perms;
-allow postinstall system_file:file rx_file_perms;
-allow postinstall toolbox_exec:file rx_file_perms;
-
-#
-# For OTA dexopt.
-#
-
-# Allow postinstall scripts to talk to the system server.
-binder_use(postinstall)
-binder_call(postinstall, system_server)
-
-# Need to talk to the otadexopt service.
-allow postinstall otadexopt_service:service_manager find;
-
-# No domain other than update_engine and recovery (via update_engine_sideload)
-# should transition to postinstall, as it is only meant to run during the
-# update.
-neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/prebuilts/api/27.0/public/postinstall_dexopt.te b/prebuilts/api/27.0/public/postinstall_dexopt.te
deleted file mode 100644
index 0ce617b..0000000
--- a/prebuilts/api/27.0/public/postinstall_dexopt.te
+++ /dev/null
@@ -1,57 +0,0 @@
-# Domain for the otapreopt executable, running under postinstall_dexopt
-#
-# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
-# this is derived and adapted from installd.te.
-
-type postinstall_dexopt, domain;
-
-allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
-
-allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr search };
-allow postinstall_dexopt postinstall_file:lnk_file read;
-allow postinstall_dexopt proc:file { getattr open read };
-allow postinstall_dexopt tmpfs:file read;
-
-# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
-# here and having to relabel the directory.
-
-# Read app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, apk_data_file)
-# Read vendor app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_app_file)
-# Access to app oat directory.
-r_dir_file(postinstall_dexopt, dalvikcache_data_file)
-
-# Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
-allow postinstall_dexopt user_profile_data_file:file r_file_perms;
-
-# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
-allow postinstall_dexopt ota_data_file:dir create_dir_perms;
-allow postinstall_dexopt ota_data_file:file create_file_perms;
-allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
-
-# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
-# TODO: See whether we can apply ota_data_file?
-allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
-allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
-
-# Allow labeling of files under /data/app/com.example/oat/
-# TODO: Restrict to .b suffix?
-allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
-allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
-
-# Check validity of SELinux context before use.
-selinux_check_context(postinstall_dexopt)
-selinux_check_access(postinstall_dexopt)
-
-
-# Postinstall wants to know about our child.
-allow postinstall_dexopt postinstall:process sigchld;
-
-# Allow otapreopt to use file descriptors from otapreopt_chroot.
-# TODO: Probably we can actually close file descriptors...
-allow postinstall_dexopt otapreopt_chroot:fd use;
-
-allow postinstall_dexopt cpuctl_device:dir search;
diff --git a/prebuilts/api/27.0/public/ppp.te b/prebuilts/api/27.0/public/ppp.te
deleted file mode 100644
index 04e17f5..0000000
--- a/prebuilts/api/27.0/public/ppp.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# Point to Point Protocol daemon
-type ppp, domain;
-type ppp_device, dev_type;
-type ppp_exec, exec_type, file_type;
-
-net_domain(ppp)
-
-r_dir_file(ppp, proc_net)
-
-allow ppp mtp:socket rw_socket_perms;
-
-# ioctls needed for VPN.
-allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:socket ioctl ppp_ioctls;
-
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
-allow ppp system_file:file rx_file_perms;
-not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/prebuilts/api/27.0/public/preopt2cachename.te b/prebuilts/api/27.0/public/preopt2cachename.te
deleted file mode 100644
index 49df647..0000000
--- a/prebuilts/api/27.0/public/preopt2cachename.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# preopt2cachename executable
-#
-# This executable translates names from the preopted versions the build system
-# creates to the names the runtime expects in the data directory.
-type preopt2cachename, domain;
-type preopt2cachename_exec, exec_type, file_type;
-
-# Allow write to stdout.
-allow preopt2cachename cppreopts:fd use;
-allow preopt2cachename cppreopts:fifo_file { getattr read write };
-
-# Allow write to logcat.
-allow preopt2cachename proc_net:file r_file_perms;
diff --git a/prebuilts/api/27.0/public/priv_app.te b/prebuilts/api/27.0/public/priv_app.te
deleted file mode 100644
index 0761fc3..0000000
--- a/prebuilts/api/27.0/public/priv_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-
-type priv_app, domain;
diff --git a/prebuilts/api/27.0/public/profman.te b/prebuilts/api/27.0/public/profman.te
deleted file mode 100644
index a5c18b5..0000000
--- a/prebuilts/api/27.0/public/profman.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# profman
-type profman, domain;
-type profman_exec, exec_type, file_type;
-
-allow profman user_profile_data_file:file { getattr read write lock };
-
-# Dumping profile info opens the application APK file for pretty printing.
-allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { read };
-allow profman oemfs:file { read };
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-allow profman tmpfs:file { read };
-allow profman profman_dump_data_file:file { write };
-
-allow profman installd:fd use;
-
-# Allow profman to analyze profiles for the secondary dex files. These
-# are application dex files reported back to the framework when using
-# BaseDexClassLoader.
-allow profman app_data_file:file { getattr read write lock };
-
-###
-### neverallow rules
-###
-
-neverallow profman app_data_file:notdevfile_class_set open;
diff --git a/prebuilts/api/27.0/public/property.te b/prebuilts/api/27.0/public/property.te
deleted file mode 100644
index 2c716c5..0000000
--- a/prebuilts/api/27.0/public/property.te
+++ /dev/null
@@ -1,90 +0,0 @@
-type audio_prop, property_type, core_property_type;
-type boottime_prop, property_type;
-type boottime_public_prop, property_type;
-type bluetooth_prop, property_type;
-type config_prop, property_type, core_property_type;
-type cppreopt_prop, property_type, core_property_type;
-type ctl_bootanim_prop, property_type;
-type ctl_bugreport_prop, property_type;
-type ctl_console_prop, property_type;
-type ctl_default_prop, property_type;
-type ctl_dumpstate_prop, property_type;
-type ctl_fuse_prop, property_type;
-type ctl_mdnsd_prop, property_type;
-type ctl_rildaemon_prop, property_type;
-type dalvik_prop, property_type, core_property_type;
-type debuggerd_prop, property_type, core_property_type;
-type debug_prop, property_type, core_property_type;
-type default_prop, property_type, core_property_type;
-type device_logging_prop, property_type;
-type dhcp_prop, property_type, core_property_type;
-type dumpstate_options_prop, property_type;
-type dumpstate_prop, property_type, core_property_type;
-type ffs_prop, property_type, core_property_type;
-type fingerprint_prop, property_type, core_property_type;
-type firstboot_prop, property_type;
-type hwservicemanager_prop, property_type;
-type logd_prop, property_type, core_property_type;
-type logpersistd_logging_prop, property_type;
-type log_prop, property_type, log_property_type;
-type log_tag_prop, property_type, log_property_type;
-type mmc_prop, property_type;
-type net_dns_prop, property_type;
-type net_radio_prop, property_type, core_property_type;
-type netd_stable_secret_prop, property_type;
-type nfc_prop, property_type, core_property_type;
-type overlay_prop, property_type;
-type pan_result_prop, property_type, core_property_type;
-type persist_debug_prop, property_type, core_property_type;
-type persistent_properties_ready_prop, property_type;
-type powerctl_prop, property_type, core_property_type;
-type radio_prop, property_type, core_property_type;
-type restorecon_prop, property_type, core_property_type;
-type safemode_prop, property_type;
-type serialno_prop, property_type;
-type shell_prop, property_type, core_property_type;
-type system_prop, property_type, core_property_type;
-type system_radio_prop, property_type, core_property_type;
-type vold_prop, property_type, core_property_type;
-type wifi_log_prop, property_type, log_property_type;
-type wifi_prop, property_type;
-
-allow property_type tmpfs:filesystem associate;
-
-###
-### Neverallow rules
-###
-
-# core_property_type should not be used for new properties or
-# device specific properties. Properties with this attribute
-# are readable to everyone, which is overly broad and should
-# be avoided.
-# New properties should have appropriate read / write access
-# control rules written.
-
-neverallow * {
- core_property_type
- -audio_prop
- -config_prop
- -cppreopt_prop
- -dalvik_prop
- -debuggerd_prop
- -debug_prop
- -default_prop
- -dhcp_prop
- -dumpstate_prop
- -ffs_prop
- -fingerprint_prop
- -logd_prop
- -net_radio_prop
- -nfc_prop
- -pan_result_prop
- -persist_debug_prop
- -powerctl_prop
- -radio_prop
- -restorecon_prop
- -shell_prop
- -system_prop
- -system_radio_prop
- -vold_prop
-}:file no_rw_file_perms;
diff --git a/prebuilts/api/27.0/public/racoon.te b/prebuilts/api/27.0/public/racoon.te
deleted file mode 100644
index 00744d8..0000000
--- a/prebuilts/api/27.0/public/racoon.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# IKE key management daemon
-type racoon, domain;
-type racoon_exec, exec_type, file_type;
-
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allow racoon cgroup:dir { add_name create };
-allow racoon kernel:system module_request;
-
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:capability { net_admin net_bind_service net_raw };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
- get
- sign
- verify
-};
diff --git a/prebuilts/api/27.0/public/radio.te b/prebuilts/api/27.0/public/radio.te
deleted file mode 100644
index 6f29a70..0000000
--- a/prebuilts/api/27.0/public/radio.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# phone subsystem
-type radio, domain, mlstrustedsubject;
-
-net_domain(radio)
-bluetooth_domain(radio)
-binder_service(radio)
-
-# Talks to rild via the rild socket only for devices without full treble
-not_full_treble(`unix_socket_connect(radio, rild, rild)')
-
-# Data file accesses.
-allow radio radio_data_file:dir create_dir_perms;
-allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
-allow radio alarm_device:chr_file rw_file_perms;
-
-allow radio net_data_file:dir search;
-allow radio net_data_file:file r_file_perms;
-
-# Property service
-set_prop(radio, radio_prop)
-set_prop(radio, net_radio_prop)
-
-# ctl interface
-set_prop(radio, ctl_rildaemon_prop)
-
-add_service(radio, radio_service)
-allow radio audioserver_service:service_manager find;
-allow radio cameraserver_service:service_manager find;
-allow radio drmserver_service:service_manager find;
-allow radio mediaserver_service:service_manager find;
-allow radio nfc_service:service_manager find;
-allow radio surfaceflinger_service:service_manager find;
-allow radio app_api_service:service_manager find;
-allow radio system_api_service:service_manager find;
-
-# Perform HwBinder IPC.
-hwbinder_use(radio)
-hal_client_domain(radio, hal_telephony)
diff --git a/prebuilts/api/27.0/public/recovery.te b/prebuilts/api/27.0/public/recovery.te
deleted file mode 100644
index fe0b20e..0000000
--- a/prebuilts/api/27.0/public/recovery.te
+++ /dev/null
@@ -1,159 +0,0 @@
-# recovery console (used in recovery init.rc for /sbin/recovery)
-
-# Declare the domain unconditionally so we can always reference it
-# in neverallow rules.
-type recovery, domain;
-
-# But the allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
- # Allow recovery to perform an update as update_engine would do.
- typeattribute recovery update_engine_common;
- # Recovery can only use HALs in passthrough mode
- passthrough_hal_client_domain(recovery, hal_bootctl)
-
- allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
-
- # Set security contexts on files that are not known to the loaded policy.
- allow recovery self:capability2 mac_admin;
-
- # Run helpers from / or /system without changing domain.
- r_dir_file(recovery, rootfs)
- allow recovery rootfs:file execute_no_trans;
- allow recovery system_file:file execute_no_trans;
- allow recovery toolbox_exec:file rx_file_perms;
-
- # Mount filesystems.
- allow recovery rootfs:dir mounton;
- allow recovery fs_type:filesystem ~relabelto;
- allow recovery unlabeled:filesystem ~relabelto;
- allow recovery contextmount_type:filesystem relabelto;
-
- # Create and relabel files and directories under /system.
- allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
-
- # We may be asked to set an SELinux label for a type not known to the
- # currently loaded policy. Allow it.
- allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
- # Get file contexts
- allow recovery file_contexts_file:file r_file_perms;
-
- # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
- # support to OTAs. However, that code has a bug. When an update occurs,
- # some directories are inappropriately labeled as exec_type. This is
- # only transient, and subsequent steps in the OTA script correct this
- # mistake. New devices are moving to block based OTAs, so this is not
- # worth fixing. b/15575013
- allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
-
- # Write to /proc/sys/vm/drop_caches
- allow recovery proc_drop_caches:file w_file_perms;
-
- # Read kernel config through libvintf for OTA matching
- allow recovery config_gz:file { open read getattr };
-
- # Write to /sys/class/android_usb/android0/enable.
- # TODO: create more specific label?
- r_dir_file(recovery, sysfs)
- allow recovery sysfs:file w_file_perms;
-
- # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
- allow recovery sysfs_devices_system_cpu:file w_file_perms;
-
- allow recovery sysfs_batteryinfo:file r_file_perms;
-
- # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
- # control backlight brightness.
- allow recovery sysfs_leds:dir r_dir_perms;
- allow recovery sysfs_leds:file rw_file_perms;
- allow recovery sysfs_leds:lnk_file read;
-
- allow recovery kernel:system syslog_read;
-
- # Access /dev/usb-ffs/adb/ep0
- allow recovery functionfs:dir search;
- allow recovery functionfs:file rw_file_perms;
-
- # Access to /sys/fs/selinux/policyvers for compatibility check
- allow recovery selinuxfs:file r_file_perms;
-
- # Required to e.g. wipe userdata/cache.
- allow recovery device:dir r_dir_perms;
- allow recovery block_device:dir r_dir_perms;
- allow recovery dev_type:blk_file rw_file_perms;
-
- # GUI
- allow recovery graphics_device:chr_file rw_file_perms;
- allow recovery graphics_device:dir r_dir_perms;
- allow recovery input_device:dir r_dir_perms;
- allow recovery input_device:chr_file r_file_perms;
- allow recovery tty_device:chr_file rw_file_perms;
-
- # Create /tmp/recovery.log and execute /tmp/update_binary.
- allow recovery tmpfs:file { create_file_perms x_file_perms };
- allow recovery tmpfs:dir create_dir_perms;
-
- # Manage files on /cache and /cache/recovery
- allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
- allow recovery { cache_file cache_recovery_file }:file create_file_perms;
-
- # Read /sys/class/thermal/*/temp for thermal info.
- r_dir_file(recovery, sysfs_thermal)
-
- # Read files on /oem.
- r_dir_file(recovery, oemfs);
-
- # Reboot the device
- set_prop(recovery, powerctl_prop)
-
- # Start/stop adbd via ctl.start adbd
- set_prop(recovery, ctl_default_prop)
-
- # Read serial number of the device from system properties
- get_prop(recovery, serialno_prop)
-
- # Set sys.usb.ffs.ready when starting minadbd for sideload.
- set_prop(recovery, ffs_prop)
-
- # Use setfscreatecon() to label files for OTA updates.
- allow recovery self:process setfscreate;
-
- # Allow recovery to create a fuse filesystem, and read files from it.
- allow recovery fuse_device:chr_file rw_file_perms;
- allow recovery fuse:dir r_dir_perms;
- allow recovery fuse:file r_file_perms;
-
- wakelock_use(recovery)
-
- # This line seems suspect, as it should not really need to
- # set scheduling parameters for a kernel domain task.
- allow recovery kernel:process setsched;
-')
-
-###
-### neverallow rules
-###
-
-# Recovery should never touch /data.
-#
-# In particular, if /data is encrypted, it is not accessible
-# to recovery anyway.
-#
-# For now, we only enforce write/execute restrictions, as domain.te
-# contains a number of read-only rules that apply to all
-# domains, including recovery.
-#
-# TODO: tighten this up further.
-neverallow recovery {
- data_file_type
- -cache_file
- -cache_recovery_file
-}:file { no_w_file_perms no_x_file_perms };
-neverallow recovery {
- data_file_type
- -cache_file
- -cache_recovery_file
-}:dir no_w_dir_perms;
diff --git a/prebuilts/api/27.0/public/recovery_persist.te b/prebuilts/api/27.0/public/recovery_persist.te
deleted file mode 100644
index 091d300..0000000
--- a/prebuilts/api/27.0/public/recovery_persist.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# android recovery persistent log manager
-type recovery_persist, domain;
-type recovery_persist_exec, exec_type, file_type;
-
-allow recovery_persist pstorefs:dir search;
-allow recovery_persist pstorefs:file r_file_perms;
-
-allow recovery_persist recovery_data_file:file create_file_perms;
-allow recovery_persist recovery_data_file:dir create_dir_perms;
-
-###
-### Neverallow rules
-###
-### recovery_persist should NEVER do any of this
-
-# Block device access.
-neverallow recovery_persist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_persist domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_persist system_file:dir_file_class_set write;
-
-# Write to files in /data/data
-neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write;
-
diff --git a/prebuilts/api/27.0/public/recovery_refresh.te b/prebuilts/api/27.0/public/recovery_refresh.te
deleted file mode 100644
index 602ed51..0000000
--- a/prebuilts/api/27.0/public/recovery_refresh.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# android recovery refresh log manager
-type recovery_refresh, domain;
-type recovery_refresh_exec, exec_type, file_type;
-
-allow recovery_refresh pstorefs:dir search;
-allow recovery_refresh pstorefs:file r_file_perms;
-# NB: domain inherits write_logd which hands us write to pmsg_device
-
-###
-### Neverallow rules
-###
-### recovery_refresh should NEVER do any of this
-
-# Block device access.
-neverallow recovery_refresh dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_refresh domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_refresh system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write;
diff --git a/prebuilts/api/27.0/public/rild.te b/prebuilts/api/27.0/public/rild.te
deleted file mode 100644
index 59cfd90..0000000
--- a/prebuilts/api/27.0/public/rild.te
+++ /dev/null
@@ -1,44 +0,0 @@
-# rild - radio interface layer daemon
-type rild, domain;
-hal_server_domain(rild, hal_telephony)
-
-net_domain(rild)
-allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
-
-allow rild self:netlink_route_socket nlmsg_write;
-allow rild kernel:system module_request;
-allow rild self:capability { setpcap setgid setuid net_admin net_raw };
-allow rild alarm_device:chr_file rw_file_perms;
-allow rild cgroup:dir create_dir_perms;
-allow rild cgroup:{ file lnk_file } r_file_perms;
-allow rild radio_device:chr_file rw_file_perms;
-allow rild radio_device:blk_file r_file_perms;
-allow rild mtd_device:dir search;
-allow rild efs_file:dir create_dir_perms;
-allow rild efs_file:file create_file_perms;
-allow rild shell_exec:file rx_file_perms;
-allow rild bluetooth_efs_file:file r_file_perms;
-allow rild bluetooth_efs_file:dir r_dir_perms;
-allow rild sdcard_type:dir r_dir_perms;
-
-# property service
-set_prop(rild, radio_prop)
-
-allow rild tty_device:chr_file rw_file_perms;
-
-# Allow rild to create and use netlink sockets.
-allow rild self:netlink_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Access to wake locks
-wakelock_use(rild)
-
-r_dir_file(rild, proc)
-r_dir_file(rild, proc_net)
-r_dir_file(rild, sysfs_type)
-r_dir_file(rild, system_file)
-
-# granting the ioctl permission for rild should be device specific
-allow rild self:socket create_socket_perms_no_ioctl;
-
diff --git a/prebuilts/api/27.0/public/roles b/prebuilts/api/27.0/public/roles
deleted file mode 100644
index ca92934..0000000
--- a/prebuilts/api/27.0/public/roles
+++ /dev/null
@@ -1 +0,0 @@
-role r types domain;
diff --git a/prebuilts/api/27.0/public/runas.te b/prebuilts/api/27.0/public/runas.te
deleted file mode 100644
index 12c4181..0000000
--- a/prebuilts/api/27.0/public/runas.te
+++ /dev/null
@@ -1,38 +0,0 @@
-type runas, domain, mlstrustedsubject;
-type runas_exec, exec_type, file_type;
-
-allow runas adbd:fd use;
-allow runas adbd:process sigchld;
-allow runas adbd:unix_stream_socket { read write };
-allow runas shell:fd use;
-allow runas shell:fifo_file { read write };
-allow runas shell:unix_stream_socket { read write };
-allow runas devpts:chr_file { read write ioctl };
-allow runas shell_data_file:file { read write };
-
-# run-as reads package information.
-allow runas system_data_file:file r_file_perms;
-
-# run-as checks and changes to the app data dir.
-dontaudit runas self:capability dac_override;
-allow runas app_data_file:dir { getattr search };
-
-# run-as switches to the app UID/GID.
-allow runas self:capability { setuid setgid };
-
-# run-as switches to the app security context.
-selinux_check_context(runas) # validate context
-allow runas self:process setcurrent;
-allow runas non_system_app_set:process dyntransition; # setcon
-
-# runas/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow runas seapp_contexts_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:capability ~{ setuid setgid };
-neverallow runas self:capability2 *;
diff --git a/prebuilts/api/27.0/public/sdcardd.te b/prebuilts/api/27.0/public/sdcardd.te
deleted file mode 100644
index 47a2f80..0000000
--- a/prebuilts/api/27.0/public/sdcardd.te
+++ /dev/null
@@ -1,43 +0,0 @@
-type sdcardd, domain;
-type sdcardd_exec, exec_type, file_type;
-
-allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd fuse_device:chr_file rw_file_perms;
-allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
-allow sdcardd sdcardfs:filesystem remount;
-allow sdcardd tmpfs:dir r_dir_perms;
-allow sdcardd mnt_media_rw_file:dir r_dir_perms;
-allow sdcardd storage_file:dir search;
-allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
-
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
-
-allow sdcardd media_rw_data_file:dir create_dir_perms;
-allow sdcardd media_rw_data_file:file create_file_perms;
-
-# Read /data/system/packages.list.
-allow sdcardd system_data_file:file r_file_perms;
-
-# Read /data/.layout_version
-allow sdcardd install_data_file:file r_file_perms;
-
-# Allow stdin/out back to vold
-allow sdcardd vold:fd use;
-allow sdcardd vold:fifo_file { read write getattr };
-
-# Allow running on top of expanded storage
-allow sdcardd mnt_expand_file:dir search;
-
-# access /proc/filesystems
-allow sdcardd proc:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# The sdcard daemon should no longer be started from init
-neverallow init sdcardd_exec:file execute;
-neverallow init sdcardd:process { transition dyntransition };
diff --git a/prebuilts/api/27.0/public/service.te b/prebuilts/api/27.0/public/service.te
deleted file mode 100644
index e97b864..0000000
--- a/prebuilts/api/27.0/public/service.te
+++ /dev/null
@@ -1,150 +0,0 @@
-type audioserver_service, service_manager_type;
-type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
-type bluetooth_service, service_manager_type;
-type cameraserver_service, service_manager_type;
-type default_android_service, service_manager_type;
-type drmserver_service, service_manager_type;
-type dumpstate_service, service_manager_type;
-type fingerprintd_service, service_manager_type;
-type hal_fingerprint_service, service_manager_type;
-type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, service_manager_type;
-type inputflinger_service, service_manager_type;
-type incident_service, service_manager_type;
-type installd_service, service_manager_type;
-type keystore_service, service_manager_type;
-type mediaserver_service, service_manager_type;
-type mediametrics_service, service_manager_type;
-type mediaextractor_service, service_manager_type;
-type mediacodec_service, service_manager_type;
-type mediadrmserver_service, service_manager_type;
-type netd_service, service_manager_type;
-type nfc_service, service_manager_type;
-type radio_service, service_manager_type;
-type storaged_service, service_manager_type;
-type surfaceflinger_service, service_manager_type;
-type system_app_service, service_manager_type;
-type thermal_service, service_manager_type;
-type update_engine_service, service_manager_type;
-type virtual_touchpad_service, service_manager_type;
-type vr_hwc_service, service_manager_type;
-
-# system_server_services broken down
-type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type battery_service, system_server_service, service_manager_type;
-type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
-type cameraproxy_service, system_server_service, service_manager_type;
-type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type contexthub_service, app_api_service, system_server_service, service_manager_type;
-type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type commontime_management_service, system_server_service, service_manager_type;
-type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
-# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
-type coverage_service, system_server_service, service_manager_type;
-type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
-type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type devicestoragemonitor_service, system_server_service, service_manager_type;
-type diskstats_service, system_api_service, system_server_service, service_manager_type;
-type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netd_listener_service, system_server_service, service_manager_type;
-type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hardware_service, system_server_service, service_manager_type;
-type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
-type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type lock_settings_service, system_api_service, system_server_service, service_manager_type;
-type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type meminfo_service, system_api_service, system_server_service, service_manager_type;
-type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_score_service, system_api_service, system_server_service, service_manager_type;
-type network_time_update_service, system_server_service, service_manager_type;
-type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type oem_lock_service, system_api_service, system_server_service, service_manager_type;
-type otadexopt_service, system_server_service, service_manager_type;
-type overlay_service, system_api_service, system_server_service, service_manager_type;
-type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type package_native_service, system_server_service, service_manager_type;
-type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
-type pinner_service, system_server_service, service_manager_type;
-type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type processinfo_service, system_server_service, service_manager_type;
-type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type recovery_service, system_server_service, service_manager_type;
-type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, system_server_service, service_manager_type;
-type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
-type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type serial_service, system_api_service, system_server_service, service_manager_type;
-type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type shortcut_service, app_api_service, system_server_service, service_manager_type;
-type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type task_service, system_server_service, service_manager_type;
-type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type timezone_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, system_server_service, service_manager_type;
-type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type updatelock_service, system_api_service, system_server_service, service_manager_type;
-type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, system_server_service, service_manager_type;
-type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vr_manager_service, system_server_service, service_manager_type;
-type wallpaper_service, app_api_service, system_server_service, service_manager_type;
-type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type wifip2p_service, app_api_service, system_server_service, service_manager_type;
-type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wificond_service, service_manager_type;
-type wifiaware_service, app_api_service, system_server_service, service_manager_type;
-type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/27.0/public/servicemanager.te b/prebuilts/api/27.0/public/servicemanager.te
deleted file mode 100644
index c7cd738..0000000
--- a/prebuilts/api/27.0/public/servicemanager.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# servicemanager - the Binder context manager
-type servicemanager, domain, mlstrustedsubject;
-type servicemanager_exec, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains. It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
- domain
- -init
- -hwservicemanager
- -vndservicemanager
-}:binder transfer;
-
-allow servicemanager service_contexts_file:file r_file_perms;
-# nonplat_service_contexts only accessible on non full-treble devices
-not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
-
-# Check SELinux permissions.
-selinux_check_access(servicemanager)
diff --git a/prebuilts/api/27.0/public/sgdisk.te b/prebuilts/api/27.0/public/sgdisk.te
deleted file mode 100644
index 3007398..0000000
--- a/prebuilts/api/27.0/public/sgdisk.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# sgdisk called from vold
-type sgdisk, domain;
-type sgdisk_exec, exec_type, file_type;
-
-# Allowed to read/write low-level partition tables
-allow sgdisk block_device:dir search;
-allow sgdisk vold_device:blk_file rw_file_perms;
-
-# Inherit and use pty created by android_fork_execvp()
-allow sgdisk devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow sgdisk vold:fd use;
-allow sgdisk vold:fifo_file { read write getattr };
-
-# Used to probe kernel to reload partition tables
-allow sgdisk self:capability sys_admin;
-
-# Only allow entry from vold
-neverallow { domain -vold } sgdisk:process transition;
-neverallow * sgdisk:process dyntransition;
-neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/prebuilts/api/27.0/public/shared_relro.te b/prebuilts/api/27.0/public/shared_relro.te
deleted file mode 100644
index 91cf44d..0000000
--- a/prebuilts/api/27.0/public/shared_relro.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain;
-
-# Grant write access to the shared relro files/directory.
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro webviewupdate_service:service_manager find;
diff --git a/prebuilts/api/27.0/public/shell.te b/prebuilts/api/27.0/public/shell.te
deleted file mode 100644
index 9540cca..0000000
--- a/prebuilts/api/27.0/public/shell.te
+++ /dev/null
@@ -1,185 +0,0 @@
-# Domain for shell processes spawned by ADB or console service.
-type shell, domain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
-
-# Create and use network sockets.
-net_domain(shell)
-
-# logcat
-read_logd(shell)
-control_logd(shell)
-# logcat -L (directly, or via dumpstate)
-allow shell pstorefs:dir search;
-allow shell pstorefs:file r_file_perms;
-
-# Root fs.
-allow shell rootfs:dir r_dir_perms;
-
-# read files in /data/anr
-allow shell anr_data_file:dir r_dir_perms;
-allow shell anr_data_file:file r_file_perms;
-
-# Access /data/local/tmp.
-allow shell shell_data_file:dir create_dir_perms;
-allow shell shell_data_file:file create_file_perms;
-allow shell shell_data_file:file rx_file_perms;
-allow shell shell_data_file:lnk_file create_file_perms;
-
-# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
-
-# Read/execute files in /data/nativetest
-userdebug_or_eng(`
- allow shell nativetest_data_file:dir r_dir_perms;
- allow shell nativetest_data_file:file rx_file_perms;
-')
-
-# adb bugreport
-unix_socket_connect(shell, dumpstate, dumpstate)
-
-allow shell devpts:chr_file rw_file_perms;
-allow shell tty_device:chr_file rw_file_perms;
-allow shell console_device:chr_file rw_file_perms;
-allow shell input_device:dir r_dir_perms;
-allow shell input_device:chr_file rw_file_perms;
-r_dir_file(shell, system_file)
-allow shell system_file:file x_file_perms;
-allow shell toolbox_exec:file rx_file_perms;
-allow shell tzdatacheck_exec:file rx_file_perms;
-allow shell shell_exec:file rx_file_perms;
-allow shell zygote_exec:file rx_file_perms;
-
-r_dir_file(shell, apk_data_file)
-
-# Set properties.
-set_prop(shell, shell_prop)
-set_prop(shell, ctl_bugreport_prop)
-set_prop(shell, ctl_dumpstate_prop)
-set_prop(shell, dumpstate_prop)
-set_prop(shell, debug_prop)
-set_prop(shell, powerctl_prop)
-set_prop(shell, log_tag_prop)
-set_prop(shell, wifi_log_prop)
-# adjust is_loggable properties
-userdebug_or_eng(`set_prop(shell, log_prop)')
-# logpersist script
-userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-
-userdebug_or_eng(`
- # "systrace --boot" support - allow boottrace service to run
- allow shell boottrace_data_file:dir rw_dir_perms;
- allow shell boottrace_data_file:file create_file_perms;
- set_prop(shell, persist_debug_prop)
-')
-
-# Read device's serial number from system properties
-get_prop(shell, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(shell, device_logging_prop)
-
-# allow shell access to services
-allow shell servicemanager:service_manager list;
-# don't allow shell to access GateKeeper service
-# TODO: why is this so broad? Tightening candidate? It needs at list:
-# - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
-allow shell dumpstate:binder call;
-
-# allow shell to get information from hwservicemanager
-# for instance, listing hardware services with lshal
-hwbinder_use(shell)
-allow shell hwservicemanager:hwservice_manager list;
-
-# allow shell to look through /proc/ for ps, top, netstat
-r_dir_file(shell, proc)
-r_dir_file(shell, proc_net)
-allow shell proc_interrupts:file r_file_perms;
-allow shell proc_meminfo:file r_file_perms;
-allow shell proc_stat:file r_file_perms;
-allow shell proc_timer:file r_file_perms;
-allow shell proc_zoneinfo:file r_file_perms;
-r_dir_file(shell, cgroup)
-allow shell domain:dir { search open read getattr };
-allow shell domain:{ file lnk_file } { open read getattr };
-
-# statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
-allow shell { proc labeledfs }:filesystem getattr;
-
-# stat() of /dev
-allow shell device:dir getattr;
-
-# allow shell to read /proc/pid/attr/current for ps -Z
-allow shell domain:process getattr;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow shell selinuxfs:dir r_dir_perms;
-allow shell selinuxfs:file r_file_perms;
-
-# enable shell domain to read/write files/dirs for bootchart data
-# User will creates the start and stop file via adb shell
-# and read other files created by init process under /data/bootchart
-allow shell bootchart_data_file:dir rw_dir_perms;
-allow shell bootchart_data_file:file create_file_perms;
-
-# Make sure strace works for the non-privileged shell user
-allow shell self:process ptrace;
-
-# allow shell to get battery info
-allow shell sysfs_batteryinfo:file r_file_perms;
-allow shell sysfs:dir r_dir_perms;
-
-# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file rw_file_perms;
-
-#
-# filesystem test for insecure chr_file's is done
-# via a host side test
-#
-allow shell dev_type:dir r_dir_perms;
-allow shell dev_type:chr_file getattr;
-
-# /dev/fd is a symlink
-allow shell proc:lnk_file getattr;
-
-#
-# filesystem test for insucre blk_file's is done
-# via hostside test
-#
-allow shell dev_type:blk_file getattr;
-
-# read selinux policy files
-allow shell file_contexts_file:file r_file_perms;
-allow shell property_contexts_file:file r_file_perms;
-allow shell seapp_contexts_file:file r_file_perms;
-allow shell service_contexts_file:file r_file_perms;
-allow shell sepolicy_file:file r_file_perms;
-
-###
-### Neverallow rules
-###
-
-# Do not allow shell to hard link to any files.
-# In particular, if shell hard links to app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure the shell user never has this
-# capability.
-neverallow shell file_type:file link;
-
-# Do not allow privileged socket ioctl commands
-neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
-# limit shell access to sensitive char drivers to
-# only getattr required for host side test.
-neverallow shell {
- fuse_device
- hw_random_device
- kmem_device
- port_device
-}:chr_file ~getattr;
-
-# Limit shell to only getattr on blk devices for host side tests.
-neverallow shell dev_type:blk_file ~getattr;
diff --git a/prebuilts/api/27.0/public/slideshow.te b/prebuilts/api/27.0/public/slideshow.te
deleted file mode 100644
index 86d4bff..0000000
--- a/prebuilts/api/27.0/public/slideshow.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# slideshow seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type slideshow, domain;
-
-allow slideshow kmsg_device:chr_file rw_file_perms;
-wakelock_use(slideshow)
-allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability sys_tty_config;
-allow slideshow graphics_device:dir r_dir_perms;
-allow slideshow graphics_device:chr_file rw_file_perms;
-allow slideshow input_device:dir r_dir_perms;
-allow slideshow input_device:chr_file r_file_perms;
-allow slideshow tty_device:chr_file rw_file_perms;
-
diff --git a/prebuilts/api/27.0/public/su.te b/prebuilts/api/27.0/public/su.te
deleted file mode 100644
index 8ddd162..0000000
--- a/prebuilts/api/27.0/public/su.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
-type su, domain;
-
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-
-userdebug_or_eng(`
- # Domain used for su processes, as well as for adbd and adb shell
- # after performing an adb root command. The domain definition is
- # wrapped to ensure that it does not exist at all on -user builds.
- typeattribute su mlstrustedsubject;
-
- # Add su to various domains
- net_domain(su)
-
- # grant su access to vndbinder
- vndbinder_use(su)
-
- dontaudit su self:capability_class_set *;
- dontaudit su kernel:security *;
- dontaudit su kernel:system *;
- dontaudit su self:memprotect *;
- dontaudit su domain:process *;
- dontaudit su domain:fd *;
- dontaudit su domain:dir *;
- dontaudit su domain:lnk_file *;
- dontaudit su domain:{ fifo_file file } *;
- dontaudit su domain:socket_class_set *;
- dontaudit su domain:ipc_class_set *;
- dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
- dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit su node_type:node *;
- dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit su netif_type:netif *;
- dontaudit su port_type:socket_class_set *;
- dontaudit su port_type:{ tcp_socket dccp_socket } *;
- dontaudit su domain:peer *;
- dontaudit su domain:binder *;
- dontaudit su property_type:property_service *;
- dontaudit su property_type:file *;
- dontaudit su service_manager_type:service_manager *;
- dontaudit su hwservice_manager_type:hwservice_manager *;
- dontaudit su vndservice_manager_type:service_manager *;
- dontaudit su servicemanager:service_manager list;
- dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su vndservicemanager:service_manager list;
- dontaudit su keystore:keystore_key *;
- dontaudit su domain:drmservice *;
- dontaudit su unlabeled:filesystem *;
- dontaudit su postinstall_file:filesystem *;
-')
diff --git a/prebuilts/api/27.0/public/surfaceflinger.te b/prebuilts/api/27.0/public/surfaceflinger.te
deleted file mode 100644
index ae00287..0000000
--- a/prebuilts/api/27.0/public/surfaceflinger.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# surfaceflinger - display compositor service
-type surfaceflinger, domain;
diff --git a/prebuilts/api/27.0/public/system_app.te b/prebuilts/api/27.0/public/system_app.te
deleted file mode 100644
index 023058e..0000000
--- a/prebuilts/api/27.0/public/system_app.te
+++ /dev/null
@@ -1,7 +0,0 @@
-###
-### Apps that run with the system UID, e.g. com.android.system.ui,
-### com.android.settings. These are not as privileged as the system
-### server.
-###
-
-type system_app, domain;
diff --git a/prebuilts/api/27.0/public/system_server.te b/prebuilts/api/27.0/public/system_server.te
deleted file mode 100644
index 805d617..0000000
--- a/prebuilts/api/27.0/public/system_server.te
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-type system_server, domain;
diff --git a/prebuilts/api/27.0/public/te_macros b/prebuilts/api/27.0/public/te_macros
deleted file mode 100644
index cac977b..0000000
--- a/prebuilts/api/27.0/public/te_macros
+++ /dev/null
@@ -1,581 +0,0 @@
-#####################################
-# domain_trans(olddomain, type, newdomain)
-# Allow a transition from olddomain to newdomain
-# upon executing a file labeled with type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use domain_auto_trans
-# if that is what you want.
-#
-define(`domain_trans', `
-# Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute map };
-allow $1 $3:process transition;
-# New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr map };
-# New domain can send SIGCHLD to its caller.
-ifelse($1, `init', `', `allow $3 $1:process sigchld;')
-# Enable AT_SECURE, i.e. libc secure mode.
-dontaudit $1 $3:process noatsecure;
-# XXX dontaudit candidate but requires further study.
-allow $1 $3:process { siginh rlimitinh };
-')
-
-#####################################
-# domain_auto_trans(olddomain, type, newdomain)
-# Automatically transition from olddomain to newdomain
-# upon executing a file labeled with type.
-#
-define(`domain_auto_trans', `
-# Allow the necessary permissions.
-domain_trans($1,$2,$3)
-# Make the transition occur by default.
-type_transition $1 $2:process $3;
-')
-
-#####################################
-# file_type_trans(domain, dir_type, file_type)
-# Allow domain to create a file labeled file_type in a
-# directory labeled dir_type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use file_type_auto_trans
-# if that is what you want.
-#
-define(`file_type_trans', `
-# Allow the domain to add entries to the directory.
-allow $1 $2:dir ra_dir_perms;
-# Allow the domain to create the file.
-allow $1 $3:notdevfile_class_set create_file_perms;
-allow $1 $3:dir create_dir_perms;
-')
-
-#####################################
-# file_type_auto_trans(domain, dir_type, file_type)
-# Automatically label new files with file_type when
-# they are created by domain in directories labeled dir_type.
-#
-define(`file_type_auto_trans', `
-# Allow the necessary permissions.
-file_type_trans($1, $2, $3)
-# Make the transition occur by default.
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-')
-
-#####################################
-# r_dir_file(domain, type)
-# Allow the specified domain to read directories, files
-# and symbolic links of the specified type.
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:{ file lnk_file } r_file_perms;
-')
-
-#####################################
-# tmpfs_domain(domain)
-# Define and allow access to a unique type for
-# this domain when creating tmpfs / shmem / ashmem files.
-define(`tmpfs_domain', `
-type $1_tmpfs, file_type;
-type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write getattr };
-allow $1 tmpfs:dir { getattr search };
-')
-
-# pdx macros for IPC. pdx is a high-level name which contains transport-specific
-# rules from underlying transport (e.g. UDS-based implementation).
-
-#####################################
-# pdx_service_attributes(service)
-# Defines type attribute used to identify various service-related types.
-define(`pdx_service_attributes', `
-attribute pdx_$1_endpoint_dir_type;
-attribute pdx_$1_endpoint_socket_type;
-attribute pdx_$1_channel_socket_type;
-attribute pdx_$1_server_type;
-')
-
-#####################################
-# pdx_service_socket_types(service, endpoint_dir_t)
-# Define types for endpoint and channel sockets.
-define(`pdx_service_socket_types', `
-typeattribute $2 pdx_$1_endpoint_dir_type;
-type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
-type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
-userdebug_or_eng(`
-dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
-dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
-')
-')
-
-#####################################
-# pdx_server(server_domain, service)
-define(`pdx_server', `
-# Mark the server domain as a PDX server.
-typeattribute $1 pdx_$2_server_type;
-# Allow the init process to create the initial endpoint socket.
-allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
-# Allow the server domain to use the endpoint socket and accept connections on it.
-# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
-# than we need (e.g. we don"t need "bind" or "connect").
-allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
-# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
-allow $1 self:process setsockcreate;
-# Allow the server domain to create a client channel socket.
-allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
-# Prevent other processes from claiming to be a server for the same service.
-neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
-')
-
-#####################################
-# pdx_connect(client, service)
-define(`pdx_connect', `
-# Allow client to open the service endpoint file.
-allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
-allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
-# Allow the client to connect to endpoint socket.
-allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
-')
-
-#####################################
-# pdx_use(client, service)
-define(`pdx_use', `
-# Allow the client to use the PDX channel socket.
-# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
-# than we need (e.g. we don"t need "bind" or "connect").
-allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
-# Client needs to use an channel event fd from the server.
-allow $1 pdx_$2_server_type:fd use;
-# Servers may receive sync fences, gralloc buffers, etc, from clients.
-# This could be tightened on a per-server basis, but keeping track of service
-# clients is error prone.
-allow pdx_$2_server_type $1:fd use;
-')
-
-#####################################
-# pdx_client(client, service)
-define(`pdx_client', `
-pdx_connect($1, $2)
-pdx_use($1, $2)
-')
-
-#####################################
-# init_daemon_domain(domain)
-# Set up a transition from init to the daemon domain
-# upon executing its binary.
-define(`init_daemon_domain', `
-domain_auto_trans(init, $1_exec, $1)
-tmpfs_domain($1)
-')
-
-#####################################
-# app_domain(domain)
-# Allow a base set of permissions required for all apps.
-define(`app_domain', `
-typeattribute $1 appdomain;
-# Label ashmem objects with our own unique type.
-tmpfs_domain($1)
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file execute;
-')
-
-#####################################
-# untrusted_app_domain(domain)
-# Allow a base set of permissions required for all untrusted apps.
-define(`untrusted_app_domain', `
-typeattribute $1 untrusted_app_all;
-')
-
-#####################################
-# net_domain(domain)
-# Allow a base set of permissions required for network access.
-define(`net_domain', `
-typeattribute $1 netdomain;
-')
-
-#####################################
-# bluetooth_domain(domain)
-# Allow a base set of permissions required for bluetooth access.
-define(`bluetooth_domain', `
-typeattribute $1 bluetoothdomain;
-')
-
-#####################################
-# hal_server_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to offer a
-# HAL implementation of the specified type over HwBinder.
-#
-# For example, default implementation of Foo HAL:
-# type hal_foo_default, domain;
-# hal_server_domain(hal_foo_default, hal_foo)
-#
-define(`hal_server_domain', `
-typeattribute $1 halserverdomain;
-typeattribute $1 $2_server;
-typeattribute $1 $2;
-')
-
-#####################################
-# hal_client_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to be a
-# client of a HAL of the specified type.
-#
-# For example, make some_domain a client of Foo HAL:
-# hal_client_domain(some_domain, hal_foo)
-#
-define(`hal_client_domain', `
-typeattribute $1 halclientdomain;
-typeattribute $1 $2_client;
-
-# TODO(b/34170079): Make the inclusion of the rules below conditional also on
-# non-Treble devices. For now, on non-Treble device, always grant clients of a
-# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
-not_full_treble(`
-typeattribute $1 $2;
-# Find passthrough HAL implementations
-allow $2 system_file:dir r_dir_perms;
-allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute map };
-')
-')
-
-#####################################
-# passthrough_hal_client_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to be a
-# client of a passthrough HAL of the specified type.
-#
-# For example, make some_domain a client of passthrough Foo HAL:
-# passthrough_hal_client_domain(some_domain, hal_foo)
-#
-define(`passthrough_hal_client_domain', `
-typeattribute $1 halclientdomain;
-typeattribute $1 $2_client;
-typeattribute $1 $2;
-# Find passthrough HAL implementations
-allow $2 system_file:dir r_dir_perms;
-allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute map };
-')
-
-#####################################
-# unix_socket_connect(clientdomain, socket, serverdomain)
-# Allow a local socket connection from clientdomain via
-# socket to serverdomain.
-#
-# Note: If you see denial records that distill to the
-# following allow rules:
-# allow clientdomain property_socket:sock_file write;
-# allow clientdomain init:unix_stream_socket connectto;
-# allow clientdomain something_prop:property_service set;
-#
-# This sequence is indicative of attempting to set a property.
-# use set_prop(sourcedomain, targetproperty)
-#
-define(`unix_socket_connect', `
-ifelse($2, `property', `
- ifelse($3,`init', `
- print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
- ')
-')
-__unix_socket_connect__($1, $2, $3)
-')
-
-define(`__unix_socket_connect__', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_stream_socket connectto;
-')
-
-#####################################
-# set_prop(sourcedomain, targetproperty)
-# Allows source domain to set the
-# targetproperty.
-#
-define(`set_prop', `
-__unix_socket_connect__($1, property, init)
-allow $1 $2:property_service set;
-get_prop($1, $2)
-')
-
-#####################################
-# get_prop(sourcedomain, targetproperty)
-# Allows source domain to read the
-# targetproperty.
-#
-define(`get_prop', `
-allow $1 $2:file r_file_perms;
-')
-
-#####################################
-# unix_socket_send(clientdomain, socket, serverdomain)
-# Allow a local socket send from clientdomain via
-# socket to serverdomain.
-define(`unix_socket_send', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_dgram_socket sendto;
-')
-
-#####################################
-# binder_use(domain)
-# Allow domain to use Binder IPC.
-define(`binder_use', `
-# Call the servicemanager and transfer references to it.
-allow $1 servicemanager:binder { call transfer };
-# servicemanager performs getpidcon on clients.
-allow servicemanager $1:dir search;
-allow servicemanager $1:file { read open };
-allow servicemanager $1:process getattr;
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# hwbinder_use(domain)
-# Allow domain to use HwBinder IPC.
-define(`hwbinder_use', `
-# Call the hwservicemanager and transfer references to it.
-allow $1 hwservicemanager:binder { call transfer };
-# Allow hwservicemanager to send out callbacks
-allow hwservicemanager $1:binder { call transfer };
-# hwservicemanager performs getpidcon on clients.
-allow hwservicemanager $1:dir search;
-allow hwservicemanager $1:file { read open };
-allow hwservicemanager $1:process getattr;
-# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# vndbinder_use(domain)
-# Allow domain to use Binder IPC.
-define(`vndbinder_use', `
-# Talk to the vndbinder device node
-allow $1 vndbinder_device:chr_file rw_file_perms;
-# Call the vndservicemanager and transfer references to it.
-allow $1 vndservicemanager:binder { call transfer };
-# vndservicemanager performs getpidcon on clients.
-allow vndservicemanager $1:dir search;
-allow vndservicemanager $1:file { read open };
-allow vndservicemanager $1:process getattr;
-')
-
-#####################################
-# binder_call(clientdomain, serverdomain)
-# Allow clientdomain to perform binder IPC to serverdomain.
-define(`binder_call', `
-# Call the server domain and optionally transfer references to it.
-allow $1 $2:binder { call transfer };
-# Allow the serverdomain to transfer references to the client on the reply.
-allow $2 $1:binder transfer;
-# Receive and use open files from the server.
-allow $1 $2:fd use;
-')
-
-#####################################
-# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
-define(`binder_service', `
-typeattribute $1 binderservicedomain;
-')
-
-#####################################
-# wakelock_use(domain)
-# Allow domain to manage wake locks
-define(`wakelock_use', `
-# Access /sys/power/wake_lock and /sys/power/wake_unlock
-allow $1 sysfs_wake_lock:file rw_file_perms;
-# Accessing these files requires CAP_BLOCK_SUSPEND
-allow $1 self:capability2 block_suspend;
-')
-
-#####################################
-# selinux_check_access(domain)
-# Allow domain to check SELinux permissions via selinuxfs.
-define(`selinux_check_access', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
-allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
-')
-
-#####################################
-# selinux_check_context(domain)
-# Allow domain to check SELinux contexts via selinuxfs.
-define(`selinux_check_context', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
-allow $1 kernel:security check_context;
-')
-
-#####################################
-# create_pty(domain)
-# Allow domain to create and use a pty, isolated from any other domain ptys.
-define(`create_pty', `
-# Each domain gets a unique devpts type.
-type $1_devpts, fs_type;
-# Label the pty with the unique type when created.
-type_transition $1 devpts:chr_file $1_devpts;
-# Allow use of the pty after creation.
-allow $1 $1_devpts:chr_file { open getattr read write ioctl };
-allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
-# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
-# allowed to everyone via domain.te.
-')
-
-#####################################
-# Non system_app application set
-#
-define(`non_system_app_set', `{ appdomain -system_app }')
-
-#####################################
-# Recovery only
-# SELinux rules which apply only to recovery mode
-#
-define(`recovery_only', ifelse(target_recovery, `true', $1, ))
-
-#####################################
-# Full TREBLE only
-# SELinux rules which apply only to full TREBLE devices
-#
-define(`full_treble_only', ifelse(target_full_treble, `true', $1,
-ifelse(target_full_treble, `cts',
-# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# Not full TREBLE
-# SELinux rules which apply only to devices which are not full TREBLE devices
-#
-define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
-
-#####################################
-# Userdebug or eng builds
-# SELinux rules which apply only to userdebug or eng builds
-#
-define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-
-#####################################
-# User builds
-# SELinux rules which apply only to user builds
-#
-define(`userbuild', ifelse(target_build_variant, `user', $1, ))
-
-#####################################
-# asan builds
-# SELinux rules which apply only to asan builds
-#
-define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
-
-####################################
-# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
-#
-define(`crash_dump_fallback', `
-userdebug_or_eng(`
- allow $1 su:fifo_file append;
-')
-allow $1 anr_data_file:file append;
-allow $1 dumpstate:fd use;
-# TODO: Figure out why write is needed.
-allow $1 dumpstate:fifo_file { append write };
-allow $1 system_server:fifo_file { append write };
-allow $1 tombstoned:unix_stream_socket connectto;
-allow $1 tombstoned:fd use;
-allow $1 tombstoned_crash_socket:sock_file write;
-allow $1 tombstone_data_file:file append;
-')
-
-#####################################
-# WITH_DEXPREOPT builds
-# SELinux rules which apply only when pre-opting.
-#
-define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
-
-#####################################
-# write_logd(domain)
-# Ability to write to android log
-# daemon via sockets
-define(`write_logd', `
-unix_socket_send($1, logdw, logd)
-allow $1 pmsg_device:chr_file w_file_perms;
-')
-
-#####################################
-# read_logd(domain)
-# Ability to run logcat and read from android
-# log daemon via sockets
-define(`read_logd', `
-allow $1 logcat_exec:file rx_file_perms;
-unix_socket_connect($1, logdr, logd)
-')
-
-#####################################
-# read_runtime_log_tags(domain)
-# ability to directly map the runtime event log tags
-define(`read_runtime_log_tags', `
-allow $1 runtime_event_log_tags_file:file r_file_perms;
-')
-
-#####################################
-# control_logd(domain)
-# Ability to control
-# android log daemon via sockets
-define(`control_logd', `
-# Group AID_LOG checked by filesystem & logd
-# to permit control commands
-unix_socket_connect($1, logd, logd)
-')
-
-#####################################
-# use_keystore(domain)
-# Ability to use keystore.
-# Keystore is requires the following permissions
-# to call getpidcon.
-define(`use_keystore', `
- allow keystore $1:dir search;
- allow keystore $1:file { read open };
- allow keystore $1:process getattr;
- allow $1 keystore_service:service_manager find;
- binder_call($1, keystore)
-')
-
-###########################################
-# use_drmservice(domain)
-# Ability to use DrmService which requires
-# DrmService to call getpidcon.
-define(`use_drmservice', `
- allow drmserver $1:dir search;
- allow drmserver $1:file { read open };
- allow drmserver $1:process getattr;
-')
-
-###########################################
-# add_service(domain, service)
-# Ability for domain to add a service to service_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-define(`add_service', `
- allow $1 $2:service_manager { add find };
- neverallow { domain -$1 } $2:service_manager add;
-')
-
-###########################################
-# add_hwservice(domain, service)
-# Ability for domain to add a service to hwservice_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-define(`add_hwservice', `
- allow $1 $2:hwservice_manager { add find };
- allow $1 hidl_base_hwservice:hwservice_manager add;
- neverallow { domain -$1 } $2:hwservice_manager add;
-')
-
-##########################################
-# print a message with a trailing newline
-# print(`args')
-define(`print', `errprint(`m4: '__file__: __line__`: $*
-')')
diff --git a/prebuilts/api/27.0/public/tee.te b/prebuilts/api/27.0/public/tee.te
deleted file mode 100644
index f023d5c..0000000
--- a/prebuilts/api/27.0/public/tee.te
+++ /dev/null
@@ -1,7 +0,0 @@
-##
-# trusted execution environment (tee) daemon
-#
-type tee, domain;
-
-# Device(s) for communicating with the TEE
-type tee_device, dev_type;
diff --git a/prebuilts/api/27.0/public/thermalserviced.te b/prebuilts/api/27.0/public/thermalserviced.te
deleted file mode 100644
index 5b6025c..0000000
--- a/prebuilts/api/27.0/public/thermalserviced.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# thermalserviced -- thermal management services for system and vendor
-type thermalserviced, domain;
-type thermalserviced_exec, exec_type, file_type;
-
-binder_use(thermalserviced)
-binder_service(thermalserviced)
-add_service(thermalserviced, thermal_service)
-
-hwbinder_use(thermalserviced)
-hal_client_domain(thermalserviced, hal_thermal)
-add_hwservice(thermalserviced, thermalcallback_hwservice)
diff --git a/prebuilts/api/27.0/public/tombstoned.te b/prebuilts/api/27.0/public/tombstoned.te
deleted file mode 100644
index cf3ddcb..0000000
--- a/prebuilts/api/27.0/public/tombstoned.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# debugger interface
-type tombstoned, domain, mlstrustedsubject;
-type tombstoned_exec, exec_type, file_type;
-
-# Write to arbitrary pipes given to us.
-allow tombstoned domain:fd use;
-allow tombstoned domain:fifo_file write;
-
-allow tombstoned domain:dir r_dir_perms;
-allow tombstoned domain:file r_file_perms;
-allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file create_file_perms;
-
-# TODO: Remove append / write permissions. They were temporarily
-# granted due to a bug which appears to have been fixed.
-allow tombstoned anr_data_file:file { append write };
-auditallow tombstoned anr_data_file:file { append write };
-
-# Changes for the new stack dumping mechanism. Each trace goes into a
-# separate file, and these files are managed by tombstoned.
-allow tombstoned anr_data_file:dir rw_dir_perms;
-allow tombstoned anr_data_file:file { getattr open create };
diff --git a/prebuilts/api/27.0/public/toolbox.te b/prebuilts/api/27.0/public/toolbox.te
deleted file mode 100644
index 59c3a9c..0000000
--- a/prebuilts/api/27.0/public/toolbox.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
-# Do NOT use this domain for toolbox when run by any other domain.
-type toolbox, domain;
-type toolbox_exec, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow toolbox tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow toolbox devpts:chr_file { read write getattr ioctl };
-
-# mkswap-specific.
-# Read/write block devices used for swap partitions.
-# Assign swap_block_device type any such partition in your
-# device/<vendor>/<product>/sepolicy/file_contexts file.
-allow toolbox block_device:dir search;
-allow toolbox swap_block_device:blk_file rw_file_perms;
-
-# Only allow entry from init via the toolbox binary.
-neverallow { domain -init } toolbox:process transition;
-neverallow * toolbox:process dyntransition;
-neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
diff --git a/prebuilts/api/27.0/public/tzdatacheck.te b/prebuilts/api/27.0/public/tzdatacheck.te
deleted file mode 100644
index 6f60c8e2..0000000
--- a/prebuilts/api/27.0/public/tzdatacheck.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
-
-# Below are strong assertion that only init, system_server and tzdatacheck
-# can modify the /data time zone rules directories. This is to make it very
-# clear that only these domains should modify the actual time zone rules data.
-# The tzdatacheck binary itself may be executed by shell for tests but it must
-# not be able to modify the real rules.
-# If other users / binaries could modify time zone rules on device this might
-# have negative implications for users (who may get incorrect local times)
-# or break assumptions made / invalidate data held by the components actually
-# responsible for updating time zone rules.
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/prebuilts/api/27.0/public/ueventd.te b/prebuilts/api/27.0/public/ueventd.te
deleted file mode 100644
index 212087e..0000000
--- a/prebuilts/api/27.0/public/ueventd.te
+++ /dev/null
@@ -1,54 +0,0 @@
-# ueventd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type ueventd, domain;
-
-# Write to /dev/kmsg.
-allow ueventd kmsg_device:chr_file rw_file_perms;
-
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
-allow ueventd device:file create_file_perms;
-
-r_dir_file(ueventd, rootfs)
-
-# ueventd needs write access to files in /sys to regenerate uevents
-allow ueventd sysfs_type:file w_file_perms;
-r_dir_file(ueventd, sysfs_type)
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { getattr create setattr unlink };
-allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file r_file_perms;
-
-# Get SELinux enforcing status.
-r_dir_file(ueventd, selinuxfs)
-
-# Access for /vendor/ueventd.rc and /vendor/firmware
-r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
-
-# Get file contexts for new device nodes
-allow ueventd file_contexts_file:file r_file_perms;
-
-# Use setfscreatecon() to label /dev directories and files.
-allow ueventd self:process setfscreate;
-
-#####
-##### neverallow rules
-#####
-
-# ueventd must never set properties, otherwise deadlocks may occur.
-# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
-# No writing to the property socket, connecting to init, or setting properties.
-neverallow ueventd property_socket:sock_file write;
-neverallow ueventd init:unix_stream_socket connectto;
-neverallow ueventd property_type:property_service set;
-
-# Restrict ueventd access on block devices to maintenence operations.
-neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
diff --git a/prebuilts/api/27.0/public/uncrypt.te b/prebuilts/api/27.0/public/uncrypt.te
deleted file mode 100644
index d10eb39..0000000
--- a/prebuilts/api/27.0/public/uncrypt.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# uncrypt
-type uncrypt, domain, mlstrustedsubject;
-type uncrypt_exec, exec_type, file_type;
-
-allow uncrypt self:capability dac_override;
-
-# Read OTA zip file from /data/data/com.google.android.gsf/app_download
-r_dir_file(uncrypt, app_data_file)
-
-userdebug_or_eng(`
- # For debugging, allow /data/local/tmp access
- r_dir_file(uncrypt, shell_data_file)
-')
-
-# Read /cache/recovery/command
-# Read /cache/recovery/uncrypt_file
-allow uncrypt cache_file:dir search;
-allow uncrypt cache_recovery_file:dir rw_dir_perms;
-allow uncrypt cache_recovery_file:file create_file_perms;
-
-# Read OTA zip file at /data/ota_package/.
-allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
-
-# Write to /dev/socket/uncrypt
-unix_socket_connect(uncrypt, uncrypt, uncrypt)
-
-# Set a property to reboot the device.
-set_prop(uncrypt, powerctl_prop)
-
-# Raw writes to block device
-allow uncrypt self:capability sys_rawio;
-allow uncrypt misc_block_device:blk_file w_file_perms;
-allow uncrypt block_device:dir r_dir_perms;
-
-# Access userdata block device.
-allow uncrypt userdata_block_device:blk_file w_file_perms;
-
-r_dir_file(uncrypt, rootfs)
diff --git a/prebuilts/api/27.0/public/untrusted_app.te b/prebuilts/api/27.0/public/untrusted_app.te
deleted file mode 100644
index 6f29396..0000000
--- a/prebuilts/api/27.0/public/untrusted_app.te
+++ /dev/null
@@ -1,19 +0,0 @@
-###
-### Untrusted apps.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-type untrusted_app, domain;
diff --git a/prebuilts/api/27.0/public/untrusted_app_25.te b/prebuilts/api/27.0/public/untrusted_app_25.te
deleted file mode 100644
index 4ca6e31..0000000
--- a/prebuilts/api/27.0/public/untrusted_app_25.te
+++ /dev/null
@@ -1,20 +0,0 @@
-###
-### Untrusted apps.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-type untrusted_app_25, domain;
-
diff --git a/prebuilts/api/27.0/public/untrusted_v2_app.te b/prebuilts/api/27.0/public/untrusted_v2_app.te
deleted file mode 100644
index ac82f15..0000000
--- a/prebuilts/api/27.0/public/untrusted_v2_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### Untrusted v2 sandbox apps.
-###
-
-type untrusted_v2_app, domain;
diff --git a/prebuilts/api/27.0/public/update_engine.te b/prebuilts/api/27.0/public/update_engine.te
deleted file mode 100644
index b8f0035..0000000
--- a/prebuilts/api/27.0/public/update_engine.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# Domain for update_engine daemon.
-type update_engine, domain, update_engine_common;
-type update_engine_exec, exec_type, file_type;
-
-net_domain(update_engine);
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
-# sockets.
-allow update_engine qtaguid_proc:file rw_file_perms;
-allow update_engine qtaguid_device:chr_file r_file_perms;
-
-# Following permissions are needed for update_engine.
-allow update_engine self:process { setsched };
-allow update_engine self:capability { fowner sys_admin };
-allow update_engine kmsg_device:chr_file w_file_perms;
-allow update_engine update_engine_exec:file rx_file_perms;
-wakelock_use(update_engine);
-
-# Ignore these denials.
-dontaudit update_engine kernel:process setsched;
-
-# Allow using persistent storage in /data/misc/update_engine.
-allow update_engine update_engine_data_file:dir { create_dir_perms };
-allow update_engine update_engine_data_file:file { create_file_perms };
-
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
-# Register the service to perform Binder IPC.
-binder_use(update_engine)
-add_service(update_engine, update_engine_service)
-
-# Allow update_engine to call the callback function provided by priv_app.
-binder_call(update_engine, priv_app)
-
-# Read OTA zip file at /data/ota_package/.
-allow update_engine ota_package_file:file r_file_perms;
-allow update_engine ota_package_file:dir r_dir_perms;
-
-# Use Boot Control HAL
-hal_client_domain(update_engine, hal_bootctl)
diff --git a/prebuilts/api/27.0/public/update_engine_common.te b/prebuilts/api/27.0/public/update_engine_common.te
deleted file mode 100644
index e9bf24f..0000000
--- a/prebuilts/api/27.0/public/update_engine_common.te
+++ /dev/null
@@ -1,48 +0,0 @@
-# update_engine payload application permissions. These are shared between the
-# background daemon and the recovery tool to sideload an update.
-
-# Allow update_engine to reach block devices in /dev/block.
-allow update_engine_common block_device:dir search;
-
-# Allow read/write on system and boot partitions.
-allow update_engine_common boot_block_device:blk_file rw_file_perms;
-allow update_engine_common system_block_device:blk_file rw_file_perms;
-
-# Allow to set recovery options in the BCB. Used to trigger factory reset when
-# the update to an older version (channel change) or incompatible version
-# requires it.
-allow update_engine_common misc_block_device:blk_file rw_file_perms;
-
-# read fstab
-allow update_engine_common rootfs:dir getattr;
-allow update_engine_common rootfs:file r_file_perms;
-
-# Allow update_engine_common to mount on the /postinstall directory and reset the
-# labels on the mounted filesystem to postinstall_file.
-allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
-allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem relabelfrom;
-
-# Allow update_engine_common to read and execute postinstall_file.
-allow update_engine_common postinstall_file:file rx_file_perms;
-allow update_engine_common postinstall_file:lnk_file r_file_perms;
-allow update_engine_common postinstall_file:dir r_dir_perms;
-
-# install update.zip from cache
-r_dir_file(update_engine_common, cache_file)
-
-# A postinstall program is typically a shell script (with a #!), so we allow
-# to execute those.
-allow update_engine_common shell_exec:file rx_file_perms;
-
-# Allow update_engine_common to suspend, resume and kill the postinstall program.
-allow update_engine_common postinstall:process { signal sigstop sigkill };
-
-# access /proc/misc
-# Access is also granted to proc:file, but it is likely unneeded
-# due to the more specific grant to proc_misc immediately below.
-allow update_engine proc:file r_file_perms; # delete candidate
-allow update_engine proc_misc:file r_file_perms;
-
-# read directories on /system and /vendor
-allow update_engine system_file:dir r_dir_perms;
diff --git a/prebuilts/api/27.0/public/update_verifier.te b/prebuilts/api/27.0/public/update_verifier.te
deleted file mode 100644
index 4d4e1f9..0000000
--- a/prebuilts/api/27.0/public/update_verifier.te
+++ /dev/null
@@ -1,19 +0,0 @@
-# update_verifier
-type update_verifier, domain;
-type update_verifier_exec, exec_type, file_type;
-
-# Allow update_verifier to reach block devices in /dev/block.
-allow update_verifier block_device:dir search;
-
-# Read care map in /data/ota_package/.
-allow update_verifier ota_package_file:dir r_dir_perms;
-allow update_verifier ota_package_file:file r_file_perms;
-
-# Read all blocks in dm wrapped system partition.
-allow update_verifier dm_device:blk_file r_file_perms;
-
-# Allow update_verifier to reboot the device.
-set_prop(update_verifier, powerctl_prop)
-
-# Use Boot Control HAL
-hal_client_domain(update_verifier, hal_bootctl)
diff --git a/prebuilts/api/27.0/public/vdc.te b/prebuilts/api/27.0/public/vdc.te
deleted file mode 100644
index 53d7bbe..0000000
--- a/prebuilts/api/27.0/public/vdc.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# vdc spawned from init for the following services:
-# defaultcrypto
-# encrypt
-#
-# We also transition into this domain from dumpstate, when
-# collecting bug reports.
-
-type vdc, domain;
-type vdc_exec, exec_type, file_type;
-
-unix_socket_connect(vdc, vold, vold)
-
-# vdc sends information back to dumpstate when "adb bugreport" is used
-allow vdc dumpstate:fd use;
-allow vdc dumpstate:unix_stream_socket { read write getattr };
-
-# vdc information is written to shell owned bugreport files
-allow vdc shell_data_file:file { write getattr };
-
-# Why?
-allow vdc dumpstate:unix_dgram_socket { read write };
-
-# vdc can be invoked with logwrapper, so let it write to pty
-allow vdc devpts:chr_file rw_file_perms;
-
-# vdc writes directly to kmsg during the boot process
-allow vdc kmsg_device:chr_file w_file_perms;
diff --git a/prebuilts/api/27.0/public/vendor_shell.te b/prebuilts/api/27.0/public/vendor_shell.te
deleted file mode 100644
index b330542..0000000
--- a/prebuilts/api/27.0/public/vendor_shell.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# vendor shell MUST never run as interactive or login shell.
-# vendor shell CAN never be traisitioned to by any process, so it is
-# only intended by shell script interpreter.
-type vendor_shell_exec, exec_type, vendor_file_type, file_type;
diff --git a/prebuilts/api/27.0/public/vendor_toolbox.te b/prebuilts/api/27.0/public/vendor_toolbox.te
deleted file mode 100644
index 63f938d..0000000
--- a/prebuilts/api/27.0/public/vendor_toolbox.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# Toolbox installation for vendor binaries / scripts
-# Non-vendor processes are not allowed to execute the binary
-# and is always executed without transition.
-type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
-
-# Do not allow domains to transition to vendor toolbox
-# or read, execute the vendor_toolbox file.
-full_treble_only(`
- # Do not allow non-vendor domains to transition
- # to vendor toolbox except for the allowlisted domains.
- neverallow {
- coredomain
- -init
- -modprobe
- } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
-')
diff --git a/prebuilts/api/27.0/public/virtual_touchpad.te b/prebuilts/api/27.0/public/virtual_touchpad.te
deleted file mode 100644
index c2800e3..0000000
--- a/prebuilts/api/27.0/public/virtual_touchpad.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type virtual_touchpad, domain;
-type virtual_touchpad_exec, exec_type, file_type;
-
-binder_use(virtual_touchpad)
-binder_service(virtual_touchpad)
-add_service(virtual_touchpad, virtual_touchpad_service)
-
-# Needed to check app permissions.
-binder_call(virtual_touchpad, system_server)
-
-# Requires access to /dev/uinput to create and feed the virtual device.
-allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow virtual_touchpad permission_service:service_manager find;
diff --git a/prebuilts/api/27.0/public/vndservice.te b/prebuilts/api/27.0/public/vndservice.te
deleted file mode 100644
index 0d309bf..0000000
--- a/prebuilts/api/27.0/public/vndservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type default_android_vndservice, vndservice_manager_type;
diff --git a/prebuilts/api/27.0/public/vndservicemanager.te b/prebuilts/api/27.0/public/vndservicemanager.te
deleted file mode 100644
index 6b9f73d..0000000
--- a/prebuilts/api/27.0/public/vndservicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# vndservicemanager - the Binder context manager for vendor processes
-type vndservicemanager, domain;
diff --git a/prebuilts/api/27.0/public/vold.te b/prebuilts/api/27.0/public/vold.te
deleted file mode 100644
index 836db5f..0000000
--- a/prebuilts/api/27.0/public/vold.te
+++ /dev/null
@@ -1,190 +0,0 @@
-# volume manager
-type vold, domain;
-type vold_exec, exec_type, file_type;
-
-# Read already opened /cache files.
-allow vold cache_file:dir r_dir_perms;
-allow vold cache_file:file { getattr read };
-allow vold cache_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(vold, proc)
-r_dir_file(vold, proc_net)
-r_dir_file(vold, sysfs_type)
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms;
-allow vold sysfs_usb:file w_file_perms;
-allow vold sysfs_zram_uevent:file w_file_perms;
-
-r_dir_file(vold, rootfs)
-allow vold proc_meminfo:file r_file_perms;
-
-#Get file contexts
-allow vold file_contexts_file:file r_file_perms;
-
-# Allow us to jump into execution domains of above tools
-allow vold self:process setexec;
-
-# For sgdisk launched through popen()
-allow vold shell_exec:file rx_file_perms;
-
-# For formatting adoptable storage devices
-allow vold e2fs_exec:file rx_file_perms;
-
-typeattribute vold mlstrustedsubject;
-allow vold self:process setfscreate;
-allow vold system_file:file x_file_perms;
-not_full_treble(`allow vold vendor_file:file x_file_perms;')
-allow vold block_device:dir create_dir_perms;
-allow vold device:dir write;
-allow vold devpts:chr_file rw_file_perms;
-allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
-
-# Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
-
-# Access to storage that backs emulated FUSE daemons for migration optimization
-allow vold media_rw_data_file:dir create_dir_perms;
-allow vold media_rw_data_file:file create_file_perms;
-
-# Allow mounting of storage devices
-allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
-
-# Manage per-user primary symlinks
-allow vold mnt_user_file:dir create_dir_perms;
-allow vold mnt_user_file:lnk_file create_file_perms;
-
-# Allow to create and mount expanded storage
-allow vold mnt_expand_file:dir { create_dir_perms mounton };
-allow vold apk_data_file:dir { create getattr setattr };
-allow vold shell_data_file:dir { create getattr setattr };
-
-allow vold tmpfs:filesystem { mount unmount };
-allow vold tmpfs:dir create_dir_perms;
-allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow vold app_data_file:dir search;
-allow vold app_data_file:file rw_file_perms;
-allow vold loop_control_device:chr_file rw_file_perms;
-allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
-allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
-allow vold dm_device:chr_file rw_file_perms;
-allow vold dm_device:blk_file rw_file_perms;
-# For vold Process::killProcessesWithOpenFiles function.
-allow vold domain:dir r_dir_perms;
-allow vold domain:{ file lnk_file } r_file_perms;
-allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace kill };
-
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
-allow vold kmsg_device:chr_file rw_file_perms;
-
-# Run fsck in the fsck domain.
-allow vold fsck_exec:file { r_file_perms execute };
-
-# Log fsck results
-allow vold fscklogs:dir rw_dir_perms;
-allow vold fscklogs:file create_file_perms;
-
-#
-# Rules to support encrypted fs support.
-#
-
-# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount };
-
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
-# Create and mount on /data/tmp_mnt and management of expansion mounts
-allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
-
-# Set scheduling policy of kernel processes
-allow vold kernel:process setsched;
-
-# Property Service
-set_prop(vold, vold_prop)
-set_prop(vold, powerctl_prop)
-set_prop(vold, ctl_fuse_prop)
-set_prop(vold, restorecon_prop)
-
-# ASEC
-allow vold asec_image_file:file create_file_perms;
-allow vold asec_image_file:dir rw_dir_perms;
-allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
-allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
-allow vold asec_public_file:file { relabelto setattr };
-# restorecon files in asec containers created on 4.2 or earlier.
-allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
-allow vold unlabeled:file { r_file_perms setattr relabelfrom };
-
-# Handle wake locks (used for device encryption)
-wakelock_use(vold)
-
-# talk to batteryservice
-binder_use(vold)
-binder_call(vold, healthd)
-
-# talk to keymaster
-hal_client_domain(vold, hal_keymaster)
-
-# Access userdata block device.
-allow vold userdata_block_device:blk_file rw_file_perms;
-
-# Access metadata block device used for encryption meta-data.
-allow vold metadata_block_device:blk_file rw_file_perms;
-
-# Allow vold to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file } create_file_perms;
-allow vold unencrypted_data_file:dir create_dir_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow vold proc_drop_caches:file w_file_perms;
-
-# Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir create_dir_perms;
-allow vold vold_data_file:file create_file_perms;
-
-# linux keyring configuration
-allow vold init:key { write search setattr };
-allow vold vold:key { write search setattr };
-
-# vold temporarily changes its priority when running benchmarks
-allow vold self:capability sys_nice;
-
-# vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:capability sys_chroot;
-allow vold storage_file:dir mounton;
-
-# For AppFuse.
-allow vold fuse_device:chr_file rw_file_perms;
-allow vold fuse:filesystem { relabelfrom };
-allow vold app_fusefs:filesystem { relabelfrom relabelto };
-allow vold app_fusefs:filesystem { mount unmount };
-
-# MoveTask.cpp executes cp and rm
-allow vold toolbox_exec:file rx_file_perms;
-
-# Prepare profile dir for users.
-allow vold user_profile_data_file:dir create_dir_perms;
-
-# Raw writes to misc block device
-allow vold misc_block_device:blk_file w_file_perms;
-
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init } vold_data_file:dir *;
-neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
-neverallow { domain -vold -init } restorecon_prop:property_service set;
-
-neverallow vold fsck_exec:file execute_no_trans;
diff --git a/prebuilts/api/27.0/public/vr_hwc.te b/prebuilts/api/27.0/public/vr_hwc.te
deleted file mode 100644
index c05dd63..0000000
--- a/prebuilts/api/27.0/public/vr_hwc.te
+++ /dev/null
@@ -1,31 +0,0 @@
-type vr_hwc, domain;
-type vr_hwc_exec, exec_type, file_type;
-
-# Get buffer metadata.
-hal_client_domain(vr_hwc, hal_graphics_allocator)
-
-binder_use(vr_hwc)
-binder_service(vr_hwc)
-
-binder_call(vr_hwc, surfaceflinger)
-# Needed to check for app permissions.
-binder_call(vr_hwc, system_server)
-
-add_service(vr_hwc, vr_hwc_service)
-
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_hwc)
-
-# Load vendor libraries.
-allow vr_hwc system_file:dir r_dir_perms;
-
-allow vr_hwc ion_device:chr_file r_file_perms;
-
-# Allow connection to VR DisplayClient to get the primary display metadata
-# (ie: size).
-pdx_client(vr_hwc, display_client)
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow vr_hwc permission_service:service_manager find;
diff --git a/prebuilts/api/27.0/public/watchdogd.te b/prebuilts/api/27.0/public/watchdogd.te
deleted file mode 100644
index 00292a9..0000000
--- a/prebuilts/api/27.0/public/watchdogd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# watchdogd seclabel is specified in init.<board>.rc
-type watchdogd, domain;
-allow watchdogd watchdog_device:chr_file rw_file_perms;
-allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/27.0/public/webview_zygote.te b/prebuilts/api/27.0/public/webview_zygote.te
deleted file mode 100644
index 5d19b32..0000000
--- a/prebuilts/api/27.0/public/webview_zygote.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-type webview_zygote, domain;
-type webview_zygote_exec, exec_type, file_type;
diff --git a/prebuilts/api/27.0/public/wificond.te b/prebuilts/api/27.0/public/wificond.te
deleted file mode 100644
index c91053e..0000000
--- a/prebuilts/api/27.0/public/wificond.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# wificond
-type wificond, domain;
-type wificond_exec, exec_type, file_type;
-
-binder_use(wificond)
-binder_call(wificond, system_server)
-
-add_service(wificond, wificond_service)
-
-set_prop(wificond, wifi_prop)
-set_prop(wificond, ctl_default_prop)
-
-# create sockets to set interfaces up and down
-allow wificond self:udp_socket create_socket_perms;
-# setting interface state up/down is a privileged ioctl
-allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
-allow wificond self:capability { net_admin net_raw };
-# allow wificond to speak to nl80211 in the kernel
-allow wificond self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-r_dir_file(wificond, proc_net)
-
-# wificond writes out configuration files for wpa_supplicant/hostapd.
-# wificond also reads pid files out of this directory
-allow wificond wifi_data_file:dir rw_dir_perms;
-allow wificond wifi_data_file:file create_file_perms;
-
-# allow wificond to check permission for dumping logs
-allow wificond permission_service:service_manager find;
-
-# dumpstate support
-allow wificond dumpstate:fd use;
-allow wificond dumpstate:fifo_file write;
diff --git a/prebuilts/api/27.0/public/zygote.te b/prebuilts/api/27.0/public/zygote.te
deleted file mode 100644
index 83c42ef..0000000
--- a/prebuilts/api/27.0/public/zygote.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# zygote
-type zygote, domain;
-type zygote_exec, exec_type, file_type;
diff --git a/prebuilts/api/28.0/plat_pub_versioned.cil b/prebuilts/api/28.0/plat_pub_versioned.cil
deleted file mode 100644
index d98a249..0000000
--- a/prebuilts/api/28.0/plat_pub_versioned.cil
+++ /dev/null
@@ -1,8871 +0,0 @@
-(roletype r domain)
-(typeattribute dev_type)
-(typeattributeset dev_type (device_28_0 alarm_device_28_0 ashmem_device_28_0 audio_device_28_0 audio_timer_device_28_0 audio_seq_device_28_0 binder_device_28_0 hwbinder_device_28_0 vndbinder_device_28_0 block_device_28_0 camera_device_28_0 dm_device_28_0 keychord_device_28_0 loop_control_device_28_0 loop_device_28_0 pmsg_device_28_0 radio_device_28_0 ram_device_28_0 rtc_device_28_0 vold_device_28_0 console_device_28_0 cpuctl_device_28_0 fscklogs_28_0 full_device_28_0 gpu_device_28_0 graphics_device_28_0 hw_random_device_28_0 input_device_28_0 kmem_device_28_0 port_device_28_0 lowpan_device_28_0 mtd_device_28_0 mtp_device_28_0 nfc_device_28_0 ptmx_device_28_0 kmsg_device_28_0 kmsg_debug_device_28_0 null_device_28_0 random_device_28_0 secure_element_device_28_0 sensors_device_28_0 serial_device_28_0 socket_device_28_0 owntty_device_28_0 tty_device_28_0 video_device_28_0 vcs_device_28_0 zero_device_28_0 fuse_device_28_0 iio_device_28_0 ion_device_28_0 qtaguid_device_28_0 watchdog_device_28_0 uhid_device_28_0 uio_device_28_0 tun_device_28_0 usbaccessory_device_28_0 usb_device_28_0 properties_device_28_0 properties_serial_28_0 property_info_28_0 i2c_device_28_0 hci_attach_dev_28_0 rpmsg_device_28_0 root_block_device_28_0 frp_block_device_28_0 system_block_device_28_0 recovery_block_device_28_0 boot_block_device_28_0 userdata_block_device_28_0 cache_block_device_28_0 swap_block_device_28_0 metadata_block_device_28_0 misc_block_device_28_0 ppp_device_28_0 tee_device_28_0))
-(typeattribute domain)
-(typeattributeset domain (adbd_28_0 audioserver_28_0 blkid_28_0 blkid_untrusted_28_0 bluetooth_28_0 bootanim_28_0 bootstat_28_0 bufferhubd_28_0 cameraserver_28_0 charger_28_0 clatd_28_0 cppreopts_28_0 crash_dump_28_0 dex2oat_28_0 dhcp_28_0 dnsmasq_28_0 drmserver_28_0 dumpstate_28_0 e2fs_28_0 ephemeral_app_28_0 fingerprintd_28_0 fsck_28_0 fsck_untrusted_28_0 gatekeeperd_28_0 healthd_28_0 hwservicemanager_28_0 idmap_28_0 incident_28_0 incident_helper_28_0 incidentd_28_0 init_28_0 inputflinger_28_0 install_recovery_28_0 installd_28_0 isolated_app_28_0 kernel_28_0 keystore_28_0 lmkd_28_0 logd_28_0 logpersist_28_0 mdnsd_28_0 mediacodec_28_0 mediadrmserver_28_0 mediaextractor_28_0 mediametrics_28_0 mediaprovider_28_0 mediaserver_28_0 modprobe_28_0 mtp_28_0 netd_28_0 netutils_wrapper_28_0 nfc_28_0 otapreopt_chroot_28_0 otapreopt_slot_28_0 performanced_28_0 perfprofd_28_0 platform_app_28_0 postinstall_28_0 postinstall_dexopt_28_0 ppp_28_0 preopt2cachename_28_0 priv_app_28_0 profman_28_0 racoon_28_0 radio_28_0 recovery_28_0 recovery_persist_28_0 recovery_refresh_28_0 runas_28_0 sdcardd_28_0 secure_element_28_0 servicemanager_28_0 sgdisk_28_0 shared_relro_28_0 shell_28_0 slideshow_28_0 su_28_0 surfaceflinger_28_0 system_app_28_0 system_server_28_0 tee_28_0 thermalserviced_28_0 tombstoned_28_0 toolbox_28_0 traced_probes_28_0 traceur_app_28_0 tzdatacheck_28_0 ueventd_28_0 uncrypt_28_0 untrusted_app_28_0 untrusted_app_27_28_0 untrusted_app_25_28_0 untrusted_v2_app_28_0 update_engine_28_0 update_verifier_28_0 usbd_28_0 vdc_28_0 vendor_init_28_0 vendor_shell_28_0 virtual_touchpad_28_0 vndservicemanager_28_0 vold_28_0 vold_prepare_subdirs_28_0 vr_hwc_28_0 watchdogd_28_0 webview_zygote_28_0 wificond_28_0 wpantund_28_0 zygote_28_0))
-(typeattribute fs_type)
-(typeattributeset fs_type (device_28_0 labeledfs_28_0 pipefs_28_0 sockfs_28_0 rootfs_28_0 proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 sysfs_usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0 selinuxfs_28_0 cgroup_28_0 cgroup_bpf_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 fs_bpf_28_0 configfs_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0 inotify_28_0 devpts_28_0 tmpfs_28_0 shm_28_0 mqueue_28_0 fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_28_0 debugfs_mmc_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 debugfs_tracing_instances_28_0 debugfs_wakeup_sources_28_0 debugfs_wifi_tracing_28_0 pstorefs_28_0 functionfs_28_0 oemfs_28_0 usbfs_28_0 binfmt_miscfs_28_0 app_fusefs_28_0))
-(typeattribute contextmount_type)
-(typeattributeset contextmount_type (oemfs_28_0 app_fusefs_28_0))
-(typeattribute file_type)
-(typeattributeset file_type (adbd_exec_28_0 bootanim_exec_28_0 bootstat_exec_28_0 bufferhubd_exec_28_0 cameraserver_exec_28_0 clatd_exec_28_0 cppreopts_exec_28_0 crash_dump_exec_28_0 dex2oat_exec_28_0 dhcp_exec_28_0 dnsmasq_exec_28_0 drmserver_exec_28_0 drmserver_socket_28_0 dumpstate_exec_28_0 e2fs_exec_28_0 unlabeled_28_0 system_file_28_0 vendor_hal_file_28_0 vendor_file_28_0 vendor_app_file_28_0 vendor_configs_file_28_0 same_process_hal_file_28_0 vndk_sp_file_28_0 vendor_framework_file_28_0 vendor_overlay_file_28_0 metadata_file_28_0 vold_metadata_file_28_0 runtime_event_log_tags_file_28_0 logcat_exec_28_0 coredump_file_28_0 system_data_file_28_0 vendor_data_file_28_0 unencrypted_data_file_28_0 install_data_file_28_0 drm_data_file_28_0 adb_data_file_28_0 anr_data_file_28_0 tombstone_data_file_28_0 tombstone_wifi_data_file_28_0 apk_data_file_28_0 apk_tmp_file_28_0 apk_private_data_file_28_0 apk_private_tmp_file_28_0 dalvikcache_data_file_28_0 ota_data_file_28_0 ota_package_file_28_0 user_profile_data_file_28_0 profman_dump_data_file_28_0 resourcecache_data_file_28_0 shell_data_file_28_0 property_data_file_28_0 bootchart_data_file_28_0 heapdump_data_file_28_0 nativetest_data_file_28_0 ringtone_file_28_0 preloads_data_file_28_0 preloads_media_file_28_0 dhcp_data_file_28_0 mnt_media_rw_file_28_0 mnt_user_file_28_0 mnt_expand_file_28_0 storage_file_28_0 mnt_media_rw_stub_file_28_0 storage_stub_file_28_0 mnt_vendor_file_28_0 postinstall_mnt_dir_28_0 postinstall_file_28_0 adb_keys_file_28_0 audio_data_file_28_0 audioserver_data_file_28_0 bluetooth_data_file_28_0 bluetooth_logs_data_file_28_0 bootstat_data_file_28_0 boottrace_data_file_28_0 camera_data_file_28_0 gatekeeper_data_file_28_0 incident_data_file_28_0 keychain_data_file_28_0 keystore_data_file_28_0 media_data_file_28_0 media_rw_data_file_28_0 misc_user_data_file_28_0 net_data_file_28_0 network_watchlist_data_file_28_0 nfc_data_file_28_0 radio_data_file_28_0 recovery_data_file_28_0 shared_relro_file_28_0 systemkeys_data_file_28_0 textclassifier_data_file_28_0 trace_data_file_28_0 vpn_data_file_28_0 wifi_data_file_28_0 zoneinfo_data_file_28_0 vold_data_file_28_0 perfprofd_data_file_28_0 tee_data_file_28_0 update_engine_data_file_28_0 update_engine_log_data_file_28_0 method_trace_data_file_28_0 app_data_file_28_0 system_app_data_file_28_0 cache_file_28_0 cache_backup_file_28_0 cache_private_backup_file_28_0 cache_recovery_file_28_0 efs_file_28_0 wallpaper_file_28_0 shortcut_manager_icons_28_0 icon_file_28_0 asec_apk_file_28_0 asec_public_file_28_0 asec_image_file_28_0 backup_data_file_28_0 bluetooth_efs_file_28_0 fingerprintd_data_file_28_0 fingerprint_vendor_data_file_28_0 app_fuse_file_28_0 adbd_socket_28_0 bluetooth_socket_28_0 dnsproxyd_socket_28_0 dumpstate_socket_28_0 fwmarkd_socket_28_0 lmkd_socket_28_0 logd_socket_28_0 logdr_socket_28_0 logdw_socket_28_0 mdns_socket_28_0 mdnsd_socket_28_0 misc_logd_file_28_0 mtpd_socket_28_0 netd_socket_28_0 property_socket_28_0 racoon_socket_28_0 rild_socket_28_0 rild_debug_socket_28_0 system_wpa_socket_28_0 system_ndebug_socket_28_0 tombstoned_crash_socket_28_0 tombstoned_java_trace_socket_28_0 tombstoned_intercept_socket_28_0 traced_producer_socket_28_0 traced_consumer_socket_28_0 uncrypt_socket_28_0 wpa_socket_28_0 zygote_socket_28_0 gps_control_28_0 pdx_display_dir_28_0 pdx_performance_dir_28_0 pdx_bufferhub_dir_28_0 pdx_display_client_endpoint_socket_28_0 pdx_display_manager_endpoint_socket_28_0 pdx_display_screenshot_endpoint_socket_28_0 pdx_display_vsync_endpoint_socket_28_0 pdx_performance_client_endpoint_socket_28_0 pdx_bufferhub_client_endpoint_socket_28_0 file_contexts_file_28_0 mac_perms_file_28_0 property_contexts_file_28_0 seapp_contexts_file_28_0 sepolicy_file_28_0 service_contexts_file_28_0 nonplat_service_contexts_file_28_0 hwservice_contexts_file_28_0 vndservice_contexts_file_28_0 audiohal_data_file_28_0 fingerprintd_exec_28_0 fsck_exec_28_0 gatekeeperd_exec_28_0 healthd_exec_28_0 hwservicemanager_exec_28_0 idmap_exec_28_0 init_exec_28_0 inputflinger_exec_28_0 install_recovery_exec_28_0 installd_exec_28_0 keystore_exec_28_0 lmkd_exec_28_0 logd_exec_28_0 mediacodec_exec_28_0 mediadrmserver_exec_28_0 mediaextractor_exec_28_0 mediametrics_exec_28_0 mediaserver_exec_28_0 mtp_exec_28_0 netd_exec_28_0 netutils_wrapper_exec_28_0 otapreopt_chroot_exec_28_0 otapreopt_slot_exec_28_0 performanced_exec_28_0 perfprofd_exec_28_0 ppp_exec_28_0 preopt2cachename_exec_28_0 profman_exec_28_0 racoon_exec_28_0 recovery_persist_exec_28_0 recovery_refresh_exec_28_0 runas_exec_28_0 sdcardd_exec_28_0 servicemanager_exec_28_0 sgdisk_exec_28_0 shell_exec_28_0 su_exec_28_0 thermalserviced_exec_28_0 tombstoned_exec_28_0 toolbox_exec_28_0 tzdatacheck_exec_28_0 uncrypt_exec_28_0 update_engine_exec_28_0 update_verifier_exec_28_0 usbd_exec_28_0 vdc_exec_28_0 vendor_shell_exec_28_0 vendor_toolbox_exec_28_0 virtual_touchpad_exec_28_0 vold_exec_28_0 vold_prepare_subdirs_exec_28_0 vr_hwc_exec_28_0 webview_zygote_exec_28_0 wificond_exec_28_0 wpantund_exec_28_0 zygote_exec_28_0))
-(typeattribute exec_type)
-(typeattributeset exec_type (adbd_exec_28_0 bootanim_exec_28_0 bootstat_exec_28_0 bufferhubd_exec_28_0 cameraserver_exec_28_0 clatd_exec_28_0 cppreopts_exec_28_0 crash_dump_exec_28_0 dex2oat_exec_28_0 dhcp_exec_28_0 dnsmasq_exec_28_0 drmserver_exec_28_0 dumpstate_exec_28_0 e2fs_exec_28_0 logcat_exec_28_0 fingerprintd_exec_28_0 fsck_exec_28_0 gatekeeperd_exec_28_0 healthd_exec_28_0 hwservicemanager_exec_28_0 idmap_exec_28_0 init_exec_28_0 inputflinger_exec_28_0 install_recovery_exec_28_0 installd_exec_28_0 keystore_exec_28_0 lmkd_exec_28_0 logd_exec_28_0 mediacodec_exec_28_0 mediadrmserver_exec_28_0 mediaextractor_exec_28_0 mediametrics_exec_28_0 mediaserver_exec_28_0 mtp_exec_28_0 netd_exec_28_0 netutils_wrapper_exec_28_0 otapreopt_chroot_exec_28_0 otapreopt_slot_exec_28_0 performanced_exec_28_0 perfprofd_exec_28_0 ppp_exec_28_0 preopt2cachename_exec_28_0 profman_exec_28_0 racoon_exec_28_0 recovery_persist_exec_28_0 recovery_refresh_exec_28_0 runas_exec_28_0 sdcardd_exec_28_0 servicemanager_exec_28_0 sgdisk_exec_28_0 shell_exec_28_0 su_exec_28_0 thermalserviced_exec_28_0 tombstoned_exec_28_0 toolbox_exec_28_0 tzdatacheck_exec_28_0 uncrypt_exec_28_0 update_engine_exec_28_0 update_verifier_exec_28_0 usbd_exec_28_0 vdc_exec_28_0 vendor_shell_exec_28_0 vendor_toolbox_exec_28_0 virtual_touchpad_exec_28_0 vold_exec_28_0 vold_prepare_subdirs_exec_28_0 vr_hwc_exec_28_0 webview_zygote_exec_28_0 wificond_exec_28_0 wpantund_exec_28_0 zygote_exec_28_0))
-(typeattribute data_file_type)
-(expandtypeattribute (data_file_type) false)
-(typeattributeset data_file_type (system_data_file_28_0 vendor_data_file_28_0 unencrypted_data_file_28_0 install_data_file_28_0 drm_data_file_28_0 adb_data_file_28_0 anr_data_file_28_0 tombstone_data_file_28_0 tombstone_wifi_data_file_28_0 apk_data_file_28_0 apk_tmp_file_28_0 apk_private_data_file_28_0 apk_private_tmp_file_28_0 dalvikcache_data_file_28_0 ota_data_file_28_0 ota_package_file_28_0 user_profile_data_file_28_0 profman_dump_data_file_28_0 resourcecache_data_file_28_0 shell_data_file_28_0 property_data_file_28_0 bootchart_data_file_28_0 heapdump_data_file_28_0 nativetest_data_file_28_0 ringtone_file_28_0 preloads_data_file_28_0 preloads_media_file_28_0 dhcp_data_file_28_0 adb_keys_file_28_0 audio_data_file_28_0 audioserver_data_file_28_0 bluetooth_data_file_28_0 bluetooth_logs_data_file_28_0 bootstat_data_file_28_0 boottrace_data_file_28_0 camera_data_file_28_0 gatekeeper_data_file_28_0 incident_data_file_28_0 keychain_data_file_28_0 keystore_data_file_28_0 media_data_file_28_0 media_rw_data_file_28_0 misc_user_data_file_28_0 net_data_file_28_0 network_watchlist_data_file_28_0 nfc_data_file_28_0 radio_data_file_28_0 recovery_data_file_28_0 shared_relro_file_28_0 systemkeys_data_file_28_0 textclassifier_data_file_28_0 trace_data_file_28_0 vpn_data_file_28_0 wifi_data_file_28_0 zoneinfo_data_file_28_0 vold_data_file_28_0 perfprofd_data_file_28_0 tee_data_file_28_0 update_engine_data_file_28_0 update_engine_log_data_file_28_0 method_trace_data_file_28_0 app_data_file_28_0 system_app_data_file_28_0 cache_file_28_0 cache_backup_file_28_0 cache_private_backup_file_28_0 cache_recovery_file_28_0 wallpaper_file_28_0 shortcut_manager_icons_28_0 icon_file_28_0 asec_apk_file_28_0 asec_public_file_28_0 asec_image_file_28_0 backup_data_file_28_0 fingerprintd_data_file_28_0 fingerprint_vendor_data_file_28_0 app_fuse_file_28_0 bluetooth_socket_28_0 misc_logd_file_28_0 system_wpa_socket_28_0 system_ndebug_socket_28_0 wpa_socket_28_0 audiohal_data_file_28_0))
-(typeattribute core_data_file_type)
-(expandtypeattribute (core_data_file_type) false)
-(typeattributeset core_data_file_type (system_data_file_28_0 unencrypted_data_file_28_0 install_data_file_28_0 drm_data_file_28_0 adb_data_file_28_0 anr_data_file_28_0 tombstone_data_file_28_0 apk_data_file_28_0 apk_tmp_file_28_0 apk_private_data_file_28_0 apk_private_tmp_file_28_0 dalvikcache_data_file_28_0 ota_data_file_28_0 ota_package_file_28_0 user_profile_data_file_28_0 profman_dump_data_file_28_0 resourcecache_data_file_28_0 shell_data_file_28_0 property_data_file_28_0 bootchart_data_file_28_0 heapdump_data_file_28_0 nativetest_data_file_28_0 ringtone_file_28_0 preloads_data_file_28_0 preloads_media_file_28_0 dhcp_data_file_28_0 adb_keys_file_28_0 audio_data_file_28_0 audioserver_data_file_28_0 bluetooth_data_file_28_0 bluetooth_logs_data_file_28_0 bootstat_data_file_28_0 boottrace_data_file_28_0 camera_data_file_28_0 gatekeeper_data_file_28_0 incident_data_file_28_0 keychain_data_file_28_0 keystore_data_file_28_0 media_data_file_28_0 media_rw_data_file_28_0 misc_user_data_file_28_0 net_data_file_28_0 network_watchlist_data_file_28_0 nfc_data_file_28_0 radio_data_file_28_0 recovery_data_file_28_0 shared_relro_file_28_0 systemkeys_data_file_28_0 textclassifier_data_file_28_0 trace_data_file_28_0 vpn_data_file_28_0 wifi_data_file_28_0 zoneinfo_data_file_28_0 vold_data_file_28_0 perfprofd_data_file_28_0 update_engine_data_file_28_0 update_engine_log_data_file_28_0 method_trace_data_file_28_0 app_data_file_28_0 system_app_data_file_28_0 cache_file_28_0 cache_backup_file_28_0 cache_private_backup_file_28_0 cache_recovery_file_28_0 wallpaper_file_28_0 shortcut_manager_icons_28_0 icon_file_28_0 asec_apk_file_28_0 asec_public_file_28_0 asec_image_file_28_0 backup_data_file_28_0 fingerprintd_data_file_28_0 app_fuse_file_28_0 bluetooth_socket_28_0 misc_logd_file_28_0 system_wpa_socket_28_0 system_ndebug_socket_28_0 wpa_socket_28_0 audiohal_data_file_28_0))
-(typeattribute vendor_file_type)
-(typeattributeset vendor_file_type (vendor_hal_file_28_0 vendor_file_28_0 vendor_app_file_28_0 vendor_configs_file_28_0 same_process_hal_file_28_0 vndk_sp_file_28_0 vendor_framework_file_28_0 vendor_overlay_file_28_0 mediacodec_exec_28_0 vendor_shell_exec_28_0 vendor_toolbox_exec_28_0))
-(typeattribute proc_type)
-(expandtypeattribute (proc_type) false)
-(typeattributeset proc_type (proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0))
-(typeattribute sysfs_type)
-(typeattributeset sysfs_type (sysfs_usermodehelper_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0))
-(typeattribute debugfs_type)
-(typeattributeset debugfs_type (debugfs_28_0 debugfs_mmc_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 debugfs_tracing_instances_28_0 debugfs_wakeup_sources_28_0 debugfs_wifi_tracing_28_0))
-(typeattribute sdcard_type)
-(typeattributeset sdcard_type (fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0))
-(typeattribute node_type)
-(typeattributeset node_type (node_28_0))
-(typeattribute netif_type)
-(typeattributeset netif_type (netif_28_0))
-(typeattribute port_type)
-(typeattributeset port_type (port_28_0))
-(typeattribute property_type)
-(typeattributeset property_type (audio_prop_28_0 boottime_prop_28_0 bluetooth_a2dp_offload_prop_28_0 bluetooth_prop_28_0 bootloader_boot_reason_prop_28_0 config_prop_28_0 cppreopt_prop_28_0 ctl_bootanim_prop_28_0 ctl_bugreport_prop_28_0 ctl_console_prop_28_0 ctl_default_prop_28_0 ctl_dumpstate_prop_28_0 ctl_fuse_prop_28_0 ctl_interface_restart_prop_28_0 ctl_interface_start_prop_28_0 ctl_interface_stop_prop_28_0 ctl_mdnsd_prop_28_0 ctl_restart_prop_28_0 ctl_rildaemon_prop_28_0 ctl_sigstop_prop_28_0 ctl_start_prop_28_0 ctl_stop_prop_28_0 dalvik_prop_28_0 debuggerd_prop_28_0 debug_prop_28_0 default_prop_28_0 device_logging_prop_28_0 dhcp_prop_28_0 dumpstate_options_prop_28_0 dumpstate_prop_28_0 exported_secure_prop_28_0 ffs_prop_28_0 fingerprint_prop_28_0 firstboot_prop_28_0 hwservicemanager_prop_28_0 last_boot_reason_prop_28_0 logd_prop_28_0 logpersistd_logging_prop_28_0 log_prop_28_0 log_tag_prop_28_0 lowpan_prop_28_0 mmc_prop_28_0 net_dns_prop_28_0 net_radio_prop_28_0 netd_stable_secret_prop_28_0 nfc_prop_28_0 overlay_prop_28_0 pan_result_prop_28_0 persist_debug_prop_28_0 persistent_properties_ready_prop_28_0 pm_prop_28_0 powerctl_prop_28_0 radio_prop_28_0 restorecon_prop_28_0 safemode_prop_28_0 serialno_prop_28_0 shell_prop_28_0 system_boot_reason_prop_28_0 system_prop_28_0 system_radio_prop_28_0 test_boot_reason_prop_28_0 traced_enabled_prop_28_0 vold_prop_28_0 wifi_log_prop_28_0 wifi_prop_28_0 vendor_security_patch_level_prop_28_0 exported_audio_prop_28_0 exported_bluetooth_prop_28_0 exported_config_prop_28_0 exported_dalvik_prop_28_0 exported_default_prop_28_0 exported_dumpstate_prop_28_0 exported_ffs_prop_28_0 exported_fingerprint_prop_28_0 exported_overlay_prop_28_0 exported_pm_prop_28_0 exported_radio_prop_28_0 exported_system_prop_28_0 exported_system_radio_prop_28_0 exported_vold_prop_28_0 exported_wifi_prop_28_0 exported2_config_prop_28_0 exported2_default_prop_28_0 exported2_radio_prop_28_0 exported2_system_prop_28_0 exported2_vold_prop_28_0 exported3_default_prop_28_0 exported3_radio_prop_28_0 exported3_system_prop_28_0 vendor_default_prop_28_0))
-(typeattribute core_property_type)
-(typeattributeset core_property_type (audio_prop_28_0 config_prop_28_0 cppreopt_prop_28_0 dalvik_prop_28_0 debuggerd_prop_28_0 debug_prop_28_0 default_prop_28_0 dhcp_prop_28_0 dumpstate_prop_28_0 ffs_prop_28_0 fingerprint_prop_28_0 logd_prop_28_0 net_radio_prop_28_0 nfc_prop_28_0 pan_result_prop_28_0 persist_debug_prop_28_0 powerctl_prop_28_0 radio_prop_28_0 restorecon_prop_28_0 shell_prop_28_0 system_prop_28_0 system_radio_prop_28_0 vold_prop_28_0))
-(typeattribute log_property_type)
-(typeattributeset log_property_type (log_prop_28_0 log_tag_prop_28_0 wifi_log_prop_28_0))
-(typeattribute extended_core_property_type)
-(typeattribute system_server_service)
-(typeattributeset system_server_service (accessibility_service_28_0 account_service_28_0 activity_service_28_0 alarm_service_28_0 appops_service_28_0 appwidget_service_28_0 assetatlas_service_28_0 audio_service_28_0 autofill_service_28_0 backup_service_28_0 batterystats_service_28_0 battery_service_28_0 binder_calls_stats_service_28_0 bluetooth_manager_service_28_0 broadcastradio_service_28_0 cameraproxy_service_28_0 clipboard_service_28_0 contexthub_service_28_0 crossprofileapps_service_28_0 IProxyService_service_28_0 commontime_management_service_28_0 companion_device_service_28_0 connectivity_service_28_0 connmetrics_service_28_0 consumer_ir_service_28_0 content_service_28_0 country_detector_service_28_0 coverage_service_28_0 cpuinfo_service_28_0 dbinfo_service_28_0 device_policy_service_28_0 deviceidle_service_28_0 device_identifiers_service_28_0 devicestoragemonitor_service_28_0 diskstats_service_28_0 display_service_28_0 font_service_28_0 netd_listener_service_28_0 network_watchlist_service_28_0 DockObserver_service_28_0 dreams_service_28_0 dropbox_service_28_0 lowpan_service_28_0 ethernet_service_28_0 fingerprint_service_28_0 gfxinfo_service_28_0 graphicsstats_service_28_0 hardware_service_28_0 hardware_properties_service_28_0 hdmi_control_service_28_0 input_method_service_28_0 input_service_28_0 imms_service_28_0 ipsec_service_28_0 jobscheduler_service_28_0 launcherapps_service_28_0 location_service_28_0 lock_settings_service_28_0 media_projection_service_28_0 media_router_service_28_0 media_session_service_28_0 meminfo_service_28_0 midi_service_28_0 mount_service_28_0 netpolicy_service_28_0 netstats_service_28_0 network_management_service_28_0 network_score_service_28_0 network_time_update_service_28_0 notification_service_28_0 oem_lock_service_28_0 otadexopt_service_28_0 overlay_service_28_0 package_service_28_0 package_native_service_28_0 permission_service_28_0 persistent_data_block_service_28_0 pinner_service_28_0 power_service_28_0 print_service_28_0 processinfo_service_28_0 procstats_service_28_0 recovery_service_28_0 registry_service_28_0 restrictions_service_28_0 rttmanager_service_28_0 samplingprofiler_service_28_0 scheduling_policy_service_28_0 search_service_28_0 sec_key_att_app_id_provider_service_28_0 sensorservice_service_28_0 serial_service_28_0 servicediscovery_service_28_0 settings_service_28_0 shortcut_service_28_0 slice_service_28_0 statusbar_service_28_0 storagestats_service_28_0 system_update_service_28_0 task_service_28_0 textclassification_service_28_0 textservices_service_28_0 telecom_service_28_0 timezone_service_28_0 trust_service_28_0 tv_input_service_28_0 uimode_service_28_0 updatelock_service_28_0 usagestats_service_28_0 usb_service_28_0 user_service_28_0 vibrator_service_28_0 voiceinteraction_service_28_0 vr_manager_service_28_0 wallpaper_service_28_0 webviewupdate_service_28_0 wifip2p_service_28_0 wifiscanner_service_28_0 wifi_service_28_0 wifiaware_service_28_0 window_service_28_0))
-(typeattribute app_api_service)
-(typeattributeset app_api_service (batteryproperties_service_28_0 gatekeeper_service_28_0 surfaceflinger_service_28_0 accessibility_service_28_0 account_service_28_0 activity_service_28_0 alarm_service_28_0 appops_service_28_0 appwidget_service_28_0 assetatlas_service_28_0 audio_service_28_0 autofill_service_28_0 backup_service_28_0 batterystats_service_28_0 bluetooth_manager_service_28_0 clipboard_service_28_0 contexthub_service_28_0 crossprofileapps_service_28_0 IProxyService_service_28_0 companion_device_service_28_0 connectivity_service_28_0 connmetrics_service_28_0 consumer_ir_service_28_0 content_service_28_0 country_detector_service_28_0 device_policy_service_28_0 deviceidle_service_28_0 device_identifiers_service_28_0 display_service_28_0 font_service_28_0 dreams_service_28_0 dropbox_service_28_0 ethernet_service_28_0 fingerprint_service_28_0 graphicsstats_service_28_0 hardware_properties_service_28_0 input_method_service_28_0 input_service_28_0 imms_service_28_0 ipsec_service_28_0 jobscheduler_service_28_0 launcherapps_service_28_0 location_service_28_0 media_projection_service_28_0 media_router_service_28_0 media_session_service_28_0 midi_service_28_0 mount_service_28_0 netpolicy_service_28_0 netstats_service_28_0 network_management_service_28_0 notification_service_28_0 package_service_28_0 permission_service_28_0 power_service_28_0 print_service_28_0 procstats_service_28_0 registry_service_28_0 restrictions_service_28_0 rttmanager_service_28_0 search_service_28_0 sec_key_att_app_id_provider_service_28_0 sensorservice_service_28_0 servicediscovery_service_28_0 settings_service_28_0 shortcut_service_28_0 slice_service_28_0 statusbar_service_28_0 storagestats_service_28_0 textclassification_service_28_0 textservices_service_28_0 telecom_service_28_0 trust_service_28_0 tv_input_service_28_0 uimode_service_28_0 usagestats_service_28_0 usb_service_28_0 user_service_28_0 vibrator_service_28_0 voiceinteraction_service_28_0 wallpaper_service_28_0 webviewupdate_service_28_0 wifip2p_service_28_0 wifi_service_28_0 wifiaware_service_28_0))
-(typeattribute ephemeral_app_api_service)
-(typeattributeset ephemeral_app_api_service (batteryproperties_service_28_0 surfaceflinger_service_28_0 accessibility_service_28_0 account_service_28_0 activity_service_28_0 alarm_service_28_0 appops_service_28_0 appwidget_service_28_0 assetatlas_service_28_0 audio_service_28_0 autofill_service_28_0 backup_service_28_0 batterystats_service_28_0 bluetooth_manager_service_28_0 clipboard_service_28_0 IProxyService_service_28_0 companion_device_service_28_0 connectivity_service_28_0 connmetrics_service_28_0 consumer_ir_service_28_0 content_service_28_0 country_detector_service_28_0 deviceidle_service_28_0 device_identifiers_service_28_0 display_service_28_0 font_service_28_0 dreams_service_28_0 dropbox_service_28_0 graphicsstats_service_28_0 hardware_properties_service_28_0 input_method_service_28_0 input_service_28_0 imms_service_28_0 ipsec_service_28_0 jobscheduler_service_28_0 launcherapps_service_28_0 location_service_28_0 media_projection_service_28_0 media_router_service_28_0 media_session_service_28_0 midi_service_28_0 mount_service_28_0 netpolicy_service_28_0 netstats_service_28_0 network_management_service_28_0 notification_service_28_0 package_service_28_0 permission_service_28_0 power_service_28_0 print_service_28_0 procstats_service_28_0 registry_service_28_0 restrictions_service_28_0 rttmanager_service_28_0 search_service_28_0 sensorservice_service_28_0 servicediscovery_service_28_0 settings_service_28_0 statusbar_service_28_0 storagestats_service_28_0 textclassification_service_28_0 textservices_service_28_0 telecom_service_28_0 tv_input_service_28_0 uimode_service_28_0 usagestats_service_28_0 user_service_28_0 vibrator_service_28_0 voiceinteraction_service_28_0 webviewupdate_service_28_0))
-(typeattribute system_api_service)
-(typeattributeset system_api_service (cpuinfo_service_28_0 dbinfo_service_28_0 diskstats_service_28_0 lowpan_service_28_0 gfxinfo_service_28_0 hdmi_control_service_28_0 lock_settings_service_28_0 meminfo_service_28_0 network_score_service_28_0 oem_lock_service_28_0 overlay_service_28_0 persistent_data_block_service_28_0 serial_service_28_0 updatelock_service_28_0 wifiscanner_service_28_0 window_service_28_0 wpantund_service_28_0))
-(typeattribute service_manager_type)
-(typeattributeset service_manager_type (audioserver_service_28_0 batteryproperties_service_28_0 bluetooth_service_28_0 cameraserver_service_28_0 default_android_service_28_0 drmserver_service_28_0 dumpstate_service_28_0 fingerprintd_service_28_0 hal_fingerprint_service_28_0 gatekeeper_service_28_0 gpu_service_28_0 inputflinger_service_28_0 incident_service_28_0 installd_service_28_0 keystore_service_28_0 mediaserver_service_28_0 mediametrics_service_28_0 mediaextractor_service_28_0 mediaextractor_update_service_28_0 mediacodec_service_28_0 mediadrmserver_service_28_0 netd_service_28_0 nfc_service_28_0 perfprofd_service_28_0 radio_service_28_0 secure_element_service_28_0 storaged_service_28_0 surfaceflinger_service_28_0 system_app_service_28_0 thermal_service_28_0 update_engine_service_28_0 virtual_touchpad_service_28_0 vold_service_28_0 vr_hwc_service_28_0 accessibility_service_28_0 account_service_28_0 activity_service_28_0 alarm_service_28_0 appops_service_28_0 appwidget_service_28_0 assetatlas_service_28_0 audio_service_28_0 autofill_service_28_0 backup_service_28_0 batterystats_service_28_0 battery_service_28_0 binder_calls_stats_service_28_0 bluetooth_manager_service_28_0 broadcastradio_service_28_0 cameraproxy_service_28_0 clipboard_service_28_0 contexthub_service_28_0 crossprofileapps_service_28_0 IProxyService_service_28_0 commontime_management_service_28_0 companion_device_service_28_0 connectivity_service_28_0 connmetrics_service_28_0 consumer_ir_service_28_0 content_service_28_0 country_detector_service_28_0 coverage_service_28_0 cpuinfo_service_28_0 dbinfo_service_28_0 device_policy_service_28_0 deviceidle_service_28_0 device_identifiers_service_28_0 devicestoragemonitor_service_28_0 diskstats_service_28_0 display_service_28_0 font_service_28_0 netd_listener_service_28_0 network_watchlist_service_28_0 DockObserver_service_28_0 dreams_service_28_0 dropbox_service_28_0 lowpan_service_28_0 ethernet_service_28_0 fingerprint_service_28_0 gfxinfo_service_28_0 graphicsstats_service_28_0 hardware_service_28_0 hardware_properties_service_28_0 hdmi_control_service_28_0 input_method_service_28_0 input_service_28_0 imms_service_28_0 ipsec_service_28_0 jobscheduler_service_28_0 launcherapps_service_28_0 location_service_28_0 lock_settings_service_28_0 media_projection_service_28_0 media_router_service_28_0 media_session_service_28_0 meminfo_service_28_0 midi_service_28_0 mount_service_28_0 netpolicy_service_28_0 netstats_service_28_0 network_management_service_28_0 network_score_service_28_0 network_time_update_service_28_0 notification_service_28_0 oem_lock_service_28_0 otadexopt_service_28_0 overlay_service_28_0 package_service_28_0 package_native_service_28_0 permission_service_28_0 persistent_data_block_service_28_0 pinner_service_28_0 power_service_28_0 print_service_28_0 processinfo_service_28_0 procstats_service_28_0 recovery_service_28_0 registry_service_28_0 restrictions_service_28_0 rttmanager_service_28_0 samplingprofiler_service_28_0 scheduling_policy_service_28_0 search_service_28_0 sec_key_att_app_id_provider_service_28_0 sensorservice_service_28_0 serial_service_28_0 servicediscovery_service_28_0 settings_service_28_0 shortcut_service_28_0 slice_service_28_0 statusbar_service_28_0 storagestats_service_28_0 system_update_service_28_0 task_service_28_0 textclassification_service_28_0 textservices_service_28_0 telecom_service_28_0 timezone_service_28_0 trust_service_28_0 tv_input_service_28_0 uimode_service_28_0 updatelock_service_28_0 usagestats_service_28_0 usb_service_28_0 user_service_28_0 vibrator_service_28_0 voiceinteraction_service_28_0 vr_manager_service_28_0 wallpaper_service_28_0 webviewupdate_service_28_0 wifip2p_service_28_0 wifiscanner_service_28_0 wifi_service_28_0 wificond_service_28_0 wifiaware_service_28_0 window_service_28_0 wpantund_service_28_0))
-(typeattribute hwservice_manager_type)
-(typeattributeset hwservice_manager_type (default_android_hwservice_28_0 fwk_display_hwservice_28_0 fwk_scheduler_hwservice_28_0 fwk_sensor_hwservice_28_0 hal_audiocontrol_hwservice_28_0 hal_audio_hwservice_28_0 hal_authsecret_hwservice_28_0 hal_bluetooth_hwservice_28_0 hal_bootctl_hwservice_28_0 hal_broadcastradio_hwservice_28_0 hal_camera_hwservice_28_0 hal_codec2_hwservice_28_0 hal_configstore_ISurfaceFlingerConfigs_28_0 hal_confirmationui_hwservice_28_0 hal_contexthub_hwservice_28_0 hal_drm_hwservice_28_0 hal_cas_hwservice_28_0 hal_dumpstate_hwservice_28_0 hal_evs_hwservice_28_0 hal_fingerprint_hwservice_28_0 hal_gatekeeper_hwservice_28_0 hal_gnss_hwservice_28_0 hal_graphics_allocator_hwservice_28_0 hal_graphics_composer_hwservice_28_0 hal_graphics_mapper_hwservice_28_0 hal_health_hwservice_28_0 hal_ir_hwservice_28_0 hal_keymaster_hwservice_28_0 hal_light_hwservice_28_0 hal_lowpan_hwservice_28_0 hal_memtrack_hwservice_28_0 hal_neuralnetworks_hwservice_28_0 hal_nfc_hwservice_28_0 hal_oemlock_hwservice_28_0 hal_omx_hwservice_28_0 hal_power_hwservice_28_0 hal_renderscript_hwservice_28_0 hal_secure_element_hwservice_28_0 hal_sensors_hwservice_28_0 hal_telephony_hwservice_28_0 hal_tetheroffload_hwservice_28_0 hal_thermal_hwservice_28_0 hal_tv_cec_hwservice_28_0 hal_tv_input_hwservice_28_0 hal_usb_hwservice_28_0 hal_usb_gadget_hwservice_28_0 hal_vehicle_hwservice_28_0 hal_vibrator_hwservice_28_0 hal_vr_hwservice_28_0 hal_weaver_hwservice_28_0 hal_wifi_hwservice_28_0 hal_wifi_hostapd_hwservice_28_0 hal_wifi_offload_hwservice_28_0 hal_wifi_supplicant_hwservice_28_0 hidl_allocator_hwservice_28_0 hidl_base_hwservice_28_0 hidl_manager_hwservice_28_0 hidl_memory_hwservice_28_0 hidl_token_hwservice_28_0 system_net_netd_hwservice_28_0 system_wifi_keystore_hwservice_28_0 thermalcallback_hwservice_28_0))
-(typeattribute same_process_hwservice)
-(typeattributeset same_process_hwservice (hal_graphics_mapper_hwservice_28_0 hal_renderscript_hwservice_28_0))
-(typeattribute coredomain_hwservice)
-(typeattributeset coredomain_hwservice (fwk_display_hwservice_28_0 fwk_scheduler_hwservice_28_0 fwk_sensor_hwservice_28_0 hidl_allocator_hwservice_28_0 hidl_manager_hwservice_28_0 hidl_memory_hwservice_28_0 hidl_token_hwservice_28_0 system_net_netd_hwservice_28_0 system_wifi_keystore_hwservice_28_0))
-(typeattribute vndservice_manager_type)
-(typeattributeset vndservice_manager_type (default_android_vndservice_28_0))
-(typeattribute mlstrustedsubject)
-(typeattributeset mlstrustedsubject (bufferhubd_28_0 cppreopts_28_0 drmserver_28_0 dumpstate_28_0 pdx_display_client_endpoint_socket_28_0 pdx_display_manager_endpoint_socket_28_0 pdx_display_screenshot_endpoint_socket_28_0 pdx_display_vsync_endpoint_socket_28_0 pdx_performance_client_endpoint_socket_28_0 pdx_bufferhub_client_endpoint_socket_28_0 hwservicemanager_28_0 init_28_0 installd_28_0 kernel_28_0 keystore_28_0 lmkd_28_0 logd_28_0 mediacodec_28_0 mediadrmserver_28_0 mediaextractor_28_0 mediaserver_28_0 netd_28_0 otapreopt_slot_28_0 performanced_28_0 perfprofd_28_0 racoon_28_0 radio_28_0 runas_28_0 servicemanager_28_0 shell_28_0 su_28_0 tombstoned_28_0 traced_probes_28_0 uncrypt_28_0 vendor_init_28_0 vold_28_0))
-(typeattribute mlstrustedobject)
-(typeattributeset mlstrustedobject (alarm_device_28_0 ashmem_device_28_0 binder_device_28_0 hwbinder_device_28_0 pmsg_device_28_0 gpu_device_28_0 mtp_device_28_0 ptmx_device_28_0 null_device_28_0 random_device_28_0 owntty_device_28_0 zero_device_28_0 fuse_device_28_0 ion_device_28_0 tun_device_28_0 usbaccessory_device_28_0 usb_device_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 selinuxfs_28_0 cgroup_28_0 sysfs_28_0 sysfs_bluetooth_writable_28_0 sysfs_kernel_notes_28_0 sysfs_nfc_power_writable_28_0 inotify_28_0 devpts_28_0 fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 functionfs_28_0 anr_data_file_28_0 tombstone_data_file_28_0 apk_tmp_file_28_0 apk_private_tmp_file_28_0 ota_package_file_28_0 user_profile_data_file_28_0 shell_data_file_28_0 heapdump_data_file_28_0 ringtone_file_28_0 media_rw_data_file_28_0 radio_data_file_28_0 trace_data_file_28_0 perfprofd_data_file_28_0 method_trace_data_file_28_0 system_app_data_file_28_0 cache_file_28_0 cache_backup_file_28_0 cache_recovery_file_28_0 wallpaper_file_28_0 shortcut_manager_icons_28_0 asec_apk_file_28_0 backup_data_file_28_0 app_fuse_file_28_0 dnsproxyd_socket_28_0 fwmarkd_socket_28_0 logd_socket_28_0 logdr_socket_28_0 logdw_socket_28_0 mdnsd_socket_28_0 property_socket_28_0 system_ndebug_socket_28_0 tombstoned_crash_socket_28_0 tombstoned_java_trace_socket_28_0 traced_producer_socket_28_0 pdx_display_client_endpoint_socket_28_0 pdx_display_manager_endpoint_socket_28_0 pdx_display_screenshot_endpoint_socket_28_0 pdx_display_vsync_endpoint_socket_28_0 pdx_performance_client_endpoint_socket_28_0 pdx_bufferhub_client_endpoint_socket_28_0))
-(typeattribute appdomain)
-(typeattribute untrusted_app_all)
-(typeattribute netdomain)
-(typeattributeset netdomain (clatd_28_0 dhcp_28_0 dnsmasq_28_0 drmserver_28_0 dumpstate_28_0 mediadrmserver_28_0 mediaserver_28_0 mtp_28_0 netd_28_0 ppp_28_0 racoon_28_0 radio_28_0 shell_28_0 su_28_0 update_engine_28_0 wpantund_28_0))
-(typeattribute bluetoothdomain)
-(typeattributeset bluetoothdomain (radio_28_0))
-(typeattribute binderservicedomain)
-(typeattributeset binderservicedomain (cameraserver_28_0 drmserver_28_0 gatekeeperd_28_0 inputflinger_28_0 keystore_28_0 mediadrmserver_28_0 mediaextractor_28_0 mediametrics_28_0 mediaserver_28_0 radio_28_0 thermalserviced_28_0 virtual_touchpad_28_0 vr_hwc_28_0))
-(typeattribute update_engine_common)
-(typeattributeset update_engine_common (update_engine_28_0))
-(typeattribute coredomain)
-(typeattributeset coredomain (e2fs_28_0 perfprofd_28_0 traced_probes_28_0 vold_prepare_subdirs_28_0))
-(typeattribute coredomain_socket)
-(expandtypeattribute (coredomain_socket) false)
-(typeattributeset coredomain_socket (adbd_socket_28_0 bluetooth_socket_28_0 dnsproxyd_socket_28_0 dumpstate_socket_28_0 fwmarkd_socket_28_0 lmkd_socket_28_0 logd_socket_28_0 logdr_socket_28_0 logdw_socket_28_0 mdns_socket_28_0 mdnsd_socket_28_0 misc_logd_file_28_0 mtpd_socket_28_0 netd_socket_28_0 property_socket_28_0 racoon_socket_28_0 system_wpa_socket_28_0 system_ndebug_socket_28_0 tombstoned_crash_socket_28_0 tombstoned_intercept_socket_28_0 traced_producer_socket_28_0 traced_consumer_socket_28_0 uncrypt_socket_28_0 zygote_socket_28_0 pdx_display_client_endpoint_socket_28_0 pdx_display_client_channel_socket_28_0 pdx_display_manager_endpoint_socket_28_0 pdx_display_manager_channel_socket_28_0 pdx_display_screenshot_endpoint_socket_28_0 pdx_display_screenshot_channel_socket_28_0 pdx_display_vsync_endpoint_socket_28_0 pdx_display_vsync_channel_socket_28_0 pdx_performance_client_endpoint_socket_28_0 pdx_performance_client_channel_socket_28_0 pdx_bufferhub_client_endpoint_socket_28_0 pdx_bufferhub_client_channel_socket_28_0))
-(typeattribute binder_in_vendor_violators)
-(expandtypeattribute (binder_in_vendor_violators) false)
-(typeattribute socket_between_core_and_vendor_violators)
-(expandtypeattribute (socket_between_core_and_vendor_violators) false)
-(typeattribute vendor_executes_system_violators)
-(expandtypeattribute (vendor_executes_system_violators) false)
-(typeattribute data_between_core_and_vendor_violators)
-(expandtypeattribute (data_between_core_and_vendor_violators) false)
-(typeattribute system_executes_vendor_violators)
-(expandtypeattribute (system_executes_vendor_violators) false)
-(typeattribute system_writes_vendor_properties_violators)
-(expandtypeattribute (system_writes_vendor_properties_violators) false)
-(typeattribute untrusted_app_visible_hwservice)
-(expandtypeattribute (untrusted_app_visible_hwservice) false)
-(typeattribute untrusted_app_visible_halserver)
-(expandtypeattribute (untrusted_app_visible_halserver) false)
-(typeattribute pdx_endpoint_dir_type)
-(typeattributeset pdx_endpoint_dir_type (pdx_display_dir_28_0 pdx_performance_dir_28_0 pdx_bufferhub_dir_28_0))
-(typeattribute pdx_endpoint_socket_type)
-(expandtypeattribute (pdx_endpoint_socket_type) false)
-(typeattributeset pdx_endpoint_socket_type (pdx_display_client_endpoint_socket_28_0 pdx_display_manager_endpoint_socket_28_0 pdx_display_screenshot_endpoint_socket_28_0 pdx_display_vsync_endpoint_socket_28_0 pdx_performance_client_endpoint_socket_28_0 pdx_bufferhub_client_endpoint_socket_28_0))
-(typeattribute pdx_channel_socket_type)
-(expandtypeattribute (pdx_channel_socket_type) false)
-(typeattributeset pdx_channel_socket_type (pdx_display_client_channel_socket_28_0 pdx_display_manager_channel_socket_28_0 pdx_display_screenshot_channel_socket_28_0 pdx_display_vsync_channel_socket_28_0 pdx_performance_client_channel_socket_28_0 pdx_bufferhub_client_channel_socket_28_0))
-(typeattribute pdx_display_client_endpoint_dir_type)
-(typeattributeset pdx_display_client_endpoint_dir_type (pdx_display_dir_28_0))
-(typeattribute pdx_display_client_endpoint_socket_type)
-(typeattributeset pdx_display_client_endpoint_socket_type (pdx_display_client_endpoint_socket_28_0))
-(typeattribute pdx_display_client_channel_socket_type)
-(typeattributeset pdx_display_client_channel_socket_type (pdx_display_client_channel_socket_28_0))
-(typeattribute pdx_display_client_server_type)
-(typeattribute pdx_display_manager_endpoint_dir_type)
-(typeattributeset pdx_display_manager_endpoint_dir_type (pdx_display_dir_28_0))
-(typeattribute pdx_display_manager_endpoint_socket_type)
-(typeattributeset pdx_display_manager_endpoint_socket_type (pdx_display_manager_endpoint_socket_28_0))
-(typeattribute pdx_display_manager_channel_socket_type)
-(typeattributeset pdx_display_manager_channel_socket_type (pdx_display_manager_channel_socket_28_0))
-(typeattribute pdx_display_manager_server_type)
-(typeattribute pdx_display_screenshot_endpoint_dir_type)
-(typeattributeset pdx_display_screenshot_endpoint_dir_type (pdx_display_dir_28_0))
-(typeattribute pdx_display_screenshot_endpoint_socket_type)
-(typeattributeset pdx_display_screenshot_endpoint_socket_type (pdx_display_screenshot_endpoint_socket_28_0))
-(typeattribute pdx_display_screenshot_channel_socket_type)
-(typeattributeset pdx_display_screenshot_channel_socket_type (pdx_display_screenshot_channel_socket_28_0))
-(typeattribute pdx_display_screenshot_server_type)
-(typeattribute pdx_display_vsync_endpoint_dir_type)
-(typeattributeset pdx_display_vsync_endpoint_dir_type (pdx_display_dir_28_0))
-(typeattribute pdx_display_vsync_endpoint_socket_type)
-(typeattributeset pdx_display_vsync_endpoint_socket_type (pdx_display_vsync_endpoint_socket_28_0))
-(typeattribute pdx_display_vsync_channel_socket_type)
-(typeattributeset pdx_display_vsync_channel_socket_type (pdx_display_vsync_channel_socket_28_0))
-(typeattribute pdx_display_vsync_server_type)
-(typeattribute pdx_performance_client_endpoint_dir_type)
-(typeattributeset pdx_performance_client_endpoint_dir_type (pdx_performance_dir_28_0))
-(typeattribute pdx_performance_client_endpoint_socket_type)
-(typeattributeset pdx_performance_client_endpoint_socket_type (pdx_performance_client_endpoint_socket_28_0))
-(typeattribute pdx_performance_client_channel_socket_type)
-(typeattributeset pdx_performance_client_channel_socket_type (pdx_performance_client_channel_socket_28_0))
-(typeattribute pdx_performance_client_server_type)
-(typeattributeset pdx_performance_client_server_type (performanced_28_0))
-(typeattribute pdx_bufferhub_client_endpoint_dir_type)
-(typeattributeset pdx_bufferhub_client_endpoint_dir_type (pdx_bufferhub_dir_28_0))
-(typeattribute pdx_bufferhub_client_endpoint_socket_type)
-(typeattributeset pdx_bufferhub_client_endpoint_socket_type (pdx_bufferhub_client_endpoint_socket_28_0))
-(typeattribute pdx_bufferhub_client_channel_socket_type)
-(typeattributeset pdx_bufferhub_client_channel_socket_type (pdx_bufferhub_client_channel_socket_28_0))
-(typeattribute pdx_bufferhub_client_server_type)
-(typeattributeset pdx_bufferhub_client_server_type (bufferhubd_28_0))
-(typeattribute halserverdomain)
-(typeattribute halclientdomain)
-(expandtypeattribute (halclientdomain) true)
-(typeattributeset halclientdomain (bootanim_28_0 bufferhubd_28_0 cameraserver_28_0 dumpstate_28_0 gatekeeperd_28_0 healthd_28_0 mediacodec_28_0 mediadrmserver_28_0 mediaextractor_28_0 mediaserver_28_0 radio_28_0 su_28_0 thermalserviced_28_0 update_engine_28_0 update_verifier_28_0 vold_28_0 vr_hwc_28_0 wpantund_28_0))
-(typeattribute hal_automotive_socket_exemption)
-(typeattribute hal_audio)
-(typeattribute hal_audio_client)
-(expandtypeattribute (hal_audio_client) true)
-(typeattributeset hal_audio_client (su_28_0))
-(typeattribute hal_audio_server)
-(expandtypeattribute (hal_audio_server) false)
-(typeattribute hal_bootctl)
-(typeattribute hal_bootctl_client)
-(expandtypeattribute (hal_bootctl_client) true)
-(typeattributeset hal_bootctl_client (su_28_0 update_engine_28_0 update_verifier_28_0))
-(typeattribute hal_bootctl_server)
-(expandtypeattribute (hal_bootctl_server) false)
-(typeattribute hal_camera)
-(typeattribute hal_camera_client)
-(expandtypeattribute (hal_camera_client) true)
-(typeattributeset hal_camera_client (cameraserver_28_0 su_28_0))
-(typeattribute hal_camera_server)
-(expandtypeattribute (hal_camera_server) false)
-(typeattribute hal_drm)
-(typeattribute hal_drm_client)
-(expandtypeattribute (hal_drm_client) true)
-(typeattributeset hal_drm_client (mediadrmserver_28_0 su_28_0))
-(typeattribute hal_drm_server)
-(expandtypeattribute (hal_drm_server) false)
-(typeattribute hal_cas)
-(typeattribute hal_cas_client)
-(expandtypeattribute (hal_cas_client) true)
-(typeattributeset hal_cas_client (mediacodec_28_0 mediaextractor_28_0 su_28_0))
-(typeattribute hal_cas_server)
-(expandtypeattribute (hal_cas_server) false)
-(typeattribute hal_allocator)
-(expandtypeattribute (hal_allocator) true)
-(typeattribute hal_allocator_client)
-(expandtypeattribute (hal_allocator_client) true)
-(typeattributeset hal_allocator_client (mediacodec_28_0 mediaserver_28_0 su_28_0))
-(typeattribute hal_allocator_server)
-(expandtypeattribute (hal_allocator_server) false)
-(typeattribute hal_audiocontrol)
-(expandtypeattribute (hal_audiocontrol) true)
-(typeattribute hal_audiocontrol_client)
-(expandtypeattribute (hal_audiocontrol_client) true)
-(typeattribute hal_audiocontrol_server)
-(expandtypeattribute (hal_audiocontrol_server) false)
-(typeattribute hal_authsecret)
-(expandtypeattribute (hal_authsecret) true)
-(typeattribute hal_authsecret_client)
-(expandtypeattribute (hal_authsecret_client) true)
-(typeattributeset hal_authsecret_client (su_28_0))
-(typeattribute hal_authsecret_server)
-(expandtypeattribute (hal_authsecret_server) false)
-(typeattribute hal_bluetooth)
-(expandtypeattribute (hal_bluetooth) true)
-(typeattribute hal_bluetooth_client)
-(expandtypeattribute (hal_bluetooth_client) true)
-(typeattributeset hal_bluetooth_client (su_28_0))
-(typeattribute hal_bluetooth_server)
-(expandtypeattribute (hal_bluetooth_server) false)
-(typeattribute hal_broadcastradio)
-(expandtypeattribute (hal_broadcastradio) true)
-(typeattribute hal_broadcastradio_client)
-(expandtypeattribute (hal_broadcastradio_client) true)
-(typeattribute hal_broadcastradio_server)
-(expandtypeattribute (hal_broadcastradio_server) false)
-(typeattribute hal_configstore)
-(expandtypeattribute (hal_configstore) true)
-(typeattribute hal_configstore_client)
-(expandtypeattribute (hal_configstore_client) true)
-(typeattributeset hal_configstore_client (bootanim_28_0 su_28_0))
-(typeattribute hal_configstore_server)
-(expandtypeattribute (hal_configstore_server) false)
-(typeattribute hal_confirmationui)
-(expandtypeattribute (hal_confirmationui) true)
-(typeattribute hal_confirmationui_client)
-(expandtypeattribute (hal_confirmationui_client) true)
-(typeattributeset hal_confirmationui_client (su_28_0))
-(typeattribute hal_confirmationui_server)
-(expandtypeattribute (hal_confirmationui_server) false)
-(typeattribute hal_contexthub)
-(expandtypeattribute (hal_contexthub) true)
-(typeattribute hal_contexthub_client)
-(expandtypeattribute (hal_contexthub_client) true)
-(typeattributeset hal_contexthub_client (su_28_0))
-(typeattribute hal_contexthub_server)
-(expandtypeattribute (hal_contexthub_server) false)
-(typeattribute hal_dumpstate)
-(expandtypeattribute (hal_dumpstate) true)
-(typeattribute hal_dumpstate_client)
-(expandtypeattribute (hal_dumpstate_client) true)
-(typeattributeset hal_dumpstate_client (dumpstate_28_0 su_28_0))
-(typeattribute hal_dumpstate_server)
-(expandtypeattribute (hal_dumpstate_server) false)
-(typeattribute hal_evs)
-(expandtypeattribute (hal_evs) true)
-(typeattribute hal_evs_client)
-(expandtypeattribute (hal_evs_client) true)
-(typeattribute hal_evs_server)
-(expandtypeattribute (hal_evs_server) false)
-(typeattribute hal_fingerprint)
-(expandtypeattribute (hal_fingerprint) true)
-(typeattribute hal_fingerprint_client)
-(expandtypeattribute (hal_fingerprint_client) true)
-(typeattributeset hal_fingerprint_client (su_28_0))
-(typeattribute hal_fingerprint_server)
-(expandtypeattribute (hal_fingerprint_server) false)
-(typeattribute hal_gatekeeper)
-(expandtypeattribute (hal_gatekeeper) true)
-(typeattribute hal_gatekeeper_client)
-(expandtypeattribute (hal_gatekeeper_client) true)
-(typeattributeset hal_gatekeeper_client (gatekeeperd_28_0 su_28_0))
-(typeattribute hal_gatekeeper_server)
-(expandtypeattribute (hal_gatekeeper_server) false)
-(typeattribute hal_gnss)
-(expandtypeattribute (hal_gnss) true)
-(typeattribute hal_gnss_client)
-(expandtypeattribute (hal_gnss_client) true)
-(typeattributeset hal_gnss_client (su_28_0))
-(typeattribute hal_gnss_server)
-(expandtypeattribute (hal_gnss_server) false)
-(typeattribute hal_graphics_allocator)
-(expandtypeattribute (hal_graphics_allocator) true)
-(typeattribute hal_graphics_allocator_client)
-(expandtypeattribute (hal_graphics_allocator_client) true)
-(typeattributeset hal_graphics_allocator_client (bootanim_28_0 bufferhubd_28_0 cameraserver_28_0 dumpstate_28_0 mediacodec_28_0 su_28_0 vr_hwc_28_0))
-(typeattribute hal_graphics_allocator_server)
-(expandtypeattribute (hal_graphics_allocator_server) false)
-(typeattribute hal_graphics_composer)
-(expandtypeattribute (hal_graphics_composer) true)
-(typeattribute hal_graphics_composer_client)
-(expandtypeattribute (hal_graphics_composer_client) true)
-(typeattributeset hal_graphics_composer_client (bootanim_28_0 su_28_0))
-(typeattribute hal_graphics_composer_server)
-(expandtypeattribute (hal_graphics_composer_server) false)
-(typeattribute hal_health)
-(expandtypeattribute (hal_health) true)
-(typeattribute hal_health_client)
-(expandtypeattribute (hal_health_client) true)
-(typeattributeset hal_health_client (healthd_28_0 su_28_0))
-(typeattribute hal_health_server)
-(expandtypeattribute (hal_health_server) false)
-(typeattribute hal_ir)
-(expandtypeattribute (hal_ir) true)
-(typeattribute hal_ir_client)
-(expandtypeattribute (hal_ir_client) true)
-(typeattributeset hal_ir_client (su_28_0))
-(typeattribute hal_ir_server)
-(expandtypeattribute (hal_ir_server) false)
-(typeattribute hal_keymaster)
-(expandtypeattribute (hal_keymaster) true)
-(typeattribute hal_keymaster_client)
-(expandtypeattribute (hal_keymaster_client) true)
-(typeattributeset hal_keymaster_client (su_28_0 vold_28_0))
-(typeattribute hal_keymaster_server)
-(expandtypeattribute (hal_keymaster_server) false)
-(typeattribute hal_light)
-(expandtypeattribute (hal_light) true)
-(typeattribute hal_light_client)
-(expandtypeattribute (hal_light_client) true)
-(typeattributeset hal_light_client (su_28_0))
-(typeattribute hal_light_server)
-(expandtypeattribute (hal_light_server) false)
-(typeattribute hal_lowpan)
-(expandtypeattribute (hal_lowpan) true)
-(typeattribute hal_lowpan_client)
-(expandtypeattribute (hal_lowpan_client) true)
-(typeattributeset hal_lowpan_client (wpantund_28_0))
-(typeattribute hal_lowpan_server)
-(expandtypeattribute (hal_lowpan_server) false)
-(typeattribute hal_memtrack)
-(expandtypeattribute (hal_memtrack) true)
-(typeattribute hal_memtrack_client)
-(expandtypeattribute (hal_memtrack_client) true)
-(typeattributeset hal_memtrack_client (su_28_0))
-(typeattribute hal_memtrack_server)
-(expandtypeattribute (hal_memtrack_server) false)
-(typeattribute hal_neuralnetworks)
-(expandtypeattribute (hal_neuralnetworks) true)
-(typeattribute hal_neuralnetworks_client)
-(expandtypeattribute (hal_neuralnetworks_client) true)
-(typeattributeset hal_neuralnetworks_client (su_28_0))
-(typeattribute hal_neuralnetworks_server)
-(expandtypeattribute (hal_neuralnetworks_server) false)
-(typeattribute hal_nfc)
-(expandtypeattribute (hal_nfc) true)
-(typeattribute hal_nfc_client)
-(expandtypeattribute (hal_nfc_client) true)
-(typeattributeset hal_nfc_client (su_28_0))
-(typeattribute hal_nfc_server)
-(expandtypeattribute (hal_nfc_server) false)
-(typeattribute hal_oemlock)
-(expandtypeattribute (hal_oemlock) true)
-(typeattribute hal_oemlock_client)
-(expandtypeattribute (hal_oemlock_client) true)
-(typeattributeset hal_oemlock_client (su_28_0))
-(typeattribute hal_oemlock_server)
-(expandtypeattribute (hal_oemlock_server) false)
-(typeattribute hal_power)
-(expandtypeattribute (hal_power) true)
-(typeattribute hal_power_client)
-(expandtypeattribute (hal_power_client) true)
-(typeattributeset hal_power_client (su_28_0))
-(typeattribute hal_power_server)
-(expandtypeattribute (hal_power_server) false)
-(typeattribute hal_secure_element)
-(expandtypeattribute (hal_secure_element) true)
-(typeattribute hal_secure_element_client)
-(expandtypeattribute (hal_secure_element_client) true)
-(typeattributeset hal_secure_element_client (su_28_0))
-(typeattribute hal_secure_element_server)
-(expandtypeattribute (hal_secure_element_server) false)
-(typeattribute hal_sensors)
-(expandtypeattribute (hal_sensors) true)
-(typeattribute hal_sensors_client)
-(expandtypeattribute (hal_sensors_client) true)
-(typeattributeset hal_sensors_client (su_28_0))
-(typeattribute hal_sensors_server)
-(expandtypeattribute (hal_sensors_server) false)
-(typeattribute hal_telephony)
-(expandtypeattribute (hal_telephony) true)
-(typeattribute hal_telephony_client)
-(expandtypeattribute (hal_telephony_client) true)
-(typeattributeset hal_telephony_client (radio_28_0 su_28_0))
-(typeattribute hal_telephony_server)
-(expandtypeattribute (hal_telephony_server) false)
-(typeattribute hal_tetheroffload)
-(expandtypeattribute (hal_tetheroffload) true)
-(typeattribute hal_tetheroffload_client)
-(expandtypeattribute (hal_tetheroffload_client) true)
-(typeattributeset hal_tetheroffload_client (su_28_0))
-(typeattribute hal_tetheroffload_server)
-(expandtypeattribute (hal_tetheroffload_server) false)
-(typeattribute hal_thermal)
-(expandtypeattribute (hal_thermal) true)
-(typeattribute hal_thermal_client)
-(expandtypeattribute (hal_thermal_client) true)
-(typeattributeset hal_thermal_client (su_28_0 thermalserviced_28_0))
-(typeattribute hal_thermal_server)
-(expandtypeattribute (hal_thermal_server) false)
-(typeattribute hal_tv_cec)
-(expandtypeattribute (hal_tv_cec) true)
-(typeattribute hal_tv_cec_client)
-(expandtypeattribute (hal_tv_cec_client) true)
-(typeattributeset hal_tv_cec_client (su_28_0))
-(typeattribute hal_tv_cec_server)
-(expandtypeattribute (hal_tv_cec_server) false)
-(typeattribute hal_tv_input)
-(expandtypeattribute (hal_tv_input) true)
-(typeattribute hal_tv_input_client)
-(expandtypeattribute (hal_tv_input_client) true)
-(typeattributeset hal_tv_input_client (su_28_0))
-(typeattribute hal_tv_input_server)
-(expandtypeattribute (hal_tv_input_server) false)
-(typeattribute hal_usb)
-(expandtypeattribute (hal_usb) true)
-(typeattribute hal_usb_client)
-(expandtypeattribute (hal_usb_client) true)
-(typeattributeset hal_usb_client (su_28_0))
-(typeattribute hal_usb_server)
-(expandtypeattribute (hal_usb_server) false)
-(typeattribute hal_usb_gadget)
-(expandtypeattribute (hal_usb_gadget) true)
-(typeattribute hal_usb_gadget_client)
-(expandtypeattribute (hal_usb_gadget_client) true)
-(typeattribute hal_usb_gadget_server)
-(expandtypeattribute (hal_usb_gadget_server) false)
-(typeattribute hal_vehicle)
-(expandtypeattribute (hal_vehicle) true)
-(typeattribute hal_vehicle_client)
-(expandtypeattribute (hal_vehicle_client) true)
-(typeattribute hal_vehicle_server)
-(expandtypeattribute (hal_vehicle_server) false)
-(typeattribute hal_vibrator)
-(expandtypeattribute (hal_vibrator) true)
-(typeattribute hal_vibrator_client)
-(expandtypeattribute (hal_vibrator_client) true)
-(typeattributeset hal_vibrator_client (dumpstate_28_0 su_28_0))
-(typeattribute hal_vibrator_server)
-(expandtypeattribute (hal_vibrator_server) false)
-(typeattribute hal_vr)
-(expandtypeattribute (hal_vr) true)
-(typeattribute hal_vr_client)
-(expandtypeattribute (hal_vr_client) true)
-(typeattributeset hal_vr_client (su_28_0))
-(typeattribute hal_vr_server)
-(expandtypeattribute (hal_vr_server) false)
-(typeattribute hal_weaver)
-(expandtypeattribute (hal_weaver) true)
-(typeattribute hal_weaver_client)
-(expandtypeattribute (hal_weaver_client) true)
-(typeattributeset hal_weaver_client (su_28_0))
-(typeattribute hal_weaver_server)
-(expandtypeattribute (hal_weaver_server) false)
-(typeattribute hal_wifi)
-(expandtypeattribute (hal_wifi) true)
-(typeattribute hal_wifi_client)
-(expandtypeattribute (hal_wifi_client) true)
-(typeattributeset hal_wifi_client (su_28_0))
-(typeattribute hal_wifi_server)
-(expandtypeattribute (hal_wifi_server) false)
-(typeattribute hal_wifi_hostapd)
-(expandtypeattribute (hal_wifi_hostapd) true)
-(typeattribute hal_wifi_hostapd_client)
-(expandtypeattribute (hal_wifi_hostapd_client) true)
-(typeattributeset hal_wifi_hostapd_client (su_28_0))
-(typeattribute hal_wifi_hostapd_server)
-(expandtypeattribute (hal_wifi_hostapd_server) false)
-(typeattribute hal_wifi_offload)
-(expandtypeattribute (hal_wifi_offload) true)
-(typeattribute hal_wifi_offload_client)
-(expandtypeattribute (hal_wifi_offload_client) true)
-(typeattributeset hal_wifi_offload_client (su_28_0))
-(typeattribute hal_wifi_offload_server)
-(expandtypeattribute (hal_wifi_offload_server) false)
-(typeattribute hal_wifi_supplicant)
-(expandtypeattribute (hal_wifi_supplicant) true)
-(typeattribute hal_wifi_supplicant_client)
-(expandtypeattribute (hal_wifi_supplicant_client) true)
-(typeattributeset hal_wifi_supplicant_client (su_28_0))
-(typeattribute hal_wifi_supplicant_server)
-(expandtypeattribute (hal_wifi_supplicant_server) false)
-(typeattribute display_service_server)
-(typeattribute wifi_keystore_service_server)
-(type adbd)
-(typeattribute adbd_28_0)
-(roletype object_r adbd_28_0)
-(type adbd_exec)
-(typeattribute adbd_exec_28_0)
-(roletype object_r adbd_exec_28_0)
-(type audioserver)
-(typeattribute audioserver_28_0)
-(roletype object_r audioserver_28_0)
-(type blkid)
-(typeattribute blkid_28_0)
-(roletype object_r blkid_28_0)
-(type blkid_untrusted)
-(typeattribute blkid_untrusted_28_0)
-(roletype object_r blkid_untrusted_28_0)
-(type bluetooth)
-(typeattribute bluetooth_28_0)
-(roletype object_r bluetooth_28_0)
-(type bootanim)
-(typeattribute bootanim_28_0)
-(roletype object_r bootanim_28_0)
-(type bootanim_exec)
-(typeattribute bootanim_exec_28_0)
-(roletype object_r bootanim_exec_28_0)
-(type bootstat)
-(typeattribute bootstat_28_0)
-(roletype object_r bootstat_28_0)
-(type bootstat_exec)
-(typeattribute bootstat_exec_28_0)
-(roletype object_r bootstat_exec_28_0)
-(type bufferhubd)
-(typeattribute bufferhubd_28_0)
-(roletype object_r bufferhubd_28_0)
-(type bufferhubd_exec)
-(typeattribute bufferhubd_exec_28_0)
-(roletype object_r bufferhubd_exec_28_0)
-(type cameraserver)
-(typeattribute cameraserver_28_0)
-(roletype object_r cameraserver_28_0)
-(type cameraserver_exec)
-(typeattribute cameraserver_exec_28_0)
-(roletype object_r cameraserver_exec_28_0)
-(type charger)
-(typeattribute charger_28_0)
-(roletype object_r charger_28_0)
-(type clatd)
-(typeattribute clatd_28_0)
-(roletype object_r clatd_28_0)
-(type clatd_exec)
-(typeattribute clatd_exec_28_0)
-(roletype object_r clatd_exec_28_0)
-(type cppreopts)
-(typeattribute cppreopts_28_0)
-(roletype object_r cppreopts_28_0)
-(type cppreopts_exec)
-(typeattribute cppreopts_exec_28_0)
-(roletype object_r cppreopts_exec_28_0)
-(type crash_dump)
-(typeattribute crash_dump_28_0)
-(roletype object_r crash_dump_28_0)
-(type crash_dump_exec)
-(typeattribute crash_dump_exec_28_0)
-(roletype object_r crash_dump_exec_28_0)
-(type device)
-(typeattribute device_28_0)
-(roletype object_r device_28_0)
-(type alarm_device)
-(typeattribute alarm_device_28_0)
-(roletype object_r alarm_device_28_0)
-(type ashmem_device)
-(typeattribute ashmem_device_28_0)
-(roletype object_r ashmem_device_28_0)
-(type audio_device)
-(typeattribute audio_device_28_0)
-(roletype object_r audio_device_28_0)
-(type audio_timer_device)
-(typeattribute audio_timer_device_28_0)
-(roletype object_r audio_timer_device_28_0)
-(type audio_seq_device)
-(typeattribute audio_seq_device_28_0)
-(roletype object_r audio_seq_device_28_0)
-(type binder_device)
-(typeattribute binder_device_28_0)
-(roletype object_r binder_device_28_0)
-(type hwbinder_device)
-(typeattribute hwbinder_device_28_0)
-(roletype object_r hwbinder_device_28_0)
-(type vndbinder_device)
-(typeattribute vndbinder_device_28_0)
-(roletype object_r vndbinder_device_28_0)
-(type block_device)
-(typeattribute block_device_28_0)
-(roletype object_r block_device_28_0)
-(type camera_device)
-(typeattribute camera_device_28_0)
-(roletype object_r camera_device_28_0)
-(type dm_device)
-(typeattribute dm_device_28_0)
-(roletype object_r dm_device_28_0)
-(type keychord_device)
-(typeattribute keychord_device_28_0)
-(roletype object_r keychord_device_28_0)
-(type loop_control_device)
-(typeattribute loop_control_device_28_0)
-(roletype object_r loop_control_device_28_0)
-(type loop_device)
-(typeattribute loop_device_28_0)
-(roletype object_r loop_device_28_0)
-(type pmsg_device)
-(typeattribute pmsg_device_28_0)
-(roletype object_r pmsg_device_28_0)
-(type radio_device)
-(typeattribute radio_device_28_0)
-(roletype object_r radio_device_28_0)
-(type ram_device)
-(typeattribute ram_device_28_0)
-(roletype object_r ram_device_28_0)
-(type rtc_device)
-(typeattribute rtc_device_28_0)
-(roletype object_r rtc_device_28_0)
-(type vold_device)
-(typeattribute vold_device_28_0)
-(roletype object_r vold_device_28_0)
-(type console_device)
-(typeattribute console_device_28_0)
-(roletype object_r console_device_28_0)
-(type cpuctl_device)
-(typeattribute cpuctl_device_28_0)
-(roletype object_r cpuctl_device_28_0)
-(type fscklogs)
-(typeattribute fscklogs_28_0)
-(roletype object_r fscklogs_28_0)
-(type full_device)
-(typeattribute full_device_28_0)
-(roletype object_r full_device_28_0)
-(type gpu_device)
-(typeattribute gpu_device_28_0)
-(roletype object_r gpu_device_28_0)
-(type graphics_device)
-(typeattribute graphics_device_28_0)
-(roletype object_r graphics_device_28_0)
-(type hw_random_device)
-(typeattribute hw_random_device_28_0)
-(roletype object_r hw_random_device_28_0)
-(type input_device)
-(typeattribute input_device_28_0)
-(roletype object_r input_device_28_0)
-(type kmem_device)
-(typeattribute kmem_device_28_0)
-(roletype object_r kmem_device_28_0)
-(type port_device)
-(typeattribute port_device_28_0)
-(roletype object_r port_device_28_0)
-(type lowpan_device)
-(typeattribute lowpan_device_28_0)
-(roletype object_r lowpan_device_28_0)
-(type mtd_device)
-(typeattribute mtd_device_28_0)
-(roletype object_r mtd_device_28_0)
-(type mtp_device)
-(typeattribute mtp_device_28_0)
-(roletype object_r mtp_device_28_0)
-(type nfc_device)
-(typeattribute nfc_device_28_0)
-(roletype object_r nfc_device_28_0)
-(type ptmx_device)
-(typeattribute ptmx_device_28_0)
-(roletype object_r ptmx_device_28_0)
-(type kmsg_device)
-(typeattribute kmsg_device_28_0)
-(roletype object_r kmsg_device_28_0)
-(type kmsg_debug_device)
-(typeattribute kmsg_debug_device_28_0)
-(roletype object_r kmsg_debug_device_28_0)
-(type null_device)
-(typeattribute null_device_28_0)
-(roletype object_r null_device_28_0)
-(type random_device)
-(typeattribute random_device_28_0)
-(roletype object_r random_device_28_0)
-(type secure_element_device)
-(typeattribute secure_element_device_28_0)
-(roletype object_r secure_element_device_28_0)
-(type sensors_device)
-(typeattribute sensors_device_28_0)
-(roletype object_r sensors_device_28_0)
-(type serial_device)
-(typeattribute serial_device_28_0)
-(roletype object_r serial_device_28_0)
-(type socket_device)
-(typeattribute socket_device_28_0)
-(roletype object_r socket_device_28_0)
-(type owntty_device)
-(typeattribute owntty_device_28_0)
-(roletype object_r owntty_device_28_0)
-(type tty_device)
-(typeattribute tty_device_28_0)
-(roletype object_r tty_device_28_0)
-(type video_device)
-(typeattribute video_device_28_0)
-(roletype object_r video_device_28_0)
-(type vcs_device)
-(typeattribute vcs_device_28_0)
-(roletype object_r vcs_device_28_0)
-(type zero_device)
-(typeattribute zero_device_28_0)
-(roletype object_r zero_device_28_0)
-(type fuse_device)
-(typeattribute fuse_device_28_0)
-(roletype object_r fuse_device_28_0)
-(type iio_device)
-(typeattribute iio_device_28_0)
-(roletype object_r iio_device_28_0)
-(type ion_device)
-(typeattribute ion_device_28_0)
-(roletype object_r ion_device_28_0)
-(type qtaguid_device)
-(typeattribute qtaguid_device_28_0)
-(roletype object_r qtaguid_device_28_0)
-(type watchdog_device)
-(typeattribute watchdog_device_28_0)
-(roletype object_r watchdog_device_28_0)
-(type uhid_device)
-(typeattribute uhid_device_28_0)
-(roletype object_r uhid_device_28_0)
-(type uio_device)
-(typeattribute uio_device_28_0)
-(roletype object_r uio_device_28_0)
-(type tun_device)
-(typeattribute tun_device_28_0)
-(roletype object_r tun_device_28_0)
-(type usbaccessory_device)
-(typeattribute usbaccessory_device_28_0)
-(roletype object_r usbaccessory_device_28_0)
-(type usb_device)
-(typeattribute usb_device_28_0)
-(roletype object_r usb_device_28_0)
-(type properties_device)
-(typeattribute properties_device_28_0)
-(roletype object_r properties_device_28_0)
-(type properties_serial)
-(typeattribute properties_serial_28_0)
-(roletype object_r properties_serial_28_0)
-(type property_info)
-(typeattribute property_info_28_0)
-(roletype object_r property_info_28_0)
-(type i2c_device)
-(typeattribute i2c_device_28_0)
-(roletype object_r i2c_device_28_0)
-(type hci_attach_dev)
-(typeattribute hci_attach_dev_28_0)
-(roletype object_r hci_attach_dev_28_0)
-(type rpmsg_device)
-(typeattribute rpmsg_device_28_0)
-(roletype object_r rpmsg_device_28_0)
-(type root_block_device)
-(typeattribute root_block_device_28_0)
-(roletype object_r root_block_device_28_0)
-(type frp_block_device)
-(typeattribute frp_block_device_28_0)
-(roletype object_r frp_block_device_28_0)
-(type system_block_device)
-(typeattribute system_block_device_28_0)
-(roletype object_r system_block_device_28_0)
-(type recovery_block_device)
-(typeattribute recovery_block_device_28_0)
-(roletype object_r recovery_block_device_28_0)
-(type boot_block_device)
-(typeattribute boot_block_device_28_0)
-(roletype object_r boot_block_device_28_0)
-(type userdata_block_device)
-(typeattribute userdata_block_device_28_0)
-(roletype object_r userdata_block_device_28_0)
-(type cache_block_device)
-(typeattribute cache_block_device_28_0)
-(roletype object_r cache_block_device_28_0)
-(type swap_block_device)
-(typeattribute swap_block_device_28_0)
-(roletype object_r swap_block_device_28_0)
-(type metadata_block_device)
-(typeattribute metadata_block_device_28_0)
-(roletype object_r metadata_block_device_28_0)
-(type misc_block_device)
-(typeattribute misc_block_device_28_0)
-(roletype object_r misc_block_device_28_0)
-(type dex2oat)
-(typeattribute dex2oat_28_0)
-(roletype object_r dex2oat_28_0)
-(type dex2oat_exec)
-(typeattribute dex2oat_exec_28_0)
-(roletype object_r dex2oat_exec_28_0)
-(type dhcp)
-(typeattribute dhcp_28_0)
-(roletype object_r dhcp_28_0)
-(type dhcp_exec)
-(typeattribute dhcp_exec_28_0)
-(roletype object_r dhcp_exec_28_0)
-(type dnsmasq)
-(typeattribute dnsmasq_28_0)
-(roletype object_r dnsmasq_28_0)
-(type dnsmasq_exec)
-(typeattribute dnsmasq_exec_28_0)
-(roletype object_r dnsmasq_exec_28_0)
-(type drmserver)
-(typeattribute drmserver_28_0)
-(roletype object_r drmserver_28_0)
-(type drmserver_exec)
-(typeattribute drmserver_exec_28_0)
-(roletype object_r drmserver_exec_28_0)
-(type drmserver_socket)
-(typeattribute drmserver_socket_28_0)
-(roletype object_r drmserver_socket_28_0)
-(type dumpstate)
-(typeattribute dumpstate_28_0)
-(roletype object_r dumpstate_28_0)
-(type dumpstate_exec)
-(typeattribute dumpstate_exec_28_0)
-(roletype object_r dumpstate_exec_28_0)
-(type e2fs)
-(typeattribute e2fs_28_0)
-(roletype object_r e2fs_28_0)
-(type e2fs_exec)
-(typeattribute e2fs_exec_28_0)
-(roletype object_r e2fs_exec_28_0)
-(type ephemeral_app)
-(typeattribute ephemeral_app_28_0)
-(roletype object_r ephemeral_app_28_0)
-(type labeledfs)
-(typeattribute labeledfs_28_0)
-(roletype object_r labeledfs_28_0)
-(type pipefs)
-(typeattribute pipefs_28_0)
-(roletype object_r pipefs_28_0)
-(type sockfs)
-(typeattribute sockfs_28_0)
-(roletype object_r sockfs_28_0)
-(type rootfs)
-(typeattribute rootfs_28_0)
-(roletype object_r rootfs_28_0)
-(type proc)
-(typeattribute proc_28_0)
-(roletype object_r proc_28_0)
-(type proc_security)
-(typeattribute proc_security_28_0)
-(roletype object_r proc_security_28_0)
-(type proc_drop_caches)
-(typeattribute proc_drop_caches_28_0)
-(roletype object_r proc_drop_caches_28_0)
-(type proc_overcommit_memory)
-(typeattribute proc_overcommit_memory_28_0)
-(roletype object_r proc_overcommit_memory_28_0)
-(type proc_min_free_order_shift)
-(typeattribute proc_min_free_order_shift_28_0)
-(roletype object_r proc_min_free_order_shift_28_0)
-(type usermodehelper)
-(typeattribute usermodehelper_28_0)
-(roletype object_r usermodehelper_28_0)
-(type sysfs_usermodehelper)
-(typeattribute sysfs_usermodehelper_28_0)
-(roletype object_r sysfs_usermodehelper_28_0)
-(type qtaguid_proc)
-(typeattribute qtaguid_proc_28_0)
-(roletype object_r qtaguid_proc_28_0)
-(type proc_qtaguid_stat)
-(typeattribute proc_qtaguid_stat_28_0)
-(roletype object_r proc_qtaguid_stat_28_0)
-(type proc_bluetooth_writable)
-(typeattribute proc_bluetooth_writable_28_0)
-(roletype object_r proc_bluetooth_writable_28_0)
-(type proc_abi)
-(typeattribute proc_abi_28_0)
-(roletype object_r proc_abi_28_0)
-(type proc_asound)
-(typeattribute proc_asound_28_0)
-(roletype object_r proc_asound_28_0)
-(type proc_buddyinfo)
-(typeattribute proc_buddyinfo_28_0)
-(roletype object_r proc_buddyinfo_28_0)
-(type proc_cmdline)
-(typeattribute proc_cmdline_28_0)
-(roletype object_r proc_cmdline_28_0)
-(type proc_cpuinfo)
-(typeattribute proc_cpuinfo_28_0)
-(roletype object_r proc_cpuinfo_28_0)
-(type proc_dirty)
-(typeattribute proc_dirty_28_0)
-(roletype object_r proc_dirty_28_0)
-(type proc_diskstats)
-(typeattribute proc_diskstats_28_0)
-(roletype object_r proc_diskstats_28_0)
-(type proc_extra_free_kbytes)
-(typeattribute proc_extra_free_kbytes_28_0)
-(roletype object_r proc_extra_free_kbytes_28_0)
-(type proc_filesystems)
-(typeattribute proc_filesystems_28_0)
-(roletype object_r proc_filesystems_28_0)
-(type proc_hostname)
-(typeattribute proc_hostname_28_0)
-(roletype object_r proc_hostname_28_0)
-(type proc_hung_task)
-(typeattribute proc_hung_task_28_0)
-(roletype object_r proc_hung_task_28_0)
-(type proc_interrupts)
-(typeattribute proc_interrupts_28_0)
-(roletype object_r proc_interrupts_28_0)
-(type proc_iomem)
-(typeattribute proc_iomem_28_0)
-(roletype object_r proc_iomem_28_0)
-(type proc_kmsg)
-(typeattribute proc_kmsg_28_0)
-(roletype object_r proc_kmsg_28_0)
-(type proc_loadavg)
-(typeattribute proc_loadavg_28_0)
-(roletype object_r proc_loadavg_28_0)
-(type proc_max_map_count)
-(typeattribute proc_max_map_count_28_0)
-(roletype object_r proc_max_map_count_28_0)
-(type proc_meminfo)
-(typeattribute proc_meminfo_28_0)
-(roletype object_r proc_meminfo_28_0)
-(type proc_misc)
-(typeattribute proc_misc_28_0)
-(roletype object_r proc_misc_28_0)
-(type proc_modules)
-(typeattribute proc_modules_28_0)
-(roletype object_r proc_modules_28_0)
-(type proc_mounts)
-(typeattribute proc_mounts_28_0)
-(roletype object_r proc_mounts_28_0)
-(type proc_net)
-(typeattribute proc_net_28_0)
-(roletype object_r proc_net_28_0)
-(type proc_page_cluster)
-(typeattribute proc_page_cluster_28_0)
-(roletype object_r proc_page_cluster_28_0)
-(type proc_pagetypeinfo)
-(typeattribute proc_pagetypeinfo_28_0)
-(roletype object_r proc_pagetypeinfo_28_0)
-(type proc_panic)
-(typeattribute proc_panic_28_0)
-(roletype object_r proc_panic_28_0)
-(type proc_perf)
-(typeattribute proc_perf_28_0)
-(roletype object_r proc_perf_28_0)
-(type proc_pid_max)
-(typeattribute proc_pid_max_28_0)
-(roletype object_r proc_pid_max_28_0)
-(type proc_pipe_conf)
-(typeattribute proc_pipe_conf_28_0)
-(roletype object_r proc_pipe_conf_28_0)
-(type proc_random)
-(typeattribute proc_random_28_0)
-(roletype object_r proc_random_28_0)
-(type proc_sched)
-(typeattribute proc_sched_28_0)
-(roletype object_r proc_sched_28_0)
-(type proc_stat)
-(typeattribute proc_stat_28_0)
-(roletype object_r proc_stat_28_0)
-(type proc_swaps)
-(typeattribute proc_swaps_28_0)
-(roletype object_r proc_swaps_28_0)
-(type proc_sysrq)
-(typeattribute proc_sysrq_28_0)
-(roletype object_r proc_sysrq_28_0)
-(type proc_timer)
-(typeattribute proc_timer_28_0)
-(roletype object_r proc_timer_28_0)
-(type proc_tty_drivers)
-(typeattribute proc_tty_drivers_28_0)
-(roletype object_r proc_tty_drivers_28_0)
-(type proc_uid_cputime_showstat)
-(typeattribute proc_uid_cputime_showstat_28_0)
-(roletype object_r proc_uid_cputime_showstat_28_0)
-(type proc_uid_cputime_removeuid)
-(typeattribute proc_uid_cputime_removeuid_28_0)
-(roletype object_r proc_uid_cputime_removeuid_28_0)
-(type proc_uid_io_stats)
-(typeattribute proc_uid_io_stats_28_0)
-(roletype object_r proc_uid_io_stats_28_0)
-(type proc_uid_procstat_set)
-(typeattribute proc_uid_procstat_set_28_0)
-(roletype object_r proc_uid_procstat_set_28_0)
-(type proc_uid_time_in_state)
-(typeattribute proc_uid_time_in_state_28_0)
-(roletype object_r proc_uid_time_in_state_28_0)
-(type proc_uid_concurrent_active_time)
-(typeattribute proc_uid_concurrent_active_time_28_0)
-(roletype object_r proc_uid_concurrent_active_time_28_0)
-(type proc_uid_concurrent_policy_time)
-(typeattribute proc_uid_concurrent_policy_time_28_0)
-(roletype object_r proc_uid_concurrent_policy_time_28_0)
-(type proc_uid_cpupower)
-(typeattribute proc_uid_cpupower_28_0)
-(roletype object_r proc_uid_cpupower_28_0)
-(type proc_uptime)
-(typeattribute proc_uptime_28_0)
-(roletype object_r proc_uptime_28_0)
-(type proc_version)
-(typeattribute proc_version_28_0)
-(roletype object_r proc_version_28_0)
-(type proc_vmallocinfo)
-(typeattribute proc_vmallocinfo_28_0)
-(roletype object_r proc_vmallocinfo_28_0)
-(type proc_vmstat)
-(typeattribute proc_vmstat_28_0)
-(roletype object_r proc_vmstat_28_0)
-(type proc_zoneinfo)
-(typeattribute proc_zoneinfo_28_0)
-(roletype object_r proc_zoneinfo_28_0)
-(type selinuxfs)
-(typeattribute selinuxfs_28_0)
-(roletype object_r selinuxfs_28_0)
-(type cgroup)
-(typeattribute cgroup_28_0)
-(roletype object_r cgroup_28_0)
-(type cgroup_bpf)
-(typeattribute cgroup_bpf_28_0)
-(roletype object_r cgroup_bpf_28_0)
-(type sysfs)
-(typeattribute sysfs_28_0)
-(roletype object_r sysfs_28_0)
-(type sysfs_android_usb)
-(typeattribute sysfs_android_usb_28_0)
-(roletype object_r sysfs_android_usb_28_0)
-(type sysfs_uio)
-(typeattribute sysfs_uio_28_0)
-(roletype object_r sysfs_uio_28_0)
-(type sysfs_batteryinfo)
-(typeattribute sysfs_batteryinfo_28_0)
-(roletype object_r sysfs_batteryinfo_28_0)
-(type sysfs_bluetooth_writable)
-(typeattribute sysfs_bluetooth_writable_28_0)
-(roletype object_r sysfs_bluetooth_writable_28_0)
-(type sysfs_dm)
-(typeattribute sysfs_dm_28_0)
-(roletype object_r sysfs_dm_28_0)
-(type sysfs_dt_firmware_android)
-(typeattribute sysfs_dt_firmware_android_28_0)
-(roletype object_r sysfs_dt_firmware_android_28_0)
-(type sysfs_ipv4)
-(typeattribute sysfs_ipv4_28_0)
-(roletype object_r sysfs_ipv4_28_0)
-(type sysfs_kernel_notes)
-(typeattribute sysfs_kernel_notes_28_0)
-(roletype object_r sysfs_kernel_notes_28_0)
-(type sysfs_leds)
-(typeattribute sysfs_leds_28_0)
-(roletype object_r sysfs_leds_28_0)
-(type sysfs_hwrandom)
-(typeattribute sysfs_hwrandom_28_0)
-(roletype object_r sysfs_hwrandom_28_0)
-(type sysfs_nfc_power_writable)
-(typeattribute sysfs_nfc_power_writable_28_0)
-(roletype object_r sysfs_nfc_power_writable_28_0)
-(type sysfs_wake_lock)
-(typeattribute sysfs_wake_lock_28_0)
-(roletype object_r sysfs_wake_lock_28_0)
-(type sysfs_mac_address)
-(typeattribute sysfs_mac_address_28_0)
-(roletype object_r sysfs_mac_address_28_0)
-(type sysfs_net)
-(typeattribute sysfs_net_28_0)
-(roletype object_r sysfs_net_28_0)
-(type sysfs_power)
-(typeattribute sysfs_power_28_0)
-(roletype object_r sysfs_power_28_0)
-(type sysfs_rtc)
-(typeattribute sysfs_rtc_28_0)
-(roletype object_r sysfs_rtc_28_0)
-(type sysfs_switch)
-(typeattribute sysfs_switch_28_0)
-(roletype object_r sysfs_switch_28_0)
-(type sysfs_usb)
-(typeattribute sysfs_usb_28_0)
-(roletype object_r sysfs_usb_28_0)
-(type sysfs_wakeup_reasons)
-(typeattribute sysfs_wakeup_reasons_28_0)
-(roletype object_r sysfs_wakeup_reasons_28_0)
-(type sysfs_fs_ext4_features)
-(typeattribute sysfs_fs_ext4_features_28_0)
-(roletype object_r sysfs_fs_ext4_features_28_0)
-(type fs_bpf)
-(typeattribute fs_bpf_28_0)
-(roletype object_r fs_bpf_28_0)
-(type configfs)
-(typeattribute configfs_28_0)
-(roletype object_r configfs_28_0)
-(type sysfs_devices_system_cpu)
-(typeattribute sysfs_devices_system_cpu_28_0)
-(roletype object_r sysfs_devices_system_cpu_28_0)
-(type sysfs_lowmemorykiller)
-(typeattribute sysfs_lowmemorykiller_28_0)
-(roletype object_r sysfs_lowmemorykiller_28_0)
-(type sysfs_wlan_fwpath)
-(typeattribute sysfs_wlan_fwpath_28_0)
-(roletype object_r sysfs_wlan_fwpath_28_0)
-(type sysfs_vibrator)
-(typeattribute sysfs_vibrator_28_0)
-(roletype object_r sysfs_vibrator_28_0)
-(type sysfs_thermal)
-(typeattribute sysfs_thermal_28_0)
-(roletype object_r sysfs_thermal_28_0)
-(type sysfs_zram)
-(typeattribute sysfs_zram_28_0)
-(roletype object_r sysfs_zram_28_0)
-(type sysfs_zram_uevent)
-(typeattribute sysfs_zram_uevent_28_0)
-(roletype object_r sysfs_zram_uevent_28_0)
-(type inotify)
-(typeattribute inotify_28_0)
-(roletype object_r inotify_28_0)
-(type devpts)
-(typeattribute devpts_28_0)
-(roletype object_r devpts_28_0)
-(type tmpfs)
-(typeattribute tmpfs_28_0)
-(roletype object_r tmpfs_28_0)
-(type shm)
-(typeattribute shm_28_0)
-(roletype object_r shm_28_0)
-(type mqueue)
-(typeattribute mqueue_28_0)
-(roletype object_r mqueue_28_0)
-(type fuse)
-(typeattribute fuse_28_0)
-(roletype object_r fuse_28_0)
-(type sdcardfs)
-(typeattribute sdcardfs_28_0)
-(roletype object_r sdcardfs_28_0)
-(type vfat)
-(typeattribute vfat_28_0)
-(roletype object_r vfat_28_0)
-(type exfat)
-(typeattribute exfat_28_0)
-(roletype object_r exfat_28_0)
-(type debugfs)
-(typeattribute debugfs_28_0)
-(roletype object_r debugfs_28_0)
-(type debugfs_mmc)
-(typeattribute debugfs_mmc_28_0)
-(roletype object_r debugfs_mmc_28_0)
-(type debugfs_trace_marker)
-(typeattribute debugfs_trace_marker_28_0)
-(roletype object_r debugfs_trace_marker_28_0)
-(type debugfs_tracing)
-(typeattribute debugfs_tracing_28_0)
-(roletype object_r debugfs_tracing_28_0)
-(type debugfs_tracing_debug)
-(typeattribute debugfs_tracing_debug_28_0)
-(roletype object_r debugfs_tracing_debug_28_0)
-(type debugfs_tracing_instances)
-(typeattribute debugfs_tracing_instances_28_0)
-(roletype object_r debugfs_tracing_instances_28_0)
-(type debugfs_wakeup_sources)
-(typeattribute debugfs_wakeup_sources_28_0)
-(roletype object_r debugfs_wakeup_sources_28_0)
-(type debugfs_wifi_tracing)
-(typeattribute debugfs_wifi_tracing_28_0)
-(roletype object_r debugfs_wifi_tracing_28_0)
-(type pstorefs)
-(typeattribute pstorefs_28_0)
-(roletype object_r pstorefs_28_0)
-(type functionfs)
-(typeattribute functionfs_28_0)
-(roletype object_r functionfs_28_0)
-(type oemfs)
-(typeattribute oemfs_28_0)
-(roletype object_r oemfs_28_0)
-(type usbfs)
-(typeattribute usbfs_28_0)
-(roletype object_r usbfs_28_0)
-(type binfmt_miscfs)
-(typeattribute binfmt_miscfs_28_0)
-(roletype object_r binfmt_miscfs_28_0)
-(type app_fusefs)
-(typeattribute app_fusefs_28_0)
-(roletype object_r app_fusefs_28_0)
-(type unlabeled)
-(typeattribute unlabeled_28_0)
-(roletype object_r unlabeled_28_0)
-(type system_file)
-(typeattribute system_file_28_0)
-(roletype object_r system_file_28_0)
-(type vendor_hal_file)
-(typeattribute vendor_hal_file_28_0)
-(roletype object_r vendor_hal_file_28_0)
-(type vendor_file)
-(typeattribute vendor_file_28_0)
-(roletype object_r vendor_file_28_0)
-(type vendor_app_file)
-(typeattribute vendor_app_file_28_0)
-(roletype object_r vendor_app_file_28_0)
-(type vendor_configs_file)
-(typeattribute vendor_configs_file_28_0)
-(roletype object_r vendor_configs_file_28_0)
-(type same_process_hal_file)
-(typeattribute same_process_hal_file_28_0)
-(roletype object_r same_process_hal_file_28_0)
-(type vndk_sp_file)
-(typeattribute vndk_sp_file_28_0)
-(roletype object_r vndk_sp_file_28_0)
-(type vendor_framework_file)
-(typeattribute vendor_framework_file_28_0)
-(roletype object_r vendor_framework_file_28_0)
-(type vendor_overlay_file)
-(typeattribute vendor_overlay_file_28_0)
-(roletype object_r vendor_overlay_file_28_0)
-(type metadata_file)
-(typeattribute metadata_file_28_0)
-(roletype object_r metadata_file_28_0)
-(type vold_metadata_file)
-(typeattribute vold_metadata_file_28_0)
-(roletype object_r vold_metadata_file_28_0)
-(type runtime_event_log_tags_file)
-(typeattribute runtime_event_log_tags_file_28_0)
-(roletype object_r runtime_event_log_tags_file_28_0)
-(type logcat_exec)
-(typeattribute logcat_exec_28_0)
-(roletype object_r logcat_exec_28_0)
-(type coredump_file)
-(typeattribute coredump_file_28_0)
-(roletype object_r coredump_file_28_0)
-(type system_data_file)
-(typeattribute system_data_file_28_0)
-(roletype object_r system_data_file_28_0)
-(type vendor_data_file)
-(typeattribute vendor_data_file_28_0)
-(roletype object_r vendor_data_file_28_0)
-(type unencrypted_data_file)
-(typeattribute unencrypted_data_file_28_0)
-(roletype object_r unencrypted_data_file_28_0)
-(type install_data_file)
-(typeattribute install_data_file_28_0)
-(roletype object_r install_data_file_28_0)
-(type drm_data_file)
-(typeattribute drm_data_file_28_0)
-(roletype object_r drm_data_file_28_0)
-(type adb_data_file)
-(typeattribute adb_data_file_28_0)
-(roletype object_r adb_data_file_28_0)
-(type anr_data_file)
-(typeattribute anr_data_file_28_0)
-(roletype object_r anr_data_file_28_0)
-(type tombstone_data_file)
-(typeattribute tombstone_data_file_28_0)
-(roletype object_r tombstone_data_file_28_0)
-(type tombstone_wifi_data_file)
-(typeattribute tombstone_wifi_data_file_28_0)
-(roletype object_r tombstone_wifi_data_file_28_0)
-(type apk_data_file)
-(typeattribute apk_data_file_28_0)
-(roletype object_r apk_data_file_28_0)
-(type apk_tmp_file)
-(typeattribute apk_tmp_file_28_0)
-(roletype object_r apk_tmp_file_28_0)
-(type apk_private_data_file)
-(typeattribute apk_private_data_file_28_0)
-(roletype object_r apk_private_data_file_28_0)
-(type apk_private_tmp_file)
-(typeattribute apk_private_tmp_file_28_0)
-(roletype object_r apk_private_tmp_file_28_0)
-(type dalvikcache_data_file)
-(typeattribute dalvikcache_data_file_28_0)
-(roletype object_r dalvikcache_data_file_28_0)
-(type ota_data_file)
-(typeattribute ota_data_file_28_0)
-(roletype object_r ota_data_file_28_0)
-(type ota_package_file)
-(typeattribute ota_package_file_28_0)
-(roletype object_r ota_package_file_28_0)
-(type user_profile_data_file)
-(typeattribute user_profile_data_file_28_0)
-(roletype object_r user_profile_data_file_28_0)
-(type profman_dump_data_file)
-(typeattribute profman_dump_data_file_28_0)
-(roletype object_r profman_dump_data_file_28_0)
-(type resourcecache_data_file)
-(typeattribute resourcecache_data_file_28_0)
-(roletype object_r resourcecache_data_file_28_0)
-(type shell_data_file)
-(typeattribute shell_data_file_28_0)
-(roletype object_r shell_data_file_28_0)
-(type property_data_file)
-(typeattribute property_data_file_28_0)
-(roletype object_r property_data_file_28_0)
-(type bootchart_data_file)
-(typeattribute bootchart_data_file_28_0)
-(roletype object_r bootchart_data_file_28_0)
-(type heapdump_data_file)
-(typeattribute heapdump_data_file_28_0)
-(roletype object_r heapdump_data_file_28_0)
-(type nativetest_data_file)
-(typeattribute nativetest_data_file_28_0)
-(roletype object_r nativetest_data_file_28_0)
-(type ringtone_file)
-(typeattribute ringtone_file_28_0)
-(roletype object_r ringtone_file_28_0)
-(type preloads_data_file)
-(typeattribute preloads_data_file_28_0)
-(roletype object_r preloads_data_file_28_0)
-(type preloads_media_file)
-(typeattribute preloads_media_file_28_0)
-(roletype object_r preloads_media_file_28_0)
-(type dhcp_data_file)
-(typeattribute dhcp_data_file_28_0)
-(roletype object_r dhcp_data_file_28_0)
-(type mnt_media_rw_file)
-(typeattribute mnt_media_rw_file_28_0)
-(roletype object_r mnt_media_rw_file_28_0)
-(type mnt_user_file)
-(typeattribute mnt_user_file_28_0)
-(roletype object_r mnt_user_file_28_0)
-(type mnt_expand_file)
-(typeattribute mnt_expand_file_28_0)
-(roletype object_r mnt_expand_file_28_0)
-(type storage_file)
-(typeattribute storage_file_28_0)
-(roletype object_r storage_file_28_0)
-(type mnt_media_rw_stub_file)
-(typeattribute mnt_media_rw_stub_file_28_0)
-(roletype object_r mnt_media_rw_stub_file_28_0)
-(type storage_stub_file)
-(typeattribute storage_stub_file_28_0)
-(roletype object_r storage_stub_file_28_0)
-(type mnt_vendor_file)
-(typeattribute mnt_vendor_file_28_0)
-(roletype object_r mnt_vendor_file_28_0)
-(type postinstall_mnt_dir)
-(typeattribute postinstall_mnt_dir_28_0)
-(roletype object_r postinstall_mnt_dir_28_0)
-(type postinstall_file)
-(typeattribute postinstall_file_28_0)
-(roletype object_r postinstall_file_28_0)
-(type adb_keys_file)
-(typeattribute adb_keys_file_28_0)
-(roletype object_r adb_keys_file_28_0)
-(type audio_data_file)
-(typeattribute audio_data_file_28_0)
-(roletype object_r audio_data_file_28_0)
-(type audioserver_data_file)
-(typeattribute audioserver_data_file_28_0)
-(roletype object_r audioserver_data_file_28_0)
-(type bluetooth_data_file)
-(typeattribute bluetooth_data_file_28_0)
-(roletype object_r bluetooth_data_file_28_0)
-(type bluetooth_logs_data_file)
-(typeattribute bluetooth_logs_data_file_28_0)
-(roletype object_r bluetooth_logs_data_file_28_0)
-(type bootstat_data_file)
-(typeattribute bootstat_data_file_28_0)
-(roletype object_r bootstat_data_file_28_0)
-(type boottrace_data_file)
-(typeattribute boottrace_data_file_28_0)
-(roletype object_r boottrace_data_file_28_0)
-(type camera_data_file)
-(typeattribute camera_data_file_28_0)
-(roletype object_r camera_data_file_28_0)
-(type gatekeeper_data_file)
-(typeattribute gatekeeper_data_file_28_0)
-(roletype object_r gatekeeper_data_file_28_0)
-(type incident_data_file)
-(typeattribute incident_data_file_28_0)
-(roletype object_r incident_data_file_28_0)
-(type keychain_data_file)
-(typeattribute keychain_data_file_28_0)
-(roletype object_r keychain_data_file_28_0)
-(type keystore_data_file)
-(typeattribute keystore_data_file_28_0)
-(roletype object_r keystore_data_file_28_0)
-(type media_data_file)
-(typeattribute media_data_file_28_0)
-(roletype object_r media_data_file_28_0)
-(type media_rw_data_file)
-(typeattribute media_rw_data_file_28_0)
-(roletype object_r media_rw_data_file_28_0)
-(type misc_user_data_file)
-(typeattribute misc_user_data_file_28_0)
-(roletype object_r misc_user_data_file_28_0)
-(type net_data_file)
-(typeattribute net_data_file_28_0)
-(roletype object_r net_data_file_28_0)
-(type network_watchlist_data_file)
-(typeattribute network_watchlist_data_file_28_0)
-(roletype object_r network_watchlist_data_file_28_0)
-(type nfc_data_file)
-(typeattribute nfc_data_file_28_0)
-(roletype object_r nfc_data_file_28_0)
-(type radio_data_file)
-(typeattribute radio_data_file_28_0)
-(roletype object_r radio_data_file_28_0)
-(type recovery_data_file)
-(typeattribute recovery_data_file_28_0)
-(roletype object_r recovery_data_file_28_0)
-(type shared_relro_file)
-(typeattribute shared_relro_file_28_0)
-(roletype object_r shared_relro_file_28_0)
-(type systemkeys_data_file)
-(typeattribute systemkeys_data_file_28_0)
-(roletype object_r systemkeys_data_file_28_0)
-(type textclassifier_data_file)
-(typeattribute textclassifier_data_file_28_0)
-(roletype object_r textclassifier_data_file_28_0)
-(type trace_data_file)
-(typeattribute trace_data_file_28_0)
-(roletype object_r trace_data_file_28_0)
-(type vpn_data_file)
-(typeattribute vpn_data_file_28_0)
-(roletype object_r vpn_data_file_28_0)
-(type wifi_data_file)
-(typeattribute wifi_data_file_28_0)
-(roletype object_r wifi_data_file_28_0)
-(type zoneinfo_data_file)
-(typeattribute zoneinfo_data_file_28_0)
-(roletype object_r zoneinfo_data_file_28_0)
-(type vold_data_file)
-(typeattribute vold_data_file_28_0)
-(roletype object_r vold_data_file_28_0)
-(type perfprofd_data_file)
-(typeattribute perfprofd_data_file_28_0)
-(roletype object_r perfprofd_data_file_28_0)
-(type tee_data_file)
-(typeattribute tee_data_file_28_0)
-(roletype object_r tee_data_file_28_0)
-(type update_engine_data_file)
-(typeattribute update_engine_data_file_28_0)
-(roletype object_r update_engine_data_file_28_0)
-(type update_engine_log_data_file)
-(typeattribute update_engine_log_data_file_28_0)
-(roletype object_r update_engine_log_data_file_28_0)
-(type method_trace_data_file)
-(typeattribute method_trace_data_file_28_0)
-(roletype object_r method_trace_data_file_28_0)
-(type app_data_file)
-(typeattribute app_data_file_28_0)
-(roletype object_r app_data_file_28_0)
-(type system_app_data_file)
-(typeattribute system_app_data_file_28_0)
-(roletype object_r system_app_data_file_28_0)
-(type cache_file)
-(typeattribute cache_file_28_0)
-(roletype object_r cache_file_28_0)
-(type cache_backup_file)
-(typeattribute cache_backup_file_28_0)
-(roletype object_r cache_backup_file_28_0)
-(type cache_private_backup_file)
-(typeattribute cache_private_backup_file_28_0)
-(roletype object_r cache_private_backup_file_28_0)
-(type cache_recovery_file)
-(typeattribute cache_recovery_file_28_0)
-(roletype object_r cache_recovery_file_28_0)
-(type efs_file)
-(typeattribute efs_file_28_0)
-(roletype object_r efs_file_28_0)
-(type wallpaper_file)
-(typeattribute wallpaper_file_28_0)
-(roletype object_r wallpaper_file_28_0)
-(type shortcut_manager_icons)
-(typeattribute shortcut_manager_icons_28_0)
-(roletype object_r shortcut_manager_icons_28_0)
-(type icon_file)
-(typeattribute icon_file_28_0)
-(roletype object_r icon_file_28_0)
-(type asec_apk_file)
-(typeattribute asec_apk_file_28_0)
-(roletype object_r asec_apk_file_28_0)
-(type asec_public_file)
-(typeattribute asec_public_file_28_0)
-(roletype object_r asec_public_file_28_0)
-(type asec_image_file)
-(typeattribute asec_image_file_28_0)
-(roletype object_r asec_image_file_28_0)
-(type backup_data_file)
-(typeattribute backup_data_file_28_0)
-(roletype object_r backup_data_file_28_0)
-(type bluetooth_efs_file)
-(typeattribute bluetooth_efs_file_28_0)
-(roletype object_r bluetooth_efs_file_28_0)
-(type fingerprintd_data_file)
-(typeattribute fingerprintd_data_file_28_0)
-(roletype object_r fingerprintd_data_file_28_0)
-(type fingerprint_vendor_data_file)
-(typeattribute fingerprint_vendor_data_file_28_0)
-(roletype object_r fingerprint_vendor_data_file_28_0)
-(type app_fuse_file)
-(typeattribute app_fuse_file_28_0)
-(roletype object_r app_fuse_file_28_0)
-(type adbd_socket)
-(typeattribute adbd_socket_28_0)
-(roletype object_r adbd_socket_28_0)
-(type bluetooth_socket)
-(typeattribute bluetooth_socket_28_0)
-(roletype object_r bluetooth_socket_28_0)
-(type dnsproxyd_socket)
-(typeattribute dnsproxyd_socket_28_0)
-(roletype object_r dnsproxyd_socket_28_0)
-(type dumpstate_socket)
-(typeattribute dumpstate_socket_28_0)
-(roletype object_r dumpstate_socket_28_0)
-(type fwmarkd_socket)
-(typeattribute fwmarkd_socket_28_0)
-(roletype object_r fwmarkd_socket_28_0)
-(type lmkd_socket)
-(typeattribute lmkd_socket_28_0)
-(roletype object_r lmkd_socket_28_0)
-(type logd_socket)
-(typeattribute logd_socket_28_0)
-(roletype object_r logd_socket_28_0)
-(type logdr_socket)
-(typeattribute logdr_socket_28_0)
-(roletype object_r logdr_socket_28_0)
-(type logdw_socket)
-(typeattribute logdw_socket_28_0)
-(roletype object_r logdw_socket_28_0)
-(type mdns_socket)
-(typeattribute mdns_socket_28_0)
-(roletype object_r mdns_socket_28_0)
-(type mdnsd_socket)
-(typeattribute mdnsd_socket_28_0)
-(roletype object_r mdnsd_socket_28_0)
-(type misc_logd_file)
-(typeattribute misc_logd_file_28_0)
-(roletype object_r misc_logd_file_28_0)
-(type mtpd_socket)
-(typeattribute mtpd_socket_28_0)
-(roletype object_r mtpd_socket_28_0)
-(type netd_socket)
-(typeattribute netd_socket_28_0)
-(roletype object_r netd_socket_28_0)
-(type property_socket)
-(typeattribute property_socket_28_0)
-(roletype object_r property_socket_28_0)
-(type racoon_socket)
-(typeattribute racoon_socket_28_0)
-(roletype object_r racoon_socket_28_0)
-(type rild_socket)
-(typeattribute rild_socket_28_0)
-(roletype object_r rild_socket_28_0)
-(type rild_debug_socket)
-(typeattribute rild_debug_socket_28_0)
-(roletype object_r rild_debug_socket_28_0)
-(type system_wpa_socket)
-(typeattribute system_wpa_socket_28_0)
-(roletype object_r system_wpa_socket_28_0)
-(type system_ndebug_socket)
-(typeattribute system_ndebug_socket_28_0)
-(roletype object_r system_ndebug_socket_28_0)
-(type tombstoned_crash_socket)
-(typeattribute tombstoned_crash_socket_28_0)
-(roletype object_r tombstoned_crash_socket_28_0)
-(type tombstoned_java_trace_socket)
-(typeattribute tombstoned_java_trace_socket_28_0)
-(roletype object_r tombstoned_java_trace_socket_28_0)
-(type tombstoned_intercept_socket)
-(typeattribute tombstoned_intercept_socket_28_0)
-(roletype object_r tombstoned_intercept_socket_28_0)
-(type traced_producer_socket)
-(typeattribute traced_producer_socket_28_0)
-(roletype object_r traced_producer_socket_28_0)
-(type traced_consumer_socket)
-(typeattribute traced_consumer_socket_28_0)
-(roletype object_r traced_consumer_socket_28_0)
-(type uncrypt_socket)
-(typeattribute uncrypt_socket_28_0)
-(roletype object_r uncrypt_socket_28_0)
-(type wpa_socket)
-(typeattribute wpa_socket_28_0)
-(roletype object_r wpa_socket_28_0)
-(type zygote_socket)
-(typeattribute zygote_socket_28_0)
-(roletype object_r zygote_socket_28_0)
-(type gps_control)
-(typeattribute gps_control_28_0)
-(roletype object_r gps_control_28_0)
-(type pdx_display_dir)
-(typeattribute pdx_display_dir_28_0)
-(roletype object_r pdx_display_dir_28_0)
-(type pdx_performance_dir)
-(typeattribute pdx_performance_dir_28_0)
-(roletype object_r pdx_performance_dir_28_0)
-(type pdx_bufferhub_dir)
-(typeattribute pdx_bufferhub_dir_28_0)
-(roletype object_r pdx_bufferhub_dir_28_0)
-(type pdx_display_client_endpoint_socket)
-(typeattribute pdx_display_client_endpoint_socket_28_0)
-(roletype object_r pdx_display_client_endpoint_socket_28_0)
-(type pdx_display_client_channel_socket)
-(typeattribute pdx_display_client_channel_socket_28_0)
-(roletype object_r pdx_display_client_channel_socket_28_0)
-(type pdx_display_manager_endpoint_socket)
-(typeattribute pdx_display_manager_endpoint_socket_28_0)
-(roletype object_r pdx_display_manager_endpoint_socket_28_0)
-(type pdx_display_manager_channel_socket)
-(typeattribute pdx_display_manager_channel_socket_28_0)
-(roletype object_r pdx_display_manager_channel_socket_28_0)
-(type pdx_display_screenshot_endpoint_socket)
-(typeattribute pdx_display_screenshot_endpoint_socket_28_0)
-(roletype object_r pdx_display_screenshot_endpoint_socket_28_0)
-(type pdx_display_screenshot_channel_socket)
-(typeattribute pdx_display_screenshot_channel_socket_28_0)
-(roletype object_r pdx_display_screenshot_channel_socket_28_0)
-(type pdx_display_vsync_endpoint_socket)
-(typeattribute pdx_display_vsync_endpoint_socket_28_0)
-(roletype object_r pdx_display_vsync_endpoint_socket_28_0)
-(type pdx_display_vsync_channel_socket)
-(typeattribute pdx_display_vsync_channel_socket_28_0)
-(roletype object_r pdx_display_vsync_channel_socket_28_0)
-(type pdx_performance_client_endpoint_socket)
-(typeattribute pdx_performance_client_endpoint_socket_28_0)
-(roletype object_r pdx_performance_client_endpoint_socket_28_0)
-(type pdx_performance_client_channel_socket)
-(typeattribute pdx_performance_client_channel_socket_28_0)
-(roletype object_r pdx_performance_client_channel_socket_28_0)
-(type pdx_bufferhub_client_endpoint_socket)
-(typeattribute pdx_bufferhub_client_endpoint_socket_28_0)
-(roletype object_r pdx_bufferhub_client_endpoint_socket_28_0)
-(type pdx_bufferhub_client_channel_socket)
-(typeattribute pdx_bufferhub_client_channel_socket_28_0)
-(roletype object_r pdx_bufferhub_client_channel_socket_28_0)
-(type file_contexts_file)
-(typeattribute file_contexts_file_28_0)
-(roletype object_r file_contexts_file_28_0)
-(type mac_perms_file)
-(typeattribute mac_perms_file_28_0)
-(roletype object_r mac_perms_file_28_0)
-(type property_contexts_file)
-(typeattribute property_contexts_file_28_0)
-(roletype object_r property_contexts_file_28_0)
-(type seapp_contexts_file)
-(typeattribute seapp_contexts_file_28_0)
-(roletype object_r seapp_contexts_file_28_0)
-(type sepolicy_file)
-(typeattribute sepolicy_file_28_0)
-(roletype object_r sepolicy_file_28_0)
-(type service_contexts_file)
-(typeattribute service_contexts_file_28_0)
-(roletype object_r service_contexts_file_28_0)
-(type nonplat_service_contexts_file)
-(typeattribute nonplat_service_contexts_file_28_0)
-(roletype object_r nonplat_service_contexts_file_28_0)
-(type hwservice_contexts_file)
-(typeattribute hwservice_contexts_file_28_0)
-(roletype object_r hwservice_contexts_file_28_0)
-(type vndservice_contexts_file)
-(typeattribute vndservice_contexts_file_28_0)
-(roletype object_r vndservice_contexts_file_28_0)
-(type audiohal_data_file)
-(typeattribute audiohal_data_file_28_0)
-(roletype object_r audiohal_data_file_28_0)
-(type fingerprintd)
-(typeattribute fingerprintd_28_0)
-(roletype object_r fingerprintd_28_0)
-(type fingerprintd_exec)
-(typeattribute fingerprintd_exec_28_0)
-(roletype object_r fingerprintd_exec_28_0)
-(type fsck)
-(typeattribute fsck_28_0)
-(roletype object_r fsck_28_0)
-(type fsck_exec)
-(typeattribute fsck_exec_28_0)
-(roletype object_r fsck_exec_28_0)
-(type fsck_untrusted)
-(typeattribute fsck_untrusted_28_0)
-(roletype object_r fsck_untrusted_28_0)
-(type gatekeeperd)
-(typeattribute gatekeeperd_28_0)
-(roletype object_r gatekeeperd_28_0)
-(type gatekeeperd_exec)
-(typeattribute gatekeeperd_exec_28_0)
-(roletype object_r gatekeeperd_exec_28_0)
-(type healthd)
-(typeattribute healthd_28_0)
-(roletype object_r healthd_28_0)
-(type healthd_exec)
-(typeattribute healthd_exec_28_0)
-(roletype object_r healthd_exec_28_0)
-(type default_android_hwservice)
-(typeattribute default_android_hwservice_28_0)
-(roletype object_r default_android_hwservice_28_0)
-(type fwk_display_hwservice)
-(typeattribute fwk_display_hwservice_28_0)
-(roletype object_r fwk_display_hwservice_28_0)
-(type fwk_scheduler_hwservice)
-(typeattribute fwk_scheduler_hwservice_28_0)
-(roletype object_r fwk_scheduler_hwservice_28_0)
-(type fwk_sensor_hwservice)
-(typeattribute fwk_sensor_hwservice_28_0)
-(roletype object_r fwk_sensor_hwservice_28_0)
-(type hal_audiocontrol_hwservice)
-(typeattribute hal_audiocontrol_hwservice_28_0)
-(roletype object_r hal_audiocontrol_hwservice_28_0)
-(type hal_audio_hwservice)
-(typeattribute hal_audio_hwservice_28_0)
-(roletype object_r hal_audio_hwservice_28_0)
-(type hal_authsecret_hwservice)
-(typeattribute hal_authsecret_hwservice_28_0)
-(roletype object_r hal_authsecret_hwservice_28_0)
-(type hal_bluetooth_hwservice)
-(typeattribute hal_bluetooth_hwservice_28_0)
-(roletype object_r hal_bluetooth_hwservice_28_0)
-(type hal_bootctl_hwservice)
-(typeattribute hal_bootctl_hwservice_28_0)
-(roletype object_r hal_bootctl_hwservice_28_0)
-(type hal_broadcastradio_hwservice)
-(typeattribute hal_broadcastradio_hwservice_28_0)
-(roletype object_r hal_broadcastradio_hwservice_28_0)
-(type hal_camera_hwservice)
-(typeattribute hal_camera_hwservice_28_0)
-(roletype object_r hal_camera_hwservice_28_0)
-(type hal_codec2_hwservice)
-(typeattribute hal_codec2_hwservice_28_0)
-(roletype object_r hal_codec2_hwservice_28_0)
-(type hal_configstore_ISurfaceFlingerConfigs)
-(typeattribute hal_configstore_ISurfaceFlingerConfigs_28_0)
-(roletype object_r hal_configstore_ISurfaceFlingerConfigs_28_0)
-(type hal_confirmationui_hwservice)
-(typeattribute hal_confirmationui_hwservice_28_0)
-(roletype object_r hal_confirmationui_hwservice_28_0)
-(type hal_contexthub_hwservice)
-(typeattribute hal_contexthub_hwservice_28_0)
-(roletype object_r hal_contexthub_hwservice_28_0)
-(type hal_drm_hwservice)
-(typeattribute hal_drm_hwservice_28_0)
-(roletype object_r hal_drm_hwservice_28_0)
-(type hal_cas_hwservice)
-(typeattribute hal_cas_hwservice_28_0)
-(roletype object_r hal_cas_hwservice_28_0)
-(type hal_dumpstate_hwservice)
-(typeattribute hal_dumpstate_hwservice_28_0)
-(roletype object_r hal_dumpstate_hwservice_28_0)
-(type hal_evs_hwservice)
-(typeattribute hal_evs_hwservice_28_0)
-(roletype object_r hal_evs_hwservice_28_0)
-(type hal_fingerprint_hwservice)
-(typeattribute hal_fingerprint_hwservice_28_0)
-(roletype object_r hal_fingerprint_hwservice_28_0)
-(type hal_gatekeeper_hwservice)
-(typeattribute hal_gatekeeper_hwservice_28_0)
-(roletype object_r hal_gatekeeper_hwservice_28_0)
-(type hal_gnss_hwservice)
-(typeattribute hal_gnss_hwservice_28_0)
-(roletype object_r hal_gnss_hwservice_28_0)
-(type hal_graphics_allocator_hwservice)
-(typeattribute hal_graphics_allocator_hwservice_28_0)
-(roletype object_r hal_graphics_allocator_hwservice_28_0)
-(type hal_graphics_composer_hwservice)
-(typeattribute hal_graphics_composer_hwservice_28_0)
-(roletype object_r hal_graphics_composer_hwservice_28_0)
-(type hal_graphics_mapper_hwservice)
-(typeattribute hal_graphics_mapper_hwservice_28_0)
-(roletype object_r hal_graphics_mapper_hwservice_28_0)
-(type hal_health_hwservice)
-(typeattribute hal_health_hwservice_28_0)
-(roletype object_r hal_health_hwservice_28_0)
-(type hal_ir_hwservice)
-(typeattribute hal_ir_hwservice_28_0)
-(roletype object_r hal_ir_hwservice_28_0)
-(type hal_keymaster_hwservice)
-(typeattribute hal_keymaster_hwservice_28_0)
-(roletype object_r hal_keymaster_hwservice_28_0)
-(type hal_light_hwservice)
-(typeattribute hal_light_hwservice_28_0)
-(roletype object_r hal_light_hwservice_28_0)
-(type hal_lowpan_hwservice)
-(typeattribute hal_lowpan_hwservice_28_0)
-(roletype object_r hal_lowpan_hwservice_28_0)
-(type hal_memtrack_hwservice)
-(typeattribute hal_memtrack_hwservice_28_0)
-(roletype object_r hal_memtrack_hwservice_28_0)
-(type hal_neuralnetworks_hwservice)
-(typeattribute hal_neuralnetworks_hwservice_28_0)
-(roletype object_r hal_neuralnetworks_hwservice_28_0)
-(type hal_nfc_hwservice)
-(typeattribute hal_nfc_hwservice_28_0)
-(roletype object_r hal_nfc_hwservice_28_0)
-(type hal_oemlock_hwservice)
-(typeattribute hal_oemlock_hwservice_28_0)
-(roletype object_r hal_oemlock_hwservice_28_0)
-(type hal_omx_hwservice)
-(typeattribute hal_omx_hwservice_28_0)
-(roletype object_r hal_omx_hwservice_28_0)
-(type hal_power_hwservice)
-(typeattribute hal_power_hwservice_28_0)
-(roletype object_r hal_power_hwservice_28_0)
-(type hal_renderscript_hwservice)
-(typeattribute hal_renderscript_hwservice_28_0)
-(roletype object_r hal_renderscript_hwservice_28_0)
-(type hal_secure_element_hwservice)
-(typeattribute hal_secure_element_hwservice_28_0)
-(roletype object_r hal_secure_element_hwservice_28_0)
-(type hal_sensors_hwservice)
-(typeattribute hal_sensors_hwservice_28_0)
-(roletype object_r hal_sensors_hwservice_28_0)
-(type hal_telephony_hwservice)
-(typeattribute hal_telephony_hwservice_28_0)
-(roletype object_r hal_telephony_hwservice_28_0)
-(type hal_tetheroffload_hwservice)
-(typeattribute hal_tetheroffload_hwservice_28_0)
-(roletype object_r hal_tetheroffload_hwservice_28_0)
-(type hal_thermal_hwservice)
-(typeattribute hal_thermal_hwservice_28_0)
-(roletype object_r hal_thermal_hwservice_28_0)
-(type hal_tv_cec_hwservice)
-(typeattribute hal_tv_cec_hwservice_28_0)
-(roletype object_r hal_tv_cec_hwservice_28_0)
-(type hal_tv_input_hwservice)
-(typeattribute hal_tv_input_hwservice_28_0)
-(roletype object_r hal_tv_input_hwservice_28_0)
-(type hal_usb_hwservice)
-(typeattribute hal_usb_hwservice_28_0)
-(roletype object_r hal_usb_hwservice_28_0)
-(type hal_usb_gadget_hwservice)
-(typeattribute hal_usb_gadget_hwservice_28_0)
-(roletype object_r hal_usb_gadget_hwservice_28_0)
-(type hal_vehicle_hwservice)
-(typeattribute hal_vehicle_hwservice_28_0)
-(roletype object_r hal_vehicle_hwservice_28_0)
-(type hal_vibrator_hwservice)
-(typeattribute hal_vibrator_hwservice_28_0)
-(roletype object_r hal_vibrator_hwservice_28_0)
-(type hal_vr_hwservice)
-(typeattribute hal_vr_hwservice_28_0)
-(roletype object_r hal_vr_hwservice_28_0)
-(type hal_weaver_hwservice)
-(typeattribute hal_weaver_hwservice_28_0)
-(roletype object_r hal_weaver_hwservice_28_0)
-(type hal_wifi_hwservice)
-(typeattribute hal_wifi_hwservice_28_0)
-(roletype object_r hal_wifi_hwservice_28_0)
-(type hal_wifi_hostapd_hwservice)
-(typeattribute hal_wifi_hostapd_hwservice_28_0)
-(roletype object_r hal_wifi_hostapd_hwservice_28_0)
-(type hal_wifi_offload_hwservice)
-(typeattribute hal_wifi_offload_hwservice_28_0)
-(roletype object_r hal_wifi_offload_hwservice_28_0)
-(type hal_wifi_supplicant_hwservice)
-(typeattribute hal_wifi_supplicant_hwservice_28_0)
-(roletype object_r hal_wifi_supplicant_hwservice_28_0)
-(type hidl_allocator_hwservice)
-(typeattribute hidl_allocator_hwservice_28_0)
-(roletype object_r hidl_allocator_hwservice_28_0)
-(type hidl_base_hwservice)
-(typeattribute hidl_base_hwservice_28_0)
-(roletype object_r hidl_base_hwservice_28_0)
-(type hidl_manager_hwservice)
-(typeattribute hidl_manager_hwservice_28_0)
-(roletype object_r hidl_manager_hwservice_28_0)
-(type hidl_memory_hwservice)
-(typeattribute hidl_memory_hwservice_28_0)
-(roletype object_r hidl_memory_hwservice_28_0)
-(type hidl_token_hwservice)
-(typeattribute hidl_token_hwservice_28_0)
-(roletype object_r hidl_token_hwservice_28_0)
-(type system_net_netd_hwservice)
-(typeattribute system_net_netd_hwservice_28_0)
-(roletype object_r system_net_netd_hwservice_28_0)
-(type system_wifi_keystore_hwservice)
-(typeattribute system_wifi_keystore_hwservice_28_0)
-(roletype object_r system_wifi_keystore_hwservice_28_0)
-(type thermalcallback_hwservice)
-(typeattribute thermalcallback_hwservice_28_0)
-(roletype object_r thermalcallback_hwservice_28_0)
-(type hwservicemanager)
-(typeattribute hwservicemanager_28_0)
-(roletype object_r hwservicemanager_28_0)
-(type hwservicemanager_exec)
-(typeattribute hwservicemanager_exec_28_0)
-(roletype object_r hwservicemanager_exec_28_0)
-(type idmap)
-(typeattribute idmap_28_0)
-(roletype object_r idmap_28_0)
-(type idmap_exec)
-(typeattribute idmap_exec_28_0)
-(roletype object_r idmap_exec_28_0)
-(type incident)
-(typeattribute incident_28_0)
-(roletype object_r incident_28_0)
-(type incident_helper)
-(typeattribute incident_helper_28_0)
-(roletype object_r incident_helper_28_0)
-(type incidentd)
-(typeattribute incidentd_28_0)
-(roletype object_r incidentd_28_0)
-(type init)
-(typeattribute init_28_0)
-(roletype object_r init_28_0)
-(type init_exec)
-(typeattribute init_exec_28_0)
-(roletype object_r init_exec_28_0)
-(type inputflinger)
-(typeattribute inputflinger_28_0)
-(roletype object_r inputflinger_28_0)
-(type inputflinger_exec)
-(typeattribute inputflinger_exec_28_0)
-(roletype object_r inputflinger_exec_28_0)
-(type install_recovery)
-(typeattribute install_recovery_28_0)
-(roletype object_r install_recovery_28_0)
-(type install_recovery_exec)
-(typeattribute install_recovery_exec_28_0)
-(roletype object_r install_recovery_exec_28_0)
-(type installd)
-(typeattribute installd_28_0)
-(roletype object_r installd_28_0)
-(type installd_exec)
-(typeattribute installd_exec_28_0)
-(roletype object_r installd_exec_28_0)
-(type isolated_app)
-(typeattribute isolated_app_28_0)
-(roletype object_r isolated_app_28_0)
-(type kernel)
-(typeattribute kernel_28_0)
-(roletype object_r kernel_28_0)
-(type keystore)
-(typeattribute keystore_28_0)
-(roletype object_r keystore_28_0)
-(type keystore_exec)
-(typeattribute keystore_exec_28_0)
-(roletype object_r keystore_exec_28_0)
-(type lmkd)
-(typeattribute lmkd_28_0)
-(roletype object_r lmkd_28_0)
-(type lmkd_exec)
-(typeattribute lmkd_exec_28_0)
-(roletype object_r lmkd_exec_28_0)
-(type logd)
-(typeattribute logd_28_0)
-(roletype object_r logd_28_0)
-(type logd_exec)
-(typeattribute logd_exec_28_0)
-(roletype object_r logd_exec_28_0)
-(type logpersist)
-(typeattribute logpersist_28_0)
-(roletype object_r logpersist_28_0)
-(type mdnsd)
-(typeattribute mdnsd_28_0)
-(roletype object_r mdnsd_28_0)
-(type mediacodec)
-(typeattribute mediacodec_28_0)
-(roletype object_r mediacodec_28_0)
-(type mediacodec_exec)
-(typeattribute mediacodec_exec_28_0)
-(roletype object_r mediacodec_exec_28_0)
-(type mediadrmserver)
-(typeattribute mediadrmserver_28_0)
-(roletype object_r mediadrmserver_28_0)
-(type mediadrmserver_exec)
-(typeattribute mediadrmserver_exec_28_0)
-(roletype object_r mediadrmserver_exec_28_0)
-(type mediaextractor)
-(typeattribute mediaextractor_28_0)
-(roletype object_r mediaextractor_28_0)
-(type mediaextractor_exec)
-(typeattribute mediaextractor_exec_28_0)
-(roletype object_r mediaextractor_exec_28_0)
-(type mediametrics)
-(typeattribute mediametrics_28_0)
-(roletype object_r mediametrics_28_0)
-(type mediametrics_exec)
-(typeattribute mediametrics_exec_28_0)
-(roletype object_r mediametrics_exec_28_0)
-(type mediaprovider)
-(typeattribute mediaprovider_28_0)
-(roletype object_r mediaprovider_28_0)
-(type mediaserver)
-(typeattribute mediaserver_28_0)
-(roletype object_r mediaserver_28_0)
-(type mediaserver_exec)
-(typeattribute mediaserver_exec_28_0)
-(roletype object_r mediaserver_exec_28_0)
-(type modprobe)
-(typeattribute modprobe_28_0)
-(roletype object_r modprobe_28_0)
-(type mtp)
-(typeattribute mtp_28_0)
-(roletype object_r mtp_28_0)
-(type mtp_exec)
-(typeattribute mtp_exec_28_0)
-(roletype object_r mtp_exec_28_0)
-(type node)
-(typeattribute node_28_0)
-(roletype object_r node_28_0)
-(type netif)
-(typeattribute netif_28_0)
-(roletype object_r netif_28_0)
-(type port)
-(typeattribute port_28_0)
-(roletype object_r port_28_0)
-(type netd)
-(typeattribute netd_28_0)
-(roletype object_r netd_28_0)
-(type netd_exec)
-(typeattribute netd_exec_28_0)
-(roletype object_r netd_exec_28_0)
-(type netutils_wrapper)
-(typeattribute netutils_wrapper_28_0)
-(roletype object_r netutils_wrapper_28_0)
-(type netutils_wrapper_exec)
-(typeattribute netutils_wrapper_exec_28_0)
-(roletype object_r netutils_wrapper_exec_28_0)
-(type nfc)
-(typeattribute nfc_28_0)
-(roletype object_r nfc_28_0)
-(type otapreopt_chroot)
-(typeattribute otapreopt_chroot_28_0)
-(roletype object_r otapreopt_chroot_28_0)
-(type otapreopt_chroot_exec)
-(typeattribute otapreopt_chroot_exec_28_0)
-(roletype object_r otapreopt_chroot_exec_28_0)
-(type otapreopt_slot)
-(typeattribute otapreopt_slot_28_0)
-(roletype object_r otapreopt_slot_28_0)
-(type otapreopt_slot_exec)
-(typeattribute otapreopt_slot_exec_28_0)
-(roletype object_r otapreopt_slot_exec_28_0)
-(type performanced)
-(typeattribute performanced_28_0)
-(roletype object_r performanced_28_0)
-(type performanced_exec)
-(typeattribute performanced_exec_28_0)
-(roletype object_r performanced_exec_28_0)
-(type perfprofd)
-(typeattribute perfprofd_28_0)
-(roletype object_r perfprofd_28_0)
-(type perfprofd_exec)
-(typeattribute perfprofd_exec_28_0)
-(roletype object_r perfprofd_exec_28_0)
-(type platform_app)
-(typeattribute platform_app_28_0)
-(roletype object_r platform_app_28_0)
-(type postinstall)
-(typeattribute postinstall_28_0)
-(roletype object_r postinstall_28_0)
-(type postinstall_dexopt)
-(typeattribute postinstall_dexopt_28_0)
-(roletype object_r postinstall_dexopt_28_0)
-(type ppp)
-(typeattribute ppp_28_0)
-(roletype object_r ppp_28_0)
-(type ppp_device)
-(typeattribute ppp_device_28_0)
-(roletype object_r ppp_device_28_0)
-(type ppp_exec)
-(typeattribute ppp_exec_28_0)
-(roletype object_r ppp_exec_28_0)
-(type preopt2cachename)
-(typeattribute preopt2cachename_28_0)
-(roletype object_r preopt2cachename_28_0)
-(type preopt2cachename_exec)
-(typeattribute preopt2cachename_exec_28_0)
-(roletype object_r preopt2cachename_exec_28_0)
-(type priv_app)
-(typeattribute priv_app_28_0)
-(roletype object_r priv_app_28_0)
-(type profman)
-(typeattribute profman_28_0)
-(roletype object_r profman_28_0)
-(type profman_exec)
-(typeattribute profman_exec_28_0)
-(roletype object_r profman_exec_28_0)
-(type audio_prop)
-(typeattribute audio_prop_28_0)
-(roletype object_r audio_prop_28_0)
-(type boottime_prop)
-(typeattribute boottime_prop_28_0)
-(roletype object_r boottime_prop_28_0)
-(type bluetooth_a2dp_offload_prop)
-(typeattribute bluetooth_a2dp_offload_prop_28_0)
-(roletype object_r bluetooth_a2dp_offload_prop_28_0)
-(type bluetooth_prop)
-(typeattribute bluetooth_prop_28_0)
-(roletype object_r bluetooth_prop_28_0)
-(type bootloader_boot_reason_prop)
-(typeattribute bootloader_boot_reason_prop_28_0)
-(roletype object_r bootloader_boot_reason_prop_28_0)
-(type config_prop)
-(typeattribute config_prop_28_0)
-(roletype object_r config_prop_28_0)
-(type cppreopt_prop)
-(typeattribute cppreopt_prop_28_0)
-(roletype object_r cppreopt_prop_28_0)
-(type ctl_bootanim_prop)
-(typeattribute ctl_bootanim_prop_28_0)
-(roletype object_r ctl_bootanim_prop_28_0)
-(type ctl_bugreport_prop)
-(typeattribute ctl_bugreport_prop_28_0)
-(roletype object_r ctl_bugreport_prop_28_0)
-(type ctl_console_prop)
-(typeattribute ctl_console_prop_28_0)
-(roletype object_r ctl_console_prop_28_0)
-(type ctl_default_prop)
-(typeattribute ctl_default_prop_28_0)
-(roletype object_r ctl_default_prop_28_0)
-(type ctl_dumpstate_prop)
-(typeattribute ctl_dumpstate_prop_28_0)
-(roletype object_r ctl_dumpstate_prop_28_0)
-(type ctl_fuse_prop)
-(typeattribute ctl_fuse_prop_28_0)
-(roletype object_r ctl_fuse_prop_28_0)
-(type ctl_interface_restart_prop)
-(typeattribute ctl_interface_restart_prop_28_0)
-(roletype object_r ctl_interface_restart_prop_28_0)
-(type ctl_interface_start_prop)
-(typeattribute ctl_interface_start_prop_28_0)
-(roletype object_r ctl_interface_start_prop_28_0)
-(type ctl_interface_stop_prop)
-(typeattribute ctl_interface_stop_prop_28_0)
-(roletype object_r ctl_interface_stop_prop_28_0)
-(type ctl_mdnsd_prop)
-(typeattribute ctl_mdnsd_prop_28_0)
-(roletype object_r ctl_mdnsd_prop_28_0)
-(type ctl_restart_prop)
-(typeattribute ctl_restart_prop_28_0)
-(roletype object_r ctl_restart_prop_28_0)
-(type ctl_rildaemon_prop)
-(typeattribute ctl_rildaemon_prop_28_0)
-(roletype object_r ctl_rildaemon_prop_28_0)
-(type ctl_sigstop_prop)
-(typeattribute ctl_sigstop_prop_28_0)
-(roletype object_r ctl_sigstop_prop_28_0)
-(type ctl_start_prop)
-(typeattribute ctl_start_prop_28_0)
-(roletype object_r ctl_start_prop_28_0)
-(type ctl_stop_prop)
-(typeattribute ctl_stop_prop_28_0)
-(roletype object_r ctl_stop_prop_28_0)
-(type dalvik_prop)
-(typeattribute dalvik_prop_28_0)
-(roletype object_r dalvik_prop_28_0)
-(type debuggerd_prop)
-(typeattribute debuggerd_prop_28_0)
-(roletype object_r debuggerd_prop_28_0)
-(type debug_prop)
-(typeattribute debug_prop_28_0)
-(roletype object_r debug_prop_28_0)
-(type default_prop)
-(typeattribute default_prop_28_0)
-(roletype object_r default_prop_28_0)
-(type device_logging_prop)
-(typeattribute device_logging_prop_28_0)
-(roletype object_r device_logging_prop_28_0)
-(type dhcp_prop)
-(typeattribute dhcp_prop_28_0)
-(roletype object_r dhcp_prop_28_0)
-(type dumpstate_options_prop)
-(typeattribute dumpstate_options_prop_28_0)
-(roletype object_r dumpstate_options_prop_28_0)
-(type dumpstate_prop)
-(typeattribute dumpstate_prop_28_0)
-(roletype object_r dumpstate_prop_28_0)
-(type exported_secure_prop)
-(typeattribute exported_secure_prop_28_0)
-(roletype object_r exported_secure_prop_28_0)
-(type ffs_prop)
-(typeattribute ffs_prop_28_0)
-(roletype object_r ffs_prop_28_0)
-(type fingerprint_prop)
-(typeattribute fingerprint_prop_28_0)
-(roletype object_r fingerprint_prop_28_0)
-(type firstboot_prop)
-(typeattribute firstboot_prop_28_0)
-(roletype object_r firstboot_prop_28_0)
-(type hwservicemanager_prop)
-(typeattribute hwservicemanager_prop_28_0)
-(roletype object_r hwservicemanager_prop_28_0)
-(type last_boot_reason_prop)
-(typeattribute last_boot_reason_prop_28_0)
-(roletype object_r last_boot_reason_prop_28_0)
-(type logd_prop)
-(typeattribute logd_prop_28_0)
-(roletype object_r logd_prop_28_0)
-(type logpersistd_logging_prop)
-(typeattribute logpersistd_logging_prop_28_0)
-(roletype object_r logpersistd_logging_prop_28_0)
-(type log_prop)
-(typeattribute log_prop_28_0)
-(roletype object_r log_prop_28_0)
-(type log_tag_prop)
-(typeattribute log_tag_prop_28_0)
-(roletype object_r log_tag_prop_28_0)
-(type lowpan_prop)
-(typeattribute lowpan_prop_28_0)
-(roletype object_r lowpan_prop_28_0)
-(type mmc_prop)
-(typeattribute mmc_prop_28_0)
-(roletype object_r mmc_prop_28_0)
-(type net_dns_prop)
-(typeattribute net_dns_prop_28_0)
-(roletype object_r net_dns_prop_28_0)
-(type net_radio_prop)
-(typeattribute net_radio_prop_28_0)
-(roletype object_r net_radio_prop_28_0)
-(type netd_stable_secret_prop)
-(typeattribute netd_stable_secret_prop_28_0)
-(roletype object_r netd_stable_secret_prop_28_0)
-(type nfc_prop)
-(typeattribute nfc_prop_28_0)
-(roletype object_r nfc_prop_28_0)
-(type overlay_prop)
-(typeattribute overlay_prop_28_0)
-(roletype object_r overlay_prop_28_0)
-(type pan_result_prop)
-(typeattribute pan_result_prop_28_0)
-(roletype object_r pan_result_prop_28_0)
-(type persist_debug_prop)
-(typeattribute persist_debug_prop_28_0)
-(roletype object_r persist_debug_prop_28_0)
-(type persistent_properties_ready_prop)
-(typeattribute persistent_properties_ready_prop_28_0)
-(roletype object_r persistent_properties_ready_prop_28_0)
-(type pm_prop)
-(typeattribute pm_prop_28_0)
-(roletype object_r pm_prop_28_0)
-(type powerctl_prop)
-(typeattribute powerctl_prop_28_0)
-(roletype object_r powerctl_prop_28_0)
-(type radio_prop)
-(typeattribute radio_prop_28_0)
-(roletype object_r radio_prop_28_0)
-(type restorecon_prop)
-(typeattribute restorecon_prop_28_0)
-(roletype object_r restorecon_prop_28_0)
-(type safemode_prop)
-(typeattribute safemode_prop_28_0)
-(roletype object_r safemode_prop_28_0)
-(type serialno_prop)
-(typeattribute serialno_prop_28_0)
-(roletype object_r serialno_prop_28_0)
-(type shell_prop)
-(typeattribute shell_prop_28_0)
-(roletype object_r shell_prop_28_0)
-(type system_boot_reason_prop)
-(typeattribute system_boot_reason_prop_28_0)
-(roletype object_r system_boot_reason_prop_28_0)
-(type system_prop)
-(typeattribute system_prop_28_0)
-(roletype object_r system_prop_28_0)
-(type system_radio_prop)
-(typeattribute system_radio_prop_28_0)
-(roletype object_r system_radio_prop_28_0)
-(type test_boot_reason_prop)
-(typeattribute test_boot_reason_prop_28_0)
-(roletype object_r test_boot_reason_prop_28_0)
-(type traced_enabled_prop)
-(typeattribute traced_enabled_prop_28_0)
-(roletype object_r traced_enabled_prop_28_0)
-(type vold_prop)
-(typeattribute vold_prop_28_0)
-(roletype object_r vold_prop_28_0)
-(type wifi_log_prop)
-(typeattribute wifi_log_prop_28_0)
-(roletype object_r wifi_log_prop_28_0)
-(type wifi_prop)
-(typeattribute wifi_prop_28_0)
-(roletype object_r wifi_prop_28_0)
-(type vendor_security_patch_level_prop)
-(typeattribute vendor_security_patch_level_prop_28_0)
-(roletype object_r vendor_security_patch_level_prop_28_0)
-(type exported_audio_prop)
-(typeattribute exported_audio_prop_28_0)
-(roletype object_r exported_audio_prop_28_0)
-(type exported_bluetooth_prop)
-(typeattribute exported_bluetooth_prop_28_0)
-(roletype object_r exported_bluetooth_prop_28_0)
-(type exported_config_prop)
-(typeattribute exported_config_prop_28_0)
-(roletype object_r exported_config_prop_28_0)
-(type exported_dalvik_prop)
-(typeattribute exported_dalvik_prop_28_0)
-(roletype object_r exported_dalvik_prop_28_0)
-(type exported_default_prop)
-(typeattribute exported_default_prop_28_0)
-(roletype object_r exported_default_prop_28_0)
-(type exported_dumpstate_prop)
-(typeattribute exported_dumpstate_prop_28_0)
-(roletype object_r exported_dumpstate_prop_28_0)
-(type exported_ffs_prop)
-(typeattribute exported_ffs_prop_28_0)
-(roletype object_r exported_ffs_prop_28_0)
-(type exported_fingerprint_prop)
-(typeattribute exported_fingerprint_prop_28_0)
-(roletype object_r exported_fingerprint_prop_28_0)
-(type exported_overlay_prop)
-(typeattribute exported_overlay_prop_28_0)
-(roletype object_r exported_overlay_prop_28_0)
-(type exported_pm_prop)
-(typeattribute exported_pm_prop_28_0)
-(roletype object_r exported_pm_prop_28_0)
-(type exported_radio_prop)
-(typeattribute exported_radio_prop_28_0)
-(roletype object_r exported_radio_prop_28_0)
-(type exported_system_prop)
-(typeattribute exported_system_prop_28_0)
-(roletype object_r exported_system_prop_28_0)
-(type exported_system_radio_prop)
-(typeattribute exported_system_radio_prop_28_0)
-(roletype object_r exported_system_radio_prop_28_0)
-(type exported_vold_prop)
-(typeattribute exported_vold_prop_28_0)
-(roletype object_r exported_vold_prop_28_0)
-(type exported_wifi_prop)
-(typeattribute exported_wifi_prop_28_0)
-(roletype object_r exported_wifi_prop_28_0)
-(type exported2_config_prop)
-(typeattribute exported2_config_prop_28_0)
-(roletype object_r exported2_config_prop_28_0)
-(type exported2_default_prop)
-(typeattribute exported2_default_prop_28_0)
-(roletype object_r exported2_default_prop_28_0)
-(type exported2_radio_prop)
-(typeattribute exported2_radio_prop_28_0)
-(roletype object_r exported2_radio_prop_28_0)
-(type exported2_system_prop)
-(typeattribute exported2_system_prop_28_0)
-(roletype object_r exported2_system_prop_28_0)
-(type exported2_vold_prop)
-(typeattribute exported2_vold_prop_28_0)
-(roletype object_r exported2_vold_prop_28_0)
-(type exported3_default_prop)
-(typeattribute exported3_default_prop_28_0)
-(roletype object_r exported3_default_prop_28_0)
-(type exported3_radio_prop)
-(typeattribute exported3_radio_prop_28_0)
-(roletype object_r exported3_radio_prop_28_0)
-(type exported3_system_prop)
-(typeattribute exported3_system_prop_28_0)
-(roletype object_r exported3_system_prop_28_0)
-(type vendor_default_prop)
-(typeattribute vendor_default_prop_28_0)
-(roletype object_r vendor_default_prop_28_0)
-(type racoon)
-(typeattribute racoon_28_0)
-(roletype object_r racoon_28_0)
-(type racoon_exec)
-(typeattribute racoon_exec_28_0)
-(roletype object_r racoon_exec_28_0)
-(type radio)
-(typeattribute radio_28_0)
-(roletype object_r radio_28_0)
-(type recovery)
-(typeattribute recovery_28_0)
-(roletype object_r recovery_28_0)
-(type recovery_persist)
-(typeattribute recovery_persist_28_0)
-(roletype object_r recovery_persist_28_0)
-(type recovery_persist_exec)
-(typeattribute recovery_persist_exec_28_0)
-(roletype object_r recovery_persist_exec_28_0)
-(type recovery_refresh)
-(typeattribute recovery_refresh_28_0)
-(roletype object_r recovery_refresh_28_0)
-(type recovery_refresh_exec)
-(typeattribute recovery_refresh_exec_28_0)
-(roletype object_r recovery_refresh_exec_28_0)
-(type runas)
-(typeattribute runas_28_0)
-(roletype object_r runas_28_0)
-(type runas_exec)
-(typeattribute runas_exec_28_0)
-(roletype object_r runas_exec_28_0)
-(type sdcardd)
-(typeattribute sdcardd_28_0)
-(roletype object_r sdcardd_28_0)
-(type sdcardd_exec)
-(typeattribute sdcardd_exec_28_0)
-(roletype object_r sdcardd_exec_28_0)
-(type secure_element)
-(typeattribute secure_element_28_0)
-(roletype object_r secure_element_28_0)
-(type audioserver_service)
-(typeattribute audioserver_service_28_0)
-(roletype object_r audioserver_service_28_0)
-(type batteryproperties_service)
-(typeattribute batteryproperties_service_28_0)
-(roletype object_r batteryproperties_service_28_0)
-(type bluetooth_service)
-(typeattribute bluetooth_service_28_0)
-(roletype object_r bluetooth_service_28_0)
-(type cameraserver_service)
-(typeattribute cameraserver_service_28_0)
-(roletype object_r cameraserver_service_28_0)
-(type default_android_service)
-(typeattribute default_android_service_28_0)
-(roletype object_r default_android_service_28_0)
-(type drmserver_service)
-(typeattribute drmserver_service_28_0)
-(roletype object_r drmserver_service_28_0)
-(type dumpstate_service)
-(typeattribute dumpstate_service_28_0)
-(roletype object_r dumpstate_service_28_0)
-(type fingerprintd_service)
-(typeattribute fingerprintd_service_28_0)
-(roletype object_r fingerprintd_service_28_0)
-(type hal_fingerprint_service)
-(typeattribute hal_fingerprint_service_28_0)
-(roletype object_r hal_fingerprint_service_28_0)
-(type gatekeeper_service)
-(typeattribute gatekeeper_service_28_0)
-(roletype object_r gatekeeper_service_28_0)
-(type gpu_service)
-(typeattribute gpu_service_28_0)
-(roletype object_r gpu_service_28_0)
-(type inputflinger_service)
-(typeattribute inputflinger_service_28_0)
-(roletype object_r inputflinger_service_28_0)
-(type incident_service)
-(typeattribute incident_service_28_0)
-(roletype object_r incident_service_28_0)
-(type installd_service)
-(typeattribute installd_service_28_0)
-(roletype object_r installd_service_28_0)
-(type keystore_service)
-(typeattribute keystore_service_28_0)
-(roletype object_r keystore_service_28_0)
-(type mediaserver_service)
-(typeattribute mediaserver_service_28_0)
-(roletype object_r mediaserver_service_28_0)
-(type mediametrics_service)
-(typeattribute mediametrics_service_28_0)
-(roletype object_r mediametrics_service_28_0)
-(type mediaextractor_service)
-(typeattribute mediaextractor_service_28_0)
-(roletype object_r mediaextractor_service_28_0)
-(type mediaextractor_update_service)
-(typeattribute mediaextractor_update_service_28_0)
-(roletype object_r mediaextractor_update_service_28_0)
-(type mediacodec_service)
-(typeattribute mediacodec_service_28_0)
-(roletype object_r mediacodec_service_28_0)
-(type mediadrmserver_service)
-(typeattribute mediadrmserver_service_28_0)
-(roletype object_r mediadrmserver_service_28_0)
-(type netd_service)
-(typeattribute netd_service_28_0)
-(roletype object_r netd_service_28_0)
-(type nfc_service)
-(typeattribute nfc_service_28_0)
-(roletype object_r nfc_service_28_0)
-(type perfprofd_service)
-(typeattribute perfprofd_service_28_0)
-(roletype object_r perfprofd_service_28_0)
-(type radio_service)
-(typeattribute radio_service_28_0)
-(roletype object_r radio_service_28_0)
-(type secure_element_service)
-(typeattribute secure_element_service_28_0)
-(roletype object_r secure_element_service_28_0)
-(type storaged_service)
-(typeattribute storaged_service_28_0)
-(roletype object_r storaged_service_28_0)
-(type surfaceflinger_service)
-(typeattribute surfaceflinger_service_28_0)
-(roletype object_r surfaceflinger_service_28_0)
-(type system_app_service)
-(typeattribute system_app_service_28_0)
-(roletype object_r system_app_service_28_0)
-(type thermal_service)
-(typeattribute thermal_service_28_0)
-(roletype object_r thermal_service_28_0)
-(type update_engine_service)
-(typeattribute update_engine_service_28_0)
-(roletype object_r update_engine_service_28_0)
-(type virtual_touchpad_service)
-(typeattribute virtual_touchpad_service_28_0)
-(roletype object_r virtual_touchpad_service_28_0)
-(type vold_service)
-(typeattribute vold_service_28_0)
-(roletype object_r vold_service_28_0)
-(type vr_hwc_service)
-(typeattribute vr_hwc_service_28_0)
-(roletype object_r vr_hwc_service_28_0)
-(type accessibility_service)
-(typeattribute accessibility_service_28_0)
-(roletype object_r accessibility_service_28_0)
-(type account_service)
-(typeattribute account_service_28_0)
-(roletype object_r account_service_28_0)
-(type activity_service)
-(typeattribute activity_service_28_0)
-(roletype object_r activity_service_28_0)
-(type alarm_service)
-(typeattribute alarm_service_28_0)
-(roletype object_r alarm_service_28_0)
-(type appops_service)
-(typeattribute appops_service_28_0)
-(roletype object_r appops_service_28_0)
-(type appwidget_service)
-(typeattribute appwidget_service_28_0)
-(roletype object_r appwidget_service_28_0)
-(type assetatlas_service)
-(typeattribute assetatlas_service_28_0)
-(roletype object_r assetatlas_service_28_0)
-(type audio_service)
-(typeattribute audio_service_28_0)
-(roletype object_r audio_service_28_0)
-(type autofill_service)
-(typeattribute autofill_service_28_0)
-(roletype object_r autofill_service_28_0)
-(type backup_service)
-(typeattribute backup_service_28_0)
-(roletype object_r backup_service_28_0)
-(type batterystats_service)
-(typeattribute batterystats_service_28_0)
-(roletype object_r batterystats_service_28_0)
-(type battery_service)
-(typeattribute battery_service_28_0)
-(roletype object_r battery_service_28_0)
-(type binder_calls_stats_service)
-(typeattribute binder_calls_stats_service_28_0)
-(roletype object_r binder_calls_stats_service_28_0)
-(type bluetooth_manager_service)
-(typeattribute bluetooth_manager_service_28_0)
-(roletype object_r bluetooth_manager_service_28_0)
-(type broadcastradio_service)
-(typeattribute broadcastradio_service_28_0)
-(roletype object_r broadcastradio_service_28_0)
-(type cameraproxy_service)
-(typeattribute cameraproxy_service_28_0)
-(roletype object_r cameraproxy_service_28_0)
-(type clipboard_service)
-(typeattribute clipboard_service_28_0)
-(roletype object_r clipboard_service_28_0)
-(type contexthub_service)
-(typeattribute contexthub_service_28_0)
-(roletype object_r contexthub_service_28_0)
-(type crossprofileapps_service)
-(typeattribute crossprofileapps_service_28_0)
-(roletype object_r crossprofileapps_service_28_0)
-(type IProxyService_service)
-(typeattribute IProxyService_service_28_0)
-(roletype object_r IProxyService_service_28_0)
-(type commontime_management_service)
-(typeattribute commontime_management_service_28_0)
-(roletype object_r commontime_management_service_28_0)
-(type companion_device_service)
-(typeattribute companion_device_service_28_0)
-(roletype object_r companion_device_service_28_0)
-(type connectivity_service)
-(typeattribute connectivity_service_28_0)
-(roletype object_r connectivity_service_28_0)
-(type connmetrics_service)
-(typeattribute connmetrics_service_28_0)
-(roletype object_r connmetrics_service_28_0)
-(type consumer_ir_service)
-(typeattribute consumer_ir_service_28_0)
-(roletype object_r consumer_ir_service_28_0)
-(type content_service)
-(typeattribute content_service_28_0)
-(roletype object_r content_service_28_0)
-(type country_detector_service)
-(typeattribute country_detector_service_28_0)
-(roletype object_r country_detector_service_28_0)
-(type coverage_service)
-(typeattribute coverage_service_28_0)
-(roletype object_r coverage_service_28_0)
-(type cpuinfo_service)
-(typeattribute cpuinfo_service_28_0)
-(roletype object_r cpuinfo_service_28_0)
-(type dbinfo_service)
-(typeattribute dbinfo_service_28_0)
-(roletype object_r dbinfo_service_28_0)
-(type device_policy_service)
-(typeattribute device_policy_service_28_0)
-(roletype object_r device_policy_service_28_0)
-(type deviceidle_service)
-(typeattribute deviceidle_service_28_0)
-(roletype object_r deviceidle_service_28_0)
-(type device_identifiers_service)
-(typeattribute device_identifiers_service_28_0)
-(roletype object_r device_identifiers_service_28_0)
-(type devicestoragemonitor_service)
-(typeattribute devicestoragemonitor_service_28_0)
-(roletype object_r devicestoragemonitor_service_28_0)
-(type diskstats_service)
-(typeattribute diskstats_service_28_0)
-(roletype object_r diskstats_service_28_0)
-(type display_service)
-(typeattribute display_service_28_0)
-(roletype object_r display_service_28_0)
-(type font_service)
-(typeattribute font_service_28_0)
-(roletype object_r font_service_28_0)
-(type netd_listener_service)
-(typeattribute netd_listener_service_28_0)
-(roletype object_r netd_listener_service_28_0)
-(type network_watchlist_service)
-(typeattribute network_watchlist_service_28_0)
-(roletype object_r network_watchlist_service_28_0)
-(type DockObserver_service)
-(typeattribute DockObserver_service_28_0)
-(roletype object_r DockObserver_service_28_0)
-(type dreams_service)
-(typeattribute dreams_service_28_0)
-(roletype object_r dreams_service_28_0)
-(type dropbox_service)
-(typeattribute dropbox_service_28_0)
-(roletype object_r dropbox_service_28_0)
-(type lowpan_service)
-(typeattribute lowpan_service_28_0)
-(roletype object_r lowpan_service_28_0)
-(type ethernet_service)
-(typeattribute ethernet_service_28_0)
-(roletype object_r ethernet_service_28_0)
-(type fingerprint_service)
-(typeattribute fingerprint_service_28_0)
-(roletype object_r fingerprint_service_28_0)
-(type gfxinfo_service)
-(typeattribute gfxinfo_service_28_0)
-(roletype object_r gfxinfo_service_28_0)
-(type graphicsstats_service)
-(typeattribute graphicsstats_service_28_0)
-(roletype object_r graphicsstats_service_28_0)
-(type hardware_service)
-(typeattribute hardware_service_28_0)
-(roletype object_r hardware_service_28_0)
-(type hardware_properties_service)
-(typeattribute hardware_properties_service_28_0)
-(roletype object_r hardware_properties_service_28_0)
-(type hdmi_control_service)
-(typeattribute hdmi_control_service_28_0)
-(roletype object_r hdmi_control_service_28_0)
-(type input_method_service)
-(typeattribute input_method_service_28_0)
-(roletype object_r input_method_service_28_0)
-(type input_service)
-(typeattribute input_service_28_0)
-(roletype object_r input_service_28_0)
-(type imms_service)
-(typeattribute imms_service_28_0)
-(roletype object_r imms_service_28_0)
-(type ipsec_service)
-(typeattribute ipsec_service_28_0)
-(roletype object_r ipsec_service_28_0)
-(type jobscheduler_service)
-(typeattribute jobscheduler_service_28_0)
-(roletype object_r jobscheduler_service_28_0)
-(type launcherapps_service)
-(typeattribute launcherapps_service_28_0)
-(roletype object_r launcherapps_service_28_0)
-(type location_service)
-(typeattribute location_service_28_0)
-(roletype object_r location_service_28_0)
-(type lock_settings_service)
-(typeattribute lock_settings_service_28_0)
-(roletype object_r lock_settings_service_28_0)
-(type media_projection_service)
-(typeattribute media_projection_service_28_0)
-(roletype object_r media_projection_service_28_0)
-(type media_router_service)
-(typeattribute media_router_service_28_0)
-(roletype object_r media_router_service_28_0)
-(type media_session_service)
-(typeattribute media_session_service_28_0)
-(roletype object_r media_session_service_28_0)
-(type meminfo_service)
-(typeattribute meminfo_service_28_0)
-(roletype object_r meminfo_service_28_0)
-(type midi_service)
-(typeattribute midi_service_28_0)
-(roletype object_r midi_service_28_0)
-(type mount_service)
-(typeattribute mount_service_28_0)
-(roletype object_r mount_service_28_0)
-(type netpolicy_service)
-(typeattribute netpolicy_service_28_0)
-(roletype object_r netpolicy_service_28_0)
-(type netstats_service)
-(typeattribute netstats_service_28_0)
-(roletype object_r netstats_service_28_0)
-(type network_management_service)
-(typeattribute network_management_service_28_0)
-(roletype object_r network_management_service_28_0)
-(type network_score_service)
-(typeattribute network_score_service_28_0)
-(roletype object_r network_score_service_28_0)
-(type network_time_update_service)
-(typeattribute network_time_update_service_28_0)
-(roletype object_r network_time_update_service_28_0)
-(type notification_service)
-(typeattribute notification_service_28_0)
-(roletype object_r notification_service_28_0)
-(type oem_lock_service)
-(typeattribute oem_lock_service_28_0)
-(roletype object_r oem_lock_service_28_0)
-(type otadexopt_service)
-(typeattribute otadexopt_service_28_0)
-(roletype object_r otadexopt_service_28_0)
-(type overlay_service)
-(typeattribute overlay_service_28_0)
-(roletype object_r overlay_service_28_0)
-(type package_service)
-(typeattribute package_service_28_0)
-(roletype object_r package_service_28_0)
-(type package_native_service)
-(typeattribute package_native_service_28_0)
-(roletype object_r package_native_service_28_0)
-(type permission_service)
-(typeattribute permission_service_28_0)
-(roletype object_r permission_service_28_0)
-(type persistent_data_block_service)
-(typeattribute persistent_data_block_service_28_0)
-(roletype object_r persistent_data_block_service_28_0)
-(type pinner_service)
-(typeattribute pinner_service_28_0)
-(roletype object_r pinner_service_28_0)
-(type power_service)
-(typeattribute power_service_28_0)
-(roletype object_r power_service_28_0)
-(type print_service)
-(typeattribute print_service_28_0)
-(roletype object_r print_service_28_0)
-(type processinfo_service)
-(typeattribute processinfo_service_28_0)
-(roletype object_r processinfo_service_28_0)
-(type procstats_service)
-(typeattribute procstats_service_28_0)
-(roletype object_r procstats_service_28_0)
-(type recovery_service)
-(typeattribute recovery_service_28_0)
-(roletype object_r recovery_service_28_0)
-(type registry_service)
-(typeattribute registry_service_28_0)
-(roletype object_r registry_service_28_0)
-(type restrictions_service)
-(typeattribute restrictions_service_28_0)
-(roletype object_r restrictions_service_28_0)
-(type rttmanager_service)
-(typeattribute rttmanager_service_28_0)
-(roletype object_r rttmanager_service_28_0)
-(type samplingprofiler_service)
-(typeattribute samplingprofiler_service_28_0)
-(roletype object_r samplingprofiler_service_28_0)
-(type scheduling_policy_service)
-(typeattribute scheduling_policy_service_28_0)
-(roletype object_r scheduling_policy_service_28_0)
-(type search_service)
-(typeattribute search_service_28_0)
-(roletype object_r search_service_28_0)
-(type sec_key_att_app_id_provider_service)
-(typeattribute sec_key_att_app_id_provider_service_28_0)
-(roletype object_r sec_key_att_app_id_provider_service_28_0)
-(type sensorservice_service)
-(typeattribute sensorservice_service_28_0)
-(roletype object_r sensorservice_service_28_0)
-(type serial_service)
-(typeattribute serial_service_28_0)
-(roletype object_r serial_service_28_0)
-(type servicediscovery_service)
-(typeattribute servicediscovery_service_28_0)
-(roletype object_r servicediscovery_service_28_0)
-(type settings_service)
-(typeattribute settings_service_28_0)
-(roletype object_r settings_service_28_0)
-(type shortcut_service)
-(typeattribute shortcut_service_28_0)
-(roletype object_r shortcut_service_28_0)
-(type slice_service)
-(typeattribute slice_service_28_0)
-(roletype object_r slice_service_28_0)
-(type statusbar_service)
-(typeattribute statusbar_service_28_0)
-(roletype object_r statusbar_service_28_0)
-(type storagestats_service)
-(typeattribute storagestats_service_28_0)
-(roletype object_r storagestats_service_28_0)
-(type system_update_service)
-(typeattribute system_update_service_28_0)
-(roletype object_r system_update_service_28_0)
-(type task_service)
-(typeattribute task_service_28_0)
-(roletype object_r task_service_28_0)
-(type textclassification_service)
-(typeattribute textclassification_service_28_0)
-(roletype object_r textclassification_service_28_0)
-(type textservices_service)
-(typeattribute textservices_service_28_0)
-(roletype object_r textservices_service_28_0)
-(type telecom_service)
-(typeattribute telecom_service_28_0)
-(roletype object_r telecom_service_28_0)
-(type timezone_service)
-(typeattribute timezone_service_28_0)
-(roletype object_r timezone_service_28_0)
-(type trust_service)
-(typeattribute trust_service_28_0)
-(roletype object_r trust_service_28_0)
-(type tv_input_service)
-(typeattribute tv_input_service_28_0)
-(roletype object_r tv_input_service_28_0)
-(type uimode_service)
-(typeattribute uimode_service_28_0)
-(roletype object_r uimode_service_28_0)
-(type updatelock_service)
-(typeattribute updatelock_service_28_0)
-(roletype object_r updatelock_service_28_0)
-(type usagestats_service)
-(typeattribute usagestats_service_28_0)
-(roletype object_r usagestats_service_28_0)
-(type usb_service)
-(typeattribute usb_service_28_0)
-(roletype object_r usb_service_28_0)
-(type user_service)
-(typeattribute user_service_28_0)
-(roletype object_r user_service_28_0)
-(type vibrator_service)
-(typeattribute vibrator_service_28_0)
-(roletype object_r vibrator_service_28_0)
-(type voiceinteraction_service)
-(typeattribute voiceinteraction_service_28_0)
-(roletype object_r voiceinteraction_service_28_0)
-(type vr_manager_service)
-(typeattribute vr_manager_service_28_0)
-(roletype object_r vr_manager_service_28_0)
-(type wallpaper_service)
-(typeattribute wallpaper_service_28_0)
-(roletype object_r wallpaper_service_28_0)
-(type webviewupdate_service)
-(typeattribute webviewupdate_service_28_0)
-(roletype object_r webviewupdate_service_28_0)
-(type wifip2p_service)
-(typeattribute wifip2p_service_28_0)
-(roletype object_r wifip2p_service_28_0)
-(type wifiscanner_service)
-(typeattribute wifiscanner_service_28_0)
-(roletype object_r wifiscanner_service_28_0)
-(type wifi_service)
-(typeattribute wifi_service_28_0)
-(roletype object_r wifi_service_28_0)
-(type wificond_service)
-(typeattribute wificond_service_28_0)
-(roletype object_r wificond_service_28_0)
-(type wifiaware_service)
-(typeattribute wifiaware_service_28_0)
-(roletype object_r wifiaware_service_28_0)
-(type window_service)
-(typeattribute window_service_28_0)
-(roletype object_r window_service_28_0)
-(type wpantund_service)
-(typeattribute wpantund_service_28_0)
-(roletype object_r wpantund_service_28_0)
-(type servicemanager)
-(typeattribute servicemanager_28_0)
-(roletype object_r servicemanager_28_0)
-(type servicemanager_exec)
-(typeattribute servicemanager_exec_28_0)
-(roletype object_r servicemanager_exec_28_0)
-(type sgdisk)
-(typeattribute sgdisk_28_0)
-(roletype object_r sgdisk_28_0)
-(type sgdisk_exec)
-(typeattribute sgdisk_exec_28_0)
-(roletype object_r sgdisk_exec_28_0)
-(type shared_relro)
-(typeattribute shared_relro_28_0)
-(roletype object_r shared_relro_28_0)
-(type shell)
-(typeattribute shell_28_0)
-(roletype object_r shell_28_0)
-(type shell_exec)
-(typeattribute shell_exec_28_0)
-(roletype object_r shell_exec_28_0)
-(type slideshow)
-(typeattribute slideshow_28_0)
-(roletype object_r slideshow_28_0)
-(type su)
-(typeattribute su_28_0)
-(roletype object_r su_28_0)
-(type su_exec)
-(typeattribute su_exec_28_0)
-(roletype object_r su_exec_28_0)
-(type surfaceflinger)
-(typeattribute surfaceflinger_28_0)
-(roletype object_r surfaceflinger_28_0)
-(type system_app)
-(typeattribute system_app_28_0)
-(roletype object_r system_app_28_0)
-(type system_server)
-(typeattribute system_server_28_0)
-(roletype object_r system_server_28_0)
-(type tee)
-(typeattribute tee_28_0)
-(roletype object_r tee_28_0)
-(type tee_device)
-(typeattribute tee_device_28_0)
-(roletype object_r tee_device_28_0)
-(type thermalserviced)
-(typeattribute thermalserviced_28_0)
-(roletype object_r thermalserviced_28_0)
-(type thermalserviced_exec)
-(typeattribute thermalserviced_exec_28_0)
-(roletype object_r thermalserviced_exec_28_0)
-(type tombstoned)
-(typeattribute tombstoned_28_0)
-(roletype object_r tombstoned_28_0)
-(type tombstoned_exec)
-(typeattribute tombstoned_exec_28_0)
-(roletype object_r tombstoned_exec_28_0)
-(type toolbox)
-(typeattribute toolbox_28_0)
-(roletype object_r toolbox_28_0)
-(type toolbox_exec)
-(typeattribute toolbox_exec_28_0)
-(roletype object_r toolbox_exec_28_0)
-(type traced_probes)
-(typeattribute traced_probes_28_0)
-(roletype object_r traced_probes_28_0)
-(type traceur_app)
-(typeattribute traceur_app_28_0)
-(roletype object_r traceur_app_28_0)
-(type tzdatacheck)
-(typeattribute tzdatacheck_28_0)
-(roletype object_r tzdatacheck_28_0)
-(type tzdatacheck_exec)
-(typeattribute tzdatacheck_exec_28_0)
-(roletype object_r tzdatacheck_exec_28_0)
-(type ueventd)
-(typeattribute ueventd_28_0)
-(roletype object_r ueventd_28_0)
-(type uncrypt)
-(typeattribute uncrypt_28_0)
-(roletype object_r uncrypt_28_0)
-(type uncrypt_exec)
-(typeattribute uncrypt_exec_28_0)
-(roletype object_r uncrypt_exec_28_0)
-(type untrusted_app)
-(typeattribute untrusted_app_28_0)
-(roletype object_r untrusted_app_28_0)
-(type untrusted_app_27)
-(typeattribute untrusted_app_27_28_0)
-(roletype object_r untrusted_app_27_28_0)
-(type untrusted_app_25)
-(typeattribute untrusted_app_25_28_0)
-(roletype object_r untrusted_app_25_28_0)
-(type untrusted_v2_app)
-(typeattribute untrusted_v2_app_28_0)
-(roletype object_r untrusted_v2_app_28_0)
-(type update_engine)
-(typeattribute update_engine_28_0)
-(roletype object_r update_engine_28_0)
-(type update_engine_exec)
-(typeattribute update_engine_exec_28_0)
-(roletype object_r update_engine_exec_28_0)
-(type update_verifier)
-(typeattribute update_verifier_28_0)
-(roletype object_r update_verifier_28_0)
-(type update_verifier_exec)
-(typeattribute update_verifier_exec_28_0)
-(roletype object_r update_verifier_exec_28_0)
-(type usbd)
-(typeattribute usbd_28_0)
-(roletype object_r usbd_28_0)
-(type usbd_exec)
-(typeattribute usbd_exec_28_0)
-(roletype object_r usbd_exec_28_0)
-(type vdc)
-(typeattribute vdc_28_0)
-(roletype object_r vdc_28_0)
-(type vdc_exec)
-(typeattribute vdc_exec_28_0)
-(roletype object_r vdc_exec_28_0)
-(type vendor_init)
-(typeattribute vendor_init_28_0)
-(roletype object_r vendor_init_28_0)
-(type vendor_shell)
-(typeattribute vendor_shell_28_0)
-(roletype object_r vendor_shell_28_0)
-(type vendor_shell_exec)
-(typeattribute vendor_shell_exec_28_0)
-(roletype object_r vendor_shell_exec_28_0)
-(type vendor_toolbox_exec)
-(typeattribute vendor_toolbox_exec_28_0)
-(roletype object_r vendor_toolbox_exec_28_0)
-(type virtual_touchpad)
-(typeattribute virtual_touchpad_28_0)
-(roletype object_r virtual_touchpad_28_0)
-(type virtual_touchpad_exec)
-(typeattribute virtual_touchpad_exec_28_0)
-(roletype object_r virtual_touchpad_exec_28_0)
-(type default_android_vndservice)
-(typeattribute default_android_vndservice_28_0)
-(roletype object_r default_android_vndservice_28_0)
-(type vndservicemanager)
-(typeattribute vndservicemanager_28_0)
-(roletype object_r vndservicemanager_28_0)
-(type vold)
-(typeattribute vold_28_0)
-(roletype object_r vold_28_0)
-(type vold_exec)
-(typeattribute vold_exec_28_0)
-(roletype object_r vold_exec_28_0)
-(type vold_prepare_subdirs)
-(typeattribute vold_prepare_subdirs_28_0)
-(roletype object_r vold_prepare_subdirs_28_0)
-(type vold_prepare_subdirs_exec)
-(typeattribute vold_prepare_subdirs_exec_28_0)
-(roletype object_r vold_prepare_subdirs_exec_28_0)
-(type vr_hwc)
-(typeattribute vr_hwc_28_0)
-(roletype object_r vr_hwc_28_0)
-(type vr_hwc_exec)
-(typeattribute vr_hwc_exec_28_0)
-(roletype object_r vr_hwc_exec_28_0)
-(type watchdogd)
-(typeattribute watchdogd_28_0)
-(roletype object_r watchdogd_28_0)
-(type webview_zygote)
-(typeattribute webview_zygote_28_0)
-(roletype object_r webview_zygote_28_0)
-(type webview_zygote_exec)
-(typeattribute webview_zygote_exec_28_0)
-(roletype object_r webview_zygote_exec_28_0)
-(type wificond)
-(typeattribute wificond_28_0)
-(roletype object_r wificond_28_0)
-(type wificond_exec)
-(typeattribute wificond_exec_28_0)
-(roletype object_r wificond_exec_28_0)
-(type wpantund)
-(typeattribute wpantund_28_0)
-(roletype object_r wpantund_28_0)
-(type wpantund_exec)
-(typeattribute wpantund_exec_28_0)
-(roletype object_r wpantund_exec_28_0)
-(type zygote)
-(typeattribute zygote_28_0)
-(roletype object_r zygote_28_0)
-(type zygote_exec)
-(typeattribute zygote_exec_28_0)
-(roletype object_r zygote_exec_28_0)
-(neverallow base_typeattr_1_28_0 domain (process (fork)))
-(neverallow base_typeattr_2_28_0 domain (process (fork)))
-(neverallow base_typeattr_3_28_0 domain (process (fork)))
-(neverallow base_typeattr_4_28_0 domain (process (fork)))
-(neverallow base_typeattr_5_28_0 domain (process (fork)))
-(neverallow base_typeattr_6_28_0 domain (process (fork)))
-(neverallow base_typeattr_7_28_0 domain (process (fork)))
-(neverallow base_typeattr_8_28_0 domain (process (fork)))
-(neverallow base_typeattr_9_28_0 domain (process (fork)))
-(neverallow base_typeattr_10_28_0 domain (process (fork)))
-(neverallow base_typeattr_11_28_0 domain (process (fork)))
-(neverallow base_typeattr_12_28_0 domain (process (fork)))
-(neverallow base_typeattr_13_28_0 domain (process (fork)))
-(neverallow base_typeattr_14_28_0 domain (process (fork)))
-(neverallow base_typeattr_15_28_0 domain (process (fork)))
-(neverallow base_typeattr_16_28_0 domain (process (fork)))
-(neverallow base_typeattr_17_28_0 domain (process (fork)))
-(neverallow base_typeattr_18_28_0 domain (process (fork)))
-(neverallow base_typeattr_19_28_0 domain (process (fork)))
-(neverallow base_typeattr_20_28_0 domain (process (fork)))
-(neverallow base_typeattr_21_28_0 domain (process (fork)))
-(neverallow base_typeattr_22_28_0 domain (process (fork)))
-(neverallow base_typeattr_23_28_0 domain (process (fork)))
-(neverallow base_typeattr_24_28_0 domain (process (fork)))
-(neverallow base_typeattr_25_28_0 domain (process (fork)))
-(neverallow base_typeattr_26_28_0 domain (process (fork)))
-(neverallow base_typeattr_27_28_0 domain (process (fork)))
-(neverallow base_typeattr_28_28_0 domain (process (fork)))
-(neverallow base_typeattr_29_28_0 domain (process (fork)))
-(neverallow base_typeattr_30_28_0 domain (process (fork)))
-(neverallow base_typeattr_31_28_0 domain (process (fork)))
-(neverallow base_typeattr_32_28_0 domain (process (fork)))
-(neverallow base_typeattr_33_28_0 domain (process (fork)))
-(neverallow base_typeattr_34_28_0 domain (process (fork)))
-(neverallow base_typeattr_35_28_0 domain (process (fork)))
-(neverallow base_typeattr_36_28_0 domain (process (fork)))
-(neverallow base_typeattr_37_28_0 domain (process (fork)))
-(neverallow base_typeattr_38_28_0 domain (process (fork)))
-(neverallow base_typeattr_39_28_0 domain (process (fork)))
-(neverallow base_typeattr_40_28_0 domain (process (fork)))
-(neverallow base_typeattr_41_28_0 domain (process (fork)))
-(neverallow base_typeattr_42_28_0 domain (process (fork)))
-(allow appdomain self (process (execmem)))
-(allow appdomain ashmem_device_28_0 (chr_file (execute)))
-(allow appdomain zygote_28_0 (fd (use)))
-(allow appdomain zygote_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow appdomain zygote_28_0 (process (sigchld)))
-(allow appdomain cgroup_28_0 (dir (write search)))
-(allow appdomain cgroup_28_0 (file (ioctl read write getattr lock append map open)))
-(allow appdomain dalvikcache_data_file_28_0 (dir (getattr search)))
-(allow appdomain dalvikcache_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow base_typeattr_43_28_0 rootfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow base_typeattr_43_28_0 tmpfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow appdomain tmpfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow appdomain zygote_28_0 (fifo_file (write)))
-(allow appdomain method_trace_data_file_28_0 (dir (write lock add_name remove_name search open)))
-(allow appdomain method_trace_data_file_28_0 (file (write create lock append map open)))
-(allow appdomain shell_28_0 (process (sigchld)))
-(allow appdomain adbd_28_0 (process (sigchld)))
-(allow appdomain devpts_28_0 (chr_file (ioctl read write getattr)))
-(allow appdomain system_server_28_0 (fd (use)))
-(allow appdomain system_server_28_0 (fifo_file (ioctl read write getattr lock append map open)))
-(allow appdomain system_server_28_0 (unix_stream_socket (read write getattr getopt setopt shutdown)))
-(allow appdomain system_server_28_0 (tcp_socket (read write getattr getopt shutdown)))
-(allow appdomain appdomain (fifo_file (ioctl read write getattr lock append map open)))
-(allow appdomain surfaceflinger_28_0 (unix_stream_socket (read write getattr getopt setopt shutdown)))
-(allow base_typeattr_43_28_0 app_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow base_typeattr_43_28_0 app_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow base_typeattr_43_28_0 app_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow base_typeattr_43_28_0 app_data_file_28_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow base_typeattr_43_28_0 app_data_file_28_0 (fifo_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow appdomain mnt_expand_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow appdomain keychain_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow appdomain keychain_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain keychain_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow appdomain misc_user_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow appdomain misc_user_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow base_typeattr_43_28_0 textclassifier_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_43_28_0 textclassifier_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow base_typeattr_43_28_0 textclassifier_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow appdomain oemfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow appdomain oemfs_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow base_typeattr_44_28_0 shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow base_typeattr_44_28_0 toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow base_typeattr_45_28_0 system_file_28_0 (file (getattr map execute execute_no_trans)))
-(allow appdomain system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow appdomain system_file_28_0 (lnk_file (read getattr open)))
-(allow base_typeattr_43_28_0 vendor_file_28_0 (dir (read open)))
-(allow base_typeattr_44_28_0 vendor_app_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_44_28_0 vendor_app_file_28_0 (file (ioctl read getattr lock map open)))
-(allow base_typeattr_44_28_0 vendor_app_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow base_typeattr_44_28_0 vendor_app_file_28_0 (file (execute)))
-(allow appdomain vendor_overlay_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow appdomain vendor_overlay_file_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain vendor_overlay_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow appdomain vendor_framework_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow appdomain vendor_framework_file_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain vendor_framework_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow appdomain dex2oat_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow appdomain wallpaper_file_28_0 (file (read write getattr)))
-(allow appdomain ringtone_file_28_0 (file (read write getattr)))
-(allow appdomain shortcut_manager_icons_28_0 (file (read getattr)))
-(allow appdomain icon_file_28_0 (file (read getattr)))
-(allow appdomain anr_data_file_28_0 (dir (search)))
-(allow appdomain anr_data_file_28_0 (file (append open)))
-(allow appdomain tombstoned_java_trace_socket_28_0 (sock_file (write)))
-(allow appdomain tombstoned_28_0 (unix_stream_socket (connectto)))
-(allow appdomain tombstoned_28_0 (fd (use)))
-(allow appdomain dumpstate_28_0 (fifo_file (append)))
-(allow appdomain incidentd_28_0 (fifo_file (append)))
-(allow appdomain dumpstate_28_0 (fd (use)))
-(allow appdomain dumpstate_28_0 (unix_stream_socket (read write getattr getopt shutdown)))
-(allow appdomain dumpstate_28_0 (fifo_file (write getattr)))
-(allow appdomain shell_data_file_28_0 (file (write getattr)))
-(allow appdomain incidentd_28_0 (fd (use)))
-(allow appdomain incidentd_28_0 (fifo_file (write getattr)))
-(allow appdomain user_profile_data_file_28_0 (dir (write add_name search)))
-(allow appdomain user_profile_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow appdomain heapdump_data_file_28_0 (file (append)))
-(allow platform_app_28_0 qtaguid_proc_28_0 (file (ioctl read write getattr lock append map open)))
-(allow priv_app_28_0 qtaguid_proc_28_0 (file (ioctl read write getattr lock append map open)))
-(allow shell_28_0 qtaguid_proc_28_0 (file (ioctl read write getattr lock append map open)))
-(allow system_app_28_0 qtaguid_proc_28_0 (file (ioctl read write getattr lock append map open)))
-(allow untrusted_app_27_28_0 qtaguid_proc_28_0 (file (ioctl read write getattr lock append map open)))
-(allow untrusted_app_25_28_0 qtaguid_proc_28_0 (file (ioctl read write getattr lock append map open)))
-(allow base_typeattr_46_28_0 proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_46_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow base_typeattr_46_28_0 proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow platform_app_28_0 proc_qtaguid_stat_28_0 (dir (ioctl read getattr lock search open)))
-(allow priv_app_28_0 proc_qtaguid_stat_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 proc_qtaguid_stat_28_0 (dir (ioctl read getattr lock search open)))
-(allow system_app_28_0 proc_qtaguid_stat_28_0 (dir (ioctl read getattr lock search open)))
-(allow untrusted_app_27_28_0 proc_qtaguid_stat_28_0 (dir (ioctl read getattr lock search open)))
-(allow untrusted_app_25_28_0 proc_qtaguid_stat_28_0 (dir (ioctl read getattr lock search open)))
-(allow platform_app_28_0 proc_qtaguid_stat_28_0 (file (ioctl read getattr lock map open)))
-(allow platform_app_28_0 proc_qtaguid_stat_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow priv_app_28_0 proc_qtaguid_stat_28_0 (file (ioctl read getattr lock map open)))
-(allow priv_app_28_0 proc_qtaguid_stat_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_qtaguid_stat_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_qtaguid_stat_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow system_app_28_0 proc_qtaguid_stat_28_0 (file (ioctl read getattr lock map open)))
-(allow system_app_28_0 proc_qtaguid_stat_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow untrusted_app_27_28_0 proc_qtaguid_stat_28_0 (file (ioctl read getattr lock map open)))
-(allow untrusted_app_27_28_0 proc_qtaguid_stat_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow untrusted_app_25_28_0 proc_qtaguid_stat_28_0 (file (ioctl read getattr lock map open)))
-(allow untrusted_app_25_28_0 proc_qtaguid_stat_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow platform_app_28_0 qtaguid_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow priv_app_28_0 qtaguid_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow shell_28_0 qtaguid_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow system_app_28_0 qtaguid_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow untrusted_app_27_28_0 qtaguid_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow untrusted_app_25_28_0 qtaguid_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow base_typeattr_43_28_0 gpu_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow appdomain servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 appdomain (dir (search)))
-(allow servicemanager_28_0 appdomain (file (read open)))
-(allow servicemanager_28_0 appdomain (process (getattr)))
-(allow appdomain binderservicedomain (binder (call transfer)))
-(allow binderservicedomain appdomain (binder (transfer)))
-(allow appdomain binderservicedomain (fd (use)))
-(allow appdomain appdomain (binder (call transfer)))
-(allow appdomain appdomain (binder (transfer)))
-(allow appdomain appdomain (fd (use)))
-(allow appdomain ephemeral_app_28_0 (binder (call transfer)))
-(allow ephemeral_app_28_0 appdomain (binder (transfer)))
-(allow appdomain ephemeral_app_28_0 (fd (use)))
-(allow base_typeattr_43_28_0 hwservicemanager_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 base_typeattr_43_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 base_typeattr_43_28_0 (dir (search)))
-(allow hwservicemanager_28_0 base_typeattr_43_28_0 (file (read open)))
-(allow hwservicemanager_28_0 base_typeattr_43_28_0 (process (getattr)))
-(allow base_typeattr_43_28_0 hal_codec2_hwservice_28_0 (hwservice_manager (find)))
-(allow base_typeattr_43_28_0 hal_omx_hwservice_28_0 (hwservice_manager (find)))
-(allow base_typeattr_43_28_0 hidl_token_hwservice_28_0 (hwservice_manager (find)))
-(allow appdomain hal_graphics_composer (fd (use)))
-(allow appdomain appdomain (unix_stream_socket (read write getattr getopt shutdown)))
-(allow appdomain backup_data_file_28_0 (file (read write getattr)))
-(allow appdomain cache_backup_file_28_0 (file (read write getattr)))
-(allow appdomain cache_backup_file_28_0 (dir (getattr)))
-(allow appdomain system_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow appdomain system_data_file_28_0 (file (read getattr)))
-(allow base_typeattr_43_28_0 media_rw_data_file_28_0 (file (read getattr)))
-(allow base_typeattr_43_28_0 radio_data_file_28_0 (file (read write getattr)))
-(allow base_typeattr_46_28_0 storage_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_46_28_0 storage_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow base_typeattr_46_28_0 mnt_user_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_46_28_0 mnt_user_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow base_typeattr_46_28_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow base_typeattr_46_28_0 sdcard_type (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow base_typeattr_46_28_0 media_rw_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow base_typeattr_46_28_0 media_rw_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow base_typeattr_46_28_0 usb_device_28_0 (chr_file (ioctl read write getattr)))
-(allow base_typeattr_46_28_0 usbaccessory_device_28_0 (chr_file (read write getattr)))
-(allow appdomain dalvikcache_data_file_28_0 (file (execute)))
-(allow appdomain dalvikcache_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow appdomain shared_relro_file_28_0 (dir (search)))
-(allow appdomain shared_relro_file_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain apk_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow appdomain apk_data_file_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow appdomain resourcecache_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain resourcecache_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow appdomain logcat_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow appdomain logdr_socket_28_0 (sock_file (write)))
-(allow appdomain logd_28_0 (unix_stream_socket (connectto)))
-(allow base_typeattr_47_28_0 logd_socket_28_0 (sock_file (write)))
-(allow base_typeattr_47_28_0 logd_28_0 (unix_stream_socket (connectto)))
-(allow appdomain zygote_28_0 (unix_dgram_socket (write)))
-(allow base_typeattr_46_28_0 keystore_28_0 (keystore_key (get_state get insert delete exist list sign verify)))
-(allow keystore_28_0 base_typeattr_46_28_0 (dir (search)))
-(allow keystore_28_0 base_typeattr_46_28_0 (file (read open)))
-(allow keystore_28_0 base_typeattr_46_28_0 (process (getattr)))
-(allow base_typeattr_46_28_0 keystore_service_28_0 (service_manager (find)))
-(allow base_typeattr_46_28_0 keystore_28_0 (binder (call transfer)))
-(allow keystore_28_0 base_typeattr_46_28_0 (binder (transfer)))
-(allow base_typeattr_46_28_0 keystore_28_0 (fd (use)))
-(allow keystore_28_0 base_typeattr_46_28_0 (binder (call transfer)))
-(allow base_typeattr_46_28_0 keystore_28_0 (binder (transfer)))
-(allow keystore_28_0 base_typeattr_46_28_0 (fd (use)))
-(allow appdomain console_device_28_0 (chr_file (read write)))
-(allowx base_typeattr_48_28_0 self (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx base_typeattr_48_28_0 self (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx base_typeattr_48_28_0 self (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx base_typeattr_48_28_0 self (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx base_typeattr_48_28_0 self (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx base_typeattr_48_28_0 self (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx base_typeattr_48_28_0 self (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx base_typeattr_48_28_0 self (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx base_typeattr_48_28_0 self (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allow base_typeattr_43_28_0 ion_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(auditallow base_typeattr_49_28_0 ion_device_28_0 (chr_file (write append)))
-(allow base_typeattr_43_28_0 hwservicemanager_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow base_typeattr_43_28_0 mediacodec_28_0 (binder (call transfer)))
-(allow mediacodec_28_0 base_typeattr_43_28_0 (binder (transfer)))
-(allow base_typeattr_43_28_0 mediacodec_28_0 (fd (use)))
-(allow base_typeattr_43_28_0 hal_audio (fd (use)))
-(allow base_typeattr_43_28_0 hal_camera (fd (use)))
-(allow base_typeattr_43_28_0 hal_renderscript_hwservice_28_0 (hwservice_manager (find)))
-(allow appdomain proc_meminfo_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain app_fuse_file_28_0 (file (read write getattr append)))
-(allow base_typeattr_46_28_0 pdx_display_client_endpoint_dir_type (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_46_28_0 pdx_display_client_endpoint_socket_type (sock_file (ioctl read write getattr lock append map open)))
-(allow base_typeattr_46_28_0 pdx_display_client_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
-(allow base_typeattr_46_28_0 pdx_display_client_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
-(allow base_typeattr_46_28_0 pdx_display_client_server_type (fd (use)))
-(allow pdx_display_client_server_type base_typeattr_46_28_0 (fd (use)))
-(allow base_typeattr_46_28_0 pdx_display_manager_endpoint_dir_type (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_46_28_0 pdx_display_manager_endpoint_socket_type (sock_file (ioctl read write getattr lock append map open)))
-(allow base_typeattr_46_28_0 pdx_display_manager_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
-(allow base_typeattr_46_28_0 pdx_display_manager_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
-(allow base_typeattr_46_28_0 pdx_display_manager_server_type (fd (use)))
-(allow pdx_display_manager_server_type base_typeattr_46_28_0 (fd (use)))
-(allow base_typeattr_46_28_0 pdx_display_vsync_endpoint_dir_type (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_46_28_0 pdx_display_vsync_endpoint_socket_type (sock_file (ioctl read write getattr lock append map open)))
-(allow base_typeattr_46_28_0 pdx_display_vsync_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
-(allow base_typeattr_46_28_0 pdx_display_vsync_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
-(allow base_typeattr_46_28_0 pdx_display_vsync_server_type (fd (use)))
-(allow pdx_display_vsync_server_type base_typeattr_46_28_0 (fd (use)))
-(allow base_typeattr_46_28_0 pdx_performance_client_endpoint_dir_type (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_46_28_0 pdx_performance_client_endpoint_socket_type (sock_file (ioctl read write getattr lock append map open)))
-(allow base_typeattr_46_28_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
-(allow base_typeattr_46_28_0 pdx_performance_client_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
-(allow base_typeattr_46_28_0 pdx_performance_client_server_type (fd (use)))
-(allow pdx_performance_client_server_type base_typeattr_46_28_0 (fd (use)))
-(allow base_typeattr_46_28_0 pdx_bufferhub_client_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
-(allow base_typeattr_46_28_0 pdx_bufferhub_client_server_type (fd (use)))
-(allow pdx_bufferhub_client_server_type base_typeattr_46_28_0 (fd (use)))
-(allow appdomain runas_exec_28_0 (file (getattr)))
-(allow base_typeattr_46_28_0 tun_device_28_0 (chr_file (ioctl read write getattr append)))
-(allow appdomain adbd_28_0 (unix_stream_socket (connectto)))
-(allow appdomain adbd_28_0 (fd (use)))
-(allow appdomain adbd_28_0 (unix_stream_socket (ioctl read write getattr getopt shutdown)))
-(allow appdomain cache_file_28_0 (dir (getattr)))
-(neverallow base_typeattr_48_28_0 self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(neverallow base_typeattr_48_28_0 self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(neverallow base_typeattr_48_28_0 self (cap_userns (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(neverallow base_typeattr_48_28_0 self (cap2_userns (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(neverallow appdomain dev_type (blk_file (read write)))
-(neverallow appdomain audio_device_28_0 (chr_file (read write)))
-(neverallow appdomain camera_device_28_0 (chr_file (read write)))
-(neverallow appdomain dm_device_28_0 (chr_file (read write)))
-(neverallow appdomain radio_device_28_0 (chr_file (read write)))
-(neverallow appdomain video_device_28_0 (chr_file (read write)))
-(neverallow appdomain rpmsg_device_28_0 (chr_file (read write)))
-(neverallow isolated_app_28_0 graphics_device_28_0 (chr_file (read write)))
-(neverallow shell_28_0 graphics_device_28_0 (chr_file (read write)))
-(neverallow untrusted_app_28_0 graphics_device_28_0 (chr_file (read write)))
-(neverallow base_typeattr_50_28_0 nfc_device_28_0 (chr_file (read write)))
-(neverallow base_typeattr_48_28_0 hci_attach_dev_28_0 (chr_file (read write)))
-(neverallow appdomain tee_device_28_0 (chr_file (read write)))
-(neverallow appdomain domain (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(neverallow appdomain domain (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow appdomain domain (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(neverallow appdomain domain (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
-(neverallow appdomain domain (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow appdomain domain (netlink_kobject_uevent_socket (write append)))
-(neverallow appdomain socket_device_28_0 (sock_file (write)))
-(neverallow appdomain adbd_socket_28_0 (sock_file (write)))
-(neverallow base_typeattr_51_28_0 rild_socket_28_0 (sock_file (write)))
-(neverallow appdomain zygote_socket_28_0 (sock_file (write)))
-(neverallow appdomain base_typeattr_52_28_0 (process (ptrace)))
-(neverallow appdomain base_typeattr_52_28_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_53_28_0 base_typeattr_52_28_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow appdomain base_typeattr_52_28_0 (process (sigkill sigstop signal)))
-(neverallow base_typeattr_54_28_0 base_typeattr_55_28_0 (process (transition)))
-(neverallow base_typeattr_54_28_0 base_typeattr_52_28_0 (process (dyntransition)))
-(neverallow appdomain rootfs_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain rootfs_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain rootfs_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain rootfs_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain rootfs_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain rootfs_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain rootfs_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain exec_type (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_data_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_data_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_data_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_data_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_data_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_data_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain system_data_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain drm_data_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain drm_data_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain drm_data_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain drm_data_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain drm_data_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain drm_data_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain drm_data_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_data_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_data_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_data_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_data_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_data_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_data_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_data_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_tmp_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_tmp_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_tmp_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_tmp_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_tmp_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_tmp_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_tmp_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_data_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_data_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_data_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_data_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_data_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_data_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_data_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_tmp_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_tmp_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_tmp_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_tmp_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_tmp_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_tmp_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_56_28_0 apk_private_tmp_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_53_28_0 shell_data_file_28_0 (file (create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_53_28_0 shell_data_file_28_0 (dir (create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_53_28_0 shell_data_file_28_0 (lnk_file (create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_53_28_0 shell_data_file_28_0 (chr_file (create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_53_28_0 shell_data_file_28_0 (blk_file (create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_53_28_0 shell_data_file_28_0 (sock_file (create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_53_28_0 shell_data_file_28_0 (fifo_file (create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_48_28_0 bluetooth_data_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_48_28_0 bluetooth_data_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_48_28_0 bluetooth_data_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_48_28_0 bluetooth_data_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_48_28_0 bluetooth_data_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_48_28_0 bluetooth_data_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_48_28_0 bluetooth_data_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain keystore_data_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain keystore_data_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain keystore_data_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain keystore_data_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain keystore_data_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain keystore_data_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain keystore_data_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain systemkeys_data_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain systemkeys_data_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain systemkeys_data_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain systemkeys_data_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain systemkeys_data_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain systemkeys_data_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain systemkeys_data_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain wifi_data_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain wifi_data_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain wifi_data_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain wifi_data_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain wifi_data_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain wifi_data_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain wifi_data_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain dhcp_data_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain dhcp_data_file_28_0 (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain dhcp_data_file_28_0 (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain dhcp_data_file_28_0 (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain dhcp_data_file_28_0 (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain dhcp_data_file_28_0 (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow appdomain dhcp_data_file_28_0 (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_57_28_0 apk_tmp_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_57_28_0 apk_tmp_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow base_typeattr_57_28_0 apk_tmp_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_57_28_0 apk_tmp_file_28_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_57_28_0 apk_tmp_file_28_0 (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_57_28_0 apk_tmp_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_57_28_0 apk_tmp_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_57_28_0 apk_private_tmp_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_57_28_0 apk_private_tmp_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow base_typeattr_57_28_0 apk_private_tmp_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_57_28_0 apk_private_tmp_file_28_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_57_28_0 apk_private_tmp_file_28_0 (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_57_28_0 apk_private_tmp_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_57_28_0 apk_private_tmp_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow untrusted_app_all apk_tmp_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow untrusted_app_all apk_tmp_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow untrusted_app_all apk_tmp_file_28_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow untrusted_app_all apk_tmp_file_28_0 (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow untrusted_app_all apk_tmp_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow untrusted_app_all apk_tmp_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow untrusted_app_all apk_private_tmp_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow untrusted_app_all apk_private_tmp_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow untrusted_app_all apk_private_tmp_file_28_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow untrusted_app_all apk_private_tmp_file_28_0 (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow untrusted_app_all apk_private_tmp_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow untrusted_app_all apk_private_tmp_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow untrusted_app_all apk_tmp_file_28_0 (file (ioctl write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow untrusted_app_all apk_private_tmp_file_28_0 (file (ioctl write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow appdomain efs_file_28_0 (file (write)))
-(neverallow appdomain efs_file_28_0 (dir (write)))
-(neverallow appdomain efs_file_28_0 (lnk_file (write)))
-(neverallow appdomain efs_file_28_0 (chr_file (write)))
-(neverallow appdomain efs_file_28_0 (blk_file (write)))
-(neverallow appdomain efs_file_28_0 (sock_file (write)))
-(neverallow appdomain efs_file_28_0 (fifo_file (write)))
-(neverallow base_typeattr_53_28_0 efs_file_28_0 (file (read)))
-(neverallow base_typeattr_53_28_0 efs_file_28_0 (dir (read)))
-(neverallow base_typeattr_53_28_0 efs_file_28_0 (lnk_file (read)))
-(neverallow base_typeattr_53_28_0 efs_file_28_0 (chr_file (read)))
-(neverallow base_typeattr_53_28_0 efs_file_28_0 (blk_file (read)))
-(neverallow base_typeattr_53_28_0 efs_file_28_0 (sock_file (read)))
-(neverallow base_typeattr_53_28_0 efs_file_28_0 (fifo_file (read)))
-(neverallow base_typeattr_58_28_0 sysfs_28_0 (file (write)))
-(neverallow base_typeattr_58_28_0 sysfs_28_0 (dir (write)))
-(neverallow base_typeattr_58_28_0 sysfs_28_0 (lnk_file (write)))
-(neverallow base_typeattr_58_28_0 sysfs_28_0 (chr_file (write)))
-(neverallow base_typeattr_58_28_0 sysfs_28_0 (blk_file (write)))
-(neverallow base_typeattr_58_28_0 sysfs_28_0 (sock_file (write)))
-(neverallow base_typeattr_58_28_0 sysfs_28_0 (fifo_file (write)))
-(neverallow appdomain proc_28_0 (file (write)))
-(neverallow appdomain proc_28_0 (dir (write)))
-(neverallow appdomain proc_28_0 (lnk_file (write)))
-(neverallow appdomain proc_28_0 (chr_file (write)))
-(neverallow appdomain proc_28_0 (blk_file (write)))
-(neverallow appdomain proc_28_0 (sock_file (write)))
-(neverallow appdomain proc_28_0 (fifo_file (write)))
-(neverallow appdomain kernel_28_0 (system (syslog_read syslog_mod syslog_console)))
-(neverallow base_typeattr_53_28_0 base_typeattr_59_28_0 (security (compute_av check_context)))
-(neverallow base_typeattr_53_28_0 base_typeattr_59_28_0 (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow appdomain fs_type (filesystem (mount remount unmount relabelfrom relabelto associate quotamod quotaget)))
-(neverallow appdomain dev_type (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow appdomain rootfs_28_0 (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow appdomain tmpfs_28_0 (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow appdomain system_file_28_0 (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow appdomain apk_data_file_28_0 (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow appdomain cache_file_28_0 (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow appdomain cache_recovery_file_28_0 (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow bluetooth_28_0 base_typeattr_60_28_0 (file (execute execute_no_trans)))
-(neverallow isolated_app_28_0 base_typeattr_60_28_0 (file (execute execute_no_trans)))
-(neverallow nfc_28_0 base_typeattr_60_28_0 (file (execute execute_no_trans)))
-(neverallow radio_28_0 base_typeattr_60_28_0 (file (execute execute_no_trans)))
-(neverallow shared_relro_28_0 base_typeattr_60_28_0 (file (execute execute_no_trans)))
-(neverallow system_app_28_0 base_typeattr_60_28_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_53_28_0 input_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_61_28_0 bluetooth_a2dp_offload_prop_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(neverallow base_typeattr_61_28_0 bluetooth_prop_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(neverallow base_typeattr_61_28_0 exported_bluetooth_prop_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(neverallow appdomain proc_uid_time_in_state_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow appdomain proc_uid_concurrent_active_time_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow appdomain proc_uid_concurrent_policy_time_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow appdomain proc_uid_cpupower_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow bootanim_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 bootanim_28_0 (dir (search)))
-(allow servicemanager_28_0 bootanim_28_0 (file (read open)))
-(allow servicemanager_28_0 bootanim_28_0 (process (getattr)))
-(allow bootanim_28_0 surfaceflinger_28_0 (binder (call transfer)))
-(allow surfaceflinger_28_0 bootanim_28_0 (binder (transfer)))
-(allow bootanim_28_0 surfaceflinger_28_0 (fd (use)))
-(allow bootanim_28_0 audioserver_28_0 (binder (call transfer)))
-(allow audioserver_28_0 bootanim_28_0 (binder (transfer)))
-(allow bootanim_28_0 audioserver_28_0 (fd (use)))
-(allow bootanim_28_0 hwservicemanager_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 bootanim_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 bootanim_28_0 (dir (search)))
-(allow hwservicemanager_28_0 bootanim_28_0 (file (read open)))
-(allow hwservicemanager_28_0 bootanim_28_0 (process (getattr)))
-(allow bootanim_28_0 gpu_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow bootanim_28_0 oemfs_28_0 (dir (search)))
-(allow bootanim_28_0 oemfs_28_0 (file (ioctl read getattr lock map open)))
-(allow bootanim_28_0 audio_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow bootanim_28_0 audio_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow bootanim_28_0 audioserver_service_28_0 (service_manager (find)))
-(allow bootanim_28_0 surfaceflinger_service_28_0 (service_manager (find)))
-(allow bootanim_28_0 ion_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow bootanim_28_0 hal_graphics_allocator (fd (use)))
-(allow bootanim_28_0 hal_graphics_composer (fd (use)))
-(allow bootanim_28_0 proc_meminfo_28_0 (file (ioctl read getattr lock map open)))
-(allow bootanim_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow bootanim_28_0 bootloader_boot_reason_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow bootstat_28_0 runtime_event_log_tags_file_28_0 (file (ioctl read getattr lock map open)))
-(allow bootstat_28_0 bootstat_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow bootstat_28_0 bootstat_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow bootstat_28_0 boottime_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow bootstat_28_0 property_socket_28_0 (sock_file (write)))
-(allow bootstat_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow bootstat_28_0 bootloader_boot_reason_prop_28_0 (property_service (set)))
-(allow bootstat_28_0 bootloader_boot_reason_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow bootstat_28_0 property_socket_28_0 (sock_file (write)))
-(allow bootstat_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow bootstat_28_0 system_boot_reason_prop_28_0 (property_service (set)))
-(allow bootstat_28_0 system_boot_reason_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow bootstat_28_0 property_socket_28_0 (sock_file (write)))
-(allow bootstat_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow bootstat_28_0 last_boot_reason_prop_28_0 (property_service (set)))
-(allow bootstat_28_0 last_boot_reason_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow bootstat_28_0 pstorefs_28_0 (dir (search)))
-(allow bootstat_28_0 pstorefs_28_0 (file (ioctl read getattr lock map open)))
-(allow bootstat_28_0 kernel_28_0 (system (syslog_read)))
-(allow bootstat_28_0 logcat_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow bootstat_28_0 logdr_socket_28_0 (sock_file (write)))
-(allow bootstat_28_0 logd_28_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_62_28_0 bootloader_boot_reason_prop_28_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_62_28_0 last_boot_reason_prop_28_0 (file (ioctl read getattr lock map open)))
-(neverallow bootanim_28_0 last_boot_reason_prop_28_0 (file (ioctl read getattr lock map open)))
-(neverallow recovery_28_0 last_boot_reason_prop_28_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_63_28_0 bootloader_boot_reason_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_63_28_0 last_boot_reason_prop_28_0 (property_service (set)))
-(neverallow system_server_28_0 bootloader_boot_reason_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_64_28_0 system_boot_reason_prop_28_0 (property_service (set)))
-(allow init_28_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (create bind)))
-(allow bufferhubd_28_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (read write getattr setattr lock append listen accept getopt setopt shutdown)))
-(allow bufferhubd_28_0 self (process (setsockcreate)))
-(allow bufferhubd_28_0 pdx_bufferhub_client_channel_socket_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
-(neverallow base_typeattr_65_28_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (listen accept)))
-(allow bufferhubd_28_0 pdx_performance_client_endpoint_dir_type (dir (ioctl read getattr lock search open)))
-(allow bufferhubd_28_0 pdx_performance_client_endpoint_socket_type (sock_file (ioctl read write getattr lock append map open)))
-(allow bufferhubd_28_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
-(allow bufferhubd_28_0 pdx_performance_client_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
-(allow bufferhubd_28_0 pdx_performance_client_server_type (fd (use)))
-(allow pdx_performance_client_server_type bufferhubd_28_0 (fd (use)))
-(allow bufferhubd_28_0 gpu_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow bufferhubd_28_0 ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow bufferhubd_28_0 mediacodec_28_0 (fd (use)))
-(allow cameraserver_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 cameraserver_28_0 (dir (search)))
-(allow servicemanager_28_0 cameraserver_28_0 (file (read open)))
-(allow servicemanager_28_0 cameraserver_28_0 (process (getattr)))
-(allow cameraserver_28_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain cameraserver_28_0 (binder (transfer)))
-(allow cameraserver_28_0 binderservicedomain (fd (use)))
-(allow cameraserver_28_0 appdomain (binder (call transfer)))
-(allow appdomain cameraserver_28_0 (binder (transfer)))
-(allow cameraserver_28_0 appdomain (fd (use)))
-(allow cameraserver_28_0 ion_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow cameraserver_28_0 hal_graphics_composer (fd (use)))
-(allow cameraserver_28_0 cameraserver_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_66_28_0 cameraserver_service_28_0 (service_manager (add)))
-(allow cameraserver_28_0 activity_service_28_0 (service_manager (find)))
-(allow cameraserver_28_0 appops_service_28_0 (service_manager (find)))
-(allow cameraserver_28_0 audioserver_service_28_0 (service_manager (find)))
-(allow cameraserver_28_0 batterystats_service_28_0 (service_manager (find)))
-(allow cameraserver_28_0 cameraproxy_service_28_0 (service_manager (find)))
-(allow cameraserver_28_0 mediaserver_service_28_0 (service_manager (find)))
-(allow cameraserver_28_0 processinfo_service_28_0 (service_manager (find)))
-(allow cameraserver_28_0 scheduling_policy_service_28_0 (service_manager (find)))
-(allow cameraserver_28_0 surfaceflinger_service_28_0 (service_manager (find)))
-(allow cameraserver_28_0 hidl_token_hwservice_28_0 (hwservice_manager (find)))
-(neverallow cameraserver_28_0 fs_type (file (execute_no_trans)))
-(neverallow cameraserver_28_0 file_type (file (execute_no_trans)))
-(neverallow cameraserver_28_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow cameraserver_28_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow cameraserver_28_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow cameraserver_28_0 adbd_28_0 (fd (use)))
-(allow cameraserver_28_0 adbd_28_0 (unix_stream_socket (read write)))
-(allow cameraserver_28_0 shell_28_0 (fd (use)))
-(allow cameraserver_28_0 shell_28_0 (unix_stream_socket (read write)))
-(allow cameraserver_28_0 shell_28_0 (fifo_file (read write)))
-(allow cameraserver_28_0 su_28_0 (fd (use)))
-(allow cameraserver_28_0 su_28_0 (fifo_file (read write)))
-(allow cameraserver_28_0 su_28_0 (unix_stream_socket (read write)))
-(allow charger_28_0 kmsg_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow charger_28_0 rootfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow charger_28_0 rootfs_28_0 (file (ioctl read getattr lock map open)))
-(allow charger_28_0 rootfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow charger_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow charger_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow charger_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow charger_28_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow charger_28_0 self (capability (sys_tty_config)))
-(allow charger_28_0 self (cap_userns (sys_tty_config)))
-(allow charger_28_0 self (capability (sys_boot)))
-(allow charger_28_0 self (cap_userns (sys_boot)))
-(allow charger_28_0 sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow charger_28_0 self (capability2 (block_suspend)))
-(allow charger_28_0 self (cap2_userns (block_suspend)))
-(allow charger_28_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow charger_28_0 sysfs_power_28_0 (file (ioctl read write getattr lock append map open)))
-(allow charger_28_0 sysfs_batteryinfo_28_0 (dir (ioctl read getattr lock search open)))
-(allow charger_28_0 sysfs_batteryinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow charger_28_0 sysfs_batteryinfo_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow charger_28_0 pstorefs_28_0 (dir (ioctl read getattr lock search open)))
-(allow charger_28_0 pstorefs_28_0 (file (ioctl read getattr lock map open)))
-(allow charger_28_0 graphics_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow charger_28_0 graphics_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow charger_28_0 input_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow charger_28_0 input_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow charger_28_0 tty_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow charger_28_0 proc_sysrq_28_0 (file (ioctl read write getattr lock append map open)))
-(allow charger_28_0 property_socket_28_0 (sock_file (write)))
-(allow charger_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow charger_28_0 system_prop_28_0 (property_service (set)))
-(allow charger_28_0 system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow charger_28_0 property_socket_28_0 (sock_file (write)))
-(allow charger_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow charger_28_0 exported_system_prop_28_0 (property_service (set)))
-(allow charger_28_0 exported_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow charger_28_0 property_socket_28_0 (sock_file (write)))
-(allow charger_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow charger_28_0 exported2_system_prop_28_0 (property_service (set)))
-(allow charger_28_0 exported2_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow charger_28_0 property_socket_28_0 (sock_file (write)))
-(allow charger_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow charger_28_0 exported3_system_prop_28_0 (property_service (set)))
-(allow charger_28_0 exported3_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow clatd_28_0 proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow clatd_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow clatd_28_0 proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow clatd_28_0 netd_28_0 (fd (use)))
-(allow clatd_28_0 netd_28_0 (fifo_file (read write)))
-(allow clatd_28_0 netd_28_0 (netlink_kobject_uevent_socket (read write)))
-(allow clatd_28_0 netd_28_0 (netlink_nflog_socket (read write)))
-(allow clatd_28_0 netd_28_0 (netlink_route_socket (read write)))
-(allow clatd_28_0 netd_28_0 (udp_socket (read write)))
-(allow clatd_28_0 netd_28_0 (unix_stream_socket (read write)))
-(allow clatd_28_0 netd_28_0 (unix_dgram_socket (read write)))
-(allow clatd_28_0 self (capability (setgid setuid net_admin net_raw)))
-(allow clatd_28_0 self (cap_userns (setgid setuid net_admin net_raw)))
-(allow clatd_28_0 self (capability (ipc_lock)))
-(allow clatd_28_0 self (cap_userns (ipc_lock)))
-(allow clatd_28_0 self (netlink_route_socket (nlmsg_write)))
-(allow clatd_28_0 self (rawip_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow clatd_28_0 self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow clatd_28_0 self (tun_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow clatd_28_0 tun_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow cppreopts_28_0 dalvikcache_data_file_28_0 (dir (write add_name remove_name search)))
-(allow cppreopts_28_0 dalvikcache_data_file_28_0 (file (read write create getattr unlink rename open)))
-(allow cppreopts_28_0 shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow cppreopts_28_0 system_file_28_0 (dir (read open)))
-(allow cppreopts_28_0 toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow crash_dump_28_0 base_typeattr_67_28_0 (process (sigchld sigkill sigstop signal ptrace)))
-(dontaudit crash_dump_28_0 self (capability (sys_ptrace)))
-(dontaudit crash_dump_28_0 self (cap_userns (sys_ptrace)))
-(allow crash_dump_28_0 logd_28_0 (process (sigchld sigkill sigstop signal ptrace)))
-(allow crash_dump_28_0 kmsg_debug_device_28_0 (chr_file (append open)))
-(allow crash_dump_28_0 domain (fd (use)))
-(allow crash_dump_28_0 domain (fifo_file (read write)))
-(allow crash_dump_28_0 domain (fifo_file (append)))
-(allow crash_dump_28_0 domain (dir (ioctl read getattr lock search open)))
-(allow crash_dump_28_0 domain (file (ioctl read getattr lock map open)))
-(allow crash_dump_28_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow crash_dump_28_0 exec_type (file (ioctl read getattr lock map open)))
-(allow crash_dump_28_0 dalvikcache_data_file_28_0 (dir (getattr search)))
-(allow crash_dump_28_0 dalvikcache_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow crash_dump_28_0 apk_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow crash_dump_28_0 apk_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow crash_dump_28_0 apk_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow crash_dump_28_0 vendor_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow crash_dump_28_0 same_process_hal_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow crash_dump_28_0 vendor_file_28_0 (file (ioctl read getattr lock map open)))
-(allow crash_dump_28_0 vendor_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow crash_dump_28_0 same_process_hal_file_28_0 (file (ioctl read getattr lock map open)))
-(allow crash_dump_28_0 same_process_hal_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow crash_dump_28_0 tombstoned_crash_socket_28_0 (sock_file (write)))
-(allow crash_dump_28_0 tombstoned_28_0 (unix_stream_socket (connectto)))
-(allow crash_dump_28_0 system_ndebug_socket_28_0 (sock_file (write)))
-(allow crash_dump_28_0 system_server_28_0 (unix_stream_socket (connectto)))
-(allow crash_dump_28_0 anr_data_file_28_0 (file (getattr append)))
-(allow crash_dump_28_0 tombstone_data_file_28_0 (file (getattr append)))
-(allow crash_dump_28_0 logcat_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow crash_dump_28_0 logdr_socket_28_0 (sock_file (write)))
-(allow crash_dump_28_0 logd_28_0 (unix_stream_socket (connectto)))
-(dontaudit crash_dump_28_0 core_data_file_type (dir (search)))
-(dontaudit crash_dump_28_0 vendor_file_type (dir (search)))
-(dontaudit crash_dump_28_0 system_data_file_28_0 (file (read)))
-(neverallow domain crash_dump_exec_28_0 (file (execute_no_trans)))
-(allow dex2oat_28_0 apk_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow dex2oat_28_0 apk_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dex2oat_28_0 apk_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dex2oat_28_0 vendor_app_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow dex2oat_28_0 vendor_app_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dex2oat_28_0 vendor_app_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dex2oat_28_0 vendor_framework_file_28_0 (dir (getattr search)))
-(allow dex2oat_28_0 vendor_framework_file_28_0 (file (read getattr open)))
-(allow dex2oat_28_0 tmpfs_28_0 (file (read getattr)))
-(allow dex2oat_28_0 dalvikcache_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow dex2oat_28_0 dalvikcache_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dex2oat_28_0 dalvikcache_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dex2oat_28_0 dalvikcache_data_file_28_0 (file (write)))
-(allow dex2oat_28_0 dalvikcache_data_file_28_0 (lnk_file (read)))
-(allow dex2oat_28_0 installd_28_0 (fd (use)))
-(allow dex2oat_28_0 system_file_28_0 (file (lock)))
-(allow dex2oat_28_0 asec_apk_file_28_0 (file (read)))
-(allow dex2oat_28_0 unlabeled_28_0 (file (read)))
-(allow dex2oat_28_0 oemfs_28_0 (file (read)))
-(allow dex2oat_28_0 apk_tmp_file_28_0 (dir (search)))
-(allow dex2oat_28_0 apk_tmp_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dex2oat_28_0 user_profile_data_file_28_0 (file (read getattr lock)))
-(allow dex2oat_28_0 app_data_file_28_0 (file (read write getattr lock)))
-(allow dex2oat_28_0 postinstall_dexopt_28_0 (fd (use)))
-(allow dex2oat_28_0 postinstall_file_28_0 (dir (getattr search)))
-(allow dex2oat_28_0 postinstall_file_28_0 (filesystem (getattr)))
-(allow dex2oat_28_0 postinstall_file_28_0 (lnk_file (read getattr)))
-(allow dex2oat_28_0 ota_data_file_28_0 (dir (ioctl read write getattr lock add_name search open)))
-(allow dex2oat_28_0 ota_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dex2oat_28_0 ota_data_file_28_0 (lnk_file (read create)))
-(allow dex2oat_28_0 ota_data_file_28_0 (file (write create setattr lock append map open)))
-(neverallow dex2oat_28_0 app_data_file_28_0 (file (open)))
-(neverallow dex2oat_28_0 app_data_file_28_0 (lnk_file (open)))
-(neverallow dex2oat_28_0 app_data_file_28_0 (sock_file (open)))
-(neverallow dex2oat_28_0 app_data_file_28_0 (fifo_file (open)))
-(allow dhcp_28_0 cgroup_28_0 (dir (write create add_name)))
-(allow dhcp_28_0 self (capability (setgid setuid net_bind_service net_admin net_raw)))
-(allow dhcp_28_0 self (cap_userns (setgid setuid net_bind_service net_admin net_raw)))
-(allow dhcp_28_0 self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow dhcp_28_0 self (netlink_route_socket (nlmsg_write)))
-(allow dhcp_28_0 shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dhcp_28_0 system_file_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dhcp_28_0 toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dhcp_28_0 proc_net_28_0 (file (write)))
-(allow dhcp_28_0 property_socket_28_0 (sock_file (write)))
-(allow dhcp_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow dhcp_28_0 dhcp_prop_28_0 (property_service (set)))
-(allow dhcp_28_0 dhcp_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow dhcp_28_0 property_socket_28_0 (sock_file (write)))
-(allow dhcp_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow dhcp_28_0 pan_result_prop_28_0 (property_service (set)))
-(allow dhcp_28_0 pan_result_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow dhcp_28_0 dhcp_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow dhcp_28_0 dhcp_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow dhcp_28_0 netd_28_0 (fd (use)))
-(allow dhcp_28_0 netd_28_0 (fifo_file (ioctl read write getattr lock append map open)))
-(allow dhcp_28_0 netd_28_0 (udp_socket (read write)))
-(allow dhcp_28_0 netd_28_0 (unix_stream_socket (read write)))
-(allow dhcp_28_0 netd_28_0 (unix_dgram_socket (read write)))
-(allow dhcp_28_0 netd_28_0 (netlink_route_socket (read write)))
-(allow dhcp_28_0 netd_28_0 (netlink_nflog_socket (read write)))
-(allow dhcp_28_0 netd_28_0 (netlink_kobject_uevent_socket (read write)))
-(allow display_service_server fwk_display_hwservice_28_0 (hwservice_manager (add find)))
-(allow display_service_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_68_28_0 fwk_display_hwservice_28_0 (hwservice_manager (add)))
-(allowx dnsmasq_28_0 self (ioctl udp_socket (0x6900 0x6902)))
-(allowx dnsmasq_28_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx dnsmasq_28_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow dnsmasq_28_0 self (capability (dac_override)))
-(allow dnsmasq_28_0 self (cap_userns (dac_override)))
-(allow dnsmasq_28_0 self (capability (setgid setuid net_bind_service net_admin net_raw)))
-(allow dnsmasq_28_0 self (cap_userns (setgid setuid net_bind_service net_admin net_raw)))
-(allow dnsmasq_28_0 dhcp_data_file_28_0 (dir (write lock add_name remove_name search open)))
-(allow dnsmasq_28_0 dhcp_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow dnsmasq_28_0 netd_28_0 (fd (use)))
-(allow dnsmasq_28_0 netd_28_0 (fifo_file (read write)))
-(allow dnsmasq_28_0 netd_28_0 (netlink_kobject_uevent_socket (read write)))
-(allow dnsmasq_28_0 netd_28_0 (netlink_nflog_socket (read write)))
-(allow dnsmasq_28_0 netd_28_0 (netlink_route_socket (read write)))
-(allow dnsmasq_28_0 netd_28_0 (unix_stream_socket (read write)))
-(allow dnsmasq_28_0 netd_28_0 (unix_dgram_socket (read write)))
-(allow dnsmasq_28_0 netd_28_0 (udp_socket (read write)))
-(allow domain init_28_0 (process (sigchld)))
-(allow domain self (process (fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit)))
-(allow domain self (fd (use)))
-(allow domain proc_28_0 (dir (ioctl read getattr lock search open)))
-(allow domain proc_net_28_0 (dir (search)))
-(allow domain self (dir (ioctl read getattr lock search open)))
-(allow domain self (file (ioctl read getattr lock map open)))
-(allow domain self (lnk_file (ioctl read getattr lock map open)))
-(allow domain self (file (ioctl read write getattr lock append map open)))
-(allow domain self (fifo_file (ioctl read write getattr lock append map open)))
-(allow domain self (unix_dgram_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown sendto)))
-(allow domain self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
-(allow domain init_28_0 (fd (use)))
-(allow domain su_28_0 (fd (use)))
-(allow domain su_28_0 (unix_stream_socket (read write getattr getopt shutdown connectto)))
-(allow domain su_28_0 (unix_dgram_socket (sendto)))
-(allow base_typeattr_69_28_0 su_28_0 (binder (call transfer)))
-(allow domain su_28_0 (fifo_file (write getattr)))
-(allow domain su_28_0 (process (sigchld)))
-(allow domain coredump_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow domain coredump_file_28_0 (dir (ioctl read write getattr lock add_name search open)))
-(allow domain rootfs_28_0 (dir (search)))
-(allow domain rootfs_28_0 (lnk_file (read getattr)))
-(allow domain device_28_0 (dir (search)))
-(allow domain dev_type (lnk_file (ioctl read getattr lock map open)))
-(allow domain devpts_28_0 (dir (search)))
-(allow domain socket_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow domain owntty_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain null_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain zero_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain ashmem_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow base_typeattr_70_28_0 binder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow base_typeattr_71_28_0 hwbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain ptmx_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain alarm_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow domain random_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow domain proc_random_28_0 (dir (ioctl read getattr lock search open)))
-(allow domain proc_random_28_0 (file (ioctl read getattr lock map open)))
-(allow domain properties_device_28_0 (dir (getattr search)))
-(allow domain properties_serial_28_0 (file (ioctl read getattr lock map open)))
-(allow domain property_info_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain core_property_type (file (ioctl read getattr lock map open)))
-(allow coredomain core_property_type (file (ioctl read getattr lock map open)))
-(allow shell_28_0 core_property_type (file (ioctl read getattr lock map open)))
-(allow appdomain exported_dalvik_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow coredomain exported_dalvik_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 exported_dalvik_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain exported_ffs_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow coredomain exported_ffs_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 exported_ffs_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain exported_system_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow coredomain exported_system_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 exported_system_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain exported2_config_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow coredomain exported2_config_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 exported2_config_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain exported2_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow coredomain exported2_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 exported2_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain exported2_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow coredomain exported2_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 exported2_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain exported2_vold_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow coredomain exported2_vold_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 exported2_vold_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain exported3_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow coredomain exported3_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 exported3_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain exported3_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow coredomain exported3_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 exported3_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow appdomain exported3_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow coredomain exported3_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 exported3_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow su_28_0 core_property_type (file (ioctl read getattr lock map open)))
-(allow su_28_0 exported_dalvik_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow su_28_0 exported_ffs_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow su_28_0 exported_system_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow su_28_0 exported2_config_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow su_28_0 exported2_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow su_28_0 exported2_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow su_28_0 exported2_vold_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow su_28_0 exported3_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow su_28_0 exported3_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow su_28_0 exported3_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow base_typeattr_72_28_0 vendor_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain debug_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain exported_config_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain exported_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain exported_dumpstate_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain exported_fingerprint_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain exported_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain exported_secure_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain exported_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain exported_vold_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain exported2_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain logd_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow domain log_property_type (file (ioctl read getattr lock map open)))
-(dontaudit domain property_type (file (audit_access)))
-(allow domain property_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow domain init_28_0 (key (search)))
-(allow domain vold_28_0 (key (search)))
-(allow domain logdw_socket_28_0 (sock_file (write)))
-(allow domain logd_28_0 (unix_dgram_socket (sendto)))
-(allow domain pmsg_device_28_0 (chr_file (write lock append map open)))
-(allow domain system_file_28_0 (dir (getattr search)))
-(allow domain system_file_28_0 (file (read getattr map execute open)))
-(allow domain system_file_28_0 (lnk_file (read getattr)))
-(allow domain vendor_hal_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow domain same_process_hal_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow domain same_process_hal_file_28_0 (file (read getattr map execute open)))
-(allow domain vndk_sp_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow domain vndk_sp_file_28_0 (file (read getattr map execute open)))
-(allow domain vendor_configs_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow domain vendor_configs_file_28_0 (file (read getattr open)))
-(allow domain vendor_file_type (lnk_file (read getattr open)))
-(allow domain vendor_file_28_0 (dir (getattr search)))
-(allow base_typeattr_73_28_0 vendor_file_type (dir (ioctl read getattr lock search open)))
-(allow base_typeattr_73_28_0 vendor_file_type (file (read getattr map execute open)))
-(allow base_typeattr_73_28_0 vendor_file_type (lnk_file (read getattr)))
-(allow domain sysfs_28_0 (lnk_file (read getattr)))
-(allow domain zoneinfo_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow domain zoneinfo_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow domain sysfs_devices_system_cpu_28_0 (dir (ioctl read getattr lock search open)))
-(allow domain sysfs_devices_system_cpu_28_0 (file (ioctl read getattr lock map open)))
-(allow domain sysfs_devices_system_cpu_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow domain sysfs_usb_28_0 (dir (ioctl read getattr lock search open)))
-(allow domain sysfs_usb_28_0 (file (ioctl read getattr lock map open)))
-(allow domain sysfs_usb_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow appdomain system_data_file_28_0 (dir (getattr)))
-(allow coredomain system_data_file_28_0 (dir (getattr)))
-(allow domain system_data_file_28_0 (dir (search)))
-(allow domain vendor_data_file_28_0 (dir (getattr search)))
-(allow domain proc_28_0 (lnk_file (read getattr)))
-(allow domain proc_cpuinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow domain proc_overcommit_memory_28_0 (file (ioctl read getattr lock map open)))
-(allow domain proc_perf_28_0 (file (ioctl read getattr lock map open)))
-(allow domain selinuxfs_28_0 (dir (search)))
-(allow domain selinuxfs_28_0 (file (getattr)))
-(allow domain sysfs_28_0 (dir (search)))
-(allow domain selinuxfs_28_0 (filesystem (getattr)))
-(allow domain cgroup_28_0 (dir (write search)))
-(allow domain cgroup_28_0 (file (write lock append map open)))
-(allow domain debugfs_28_0 (dir (search)))
-(allow domain debugfs_tracing_28_0 (dir (search)))
-(allow domain debugfs_tracing_debug_28_0 (dir (search)))
-(allow domain debugfs_trace_marker_28_0 (file (write lock append map open)))
-(allow domain fs_type (filesystem (getattr)))
-(allow domain fs_type (dir (getattr)))
-(allowx domain domain (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx domain domain (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx domain domain (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx domain domain (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx domain domain (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx domain domain (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx domain domain (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx domain domain (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx domain domain (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx domain domain (ioctl unix_stream_socket (0x5401 0x5411 ((range 0x5413 0x5414)) 0x541b 0x5451)))
-(allowx domain domain (ioctl unix_dgram_socket (0x5401 0x5411 ((range 0x5413 0x5414)) 0x541b 0x5451)))
-(allowx domain devpts_28_0 (ioctl chr_file (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allow base_typeattr_74_28_0 hwservice_manager_type (hwservice_manager (add find)))
-(allow base_typeattr_74_28_0 vndservice_manager_type (service_manager (add find)))
-(neverallowx domain domain (ioctl socket (0x0)))
-(neverallowx domain domain (ioctl tcp_socket (0x0)))
-(neverallowx domain domain (ioctl udp_socket (0x0)))
-(neverallowx domain domain (ioctl rawip_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_socket (0x0)))
-(neverallowx domain domain (ioctl packet_socket (0x0)))
-(neverallowx domain domain (ioctl key_socket (0x0)))
-(neverallowx domain domain (ioctl unix_stream_socket (0x0)))
-(neverallowx domain domain (ioctl unix_dgram_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_route_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_tcpdiag_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_nflog_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_xfrm_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_selinux_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_audit_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_dnrt_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_kobject_uevent_socket (0x0)))
-(neverallowx domain domain (ioctl appletalk_socket (0x0)))
-(neverallowx domain domain (ioctl tun_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_iscsi_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_fib_lookup_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_connector_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_netfilter_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_generic_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_scsitransport_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_rdma_socket (0x0)))
-(neverallowx domain domain (ioctl netlink_crypto_socket (0x0)))
-(neverallowx domain domain (ioctl sctp_socket (0x0)))
-(neverallowx domain domain (ioctl icmp_socket (0x0)))
-(neverallowx domain domain (ioctl ax25_socket (0x0)))
-(neverallowx domain domain (ioctl ipx_socket (0x0)))
-(neverallowx domain domain (ioctl netrom_socket (0x0)))
-(neverallowx domain domain (ioctl atmpvc_socket (0x0)))
-(neverallowx domain domain (ioctl x25_socket (0x0)))
-(neverallowx domain domain (ioctl rose_socket (0x0)))
-(neverallowx domain domain (ioctl decnet_socket (0x0)))
-(neverallowx domain domain (ioctl atmsvc_socket (0x0)))
-(neverallowx domain domain (ioctl rds_socket (0x0)))
-(neverallowx domain domain (ioctl irda_socket (0x0)))
-(neverallowx domain domain (ioctl pppox_socket (0x0)))
-(neverallowx domain domain (ioctl llc_socket (0x0)))
-(neverallowx domain domain (ioctl can_socket (0x0)))
-(neverallowx domain domain (ioctl tipc_socket (0x0)))
-(neverallowx domain domain (ioctl bluetooth_socket (0x0)))
-(neverallowx domain domain (ioctl iucv_socket (0x0)))
-(neverallowx domain domain (ioctl rxrpc_socket (0x0)))
-(neverallowx domain domain (ioctl isdn_socket (0x0)))
-(neverallowx domain domain (ioctl phonet_socket (0x0)))
-(neverallowx domain domain (ioctl ieee802154_socket (0x0)))
-(neverallowx domain domain (ioctl caif_socket (0x0)))
-(neverallowx domain domain (ioctl alg_socket (0x0)))
-(neverallowx domain domain (ioctl nfc_socket (0x0)))
-(neverallowx domain domain (ioctl vsock_socket (0x0)))
-(neverallowx domain domain (ioctl kcm_socket (0x0)))
-(neverallowx domain domain (ioctl qipcrtr_socket (0x0)))
-(neverallowx domain domain (ioctl smc_socket (0x0)))
-(neverallowx domain domain (ioctl socket (0x8905)))
-(neverallowx domain domain (ioctl tcp_socket (0x8905)))
-(neverallowx domain domain (ioctl udp_socket (0x8905)))
-(neverallowx domain domain (ioctl rawip_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_socket (0x8905)))
-(neverallowx domain domain (ioctl packet_socket (0x8905)))
-(neverallowx domain domain (ioctl key_socket (0x8905)))
-(neverallowx domain domain (ioctl unix_stream_socket (0x8905)))
-(neverallowx domain domain (ioctl unix_dgram_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_route_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_tcpdiag_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_nflog_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_xfrm_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_selinux_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_audit_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_dnrt_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_kobject_uevent_socket (0x8905)))
-(neverallowx domain domain (ioctl appletalk_socket (0x8905)))
-(neverallowx domain domain (ioctl tun_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_iscsi_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_fib_lookup_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_connector_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_netfilter_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_generic_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_scsitransport_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_rdma_socket (0x8905)))
-(neverallowx domain domain (ioctl netlink_crypto_socket (0x8905)))
-(neverallowx domain domain (ioctl sctp_socket (0x8905)))
-(neverallowx domain domain (ioctl icmp_socket (0x8905)))
-(neverallowx domain domain (ioctl ax25_socket (0x8905)))
-(neverallowx domain domain (ioctl ipx_socket (0x8905)))
-(neverallowx domain domain (ioctl netrom_socket (0x8905)))
-(neverallowx domain domain (ioctl atmpvc_socket (0x8905)))
-(neverallowx domain domain (ioctl x25_socket (0x8905)))
-(neverallowx domain domain (ioctl rose_socket (0x8905)))
-(neverallowx domain domain (ioctl decnet_socket (0x8905)))
-(neverallowx domain domain (ioctl atmsvc_socket (0x8905)))
-(neverallowx domain domain (ioctl rds_socket (0x8905)))
-(neverallowx domain domain (ioctl irda_socket (0x8905)))
-(neverallowx domain domain (ioctl pppox_socket (0x8905)))
-(neverallowx domain domain (ioctl llc_socket (0x8905)))
-(neverallowx domain domain (ioctl can_socket (0x8905)))
-(neverallowx domain domain (ioctl tipc_socket (0x8905)))
-(neverallowx domain domain (ioctl bluetooth_socket (0x8905)))
-(neverallowx domain domain (ioctl iucv_socket (0x8905)))
-(neverallowx domain domain (ioctl rxrpc_socket (0x8905)))
-(neverallowx domain domain (ioctl isdn_socket (0x8905)))
-(neverallowx domain domain (ioctl phonet_socket (0x8905)))
-(neverallowx domain domain (ioctl ieee802154_socket (0x8905)))
-(neverallowx domain domain (ioctl caif_socket (0x8905)))
-(neverallowx domain domain (ioctl alg_socket (0x8905)))
-(neverallowx domain domain (ioctl nfc_socket (0x8905)))
-(neverallowx domain domain (ioctl vsock_socket (0x8905)))
-(neverallowx domain domain (ioctl kcm_socket (0x8905)))
-(neverallowx domain domain (ioctl qipcrtr_socket (0x8905)))
-(neverallowx domain domain (ioctl smc_socket (0x8905)))
-(neverallowx base_typeattr_59_28_0 devpts_28_0 (ioctl chr_file (0x5412)))
-(neverallow base_typeattr_75_28_0 unlabeled_28_0 (file (create)))
-(neverallow base_typeattr_75_28_0 unlabeled_28_0 (dir (create)))
-(neverallow base_typeattr_75_28_0 unlabeled_28_0 (lnk_file (create)))
-(neverallow base_typeattr_75_28_0 unlabeled_28_0 (chr_file (create)))
-(neverallow base_typeattr_75_28_0 unlabeled_28_0 (blk_file (create)))
-(neverallow base_typeattr_75_28_0 unlabeled_28_0 (sock_file (create)))
-(neverallow base_typeattr_75_28_0 unlabeled_28_0 (fifo_file (create)))
-(neverallow base_typeattr_76_28_0 self (capability (mknod)))
-(neverallow base_typeattr_76_28_0 self (cap_userns (mknod)))
-(neverallow base_typeattr_77_28_0 self (capability (sys_rawio)))
-(neverallow base_typeattr_77_28_0 self (cap_userns (sys_rawio)))
-(neverallow base_typeattr_59_28_0 self (memprotect (mmap_zero)))
-(neverallow base_typeattr_59_28_0 self (capability2 (mac_override)))
-(neverallow base_typeattr_59_28_0 self (cap2_userns (mac_override)))
-(neverallow base_typeattr_59_28_0 self (capability2 (mac_admin)))
-(neverallow base_typeattr_59_28_0 self (cap2_userns (mac_admin)))
-(neverallow base_typeattr_59_28_0 kernel_28_0 (security (load_policy)))
-(neverallow base_typeattr_59_28_0 kernel_28_0 (security (setenforce)))
-(neverallow base_typeattr_78_28_0 kernel_28_0 (security (setcheckreqprot)))
-(neverallow base_typeattr_59_28_0 kernel_28_0 (security (setbool)))
-(neverallow base_typeattr_69_28_0 kernel_28_0 (security (setsecparam)))
-(neverallow base_typeattr_79_28_0 hw_random_device_28_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_80_28_0 keychord_device_28_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_59_28_0 base_typeattr_81_28_0 (file (entrypoint)))
-(neverallow base_typeattr_82_28_0 kmem_device_28_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_59_28_0 kmem_device_28_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_82_28_0 port_device_28_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_59_28_0 port_device_28_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_69_28_0 usermodehelper_28_0 (file (write append)))
-(neverallow base_typeattr_83_28_0 sysfs_usermodehelper_28_0 (file (write append)))
-(neverallow base_typeattr_84_28_0 proc_security_28_0 (file (read write append open)))
-(neverallow base_typeattr_59_28_0 init_28_0 (process (ptrace)))
-(neverallow base_typeattr_59_28_0 init_28_0 (binder (impersonate call set_context_mgr transfer)))
-(neverallow base_typeattr_59_28_0 vendor_init_28_0 (binder (impersonate call set_context_mgr transfer)))
-(neverallow base_typeattr_85_28_0 block_device_28_0 (blk_file (read write open)))
-(neverallow base_typeattr_59_28_0 base_typeattr_59_28_0 (chr_file (rename)))
-(neverallow base_typeattr_59_28_0 base_typeattr_59_28_0 (blk_file (rename)))
-(neverallow domain device_28_0 (chr_file (read write open)))
-(neverallow base_typeattr_86_28_0 base_typeattr_87_28_0 (filesystem (mount remount relabelfrom relabelto)))
-(neverallow base_typeattr_88_28_0 base_typeattr_89_28_0 (file (execute)))
-(neverallow base_typeattr_90_28_0 base_typeattr_91_28_0 (file (execute)))
-(neverallow domain cache_file_28_0 (file (execute)))
-(neverallow domain cache_backup_file_28_0 (file (execute)))
-(neverallow domain cache_private_backup_file_28_0 (file (execute)))
-(neverallow domain cache_recovery_file_28_0 (file (execute)))
-(neverallow base_typeattr_52_28_0 base_typeattr_60_28_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_78_28_0 nativetest_data_file_28_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_78_28_0 nativetest_data_file_28_0 (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_78_28_0 nativetest_data_file_28_0 (chr_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_78_28_0 nativetest_data_file_28_0 (blk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_78_28_0 nativetest_data_file_28_0 (sock_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_78_28_0 nativetest_data_file_28_0 (fifo_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain nativetest_data_file_28_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(neverallow base_typeattr_92_28_0 nativetest_data_file_28_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_69_28_0 property_data_file_28_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(neverallow base_typeattr_69_28_0 property_data_file_28_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow base_typeattr_69_28_0 property_type (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow base_typeattr_69_28_0 properties_device_28_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow base_typeattr_69_28_0 properties_serial_28_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow domain exec_type (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain exec_type (dir (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain exec_type (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain exec_type (chr_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain exec_type (blk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain exec_type (sock_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain exec_type (fifo_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain vendor_file_type (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain vendor_file_type (dir (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain vendor_file_type (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain vendor_file_type (chr_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain vendor_file_type (blk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain vendor_file_type (sock_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain vendor_file_type (fifo_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain system_file_28_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain system_file_28_0 (dir (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain system_file_28_0 (lnk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain system_file_28_0 (chr_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain system_file_28_0 (blk_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain system_file_28_0 (sock_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow domain system_file_28_0 (fifo_file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_78_28_0 exec_type (file (relabelto)))
-(neverallow base_typeattr_78_28_0 exec_type (dir (relabelto)))
-(neverallow base_typeattr_78_28_0 exec_type (lnk_file (relabelto)))
-(neverallow base_typeattr_78_28_0 exec_type (chr_file (relabelto)))
-(neverallow base_typeattr_78_28_0 exec_type (blk_file (relabelto)))
-(neverallow base_typeattr_78_28_0 exec_type (sock_file (relabelto)))
-(neverallow base_typeattr_78_28_0 exec_type (fifo_file (relabelto)))
-(neverallow base_typeattr_78_28_0 vendor_file_type (file (relabelto)))
-(neverallow base_typeattr_78_28_0 vendor_file_type (dir (relabelto)))
-(neverallow base_typeattr_78_28_0 vendor_file_type (lnk_file (relabelto)))
-(neverallow base_typeattr_78_28_0 vendor_file_type (chr_file (relabelto)))
-(neverallow base_typeattr_78_28_0 vendor_file_type (blk_file (relabelto)))
-(neverallow base_typeattr_78_28_0 vendor_file_type (sock_file (relabelto)))
-(neverallow base_typeattr_78_28_0 vendor_file_type (fifo_file (relabelto)))
-(neverallow base_typeattr_78_28_0 system_file_28_0 (file (relabelto)))
-(neverallow base_typeattr_78_28_0 system_file_28_0 (dir (relabelto)))
-(neverallow base_typeattr_78_28_0 system_file_28_0 (lnk_file (relabelto)))
-(neverallow base_typeattr_78_28_0 system_file_28_0 (chr_file (relabelto)))
-(neverallow base_typeattr_78_28_0 system_file_28_0 (blk_file (relabelto)))
-(neverallow base_typeattr_78_28_0 system_file_28_0 (sock_file (relabelto)))
-(neverallow base_typeattr_78_28_0 system_file_28_0 (fifo_file (relabelto)))
-(neverallow base_typeattr_59_28_0 exec_type (file (mounton)))
-(neverallow base_typeattr_59_28_0 exec_type (dir (mounton)))
-(neverallow base_typeattr_59_28_0 exec_type (lnk_file (mounton)))
-(neverallow base_typeattr_59_28_0 exec_type (chr_file (mounton)))
-(neverallow base_typeattr_59_28_0 exec_type (blk_file (mounton)))
-(neverallow base_typeattr_59_28_0 exec_type (sock_file (mounton)))
-(neverallow base_typeattr_59_28_0 exec_type (fifo_file (mounton)))
-(neverallow base_typeattr_69_28_0 vendor_file_type (file (mounton)))
-(neverallow base_typeattr_69_28_0 vendor_file_type (dir (mounton)))
-(neverallow base_typeattr_69_28_0 vendor_file_type (lnk_file (mounton)))
-(neverallow base_typeattr_69_28_0 vendor_file_type (chr_file (mounton)))
-(neverallow base_typeattr_69_28_0 vendor_file_type (blk_file (mounton)))
-(neverallow base_typeattr_69_28_0 vendor_file_type (sock_file (mounton)))
-(neverallow base_typeattr_69_28_0 vendor_file_type (fifo_file (mounton)))
-(neverallow base_typeattr_69_28_0 system_file_28_0 (file (mounton)))
-(neverallow base_typeattr_69_28_0 system_file_28_0 (dir (mounton)))
-(neverallow base_typeattr_69_28_0 system_file_28_0 (lnk_file (mounton)))
-(neverallow base_typeattr_69_28_0 system_file_28_0 (chr_file (mounton)))
-(neverallow base_typeattr_69_28_0 system_file_28_0 (blk_file (mounton)))
-(neverallow base_typeattr_69_28_0 system_file_28_0 (sock_file (mounton)))
-(neverallow base_typeattr_69_28_0 system_file_28_0 (fifo_file (mounton)))
-(neverallow base_typeattr_59_28_0 rootfs_28_0 (file (write create setattr relabelto append unlink link rename)))
-(neverallow base_typeattr_59_28_0 base_typeattr_93_28_0 (filesystem (relabelto)))
-(neverallow base_typeattr_59_28_0 contextmount_type (file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_59_28_0 contextmount_type (dir (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_59_28_0 contextmount_type (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_59_28_0 contextmount_type (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_59_28_0 contextmount_type (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_59_28_0 contextmount_type (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_59_28_0 contextmount_type (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
-(neverallow base_typeattr_59_28_0 default_android_service_28_0 (service_manager (add)))
-(neverallow base_typeattr_59_28_0 default_android_vndservice_28_0 (service_manager (add find)))
-(neverallow base_typeattr_59_28_0 default_android_hwservice_28_0 (hwservice_manager (add find)))
-(neverallow base_typeattr_59_28_0 hidl_base_hwservice_28_0 (hwservice_manager (find)))
-(neverallow base_typeattr_84_28_0 default_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_84_28_0 mmc_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_69_28_0 default_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_69_28_0 mmc_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_84_28_0 exported_default_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_69_28_0 exported_secure_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_69_28_0 exported2_default_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_84_28_0 exported3_default_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_84_28_0 vendor_default_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_94_28_0 pm_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_73_28_0 pm_prop_28_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_95_28_0 exported_pm_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_96_28_0 exported_pm_prop_28_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_97_28_0 serialno_prop_28_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_98_28_0 firstboot_prop_28_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_99_28_0 frp_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_100_28_0 metadata_block_device_28_0 (blk_file (ioctl read write lock append link rename open)))
-(neverallow base_typeattr_101_28_0 system_block_device_28_0 (blk_file (write append)))
-(neverallow base_typeattr_102_28_0 recovery_block_device_28_0 (blk_file (write append)))
-(neverallow base_typeattr_103_28_0 misc_block_device_28_0 (blk_file (ioctl read write lock relabelfrom append link rename open)))
-(neverallow base_typeattr_104_28_0 base_typeattr_59_28_0 (binder (set_context_mgr)))
-(neverallow servicemanager_28_0 hwbinder_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow servicemanager_28_0 vndbinder_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow hwservicemanager_28_0 binder_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow hwservicemanager_28_0 vndbinder_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow vndservicemanager_28_0 binder_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow vndservicemanager_28_0 hwbinder_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_105_28_0 binder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(neverallow base_typeattr_105_28_0 service_manager_type (service_manager (find)))
-(neverallow base_typeattr_106_28_0 base_typeattr_107_28_0 (service_manager (find)))
-(neverallow base_typeattr_105_28_0 servicemanager_28_0 (binder (call transfer)))
-(neverallow base_typeattr_108_28_0 vndbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(neverallow ueventd_28_0 vndbinder_device_28_0 (chr_file (ioctl read write append)))
-(neverallow base_typeattr_109_28_0 vndservice_manager_type (service_manager (add find list)))
-(neverallow base_typeattr_109_28_0 vndservicemanager_28_0 (binder (impersonate call set_context_mgr transfer)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (tcp_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (udp_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (rawip_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (packet_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (key_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (unix_stream_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (unix_dgram_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_route_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_tcpdiag_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_nflog_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_xfrm_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_selinux_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_audit_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_dnrt_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_kobject_uevent_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (appletalk_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (tun_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_iscsi_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_fib_lookup_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_connector_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_netfilter_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_generic_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_scsitransport_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_rdma_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netlink_crypto_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (sctp_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (icmp_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (ax25_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (ipx_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (netrom_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (atmpvc_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (x25_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (rose_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (decnet_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (atmsvc_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (rds_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (irda_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (pppox_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (llc_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (can_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (tipc_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (bluetooth_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (iucv_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (rxrpc_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (isdn_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (phonet_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (ieee802154_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (caif_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (alg_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (nfc_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (vsock_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (kcm_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (qipcrtr_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (smc_socket (connect sendto)))
-(neverallow base_typeattr_110_28_0 base_typeattr_111_28_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (tcp_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (udp_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (rawip_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (packet_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (key_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (unix_stream_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (unix_dgram_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_route_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_tcpdiag_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_nflog_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_xfrm_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_selinux_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_audit_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_dnrt_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_kobject_uevent_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (appletalk_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (tun_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_iscsi_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_fib_lookup_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_connector_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_netfilter_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_generic_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_scsitransport_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_rdma_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netlink_crypto_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (sctp_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (icmp_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (ax25_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (ipx_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (netrom_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (atmpvc_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (x25_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (rose_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (decnet_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (atmsvc_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (rds_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (irda_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (pppox_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (llc_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (can_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (tipc_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (bluetooth_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (iucv_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (rxrpc_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (isdn_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (phonet_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (ieee802154_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (caif_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (alg_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (nfc_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (vsock_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (kcm_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (qipcrtr_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (smc_socket (connect sendto)))
-(neverallow base_typeattr_112_28_0 base_typeattr_113_28_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (tcp_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (udp_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (rawip_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (packet_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (key_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (unix_stream_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (unix_dgram_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_route_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_tcpdiag_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_nflog_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_xfrm_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_selinux_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_audit_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_dnrt_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_kobject_uevent_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (appletalk_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (tun_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_iscsi_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_fib_lookup_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_connector_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_netfilter_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_generic_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_scsitransport_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_rdma_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netlink_crypto_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (sctp_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (icmp_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (ax25_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (ipx_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (netrom_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (atmpvc_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (x25_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (rose_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (decnet_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (atmsvc_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (rds_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (irda_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (pppox_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (llc_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (can_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (tipc_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (bluetooth_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (iucv_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (rxrpc_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (isdn_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (phonet_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (ieee802154_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (caif_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (alg_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (nfc_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (vsock_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (kcm_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (qipcrtr_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (smc_socket (connect sendto)))
-(neverallow base_typeattr_114_28_0 netd_28_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_115_28_0 core_data_file_type (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_115_28_0 coredomain_socket (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_115_28_0 unlabeled_28_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_106_28_0 base_typeattr_116_28_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_117_28_0 base_typeattr_118_28_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_119_28_0 base_typeattr_120_28_0 (file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_119_28_0 base_typeattr_120_28_0 (lnk_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_119_28_0 base_typeattr_120_28_0 (chr_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_119_28_0 base_typeattr_120_28_0 (blk_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_119_28_0 base_typeattr_120_28_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_119_28_0 base_typeattr_120_28_0 (fifo_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_119_28_0 base_typeattr_121_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow base_typeattr_122_28_0 base_typeattr_123_28_0 (file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_122_28_0 base_typeattr_123_28_0 (lnk_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_122_28_0 base_typeattr_123_28_0 (chr_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_122_28_0 base_typeattr_123_28_0 (blk_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_122_28_0 base_typeattr_123_28_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_122_28_0 base_typeattr_123_28_0 (fifo_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_124_28_0 base_typeattr_125_28_0 (file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_124_28_0 base_typeattr_125_28_0 (lnk_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_124_28_0 base_typeattr_125_28_0 (chr_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_124_28_0 base_typeattr_125_28_0 (blk_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_124_28_0 base_typeattr_125_28_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_124_28_0 base_typeattr_125_28_0 (fifo_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow vendor_init_28_0 unencrypted_data_file_28_0 (file (write create setattr relabelfrom relabelto append unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod audit_access)))
-(neverallow base_typeattr_122_28_0 base_typeattr_126_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow base_typeattr_124_28_0 base_typeattr_127_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow vendor_init_28_0 unencrypted_data_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent rmdir open audit_access execmod)))
-(neverallow base_typeattr_128_28_0 system_data_file_28_0 (dir (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent rmdir open audit_access execmod)))
-(neverallow base_typeattr_129_28_0 vendor_data_file_28_0 (dir (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent rmdir open audit_access execmod)))
-(neverallow base_typeattr_130_28_0 vendor_data_file_28_0 (file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_130_28_0 vendor_data_file_28_0 (lnk_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_130_28_0 vendor_data_file_28_0 (chr_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_130_28_0 vendor_data_file_28_0 (blk_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_130_28_0 vendor_data_file_28_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_130_28_0 vendor_data_file_28_0 (fifo_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_131_28_0 vendor_app_file_28_0 (dir (read getattr search open)))
-(neverallow base_typeattr_131_28_0 vendor_app_file_28_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_132_28_0 vendor_overlay_file_28_0 (dir (read getattr search open)))
-(neverallow base_typeattr_132_28_0 vendor_overlay_file_28_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_133_28_0 vendor_shell_exec_28_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_134_28_0 base_typeattr_135_28_0 (file (execute execute_no_trans entrypoint)))
-(neverallow base_typeattr_136_28_0 base_typeattr_137_28_0 (file (execute)))
-(neverallow base_typeattr_138_28_0 vendor_file_type (file (execute_no_trans)))
-(neverallow base_typeattr_139_28_0 dalvikcache_data_file_28_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_139_28_0 dalvikcache_data_file_28_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(neverallow base_typeattr_140_28_0 zygote_28_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_141_28_0 zygote_socket_28_0 (sock_file (write)))
-(neverallow base_typeattr_142_28_0 webview_zygote_28_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_141_28_0 webview_zygote_28_0 (sock_file (write)))
-(neverallow base_typeattr_143_28_0 tombstoned_crash_socket_28_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_144_28_0 tombstoned_intercept_socket_28_0 (sock_file (write)))
-(neverallow base_typeattr_144_28_0 tombstoned_intercept_socket_28_0 (unix_stream_socket (connectto)))
-(neverallow base_typeattr_59_28_0 base_typeattr_59_28_0 (sem (create destroy getattr setattr read write associate unix_read unix_write)))
-(neverallow base_typeattr_59_28_0 base_typeattr_59_28_0 (msg (send receive)))
-(neverallow base_typeattr_59_28_0 base_typeattr_59_28_0 (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)))
-(neverallow base_typeattr_59_28_0 base_typeattr_59_28_0 (shm (create destroy getattr setattr read write associate unix_read unix_write lock)))
-(neverallow base_typeattr_59_28_0 dev_type (lnk_file (mounton)))
-(neverallow base_typeattr_59_28_0 dev_type (sock_file (mounton)))
-(neverallow base_typeattr_59_28_0 dev_type (fifo_file (mounton)))
-(neverallow base_typeattr_59_28_0 fs_type (lnk_file (mounton)))
-(neverallow base_typeattr_59_28_0 fs_type (sock_file (mounton)))
-(neverallow base_typeattr_59_28_0 fs_type (fifo_file (mounton)))
-(neverallow base_typeattr_59_28_0 file_type (lnk_file (mounton)))
-(neverallow base_typeattr_59_28_0 file_type (sock_file (mounton)))
-(neverallow base_typeattr_59_28_0 file_type (fifo_file (mounton)))
-(neverallow base_typeattr_145_28_0 su_exec_28_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_59_28_0 base_typeattr_146_28_0 (file (execmod)))
-(neverallow base_typeattr_59_28_0 self (process (execstack execheap)))
-(neverallow base_typeattr_147_28_0 file_type (file (execmod)))
-(neverallow base_typeattr_69_28_0 proc_28_0 (file (mounton)))
-(neverallow base_typeattr_69_28_0 proc_28_0 (dir (mounton)))
-(neverallow base_typeattr_148_28_0 domain (process (transition dyntransition)))
-(neverallow base_typeattr_149_28_0 system_data_file_28_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow installd_28_0 system_data_file_28_0 (file (write create setattr relabelto append link rename execute quotaon mounton execute_no_trans entrypoint execmod audit_access)))
-(neverallow base_typeattr_150_28_0 system_app_data_file_28_0 (file (create unlink open)))
-(neverallow base_typeattr_150_28_0 system_app_data_file_28_0 (dir (create unlink open)))
-(neverallow base_typeattr_150_28_0 system_app_data_file_28_0 (lnk_file (create unlink open)))
-(neverallow base_typeattr_150_28_0 system_app_data_file_28_0 (chr_file (create unlink open)))
-(neverallow base_typeattr_150_28_0 system_app_data_file_28_0 (blk_file (create unlink open)))
-(neverallow base_typeattr_150_28_0 system_app_data_file_28_0 (sock_file (create unlink open)))
-(neverallow base_typeattr_150_28_0 system_app_data_file_28_0 (fifo_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_28_0 (file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_28_0 (dir (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_28_0 (lnk_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_28_0 (chr_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_28_0 (blk_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_28_0 (sock_file (create unlink open)))
-(neverallow untrusted_app_all system_app_data_file_28_0 (fifo_file (create unlink open)))
-(neverallow ephemeral_app_28_0 system_app_data_file_28_0 (file (create unlink open)))
-(neverallow ephemeral_app_28_0 system_app_data_file_28_0 (dir (create unlink open)))
-(neverallow ephemeral_app_28_0 system_app_data_file_28_0 (lnk_file (create unlink open)))
-(neverallow ephemeral_app_28_0 system_app_data_file_28_0 (chr_file (create unlink open)))
-(neverallow ephemeral_app_28_0 system_app_data_file_28_0 (blk_file (create unlink open)))
-(neverallow ephemeral_app_28_0 system_app_data_file_28_0 (sock_file (create unlink open)))
-(neverallow ephemeral_app_28_0 system_app_data_file_28_0 (fifo_file (create unlink open)))
-(neverallow isolated_app_28_0 system_app_data_file_28_0 (file (create unlink open)))
-(neverallow isolated_app_28_0 system_app_data_file_28_0 (dir (create unlink open)))
-(neverallow isolated_app_28_0 system_app_data_file_28_0 (lnk_file (create unlink open)))
-(neverallow isolated_app_28_0 system_app_data_file_28_0 (chr_file (create unlink open)))
-(neverallow isolated_app_28_0 system_app_data_file_28_0 (blk_file (create unlink open)))
-(neverallow isolated_app_28_0 system_app_data_file_28_0 (sock_file (create unlink open)))
-(neverallow isolated_app_28_0 system_app_data_file_28_0 (fifo_file (create unlink open)))
-(neverallow priv_app_28_0 system_app_data_file_28_0 (file (create unlink open)))
-(neverallow priv_app_28_0 system_app_data_file_28_0 (dir (create unlink open)))
-(neverallow priv_app_28_0 system_app_data_file_28_0 (lnk_file (create unlink open)))
-(neverallow priv_app_28_0 system_app_data_file_28_0 (chr_file (create unlink open)))
-(neverallow priv_app_28_0 system_app_data_file_28_0 (blk_file (create unlink open)))
-(neverallow priv_app_28_0 system_app_data_file_28_0 (sock_file (create unlink open)))
-(neverallow priv_app_28_0 system_app_data_file_28_0 (fifo_file (create unlink open)))
-(neverallow base_typeattr_151_28_0 app_data_file_28_0 (file (create unlink)))
-(neverallow base_typeattr_151_28_0 app_data_file_28_0 (dir (create unlink)))
-(neverallow base_typeattr_151_28_0 app_data_file_28_0 (lnk_file (create unlink)))
-(neverallow base_typeattr_151_28_0 app_data_file_28_0 (chr_file (create unlink)))
-(neverallow base_typeattr_151_28_0 app_data_file_28_0 (blk_file (create unlink)))
-(neverallow base_typeattr_151_28_0 app_data_file_28_0 (sock_file (create unlink)))
-(neverallow base_typeattr_151_28_0 app_data_file_28_0 (fifo_file (create unlink)))
-(neverallow base_typeattr_152_28_0 shell_28_0 (process (transition dyntransition)))
-(neverallow base_typeattr_153_28_0 base_typeattr_54_28_0 (process (transition dyntransition)))
-(neverallow base_typeattr_154_28_0 app_data_file_28_0 (lnk_file (read)))
-(neverallow base_typeattr_155_28_0 shell_data_file_28_0 (lnk_file (read)))
-(neverallow base_typeattr_156_28_0 shell_data_file_28_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(neverallow base_typeattr_157_28_0 shell_data_file_28_0 (dir (search open)))
-(neverallow base_typeattr_158_28_0 shell_data_file_28_0 (file (open)))
-(neverallow base_typeattr_59_28_0 base_typeattr_159_28_0 (service_manager (list)))
-(neverallow base_typeattr_59_28_0 base_typeattr_160_28_0 (hwservice_manager (list)))
-(neverallow base_typeattr_59_28_0 domain (file (execute execute_no_trans entrypoint)))
-(neverallow base_typeattr_161_28_0 debugfs_28_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_162_28_0 profman_exec_28_0 (file (execute execute_no_trans)))
-(neverallow base_typeattr_59_28_0 base_typeattr_163_28_0 (system (module_load)))
-(neverallow base_typeattr_59_28_0 self (capability (setfcap)))
-(neverallow base_typeattr_59_28_0 self (cap_userns (setfcap)))
-(neverallow domain crash_dump_28_0 (process (noatsecure)))
-(neverallow base_typeattr_164_28_0 coredomain_hwservice (hwservice_manager (add)))
-(neverallow base_typeattr_59_28_0 same_process_hwservice (hwservice_manager (add)))
-(neverallow base_typeattr_165_28_0 vendor_file_28_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans open)))
-(neverallow base_typeattr_166_28_0 self (capability (dac_override)))
-(neverallow base_typeattr_167_28_0 self (capability (dac_read_search)))
-(neverallow domain proc_type (dir (write create link rename add_name remove_name reparent rmdir)))
-(neverallow domain sysfs_type (dir (write create link rename add_name remove_name reparent rmdir)))
-(neverallow domain cgroup_28_0 (file (create)))
-(dontaudit domain proc_type (dir (write)))
-(dontaudit domain sysfs_type (dir (write)))
-(dontaudit domain cgroup_28_0 (file (create)))
-(dontaudit domain proc_type (dir (add_name)))
-(dontaudit domain sysfs_type (dir (add_name)))
-(dontaudit domain proc_type (file (create)))
-(dontaudit domain sysfs_type (file (create)))
-(neverallow base_typeattr_168_28_0 mnt_vendor_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(allow drmserver_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 drmserver_28_0 (dir (search)))
-(allow servicemanager_28_0 drmserver_28_0 (file (read open)))
-(allow servicemanager_28_0 drmserver_28_0 (process (getattr)))
-(allow drmserver_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 drmserver_28_0 (binder (transfer)))
-(allow drmserver_28_0 system_server_28_0 (fd (use)))
-(allow drmserver_28_0 appdomain (binder (call transfer)))
-(allow appdomain drmserver_28_0 (binder (transfer)))
-(allow drmserver_28_0 appdomain (fd (use)))
-(allow drmserver_28_0 system_server_28_0 (fd (use)))
-(allow drmserver_28_0 mediaserver_28_0 (binder (call transfer)))
-(allow mediaserver_28_0 drmserver_28_0 (binder (transfer)))
-(allow drmserver_28_0 mediaserver_28_0 (fd (use)))
-(allow drmserver_28_0 sdcard_type (dir (search)))
-(allow drmserver_28_0 drm_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow drmserver_28_0 drm_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow drmserver_28_0 tee_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow drmserver_28_0 app_data_file_28_0 (file (read write getattr)))
-(allow drmserver_28_0 sdcard_type (file (read write getattr)))
-(allow drmserver_28_0 efs_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_28_0 efs_file_28_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_28_0 efs_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow drmserver_28_0 apk_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow drmserver_28_0 drmserver_socket_28_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow drmserver_28_0 apk_data_file_28_0 (sock_file (unlink)))
-(allow drmserver_28_0 media_rw_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_28_0 media_rw_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_28_0 media_rw_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow drmserver_28_0 apk_data_file_28_0 (file (read getattr)))
-(allow drmserver_28_0 asec_apk_file_28_0 (file (read getattr)))
-(allow drmserver_28_0 ringtone_file_28_0 (file (read getattr)))
-(allow drmserver_28_0 radio_data_file_28_0 (file (read getattr)))
-(allow drmserver_28_0 oemfs_28_0 (dir (search)))
-(allow drmserver_28_0 oemfs_28_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_28_0 drmserver_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_169_28_0 drmserver_service_28_0 (service_manager (add)))
-(allow drmserver_28_0 permission_service_28_0 (service_manager (find)))
-(allow drmserver_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_28_0 selinuxfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow drmserver_28_0 selinuxfs_28_0 (file (write lock append map open)))
-(allow drmserver_28_0 kernel_28_0 (security (compute_av)))
-(allow drmserver_28_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow drmserver_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow drmserver_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow drmserver_28_0 system_file_28_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_28_0 system_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 dumpstate_28_0 (dir (search)))
-(allow servicemanager_28_0 dumpstate_28_0 (file (read open)))
-(allow servicemanager_28_0 dumpstate_28_0 (process (getattr)))
-(allow dumpstate_28_0 sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow dumpstate_28_0 self (capability2 (block_suspend)))
-(allow dumpstate_28_0 self (cap2_userns (block_suspend)))
-(allow dumpstate_28_0 self (capability (setgid setuid sys_resource)))
-(allow dumpstate_28_0 self (cap_userns (setgid setuid sys_resource)))
-(allow dumpstate_28_0 domain (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 domain (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 self (capability (kill net_admin net_raw)))
-(allow dumpstate_28_0 self (cap_userns (kill net_admin net_raw)))
-(allow dumpstate_28_0 system_file_28_0 (file (execute_no_trans)))
-(allow dumpstate_28_0 toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dumpstate_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 self (capability (chown dac_override fowner fsetid)))
-(allow dumpstate_28_0 self (cap_userns (chown dac_override fowner fsetid)))
-(allow dumpstate_28_0 anr_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow dumpstate_28_0 anr_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow dumpstate_28_0 system_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 self (capability2 (syslog)))
-(allow dumpstate_28_0 self (cap2_userns (syslog)))
-(allow dumpstate_28_0 kernel_28_0 (system (syslog_read)))
-(allow dumpstate_28_0 pstorefs_28_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 pstorefs_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 domain (process (getattr)))
-(allow dumpstate_28_0 appdomain (process (signal)))
-(allow dumpstate_28_0 system_server_28_0 (process (signal)))
-(allow dumpstate_28_0 hal_audio_server (process (signal)))
-(allow dumpstate_28_0 hal_camera_server (process (signal)))
-(allow dumpstate_28_0 hal_drm_server (process (signal)))
-(allow dumpstate_28_0 hal_bluetooth_server (process (signal)))
-(allow dumpstate_28_0 hal_graphics_composer_server (process (signal)))
-(allow dumpstate_28_0 hal_sensors_server (process (signal)))
-(allow dumpstate_28_0 hal_vr_server (process (signal)))
-(allow dumpstate_28_0 audioserver_28_0 (process (signal)))
-(allow dumpstate_28_0 cameraserver_28_0 (process (signal)))
-(allow dumpstate_28_0 drmserver_28_0 (process (signal)))
-(allow dumpstate_28_0 inputflinger_28_0 (process (signal)))
-(allow dumpstate_28_0 mediacodec_28_0 (process (signal)))
-(allow dumpstate_28_0 mediadrmserver_28_0 (process (signal)))
-(allow dumpstate_28_0 mediaextractor_28_0 (process (signal)))
-(allow dumpstate_28_0 mediametrics_28_0 (process (signal)))
-(allow dumpstate_28_0 mediaserver_28_0 (process (signal)))
-(allow dumpstate_28_0 sdcardd_28_0 (process (signal)))
-(allow dumpstate_28_0 surfaceflinger_28_0 (process (signal)))
-(allow dumpstate_28_0 tombstoned_intercept_socket_28_0 (sock_file (write)))
-(allow dumpstate_28_0 tombstoned_28_0 (unix_stream_socket (connectto)))
-(allow dumpstate_28_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 sysfs_dm_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 sysfs_usb_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 sysfs_zram_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 qtaguid_proc_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 debugfs_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 block_device_28_0 (dir (getattr search)))
-(allow dumpstate_28_0 rootfs_28_0 (dir (getattr search)))
-(allow dumpstate_28_0 selinuxfs_28_0 (dir (getattr search)))
-(allow dumpstate_28_0 tmpfs_28_0 (dir (getattr search)))
-(allow dumpstate_28_0 metadata_file_28_0 (dir (getattr search)))
-(allow dumpstate_28_0 storage_file_28_0 (dir (getattr search)))
-(allow dumpstate_28_0 cache_file_28_0 (dir (getattr search)))
-(allow dumpstate_28_0 fuse_device_28_0 (chr_file (getattr)))
-(allow dumpstate_28_0 dm_device_28_0 (blk_file (getattr)))
-(allow dumpstate_28_0 cache_block_device_28_0 (blk_file (getattr)))
-(allow dumpstate_28_0 rootfs_28_0 (lnk_file (read getattr)))
-(allow dumpstate_28_0 cache_file_28_0 (lnk_file (read getattr)))
-(allow dumpstate_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain dumpstate_28_0 (binder (transfer)))
-(allow dumpstate_28_0 binderservicedomain (fd (use)))
-(allow dumpstate_28_0 appdomain (binder (call transfer)))
-(allow dumpstate_28_0 netd_28_0 (binder (call transfer)))
-(allow dumpstate_28_0 wificond_28_0 (binder (call transfer)))
-(allow appdomain dumpstate_28_0 (binder (transfer)))
-(allow netd_28_0 dumpstate_28_0 (binder (transfer)))
-(allow wificond_28_0 dumpstate_28_0 (binder (transfer)))
-(allow dumpstate_28_0 appdomain (fd (use)))
-(allow dumpstate_28_0 netd_28_0 (fd (use)))
-(allow dumpstate_28_0 wificond_28_0 (fd (use)))
-(allow dumpstate_28_0 self (capability (sys_ptrace)))
-(allow dumpstate_28_0 self (cap_userns (sys_ptrace)))
-(allow dumpstate_28_0 shell_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow dumpstate_28_0 shell_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow dumpstate_28_0 shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dumpstate_28_0 zygote_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dumpstate_28_0 ashmem_device_28_0 (chr_file (execute)))
-(allow dumpstate_28_0 self (process (execmem)))
-(allow dumpstate_28_0 dalvikcache_data_file_28_0 (dir (getattr search)))
-(allow dumpstate_28_0 dalvikcache_data_file_28_0 (file (ioctl read getattr lock map execute open)))
-(allow dumpstate_28_0 dalvikcache_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 bluetooth_data_file_28_0 (dir (search)))
-(allow dumpstate_28_0 bluetooth_logs_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 bluetooth_logs_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 gpu_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow dumpstate_28_0 logcat_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow dumpstate_28_0 logdr_socket_28_0 (sock_file (write)))
-(allow dumpstate_28_0 logd_28_0 (unix_stream_socket (connectto)))
-(allow dumpstate_28_0 logd_socket_28_0 (sock_file (write)))
-(allow dumpstate_28_0 logd_28_0 (unix_stream_socket (connectto)))
-(allow dumpstate_28_0 runtime_event_log_tags_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_qtaguid_stat_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_buddyinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_cmdline_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_meminfo_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_modules_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_pagetypeinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_pipe_conf_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_version_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_vmallocinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_vmstat_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 net_data_file_28_0 (dir (search)))
-(allow dumpstate_28_0 net_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 self (netlink_tcpdiag_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read)))
-(allow dumpstate_28_0 tombstone_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 tombstone_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 cache_recovery_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 cache_recovery_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 recovery_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 recovery_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 update_engine_log_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 update_engine_log_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 user_profile_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 user_profile_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 misc_logd_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow dumpstate_28_0 misc_logd_file_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 base_typeattr_170_28_0 (service_manager (find)))
-(dontaudit dumpstate_28_0 dumpstate_service_28_0 (service_manager (find)))
-(dontaudit dumpstate_28_0 gatekeeper_service_28_0 (service_manager (find)))
-(dontaudit dumpstate_28_0 incident_service_28_0 (service_manager (find)))
-(dontaudit dumpstate_28_0 virtual_touchpad_service_28_0 (service_manager (find)))
-(dontaudit dumpstate_28_0 vold_service_28_0 (service_manager (find)))
-(dontaudit dumpstate_28_0 vr_hwc_service_28_0 (service_manager (find)))
-(allow dumpstate_28_0 servicemanager_28_0 (service_manager (list)))
-(allow dumpstate_28_0 hwservicemanager_28_0 (hwservice_manager (list)))
-(allow dumpstate_28_0 devpts_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow dumpstate_28_0 property_socket_28_0 (sock_file (write)))
-(allow dumpstate_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow dumpstate_28_0 dumpstate_prop_28_0 (property_service (set)))
-(allow dumpstate_28_0 dumpstate_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 property_socket_28_0 (sock_file (write)))
-(allow dumpstate_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow dumpstate_28_0 exported_dumpstate_prop_28_0 (property_service (set)))
-(allow dumpstate_28_0 exported_dumpstate_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 property_socket_28_0 (sock_file (write)))
-(allow dumpstate_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow dumpstate_28_0 dumpstate_options_prop_28_0 (property_service (set)))
-(allow dumpstate_28_0 dumpstate_options_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 property_type (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 media_rw_data_file_28_0 (dir (getattr)))
-(allow dumpstate_28_0 proc_interrupts_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_zoneinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 dumpstate_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_171_28_0 dumpstate_service_28_0 (service_manager (add)))
-(allow dumpstate_28_0 ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 proc_stat_28_0 (file (ioctl read getattr lock map open)))
-(allow dumpstate_28_0 installd_28_0 (binder (call transfer)))
-(allow installd_28_0 dumpstate_28_0 (binder (transfer)))
-(allow dumpstate_28_0 installd_28_0 (fd (use)))
-(allow dumpstate_28_0 self (netlink_xfrm_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read)))
-(allow dumpstate_28_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow dumpstate_28_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow dumpstate_28_0 property_socket_28_0 (sock_file (write)))
-(allow dumpstate_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow dumpstate_28_0 ctl_dumpstate_prop_28_0 (property_service (set)))
-(allow dumpstate_28_0 ctl_dumpstate_prop_28_0 (file (ioctl read getattr lock map open)))
-(neverallow dumpstate_28_0 base_typeattr_59_28_0 (process (ptrace)))
-(neverallow base_typeattr_172_28_0 dumpstate_service_28_0 (service_manager (find)))
-(allow e2fs_28_0 devpts_28_0 (chr_file (ioctl read write getattr)))
-(allow e2fs_28_0 dev_type (blk_file (getattr)))
-(allow e2fs_28_0 block_device_28_0 (dir (search)))
-(allow e2fs_28_0 userdata_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow e2fs_28_0 metadata_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow e2fs_28_0 proc_filesystems_28_0 (file (ioctl read getattr lock map open)))
-(allow e2fs_28_0 proc_mounts_28_0 (file (ioctl read getattr lock map open)))
-(allow e2fs_28_0 proc_swaps_28_0 (file (ioctl read getattr lock map open)))
-(allow e2fs_28_0 sysfs_fs_ext4_features_28_0 (dir (search)))
-(allow e2fs_28_0 sysfs_fs_ext4_features_28_0 (file (ioctl read getattr lock map open)))
-(allow e2fs_28_0 file_contexts_file_28_0 (file (read getattr open)))
-(dontaudit su_28_0 pdx_display_client_endpoint_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 pdx_display_client_channel_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 pdx_display_manager_endpoint_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 pdx_display_manager_channel_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 pdx_display_screenshot_endpoint_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 pdx_display_screenshot_channel_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 pdx_display_vsync_endpoint_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 pdx_display_vsync_channel_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 pdx_performance_client_endpoint_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 pdx_performance_client_channel_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 pdx_bufferhub_client_endpoint_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 pdx_bufferhub_client_channel_socket_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(allow fs_type self (filesystem (associate)))
-(allow cgroup_28_0 tmpfs_28_0 (filesystem (associate)))
-(allow cgroup_bpf_28_0 tmpfs_28_0 (filesystem (associate)))
-(allow sysfs_type sysfs_28_0 (filesystem (associate)))
-(allow debugfs_type debugfs_28_0 (filesystem (associate)))
-(allow debugfs_type debugfs_tracing_28_0 (filesystem (associate)))
-(allow debugfs_type debugfs_tracing_debug_28_0 (filesystem (associate)))
-(allow file_type labeledfs_28_0 (filesystem (associate)))
-(allow file_type tmpfs_28_0 (filesystem (associate)))
-(allow file_type rootfs_28_0 (filesystem (associate)))
-(allow dev_type tmpfs_28_0 (filesystem (associate)))
-(allow app_fuse_file_28_0 app_fusefs_28_0 (filesystem (associate)))
-(allow postinstall_file_28_0 self (filesystem (associate)))
-(neverallow fs_type file_type (filesystem (associate)))
-(allow fingerprintd_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 fingerprintd_28_0 (dir (search)))
-(allow servicemanager_28_0 fingerprintd_28_0 (file (read open)))
-(allow servicemanager_28_0 fingerprintd_28_0 (process (getattr)))
-(allow fingerprintd_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow fingerprintd_28_0 fingerprintd_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_173_28_0 fingerprintd_service_28_0 (service_manager (add)))
-(allow fingerprintd_28_0 fingerprintd_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow fingerprintd_28_0 fingerprintd_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow keystore_28_0 fingerprintd_28_0 (dir (search)))
-(allow keystore_28_0 fingerprintd_28_0 (file (read open)))
-(allow keystore_28_0 fingerprintd_28_0 (process (getattr)))
-(allow fingerprintd_28_0 keystore_service_28_0 (service_manager (find)))
-(allow fingerprintd_28_0 keystore_28_0 (binder (call transfer)))
-(allow keystore_28_0 fingerprintd_28_0 (binder (transfer)))
-(allow fingerprintd_28_0 keystore_28_0 (fd (use)))
-(allow keystore_28_0 fingerprintd_28_0 (binder (call transfer)))
-(allow fingerprintd_28_0 keystore_28_0 (binder (transfer)))
-(allow keystore_28_0 fingerprintd_28_0 (fd (use)))
-(allow fingerprintd_28_0 keystore_28_0 (keystore_key (add_auth)))
-(allow fingerprintd_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 fingerprintd_28_0 (binder (transfer)))
-(allow fingerprintd_28_0 system_server_28_0 (fd (use)))
-(allow fingerprintd_28_0 permission_service_28_0 (service_manager (find)))
-(allow fingerprintd_28_0 ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow fsck_28_0 tmpfs_28_0 (chr_file (ioctl read write)))
-(allow fsck_28_0 devpts_28_0 (chr_file (ioctl read write getattr)))
-(allow fsck_28_0 vold_28_0 (fd (use)))
-(allow fsck_28_0 vold_28_0 (fifo_file (read write getattr)))
-(allow fsck_28_0 block_device_28_0 (dir (search)))
-(allow fsck_28_0 userdata_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow fsck_28_0 cache_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow fsck_28_0 dm_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow fsck_28_0 dev_type (blk_file (getattr)))
-(allow fsck_28_0 proc_mounts_28_0 (file (ioctl read getattr lock map open)))
-(allow fsck_28_0 proc_swaps_28_0 (file (ioctl read getattr lock map open)))
-(allow fsck_28_0 rootfs_28_0 (dir (ioctl read getattr lock search open)))
-(neverallow fsck_28_0 vold_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_28_0 root_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_28_0 frp_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_28_0 system_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_28_0 recovery_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_28_0 boot_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_28_0 swap_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_174_28_0 fsck_28_0 (process (transition)))
-(neverallow base_typeattr_59_28_0 fsck_28_0 (process (dyntransition)))
-(neverallow fsck_28_0 base_typeattr_175_28_0 (file (entrypoint)))
-(allow fsck_untrusted_28_0 devpts_28_0 (chr_file (ioctl read write getattr)))
-(allow fsck_untrusted_28_0 vold_28_0 (fd (use)))
-(allow fsck_untrusted_28_0 vold_28_0 (fifo_file (read write getattr)))
-(allow fsck_untrusted_28_0 block_device_28_0 (dir (search)))
-(allow fsck_untrusted_28_0 vold_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow fsck_untrusted_28_0 proc_mounts_28_0 (file (ioctl read getattr lock map open)))
-(allow fsck_untrusted_28_0 dev_type (blk_file (getattr)))
-(neverallow fsck_untrusted_28_0 dm_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_28_0 root_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_28_0 frp_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_28_0 system_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_28_0 recovery_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_28_0 boot_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_28_0 userdata_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_28_0 cache_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_28_0 swap_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow fsck_untrusted_28_0 metadata_block_device_28_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_176_28_0 fsck_untrusted_28_0 (process (transition)))
-(neverallow base_typeattr_59_28_0 fsck_untrusted_28_0 (process (dyntransition)))
-(neverallow fsck_untrusted_28_0 base_typeattr_175_28_0 (file (entrypoint)))
-(allow gatekeeperd_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 gatekeeperd_28_0 (dir (search)))
-(allow servicemanager_28_0 gatekeeperd_28_0 (file (read open)))
-(allow servicemanager_28_0 gatekeeperd_28_0 (process (getattr)))
-(allow gatekeeperd_28_0 tee_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow gatekeeperd_28_0 ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow gatekeeperd_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow gatekeeperd_28_0 gatekeeper_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_177_28_0 gatekeeper_service_28_0 (service_manager (add)))
-(allow keystore_28_0 gatekeeperd_28_0 (dir (search)))
-(allow keystore_28_0 gatekeeperd_28_0 (file (read open)))
-(allow keystore_28_0 gatekeeperd_28_0 (process (getattr)))
-(allow gatekeeperd_28_0 keystore_service_28_0 (service_manager (find)))
-(allow gatekeeperd_28_0 keystore_28_0 (binder (call transfer)))
-(allow keystore_28_0 gatekeeperd_28_0 (binder (transfer)))
-(allow gatekeeperd_28_0 keystore_28_0 (fd (use)))
-(allow keystore_28_0 gatekeeperd_28_0 (binder (call transfer)))
-(allow gatekeeperd_28_0 keystore_28_0 (binder (transfer)))
-(allow keystore_28_0 gatekeeperd_28_0 (fd (use)))
-(allow gatekeeperd_28_0 keystore_28_0 (keystore_key (add_auth)))
-(allow gatekeeperd_28_0 system_server_28_0 (binder (call)))
-(allow gatekeeperd_28_0 permission_service_28_0 (service_manager (find)))
-(allow gatekeeperd_28_0 gatekeeper_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow gatekeeperd_28_0 gatekeeper_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow gatekeeperd_28_0 hardware_properties_service_28_0 (service_manager (find)))
-(allow gatekeeperd_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow gatekeeperd_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow gatekeeperd_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_allocator_client hal_allocator_server (binder (call transfer)))
-(allow hal_allocator_server hal_allocator_client (binder (transfer)))
-(allow hal_allocator_client hal_allocator_server (fd (use)))
-(allow hal_allocator_server hidl_allocator_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_allocator_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_178_28_0 hidl_allocator_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_allocator_client hidl_allocator_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_allocator_client hidl_memory_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_audio_client hal_audio_server (binder (call transfer)))
-(allow hal_audio_server hal_audio_client (binder (transfer)))
-(allow hal_audio_client hal_audio_server (fd (use)))
-(allow hal_audio_server hal_audio_client (binder (call transfer)))
-(allow hal_audio_client hal_audio_server (binder (transfer)))
-(allow hal_audio_server hal_audio_client (fd (use)))
-(allow hal_audio_server hal_audio_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_audio_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_179_28_0 hal_audio_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_audio_client hal_audio_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_audio ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_audio proc_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_audio proc_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_audio proc_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_audio proc_asound_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_audio proc_asound_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_audio proc_asound_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_audio_server audio_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_audio_server audio_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_audio shell_28_0 (fd (use)))
-(allow hal_audio shell_28_0 (fifo_file (write)))
-(allow hal_audio dumpstate_28_0 (fd (use)))
-(allow hal_audio dumpstate_28_0 (fifo_file (write)))
-(allow hal_audio vndbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_audio vndservicemanager_28_0 (binder (call transfer)))
-(allow vndservicemanager_28_0 hal_audio (dir (search)))
-(allow vndservicemanager_28_0 hal_audio (file (read open)))
-(allow vndservicemanager_28_0 hal_audio (process (getattr)))
-(neverallow hal_audio_server fs_type (file (execute_no_trans)))
-(neverallow hal_audio_server file_type (file (execute_no_trans)))
-(neverallow hal_audio_server domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow hal_audio_server domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow hal_audio_server domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow base_typeattr_180_28_0 audio_device_28_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow hal_audio bluetooth_a2dp_offload_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_audiocontrol_client hal_audiocontrol_server (binder (call transfer)))
-(allow hal_audiocontrol_server hal_audiocontrol_client (binder (transfer)))
-(allow hal_audiocontrol_client hal_audiocontrol_server (fd (use)))
-(allow hal_audiocontrol_server hal_audiocontrol_client (binder (call transfer)))
-(allow hal_audiocontrol_client hal_audiocontrol_server (binder (transfer)))
-(allow hal_audiocontrol_server hal_audiocontrol_client (fd (use)))
-(allow hal_audiocontrol_server hal_audiocontrol_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_audiocontrol_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_181_28_0 hal_audiocontrol_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_audiocontrol_client hal_audiocontrol_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_authsecret_client hal_authsecret_server (binder (call transfer)))
-(allow hal_authsecret_server hal_authsecret_client (binder (transfer)))
-(allow hal_authsecret_client hal_authsecret_server (fd (use)))
-(allow hal_authsecret_server hal_authsecret_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_authsecret_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_182_28_0 hal_authsecret_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_authsecret_client hal_authsecret_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_bluetooth_client hal_bluetooth_server (binder (call transfer)))
-(allow hal_bluetooth_server hal_bluetooth_client (binder (transfer)))
-(allow hal_bluetooth_client hal_bluetooth_server (fd (use)))
-(allow hal_bluetooth_server hal_bluetooth_client (binder (call transfer)))
-(allow hal_bluetooth_client hal_bluetooth_server (binder (transfer)))
-(allow hal_bluetooth_server hal_bluetooth_client (fd (use)))
-(allow hal_bluetooth_server hal_bluetooth_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_bluetooth_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_183_28_0 hal_bluetooth_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_bluetooth_client hal_bluetooth_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_bluetooth sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_bluetooth self (capability2 (block_suspend)))
-(allow hal_bluetooth self (cap2_userns (block_suspend)))
-(allow hal_bluetooth self (capability (net_admin)))
-(allow hal_bluetooth self (cap_userns (net_admin)))
-(allow hal_bluetooth bluetooth_efs_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_bluetooth bluetooth_efs_file_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_bluetooth bluetooth_efs_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_bluetooth uhid_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_bluetooth hci_attach_dev_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_bluetooth sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_bluetooth sysfs_type (file (ioctl read getattr lock map open)))
-(allow hal_bluetooth sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow hal_bluetooth sysfs_bluetooth_writable_28_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_bluetooth self (capability2 (wake_alarm)))
-(allow hal_bluetooth self (cap2_userns (wake_alarm)))
-(allow hal_bluetooth property_socket_28_0 (sock_file (write)))
-(allow hal_bluetooth init_28_0 (unix_stream_socket (connectto)))
-(allow hal_bluetooth bluetooth_a2dp_offload_prop_28_0 (property_service (set)))
-(allow hal_bluetooth bluetooth_a2dp_offload_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_bluetooth property_socket_28_0 (sock_file (write)))
-(allow hal_bluetooth init_28_0 (unix_stream_socket (connectto)))
-(allow hal_bluetooth bluetooth_prop_28_0 (property_service (set)))
-(allow hal_bluetooth bluetooth_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_bluetooth property_socket_28_0 (sock_file (write)))
-(allow hal_bluetooth init_28_0 (unix_stream_socket (connectto)))
-(allow hal_bluetooth exported_bluetooth_prop_28_0 (property_service (set)))
-(allow hal_bluetooth exported_bluetooth_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_bluetooth proc_bluetooth_writable_28_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_bluetooth self (capability (sys_nice)))
-(allow hal_bluetooth self (cap_userns (sys_nice)))
-(allow hal_bootctl_client hal_bootctl_server (binder (call transfer)))
-(allow hal_bootctl_server hal_bootctl_client (binder (transfer)))
-(allow hal_bootctl_client hal_bootctl_server (fd (use)))
-(allow hal_bootctl_server hal_bootctl_client (binder (call transfer)))
-(allow hal_bootctl_client hal_bootctl_server (binder (transfer)))
-(allow hal_bootctl_server hal_bootctl_client (fd (use)))
-(allow hal_bootctl_server hal_bootctl_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_bootctl_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_184_28_0 hal_bootctl_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_bootctl_client hal_bootctl_hwservice_28_0 (hwservice_manager (find)))
-(dontaudit hal_bootctl self (capability (sys_rawio)))
-(allow hal_broadcastradio_client hal_broadcastradio_server (binder (call transfer)))
-(allow hal_broadcastradio_server hal_broadcastradio_client (binder (transfer)))
-(allow hal_broadcastradio_client hal_broadcastradio_server (fd (use)))
-(allow hal_broadcastradio_server hal_broadcastradio_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_broadcastradio_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_185_28_0 hal_broadcastradio_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_broadcastradio_client hal_broadcastradio_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_camera_client hal_camera_server (binder (call transfer)))
-(allow hal_camera_server hal_camera_client (binder (transfer)))
-(allow hal_camera_client hal_camera_server (fd (use)))
-(allow hal_camera_server hal_camera_client (binder (call transfer)))
-(allow hal_camera_client hal_camera_server (binder (transfer)))
-(allow hal_camera_server hal_camera_client (fd (use)))
-(allow hal_camera_server hal_camera_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_camera_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_186_28_0 hal_camera_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_camera_client hal_camera_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_camera device_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_camera video_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_camera video_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_camera camera_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_camera ion_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_camera_client hal_graphics_allocator (fd (use)))
-(allow hal_camera_server hal_graphics_allocator (fd (use)))
-(allow hal_camera base_typeattr_43_28_0 (fd (use)))
-(allow hal_camera surfaceflinger_28_0 (fd (use)))
-(allow hal_camera hal_allocator_server (fd (use)))
-(neverallow hal_camera_server fs_type (file (execute_no_trans)))
-(neverallow hal_camera_server file_type (file (execute_no_trans)))
-(neverallow hal_camera_server domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow hal_camera_server domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow hal_camera_server domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow base_typeattr_187_28_0 camera_device_28_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow hal_cas_client hal_cas_server (binder (call transfer)))
-(allow hal_cas_server hal_cas_client (binder (transfer)))
-(allow hal_cas_client hal_cas_server (fd (use)))
-(allow hal_cas_server hal_cas_client (binder (call transfer)))
-(allow hal_cas_client hal_cas_server (binder (transfer)))
-(allow hal_cas_server hal_cas_client (fd (use)))
-(allow hal_cas_server hal_cas_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_cas_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_188_28_0 hal_cas_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_cas_client hal_cas_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_cas_server hidl_memory_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_cas_server serialno_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_cas system_data_file_28_0 (file (read getattr)))
-(allow hal_cas cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_cas cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_cas cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_cas cgroup_28_0 (dir (write search)))
-(allow hal_cas cgroup_28_0 (file (write lock append map open)))
-(allow hal_cas ion_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_cas hal_graphics_allocator (fd (use)))
-(allow hal_cas tee_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(neverallow hal_cas_server fs_type (file (execute_no_trans)))
-(neverallow hal_cas_server file_type (file (execute_no_trans)))
-(neverallowx hal_cas_server domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx hal_cas_server domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx hal_cas_server domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx hal_cas_server domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_cas_server domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_cas_server domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_cas_server domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx hal_cas_server domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx hal_cas_server domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_configstore_client hal_configstore_server (binder (call transfer)))
-(allow hal_configstore_server hal_configstore_client (binder (transfer)))
-(allow hal_configstore_client hal_configstore_server (fd (use)))
-(allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs_28_0 (hwservice_manager (find)))
-(allow hal_configstore_server hal_configstore_ISurfaceFlingerConfigs_28_0 (hwservice_manager (add find)))
-(allow hal_configstore_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_189_28_0 hal_configstore_ISurfaceFlingerConfigs_28_0 (hwservice_manager (add)))
-(allow hal_configstore_server su_28_0 (fifo_file (append)))
-(allow hal_configstore_server anr_data_file_28_0 (file (append)))
-(allow hal_configstore_server dumpstate_28_0 (fd (use)))
-(allow hal_configstore_server incidentd_28_0 (fd (use)))
-(allow hal_configstore_server dumpstate_28_0 (fifo_file (write append)))
-(allow hal_configstore_server incidentd_28_0 (fifo_file (write append)))
-(allow hal_configstore_server system_server_28_0 (fifo_file (write append)))
-(allow hal_configstore_server tombstoned_28_0 (unix_stream_socket (connectto)))
-(allow hal_configstore_server tombstoned_28_0 (fd (use)))
-(allow hal_configstore_server tombstoned_crash_socket_28_0 (sock_file (write)))
-(allow hal_configstore_server tombstone_data_file_28_0 (file (append)))
-(neverallow hal_configstore_server fs_type (file (execute_no_trans)))
-(neverallow hal_configstore_server file_type (file (execute_no_trans)))
-(neverallow hal_configstore_server domain (socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow hal_configstore_server domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow hal_configstore_server domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow hal_configstore_server domain (netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(neverallow hal_configstore_server domain (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(neverallow hal_configstore_server domain (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(neverallow hal_configstore_server domain (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
-(neverallow hal_configstore_server domain (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)))
-(neverallow hal_configstore_server domain (netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server domain (netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server base_typeattr_190_28_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(neverallow hal_configstore_server base_typeattr_190_28_0 (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(neverallow hal_configstore_server base_typeattr_191_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow hal_configstore_server base_typeattr_191_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow hal_configstore_server base_typeattr_191_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow hal_configstore_server sdcard_type (dir (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow hal_configstore_server fuse_28_0 (dir (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow hal_configstore_server sdcardfs_28_0 (dir (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow hal_configstore_server vfat_28_0 (dir (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow hal_configstore_server exfat_28_0 (dir (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow hal_configstore_server sdcard_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow hal_configstore_server fuse_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow hal_configstore_server sdcardfs_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow hal_configstore_server vfat_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow hal_configstore_server exfat_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow hal_configstore_server base_typeattr_59_28_0 (service_manager (add find list)))
-(neverallow hal_configstore_server self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(neverallow hal_configstore_server self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(neverallow hal_configstore_server self (cap_userns (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(neverallow hal_configstore_server self (cap2_userns (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(neverallow hal_configstore_server base_typeattr_59_28_0 (process (ptrace)))
-(neverallow hal_configstore_server base_typeattr_59_28_0 (file (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_59_28_0 (dir (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_59_28_0 (lnk_file (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_59_28_0 (chr_file (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_59_28_0 (blk_file (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_59_28_0 (sock_file (relabelfrom relabelto)))
-(neverallow hal_configstore_server base_typeattr_59_28_0 (fifo_file (relabelfrom relabelto)))
-(allow hal_confirmationui_client hal_confirmationui_server (binder (call transfer)))
-(allow hal_confirmationui_server hal_confirmationui_client (binder (transfer)))
-(allow hal_confirmationui_client hal_confirmationui_server (fd (use)))
-(allow hal_confirmationui_server hal_confirmationui_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_confirmationui_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_192_28_0 hal_confirmationui_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_confirmationui_client hal_confirmationui_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_contexthub_client hal_contexthub_server (binder (call transfer)))
-(allow hal_contexthub_server hal_contexthub_client (binder (transfer)))
-(allow hal_contexthub_client hal_contexthub_server (fd (use)))
-(allow hal_contexthub_server hal_contexthub_client (binder (call transfer)))
-(allow hal_contexthub_client hal_contexthub_server (binder (transfer)))
-(allow hal_contexthub_server hal_contexthub_client (fd (use)))
-(allow hal_contexthub_server hal_contexthub_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_contexthub_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_193_28_0 hal_contexthub_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_contexthub_client hal_contexthub_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_drm_client hal_drm_server (binder (call transfer)))
-(allow hal_drm_server hal_drm_client (binder (transfer)))
-(allow hal_drm_client hal_drm_server (fd (use)))
-(allow hal_drm_server hal_drm_client (binder (call transfer)))
-(allow hal_drm_client hal_drm_server (binder (transfer)))
-(allow hal_drm_server hal_drm_client (fd (use)))
-(allow hal_drm_server hal_drm_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_drm_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_194_28_0 hal_drm_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_drm_client hal_drm_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_drm hidl_memory_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_drm self (process (execmem)))
-(allow hal_drm serialno_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_drm system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_drm system_file_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_drm system_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_drm system_data_file_28_0 (file (read getattr)))
-(allow hal_drm cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_drm cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_drm cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_drm cgroup_28_0 (dir (write search)))
-(allow hal_drm cgroup_28_0 (file (write lock append map open)))
-(allow hal_drm ion_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_drm hal_graphics_allocator (fd (use)))
-(allow hal_drm mediaserver_28_0 (fd (use)))
-(allow hal_drm sysfs_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_drm tee_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allowx hal_drm self (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_drm self (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_drm self (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_drm self (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx hal_drm self (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx hal_drm self (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx hal_drm self (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx hal_drm self (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx hal_drm self (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(neverallow hal_drm_server fs_type (file (execute_no_trans)))
-(neverallow hal_drm_server file_type (file (execute_no_trans)))
-(neverallowx hal_drm_server domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx hal_drm_server domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx hal_drm_server domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx hal_drm_server domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_drm_server domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_drm_server domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx hal_drm_server domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx hal_drm_server domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx hal_drm_server domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_dumpstate_client hal_dumpstate_server (binder (call transfer)))
-(allow hal_dumpstate_server hal_dumpstate_client (binder (transfer)))
-(allow hal_dumpstate_client hal_dumpstate_server (fd (use)))
-(allow hal_dumpstate_server hal_dumpstate_client (binder (call transfer)))
-(allow hal_dumpstate_client hal_dumpstate_server (binder (transfer)))
-(allow hal_dumpstate_server hal_dumpstate_client (fd (use)))
-(allow hal_dumpstate_server hal_dumpstate_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_dumpstate_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_195_28_0 hal_dumpstate_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_dumpstate_client hal_dumpstate_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_dumpstate shell_data_file_28_0 (file (write)))
-(allow hal_dumpstate proc_interrupts_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_evs_client hwservicemanager_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 hal_evs_client (binder (call transfer)))
-(allow hwservicemanager_28_0 hal_evs_client (dir (search)))
-(allow hwservicemanager_28_0 hal_evs_client (file (read open)))
-(allow hwservicemanager_28_0 hal_evs_client (process (getattr)))
-(allow hal_evs_server hwservicemanager_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 hal_evs_server (binder (call transfer)))
-(allow hwservicemanager_28_0 hal_evs_server (dir (search)))
-(allow hwservicemanager_28_0 hal_evs_server (file (read open)))
-(allow hwservicemanager_28_0 hal_evs_server (process (getattr)))
-(allow hal_evs_client hal_evs_server (binder (call transfer)))
-(allow hal_evs_server hal_evs_client (binder (transfer)))
-(allow hal_evs_client hal_evs_server (fd (use)))
-(allow hal_evs_server hal_evs_client (binder (call transfer)))
-(allow hal_evs_client hal_evs_server (binder (transfer)))
-(allow hal_evs_server hal_evs_client (fd (use)))
-(allow hal_fingerprint_client hal_fingerprint_server (binder (call transfer)))
-(allow hal_fingerprint_server hal_fingerprint_client (binder (transfer)))
-(allow hal_fingerprint_client hal_fingerprint_server (fd (use)))
-(allow hal_fingerprint_server hal_fingerprint_client (binder (call transfer)))
-(allow hal_fingerprint_client hal_fingerprint_server (binder (transfer)))
-(allow hal_fingerprint_server hal_fingerprint_client (fd (use)))
-(allow hal_fingerprint_server hal_fingerprint_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_fingerprint_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_196_28_0 hal_fingerprint_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_fingerprint_client hal_fingerprint_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_fingerprint ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_fingerprint fingerprint_vendor_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_fingerprint fingerprint_vendor_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow hal_fingerprint cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_fingerprint cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_fingerprint cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_fingerprint sysfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_fingerprint sysfs_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_fingerprint sysfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_gatekeeper_client hal_gatekeeper_server (binder (call transfer)))
-(allow hal_gatekeeper_server hal_gatekeeper_client (binder (transfer)))
-(allow hal_gatekeeper_client hal_gatekeeper_server (fd (use)))
-(allow hal_gatekeeper_server hal_gatekeeper_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_gatekeeper_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_197_28_0 hal_gatekeeper_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_gatekeeper_client hal_gatekeeper_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_gatekeeper tee_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_gatekeeper ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_gnss_client hal_gnss_server (binder (call transfer)))
-(allow hal_gnss_server hal_gnss_client (binder (transfer)))
-(allow hal_gnss_client hal_gnss_server (fd (use)))
-(allow hal_gnss_server hal_gnss_client (binder (call transfer)))
-(allow hal_gnss_client hal_gnss_server (binder (transfer)))
-(allow hal_gnss_server hal_gnss_client (fd (use)))
-(allow hal_gnss_server hal_gnss_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_gnss_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_198_28_0 hal_gnss_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_gnss_client hal_gnss_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_graphics_allocator_client hal_graphics_allocator_server (binder (call transfer)))
-(allow hal_graphics_allocator_server hal_graphics_allocator_client (binder (transfer)))
-(allow hal_graphics_allocator_client hal_graphics_allocator_server (fd (use)))
-(allow hal_graphics_allocator_server hal_graphics_allocator_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_graphics_allocator_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_199_28_0 hal_graphics_allocator_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_graphics_allocator_client hal_graphics_allocator_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_graphics_allocator_client hal_graphics_mapper_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_graphics_allocator gpu_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_graphics_allocator ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_graphics_allocator self (capability (sys_nice)))
-(allow hal_graphics_allocator self (cap_userns (sys_nice)))
-(allow hal_graphics_composer_client hal_graphics_composer_server (binder (call transfer)))
-(allow hal_graphics_composer_server hal_graphics_composer_client (binder (transfer)))
-(allow hal_graphics_composer_client hal_graphics_composer_server (fd (use)))
-(allow hal_graphics_composer_server hal_graphics_composer_client (binder (call transfer)))
-(allow hal_graphics_composer_client hal_graphics_composer_server (binder (transfer)))
-(allow hal_graphics_composer_server hal_graphics_composer_client (fd (use)))
-(allow hal_graphics_composer_server hal_graphics_composer_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_graphics_composer_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_200_28_0 hal_graphics_composer_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_graphics_composer_client hal_graphics_composer_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_graphics_composer_server hal_graphics_mapper_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_graphics_composer gpu_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_graphics_composer ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_graphics_composer hal_graphics_allocator (fd (use)))
-(allow hal_graphics_composer graphics_device_28_0 (dir (search)))
-(allow hal_graphics_composer graphics_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_graphics_composer system_server_28_0 (fd (use)))
-(allow hal_graphics_composer bootanim_28_0 (fd (use)))
-(allow hal_graphics_composer appdomain (fd (use)))
-(allow hal_graphics_composer self (capability (sys_nice)))
-(allow hal_graphics_composer self (cap_userns (sys_nice)))
-(allow hal_health_client hal_health_server (binder (call transfer)))
-(allow hal_health_server hal_health_client (binder (transfer)))
-(allow hal_health_client hal_health_server (fd (use)))
-(allow hal_health_server hal_health_client (binder (call transfer)))
-(allow hal_health_client hal_health_server (binder (transfer)))
-(allow hal_health_server hal_health_client (fd (use)))
-(allow hal_health_server hal_health_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_health_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_201_28_0 hal_health_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_health_client hal_health_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_health system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_health system_file_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_health system_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_health_server self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_health_server sysfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_health_server sysfs_batteryinfo_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_health_server sysfs_batteryinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_health_server sysfs_batteryinfo_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_health_server sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_health_server self (capability2 (block_suspend)))
-(allow hal_health_server self (cap2_userns (block_suspend)))
-(allow hal_health_server kmsg_device_28_0 (chr_file (write lock append map open)))
-(allow hal_ir_client hal_ir_server (binder (call transfer)))
-(allow hal_ir_server hal_ir_client (binder (transfer)))
-(allow hal_ir_client hal_ir_server (fd (use)))
-(allow hal_ir_server hal_ir_client (binder (call transfer)))
-(allow hal_ir_client hal_ir_server (binder (transfer)))
-(allow hal_ir_server hal_ir_client (fd (use)))
-(allow hal_ir_server hal_ir_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_ir_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_202_28_0 hal_ir_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_ir_client hal_ir_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_keymaster_client hal_keymaster_server (binder (call transfer)))
-(allow hal_keymaster_server hal_keymaster_client (binder (transfer)))
-(allow hal_keymaster_client hal_keymaster_server (fd (use)))
-(allow hal_keymaster_server hal_keymaster_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_keymaster_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_203_28_0 hal_keymaster_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_keymaster_client hal_keymaster_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_keymaster tee_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_keymaster ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_light_client hal_light_server (binder (call transfer)))
-(allow hal_light_server hal_light_client (binder (transfer)))
-(allow hal_light_client hal_light_server (fd (use)))
-(allow hal_light_server hal_light_client (binder (call transfer)))
-(allow hal_light_client hal_light_server (binder (transfer)))
-(allow hal_light_server hal_light_client (fd (use)))
-(allow hal_light_server hal_light_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_light_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_204_28_0 hal_light_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_light_client hal_light_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_light sysfs_leds_28_0 (lnk_file (read)))
-(allow hal_light sysfs_leds_28_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_light sysfs_leds_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_lowpan_client hal_lowpan_server (binder (call transfer)))
-(allow hal_lowpan_server hal_lowpan_client (binder (transfer)))
-(allow hal_lowpan_client hal_lowpan_server (fd (use)))
-(allow hal_lowpan_server hal_lowpan_client (binder (call transfer)))
-(allow hal_lowpan_client hal_lowpan_server (binder (transfer)))
-(allow hal_lowpan_server hal_lowpan_client (fd (use)))
-(allow hal_lowpan_server hal_lowpan_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_lowpan_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_205_28_0 hal_lowpan_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_lowpan_client hal_lowpan_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_lowpan_server property_socket_28_0 (sock_file (write)))
-(allow hal_lowpan_server init_28_0 (unix_stream_socket (connectto)))
-(allow hal_lowpan_server lowpan_prop_28_0 (property_service (set)))
-(allow hal_lowpan_server lowpan_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_lowpan_server lowpan_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(neverallow base_typeattr_206_28_0 lowpan_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow hal_memtrack_client hal_memtrack_server (binder (call transfer)))
-(allow hal_memtrack_server hal_memtrack_client (binder (transfer)))
-(allow hal_memtrack_client hal_memtrack_server (fd (use)))
-(allow hal_memtrack_server hal_memtrack_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_memtrack_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_207_28_0 hal_memtrack_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_memtrack_client hal_memtrack_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_neuralnetworks_client hal_neuralnetworks_server (binder (call transfer)))
-(allow hal_neuralnetworks_server hal_neuralnetworks_client (binder (transfer)))
-(allow hal_neuralnetworks_client hal_neuralnetworks_server (fd (use)))
-(allow hal_neuralnetworks_server hal_neuralnetworks_client (binder (call transfer)))
-(allow hal_neuralnetworks_client hal_neuralnetworks_server (binder (transfer)))
-(allow hal_neuralnetworks_server hal_neuralnetworks_client (fd (use)))
-(allow hal_neuralnetworks_server hal_neuralnetworks_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_neuralnetworks_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_208_28_0 hal_neuralnetworks_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_neuralnetworks_client hal_neuralnetworks_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_neuralnetworks hidl_memory_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_neuralnetworks hal_allocator (fd (use)))
-(neverallow base_typeattr_209_28_0 self (capability (net_admin net_raw)))
-(neverallow base_typeattr_209_28_0 self (cap_userns (net_admin net_raw)))
-(neverallow base_typeattr_210_28_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow base_typeattr_210_28_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow base_typeattr_210_28_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow base_typeattr_211_28_0 fs_type (file (execute_no_trans)))
-(neverallow base_typeattr_211_28_0 file_type (file (execute_no_trans)))
-(neverallow base_typeattr_69_28_0 halserverdomain (process (transition)))
-(neverallow base_typeattr_59_28_0 halserverdomain (process (dyntransition)))
-(allow hal_nfc_client hal_nfc_server (binder (call transfer)))
-(allow hal_nfc_server hal_nfc_client (binder (transfer)))
-(allow hal_nfc_client hal_nfc_server (fd (use)))
-(allow hal_nfc_server hal_nfc_client (binder (call transfer)))
-(allow hal_nfc_client hal_nfc_server (binder (transfer)))
-(allow hal_nfc_server hal_nfc_client (fd (use)))
-(allow hal_nfc_server hal_nfc_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_nfc_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_212_28_0 hal_nfc_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_nfc_client hal_nfc_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_nfc property_socket_28_0 (sock_file (write)))
-(allow hal_nfc init_28_0 (unix_stream_socket (connectto)))
-(allow hal_nfc nfc_prop_28_0 (property_service (set)))
-(allow hal_nfc nfc_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_nfc nfc_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_oemlock_client hal_oemlock_server (binder (call transfer)))
-(allow hal_oemlock_server hal_oemlock_client (binder (transfer)))
-(allow hal_oemlock_client hal_oemlock_server (fd (use)))
-(allow hal_oemlock_server hal_oemlock_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_oemlock_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_213_28_0 hal_oemlock_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_oemlock_client hal_oemlock_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_power_client hal_power_server (binder (call transfer)))
-(allow hal_power_server hal_power_client (binder (transfer)))
-(allow hal_power_client hal_power_server (fd (use)))
-(allow hal_power_server hal_power_client (binder (call transfer)))
-(allow hal_power_client hal_power_server (binder (transfer)))
-(allow hal_power_server hal_power_client (fd (use)))
-(allow hal_power_server hal_power_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_power_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_214_28_0 hal_power_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_power_client hal_power_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_secure_element_client hal_secure_element_server (binder (call transfer)))
-(allow hal_secure_element_server hal_secure_element_client (binder (transfer)))
-(allow hal_secure_element_client hal_secure_element_server (fd (use)))
-(allow hal_secure_element_server hal_secure_element_client (binder (call transfer)))
-(allow hal_secure_element_client hal_secure_element_server (binder (transfer)))
-(allow hal_secure_element_server hal_secure_element_client (fd (use)))
-(allow hal_secure_element_server hal_secure_element_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_secure_element_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_215_28_0 hal_secure_element_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_secure_element_client hal_secure_element_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_sensors_client hal_sensors_server (binder (call transfer)))
-(allow hal_sensors_server hal_sensors_client (binder (transfer)))
-(allow hal_sensors_client hal_sensors_server (fd (use)))
-(allow hal_sensors_server hal_sensors_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_sensors_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_216_28_0 hal_sensors_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_sensors_client hal_sensors_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_sensors base_typeattr_43_28_0 (fd (use)))
-(allow hal_sensors hal_allocator (fd (use)))
-(allow hal_sensors self (capability (sys_nice)))
-(allow hal_sensors self (cap_userns (sys_nice)))
-(allow hal_telephony_client hal_telephony_server (binder (call transfer)))
-(allow hal_telephony_server hal_telephony_client (binder (transfer)))
-(allow hal_telephony_client hal_telephony_server (fd (use)))
-(allow hal_telephony_server hal_telephony_client (binder (call transfer)))
-(allow hal_telephony_client hal_telephony_server (binder (transfer)))
-(allow hal_telephony_server hal_telephony_client (fd (use)))
-(allow hal_telephony_server hal_telephony_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_telephony_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_217_28_0 hal_telephony_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_telephony_client hal_telephony_hwservice_28_0 (hwservice_manager (find)))
-(allowx hal_telephony_server self (ioctl udp_socket (0x6900 0x6902)))
-(allowx hal_telephony_server self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx hal_telephony_server self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_telephony_server self (netlink_route_socket (nlmsg_write)))
-(allow hal_telephony_server kernel_28_0 (system (module_request)))
-(allow hal_telephony_server self (capability (setgid setuid setpcap net_admin net_raw)))
-(allow hal_telephony_server self (cap_userns (setgid setuid setpcap net_admin net_raw)))
-(allow hal_telephony_server alarm_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_telephony_server cgroup_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_telephony_server cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_telephony_server cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_telephony_server radio_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_telephony_server radio_device_28_0 (blk_file (ioctl read getattr lock map open)))
-(allow hal_telephony_server mtd_device_28_0 (dir (search)))
-(allow hal_telephony_server efs_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_telephony_server efs_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_telephony_server vendor_shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow hal_telephony_server bluetooth_efs_file_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_telephony_server bluetooth_efs_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_telephony_server property_socket_28_0 (sock_file (write)))
-(allow hal_telephony_server init_28_0 (unix_stream_socket (connectto)))
-(allow hal_telephony_server radio_prop_28_0 (property_service (set)))
-(allow hal_telephony_server radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_telephony_server property_socket_28_0 (sock_file (write)))
-(allow hal_telephony_server init_28_0 (unix_stream_socket (connectto)))
-(allow hal_telephony_server exported_radio_prop_28_0 (property_service (set)))
-(allow hal_telephony_server exported_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_telephony_server property_socket_28_0 (sock_file (write)))
-(allow hal_telephony_server init_28_0 (unix_stream_socket (connectto)))
-(allow hal_telephony_server exported2_radio_prop_28_0 (property_service (set)))
-(allow hal_telephony_server exported2_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_telephony_server property_socket_28_0 (sock_file (write)))
-(allow hal_telephony_server init_28_0 (unix_stream_socket (connectto)))
-(allow hal_telephony_server exported3_radio_prop_28_0 (property_service (set)))
-(allow hal_telephony_server exported3_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_telephony_server tty_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_telephony_server self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_telephony_server self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_telephony_server self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_telephony_server sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_telephony_server self (capability2 (block_suspend)))
-(allow hal_telephony_server self (cap2_userns (block_suspend)))
-(allow hal_telephony_server proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_telephony_server proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_telephony_server proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_telephony_server sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_telephony_server sysfs_type (file (ioctl read getattr lock map open)))
-(allow hal_telephony_server sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow hal_telephony_server system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_telephony_server system_file_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_telephony_server system_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_telephony_server self (socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_tetheroffload_client hal_tetheroffload_server (binder (call transfer)))
-(allow hal_tetheroffload_server hal_tetheroffload_client (binder (transfer)))
-(allow hal_tetheroffload_client hal_tetheroffload_server (fd (use)))
-(allow hal_tetheroffload_server hal_tetheroffload_client (binder (call transfer)))
-(allow hal_tetheroffload_client hal_tetheroffload_server (binder (transfer)))
-(allow hal_tetheroffload_server hal_tetheroffload_client (fd (use)))
-(allow hal_tetheroffload_client hal_tetheroffload_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_tetheroffload_server hal_tetheroffload_client (netlink_netfilter_socket (read write getattr setopt)))
-(allow hal_thermal_client hal_thermal_server (binder (call transfer)))
-(allow hal_thermal_server hal_thermal_client (binder (transfer)))
-(allow hal_thermal_client hal_thermal_server (fd (use)))
-(allow hal_thermal_server hal_thermal_client (binder (call transfer)))
-(allow hal_thermal_client hal_thermal_server (binder (transfer)))
-(allow hal_thermal_server hal_thermal_client (fd (use)))
-(allow hal_thermal_server hal_thermal_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_thermal_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_218_28_0 hal_thermal_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_thermal_client hal_thermal_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_tv_cec_client hal_tv_cec_server (binder (call transfer)))
-(allow hal_tv_cec_server hal_tv_cec_client (binder (transfer)))
-(allow hal_tv_cec_client hal_tv_cec_server (fd (use)))
-(allow hal_tv_cec_server hal_tv_cec_client (binder (call transfer)))
-(allow hal_tv_cec_client hal_tv_cec_server (binder (transfer)))
-(allow hal_tv_cec_server hal_tv_cec_client (fd (use)))
-(allow hal_tv_cec_server hal_tv_cec_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_tv_cec_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_219_28_0 hal_tv_cec_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_tv_cec_client hal_tv_cec_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_tv_input_client hal_tv_input_server (binder (call transfer)))
-(allow hal_tv_input_server hal_tv_input_client (binder (transfer)))
-(allow hal_tv_input_client hal_tv_input_server (fd (use)))
-(allow hal_tv_input_server hal_tv_input_client (binder (call transfer)))
-(allow hal_tv_input_client hal_tv_input_server (binder (transfer)))
-(allow hal_tv_input_server hal_tv_input_client (fd (use)))
-(allow hal_tv_input_server hal_tv_input_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_tv_input_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_220_28_0 hal_tv_input_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_tv_input_client hal_tv_input_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_usb_client hal_usb_server (binder (call transfer)))
-(allow hal_usb_server hal_usb_client (binder (transfer)))
-(allow hal_usb_client hal_usb_server (fd (use)))
-(allow hal_usb_server hal_usb_client (binder (call transfer)))
-(allow hal_usb_client hal_usb_server (binder (transfer)))
-(allow hal_usb_server hal_usb_client (fd (use)))
-(allow hal_usb_server hal_usb_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_usb_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_221_28_0 hal_usb_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_usb_client hal_usb_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_usb self (netlink_kobject_uevent_socket (create)))
-(allow hal_usb self (netlink_kobject_uevent_socket (setopt)))
-(allow hal_usb self (netlink_kobject_uevent_socket (bind)))
-(allow hal_usb self (netlink_kobject_uevent_socket (read)))
-(allow hal_usb sysfs_28_0 (dir (open)))
-(allow hal_usb sysfs_28_0 (dir (read)))
-(allow hal_usb sysfs_28_0 (file (read)))
-(allow hal_usb sysfs_28_0 (file (open)))
-(allow hal_usb sysfs_28_0 (file (write)))
-(allow hal_usb sysfs_28_0 (file (getattr)))
-(allow hal_usb_gadget_client hal_usb_gadget_server (binder (call transfer)))
-(allow hal_usb_gadget_server hal_usb_gadget_client (binder (transfer)))
-(allow hal_usb_gadget_client hal_usb_gadget_server (fd (use)))
-(allow hal_usb_gadget_server hal_usb_gadget_client (binder (call transfer)))
-(allow hal_usb_gadget_client hal_usb_gadget_server (binder (transfer)))
-(allow hal_usb_gadget_server hal_usb_gadget_client (fd (use)))
-(allow hal_usb_gadget_server hal_usb_gadget_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_usb_gadget_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_222_28_0 hal_usb_gadget_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_usb_gadget_client hal_usb_gadget_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_usb_gadget_server configfs_28_0 (lnk_file (read create unlink)))
-(allow hal_usb_gadget_server configfs_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow hal_usb_gadget_server configfs_28_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_usb_gadget_server functionfs_28_0 (dir (read search)))
-(allow hal_usb_gadget_server functionfs_28_0 (file (read)))
-(allow hal_vehicle_client hal_vehicle_server (binder (call transfer)))
-(allow hal_vehicle_server hal_vehicle_client (binder (transfer)))
-(allow hal_vehicle_client hal_vehicle_server (fd (use)))
-(allow hal_vehicle_server hal_vehicle_client (binder (call transfer)))
-(allow hal_vehicle_client hal_vehicle_server (binder (transfer)))
-(allow hal_vehicle_server hal_vehicle_client (fd (use)))
-(allow hal_vehicle_server hal_vehicle_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_vehicle_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_223_28_0 hal_vehicle_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_vehicle_client hal_vehicle_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_vibrator_client hal_vibrator_server (binder (call transfer)))
-(allow hal_vibrator_server hal_vibrator_client (binder (transfer)))
-(allow hal_vibrator_client hal_vibrator_server (fd (use)))
-(allow hal_vibrator_server hal_vibrator_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_vibrator_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_224_28_0 hal_vibrator_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_vibrator_client hal_vibrator_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_vibrator sysfs_vibrator_28_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_vibrator sysfs_vibrator_28_0 (dir (search)))
-(allow hal_vr_client hal_vr_server (binder (call transfer)))
-(allow hal_vr_server hal_vr_client (binder (transfer)))
-(allow hal_vr_client hal_vr_server (fd (use)))
-(allow hal_vr_server hal_vr_client (binder (call transfer)))
-(allow hal_vr_client hal_vr_server (binder (transfer)))
-(allow hal_vr_server hal_vr_client (fd (use)))
-(allow hal_vr_server hal_vr_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_vr_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_225_28_0 hal_vr_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_vr_client hal_vr_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_weaver_client hal_weaver_server (binder (call transfer)))
-(allow hal_weaver_server hal_weaver_client (binder (transfer)))
-(allow hal_weaver_client hal_weaver_server (fd (use)))
-(allow hal_weaver_server hal_weaver_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_weaver_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_226_28_0 hal_weaver_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_weaver_client hal_weaver_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_wifi_client hal_wifi_server (binder (call transfer)))
-(allow hal_wifi_server hal_wifi_client (binder (transfer)))
-(allow hal_wifi_client hal_wifi_server (fd (use)))
-(allow hal_wifi_server hal_wifi_client (binder (call transfer)))
-(allow hal_wifi_client hal_wifi_server (binder (transfer)))
-(allow hal_wifi_server hal_wifi_client (fd (use)))
-(allow hal_wifi_server hal_wifi_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_wifi_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_227_28_0 hal_wifi_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_wifi_client hal_wifi_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_wifi proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_wifi proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_wifi proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_wifi sysfs_type (file (ioctl read getattr lock map open)))
-(allow hal_wifi sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi property_socket_28_0 (sock_file (write)))
-(allow hal_wifi init_28_0 (unix_stream_socket (connectto)))
-(allow hal_wifi exported_wifi_prop_28_0 (property_service (set)))
-(allow hal_wifi exported_wifi_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_wifi property_socket_28_0 (sock_file (write)))
-(allow hal_wifi init_28_0 (unix_stream_socket (connectto)))
-(allow hal_wifi wifi_prop_28_0 (property_service (set)))
-(allow hal_wifi wifi_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_wifi self (udp_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx hal_wifi self (ioctl udp_socket (0x8914 0x8924)))
-(allow hal_wifi self (capability (net_admin net_raw)))
-(allow hal_wifi self (cap_userns (net_admin net_raw)))
-(allow hal_wifi self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi sysfs_wlan_fwpath_28_0 (file (write lock append map open)))
-(allow hal_wifi proc_modules_28_0 (file (read getattr open)))
-(allow hal_wifi_server tombstone_wifi_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow hal_wifi_server tombstone_wifi_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_wifi_hostapd_client hal_wifi_hostapd_server (binder (call transfer)))
-(allow hal_wifi_hostapd_server hal_wifi_hostapd_client (binder (transfer)))
-(allow hal_wifi_hostapd_client hal_wifi_hostapd_server (fd (use)))
-(allow hal_wifi_hostapd_server hal_wifi_hostapd_client (binder (call transfer)))
-(allow hal_wifi_hostapd_client hal_wifi_hostapd_server (binder (transfer)))
-(allow hal_wifi_hostapd_server hal_wifi_hostapd_client (fd (use)))
-(allow hal_wifi_hostapd_server hal_wifi_hostapd_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_wifi_hostapd_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_228_28_0 hal_wifi_hostapd_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_wifi_hostapd_server self (capability (net_admin net_raw)))
-(allow hal_wifi_hostapd_server self (cap_userns (net_admin net_raw)))
-(allow hal_wifi_hostapd_server sysfs_net_28_0 (dir (search)))
-(allow hal_wifi_hostapd_server proc_net_28_0 (file (read getattr open)))
-(allowx hal_wifi_hostapd_server self (ioctl udp_socket (0x6900 0x6902)))
-(allowx hal_wifi_hostapd_server self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx hal_wifi_hostapd_server self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_wifi_hostapd_server self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi_hostapd_server self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi_hostapd_server self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi_hostapd_server self (netlink_route_socket (nlmsg_write)))
-(neverallow hal_wifi_hostapd_server sdcard_type (dir (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow hal_wifi_hostapd_server sdcard_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow hal_wifi_offload_client hal_wifi_offload_server (binder (call transfer)))
-(allow hal_wifi_offload_server hal_wifi_offload_client (binder (transfer)))
-(allow hal_wifi_offload_client hal_wifi_offload_server (fd (use)))
-(allow hal_wifi_offload_server hal_wifi_offload_client (binder (call transfer)))
-(allow hal_wifi_offload_client hal_wifi_offload_server (binder (transfer)))
-(allow hal_wifi_offload_server hal_wifi_offload_client (fd (use)))
-(allow hal_wifi_offload_server hal_wifi_offload_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_wifi_offload_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_229_28_0 hal_wifi_offload_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_wifi_offload_client hal_wifi_offload_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_wifi_offload proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_offload proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_wifi_offload proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi_offload sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_offload sysfs_type (file (ioctl read getattr lock map open)))
-(allow hal_wifi_offload sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (binder (call transfer)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (binder (transfer)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (fd (use)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (binder (call transfer)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (binder (transfer)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (fd (use)))
-(allow hal_wifi_supplicant_server hal_wifi_supplicant_hwservice_28_0 (hwservice_manager (add find)))
-(allow hal_wifi_supplicant_server hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_230_28_0 hal_wifi_supplicant_hwservice_28_0 (hwservice_manager (add)))
-(allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice_28_0 (hwservice_manager (find)))
-(allowx hal_wifi_supplicant self (ioctl udp_socket (0x6900 0x6902)))
-(allowx hal_wifi_supplicant self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx hal_wifi_supplicant self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow hal_wifi_supplicant sysfs_type (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_supplicant sysfs_type (file (ioctl read getattr lock map open)))
-(allow hal_wifi_supplicant sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi_supplicant proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_wifi_supplicant proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_wifi_supplicant proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hal_wifi_supplicant kernel_28_0 (system (module_request)))
-(allow hal_wifi_supplicant self (capability (setgid setuid net_admin net_raw)))
-(allow hal_wifi_supplicant self (cap_userns (setgid setuid net_admin net_raw)))
-(allow hal_wifi_supplicant cgroup_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_wifi_supplicant self (netlink_route_socket (nlmsg_write)))
-(allow hal_wifi_supplicant self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi_supplicant self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow hal_wifi_supplicant self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (0x6900 0x6902)))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x8906 0x8907)) ((range 0x890b 0x890d)) ((range 0x8910 0x8927)) 0x8929 ((range 0x8930 0x8939)) ((range 0x8940 0x8943)) ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x8b00 0x8b02)) ((range 0x8b04 0x8b1d)) ((range 0x8b20 0x8b2d)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallow hal_wifi_supplicant_server sdcard_type (dir (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow hal_wifi_supplicant_server sdcard_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow healthd_28_0 kmsg_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow healthd_28_0 sysfs_type (dir (search)))
-(allow healthd_28_0 rootfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_28_0 rootfs_28_0 (file (ioctl read getattr lock map open)))
-(allow healthd_28_0 rootfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow healthd_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow healthd_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow healthd_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_28_0 system_file_28_0 (file (ioctl read getattr lock map open)))
-(allow healthd_28_0 system_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow healthd_28_0 self (capability (sys_tty_config)))
-(allow healthd_28_0 self (cap_userns (sys_tty_config)))
-(allow healthd_28_0 self (capability (sys_boot)))
-(allow healthd_28_0 self (cap_userns (sys_boot)))
-(allow healthd_28_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow healthd_28_0 sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow healthd_28_0 self (capability2 (block_suspend)))
-(allow healthd_28_0 self (cap2_userns (block_suspend)))
-(allow healthd_28_0 sysfs_power_28_0 (file (ioctl read write getattr lock append map open)))
-(allow healthd_28_0 sysfs_usb_28_0 (file (write)))
-(allow healthd_28_0 sysfs_batteryinfo_28_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_28_0 sysfs_batteryinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow healthd_28_0 sysfs_batteryinfo_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow healthd_28_0 pstorefs_28_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_28_0 pstorefs_28_0 (file (ioctl read getattr lock map open)))
-(allow healthd_28_0 graphics_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_28_0 graphics_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow healthd_28_0 input_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow healthd_28_0 input_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow healthd_28_0 tty_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow healthd_28_0 ashmem_device_28_0 (chr_file (execute)))
-(allow healthd_28_0 self (process (execmem)))
-(allow healthd_28_0 proc_sysrq_28_0 (file (ioctl read write getattr lock append map open)))
-(allow healthd_28_0 property_socket_28_0 (sock_file (write)))
-(allow healthd_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow healthd_28_0 system_prop_28_0 (property_service (set)))
-(allow healthd_28_0 system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow healthd_28_0 property_socket_28_0 (sock_file (write)))
-(allow healthd_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow healthd_28_0 exported_system_prop_28_0 (property_service (set)))
-(allow healthd_28_0 exported_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow healthd_28_0 property_socket_28_0 (sock_file (write)))
-(allow healthd_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow healthd_28_0 exported2_system_prop_28_0 (property_service (set)))
-(allow healthd_28_0 exported2_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow healthd_28_0 property_socket_28_0 (sock_file (write)))
-(allow healthd_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow healthd_28_0 exported3_system_prop_28_0 (property_service (set)))
-(allow healthd_28_0 exported3_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hwservicemanager_28_0 self (binder (set_context_mgr)))
-(allow hwservicemanager_28_0 property_socket_28_0 (sock_file (write)))
-(allow hwservicemanager_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow hwservicemanager_28_0 hwservicemanager_prop_28_0 (property_service (set)))
-(allow hwservicemanager_28_0 hwservicemanager_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow hwservicemanager_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow hwservicemanager_28_0 hwservice_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow hwservicemanager_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow hwservicemanager_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow hwservicemanager_28_0 selinuxfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow hwservicemanager_28_0 selinuxfs_28_0 (file (write lock append map open)))
-(allow hwservicemanager_28_0 kernel_28_0 (security (compute_av)))
-(allow hwservicemanager_28_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow idmap_28_0 installd_28_0 (fd (use)))
-(allow idmap_28_0 resourcecache_data_file_28_0 (file (read write getattr)))
-(dontaudit idmap_28_0 installd_28_0 (file (read)))
-(allow idmap_28_0 apk_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow idmap_28_0 apk_data_file_28_0 (dir (search)))
-(allow idmap_28_0 vendor_app_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow idmap_28_0 vendor_app_file_28_0 (file (ioctl read getattr lock map open)))
-(allow idmap_28_0 vendor_app_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow idmap_28_0 vendor_overlay_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow idmap_28_0 vendor_overlay_file_28_0 (file (ioctl read getattr lock map open)))
-(allow idmap_28_0 vendor_overlay_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 tmpfs_28_0 (chr_file (ioctl read write create getattr setattr lock append map unlink open)))
-(allow init_28_0 tmpfs_28_0 (chr_file (relabelfrom)))
-(allow init_28_0 kmsg_device_28_0 (chr_file (write relabelto)))
-(allow init_28_0 kmsg_debug_device_28_0 (chr_file (write relabelto)))
-(allow init_28_0 properties_device_28_0 (dir (relabelto)))
-(allow init_28_0 properties_serial_28_0 (file (write relabelto)))
-(allow init_28_0 property_type (file (ioctl read write create getattr setattr lock relabelto append map unlink rename open)))
-(allow init_28_0 properties_device_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_28_0 property_info_28_0 (file (relabelto)))
-(allow init_28_0 device_28_0 (file (relabelfrom)))
-(allow init_28_0 runtime_event_log_tags_file_28_0 (file (write create setattr relabelto open)))
-(allow init_28_0 device_28_0 (dir (relabelto)))
-(allow init_28_0 socket_device_28_0 (dir (relabelto)))
-(allow init_28_0 random_device_28_0 (chr_file (relabelto)))
-(allow init_28_0 tmpfs_28_0 (chr_file (relabelfrom)))
-(allow init_28_0 tmpfs_28_0 (blk_file (relabelfrom)))
-(allow init_28_0 tmpfs_28_0 (blk_file (getattr)))
-(allow init_28_0 block_device_28_0 (dir (relabelto)))
-(allow init_28_0 block_device_28_0 (lnk_file (relabelto)))
-(allow init_28_0 block_device_28_0 (blk_file (relabelto)))
-(allow init_28_0 dm_device_28_0 (chr_file (relabelto)))
-(allow init_28_0 dm_device_28_0 (blk_file (relabelto)))
-(allow init_28_0 kernel_28_0 (fd (use)))
-(allow init_28_0 tmpfs_28_0 (lnk_file (read getattr relabelfrom)))
-(allow init_28_0 system_block_device_28_0 (lnk_file (relabelto)))
-(allow init_28_0 system_block_device_28_0 (blk_file (relabelto)))
-(allow init_28_0 recovery_block_device_28_0 (lnk_file (relabelto)))
-(allow init_28_0 recovery_block_device_28_0 (blk_file (relabelto)))
-(allow init_28_0 misc_block_device_28_0 (lnk_file (relabelto)))
-(allow init_28_0 misc_block_device_28_0 (blk_file (relabelto)))
-(allow init_28_0 self (capability (sys_resource)))
-(allow init_28_0 self (cap_userns (sys_resource)))
-(allow init_28_0 tmpfs_28_0 (file (unlink)))
-(allow init_28_0 devpts_28_0 (chr_file (read write open)))
-(allow init_28_0 fscklogs_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_28_0 tmpfs_28_0 (chr_file (write)))
-(allow init_28_0 console_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow init_28_0 tty_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow init_28_0 self (capability (sys_admin)))
-(allow init_28_0 self (cap_userns (sys_admin)))
-(allow init_28_0 rootfs_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_28_0 rootfs_28_0 (dir (mounton)))
-(allow init_28_0 cgroup_28_0 (dir (mounton)))
-(allow init_28_0 system_file_28_0 (dir (mounton)))
-(allow init_28_0 vendor_file_28_0 (dir (mounton)))
-(allow init_28_0 system_data_file_28_0 (dir (mounton)))
-(allow init_28_0 storage_file_28_0 (dir (mounton)))
-(allow init_28_0 postinstall_mnt_dir_28_0 (dir (mounton)))
-(allow init_28_0 cache_file_28_0 (dir (mounton)))
-(allow init_28_0 cgroup_bpf_28_0 (dir (create mounton)))
-(allow init_28_0 fs_bpf_28_0 (dir (mounton)))
-(allow init_28_0 device_28_0 (dir (mounton)))
-(allow init_28_0 rootfs_28_0 (lnk_file (create unlink)))
-(allow init_28_0 sysfs_28_0 (dir (mounton)))
-(allow init_28_0 tmpfs_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_28_0 tmpfs_28_0 (dir (mounton)))
-(allow init_28_0 cgroup_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow init_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 cpuctl_device_28_0 (dir (create mounton)))
-(allow init_28_0 configfs_28_0 (dir (mounton)))
-(allow init_28_0 configfs_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_28_0 configfs_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_28_0 configfs_28_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_28_0 metadata_file_28_0 (dir (mounton)))
-(allow init_28_0 tmpfs_28_0 (dir (relabelfrom)))
-(allow init_28_0 self (capability (dac_override)))
-(allow init_28_0 self (cap_userns (dac_override)))
-(allow init_28_0 self (capability (sys_time)))
-(allow init_28_0 self (cap_userns (sys_time)))
-(allow init_28_0 self (capability (sys_rawio mknod)))
-(allow init_28_0 self (cap_userns (sys_rawio mknod)))
-(allow init_28_0 dev_type (blk_file (ioctl read getattr lock map open)))
-(allow init_28_0 fs_type (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget)))
-(allow init_28_0 unlabeled_28_0 (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget)))
-(allow init_28_0 contextmount_type (filesystem (relabelto)))
-(allow init_28_0 contextmount_type (dir (ioctl read getattr lock search open)))
-(allow init_28_0 contextmount_type (file (ioctl read getattr lock map open)))
-(allow init_28_0 contextmount_type (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 contextmount_type (sock_file (ioctl read getattr lock map open)))
-(allow init_28_0 contextmount_type (fifo_file (ioctl read getattr lock map open)))
-(allow init_28_0 rootfs_28_0 (file (relabelfrom)))
-(allow init_28_0 rootfs_28_0 (dir (relabelfrom)))
-(allow init_28_0 self (capability (chown fowner fsetid)))
-(allow init_28_0 self (cap_userns (chown fowner fsetid)))
-(allow init_28_0 base_typeattr_231_28_0 (dir (ioctl read create getattr setattr search open)))
-(allow init_28_0 base_typeattr_232_28_0 (dir (write relabelfrom add_name remove_name rmdir)))
-(allow init_28_0 base_typeattr_233_28_0 (file (read write create getattr setattr relabelfrom unlink open)))
-(allow init_28_0 base_typeattr_232_28_0 (sock_file (read create getattr setattr relabelfrom unlink open)))
-(allow init_28_0 base_typeattr_232_28_0 (fifo_file (read create getattr setattr relabelfrom unlink open)))
-(allow init_28_0 base_typeattr_232_28_0 (lnk_file (create getattr setattr relabelfrom unlink)))
-(allow init_28_0 cache_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 base_typeattr_234_28_0 (file (relabelto)))
-(allow init_28_0 base_typeattr_234_28_0 (dir (relabelto)))
-(allow init_28_0 base_typeattr_234_28_0 (lnk_file (relabelto)))
-(allow init_28_0 base_typeattr_234_28_0 (chr_file (relabelto)))
-(allow init_28_0 base_typeattr_234_28_0 (blk_file (relabelto)))
-(allow init_28_0 base_typeattr_234_28_0 (sock_file (relabelto)))
-(allow init_28_0 base_typeattr_234_28_0 (fifo_file (relabelto)))
-(allow init_28_0 sysfs_28_0 (file (getattr relabelfrom)))
-(allow init_28_0 sysfs_28_0 (dir (getattr relabelfrom)))
-(allow init_28_0 sysfs_28_0 (lnk_file (getattr relabelfrom)))
-(allow init_28_0 debugfs_28_0 (file (getattr relabelfrom)))
-(allow init_28_0 debugfs_28_0 (dir (getattr relabelfrom)))
-(allow init_28_0 debugfs_28_0 (lnk_file (getattr relabelfrom)))
-(allow init_28_0 debugfs_tracing_28_0 (file (getattr relabelfrom)))
-(allow init_28_0 debugfs_tracing_28_0 (dir (getattr relabelfrom)))
-(allow init_28_0 debugfs_tracing_28_0 (lnk_file (getattr relabelfrom)))
-(allow init_28_0 debugfs_tracing_debug_28_0 (file (getattr relabelfrom)))
-(allow init_28_0 debugfs_tracing_debug_28_0 (dir (getattr relabelfrom)))
-(allow init_28_0 debugfs_tracing_debug_28_0 (lnk_file (getattr relabelfrom)))
-(allow init_28_0 sysfs_type (file (getattr relabelto)))
-(allow init_28_0 sysfs_type (dir (getattr relabelto)))
-(allow init_28_0 sysfs_type (lnk_file (getattr relabelto)))
-(allow init_28_0 debugfs_type (file (getattr relabelto)))
-(allow init_28_0 debugfs_type (dir (getattr relabelto)))
-(allow init_28_0 debugfs_type (lnk_file (getattr relabelto)))
-(allow init_28_0 dev_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_28_0 dev_type (lnk_file (create)))
-(allow init_28_0 debugfs_tracing_28_0 (file (write lock append map open)))
-(allow init_28_0 debugfs_tracing_instances_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_28_0 debugfs_tracing_instances_28_0 (file (write lock append map open)))
-(allow init_28_0 debugfs_wifi_tracing_28_0 (file (write lock append map open)))
-(allow init_28_0 base_typeattr_235_28_0 (file (read setattr open)))
-(allow init_28_0 base_typeattr_236_28_0 (dir (read setattr search open)))
-(allow init_28_0 base_typeattr_237_28_0 (chr_file (read open)))
-(auditallow init_28_0 base_typeattr_238_28_0 (chr_file (read open)))
-(allow init_28_0 base_typeattr_239_28_0 (chr_file (setattr)))
-(allow init_28_0 unlabeled_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
-(allow init_28_0 unlabeled_28_0 (file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
-(allow init_28_0 unlabeled_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
-(allow init_28_0 unlabeled_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
-(allow init_28_0 unlabeled_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
-(allow init_28_0 kernel_28_0 (system (syslog_mod)))
-(allow init_28_0 self (capability2 (syslog)))
-(allow init_28_0 self (cap2_userns (syslog)))
-(allow init_28_0 proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow init_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 proc_cmdline_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 proc_diskstats_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 proc_kmsg_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 proc_meminfo_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 proc_stat_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 proc_uptime_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 proc_version_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 proc_overcommit_memory_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_min_free_order_shift_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_abi_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_dirty_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_extra_free_kbytes_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_hostname_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_hung_task_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_max_map_count_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_net_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_page_cluster_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_panic_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_perf_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_sched_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_sysrq_28_0 (file (write lock append map open)))
-(allow init_28_0 proc_security_28_0 (file (ioctl read write getattr lock append map open)))
-(allow init_28_0 sysfs_android_usb_28_0 (file (write lock append map open)))
-(allow init_28_0 sysfs_leds_28_0 (file (write lock append map open)))
-(allow init_28_0 sysfs_power_28_0 (file (write lock append map open)))
-(allow init_28_0 sysfs_dt_firmware_android_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 sysfs_zram_28_0 (file (ioctl read write getattr lock append map open)))
-(allow init_28_0 sysfs_vibrator_28_0 (file (write lock append map open)))
-(allow init_28_0 sysfs_android_usb_28_0 (file (setattr)))
-(allow init_28_0 sysfs_ipv4_28_0 (file (setattr)))
-(allow init_28_0 sysfs_leds_28_0 (file (setattr)))
-(allow init_28_0 sysfs_wake_lock_28_0 (file (setattr)))
-(allow init_28_0 sysfs_power_28_0 (file (setattr)))
-(allow init_28_0 sysfs_devices_system_cpu_28_0 (file (setattr)))
-(allow init_28_0 sysfs_lowmemorykiller_28_0 (file (setattr)))
-(allow init_28_0 sysfs_vibrator_28_0 (file (setattr)))
-(allow init_28_0 usermodehelper_28_0 (file (ioctl read write getattr lock append map open)))
-(allow init_28_0 sysfs_usermodehelper_28_0 (file (ioctl read write getattr lock append map open)))
-(allow init_28_0 self (capability (net_admin)))
-(allow init_28_0 self (cap_userns (net_admin)))
-(allow init_28_0 self (capability (sys_boot)))
-(allow init_28_0 self (cap_userns (sys_boot)))
-(allow init_28_0 misc_logd_file_28_0 (dir (read write create getattr setattr add_name search open)))
-(allow init_28_0 misc_logd_file_28_0 (file (write create getattr setattr open)))
-(allow init_28_0 self (capability (kill)))
-(allow init_28_0 self (cap_userns (kill)))
-(allow init_28_0 domain (process (sigkill signal getpgid)))
-(allow init_28_0 keystore_data_file_28_0 (dir (read create getattr setattr search open)))
-(allow init_28_0 keystore_data_file_28_0 (file (getattr)))
-(allow init_28_0 vold_data_file_28_0 (dir (read create getattr setattr search open)))
-(allow init_28_0 vold_data_file_28_0 (file (getattr)))
-(allow init_28_0 shell_data_file_28_0 (dir (read create getattr setattr search open)))
-(allow init_28_0 shell_data_file_28_0 (file (getattr)))
-(allow init_28_0 self (capability (setgid setuid setpcap)))
-(allow init_28_0 self (cap_userns (setgid setuid setpcap)))
-(allow init_28_0 domain (dir (ioctl read getattr lock search open)))
-(allow init_28_0 domain (file (ioctl read getattr lock map open)))
-(allow init_28_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 self (process (setexec setfscreate setsockcreate)))
-(allow init_28_0 file_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 sepolicy_file_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow init_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 selinuxfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 selinuxfs_28_0 (file (write lock append map open)))
-(allow init_28_0 kernel_28_0 (security (compute_av)))
-(allow init_28_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow init_28_0 kernel_28_0 (security (compute_create)))
-(allow init_28_0 domain (unix_stream_socket (create bind setopt)))
-(allow init_28_0 domain (unix_dgram_socket (create bind setopt)))
-(allow init_28_0 property_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_28_0 property_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_28_0 property_type (property_service (set)))
-(allow init_28_0 self (netlink_audit_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_relay)))
-(allow init_28_0 self (capability (audit_write)))
-(allow init_28_0 self (cap_userns (audit_write)))
-(allow init_28_0 self (udp_socket (ioctl create)))
-(allowx init_28_0 self (ioctl udp_socket (0x8914)))
-(allow init_28_0 self (capability (net_raw)))
-(allow init_28_0 self (cap_userns (net_raw)))
-(allow init_28_0 kernel_28_0 (process (setsched)))
-(allow init_28_0 swap_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow init_28_0 hw_random_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow init_28_0 device_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_28_0 self (capability (sys_tty_config)))
-(allow init_28_0 self (cap_userns (sys_tty_config)))
-(allow init_28_0 keychord_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow init_28_0 dm_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow init_28_0 dm_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow init_28_0 metadata_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow init_28_0 pstorefs_28_0 (dir (search)))
-(allow init_28_0 pstorefs_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 kernel_28_0 (system (syslog_read)))
-(allow init_28_0 init_28_0 (key (write search setattr)))
-(allow init_28_0 unencrypted_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_28_0 proc_overcommit_memory_28_0 (file (write)))
-(allow init_28_0 misc_block_device_28_0 (blk_file (write lock append map open)))
-(allow init_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow init_28_0 system_file_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 system_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 vendor_file_type (dir (ioctl read getattr lock search open)))
-(allow init_28_0 vendor_file_type (file (ioctl read getattr lock map open)))
-(allow init_28_0 vendor_file_type (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 system_data_file_28_0 (file (read getattr)))
-(allow init_28_0 system_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 vendor_shell_exec_28_0 (file (execute)))
-(allow init_28_0 vold_metadata_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow init_28_0 vold_metadata_file_28_0 (file (getattr)))
-(neverallow domain init_28_0 (process (dyntransition)))
-(neverallow base_typeattr_78_28_0 init_28_0 (process (transition)))
-(neverallow init_28_0 base_typeattr_240_28_0 (file (entrypoint)))
-(neverallow init_28_0 shell_data_file_28_0 (lnk_file (read)))
-(neverallow init_28_0 app_data_file_28_0 (lnk_file (read)))
-(neverallow init_28_0 fs_type (file (execute_no_trans)))
-(neverallow init_28_0 file_type (file (execute_no_trans)))
-(neverallow init_28_0 service_manager_type (service_manager (add find)))
-(neverallow init_28_0 servicemanager_28_0 (service_manager (list)))
-(neverallow init_28_0 shell_data_file_28_0 (dir (write add_name remove_name)))
-(neverallow init_28_0 sysfs_28_0 (file (read write open)))
-(allow inputflinger_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 inputflinger_28_0 (dir (search)))
-(allow servicemanager_28_0 inputflinger_28_0 (file (read open)))
-(allow servicemanager_28_0 inputflinger_28_0 (process (getattr)))
-(allow inputflinger_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 inputflinger_28_0 (binder (transfer)))
-(allow inputflinger_28_0 system_server_28_0 (fd (use)))
-(allow inputflinger_28_0 sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow inputflinger_28_0 self (capability2 (block_suspend)))
-(allow inputflinger_28_0 self (cap2_userns (block_suspend)))
-(allow inputflinger_28_0 inputflinger_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_241_28_0 inputflinger_service_28_0 (service_manager (add)))
-(allow inputflinger_28_0 input_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow inputflinger_28_0 input_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow inputflinger_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow inputflinger_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow inputflinger_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow install_recovery_28_0 self (capability (dac_override)))
-(allow install_recovery_28_0 self (cap_userns (dac_override)))
-(allow install_recovery_28_0 shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow install_recovery_28_0 system_file_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow install_recovery_28_0 toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow install_recovery_28_0 block_device_28_0 (dir (search)))
-(allow install_recovery_28_0 boot_block_device_28_0 (blk_file (ioctl read getattr lock map open)))
-(allow install_recovery_28_0 recovery_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow install_recovery_28_0 cache_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow install_recovery_28_0 cache_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow install_recovery_28_0 proc_drop_caches_28_0 (file (write lock append map open)))
-(allow installd_28_0 self (capability (chown dac_override fowner fsetid setgid setuid sys_admin)))
-(allow installd_28_0 self (cap_userns (chown dac_override fowner fsetid setgid setuid sys_admin)))
-(allow installd_28_0 dalvikcache_data_file_28_0 (dir (relabelto)))
-(allow installd_28_0 dalvikcache_data_file_28_0 (file (relabelto link)))
-(allow installd_28_0 apk_data_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 apk_data_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom append map unlink link rename open)))
-(allow installd_28_0 apk_data_file_28_0 (lnk_file (ioctl read create getattr lock map unlink open)))
-(allow installd_28_0 asec_apk_file_28_0 (file (ioctl read getattr lock map open)))
-(allow installd_28_0 apk_tmp_file_28_0 (file (ioctl read getattr lock map unlink open)))
-(allow installd_28_0 apk_tmp_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 oemfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow installd_28_0 oemfs_28_0 (file (ioctl read getattr lock map open)))
-(allow installd_28_0 cgroup_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 mnt_expand_file_28_0 (dir (getattr search)))
-(allow installd_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow installd_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow installd_28_0 selinuxfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow installd_28_0 selinuxfs_28_0 (file (write lock append map open)))
-(allow installd_28_0 kernel_28_0 (security (check_context)))
-(allow installd_28_0 rootfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow installd_28_0 rootfs_28_0 (file (ioctl read getattr lock map open)))
-(allow installd_28_0 rootfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow installd_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow installd_28_0 system_file_28_0 (file (ioctl read getattr lock map open)))
-(allow installd_28_0 system_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow installd_28_0 vendor_app_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow installd_28_0 vendor_app_file_28_0 (file (ioctl read getattr lock map open)))
-(allow installd_28_0 vendor_app_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow installd_28_0 vendor_overlay_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow installd_28_0 vendor_overlay_file_28_0 (file (ioctl read getattr lock map open)))
-(allow installd_28_0 vendor_overlay_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow installd_28_0 file_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow installd_28_0 seapp_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow installd_28_0 asec_image_file_28_0 (dir (search)))
-(allow installd_28_0 asec_image_file_28_0 (file (getattr)))
-(allow installd_28_0 system_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 system_data_file_28_0 (lnk_file (read create getattr setattr unlink)))
-(allow installd_28_0 media_rw_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 media_rw_data_file_28_0 (file (getattr unlink)))
-(allow installd_28_0 system_data_file_28_0 (dir (relabelfrom)))
-(allow installd_28_0 media_rw_data_file_28_0 (dir (relabelto)))
-(allow installd_28_0 tmpfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow installd_28_0 storage_file_28_0 (dir (search)))
-(allow installd_28_0 sdcardfs_28_0 (dir (read write getattr remove_name search rmdir open)))
-(allow installd_28_0 sdcardfs_28_0 (file (getattr unlink)))
-(allow installd_28_0 misc_user_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 misc_user_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_28_0 keychain_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 keychain_data_file_28_0 (file (ioctl read getattr lock map unlink open)))
-(allow installd_28_0 install_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_28_0 dalvikcache_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 dalvikcache_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_28_0 dalvikcache_data_file_28_0 (lnk_file (getattr)))
-(allow installd_28_0 resourcecache_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow installd_28_0 resourcecache_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_28_0 unlabeled_28_0 (dir (ioctl read write getattr lock relabelfrom add_name remove_name search rmdir open)))
-(allow installd_28_0 unlabeled_28_0 (file (getattr setattr relabelfrom unlink rename)))
-(allow installd_28_0 unlabeled_28_0 (lnk_file (getattr setattr relabelfrom unlink rename)))
-(allow installd_28_0 unlabeled_28_0 (sock_file (getattr setattr relabelfrom unlink rename)))
-(allow installd_28_0 unlabeled_28_0 (fifo_file (getattr setattr relabelfrom unlink rename)))
-(allow installd_28_0 unlabeled_28_0 (file (ioctl read getattr lock map open)))
-(allow installd_28_0 system_data_file_28_0 (file (getattr relabelfrom unlink)))
-(allow installd_28_0 system_data_file_28_0 (lnk_file (getattr relabelfrom unlink)))
-(allow installd_28_0 system_data_file_28_0 (sock_file (getattr relabelfrom unlink)))
-(allow installd_28_0 system_data_file_28_0 (fifo_file (getattr relabelfrom unlink)))
-(allow installd_28_0 shell_data_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 bluetooth_data_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 nfc_data_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 radio_data_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 app_data_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 system_app_data_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 shell_data_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 shell_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 shell_data_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 shell_data_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 bluetooth_data_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 bluetooth_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 bluetooth_data_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 bluetooth_data_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 nfc_data_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 nfc_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 nfc_data_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 nfc_data_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 radio_data_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 radio_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 radio_data_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 radio_data_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 app_data_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 app_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 app_data_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 app_data_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 system_app_data_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 system_app_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 system_app_data_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 system_app_data_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
-(allow installd_28_0 user_profile_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow installd_28_0 user_profile_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow installd_28_0 user_profile_data_file_28_0 (dir (rmdir)))
-(allow installd_28_0 user_profile_data_file_28_0 (file (unlink)))
-(allow installd_28_0 profman_dump_data_file_28_0 (dir (write add_name search)))
-(allow installd_28_0 profman_dump_data_file_28_0 (file (write create setattr open)))
-(allow installd_28_0 devpts_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow installd_28_0 toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow installd_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 installd_28_0 (dir (search)))
-(allow servicemanager_28_0 installd_28_0 (file (read open)))
-(allow servicemanager_28_0 installd_28_0 (process (getattr)))
-(allow installd_28_0 installd_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_242_28_0 installd_service_28_0 (service_manager (add)))
-(allow installd_28_0 dumpstate_28_0 (fifo_file (write getattr)))
-(allow installd_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 installd_28_0 (binder (transfer)))
-(allow installd_28_0 system_server_28_0 (fd (use)))
-(allow installd_28_0 permission_service_28_0 (service_manager (find)))
-(allow installd_28_0 block_device_28_0 (dir (search)))
-(allow installd_28_0 labeledfs_28_0 (filesystem (quotamod quotaget)))
-(allow installd_28_0 preloads_data_file_28_0 (file (ioctl read getattr lock map unlink open)))
-(allow installd_28_0 preloads_data_file_28_0 (dir (ioctl read write getattr lock remove_name search rmdir open)))
-(allow installd_28_0 preloads_media_file_28_0 (file (ioctl read getattr lock map unlink open)))
-(allow installd_28_0 preloads_media_file_28_0 (dir (ioctl read write getattr lock remove_name search rmdir open)))
-(neverallow base_typeattr_243_28_0 installd_service_28_0 (service_manager (find)))
-(neverallow base_typeattr_244_28_0 installd_28_0 (binder (call)))
-(neverallow installd_28_0 base_typeattr_245_28_0 (binder (call)))
-(allow kernel_28_0 self (capability (sys_nice)))
-(allow kernel_28_0 self (cap_userns (sys_nice)))
-(allow kernel_28_0 rootfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow kernel_28_0 rootfs_28_0 (file (ioctl read getattr lock map open)))
-(allow kernel_28_0 rootfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow kernel_28_0 proc_cmdline_28_0 (file (ioctl read getattr lock map open)))
-(allow kernel_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow kernel_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow kernel_28_0 file_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow kernel_28_0 rootfs_28_0 (file (relabelfrom)))
-(allow kernel_28_0 init_exec_28_0 (file (relabelto)))
-(allow kernel_28_0 init_28_0 (process (share)))
-(allow kernel_28_0 unlabeled_28_0 (dir (search)))
-(allow kernel_28_0 usbfs_28_0 (filesystem (mount)))
-(allow kernel_28_0 usbfs_28_0 (dir (search)))
-(dontaudit kernel_28_0 self (security (setenforce)))
-(allow kernel_28_0 self (capability (sys_resource)))
-(allow kernel_28_0 self (cap_userns (sys_resource)))
-(allow kernel_28_0 self (capability (sys_boot)))
-(allow kernel_28_0 self (cap_userns (sys_boot)))
-(allow kernel_28_0 proc_sysrq_28_0 (file (write lock append map open)))
-(allow kernel_28_0 tmpfs_28_0 (chr_file (write)))
-(allow kernel_28_0 selinuxfs_28_0 (file (write)))
-(allow kernel_28_0 self (security (setcheckreqprot)))
-(allow kernel_28_0 sdcard_type (file (read write)))
-(allow kernel_28_0 mediaprovider_28_0 (fd (use)))
-(allow kernel_28_0 vold_28_0 (fd (use)))
-(allow kernel_28_0 app_data_file_28_0 (file (read)))
-(allow kernel_28_0 asec_image_file_28_0 (file (read)))
-(allow kernel_28_0 update_engine_data_file_28_0 (file (read)))
-(allow kernel_28_0 nativetest_data_file_28_0 (file (read write)))
-(allow kernel_28_0 media_rw_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow kernel_28_0 media_rw_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow kernel_28_0 vold_data_file_28_0 (file (read)))
-(neverallow base_typeattr_59_28_0 kernel_28_0 (process (transition dyntransition)))
-(neverallow kernel_28_0 base_typeattr_59_28_0 (file (execute_no_trans entrypoint)))
-(neverallow kernel_28_0 self (capability (dac_override dac_read_search)))
-(neverallow kernel_28_0 self (cap_userns (dac_override dac_read_search)))
-(allow keystore_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 keystore_28_0 (dir (search)))
-(allow servicemanager_28_0 keystore_28_0 (file (read open)))
-(allow servicemanager_28_0 keystore_28_0 (process (getattr)))
-(allow keystore_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 keystore_28_0 (binder (transfer)))
-(allow keystore_28_0 system_server_28_0 (fd (use)))
-(allow keystore_28_0 keystore_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow keystore_28_0 keystore_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow keystore_28_0 keystore_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow keystore_28_0 keystore_data_file_28_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow keystore_28_0 keystore_data_file_28_0 (fifo_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow keystore_28_0 keystore_exec_28_0 (file (getattr)))
-(allow keystore_28_0 keystore_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_246_28_0 keystore_service_28_0 (service_manager (add)))
-(allow keystore_28_0 sec_key_att_app_id_provider_service_28_0 (service_manager (find)))
-(allow keystore_28_0 dropbox_service_28_0 (service_manager (find)))
-(allow keystore_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow keystore_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow keystore_28_0 selinuxfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow keystore_28_0 selinuxfs_28_0 (file (write lock append map open)))
-(allow keystore_28_0 kernel_28_0 (security (compute_av)))
-(allow keystore_28_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow keystore_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow keystore_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow keystore_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_246_28_0 keystore_data_file_28_0 (dir (write lock relabelfrom append map unlink link rename execute quotaon mounton add_name remove_name reparent rmdir audit_access execmod)))
-(neverallow base_typeattr_246_28_0 keystore_data_file_28_0 (file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_246_28_0 keystore_data_file_28_0 (lnk_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_246_28_0 keystore_data_file_28_0 (sock_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_246_28_0 keystore_data_file_28_0 (fifo_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_247_28_0 keystore_data_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow base_typeattr_247_28_0 keystore_data_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_247_28_0 keystore_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_247_28_0 keystore_data_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_247_28_0 keystore_data_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_59_28_0 keystore_28_0 (process (ptrace)))
-(allow lmkd_28_0 self (capability (dac_override kill sys_resource)))
-(allow lmkd_28_0 self (cap_userns (dac_override kill sys_resource)))
-(allow lmkd_28_0 self (capability (ipc_lock)))
-(allow lmkd_28_0 self (cap_userns (ipc_lock)))
-(allow lmkd_28_0 appdomain (dir (ioctl read getattr lock search open)))
-(allow lmkd_28_0 appdomain (file (ioctl read getattr lock map open)))
-(allow lmkd_28_0 appdomain (lnk_file (ioctl read getattr lock map open)))
-(allow lmkd_28_0 appdomain (file (write)))
-(allow lmkd_28_0 system_server_28_0 (dir (ioctl read getattr lock search open)))
-(allow lmkd_28_0 system_server_28_0 (file (ioctl read getattr lock map open)))
-(allow lmkd_28_0 system_server_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow lmkd_28_0 system_server_28_0 (file (write)))
-(allow lmkd_28_0 sysfs_lowmemorykiller_28_0 (dir (ioctl read getattr lock search open)))
-(allow lmkd_28_0 sysfs_lowmemorykiller_28_0 (file (ioctl read getattr lock map open)))
-(allow lmkd_28_0 sysfs_lowmemorykiller_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow lmkd_28_0 sysfs_lowmemorykiller_28_0 (file (write lock append map open)))
-(allow lmkd_28_0 appdomain (process (sigkill)))
-(allow lmkd_28_0 cgroup_28_0 (dir (remove_name rmdir)))
-(allow lmkd_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow lmkd_28_0 self (capability (sys_nice)))
-(allow lmkd_28_0 self (cap_userns (sys_nice)))
-(allow lmkd_28_0 proc_zoneinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow lmkd_28_0 domain (dir (read search open)))
-(allow lmkd_28_0 domain (file (read open)))
-(allow lmkd_28_0 proc_sysrq_28_0 (file (ioctl read write getattr lock append map open)))
-(allow lmkd_28_0 proc_meminfo_28_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_59_28_0 lmkd_28_0 (process (noatsecure)))
-(allow logd_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow logd_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow logd_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow logd_28_0 proc_kmsg_28_0 (dir (ioctl read getattr lock search open)))
-(allow logd_28_0 proc_kmsg_28_0 (file (ioctl read getattr lock map open)))
-(allow logd_28_0 proc_kmsg_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow logd_28_0 proc_meminfo_28_0 (dir (ioctl read getattr lock search open)))
-(allow logd_28_0 proc_meminfo_28_0 (file (ioctl read getattr lock map open)))
-(allow logd_28_0 proc_meminfo_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow logd_28_0 proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow logd_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow logd_28_0 proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow logd_28_0 self (capability (setgid setuid setpcap sys_nice audit_control)))
-(allow logd_28_0 self (cap_userns (setgid setuid setpcap sys_nice audit_control)))
-(allow logd_28_0 self (capability2 (syslog)))
-(allow logd_28_0 self (cap2_userns (syslog)))
-(allow logd_28_0 self (netlink_audit_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_write)))
-(allow logd_28_0 kernel_28_0 (system (syslog_read)))
-(allow logd_28_0 kmsg_device_28_0 (chr_file (write lock append map open)))
-(allow logd_28_0 system_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow logd_28_0 system_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow logd_28_0 pstorefs_28_0 (dir (search)))
-(allow logd_28_0 pstorefs_28_0 (file (ioctl read getattr lock map open)))
-(allow logd_28_0 misc_logd_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow logd_28_0 misc_logd_file_28_0 (file (ioctl read write getattr lock append map open)))
-(allow logd_28_0 runtime_event_log_tags_file_28_0 (file (ioctl read write getattr lock append map open)))
-(allow logd_28_0 device_logging_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow logd_28_0 domain (dir (ioctl read getattr lock search open)))
-(allow logd_28_0 domain (file (ioctl read getattr lock map open)))
-(allow logd_28_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow logd_28_0 kernel_28_0 (system (syslog_mod)))
-(allow logd_28_0 logd_socket_28_0 (sock_file (write)))
-(allow logd_28_0 logd_28_0 (unix_stream_socket (connectto)))
-(allow logd_28_0 runtime_event_log_tags_file_28_0 (file (ioctl read getattr lock map open)))
-(allow runtime_event_log_tags_file_28_0 tmpfs_28_0 (filesystem (associate)))
-(dontaudit domain runtime_event_log_tags_file_28_0 (file (read open)))
-(neverallow logd_28_0 dev_type (blk_file (read write)))
-(neverallow logd_28_0 domain (process (ptrace)))
-(neverallow base_typeattr_248_28_0 logd_28_0 (process (ptrace)))
-(neverallow logd_28_0 system_file_28_0 (file (write)))
-(neverallow logd_28_0 system_file_28_0 (dir (write)))
-(neverallow logd_28_0 system_file_28_0 (lnk_file (write)))
-(neverallow logd_28_0 system_file_28_0 (chr_file (write)))
-(neverallow logd_28_0 system_file_28_0 (blk_file (write)))
-(neverallow logd_28_0 system_file_28_0 (sock_file (write)))
-(neverallow logd_28_0 system_file_28_0 (fifo_file (write)))
-(neverallow logd_28_0 system_data_file_28_0 (file (write)))
-(neverallow logd_28_0 system_data_file_28_0 (dir (write)))
-(neverallow logd_28_0 system_data_file_28_0 (lnk_file (write)))
-(neverallow logd_28_0 system_data_file_28_0 (chr_file (write)))
-(neverallow logd_28_0 system_data_file_28_0 (blk_file (write)))
-(neverallow logd_28_0 system_data_file_28_0 (sock_file (write)))
-(neverallow logd_28_0 system_data_file_28_0 (fifo_file (write)))
-(neverallow logd_28_0 app_data_file_28_0 (file (write)))
-(neverallow logd_28_0 app_data_file_28_0 (dir (write)))
-(neverallow logd_28_0 app_data_file_28_0 (lnk_file (write)))
-(neverallow logd_28_0 app_data_file_28_0 (chr_file (write)))
-(neverallow logd_28_0 app_data_file_28_0 (blk_file (write)))
-(neverallow logd_28_0 app_data_file_28_0 (sock_file (write)))
-(neverallow logd_28_0 app_data_file_28_0 (fifo_file (write)))
-(neverallow base_typeattr_69_28_0 logd_28_0 (process (transition)))
-(neverallow base_typeattr_59_28_0 logd_28_0 (process (dyntransition)))
-(neverallow base_typeattr_249_28_0 runtime_event_log_tags_file_28_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow logpersist_28_0 dev_type (blk_file (read write)))
-(neverallow logpersist_28_0 domain (process (ptrace)))
-(neverallow logpersist_28_0 system_data_file_28_0 (file (write)))
-(neverallow logpersist_28_0 system_data_file_28_0 (dir (write)))
-(neverallow logpersist_28_0 system_data_file_28_0 (lnk_file (write)))
-(neverallow logpersist_28_0 system_data_file_28_0 (chr_file (write)))
-(neverallow logpersist_28_0 system_data_file_28_0 (blk_file (write)))
-(neverallow logpersist_28_0 system_data_file_28_0 (sock_file (write)))
-(neverallow logpersist_28_0 system_data_file_28_0 (fifo_file (write)))
-(neverallow logpersist_28_0 app_data_file_28_0 (file (write)))
-(neverallow logpersist_28_0 app_data_file_28_0 (dir (write)))
-(neverallow logpersist_28_0 app_data_file_28_0 (lnk_file (write)))
-(neverallow logpersist_28_0 app_data_file_28_0 (chr_file (write)))
-(neverallow logpersist_28_0 app_data_file_28_0 (blk_file (write)))
-(neverallow logpersist_28_0 app_data_file_28_0 (sock_file (write)))
-(neverallow logpersist_28_0 app_data_file_28_0 (fifo_file (write)))
-(neverallow base_typeattr_59_28_0 logpersist_28_0 (process (dyntransition)))
-(allow mediacodec_28_0 hwservicemanager_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow mediacodec_28_0 vndbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediacodec_28_0 vndservicemanager_28_0 (binder (call transfer)))
-(allow vndservicemanager_28_0 mediacodec_28_0 (dir (search)))
-(allow vndservicemanager_28_0 mediacodec_28_0 (file (read open)))
-(allow vndservicemanager_28_0 mediacodec_28_0 (process (getattr)))
-(allow mediacodec_28_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediacodec_28_0 (binder (transfer)))
-(allow mediacodec_28_0 binderservicedomain (fd (use)))
-(allow mediacodec_28_0 appdomain (binder (call transfer)))
-(allow appdomain mediacodec_28_0 (binder (transfer)))
-(allow mediacodec_28_0 appdomain (fd (use)))
-(allow mediacodec_28_0 hal_graphics_composer (fd (use)))
-(allow mediacodec_28_0 gpu_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediacodec_28_0 video_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediacodec_28_0 video_device_28_0 (dir (search)))
-(allow mediacodec_28_0 ion_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediacodec_28_0 hal_camera (fd (use)))
-(allow mediacodec_28_0 su_28_0 (fifo_file (append)))
-(allow mediacodec_28_0 anr_data_file_28_0 (file (append)))
-(allow mediacodec_28_0 dumpstate_28_0 (fd (use)))
-(allow mediacodec_28_0 incidentd_28_0 (fd (use)))
-(allow mediacodec_28_0 dumpstate_28_0 (fifo_file (write append)))
-(allow mediacodec_28_0 incidentd_28_0 (fifo_file (write append)))
-(allow mediacodec_28_0 system_server_28_0 (fifo_file (write append)))
-(allow mediacodec_28_0 tombstoned_28_0 (unix_stream_socket (connectto)))
-(allow mediacodec_28_0 tombstoned_28_0 (fd (use)))
-(allow mediacodec_28_0 tombstoned_crash_socket_28_0 (sock_file (write)))
-(allow mediacodec_28_0 tombstone_data_file_28_0 (file (append)))
-(allow mediacodec_28_0 hal_codec2_hwservice_28_0 (hwservice_manager (add find)))
-(allow mediacodec_28_0 hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_250_28_0 hal_codec2_hwservice_28_0 (hwservice_manager (add)))
-(allow mediacodec_28_0 hal_omx_hwservice_28_0 (hwservice_manager (add find)))
-(allow mediacodec_28_0 hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_250_28_0 hal_omx_hwservice_28_0 (hwservice_manager (add)))
-(allow mediacodec_28_0 bufferhubd_28_0 (fd (use)))
-(neverallow mediacodec_28_0 fs_type (file (execute_no_trans)))
-(neverallow mediacodec_28_0 file_type (file (execute_no_trans)))
-(neverallow mediacodec_28_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow mediacodec_28_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow mediacodec_28_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow mediadrmserver_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 mediadrmserver_28_0 (dir (search)))
-(allow servicemanager_28_0 mediadrmserver_28_0 (file (read open)))
-(allow servicemanager_28_0 mediadrmserver_28_0 (process (getattr)))
-(allow mediadrmserver_28_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediadrmserver_28_0 (binder (transfer)))
-(allow mediadrmserver_28_0 binderservicedomain (fd (use)))
-(allow mediadrmserver_28_0 appdomain (binder (call transfer)))
-(allow appdomain mediadrmserver_28_0 (binder (transfer)))
-(allow mediadrmserver_28_0 appdomain (fd (use)))
-(allow mediadrmserver_28_0 mediadrmserver_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_251_28_0 mediadrmserver_service_28_0 (service_manager (add)))
-(allow mediadrmserver_28_0 mediaserver_service_28_0 (service_manager (find)))
-(allow mediadrmserver_28_0 mediametrics_service_28_0 (service_manager (find)))
-(allow mediadrmserver_28_0 processinfo_service_28_0 (service_manager (find)))
-(allow mediadrmserver_28_0 surfaceflinger_service_28_0 (service_manager (find)))
-(allow mediadrmserver_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow mediadrmserver_28_0 mediacodec_28_0 (binder (call transfer)))
-(allow mediacodec_28_0 mediadrmserver_28_0 (binder (transfer)))
-(allow mediadrmserver_28_0 mediacodec_28_0 (fd (use)))
-(neverallow mediadrmserver_28_0 fs_type (file (execute_no_trans)))
-(neverallow mediadrmserver_28_0 file_type (file (execute_no_trans)))
-(neverallowx mediadrmserver_28_0 domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx mediadrmserver_28_0 domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx mediadrmserver_28_0 domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx mediadrmserver_28_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediadrmserver_28_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediadrmserver_28_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediadrmserver_28_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediadrmserver_28_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediadrmserver_28_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow mediaextractor_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 mediaextractor_28_0 (dir (search)))
-(allow servicemanager_28_0 mediaextractor_28_0 (file (read open)))
-(allow servicemanager_28_0 mediaextractor_28_0 (process (getattr)))
-(allow mediaextractor_28_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediaextractor_28_0 (binder (transfer)))
-(allow mediaextractor_28_0 binderservicedomain (fd (use)))
-(allow mediaextractor_28_0 appdomain (binder (call transfer)))
-(allow appdomain mediaextractor_28_0 (binder (transfer)))
-(allow mediaextractor_28_0 appdomain (fd (use)))
-(allow mediaextractor_28_0 mediaextractor_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_252_28_0 mediaextractor_service_28_0 (service_manager (add)))
-(allow mediaextractor_28_0 mediametrics_service_28_0 (service_manager (find)))
-(allow mediaextractor_28_0 hidl_token_hwservice_28_0 (hwservice_manager (find)))
-(allow mediaextractor_28_0 system_server_28_0 (fd (use)))
-(allow mediaextractor_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow mediaextractor_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow mediaextractor_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow mediaextractor_28_0 proc_meminfo_28_0 (file (ioctl read getattr lock map open)))
-(allow mediaextractor_28_0 su_28_0 (fifo_file (append)))
-(allow mediaextractor_28_0 anr_data_file_28_0 (file (append)))
-(allow mediaextractor_28_0 dumpstate_28_0 (fd (use)))
-(allow mediaextractor_28_0 incidentd_28_0 (fd (use)))
-(allow mediaextractor_28_0 dumpstate_28_0 (fifo_file (write append)))
-(allow mediaextractor_28_0 incidentd_28_0 (fifo_file (write append)))
-(allow mediaextractor_28_0 system_server_28_0 (fifo_file (write append)))
-(allow mediaextractor_28_0 tombstoned_28_0 (unix_stream_socket (connectto)))
-(allow mediaextractor_28_0 tombstoned_28_0 (fd (use)))
-(allow mediaextractor_28_0 tombstoned_crash_socket_28_0 (sock_file (write)))
-(allow mediaextractor_28_0 tombstone_data_file_28_0 (file (append)))
-(allow mediaextractor_28_0 sdcardfs_28_0 (file (read getattr)))
-(allow mediaextractor_28_0 media_rw_data_file_28_0 (file (read getattr)))
-(allow mediaextractor_28_0 app_data_file_28_0 (file (read getattr)))
-(allow mediaextractor_28_0 apk_data_file_28_0 (file (read getattr)))
-(allow mediaextractor_28_0 asec_apk_file_28_0 (file (read getattr)))
-(allow mediaextractor_28_0 ringtone_file_28_0 (file (read getattr)))
-(allow mediaextractor_28_0 system_file_28_0 (dir (read open)))
-(allow mediaextractor_28_0 mediaextractor_update_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_252_28_0 mediaextractor_update_service_28_0 (service_manager (add)))
-(allow mediaextractor_28_0 apk_data_file_28_0 (dir (search)))
-(allow mediaextractor_28_0 apk_data_file_28_0 (file (execute open)))
-(neverallow mediaextractor_28_0 fs_type (file (execute_no_trans)))
-(neverallow mediaextractor_28_0 file_type (file (execute_no_trans)))
-(neverallow mediaextractor_28_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow mediaextractor_28_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow mediaextractor_28_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow mediaextractor_28_0 base_typeattr_253_28_0 (file (open)))
-(allow mediametrics_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 mediametrics_28_0 (dir (search)))
-(allow servicemanager_28_0 mediametrics_28_0 (file (read open)))
-(allow servicemanager_28_0 mediametrics_28_0 (process (getattr)))
-(allow mediametrics_28_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediametrics_28_0 (binder (transfer)))
-(allow mediametrics_28_0 binderservicedomain (fd (use)))
-(allow mediametrics_28_0 mediametrics_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_254_28_0 mediametrics_service_28_0 (service_manager (add)))
-(allow mediametrics_28_0 system_server_28_0 (fd (use)))
-(allow mediametrics_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow mediametrics_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow mediametrics_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow mediametrics_28_0 proc_meminfo_28_0 (file (ioctl read getattr lock map open)))
-(allow mediametrics_28_0 app_data_file_28_0 (file (write)))
-(allow mediametrics_28_0 package_native_service_28_0 (service_manager (find)))
-(neverallow mediametrics_28_0 fs_type (file (execute_no_trans)))
-(neverallow mediametrics_28_0 file_type (file (execute_no_trans)))
-(neverallow mediametrics_28_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(neverallow mediametrics_28_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(neverallow mediametrics_28_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow mediaserver_28_0 sdcard_type (dir (ioctl read getattr lock search open)))
-(allow mediaserver_28_0 sdcard_type (file (ioctl read getattr lock map open)))
-(allow mediaserver_28_0 sdcard_type (lnk_file (ioctl read getattr lock map open)))
-(allow mediaserver_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow mediaserver_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow mediaserver_28_0 proc_28_0 (lnk_file (getattr)))
-(allow mediaserver_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_28_0 self (process (ptrace)))
-(allow mediaserver_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 mediaserver_28_0 (dir (search)))
-(allow servicemanager_28_0 mediaserver_28_0 (file (read open)))
-(allow servicemanager_28_0 mediaserver_28_0 (process (getattr)))
-(allow mediaserver_28_0 binderservicedomain (binder (call transfer)))
-(allow binderservicedomain mediaserver_28_0 (binder (transfer)))
-(allow mediaserver_28_0 binderservicedomain (fd (use)))
-(allow mediaserver_28_0 appdomain (binder (call transfer)))
-(allow appdomain mediaserver_28_0 (binder (transfer)))
-(allow mediaserver_28_0 appdomain (fd (use)))
-(allow mediaserver_28_0 media_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow mediaserver_28_0 media_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow mediaserver_28_0 app_data_file_28_0 (dir (search)))
-(allow mediaserver_28_0 app_data_file_28_0 (file (ioctl read write getattr lock append map open)))
-(allow mediaserver_28_0 sdcard_type (file (write)))
-(allow mediaserver_28_0 gpu_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediaserver_28_0 video_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_28_0 video_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediaserver_28_0 property_socket_28_0 (sock_file (write)))
-(allow mediaserver_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow mediaserver_28_0 audio_prop_28_0 (property_service (set)))
-(allow mediaserver_28_0 audio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow mediaserver_28_0 apk_data_file_28_0 (file (read getattr)))
-(allow mediaserver_28_0 asec_apk_file_28_0 (file (read getattr)))
-(allow mediaserver_28_0 ringtone_file_28_0 (file (read getattr)))
-(allow mediaserver_28_0 radio_data_file_28_0 (file (read getattr)))
-(allow mediaserver_28_0 appdomain (fifo_file (read write getattr)))
-(allow mediaserver_28_0 rpmsg_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow mediaserver_28_0 system_server_28_0 (fifo_file (ioctl read getattr lock map open)))
-(allow mediaserver_28_0 media_rw_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow mediaserver_28_0 media_rw_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow mediaserver_28_0 media_rw_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow mediaserver_28_0 app_fuse_file_28_0 (file (read getattr)))
-(allow mediaserver_28_0 qtaguid_proc_28_0 (file (ioctl read write getattr lock append map open)))
-(allow mediaserver_28_0 qtaguid_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow mediaserver_28_0 drmserver_socket_28_0 (sock_file (write)))
-(allow mediaserver_28_0 drmserver_28_0 (unix_stream_socket (connectto)))
-(allow mediaserver_28_0 bluetooth_socket_28_0 (sock_file (write)))
-(allow mediaserver_28_0 bluetooth_28_0 (unix_stream_socket (connectto)))
-(allow mediaserver_28_0 mediaserver_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_255_28_0 mediaserver_service_28_0 (service_manager (add)))
-(allow mediaserver_28_0 activity_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 appops_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 audioserver_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 cameraserver_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 batterystats_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 drmserver_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 mediaextractor_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 mediacodec_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 mediametrics_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 media_session_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 permission_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 power_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 processinfo_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 scheduling_policy_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 surfaceflinger_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 mediadrmserver_service_28_0 (service_manager (find)))
-(allow mediaserver_28_0 hidl_token_hwservice_28_0 (hwservice_manager (find)))
-(allow mediaserver_28_0 oemfs_28_0 (dir (search)))
-(allow mediaserver_28_0 oemfs_28_0 (file (ioctl read getattr lock map open)))
-(allow drmserver_28_0 mediaserver_28_0 (dir (search)))
-(allow drmserver_28_0 mediaserver_28_0 (file (read open)))
-(allow drmserver_28_0 mediaserver_28_0 (process (getattr)))
-(allow mediaserver_28_0 drmserver_28_0 (drmservice (consumeRights setPlaybackStatus openDecryptSession closeDecryptSession initializeDecryptUnit decrypt finalizeDecryptUnit pread)))
-(allowx mediaserver_28_0 self (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx mediaserver_28_0 self (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx mediaserver_28_0 self (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
-(allowx mediaserver_28_0 self (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx mediaserver_28_0 self (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx mediaserver_28_0 self (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
-(allowx mediaserver_28_0 self (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx mediaserver_28_0 self (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allowx mediaserver_28_0 self (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
-(allow mediaserver_28_0 media_rw_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow mediaserver_28_0 media_rw_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow mediaserver_28_0 preloads_media_file_28_0 (file (ioctl read getattr)))
-(allow mediaserver_28_0 ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow mediaserver_28_0 hal_graphics_allocator (fd (use)))
-(allow mediaserver_28_0 hal_graphics_composer (fd (use)))
-(allow mediaserver_28_0 hal_camera (fd (use)))
-(allow mediaserver_28_0 system_server_28_0 (fd (use)))
-(allow mediaserver_28_0 mediacodec_28_0 (binder (call transfer)))
-(allow mediacodec_28_0 mediaserver_28_0 (binder (transfer)))
-(allow mediaserver_28_0 mediacodec_28_0 (fd (use)))
-(neverallow mediaserver_28_0 fs_type (file (execute_no_trans)))
-(neverallow mediaserver_28_0 file_type (file (execute_no_trans)))
-(neverallowx mediaserver_28_0 domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx mediaserver_28_0 domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx mediaserver_28_0 domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx mediaserver_28_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediaserver_28_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediaserver_28_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx mediaserver_28_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediaserver_28_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx mediaserver_28_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow modprobe_28_0 proc_modules_28_0 (file (ioctl read getattr lock map open)))
-(allow modprobe_28_0 self (capability (sys_module)))
-(allow modprobe_28_0 self (cap_userns (sys_module)))
-(allow modprobe_28_0 kernel_28_0 (key (search)))
-(allow mtp_28_0 self (socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow mtp_28_0 self (capability (net_raw)))
-(allow mtp_28_0 self (cap_userns (net_raw)))
-(allow mtp_28_0 ppp_28_0 (process (signal)))
-(allow mtp_28_0 vpn_data_file_28_0 (dir (search)))
-(allowx netd_28_0 self (ioctl udp_socket (0x6900 0x6902)))
-(allowx netd_28_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx netd_28_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow netd_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow netd_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow netd_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow netd_28_0 system_server_28_0 (fd (use)))
-(allow netd_28_0 self (capability (kill net_admin net_raw)))
-(allow netd_28_0 self (cap_userns (kill net_admin net_raw)))
-(dontaudit netd_28_0 self (capability (fsetid)))
-(dontaudit netd_28_0 self (cap_userns (fsetid)))
-(allow netd_28_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_28_0 self (netlink_route_socket (nlmsg_write)))
-(allow netd_28_0 self (netlink_nflog_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_28_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_28_0 self (netlink_tcpdiag_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write)))
-(allow netd_28_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_28_0 self (netlink_netfilter_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow netd_28_0 shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow netd_28_0 system_file_28_0 (file (getattr map execute execute_no_trans)))
-(allow netd_28_0 devpts_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow netd_28_0 system_file_28_0 (file (lock)))
-(allow netd_28_0 qtaguid_proc_28_0 (file (ioctl read write getattr lock append map open)))
-(allow netd_28_0 qtaguid_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow netd_28_0 proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow netd_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow netd_28_0 proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow netd_28_0 proc_net_28_0 (file (ioctl read write getattr lock append map open)))
-(allow netd_28_0 sysfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow netd_28_0 sysfs_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow netd_28_0 sysfs_net_28_0 (file (ioctl read getattr lock map open)))
-(allow netd_28_0 sysfs_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow netd_28_0 sysfs_net_28_0 (file (write lock append map open)))
-(allow netd_28_0 sysfs_usb_28_0 (file (write)))
-(allow netd_28_0 fs_bpf_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow netd_28_0 fs_bpf_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow netd_28_0 self (capability (chown dac_override)))
-(allow netd_28_0 self (cap_userns (chown dac_override)))
-(allow netd_28_0 net_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow netd_28_0 net_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow netd_28_0 self (capability (fowner)))
-(allow netd_28_0 self (cap_userns (fowner)))
-(allow netd_28_0 system_file_28_0 (file (lock)))
-(allow netd_28_0 dnsmasq_28_0 (process (signal)))
-(allow netd_28_0 clatd_28_0 (process (signal)))
-(allow netd_28_0 property_socket_28_0 (sock_file (write)))
-(allow netd_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow netd_28_0 ctl_mdnsd_prop_28_0 (property_service (set)))
-(allow netd_28_0 ctl_mdnsd_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow netd_28_0 property_socket_28_0 (sock_file (write)))
-(allow netd_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow netd_28_0 netd_stable_secret_prop_28_0 (property_service (set)))
-(allow netd_28_0 netd_stable_secret_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow netd_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 netd_28_0 (dir (search)))
-(allow servicemanager_28_0 netd_28_0 (file (read open)))
-(allow servicemanager_28_0 netd_28_0 (process (getattr)))
-(allow netd_28_0 netd_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_256_28_0 netd_service_28_0 (service_manager (add)))
-(allow netd_28_0 dumpstate_28_0 (fifo_file (write getattr)))
-(allow netd_28_0 system_server_28_0 (binder (call)))
-(allow netd_28_0 permission_service_28_0 (service_manager (find)))
-(allow netd_28_0 netd_listener_service_28_0 (service_manager (find)))
-(allow netd_28_0 netdomain (tcp_socket (read write getattr setattr getopt setopt)))
-(allow netd_28_0 netdomain (udp_socket (read write getattr setattr getopt setopt)))
-(allow netd_28_0 netdomain (rawip_socket (read write getattr setattr getopt setopt)))
-(allow netd_28_0 netdomain (tun_socket (read write getattr setattr getopt setopt)))
-(allow netd_28_0 netdomain (fd (use)))
-(allow netd_28_0 self (netlink_xfrm_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write)))
-(allow netd_28_0 self (bpf (map_create map_read map_write)))
-(allow netd_28_0 system_net_netd_hwservice_28_0 (hwservice_manager (add find)))
-(allow netd_28_0 hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_256_28_0 system_net_netd_hwservice_28_0 (hwservice_manager (add)))
-(allow netd_28_0 hwservicemanager_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 netd_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 netd_28_0 (dir (search)))
-(allow hwservicemanager_28_0 netd_28_0 (file (read open)))
-(allow hwservicemanager_28_0 netd_28_0 (process (getattr)))
-(allow netd_28_0 hwservicemanager_prop_28_0 (file (ioctl read getattr lock map open)))
-(neverallow netd_28_0 dev_type (blk_file (read write)))
-(neverallow netd_28_0 domain (process (ptrace)))
-(neverallow netd_28_0 system_file_28_0 (file (write)))
-(neverallow netd_28_0 system_file_28_0 (dir (write)))
-(neverallow netd_28_0 system_file_28_0 (lnk_file (write)))
-(neverallow netd_28_0 system_file_28_0 (chr_file (write)))
-(neverallow netd_28_0 system_file_28_0 (blk_file (write)))
-(neverallow netd_28_0 system_file_28_0 (sock_file (write)))
-(neverallow netd_28_0 system_file_28_0 (fifo_file (write)))
-(neverallow netd_28_0 system_data_file_28_0 (file (write)))
-(neverallow netd_28_0 system_data_file_28_0 (dir (write)))
-(neverallow netd_28_0 system_data_file_28_0 (lnk_file (write)))
-(neverallow netd_28_0 system_data_file_28_0 (chr_file (write)))
-(neverallow netd_28_0 system_data_file_28_0 (blk_file (write)))
-(neverallow netd_28_0 system_data_file_28_0 (sock_file (write)))
-(neverallow netd_28_0 system_data_file_28_0 (fifo_file (write)))
-(neverallow netd_28_0 app_data_file_28_0 (file (write)))
-(neverallow netd_28_0 app_data_file_28_0 (dir (write)))
-(neverallow netd_28_0 app_data_file_28_0 (lnk_file (write)))
-(neverallow netd_28_0 app_data_file_28_0 (chr_file (write)))
-(neverallow netd_28_0 app_data_file_28_0 (blk_file (write)))
-(neverallow netd_28_0 app_data_file_28_0 (sock_file (write)))
-(neverallow netd_28_0 app_data_file_28_0 (fifo_file (write)))
-(neverallow base_typeattr_257_28_0 netd_service_28_0 (service_manager (find)))
-(neverallow base_typeattr_256_28_0 netd_28_0 (bpf (map_create)))
-(neverallow appdomain netd_28_0 (binder (call)))
-(neverallow netd_28_0 base_typeattr_49_28_0 (binder (call)))
-(neverallow base_typeattr_258_28_0 netd_stable_secret_prop_28_0 (file (ioctl read getattr lock map open)))
-(neverallow base_typeattr_259_28_0 netd_stable_secret_prop_28_0 (property_service (set)))
-(neverallow domain netutils_wrapper_exec_28_0 (file (execute_no_trans)))
-(allow otapreopt_chroot_28_0 postinstall_file_28_0 (dir (mounton search)))
-(allow otapreopt_chroot_28_0 self (capability (sys_chroot sys_admin)))
-(allow otapreopt_chroot_28_0 self (cap_userns (sys_chroot sys_admin)))
-(allow otapreopt_chroot_28_0 block_device_28_0 (dir (search)))
-(allow otapreopt_chroot_28_0 labeledfs_28_0 (filesystem (mount)))
-(dontaudit otapreopt_chroot_28_0 kernel_28_0 (process (setsched)))
-(allow otapreopt_chroot_28_0 postinstall_28_0 (fd (use)))
-(allow otapreopt_chroot_28_0 update_engine_28_0 (fd (use)))
-(allow otapreopt_chroot_28_0 update_engine_28_0 (fifo_file (write)))
-(allow otapreopt_slot_28_0 ota_data_file_28_0 (dir (ioctl read write getattr lock rename add_name remove_name reparent search rmdir open)))
-(allow otapreopt_slot_28_0 ota_data_file_28_0 (file (getattr)))
-(allow otapreopt_slot_28_0 ota_data_file_28_0 (lnk_file (getattr)))
-(allow otapreopt_slot_28_0 ota_data_file_28_0 (lnk_file (read)))
-(allow otapreopt_slot_28_0 dalvikcache_data_file_28_0 (dir (read write getattr add_name remove_name search rmdir open)))
-(allow otapreopt_slot_28_0 dalvikcache_data_file_28_0 (file (getattr unlink)))
-(allow otapreopt_slot_28_0 dalvikcache_data_file_28_0 (lnk_file (read getattr unlink)))
-(allow otapreopt_slot_28_0 shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow otapreopt_slot_28_0 toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow performanced_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 performanced_28_0 (dir (search)))
-(allow servicemanager_28_0 performanced_28_0 (file (read open)))
-(allow servicemanager_28_0 performanced_28_0 (process (getattr)))
-(allow performanced_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 performanced_28_0 (binder (transfer)))
-(allow performanced_28_0 system_server_28_0 (fd (use)))
-(allow performanced_28_0 permission_service_28_0 (service_manager (find)))
-(allow init_28_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (create bind)))
-(allow performanced_28_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (read write getattr setattr lock append listen accept getopt setopt shutdown)))
-(allow performanced_28_0 self (process (setsockcreate)))
-(allow performanced_28_0 pdx_performance_client_channel_socket_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
-(neverallow base_typeattr_260_28_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (listen accept)))
-(allow performanced_28_0 self (capability (setgid setuid sys_nice)))
-(allow performanced_28_0 self (cap_userns (setgid setuid sys_nice)))
-(allow performanced_28_0 appdomain (dir (ioctl read getattr lock search open)))
-(allow performanced_28_0 bufferhubd_28_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_28_0 kernel_28_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_28_0 surfaceflinger_28_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_28_0 appdomain (file (ioctl read getattr lock map open)))
-(allow performanced_28_0 appdomain (lnk_file (ioctl read getattr lock map open)))
-(allow performanced_28_0 bufferhubd_28_0 (file (ioctl read getattr lock map open)))
-(allow performanced_28_0 bufferhubd_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow performanced_28_0 kernel_28_0 (file (ioctl read getattr lock map open)))
-(allow performanced_28_0 kernel_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow performanced_28_0 surfaceflinger_28_0 (file (ioctl read getattr lock map open)))
-(allow performanced_28_0 surfaceflinger_28_0 (lnk_file (ioctl read getattr lock map open)))
-(dontaudit performanced_28_0 domain (dir (read)))
-(allow performanced_28_0 appdomain (process (setsched)))
-(allow performanced_28_0 bufferhubd_28_0 (process (setsched)))
-(allow performanced_28_0 kernel_28_0 (process (setsched)))
-(allow performanced_28_0 surfaceflinger_28_0 (process (setsched)))
-(dontaudit performanced_28_0 domain (dir (open)))
-(dontaudit performanced_28_0 domain (file (read getattr open)))
-(allow performanced_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow performanced_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow performanced_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 sysfs_type (dir (search)))
-(allow perfprofd_28_0 sysfs_devices_system_cpu_28_0 (file (ioctl read write getattr lock append map open)))
-(allow perfprofd_28_0 system_file_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow perfprofd_28_0 app_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 app_data_file_28_0 (dir (search)))
-(allow perfprofd_28_0 self (capability (dac_override)))
-(allow perfprofd_28_0 self (cap_userns (dac_override)))
-(allow perfprofd_28_0 perfprofd_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow perfprofd_28_0 perfprofd_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow perfprofd_28_0 logcat_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow perfprofd_28_0 logdr_socket_28_0 (sock_file (write)))
-(allow perfprofd_28_0 logd_28_0 (unix_stream_socket (connectto)))
-(allow perfprofd_28_0 logdw_socket_28_0 (sock_file (write)))
-(allow perfprofd_28_0 logd_28_0 (unix_dgram_socket (sendto)))
-(allow perfprofd_28_0 pmsg_device_28_0 (chr_file (write lock append map open)))
-(allow perfprofd_28_0 sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow perfprofd_28_0 self (capability2 (block_suspend)))
-(allow perfprofd_28_0 self (cap2_userns (block_suspend)))
-(allow perfprofd_28_0 sysfs_thermal_28_0 (dir (ioctl read getattr lock search open)))
-(allow perfprofd_28_0 sysfs_batteryinfo_28_0 (dir (ioctl read getattr lock search open)))
-(allow perfprofd_28_0 sysfs_batteryinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 sysfs_batteryinfo_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 sysfs_kernel_notes_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 proc_loadavg_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 proc_stat_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 proc_modules_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 proc_perf_28_0 (file (write)))
-(dontaudit perfprofd_28_0 proc_security_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow perfprofd_28_0 self (capability (sys_admin)))
-(allow perfprofd_28_0 self (cap_userns (sys_admin)))
-(allow perfprofd_28_0 domain (dir (ioctl read getattr lock search open)))
-(allow perfprofd_28_0 domain (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 self (capability (sys_ptrace sys_resource)))
-(allow perfprofd_28_0 self (cap_userns (sys_ptrace sys_resource)))
-(neverallow perfprofd_28_0 domain (process (ptrace)))
-(allow perfprofd_28_0 exec_type (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 apk_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow perfprofd_28_0 apk_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 apk_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 dalvikcache_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow perfprofd_28_0 dalvikcache_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 dalvikcache_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 vendor_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow perfprofd_28_0 vendor_file_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 vendor_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 vendor_app_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow perfprofd_28_0 vendor_app_file_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 vendor_app_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 property_socket_28_0 (sock_file (write)))
-(allow perfprofd_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow perfprofd_28_0 shell_prop_28_0 (property_service (set)))
-(allow perfprofd_28_0 shell_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 debugfs_tracing_28_0 (dir (ioctl read getattr lock search open)))
-(allow perfprofd_28_0 debugfs_tracing_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 debugfs_tracing_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 debugfs_tracing_debug_28_0 (dir (ioctl read getattr lock search open)))
-(allow perfprofd_28_0 debugfs_tracing_debug_28_0 (file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 debugfs_tracing_debug_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow perfprofd_28_0 shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow perfprofd_28_0 self (capability (ipc_lock)))
-(allow perfprofd_28_0 self (cap_userns (ipc_lock)))
-(dontaudit perfprofd_28_0 shell_data_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit perfprofd_28_0 shell_data_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow perfprofd_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 perfprofd_28_0 (dir (search)))
-(allow servicemanager_28_0 perfprofd_28_0 (file (read open)))
-(allow servicemanager_28_0 perfprofd_28_0 (process (getattr)))
-(allow perfprofd_28_0 perfprofd_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_261_28_0 perfprofd_service_28_0 (service_manager (add)))
-(allow perfprofd_28_0 devpts_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow perfprofd_28_0 su_28_0 (unix_stream_socket (read write getattr sendto)))
-(allow perfprofd_28_0 su_28_0 (fifo_file (ioctl read getattr lock map open)))
-(allow perfprofd_28_0 dropbox_service_28_0 (service_manager (find)))
-(allow perfprofd_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 perfprofd_28_0 (binder (transfer)))
-(allow perfprofd_28_0 system_server_28_0 (fd (use)))
-(allow postinstall_28_0 update_engine_common (fd (use)))
-(allow postinstall_28_0 update_engine_common (fifo_file (ioctl read write getattr lock append map open)))
-(allow postinstall_28_0 postinstall_file_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow postinstall_28_0 postinstall_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_28_0 postinstall_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_28_0 shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow postinstall_28_0 system_file_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow postinstall_28_0 toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow postinstall_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 postinstall_28_0 (dir (search)))
-(allow servicemanager_28_0 postinstall_28_0 (file (read open)))
-(allow servicemanager_28_0 postinstall_28_0 (process (getattr)))
-(allow postinstall_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 postinstall_28_0 (binder (transfer)))
-(allow postinstall_28_0 system_server_28_0 (fd (use)))
-(allow postinstall_28_0 otadexopt_service_28_0 (service_manager (find)))
-(neverallow base_typeattr_101_28_0 postinstall_28_0 (process (transition dyntransition)))
-(allow postinstall_dexopt_28_0 self (capability (chown dac_override fowner fsetid setgid setuid)))
-(allow postinstall_dexopt_28_0 self (cap_userns (chown dac_override fowner fsetid setgid setuid)))
-(allow postinstall_dexopt_28_0 postinstall_file_28_0 (filesystem (getattr)))
-(allow postinstall_dexopt_28_0 postinstall_file_28_0 (dir (getattr search)))
-(allow postinstall_dexopt_28_0 postinstall_file_28_0 (lnk_file (read getattr)))
-(allow postinstall_dexopt_28_0 proc_filesystems_28_0 (file (read getattr open)))
-(allow postinstall_dexopt_28_0 tmpfs_28_0 (file (read)))
-(allow postinstall_dexopt_28_0 apk_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_28_0 apk_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_28_0 apk_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_28_0 vendor_app_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_28_0 vendor_app_file_28_0 (file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_28_0 vendor_app_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_28_0 dalvikcache_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_28_0 dalvikcache_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_28_0 dalvikcache_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_28_0 user_profile_data_file_28_0 (dir (getattr search)))
-(allow postinstall_dexopt_28_0 user_profile_data_file_28_0 (file (ioctl read getattr lock map open)))
-(dontaudit postinstall_dexopt_28_0 user_profile_data_file_28_0 (file (write)))
-(allow postinstall_dexopt_28_0 ota_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow postinstall_dexopt_28_0 ota_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow postinstall_dexopt_28_0 ota_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow postinstall_dexopt_28_0 dalvikcache_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow postinstall_dexopt_28_0 dalvikcache_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow postinstall_dexopt_28_0 dalvikcache_data_file_28_0 (dir (relabelto)))
-(allow postinstall_dexopt_28_0 dalvikcache_data_file_28_0 (file (relabelto link)))
-(allow postinstall_dexopt_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_28_0 selinuxfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_28_0 selinuxfs_28_0 (file (write lock append map open)))
-(allow postinstall_dexopt_28_0 kernel_28_0 (security (check_context)))
-(allow postinstall_dexopt_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow postinstall_dexopt_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_28_0 selinuxfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow postinstall_dexopt_28_0 selinuxfs_28_0 (file (write lock append map open)))
-(allow postinstall_dexopt_28_0 kernel_28_0 (security (compute_av)))
-(allow postinstall_dexopt_28_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow postinstall_dexopt_28_0 postinstall_28_0 (process (sigchld)))
-(allow postinstall_dexopt_28_0 otapreopt_chroot_28_0 (fd (use)))
-(allow postinstall_dexopt_28_0 cpuctl_device_28_0 (dir (search)))
-(allow ppp_28_0 proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow ppp_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow ppp_28_0 proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow ppp_28_0 mtp_28_0 (socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx ppp_28_0 self (ioctl udp_socket (0x6900 0x6902)))
-(allowx ppp_28_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx ppp_28_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allowx ppp_28_0 mtp_28_0 (ioctl socket (((range 0x7436 0x7441)) ((range 0x7446 0x7447)) ((range 0x744b 0x745a)) ((range 0x7480 0x7488)))))
-(allow ppp_28_0 mtp_28_0 (unix_dgram_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow ppp_28_0 ppp_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow ppp_28_0 self (capability (net_admin)))
-(allow ppp_28_0 self (cap_userns (net_admin)))
-(allow ppp_28_0 system_file_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow ppp_28_0 vpn_data_file_28_0 (dir (write lock add_name remove_name search open)))
-(allow ppp_28_0 vpn_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow ppp_28_0 mtp_28_0 (fd (use)))
-(allow preopt2cachename_28_0 cppreopts_28_0 (fd (use)))
-(allow preopt2cachename_28_0 cppreopts_28_0 (fifo_file (read write getattr)))
-(allow preopt2cachename_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow profman_28_0 user_profile_data_file_28_0 (file (read write getattr lock)))
-(allow profman_28_0 asec_apk_file_28_0 (file (read)))
-(allow profman_28_0 apk_data_file_28_0 (file (read getattr)))
-(allow profman_28_0 apk_data_file_28_0 (dir (read getattr search)))
-(allow profman_28_0 oemfs_28_0 (file (read)))
-(allow profman_28_0 tmpfs_28_0 (file (read)))
-(allow profman_28_0 profman_dump_data_file_28_0 (file (write)))
-(allow profman_28_0 installd_28_0 (fd (use)))
-(allow profman_28_0 app_data_file_28_0 (file (read write getattr lock)))
-(allow profman_28_0 app_data_file_28_0 (dir (read getattr search)))
-(neverallow profman_28_0 app_data_file_28_0 (file (open)))
-(neverallow profman_28_0 app_data_file_28_0 (lnk_file (open)))
-(neverallow profman_28_0 app_data_file_28_0 (sock_file (open)))
-(neverallow profman_28_0 app_data_file_28_0 (fifo_file (open)))
-(allow property_type tmpfs_28_0 (filesystem (associate)))
-(neverallow base_typeattr_59_28_0 base_typeattr_262_28_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_84_28_0 ctl_sigstop_prop_28_0 (property_service (set)))
-(dontaudit domain ctl_bootanim_prop_28_0 (property_service (set)))
-(dontaudit domain ctl_bugreport_prop_28_0 (property_service (set)))
-(dontaudit domain ctl_console_prop_28_0 (property_service (set)))
-(dontaudit domain ctl_default_prop_28_0 (property_service (set)))
-(dontaudit domain ctl_dumpstate_prop_28_0 (property_service (set)))
-(dontaudit domain ctl_fuse_prop_28_0 (property_service (set)))
-(dontaudit domain ctl_mdnsd_prop_28_0 (property_service (set)))
-(dontaudit domain ctl_rildaemon_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_263_28_0 base_typeattr_264_28_0 (property_service (set)))
-(neverallow base_typeattr_265_28_0 nfc_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_266_28_0 exported_radio_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_266_28_0 exported3_radio_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_267_28_0 radio_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_267_28_0 exported2_radio_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_268_28_0 bluetooth_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_269_28_0 exported_bluetooth_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_270_28_0 wifi_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_271_28_0 exported_wifi_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_263_28_0 base_typeattr_272_28_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_265_28_0 nfc_prop_28_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_267_28_0 radio_prop_28_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_268_28_0 bluetooth_prop_28_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_270_28_0 wifi_prop_28_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
-(neverallow base_typeattr_273_28_0 base_typeattr_274_28_0 (property_service (set)))
-(allowx racoon_28_0 self (ioctl udp_socket (0x8914 0x8916 0x891c)))
-(allow racoon_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 racoon_28_0 (dir (search)))
-(allow servicemanager_28_0 racoon_28_0 (file (read open)))
-(allow servicemanager_28_0 racoon_28_0 (process (getattr)))
-(allow racoon_28_0 tun_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow racoon_28_0 cgroup_28_0 (dir (create add_name)))
-(allow racoon_28_0 kernel_28_0 (system (module_request)))
-(allow racoon_28_0 self (key_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow racoon_28_0 self (tun_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow racoon_28_0 self (capability (net_bind_service net_admin net_raw)))
-(allow racoon_28_0 self (cap_userns (net_bind_service net_admin net_raw)))
-(allow racoon_28_0 system_file_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow racoon_28_0 vpn_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow racoon_28_0 vpn_data_file_28_0 (dir (write lock add_name remove_name search open)))
-(allow keystore_28_0 racoon_28_0 (dir (search)))
-(allow keystore_28_0 racoon_28_0 (file (read open)))
-(allow keystore_28_0 racoon_28_0 (process (getattr)))
-(allow racoon_28_0 keystore_service_28_0 (service_manager (find)))
-(allow racoon_28_0 keystore_28_0 (binder (call transfer)))
-(allow keystore_28_0 racoon_28_0 (binder (transfer)))
-(allow racoon_28_0 keystore_28_0 (fd (use)))
-(allow keystore_28_0 racoon_28_0 (binder (call transfer)))
-(allow racoon_28_0 keystore_28_0 (binder (transfer)))
-(allow keystore_28_0 racoon_28_0 (fd (use)))
-(allow racoon_28_0 keystore_28_0 (keystore_key (get sign verify)))
-(allow radio_28_0 radio_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow radio_28_0 radio_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow radio_28_0 radio_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow radio_28_0 radio_data_file_28_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow radio_28_0 radio_data_file_28_0 (fifo_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow radio_28_0 alarm_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow radio_28_0 net_data_file_28_0 (dir (search)))
-(allow radio_28_0 net_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow radio_28_0 property_socket_28_0 (sock_file (write)))
-(allow radio_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow radio_28_0 radio_prop_28_0 (property_service (set)))
-(allow radio_28_0 radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow radio_28_0 property_socket_28_0 (sock_file (write)))
-(allow radio_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow radio_28_0 exported_radio_prop_28_0 (property_service (set)))
-(allow radio_28_0 exported_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow radio_28_0 property_socket_28_0 (sock_file (write)))
-(allow radio_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow radio_28_0 exported2_radio_prop_28_0 (property_service (set)))
-(allow radio_28_0 exported2_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow radio_28_0 property_socket_28_0 (sock_file (write)))
-(allow radio_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow radio_28_0 exported3_radio_prop_28_0 (property_service (set)))
-(allow radio_28_0 exported3_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow radio_28_0 property_socket_28_0 (sock_file (write)))
-(allow radio_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow radio_28_0 net_radio_prop_28_0 (property_service (set)))
-(allow radio_28_0 net_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow radio_28_0 property_socket_28_0 (sock_file (write)))
-(allow radio_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow radio_28_0 ctl_rildaemon_prop_28_0 (property_service (set)))
-(allow radio_28_0 ctl_rildaemon_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow radio_28_0 radio_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_275_28_0 radio_service_28_0 (service_manager (add)))
-(allow radio_28_0 audioserver_service_28_0 (service_manager (find)))
-(allow radio_28_0 cameraserver_service_28_0 (service_manager (find)))
-(allow radio_28_0 drmserver_service_28_0 (service_manager (find)))
-(allow radio_28_0 mediaserver_service_28_0 (service_manager (find)))
-(allow radio_28_0 nfc_service_28_0 (service_manager (find)))
-(allow radio_28_0 app_api_service (service_manager (find)))
-(allow radio_28_0 system_api_service (service_manager (find)))
-(allow radio_28_0 hwservicemanager_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 radio_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 radio_28_0 (dir (search)))
-(allow hwservicemanager_28_0 radio_28_0 (file (read open)))
-(allow hwservicemanager_28_0 radio_28_0 (process (getattr)))
-(neverallow recovery_28_0 base_typeattr_276_28_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
-(neverallow recovery_28_0 base_typeattr_276_28_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(allow recovery_persist_28_0 pstorefs_28_0 (dir (search)))
-(allow recovery_persist_28_0 pstorefs_28_0 (file (ioctl read getattr lock map open)))
-(allow recovery_persist_28_0 recovery_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow recovery_persist_28_0 recovery_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(neverallow recovery_persist_28_0 dev_type (blk_file (read write)))
-(neverallow recovery_persist_28_0 domain (process (ptrace)))
-(neverallow recovery_persist_28_0 system_file_28_0 (file (write)))
-(neverallow recovery_persist_28_0 system_file_28_0 (dir (write)))
-(neverallow recovery_persist_28_0 system_file_28_0 (lnk_file (write)))
-(neverallow recovery_persist_28_0 system_file_28_0 (chr_file (write)))
-(neverallow recovery_persist_28_0 system_file_28_0 (blk_file (write)))
-(neverallow recovery_persist_28_0 system_file_28_0 (sock_file (write)))
-(neverallow recovery_persist_28_0 system_file_28_0 (fifo_file (write)))
-(neverallow recovery_persist_28_0 system_data_file_28_0 (file (write)))
-(neverallow recovery_persist_28_0 system_data_file_28_0 (dir (write)))
-(neverallow recovery_persist_28_0 system_data_file_28_0 (lnk_file (write)))
-(neverallow recovery_persist_28_0 system_data_file_28_0 (chr_file (write)))
-(neverallow recovery_persist_28_0 system_data_file_28_0 (blk_file (write)))
-(neverallow recovery_persist_28_0 system_data_file_28_0 (sock_file (write)))
-(neverallow recovery_persist_28_0 system_data_file_28_0 (fifo_file (write)))
-(neverallow recovery_persist_28_0 app_data_file_28_0 (file (write)))
-(neverallow recovery_persist_28_0 app_data_file_28_0 (dir (write)))
-(neverallow recovery_persist_28_0 app_data_file_28_0 (lnk_file (write)))
-(neverallow recovery_persist_28_0 app_data_file_28_0 (chr_file (write)))
-(neverallow recovery_persist_28_0 app_data_file_28_0 (blk_file (write)))
-(neverallow recovery_persist_28_0 app_data_file_28_0 (sock_file (write)))
-(neverallow recovery_persist_28_0 app_data_file_28_0 (fifo_file (write)))
-(allow recovery_refresh_28_0 pstorefs_28_0 (dir (search)))
-(allow recovery_refresh_28_0 pstorefs_28_0 (file (ioctl read getattr lock map open)))
-(neverallow recovery_refresh_28_0 dev_type (blk_file (read write)))
-(neverallow recovery_refresh_28_0 domain (process (ptrace)))
-(neverallow recovery_refresh_28_0 system_file_28_0 (file (write)))
-(neverallow recovery_refresh_28_0 system_file_28_0 (dir (write)))
-(neverallow recovery_refresh_28_0 system_file_28_0 (lnk_file (write)))
-(neverallow recovery_refresh_28_0 system_file_28_0 (chr_file (write)))
-(neverallow recovery_refresh_28_0 system_file_28_0 (blk_file (write)))
-(neverallow recovery_refresh_28_0 system_file_28_0 (sock_file (write)))
-(neverallow recovery_refresh_28_0 system_file_28_0 (fifo_file (write)))
-(neverallow recovery_refresh_28_0 system_data_file_28_0 (file (write)))
-(neverallow recovery_refresh_28_0 system_data_file_28_0 (dir (write)))
-(neverallow recovery_refresh_28_0 system_data_file_28_0 (lnk_file (write)))
-(neverallow recovery_refresh_28_0 system_data_file_28_0 (chr_file (write)))
-(neverallow recovery_refresh_28_0 system_data_file_28_0 (blk_file (write)))
-(neverallow recovery_refresh_28_0 system_data_file_28_0 (sock_file (write)))
-(neverallow recovery_refresh_28_0 system_data_file_28_0 (fifo_file (write)))
-(neverallow recovery_refresh_28_0 app_data_file_28_0 (file (write)))
-(neverallow recovery_refresh_28_0 app_data_file_28_0 (dir (write)))
-(neverallow recovery_refresh_28_0 app_data_file_28_0 (lnk_file (write)))
-(neverallow recovery_refresh_28_0 app_data_file_28_0 (chr_file (write)))
-(neverallow recovery_refresh_28_0 app_data_file_28_0 (blk_file (write)))
-(neverallow recovery_refresh_28_0 app_data_file_28_0 (sock_file (write)))
-(neverallow recovery_refresh_28_0 app_data_file_28_0 (fifo_file (write)))
-(allow runas_28_0 adbd_28_0 (fd (use)))
-(allow runas_28_0 adbd_28_0 (process (sigchld)))
-(allow runas_28_0 adbd_28_0 (unix_stream_socket (read write)))
-(allow runas_28_0 shell_28_0 (fd (use)))
-(allow runas_28_0 shell_28_0 (fifo_file (read write)))
-(allow runas_28_0 shell_28_0 (unix_stream_socket (read write)))
-(allow runas_28_0 devpts_28_0 (chr_file (ioctl read write)))
-(allow runas_28_0 shell_data_file_28_0 (file (read write)))
-(allow runas_28_0 system_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow runas_28_0 system_data_file_28_0 (lnk_file (getattr)))
-(allow runas_28_0 system_data_file_28_0 (lnk_file (read)))
-(dontaudit runas_28_0 self (capability (dac_override)))
-(dontaudit runas_28_0 self (cap_userns (dac_override)))
-(allow runas_28_0 app_data_file_28_0 (dir (getattr search)))
-(allow runas_28_0 self (capability (setgid setuid)))
-(allow runas_28_0 self (cap_userns (setgid setuid)))
-(allow runas_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow runas_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow runas_28_0 selinuxfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow runas_28_0 selinuxfs_28_0 (file (write lock append map open)))
-(allow runas_28_0 kernel_28_0 (security (check_context)))
-(allow runas_28_0 self (process (setcurrent)))
-(allow runas_28_0 base_typeattr_277_28_0 (process (dyntransition)))
-(allow runas_28_0 seapp_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(neverallow runas_28_0 self (capability (chown dac_override dac_read_search fowner fsetid kill setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(neverallow runas_28_0 self (cap_userns (chown dac_override dac_read_search fowner fsetid kill setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(neverallow runas_28_0 self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(neverallow runas_28_0 self (cap2_userns (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(allow sdcardd_28_0 cgroup_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow sdcardd_28_0 fuse_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow sdcardd_28_0 rootfs_28_0 (dir (mounton)))
-(allow sdcardd_28_0 sdcardfs_28_0 (filesystem (remount)))
-(allow sdcardd_28_0 tmpfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow sdcardd_28_0 mnt_media_rw_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow sdcardd_28_0 storage_file_28_0 (dir (search)))
-(allow sdcardd_28_0 storage_stub_file_28_0 (dir (mounton search)))
-(allow sdcardd_28_0 sdcard_type (filesystem (mount unmount)))
-(allow sdcardd_28_0 self (capability (dac_override setgid setuid sys_admin sys_resource)))
-(allow sdcardd_28_0 self (cap_userns (dac_override setgid setuid sys_admin sys_resource)))
-(allow sdcardd_28_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow sdcardd_28_0 sdcard_type (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow sdcardd_28_0 media_rw_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow sdcardd_28_0 media_rw_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow sdcardd_28_0 system_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow sdcardd_28_0 install_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow sdcardd_28_0 vold_28_0 (fd (use)))
-(allow sdcardd_28_0 vold_28_0 (fifo_file (read write getattr)))
-(allow sdcardd_28_0 mnt_expand_file_28_0 (dir (search)))
-(allow sdcardd_28_0 proc_filesystems_28_0 (file (ioctl read getattr lock map open)))
-(neverallow init_28_0 sdcardd_exec_28_0 (file (execute)))
-(neverallow init_28_0 sdcardd_28_0 (process (transition dyntransition)))
-(allow servicemanager_28_0 self (binder (set_context_mgr)))
-(allow servicemanager_28_0 base_typeattr_278_28_0 (binder (transfer)))
-(allow servicemanager_28_0 service_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow servicemanager_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow servicemanager_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow servicemanager_28_0 selinuxfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow servicemanager_28_0 selinuxfs_28_0 (file (write lock append map open)))
-(allow servicemanager_28_0 kernel_28_0 (security (compute_av)))
-(allow servicemanager_28_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow sgdisk_28_0 block_device_28_0 (dir (search)))
-(allow sgdisk_28_0 vold_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow sgdisk_28_0 devpts_28_0 (chr_file (ioctl read write getattr)))
-(allow sgdisk_28_0 vold_28_0 (fd (use)))
-(allow sgdisk_28_0 vold_28_0 (fifo_file (read write getattr)))
-(allow sgdisk_28_0 self (capability (sys_admin)))
-(allow sgdisk_28_0 self (cap_userns (sys_admin)))
-(neverallow base_typeattr_176_28_0 sgdisk_28_0 (process (transition)))
-(neverallow base_typeattr_59_28_0 sgdisk_28_0 (process (dyntransition)))
-(neverallow sgdisk_28_0 base_typeattr_279_28_0 (file (entrypoint)))
-(allow shared_relro_28_0 shared_relro_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow shared_relro_28_0 shared_relro_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow shared_relro_28_0 activity_service_28_0 (service_manager (find)))
-(allow shared_relro_28_0 webviewupdate_service_28_0 (service_manager (find)))
-(allow shell_28_0 logcat_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_28_0 logdr_socket_28_0 (sock_file (write)))
-(allow shell_28_0 logd_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 logd_socket_28_0 (sock_file (write)))
-(allow shell_28_0 logd_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 pstorefs_28_0 (dir (search)))
-(allow shell_28_0 pstorefs_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 rootfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 anr_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 anr_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 shell_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow shell_28_0 shell_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow shell_28_0 shell_data_file_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_28_0 shell_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow shell_28_0 trace_data_file_28_0 (file (ioctl read getattr lock map unlink open)))
-(allow shell_28_0 trace_data_file_28_0 (dir (ioctl read write getattr lock remove_name search open)))
-(allow shell_28_0 profman_dump_data_file_28_0 (dir (ioctl read write getattr lock remove_name search open)))
-(allow shell_28_0 profman_dump_data_file_28_0 (file (ioctl read getattr lock map unlink open)))
-(allow shell_28_0 nativetest_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 nativetest_data_file_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_28_0 dumpstate_socket_28_0 (sock_file (write)))
-(allow shell_28_0 dumpstate_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 devpts_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow shell_28_0 tty_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow shell_28_0 console_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow shell_28_0 input_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 input_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow shell_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 system_file_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 system_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow shell_28_0 system_file_28_0 (file (getattr map execute execute_no_trans)))
-(allow shell_28_0 toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_28_0 tzdatacheck_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_28_0 shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_28_0 zygote_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow shell_28_0 apk_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 apk_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 apk_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 shell_prop_28_0 (property_service (set)))
-(allow shell_28_0 shell_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 ctl_bugreport_prop_28_0 (property_service (set)))
-(allow shell_28_0 ctl_bugreport_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 ctl_dumpstate_prop_28_0 (property_service (set)))
-(allow shell_28_0 ctl_dumpstate_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 dumpstate_prop_28_0 (property_service (set)))
-(allow shell_28_0 dumpstate_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 exported_dumpstate_prop_28_0 (property_service (set)))
-(allow shell_28_0 exported_dumpstate_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 debug_prop_28_0 (property_service (set)))
-(allow shell_28_0 debug_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 powerctl_prop_28_0 (property_service (set)))
-(allow shell_28_0 powerctl_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 log_tag_prop_28_0 (property_service (set)))
-(allow shell_28_0 log_tag_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 wifi_log_prop_28_0 (property_service (set)))
-(allow shell_28_0 wifi_log_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 traced_enabled_prop_28_0 (property_service (set)))
-(allow shell_28_0 traced_enabled_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 log_prop_28_0 (property_service (set)))
-(allow shell_28_0 log_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 logpersistd_logging_prop_28_0 (property_service (set)))
-(allow shell_28_0 logpersistd_logging_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 boottrace_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow shell_28_0 boottrace_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow shell_28_0 property_socket_28_0 (sock_file (write)))
-(allow shell_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow shell_28_0 persist_debug_prop_28_0 (property_service (set)))
-(allow shell_28_0 persist_debug_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 serialno_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 vendor_security_patch_level_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 device_logging_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 bootloader_boot_reason_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 last_boot_reason_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 system_boot_reason_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 servicemanager_28_0 (service_manager (list)))
-(allow shell_28_0 base_typeattr_280_28_0 (service_manager (find)))
-(allow shell_28_0 dumpstate_28_0 (binder (call)))
-(allow shell_28_0 hwservicemanager_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 shell_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 shell_28_0 (dir (search)))
-(allow hwservicemanager_28_0 shell_28_0 (file (read open)))
-(allow hwservicemanager_28_0 shell_28_0 (process (getattr)))
-(allow shell_28_0 hwservicemanager_28_0 (hwservice_manager (list)))
-(allow shell_28_0 proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_asound_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_filesystems_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_interrupts_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_meminfo_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_modules_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_pid_max_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_stat_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_timer_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_uptime_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_version_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 proc_zoneinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 sysfs_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 cgroup_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 cgroup_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 cgroup_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow shell_28_0 domain (dir (read getattr search open)))
-(allow shell_28_0 domain (file (read getattr open)))
-(allow shell_28_0 domain (lnk_file (read getattr open)))
-(allow shell_28_0 labeledfs_28_0 (filesystem (getattr)))
-(allow shell_28_0 proc_28_0 (filesystem (getattr)))
-(allow shell_28_0 device_28_0 (dir (getattr)))
-(allow shell_28_0 domain (process (getattr)))
-(allow shell_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 bootchart_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow shell_28_0 bootchart_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow shell_28_0 self (process (ptrace)))
-(allow shell_28_0 sysfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 sysfs_batteryinfo_28_0 (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 sysfs_batteryinfo_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 ion_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow shell_28_0 dev_type (dir (ioctl read getattr lock search open)))
-(allow shell_28_0 dev_type (chr_file (getattr)))
-(allow shell_28_0 proc_28_0 (lnk_file (getattr)))
-(allow shell_28_0 dev_type (blk_file (getattr)))
-(allow shell_28_0 file_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 property_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 seapp_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 service_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 sepolicy_file_28_0 (file (ioctl read getattr lock map open)))
-(allow shell_28_0 vendor_shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(neverallow shell_28_0 file_type (file (link)))
-(neverallowx shell_28_0 domain (ioctl tcp_socket (0x6900 0x6902)))
-(neverallowx shell_28_0 domain (ioctl udp_socket (0x6900 0x6902)))
-(neverallowx shell_28_0 domain (ioctl rawip_socket (0x6900 0x6902)))
-(neverallowx shell_28_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx shell_28_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx shell_28_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(neverallowx shell_28_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx shell_28_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallowx shell_28_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(neverallow shell_28_0 hw_random_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_28_0 kmem_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_28_0 port_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_28_0 fuse_device_28_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow shell_28_0 dev_type (blk_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(allow slideshow_28_0 kmsg_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow slideshow_28_0 sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow slideshow_28_0 self (capability2 (block_suspend)))
-(allow slideshow_28_0 self (cap2_userns (block_suspend)))
-(allow slideshow_28_0 device_28_0 (dir (ioctl read getattr lock search open)))
-(allow slideshow_28_0 self (capability (sys_tty_config)))
-(allow slideshow_28_0 self (cap_userns (sys_tty_config)))
-(allow slideshow_28_0 graphics_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow slideshow_28_0 graphics_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow slideshow_28_0 input_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow slideshow_28_0 input_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow slideshow_28_0 tty_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow su_28_0 vndbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow su_28_0 vndservicemanager_28_0 (binder (call transfer)))
-(allow vndservicemanager_28_0 su_28_0 (dir (search)))
-(allow vndservicemanager_28_0 su_28_0 (file (read open)))
-(allow vndservicemanager_28_0 su_28_0 (process (getattr)))
-(dontaudit su_28_0 self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(dontaudit su_28_0 self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(dontaudit su_28_0 self (cap_userns (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
-(dontaudit su_28_0 self (cap2_userns (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
-(dontaudit su_28_0 kernel_28_0 (security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy validate_trans)))
-(dontaudit su_28_0 kernel_28_0 (system (ipc_info syslog_read syslog_mod syslog_console module_request module_load)))
-(dontaudit su_28_0 self (memprotect (mmap_zero)))
-(dontaudit su_28_0 domain (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
-(dontaudit su_28_0 domain (fd (use)))
-(dontaudit su_28_0 domain (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_28_0 domain (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 domain (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_28_0 domain (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 domain (socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_28_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_28_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_28_0 domain (netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 domain (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_28_0 domain (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_28_0 domain (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_28_0 domain (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
-(dontaudit su_28_0 domain (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)))
-(dontaudit su_28_0 domain (netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_28_0 domain (icmp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_28_0 domain (ax25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (ipx_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (netrom_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (atmpvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (x25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (rose_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (decnet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (atmsvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (rds_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (irda_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (pppox_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (llc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (can_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (tipc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (bluetooth_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (iucv_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (rxrpc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (isdn_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (phonet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (ieee802154_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (caif_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (alg_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (vsock_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (kcm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (qipcrtr_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (smc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 domain (sem (create destroy getattr setattr read write associate unix_read unix_write)))
-(dontaudit su_28_0 domain (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)))
-(dontaudit su_28_0 domain (shm (create destroy getattr setattr read write associate unix_read unix_write lock)))
-(dontaudit su_28_0 domain (ipc (create destroy getattr setattr read write associate unix_read unix_write)))
-(dontaudit su_28_0 domain (key (view read write search link setattr create)))
-(dontaudit su_28_0 fs_type (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
-(dontaudit su_28_0 dev_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_28_0 dev_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_28_0 dev_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 dev_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_28_0 dev_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 dev_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 dev_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 fs_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_28_0 fs_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_28_0 fs_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 fs_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_28_0 fs_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 fs_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 fs_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 file_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_28_0 file_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(dontaudit su_28_0 file_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 file_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_28_0 file_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 file_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 file_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(dontaudit su_28_0 node_type (node (recvfrom sendto)))
-(dontaudit su_28_0 node_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_28_0 node_type (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_28_0 node_type (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_28_0 netif_type (netif (ingress egress)))
-(dontaudit su_28_0 port_type (socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_28_0 port_type (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_28_0 port_type (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_28_0 port_type (netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
-(dontaudit su_28_0 port_type (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_28_0 port_type (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_28_0 port_type (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
-(dontaudit su_28_0 port_type (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
-(dontaudit su_28_0 port_type (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)))
-(dontaudit su_28_0 port_type (netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_28_0 port_type (icmp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(dontaudit su_28_0 port_type (ax25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (ipx_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (netrom_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (atmpvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (x25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (rose_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (decnet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (atmsvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (rds_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (irda_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (pppox_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (llc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (can_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (tipc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (bluetooth_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (iucv_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (rxrpc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (isdn_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (phonet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (ieee802154_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (caif_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (alg_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (vsock_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (kcm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (qipcrtr_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (smc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(dontaudit su_28_0 port_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_28_0 port_type (dccp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
-(dontaudit su_28_0 domain (peer (recv)))
-(dontaudit su_28_0 domain (binder (impersonate call set_context_mgr transfer)))
-(dontaudit su_28_0 property_type (property_service (set)))
-(dontaudit su_28_0 property_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(dontaudit su_28_0 service_manager_type (service_manager (add find list)))
-(dontaudit su_28_0 hwservice_manager_type (hwservice_manager (add find list)))
-(dontaudit su_28_0 vndservice_manager_type (service_manager (add find list)))
-(dontaudit su_28_0 servicemanager_28_0 (service_manager (list)))
-(dontaudit su_28_0 hwservicemanager_28_0 (hwservice_manager (list)))
-(dontaudit su_28_0 vndservicemanager_28_0 (service_manager (list)))
-(dontaudit su_28_0 keystore_28_0 (keystore_key (get_state get insert delete exist list reset password lock unlock is_empty sign verify grant duplicate clear_uid add_auth user_changed gen_unique_id)))
-(dontaudit su_28_0 domain (drmservice (consumeRights setPlaybackStatus openDecryptSession closeDecryptSession initializeDecryptUnit decrypt finalizeDecryptUnit pread)))
-(dontaudit su_28_0 unlabeled_28_0 (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
-(dontaudit su_28_0 postinstall_file_28_0 (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
-(allow tee_28_0 fingerprint_vendor_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow tee_28_0 fingerprint_vendor_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow thermalserviced_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 thermalserviced_28_0 (dir (search)))
-(allow servicemanager_28_0 thermalserviced_28_0 (file (read open)))
-(allow servicemanager_28_0 thermalserviced_28_0 (process (getattr)))
-(allow thermalserviced_28_0 thermal_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_281_28_0 thermal_service_28_0 (service_manager (add)))
-(allow thermalserviced_28_0 hwservicemanager_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 thermalserviced_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 thermalserviced_28_0 (dir (search)))
-(allow hwservicemanager_28_0 thermalserviced_28_0 (file (read open)))
-(allow hwservicemanager_28_0 thermalserviced_28_0 (process (getattr)))
-(allow thermalserviced_28_0 thermalcallback_hwservice_28_0 (hwservice_manager (add find)))
-(allow thermalserviced_28_0 hidl_base_hwservice_28_0 (hwservice_manager (add)))
-(neverallow base_typeattr_281_28_0 thermalcallback_hwservice_28_0 (hwservice_manager (add)))
-(allow thermalserviced_28_0 platform_app_28_0 (binder (call transfer)))
-(allow platform_app_28_0 thermalserviced_28_0 (binder (transfer)))
-(allow thermalserviced_28_0 platform_app_28_0 (fd (use)))
-(allow tombstoned_28_0 domain (fd (use)))
-(allow tombstoned_28_0 domain (fifo_file (write)))
-(allow tombstoned_28_0 domain (dir (ioctl read getattr lock search open)))
-(allow tombstoned_28_0 domain (file (ioctl read getattr lock map open)))
-(allow tombstoned_28_0 tombstone_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow tombstoned_28_0 tombstone_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink link rename open)))
-(allow tombstoned_28_0 anr_data_file_28_0 (file (write append)))
-(auditallow tombstoned_28_0 anr_data_file_28_0 (file (write append)))
-(allow tombstoned_28_0 anr_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow tombstoned_28_0 anr_data_file_28_0 (file (create getattr unlink link open)))
-(allow toolbox_28_0 tmpfs_28_0 (chr_file (ioctl read write)))
-(allow toolbox_28_0 devpts_28_0 (chr_file (ioctl read write getattr)))
-(allow toolbox_28_0 block_device_28_0 (dir (search)))
-(allow toolbox_28_0 swap_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(neverallow base_typeattr_69_28_0 toolbox_28_0 (process (transition)))
-(neverallow base_typeattr_59_28_0 toolbox_28_0 (process (dyntransition)))
-(neverallow toolbox_28_0 base_typeattr_282_28_0 (file (entrypoint)))
-(allow traceur_app_28_0 servicemanager_28_0 (service_manager (list)))
-(allow traceur_app_28_0 hwservicemanager_28_0 (hwservice_manager (list)))
-(allow traceur_app_28_0 property_socket_28_0 (sock_file (write)))
-(allow traceur_app_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow traceur_app_28_0 debug_prop_28_0 (property_service (set)))
-(allow traceur_app_28_0 debug_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow traceur_app_28_0 base_typeattr_280_28_0 (service_manager (find)))
-(dontaudit traceur_app_28_0 service_manager_type (service_manager (find)))
-(dontaudit traceur_app_28_0 hwservice_manager_type (hwservice_manager (find)))
-(dontaudit traceur_app_28_0 domain (binder (call)))
-(allow tzdatacheck_28_0 zoneinfo_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow tzdatacheck_28_0 zoneinfo_data_file_28_0 (file (unlink)))
-(neverallow base_typeattr_283_28_0 zoneinfo_data_file_28_0 (file (write create setattr relabelfrom append unlink link rename)))
-(neverallow base_typeattr_283_28_0 zoneinfo_data_file_28_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
-(allow ueventd_28_0 kmsg_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow ueventd_28_0 self (capability (chown dac_override fowner fsetid setgid net_admin sys_rawio mknod)))
-(allow ueventd_28_0 self (cap_userns (chown dac_override fowner fsetid setgid net_admin sys_rawio mknod)))
-(allow ueventd_28_0 device_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow ueventd_28_0 rootfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow ueventd_28_0 rootfs_28_0 (file (ioctl read getattr lock map open)))
-(allow ueventd_28_0 rootfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow ueventd_28_0 sysfs_type (file (write lock append map open)))
-(allow ueventd_28_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow ueventd_28_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow ueventd_28_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow ueventd_28_0 sysfs_type (file (setattr relabelfrom relabelto)))
-(allow ueventd_28_0 sysfs_type (lnk_file (setattr relabelfrom relabelto)))
-(allow ueventd_28_0 sysfs_type (dir (setattr relabelfrom relabelto)))
-(allow ueventd_28_0 tmpfs_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow ueventd_28_0 dev_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow ueventd_28_0 dev_type (lnk_file (create unlink)))
-(allow ueventd_28_0 dev_type (chr_file (create getattr setattr unlink)))
-(allow ueventd_28_0 dev_type (blk_file (create getattr setattr relabelfrom relabelto unlink)))
-(allow ueventd_28_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow ueventd_28_0 efs_file_28_0 (dir (search)))
-(allow ueventd_28_0 efs_file_28_0 (file (ioctl read getattr lock map open)))
-(allow ueventd_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow ueventd_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow ueventd_28_0 selinuxfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow ueventd_28_0 base_typeattr_284_28_0 (dir (ioctl read getattr lock search open)))
-(allow ueventd_28_0 base_typeattr_284_28_0 (file (ioctl read getattr lock map open)))
-(allow ueventd_28_0 base_typeattr_284_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow ueventd_28_0 file_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow ueventd_28_0 self (process (setfscreate)))
-(allow ueventd_28_0 proc_cmdline_28_0 (file (ioctl read getattr lock map open)))
-(neverallow ueventd_28_0 property_socket_28_0 (sock_file (write)))
-(neverallow ueventd_28_0 init_28_0 (unix_stream_socket (connectto)))
-(neverallow ueventd_28_0 property_type (property_service (set)))
-(neverallow ueventd_28_0 dev_type (blk_file (ioctl read write lock append map link rename execute quotaon mounton open audit_access execmod)))
-(neverallow ueventd_28_0 kmem_device_28_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow ueventd_28_0 port_device_28_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(allow uncrypt_28_0 self (capability (dac_override)))
-(allow uncrypt_28_0 self (cap_userns (dac_override)))
-(allow uncrypt_28_0 app_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_28_0 app_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_28_0 app_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow uncrypt_28_0 shell_data_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_28_0 shell_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_28_0 shell_data_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow uncrypt_28_0 cache_file_28_0 (dir (search)))
-(allow uncrypt_28_0 cache_recovery_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow uncrypt_28_0 cache_recovery_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow uncrypt_28_0 ota_package_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_28_0 ota_package_file_28_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_28_0 uncrypt_socket_28_0 (sock_file (write)))
-(allow uncrypt_28_0 uncrypt_28_0 (unix_stream_socket (connectto)))
-(allow uncrypt_28_0 property_socket_28_0 (sock_file (write)))
-(allow uncrypt_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow uncrypt_28_0 powerctl_prop_28_0 (property_service (set)))
-(allow uncrypt_28_0 powerctl_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_28_0 self (capability (sys_rawio)))
-(allow uncrypt_28_0 self (cap_userns (sys_rawio)))
-(allow uncrypt_28_0 misc_block_device_28_0 (blk_file (write lock append map open)))
-(allow uncrypt_28_0 block_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_28_0 userdata_block_device_28_0 (blk_file (write lock append map open)))
-(allow uncrypt_28_0 rootfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_28_0 rootfs_28_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_28_0 rootfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow uncrypt_28_0 proc_cmdline_28_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_28_0 sysfs_dt_firmware_android_28_0 (dir (ioctl read getattr lock search open)))
-(allow uncrypt_28_0 sysfs_dt_firmware_android_28_0 (file (ioctl read getattr lock map open)))
-(allow uncrypt_28_0 sysfs_dt_firmware_android_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow update_engine_28_0 qtaguid_proc_28_0 (file (ioctl read write getattr lock append map open)))
-(allow update_engine_28_0 qtaguid_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow update_engine_28_0 self (process (setsched)))
-(allow update_engine_28_0 self (capability (fowner sys_admin)))
-(allow update_engine_28_0 self (cap_userns (fowner sys_admin)))
-(dontaudit update_engine_28_0 self (capability (fsetid)))
-(dontaudit update_engine_28_0 self (cap_userns (fsetid)))
-(allow update_engine_28_0 kmsg_device_28_0 (chr_file (write lock append map open)))
-(allow update_engine_28_0 update_engine_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow update_engine_28_0 sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow update_engine_28_0 self (capability2 (block_suspend)))
-(allow update_engine_28_0 self (cap2_userns (block_suspend)))
-(dontaudit update_engine_28_0 kernel_28_0 (process (setsched)))
-(dontaudit update_engine_28_0 self (capability (sys_rawio)))
-(allow update_engine_28_0 update_engine_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow update_engine_28_0 update_engine_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow update_engine_28_0 update_engine_log_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow update_engine_28_0 update_engine_log_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(dontaudit update_engine_28_0 kernel_28_0 (system (module_request)))
-(allow update_engine_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 update_engine_28_0 (dir (search)))
-(allow servicemanager_28_0 update_engine_28_0 (file (read open)))
-(allow servicemanager_28_0 update_engine_28_0 (process (getattr)))
-(allow update_engine_28_0 update_engine_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_285_28_0 update_engine_service_28_0 (service_manager (add)))
-(allow update_engine_28_0 priv_app_28_0 (binder (call transfer)))
-(allow priv_app_28_0 update_engine_28_0 (binder (transfer)))
-(allow update_engine_28_0 priv_app_28_0 (fd (use)))
-(allow update_engine_28_0 ota_package_file_28_0 (file (ioctl read getattr lock map open)))
-(allow update_engine_28_0 ota_package_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow update_engine_28_0 proc_misc_28_0 (file (ioctl read getattr lock map open)))
-(allow update_engine_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow update_engine_common block_device_28_0 (dir (search)))
-(allow update_engine_common boot_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow update_engine_common system_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow update_engine_common misc_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow update_engine_common rootfs_28_0 (dir (getattr)))
-(allow update_engine_common rootfs_28_0 (file (ioctl read getattr lock map open)))
-(allow update_engine_common postinstall_mnt_dir_28_0 (dir (getattr mounton search)))
-(allow update_engine_common postinstall_file_28_0 (filesystem (mount unmount relabelfrom relabelto)))
-(allow update_engine_common labeledfs_28_0 (filesystem (relabelfrom)))
-(allow update_engine_common postinstall_file_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow update_engine_common postinstall_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow update_engine_common postinstall_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow update_engine_common cache_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow update_engine_common cache_file_28_0 (file (ioctl read getattr lock map open)))
-(allow update_engine_common cache_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow update_engine_common shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow update_engine_common postinstall_28_0 (process (sigkill sigstop signal)))
-(allow update_engine_common proc_cmdline_28_0 (file (ioctl read getattr lock map open)))
-(allow update_engine_common sysfs_dt_firmware_android_28_0 (dir (ioctl read getattr lock search open)))
-(allow update_engine_common sysfs_dt_firmware_android_28_0 (file (ioctl read getattr lock map open)))
-(allow update_engine_common sysfs_dt_firmware_android_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow update_verifier_28_0 block_device_28_0 (dir (search)))
-(allow update_verifier_28_0 ota_package_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow update_verifier_28_0 ota_package_file_28_0 (file (ioctl read getattr lock map open)))
-(allow update_verifier_28_0 sysfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow update_verifier_28_0 sysfs_dm_28_0 (dir (ioctl read getattr lock search open)))
-(allow update_verifier_28_0 sysfs_dm_28_0 (file (ioctl read getattr lock map open)))
-(allow update_verifier_28_0 dm_device_28_0 (blk_file (ioctl read getattr lock map open)))
-(allow update_verifier_28_0 kmsg_device_28_0 (chr_file (write lock append map open)))
-(allow update_verifier_28_0 property_socket_28_0 (sock_file (write)))
-(allow update_verifier_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow update_verifier_28_0 powerctl_prop_28_0 (property_service (set)))
-(allow update_verifier_28_0 powerctl_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vdc_28_0 devpts_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vdc_28_0 kmsg_device_28_0 (chr_file (write lock append map open)))
-(allow vdc_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 vdc_28_0 (dir (search)))
-(allow servicemanager_28_0 vdc_28_0 (file (read open)))
-(allow servicemanager_28_0 vdc_28_0 (process (getattr)))
-(allow vdc_28_0 vold_28_0 (binder (call transfer)))
-(allow vold_28_0 vdc_28_0 (binder (transfer)))
-(allow vdc_28_0 vold_28_0 (fd (use)))
-(allow vdc_28_0 vold_service_28_0 (service_manager (find)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (read write)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (tcp_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (udp_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (rawip_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (packet_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (key_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (unix_stream_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (unix_dgram_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_route_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_tcpdiag_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_nflog_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_xfrm_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_selinux_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_audit_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_dnrt_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_kobject_uevent_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (appletalk_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (tun_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_iscsi_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_fib_lookup_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_connector_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_netfilter_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_generic_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_scsitransport_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_rdma_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netlink_crypto_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (sctp_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (icmp_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (ax25_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (ipx_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (netrom_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (atmpvc_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (x25_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (rose_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (decnet_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (atmsvc_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (rds_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (irda_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (pppox_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (llc_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (can_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (tipc_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (bluetooth_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (iucv_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (rxrpc_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (isdn_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (phonet_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (ieee802154_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (caif_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (alg_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (nfc_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (vsock_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (kcm_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (qipcrtr_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (smc_socket (connect sendto)))
-(neverallow vendor_init_28_0 base_typeattr_286_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 kmsg_device_28_0 (chr_file (write open)))
-(allow vendor_init_28_0 device_28_0 (dir (mounton)))
-(allow vendor_init_28_0 rootfs_28_0 (lnk_file (create unlink)))
-(allow vendor_init_28_0 cgroup_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vendor_init_28_0 configfs_28_0 (dir (mounton)))
-(allow vendor_init_28_0 configfs_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vendor_init_28_0 configfs_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vendor_init_28_0 configfs_28_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vendor_init_28_0 self (capability (dac_override)))
-(allow vendor_init_28_0 self (cap_userns (dac_override)))
-(allow vendor_init_28_0 self (capability (chown fowner fsetid)))
-(allow vendor_init_28_0 self (cap_userns (chown fowner fsetid)))
-(allow vendor_init_28_0 unencrypted_data_file_28_0 (dir (search)))
-(allow vendor_init_28_0 unencrypted_data_file_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 system_data_file_28_0 (dir (getattr)))
-(allow vendor_init_28_0 base_typeattr_287_28_0 (dir (ioctl read write create getattr setattr relabelfrom add_name remove_name search rmdir open)))
-(allow vendor_init_28_0 base_typeattr_288_28_0 (file (read write create getattr setattr relabelfrom unlink open)))
-(allow vendor_init_28_0 base_typeattr_287_28_0 (sock_file (read create getattr setattr relabelfrom unlink open)))
-(allow vendor_init_28_0 base_typeattr_287_28_0 (fifo_file (read create getattr setattr relabelfrom unlink open)))
-(allow vendor_init_28_0 base_typeattr_287_28_0 (lnk_file (create getattr setattr relabelfrom unlink)))
-(allow vendor_init_28_0 base_typeattr_289_28_0 (file (relabelto)))
-(allow vendor_init_28_0 base_typeattr_289_28_0 (dir (relabelto)))
-(allow vendor_init_28_0 base_typeattr_289_28_0 (lnk_file (relabelto)))
-(allow vendor_init_28_0 base_typeattr_289_28_0 (chr_file (relabelto)))
-(allow vendor_init_28_0 base_typeattr_289_28_0 (blk_file (relabelto)))
-(allow vendor_init_28_0 base_typeattr_289_28_0 (sock_file (relabelto)))
-(allow vendor_init_28_0 base_typeattr_289_28_0 (fifo_file (relabelto)))
-(allow vendor_init_28_0 dev_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vendor_init_28_0 dev_type (lnk_file (create)))
-(allow vendor_init_28_0 debugfs_tracing_28_0 (file (write lock append map open)))
-(allow vendor_init_28_0 base_typeattr_290_28_0 (file (read setattr open)))
-(allow vendor_init_28_0 base_typeattr_290_28_0 (dir (read setattr search open)))
-(allow vendor_init_28_0 base_typeattr_291_28_0 (chr_file (setattr)))
-(allow vendor_init_28_0 dev_type (blk_file (getattr)))
-(allow vendor_init_28_0 proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow vendor_init_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 proc_net_28_0 (file (write lock append map open)))
-(allow vendor_init_28_0 self (capability (net_admin)))
-(allow vendor_init_28_0 self (cap_userns (net_admin)))
-(allow vendor_init_28_0 proc_page_cluster_28_0 (file (write lock append map open)))
-(allow vendor_init_28_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow vendor_init_28_0 sysfs_type (lnk_file (read)))
-(allow vendor_init_28_0 base_typeattr_292_28_0 (file (ioctl read write getattr lock append map open)))
-(allow vendor_init_28_0 self (process (setfscreate)))
-(allow vendor_init_28_0 vendor_file_type (dir (ioctl read getattr lock search open)))
-(allow vendor_init_28_0 vendor_file_type (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 vendor_file_type (lnk_file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 serialno_prop_28_0 (file (read getattr open)))
-(allow vendor_init_28_0 self (capability (sys_admin)))
-(allow vendor_init_28_0 self (cap_userns (sys_admin)))
-(allow vendor_init_28_0 misc_block_device_28_0 (blk_file (write lock append map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 bluetooth_a2dp_offload_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 bluetooth_a2dp_offload_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 debug_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 debug_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported_audio_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported_audio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported_bluetooth_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported_bluetooth_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported_config_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported_config_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported_dalvik_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported_dalvik_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported_default_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported_ffs_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported_ffs_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported_overlay_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported_overlay_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported_pm_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported_pm_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported_radio_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported_system_radio_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported_system_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported_wifi_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported_wifi_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported2_config_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported2_config_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported2_system_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported2_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported2_vold_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported2_vold_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported3_default_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported3_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 exported3_radio_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 exported3_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 logd_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 logd_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 log_tag_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 log_tag_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 log_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 log_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 serialno_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 serialno_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 vendor_default_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 vendor_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 vendor_security_patch_level_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 vendor_security_patch_level_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 property_socket_28_0 (sock_file (write)))
-(allow vendor_init_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vendor_init_28_0 wifi_log_prop_28_0 (property_service (set)))
-(allow vendor_init_28_0 wifi_log_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 exported2_radio_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 exported3_system_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_shell_28_0 vendor_shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow vendor_shell_28_0 vendor_toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow vendor_shell_28_0 shell_28_0 (fd (use)))
-(allow vendor_shell_28_0 adbd_28_0 (fd (use)))
-(allow vendor_shell_28_0 adbd_28_0 (process (sigchld)))
-(allow vendor_shell_28_0 adbd_28_0 (unix_stream_socket (ioctl read write getattr)))
-(allow vendor_shell_28_0 devpts_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vendor_shell_28_0 tty_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vendor_shell_28_0 console_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vendor_shell_28_0 input_device_28_0 (dir (ioctl read getattr lock search open)))
-(allow vendor_shell_28_0 input_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(neverallow base_typeattr_293_28_0 vendor_toolbox_exec_28_0 (file (execute execute_no_trans entrypoint)))
-(allow virtual_touchpad_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 virtual_touchpad_28_0 (dir (search)))
-(allow servicemanager_28_0 virtual_touchpad_28_0 (file (read open)))
-(allow servicemanager_28_0 virtual_touchpad_28_0 (process (getattr)))
-(allow virtual_touchpad_28_0 virtual_touchpad_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_294_28_0 virtual_touchpad_service_28_0 (service_manager (add)))
-(allow virtual_touchpad_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 virtual_touchpad_28_0 (binder (transfer)))
-(allow virtual_touchpad_28_0 system_server_28_0 (fd (use)))
-(allow virtual_touchpad_28_0 uhid_device_28_0 (chr_file (ioctl write lock append map open)))
-(allow virtual_touchpad_28_0 permission_service_28_0 (service_manager (find)))
-(allow vold_28_0 cache_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow vold_28_0 cache_file_28_0 (file (read getattr)))
-(allow vold_28_0 cache_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow vold_28_0 proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow vold_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow vold_28_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow vold_28_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow vold_28_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow vold_28_0 sysfs_28_0 (file (write lock append map open)))
-(allow vold_28_0 sysfs_dm_28_0 (file (write lock append map open)))
-(allow vold_28_0 sysfs_usb_28_0 (file (write lock append map open)))
-(allow vold_28_0 sysfs_zram_uevent_28_0 (file (write lock append map open)))
-(allow vold_28_0 rootfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow vold_28_0 rootfs_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 rootfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow vold_28_0 metadata_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow vold_28_0 metadata_file_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 metadata_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow vold_28_0 proc_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 proc_drop_caches_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 proc_cmdline_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 proc_filesystems_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 proc_meminfo_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 proc_mounts_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 file_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 self (process (setexec)))
-(allow vold_28_0 shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow vold_28_0 e2fs_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow vold_28_0 self (process (setfscreate)))
-(allow vold_28_0 system_file_28_0 (file (getattr map execute execute_no_trans)))
-(allow vold_28_0 block_device_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 device_28_0 (dir (write)))
-(allow vold_28_0 devpts_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vold_28_0 rootfs_28_0 (dir (mounton)))
-(allow vold_28_0 sdcard_type (dir (mounton)))
-(allow vold_28_0 sdcard_type (filesystem (mount remount unmount)))
-(allow vold_28_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 sdcard_type (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_28_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 mnt_media_rw_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 storage_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 sdcard_type (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_28_0 mnt_media_rw_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_28_0 storage_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_28_0 media_rw_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 media_rw_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_28_0 mnt_media_rw_stub_file_28_0 (dir (create getattr setattr mounton rmdir)))
-(allow vold_28_0 storage_stub_file_28_0 (dir (create getattr setattr mounton rmdir)))
-(allow vold_28_0 mnt_user_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 mnt_user_file_28_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_28_0 mnt_expand_file_28_0 (dir (ioctl read write create getattr setattr lock rename mounton add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 apk_data_file_28_0 (dir (create getattr setattr)))
-(allow vold_28_0 shell_data_file_28_0 (dir (create getattr setattr)))
-(allow vold_28_0 tmpfs_28_0 (filesystem (mount unmount)))
-(allow vold_28_0 tmpfs_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 tmpfs_28_0 (dir (mounton)))
-(allow vold_28_0 self (capability (chown dac_override fowner fsetid net_admin sys_admin mknod)))
-(allow vold_28_0 self (cap_userns (chown dac_override fowner fsetid net_admin sys_admin mknod)))
-(allow vold_28_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow vold_28_0 app_data_file_28_0 (dir (search)))
-(allow vold_28_0 app_data_file_28_0 (file (ioctl read write getattr lock append map open)))
-(allow vold_28_0 loop_control_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vold_28_0 loop_device_28_0 (blk_file (ioctl read write create getattr setattr lock append map unlink open)))
-(allow vold_28_0 vold_device_28_0 (blk_file (ioctl read write create getattr setattr lock append map unlink open)))
-(allow vold_28_0 dm_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vold_28_0 dm_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow vold_28_0 domain (dir (ioctl read getattr lock search open)))
-(allow vold_28_0 domain (file (ioctl read getattr lock map open)))
-(allow vold_28_0 domain (lnk_file (ioctl read getattr lock map open)))
-(allow vold_28_0 domain (process (sigkill signal)))
-(allow vold_28_0 self (capability (kill sys_ptrace)))
-(allow vold_28_0 self (cap_userns (kill sys_ptrace)))
-(allow vold_28_0 kmsg_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vold_28_0 fsck_exec_28_0 (file (ioctl read getattr lock map execute open)))
-(allow vold_28_0 fscklogs_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow vold_28_0 fscklogs_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_28_0 labeledfs_28_0 (filesystem (mount unmount)))
-(allow vold_28_0 efs_file_28_0 (file (ioctl read write getattr lock append map open)))
-(allow vold_28_0 system_data_file_28_0 (dir (ioctl read write create getattr setattr lock mounton add_name remove_name search rmdir open)))
-(allow vold_28_0 system_data_file_28_0 (lnk_file (getattr)))
-(allow vold_28_0 vendor_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 system_data_file_28_0 (file (read)))
-(allow vold_28_0 kernel_28_0 (process (setsched)))
-(allow vold_28_0 property_socket_28_0 (sock_file (write)))
-(allow vold_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vold_28_0 vold_prop_28_0 (property_service (set)))
-(allow vold_28_0 vold_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 property_socket_28_0 (sock_file (write)))
-(allow vold_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vold_28_0 exported_vold_prop_28_0 (property_service (set)))
-(allow vold_28_0 exported_vold_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 property_socket_28_0 (sock_file (write)))
-(allow vold_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vold_28_0 exported2_vold_prop_28_0 (property_service (set)))
-(allow vold_28_0 exported2_vold_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 property_socket_28_0 (sock_file (write)))
-(allow vold_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vold_28_0 powerctl_prop_28_0 (property_service (set)))
-(allow vold_28_0 powerctl_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 property_socket_28_0 (sock_file (write)))
-(allow vold_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vold_28_0 ctl_fuse_prop_28_0 (property_service (set)))
-(allow vold_28_0 ctl_fuse_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 property_socket_28_0 (sock_file (write)))
-(allow vold_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow vold_28_0 restorecon_prop_28_0 (property_service (set)))
-(allow vold_28_0 restorecon_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow vold_28_0 asec_image_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_28_0 asec_image_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow vold_28_0 asec_apk_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename mounton add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 asec_public_file_28_0 (dir (setattr relabelto)))
-(allow vold_28_0 asec_apk_file_28_0 (file (ioctl read getattr setattr lock relabelfrom relabelto map open)))
-(allow vold_28_0 asec_public_file_28_0 (file (setattr relabelto)))
-(allow vold_28_0 unlabeled_28_0 (dir (ioctl read getattr setattr lock relabelfrom search open)))
-(allow vold_28_0 unlabeled_28_0 (file (ioctl read getattr setattr lock relabelfrom map open)))
-(allow vold_28_0 sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow vold_28_0 self (capability2 (block_suspend)))
-(allow vold_28_0 self (cap2_userns (block_suspend)))
-(allow vold_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 vold_28_0 (dir (search)))
-(allow servicemanager_28_0 vold_28_0 (file (read open)))
-(allow servicemanager_28_0 vold_28_0 (process (getattr)))
-(allow vold_28_0 vold_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_176_28_0 vold_service_28_0 (service_manager (add)))
-(allow vold_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 vold_28_0 (binder (transfer)))
-(allow vold_28_0 system_server_28_0 (fd (use)))
-(allow vold_28_0 permission_service_28_0 (service_manager (find)))
-(allow vold_28_0 healthd_28_0 (binder (call transfer)))
-(allow healthd_28_0 vold_28_0 (binder (transfer)))
-(allow vold_28_0 healthd_28_0 (fd (use)))
-(allow vold_28_0 userdata_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow vold_28_0 metadata_block_device_28_0 (blk_file (ioctl read write getattr lock append map open)))
-(allow vold_28_0 unencrypted_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_28_0 unencrypted_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 proc_drop_caches_28_0 (file (write lock append map open)))
-(allow vold_28_0 vold_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 vold_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_28_0 vold_metadata_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 vold_metadata_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow vold_28_0 init_28_0 (key (write search setattr)))
-(allow vold_28_0 vold_28_0 (key (write search setattr)))
-(allow vold_28_0 self (capability (sys_nice)))
-(allow vold_28_0 self (cap_userns (sys_nice)))
-(allow vold_28_0 self (capability (sys_chroot)))
-(allow vold_28_0 self (cap_userns (sys_chroot)))
-(allow vold_28_0 storage_file_28_0 (dir (mounton)))
-(allow vold_28_0 fuse_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vold_28_0 fuse_28_0 (filesystem (relabelfrom)))
-(allow vold_28_0 app_fusefs_28_0 (filesystem (relabelfrom relabelto)))
-(allow vold_28_0 app_fusefs_28_0 (filesystem (mount unmount)))
-(allow vold_28_0 toolbox_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow vold_28_0 user_profile_data_file_28_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow vold_28_0 misc_block_device_28_0 (blk_file (write lock append map open)))
-(neverallow base_typeattr_295_28_0 vold_data_file_28_0 (dir (write lock relabelfrom append map unlink link rename execute quotaon mounton add_name remove_name reparent rmdir audit_access execmod)))
-(neverallow base_typeattr_296_28_0 vold_data_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow base_typeattr_297_28_0 vold_metadata_file_28_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
-(neverallow base_typeattr_298_28_0 vold_data_file_28_0 (file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_298_28_0 vold_data_file_28_0 (lnk_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_298_28_0 vold_data_file_28_0 (sock_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_298_28_0 vold_data_file_28_0 (fifo_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_296_28_0 vold_metadata_file_28_0 (file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_296_28_0 vold_metadata_file_28_0 (lnk_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_296_28_0 vold_metadata_file_28_0 (sock_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_296_28_0 vold_metadata_file_28_0 (fifo_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_299_28_0 vold_metadata_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_299_28_0 vold_metadata_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_299_28_0 vold_metadata_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_299_28_0 vold_metadata_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_299_28_0 vold_data_file_28_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
-(neverallow base_typeattr_299_28_0 vold_data_file_28_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_299_28_0 vold_data_file_28_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_299_28_0 vold_data_file_28_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
-(neverallow base_typeattr_174_28_0 restorecon_prop_28_0 (property_service (set)))
-(neverallow base_typeattr_300_28_0 vold_service_28_0 (service_manager (find)))
-(neverallow vold_28_0 base_typeattr_301_28_0 (binder (call)))
-(neverallow vold_28_0 fsck_exec_28_0 (file (execute_no_trans)))
-(neverallow base_typeattr_69_28_0 vold_28_0 (process (transition dyntransition)))
-(neverallow vold_28_0 base_typeattr_59_28_0 (process (ptrace)))
-(neverallow vold_28_0 base_typeattr_59_28_0 (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
-(allow vr_hwc_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 vr_hwc_28_0 (dir (search)))
-(allow servicemanager_28_0 vr_hwc_28_0 (file (read open)))
-(allow servicemanager_28_0 vr_hwc_28_0 (process (getattr)))
-(allow vr_hwc_28_0 surfaceflinger_28_0 (binder (call transfer)))
-(allow surfaceflinger_28_0 vr_hwc_28_0 (binder (transfer)))
-(allow vr_hwc_28_0 surfaceflinger_28_0 (fd (use)))
-(allow vr_hwc_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 vr_hwc_28_0 (binder (transfer)))
-(allow vr_hwc_28_0 system_server_28_0 (fd (use)))
-(allow vr_hwc_28_0 vr_hwc_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_302_28_0 vr_hwc_service_28_0 (service_manager (add)))
-(allow vr_hwc_28_0 hwservicemanager_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 vr_hwc_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 vr_hwc_28_0 (dir (search)))
-(allow hwservicemanager_28_0 vr_hwc_28_0 (file (read open)))
-(allow hwservicemanager_28_0 vr_hwc_28_0 (process (getattr)))
-(allow vr_hwc_28_0 system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow vr_hwc_28_0 ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow vr_hwc_28_0 pdx_display_client_endpoint_dir_type (dir (ioctl read getattr lock search open)))
-(allow vr_hwc_28_0 pdx_display_client_endpoint_socket_type (sock_file (ioctl read write getattr lock append map open)))
-(allow vr_hwc_28_0 pdx_display_client_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
-(allow vr_hwc_28_0 pdx_display_client_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
-(allow vr_hwc_28_0 pdx_display_client_server_type (fd (use)))
-(allow pdx_display_client_server_type vr_hwc_28_0 (fd (use)))
-(allow vr_hwc_28_0 permission_service_28_0 (service_manager (find)))
-(allow watchdogd_28_0 watchdog_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow watchdogd_28_0 kmsg_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow wificond_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 wificond_28_0 (dir (search)))
-(allow servicemanager_28_0 wificond_28_0 (file (read open)))
-(allow servicemanager_28_0 wificond_28_0 (process (getattr)))
-(allow wificond_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 wificond_28_0 (binder (transfer)))
-(allow wificond_28_0 system_server_28_0 (fd (use)))
-(allow wificond_28_0 wificond_service_28_0 (service_manager (add find)))
-(neverallow base_typeattr_303_28_0 wificond_service_28_0 (service_manager (add)))
-(allow wificond_28_0 property_socket_28_0 (sock_file (write)))
-(allow wificond_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow wificond_28_0 exported_wifi_prop_28_0 (property_service (set)))
-(allow wificond_28_0 exported_wifi_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow wificond_28_0 property_socket_28_0 (sock_file (write)))
-(allow wificond_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow wificond_28_0 wifi_prop_28_0 (property_service (set)))
-(allow wificond_28_0 wifi_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow wificond_28_0 property_socket_28_0 (sock_file (write)))
-(allow wificond_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow wificond_28_0 ctl_default_prop_28_0 (property_service (set)))
-(allow wificond_28_0 ctl_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow wificond_28_0 self (udp_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx wificond_28_0 self (ioctl udp_socket (0x8914 0x8924)))
-(allow wificond_28_0 self (capability (net_admin net_raw)))
-(allow wificond_28_0 self (cap_userns (net_admin net_raw)))
-(allow wificond_28_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow wificond_28_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow wificond_28_0 proc_net_28_0 (dir (ioctl read getattr lock search open)))
-(allow wificond_28_0 proc_net_28_0 (file (ioctl read getattr lock map open)))
-(allow wificond_28_0 proc_net_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow wificond_28_0 permission_service_28_0 (service_manager (find)))
-(allow wificond_28_0 dumpstate_28_0 (fd (use)))
-(allow wificond_28_0 dumpstate_28_0 (fifo_file (write)))
-(allow wpantund_28_0 servicemanager_28_0 (binder (call transfer)))
-(allow servicemanager_28_0 wpantund_28_0 (dir (search)))
-(allow servicemanager_28_0 wpantund_28_0 (file (read open)))
-(allow servicemanager_28_0 wpantund_28_0 (process (getattr)))
-(allow wpantund_28_0 system_server_28_0 (binder (call transfer)))
-(allow system_server_28_0 wpantund_28_0 (binder (transfer)))
-(allow wpantund_28_0 system_server_28_0 (fd (use)))
-(allow wpantund_28_0 lowpan_service_28_0 (service_manager (find)))
-(allow wpantund_28_0 priv_app_28_0 (binder (call)))
-(allow wpantund_28_0 shell_28_0 (binder (call)))
-(allow wpantund_28_0 self (udp_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allowx wpantund_28_0 self (ioctl udp_socket (0x8914 0x8922)))
-(allow wpantund_28_0 tun_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow wpantund_28_0 self (capability (net_admin net_raw)))
-(allow wpantund_28_0 self (cap_userns (net_admin net_raw)))
-(allow wpantund_28_0 self (tun_socket (create)))
-(typeattribute base_typeattr_303_28_0)
-(typeattributeset base_typeattr_303_28_0 ((and (domain) ((not (wificond_28_0))))))
-(typeattribute base_typeattr_302_28_0)
-(typeattributeset base_typeattr_302_28_0 ((and (domain) ((not (vr_hwc_28_0))))))
-(typeattribute base_typeattr_301_28_0)
-(typeattributeset base_typeattr_301_28_0 ((and (domain) ((not (hal_keymaster_server healthd_28_0 hwservicemanager_28_0 servicemanager_28_0 su_28_0 system_server_28_0))))))
-(typeattribute base_typeattr_300_28_0)
-(typeattributeset base_typeattr_300_28_0 ((and (domain) ((not (system_server_28_0 vdc_28_0 vold_28_0))))))
-(typeattribute base_typeattr_299_28_0)
-(typeattributeset base_typeattr_299_28_0 ((and (domain) ((not (init_28_0 kernel_28_0 vendor_init_28_0 vold_28_0 vold_prepare_subdirs_28_0))))))
-(typeattribute base_typeattr_298_28_0)
-(typeattributeset base_typeattr_298_28_0 ((and (domain) ((not (kernel_28_0 vold_28_0 vold_prepare_subdirs_28_0))))))
-(typeattribute base_typeattr_297_28_0)
-(typeattributeset base_typeattr_297_28_0 ((and (domain) ((not (init_28_0 vendor_init_28_0 vold_28_0))))))
-(typeattribute base_typeattr_296_28_0)
-(typeattributeset base_typeattr_296_28_0 ((and (domain) ((not (init_28_0 vold_28_0 vold_prepare_subdirs_28_0))))))
-(typeattribute base_typeattr_295_28_0)
-(typeattributeset base_typeattr_295_28_0 ((and (domain) ((not (vold_28_0 vold_prepare_subdirs_28_0))))))
-(typeattribute base_typeattr_294_28_0)
-(typeattributeset base_typeattr_294_28_0 ((and (domain) ((not (virtual_touchpad_28_0))))))
-(typeattribute base_typeattr_293_28_0)
-(typeattributeset base_typeattr_293_28_0 ((and (coredomain) ((not (init_28_0 modprobe_28_0))))))
-(typeattribute base_typeattr_292_28_0)
-(typeattributeset base_typeattr_292_28_0 ((and (sysfs_type) ((not (sysfs_usermodehelper_28_0))))))
-(typeattribute base_typeattr_291_28_0)
-(typeattributeset base_typeattr_291_28_0 ((and (dev_type) ((not (hw_random_device_28_0 kmem_device_28_0 port_device_28_0 lowpan_device_28_0))))))
-(typeattribute base_typeattr_290_28_0)
-(typeattributeset base_typeattr_290_28_0 ((and (fs_type) ((not (contextmount_type sdcard_type rootfs_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0))))))
-(typeattribute base_typeattr_289_28_0)
-(typeattributeset base_typeattr_289_28_0 ((and (file_type) ((not (exec_type core_data_file_type vendor_file_type system_file_28_0 vold_metadata_file_28_0))))))
-(typeattribute base_typeattr_288_28_0)
-(typeattributeset base_typeattr_288_28_0 ((and (file_type) ((not (exec_type core_data_file_type vendor_file_type unlabeled_28_0 system_file_28_0 vold_metadata_file_28_0 runtime_event_log_tags_file_28_0))))))
-(typeattribute base_typeattr_287_28_0)
-(typeattributeset base_typeattr_287_28_0 ((and (file_type) ((not (exec_type core_data_file_type vendor_file_type unlabeled_28_0 system_file_28_0 vold_metadata_file_28_0))))))
-(typeattribute base_typeattr_286_28_0)
-(typeattributeset base_typeattr_286_28_0 ((and (domain) ((not (init_28_0 logd_28_0 su_28_0 vendor_init_28_0))))))
-(typeattribute base_typeattr_285_28_0)
-(typeattributeset base_typeattr_285_28_0 ((and (domain) ((not (update_engine_28_0))))))
-(typeattribute base_typeattr_284_28_0)
-(typeattributeset base_typeattr_284_28_0 ((and (vendor_file_type) ((not (vendor_app_file_28_0 vendor_overlay_file_28_0))))))
-(typeattribute base_typeattr_283_28_0)
-(typeattributeset base_typeattr_283_28_0 ((and (domain) ((not (init_28_0 system_server_28_0 tzdatacheck_28_0))))))
-(typeattribute base_typeattr_282_28_0)
-(typeattributeset base_typeattr_282_28_0 ((and (fs_type file_type) ((not (toolbox_exec_28_0))))))
-(typeattribute base_typeattr_281_28_0)
-(typeattributeset base_typeattr_281_28_0 ((and (domain) ((not (thermalserviced_28_0))))))
-(typeattribute base_typeattr_280_28_0)
-(typeattributeset base_typeattr_280_28_0 ((and (service_manager_type) ((not (gatekeeper_service_28_0 incident_service_28_0 installd_service_28_0 netd_service_28_0 virtual_touchpad_service_28_0 vold_service_28_0 vr_hwc_service_28_0))))))
-(typeattribute base_typeattr_279_28_0)
-(typeattributeset base_typeattr_279_28_0 ((and (fs_type file_type) ((not (sgdisk_exec_28_0))))))
-(typeattribute base_typeattr_278_28_0)
-(typeattributeset base_typeattr_278_28_0 ((and (domain) ((not (hwservicemanager_28_0 init_28_0 vendor_init_28_0 vndservicemanager_28_0))))))
-(typeattribute base_typeattr_277_28_0)
-(typeattributeset base_typeattr_277_28_0 ((and (appdomain) ((not (system_app_28_0))))))
-(typeattribute base_typeattr_276_28_0)
-(typeattributeset base_typeattr_276_28_0 ((and (data_file_type) ((not (cache_file_28_0 cache_recovery_file_28_0))))))
-(typeattribute base_typeattr_275_28_0)
-(typeattributeset base_typeattr_275_28_0 ((and (domain) ((not (radio_28_0))))))
-(typeattribute base_typeattr_274_28_0)
-(typeattributeset base_typeattr_274_28_0 ((and (property_type) ((not (extended_core_property_type audio_prop_28_0 boottime_prop_28_0 bluetooth_a2dp_offload_prop_28_0 bluetooth_prop_28_0 bootloader_boot_reason_prop_28_0 config_prop_28_0 cppreopt_prop_28_0 ctl_bootanim_prop_28_0 ctl_bugreport_prop_28_0 ctl_console_prop_28_0 ctl_default_prop_28_0 ctl_dumpstate_prop_28_0 ctl_fuse_prop_28_0 ctl_interface_restart_prop_28_0 ctl_interface_start_prop_28_0 ctl_interface_stop_prop_28_0 ctl_mdnsd_prop_28_0 ctl_restart_prop_28_0 ctl_rildaemon_prop_28_0 ctl_sigstop_prop_28_0 ctl_start_prop_28_0 ctl_stop_prop_28_0 dalvik_prop_28_0 debuggerd_prop_28_0 debug_prop_28_0 default_prop_28_0 device_logging_prop_28_0 dhcp_prop_28_0 dumpstate_options_prop_28_0 dumpstate_prop_28_0 exported_secure_prop_28_0 ffs_prop_28_0 fingerprint_prop_28_0 firstboot_prop_28_0 hwservicemanager_prop_28_0 last_boot_reason_prop_28_0 logd_prop_28_0 logpersistd_logging_prop_28_0 log_prop_28_0 log_tag_prop_28_0 lowpan_prop_28_0 mmc_prop_28_0 net_dns_prop_28_0 net_radio_prop_28_0 netd_stable_secret_prop_28_0 nfc_prop_28_0 overlay_prop_28_0 pan_result_prop_28_0 persist_debug_prop_28_0 persistent_properties_ready_prop_28_0 pm_prop_28_0 powerctl_prop_28_0 radio_prop_28_0 restorecon_prop_28_0 safemode_prop_28_0 serialno_prop_28_0 shell_prop_28_0 system_boot_reason_prop_28_0 system_prop_28_0 system_radio_prop_28_0 test_boot_reason_prop_28_0 traced_enabled_prop_28_0 vold_prop_28_0 wifi_log_prop_28_0 wifi_prop_28_0 vendor_security_patch_level_prop_28_0 exported_bluetooth_prop_28_0 exported_config_prop_28_0 exported_dalvik_prop_28_0 exported_default_prop_28_0 exported_dumpstate_prop_28_0 exported_ffs_prop_28_0 exported_fingerprint_prop_28_0 exported_overlay_prop_28_0 exported_pm_prop_28_0 exported_radio_prop_28_0 exported_system_prop_28_0 exported_system_radio_prop_28_0 exported_vold_prop_28_0 exported_wifi_prop_28_0 exported2_config_prop_28_0 exported2_default_prop_28_0 exported2_radio_prop_28_0 exported2_system_prop_28_0 exported2_vold_prop_28_0 exported3_default_prop_28_0 exported3_radio_prop_28_0 exported3_system_prop_28_0 vendor_default_prop_28_0))))))
-(typeattribute base_typeattr_273_28_0)
-(typeattributeset base_typeattr_273_28_0 ((and (coredomain) ((not (system_writes_vendor_properties_violators init_28_0))))))
-(typeattribute base_typeattr_272_28_0)
-(typeattributeset base_typeattr_272_28_0 ((and (core_property_type extended_core_property_type exported_dalvik_prop_28_0 exported_ffs_prop_28_0 exported_system_radio_prop_28_0 exported2_config_prop_28_0 exported2_system_prop_28_0 exported2_vold_prop_28_0 exported3_default_prop_28_0 exported3_system_prop_28_0) ((not (debug_prop_28_0 logd_prop_28_0 nfc_prop_28_0 powerctl_prop_28_0 radio_prop_28_0))))))
-(typeattribute base_typeattr_271_28_0)
-(typeattributeset base_typeattr_271_28_0 ((and (domain) ((not (coredomain hal_wifi_server vendor_init_28_0 wificond_28_0))))))
-(typeattribute base_typeattr_270_28_0)
-(typeattributeset base_typeattr_270_28_0 ((and (domain) ((not (coredomain hal_wifi_server wificond_28_0))))))
-(typeattribute base_typeattr_269_28_0)
-(typeattributeset base_typeattr_269_28_0 ((and (domain) ((not (coredomain hal_bluetooth_server bluetooth_28_0 vendor_init_28_0))))))
-(typeattribute base_typeattr_268_28_0)
-(typeattributeset base_typeattr_268_28_0 ((and (domain) ((not (coredomain hal_bluetooth_server bluetooth_28_0))))))
-(typeattribute base_typeattr_267_28_0)
-(typeattributeset base_typeattr_267_28_0 ((and (domain) ((not (appdomain coredomain hal_telephony_server))))))
-(typeattribute base_typeattr_266_28_0)
-(typeattributeset base_typeattr_266_28_0 ((and (domain) ((not (appdomain coredomain hal_telephony_server vendor_init_28_0))))))
-(typeattribute base_typeattr_265_28_0)
-(typeattributeset base_typeattr_265_28_0 ((and (domain) ((not (appdomain coredomain hal_nfc_server))))))
-(typeattribute base_typeattr_264_28_0)
-(typeattributeset base_typeattr_264_28_0 ((and (core_property_type extended_core_property_type exported_config_prop_28_0 exported_dalvik_prop_28_0 exported_default_prop_28_0 exported_dumpstate_prop_28_0 exported_ffs_prop_28_0 exported_fingerprint_prop_28_0 exported_system_prop_28_0 exported_system_radio_prop_28_0 exported_vold_prop_28_0 exported2_config_prop_28_0 exported2_default_prop_28_0 exported2_system_prop_28_0 exported2_vold_prop_28_0 exported3_default_prop_28_0 exported3_system_prop_28_0) ((not (nfc_prop_28_0 powerctl_prop_28_0 radio_prop_28_0))))))
-(typeattribute base_typeattr_263_28_0)
-(typeattributeset base_typeattr_263_28_0 ((and (domain) ((not (appdomain coredomain vendor_init_28_0))))))
-(typeattribute base_typeattr_262_28_0)
-(typeattributeset base_typeattr_262_28_0 ((and (core_property_type) ((not (audio_prop_28_0 config_prop_28_0 cppreopt_prop_28_0 dalvik_prop_28_0 debuggerd_prop_28_0 debug_prop_28_0 default_prop_28_0 dhcp_prop_28_0 dumpstate_prop_28_0 ffs_prop_28_0 fingerprint_prop_28_0 logd_prop_28_0 net_radio_prop_28_0 nfc_prop_28_0 pan_result_prop_28_0 persist_debug_prop_28_0 powerctl_prop_28_0 radio_prop_28_0 restorecon_prop_28_0 shell_prop_28_0 system_prop_28_0 system_radio_prop_28_0 vold_prop_28_0))))))
-(typeattribute base_typeattr_261_28_0)
-(typeattributeset base_typeattr_261_28_0 ((and (domain) ((not (perfprofd_28_0))))))
-(typeattribute base_typeattr_260_28_0)
-(typeattributeset base_typeattr_260_28_0 ((and (domain) ((not (performanced_28_0))))))
-(typeattribute base_typeattr_259_28_0)
-(typeattributeset base_typeattr_259_28_0 ((and (domain) ((not (init_28_0 netd_28_0))))))
-(typeattribute base_typeattr_258_28_0)
-(typeattributeset base_typeattr_258_28_0 ((and (domain) ((not (dumpstate_28_0 init_28_0 netd_28_0))))))
-(typeattribute base_typeattr_257_28_0)
-(typeattributeset base_typeattr_257_28_0 ((and (domain) ((not (dumpstate_28_0 netd_28_0 system_server_28_0))))))
-(typeattribute base_typeattr_256_28_0)
-(typeattributeset base_typeattr_256_28_0 ((and (domain) ((not (netd_28_0))))))
-(typeattribute base_typeattr_255_28_0)
-(typeattributeset base_typeattr_255_28_0 ((and (domain) ((not (mediaserver_28_0))))))
-(typeattribute base_typeattr_254_28_0)
-(typeattributeset base_typeattr_254_28_0 ((and (domain) ((not (mediametrics_28_0))))))
-(typeattribute base_typeattr_253_28_0)
-(typeattributeset base_typeattr_253_28_0 ((and (data_file_type) ((not (apk_data_file_28_0 zoneinfo_data_file_28_0))))))
-(typeattribute base_typeattr_252_28_0)
-(typeattributeset base_typeattr_252_28_0 ((and (domain) ((not (mediaextractor_28_0))))))
-(typeattribute base_typeattr_251_28_0)
-(typeattributeset base_typeattr_251_28_0 ((and (domain) ((not (mediadrmserver_28_0))))))
-(typeattribute base_typeattr_250_28_0)
-(typeattributeset base_typeattr_250_28_0 ((and (domain) ((not (mediacodec_28_0))))))
-(typeattribute base_typeattr_249_28_0)
-(typeattributeset base_typeattr_249_28_0 ((and (domain) ((not (init_28_0 logd_28_0))))))
-(typeattribute base_typeattr_248_28_0)
-(typeattributeset base_typeattr_248_28_0 ((and (domain) ((not (crash_dump_28_0))))))
-(typeattribute base_typeattr_247_28_0)
-(typeattributeset base_typeattr_247_28_0 ((and (domain) ((not (init_28_0 keystore_28_0))))))
-(typeattribute base_typeattr_246_28_0)
-(typeattributeset base_typeattr_246_28_0 ((and (domain) ((not (keystore_28_0))))))
-(typeattribute base_typeattr_245_28_0)
-(typeattributeset base_typeattr_245_28_0 ((and (domain) ((not (servicemanager_28_0 su_28_0 system_server_28_0))))))
-(typeattribute base_typeattr_244_28_0)
-(typeattributeset base_typeattr_244_28_0 ((and (domain) ((not (dumpstate_28_0 system_server_28_0))))))
-(typeattribute base_typeattr_243_28_0)
-(typeattributeset base_typeattr_243_28_0 ((and (domain) ((not (dumpstate_28_0 installd_28_0 system_server_28_0))))))
-(typeattribute base_typeattr_242_28_0)
-(typeattributeset base_typeattr_242_28_0 ((and (domain) ((not (installd_28_0))))))
-(typeattribute base_typeattr_241_28_0)
-(typeattributeset base_typeattr_241_28_0 ((and (domain) ((not (inputflinger_28_0))))))
-(typeattribute base_typeattr_240_28_0)
-(typeattributeset base_typeattr_240_28_0 ((and (fs_type file_type) ((not (init_exec_28_0))))))
-(typeattribute base_typeattr_239_28_0)
-(typeattributeset base_typeattr_239_28_0 ((and (dev_type) ((not (kmem_device_28_0 port_device_28_0))))))
-(typeattribute base_typeattr_238_28_0)
-(typeattributeset base_typeattr_238_28_0 ((and (dev_type) ((not (device_28_0 alarm_device_28_0 ashmem_device_28_0 binder_device_28_0 hwbinder_device_28_0 dm_device_28_0 keychord_device_28_0 console_device_28_0 hw_random_device_28_0 kmem_device_28_0 port_device_28_0 ptmx_device_28_0 kmsg_device_28_0 null_device_28_0 random_device_28_0 owntty_device_28_0 zero_device_28_0 devpts_28_0))))))
-(typeattribute base_typeattr_237_28_0)
-(typeattributeset base_typeattr_237_28_0 ((and (dev_type) ((not (device_28_0 vndbinder_device_28_0 kmem_device_28_0 port_device_28_0))))))
-(typeattribute base_typeattr_236_28_0)
-(typeattributeset base_typeattr_236_28_0 ((and (fs_type) ((not (contextmount_type sdcard_type rootfs_28_0))))))
-(typeattribute base_typeattr_235_28_0)
-(typeattributeset base_typeattr_235_28_0 ((and (fs_type) ((not (contextmount_type sysfs_type sdcard_type rootfs_28_0 proc_28_0))))))
-(typeattribute base_typeattr_234_28_0)
-(typeattributeset base_typeattr_234_28_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_28_0))))))
-(typeattribute base_typeattr_233_28_0)
-(typeattributeset base_typeattr_233_28_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_28_0 runtime_event_log_tags_file_28_0 shell_data_file_28_0 nativetest_data_file_28_0 keystore_data_file_28_0 vold_data_file_28_0 app_data_file_28_0 system_app_data_file_28_0 misc_logd_file_28_0))))))
-(typeattribute base_typeattr_232_28_0)
-(typeattributeset base_typeattr_232_28_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_28_0 shell_data_file_28_0 nativetest_data_file_28_0 keystore_data_file_28_0 vold_data_file_28_0 app_data_file_28_0 system_app_data_file_28_0 misc_logd_file_28_0))))))
-(typeattribute base_typeattr_231_28_0)
-(typeattributeset base_typeattr_231_28_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_28_0 nativetest_data_file_28_0 app_data_file_28_0 system_app_data_file_28_0 misc_logd_file_28_0))))))
-(typeattribute base_typeattr_230_28_0)
-(typeattributeset base_typeattr_230_28_0 ((and (domain) ((not (hal_wifi_supplicant_server))))))
-(typeattribute base_typeattr_229_28_0)
-(typeattributeset base_typeattr_229_28_0 ((and (domain) ((not (hal_wifi_offload_server))))))
-(typeattribute base_typeattr_228_28_0)
-(typeattributeset base_typeattr_228_28_0 ((and (domain) ((not (hal_wifi_hostapd_server))))))
-(typeattribute base_typeattr_227_28_0)
-(typeattributeset base_typeattr_227_28_0 ((and (domain) ((not (hal_wifi_server))))))
-(typeattribute base_typeattr_226_28_0)
-(typeattributeset base_typeattr_226_28_0 ((and (domain) ((not (hal_weaver_server))))))
-(typeattribute base_typeattr_225_28_0)
-(typeattributeset base_typeattr_225_28_0 ((and (domain) ((not (hal_vr_server))))))
-(typeattribute base_typeattr_224_28_0)
-(typeattributeset base_typeattr_224_28_0 ((and (domain) ((not (hal_vibrator_server))))))
-(typeattribute base_typeattr_223_28_0)
-(typeattributeset base_typeattr_223_28_0 ((and (domain) ((not (hal_vehicle_server))))))
-(typeattribute base_typeattr_222_28_0)
-(typeattributeset base_typeattr_222_28_0 ((and (domain) ((not (hal_usb_gadget_server))))))
-(typeattribute base_typeattr_221_28_0)
-(typeattributeset base_typeattr_221_28_0 ((and (domain) ((not (hal_usb_server))))))
-(typeattribute base_typeattr_220_28_0)
-(typeattributeset base_typeattr_220_28_0 ((and (domain) ((not (hal_tv_input_server))))))
-(typeattribute base_typeattr_219_28_0)
-(typeattributeset base_typeattr_219_28_0 ((and (domain) ((not (hal_tv_cec_server))))))
-(typeattribute base_typeattr_218_28_0)
-(typeattributeset base_typeattr_218_28_0 ((and (domain) ((not (hal_thermal_server))))))
-(typeattribute base_typeattr_217_28_0)
-(typeattributeset base_typeattr_217_28_0 ((and (domain) ((not (hal_telephony_server))))))
-(typeattribute base_typeattr_216_28_0)
-(typeattributeset base_typeattr_216_28_0 ((and (domain) ((not (hal_sensors_server))))))
-(typeattribute base_typeattr_215_28_0)
-(typeattributeset base_typeattr_215_28_0 ((and (domain) ((not (hal_secure_element_server))))))
-(typeattribute base_typeattr_214_28_0)
-(typeattributeset base_typeattr_214_28_0 ((and (domain) ((not (hal_power_server))))))
-(typeattribute base_typeattr_213_28_0)
-(typeattributeset base_typeattr_213_28_0 ((and (domain) ((not (hal_oemlock_server))))))
-(typeattribute base_typeattr_212_28_0)
-(typeattributeset base_typeattr_212_28_0 ((and (domain) ((not (hal_nfc_server))))))
-(typeattribute base_typeattr_211_28_0)
-(typeattributeset base_typeattr_211_28_0 ((and (halserverdomain) ((not (hal_dumpstate_server hal_telephony_server))))))
-(typeattribute base_typeattr_210_28_0)
-(typeattributeset base_typeattr_210_28_0 ((and (halserverdomain) ((not (hal_automotive_socket_exemption hal_telephony_server hal_tetheroffload_server hal_wifi_server hal_wifi_hostapd_server hal_wifi_supplicant_server))))))
-(typeattribute base_typeattr_209_28_0)
-(typeattributeset base_typeattr_209_28_0 ((and (halserverdomain) ((not (hal_bluetooth_server hal_telephony_server hal_wifi_server hal_wifi_hostapd_server hal_wifi_supplicant_server))))))
-(typeattribute base_typeattr_208_28_0)
-(typeattributeset base_typeattr_208_28_0 ((and (domain) ((not (hal_neuralnetworks_server))))))
-(typeattribute base_typeattr_207_28_0)
-(typeattributeset base_typeattr_207_28_0 ((and (domain) ((not (hal_memtrack_server))))))
-(typeattribute base_typeattr_206_28_0)
-(typeattributeset base_typeattr_206_28_0 ((and (domain) ((not (hal_lowpan_server init_28_0 ueventd_28_0))))))
-(typeattribute base_typeattr_205_28_0)
-(typeattributeset base_typeattr_205_28_0 ((and (domain) ((not (hal_lowpan_server))))))
-(typeattribute base_typeattr_204_28_0)
-(typeattributeset base_typeattr_204_28_0 ((and (domain) ((not (hal_light_server))))))
-(typeattribute base_typeattr_203_28_0)
-(typeattributeset base_typeattr_203_28_0 ((and (domain) ((not (hal_keymaster_server))))))
-(typeattribute base_typeattr_202_28_0)
-(typeattributeset base_typeattr_202_28_0 ((and (domain) ((not (hal_ir_server))))))
-(typeattribute base_typeattr_201_28_0)
-(typeattributeset base_typeattr_201_28_0 ((and (domain) ((not (hal_health_server))))))
-(typeattribute base_typeattr_200_28_0)
-(typeattributeset base_typeattr_200_28_0 ((and (domain) ((not (hal_graphics_composer_server))))))
-(typeattribute base_typeattr_199_28_0)
-(typeattributeset base_typeattr_199_28_0 ((and (domain) ((not (hal_graphics_allocator_server))))))
-(typeattribute base_typeattr_198_28_0)
-(typeattributeset base_typeattr_198_28_0 ((and (domain) ((not (hal_gnss_server))))))
-(typeattribute base_typeattr_197_28_0)
-(typeattributeset base_typeattr_197_28_0 ((and (domain) ((not (hal_gatekeeper_server))))))
-(typeattribute base_typeattr_196_28_0)
-(typeattributeset base_typeattr_196_28_0 ((and (domain) ((not (hal_fingerprint_server))))))
-(typeattribute base_typeattr_195_28_0)
-(typeattributeset base_typeattr_195_28_0 ((and (domain) ((not (hal_dumpstate_server))))))
-(typeattribute base_typeattr_194_28_0)
-(typeattributeset base_typeattr_194_28_0 ((and (domain) ((not (hal_drm_server))))))
-(typeattribute base_typeattr_193_28_0)
-(typeattributeset base_typeattr_193_28_0 ((and (domain) ((not (hal_contexthub_server))))))
-(typeattribute base_typeattr_192_28_0)
-(typeattributeset base_typeattr_192_28_0 ((and (domain) ((not (hal_confirmationui_server))))))
-(typeattribute base_typeattr_191_28_0)
-(typeattributeset base_typeattr_191_28_0 ((and (data_file_type) ((not (anr_data_file_28_0 tombstone_data_file_28_0 zoneinfo_data_file_28_0))))))
-(typeattribute base_typeattr_190_28_0)
-(typeattributeset base_typeattr_190_28_0 ((and (domain) ((not (hal_configstore_server logd_28_0 su_28_0 tombstoned_28_0))))))
-(typeattribute base_typeattr_189_28_0)
-(typeattributeset base_typeattr_189_28_0 ((and (domain) ((not (hal_configstore_server))))))
-(typeattribute base_typeattr_188_28_0)
-(typeattributeset base_typeattr_188_28_0 ((and (domain) ((not (hal_cas_server))))))
-(typeattribute base_typeattr_187_28_0)
-(typeattributeset base_typeattr_187_28_0 ((and (halserverdomain) ((not (hal_camera_server))))))
-(typeattribute base_typeattr_186_28_0)
-(typeattributeset base_typeattr_186_28_0 ((and (domain) ((not (hal_camera_server))))))
-(typeattribute base_typeattr_185_28_0)
-(typeattributeset base_typeattr_185_28_0 ((and (domain) ((not (hal_broadcastradio_server))))))
-(typeattribute base_typeattr_184_28_0)
-(typeattributeset base_typeattr_184_28_0 ((and (domain) ((not (hal_bootctl_server))))))
-(typeattribute base_typeattr_183_28_0)
-(typeattributeset base_typeattr_183_28_0 ((and (domain) ((not (hal_bluetooth_server))))))
-(typeattribute base_typeattr_182_28_0)
-(typeattributeset base_typeattr_182_28_0 ((and (domain) ((not (hal_authsecret_server))))))
-(typeattribute base_typeattr_181_28_0)
-(typeattributeset base_typeattr_181_28_0 ((and (domain) ((not (hal_audiocontrol_server))))))
-(typeattribute base_typeattr_180_28_0)
-(typeattributeset base_typeattr_180_28_0 ((and (halserverdomain) ((not (hal_audio_server))))))
-(typeattribute base_typeattr_179_28_0)
-(typeattributeset base_typeattr_179_28_0 ((and (domain) ((not (hal_audio_server))))))
-(typeattribute base_typeattr_178_28_0)
-(typeattributeset base_typeattr_178_28_0 ((and (domain) ((not (hal_allocator_server))))))
-(typeattribute base_typeattr_177_28_0)
-(typeattributeset base_typeattr_177_28_0 ((and (domain) ((not (gatekeeperd_28_0))))))
-(typeattribute base_typeattr_176_28_0)
-(typeattributeset base_typeattr_176_28_0 ((and (domain) ((not (vold_28_0))))))
-(typeattribute base_typeattr_175_28_0)
-(typeattributeset base_typeattr_175_28_0 ((and (fs_type file_type) ((not (fsck_exec_28_0))))))
-(typeattribute base_typeattr_174_28_0)
-(typeattributeset base_typeattr_174_28_0 ((and (domain) ((not (init_28_0 vold_28_0))))))
-(typeattribute base_typeattr_173_28_0)
-(typeattributeset base_typeattr_173_28_0 ((and (domain) ((not (fingerprintd_28_0))))))
-(typeattribute base_typeattr_172_28_0)
-(typeattributeset base_typeattr_172_28_0 ((and (domain) ((not (dumpstate_28_0 shell_28_0 system_server_28_0 traceur_app_28_0))))))
-(typeattribute base_typeattr_171_28_0)
-(typeattributeset base_typeattr_171_28_0 ((and (domain) ((not (dumpstate_28_0))))))
-(typeattribute base_typeattr_170_28_0)
-(typeattributeset base_typeattr_170_28_0 ((and (service_manager_type) ((not (dumpstate_service_28_0 gatekeeper_service_28_0 incident_service_28_0 virtual_touchpad_service_28_0 vold_service_28_0 vr_hwc_service_28_0))))))
-(typeattribute base_typeattr_169_28_0)
-(typeattributeset base_typeattr_169_28_0 ((and (domain) ((not (drmserver_28_0))))))
-(typeattribute base_typeattr_168_28_0)
-(typeattributeset base_typeattr_168_28_0 ((and (coredomain) ((not (init_28_0))))))
-(typeattribute base_typeattr_167_28_0)
-(typeattributeset base_typeattr_167_28_0 ((and (domain) ((not (traced_probes_28_0))))))
-(typeattribute base_typeattr_166_28_0)
-(typeattributeset base_typeattr_166_28_0 ((and (domain) ((not (dnsmasq_28_0 dumpstate_28_0 init_28_0 install_recovery_28_0 installd_28_0 lmkd_28_0 netd_28_0 perfprofd_28_0 postinstall_dexopt_28_0 recovery_28_0 sdcardd_28_0 tee_28_0 ueventd_28_0 uncrypt_28_0 vendor_init_28_0 vold_28_0 vold_prepare_subdirs_28_0 zygote_28_0))))))
-(typeattribute base_typeattr_165_28_0)
-(typeattributeset base_typeattr_165_28_0 ((and (coredomain) ((not (appdomain bootanim_28_0 crash_dump_28_0 init_28_0 kernel_28_0 perfprofd_28_0 ueventd_28_0))))))
-(typeattribute base_typeattr_164_28_0)
-(typeattributeset base_typeattr_164_28_0 ((not (coredomain))))
-(typeattribute base_typeattr_163_28_0)
-(typeattributeset base_typeattr_163_28_0 ((not (rootfs_28_0 system_file_28_0 vendor_file_28_0))))
-(typeattribute base_typeattr_162_28_0)
-(typeattributeset base_typeattr_162_28_0 ((and (domain) ((not (installd_28_0 profman_28_0))))))
-(typeattribute base_typeattr_161_28_0)
-(typeattributeset base_typeattr_161_28_0 ((and (domain) ((not (dumpstate_28_0 init_28_0 system_server_28_0 vendor_init_28_0))))))
-(typeattribute base_typeattr_160_28_0)
-(typeattributeset base_typeattr_160_28_0 ((not (hwservicemanager_28_0))))
-(typeattribute base_typeattr_159_28_0)
-(typeattributeset base_typeattr_159_28_0 ((not (servicemanager_28_0 vndservicemanager_28_0))))
-(typeattribute base_typeattr_158_28_0)
-(typeattributeset base_typeattr_158_28_0 ((and (domain) ((not (appdomain adbd_28_0 dumpstate_28_0 installd_28_0 uncrypt_28_0))))))
-(typeattribute base_typeattr_157_28_0)
-(typeattributeset base_typeattr_157_28_0 ((and (domain) ((not (appdomain adbd_28_0 dumpstate_28_0 init_28_0 installd_28_0 system_server_28_0 uncrypt_28_0))))))
-(typeattribute base_typeattr_156_28_0)
-(typeattributeset base_typeattr_156_28_0 ((and (domain) ((not (adbd_28_0 dumpstate_28_0 init_28_0 installd_28_0 shell_28_0 vold_28_0))))))
-(typeattribute base_typeattr_155_28_0)
-(typeattributeset base_typeattr_155_28_0 ((and (domain) ((not (installd_28_0 shell_28_0 uncrypt_28_0))))))
-(typeattribute base_typeattr_154_28_0)
-(typeattributeset base_typeattr_154_28_0 ((and (domain) ((not (appdomain installd_28_0 uncrypt_28_0))))))
-(typeattribute base_typeattr_153_28_0)
-(typeattributeset base_typeattr_153_28_0 ((and (domain) ((not (runas_28_0 webview_zygote_28_0 zygote_28_0))))))
-(typeattribute base_typeattr_152_28_0)
-(typeattributeset base_typeattr_152_28_0 ((and (domain) ((not (adbd_28_0 init_28_0 runas_28_0 zygote_28_0))))))
-(typeattribute base_typeattr_151_28_0)
-(typeattributeset base_typeattr_151_28_0 ((and (domain) ((not (appdomain installd_28_0))))))
-(typeattribute base_typeattr_150_28_0)
-(typeattributeset base_typeattr_150_28_0 ((and (domain) ((not (appdomain installd_28_0 system_server_28_0 traced_probes_28_0))))))
-(typeattribute base_typeattr_149_28_0)
-(typeattributeset base_typeattr_149_28_0 ((and (domain) ((not (init_28_0 installd_28_0 system_app_28_0 system_server_28_0 vold_prepare_subdirs_28_0))))))
-(typeattribute base_typeattr_148_28_0)
-(typeattributeset base_typeattr_148_28_0 ((not (domain))))
-(typeattribute base_typeattr_147_28_0)
-(typeattributeset base_typeattr_147_28_0 ((and (domain) ((not (untrusted_app_all))))))
-(typeattribute base_typeattr_146_28_0)
-(typeattributeset base_typeattr_146_28_0 ((and (file_type) ((not (apk_data_file_28_0 app_data_file_28_0 asec_public_file_28_0))))))
-(typeattribute base_typeattr_145_28_0)
-(typeattributeset base_typeattr_145_28_0 ((and (domain) ((not (dumpstate_28_0 shell_28_0 su_28_0))))))
-(typeattribute base_typeattr_144_28_0)
-(typeattributeset base_typeattr_144_28_0 ((and (domain) ((not (dumpstate_28_0 incidentd_28_0 system_server_28_0))))))
-(typeattribute base_typeattr_143_28_0)
-(typeattributeset base_typeattr_143_28_0 ((and (domain) ((not (crash_dump_28_0 dumpstate_28_0 incidentd_28_0 mediacodec_28_0 mediaextractor_28_0 system_server_28_0 tombstoned_28_0))))))
-(typeattribute base_typeattr_142_28_0)
-(typeattributeset base_typeattr_142_28_0 ((and (domain) ((not (system_server_28_0 webview_zygote_28_0))))))
-(typeattribute base_typeattr_141_28_0)
-(typeattributeset base_typeattr_141_28_0 ((and (domain) ((not (system_server_28_0))))))
-(typeattribute base_typeattr_140_28_0)
-(typeattributeset base_typeattr_140_28_0 ((and (domain) ((not (system_server_28_0 zygote_28_0))))))
-(typeattribute base_typeattr_139_28_0)
-(typeattributeset base_typeattr_139_28_0 ((and (domain) ((not (cppreopts_28_0 dex2oat_28_0 init_28_0 installd_28_0 otapreopt_slot_28_0 postinstall_dexopt_28_0 zygote_28_0))))))
-(typeattribute base_typeattr_138_28_0)
-(typeattributeset base_typeattr_138_28_0 ((and (coredomain) ((not (system_executes_vendor_violators shell_28_0))))))
-(typeattribute base_typeattr_137_28_0)
-(typeattributeset base_typeattr_137_28_0 ((and (vendor_file_type) ((not (vendor_app_file_28_0 same_process_hal_file_28_0 vndk_sp_file_28_0))))))
-(typeattribute base_typeattr_136_28_0)
-(typeattributeset base_typeattr_136_28_0 ((and (coredomain) ((not (system_executes_vendor_violators init_28_0 shell_28_0))))))
-(typeattribute base_typeattr_135_28_0)
-(typeattributeset base_typeattr_135_28_0 ((and (exec_type) ((not (vendor_file_type crash_dump_exec_28_0 netutils_wrapper_exec_28_0))))))
-(typeattribute base_typeattr_134_28_0)
-(typeattributeset base_typeattr_134_28_0 ((and (domain) ((not (appdomain coredomain vendor_executes_system_violators vendor_init_28_0))))))
-(typeattribute base_typeattr_133_28_0)
-(typeattributeset base_typeattr_133_28_0 ((and (coredomain) ((not (init_28_0 shell_28_0))))))
-(typeattribute base_typeattr_132_28_0)
-(typeattributeset base_typeattr_132_28_0 ((and (coredomain) ((not (appdomain idmap_28_0 init_28_0 installd_28_0 system_server_28_0 webview_zygote_28_0 zygote_28_0))))))
-(typeattribute base_typeattr_131_28_0)
-(typeattributeset base_typeattr_131_28_0 ((and (coredomain) ((not (appdomain dex2oat_28_0 idmap_28_0 init_28_0 installd_28_0 perfprofd_28_0 postinstall_dexopt_28_0 system_server_28_0))))))
-(typeattribute base_typeattr_130_28_0)
-(typeattributeset base_typeattr_130_28_0 ((and (coredomain) ((not (data_between_core_and_vendor_violators init_28_0))))))
-(typeattribute base_typeattr_129_28_0)
-(typeattributeset base_typeattr_129_28_0 ((and (coredomain) ((not (data_between_core_and_vendor_violators init_28_0 vold_28_0 vold_prepare_subdirs_28_0))))))
-(typeattribute base_typeattr_128_28_0)
-(typeattributeset base_typeattr_128_28_0 ((and (domain) ((not (appdomain coredomain data_between_core_and_vendor_violators))))))
-(typeattribute base_typeattr_127_28_0)
-(typeattributeset base_typeattr_127_28_0 ((and (core_data_file_type) ((not (system_data_file_28_0 vendor_data_file_28_0 unencrypted_data_file_28_0 zoneinfo_data_file_28_0))))))
-(typeattribute base_typeattr_126_28_0)
-(typeattributeset base_typeattr_126_28_0 ((and (core_data_file_type) ((not (system_data_file_28_0 vendor_data_file_28_0 zoneinfo_data_file_28_0))))))
-(typeattribute base_typeattr_125_28_0)
-(typeattributeset base_typeattr_125_28_0 ((and (core_data_file_type) ((not (unencrypted_data_file_28_0 zoneinfo_data_file_28_0))))))
-(typeattribute base_typeattr_124_28_0)
-(typeattributeset base_typeattr_124_28_0 ((and (vendor_init_28_0) ((not (data_between_core_and_vendor_violators))))))
-(typeattribute base_typeattr_123_28_0)
-(typeattributeset base_typeattr_123_28_0 ((and (core_data_file_type) ((not (zoneinfo_data_file_28_0))))))
-(typeattribute base_typeattr_122_28_0)
-(typeattributeset base_typeattr_122_28_0 ((and (domain) ((not (appdomain coredomain data_between_core_and_vendor_violators vendor_init_28_0))))))
-(typeattribute base_typeattr_121_28_0)
-(typeattributeset base_typeattr_121_28_0 ((and (data_file_type) ((not (core_data_file_type vendor_data_file_28_0))))))
-(typeattribute base_typeattr_120_28_0)
-(typeattributeset base_typeattr_120_28_0 ((and (data_file_type) ((not (core_data_file_type))))))
-(typeattribute base_typeattr_119_28_0)
-(typeattributeset base_typeattr_119_28_0 ((and (coredomain) ((not (appdomain data_between_core_and_vendor_violators init_28_0 vold_prepare_subdirs_28_0))))))
-(typeattribute base_typeattr_118_28_0)
-(typeattributeset base_typeattr_118_28_0 ((and (dev_type file_type) ((not (core_data_file_type coredomain_socket unlabeled_28_0))))))
-(typeattribute base_typeattr_117_28_0)
-(typeattributeset base_typeattr_117_28_0 ((and (coredomain) ((not (socket_between_core_and_vendor_violators init_28_0 ueventd_28_0))))))
-(typeattribute base_typeattr_116_28_0)
-(typeattributeset base_typeattr_116_28_0 ((and (core_data_file_type coredomain_socket unlabeled_28_0) ((not (pdx_endpoint_socket_type pdx_channel_socket_type app_data_file_28_0))))))
-(typeattribute base_typeattr_115_28_0)
-(typeattributeset base_typeattr_115_28_0 ((and (domain) ((not (appdomain coredomain socket_between_core_and_vendor_violators data_between_core_and_vendor_violators vendor_init_28_0))))))
-(typeattribute base_typeattr_114_28_0)
-(typeattributeset base_typeattr_114_28_0 ((and (domain) ((not (netdomain coredomain socket_between_core_and_vendor_violators))))))
-(typeattribute base_typeattr_113_28_0)
-(typeattributeset base_typeattr_113_28_0 ((and (coredomain) ((not (incidentd_28_0 init_28_0 logd_28_0 mdnsd_28_0 netd_28_0 su_28_0 tombstoned_28_0))))))
-(typeattribute base_typeattr_112_28_0)
-(typeattributeset base_typeattr_112_28_0 ((and (domain) ((not (appdomain coredomain socket_between_core_and_vendor_violators))))))
-(typeattribute base_typeattr_111_28_0)
-(typeattributeset base_typeattr_111_28_0 ((and (domain) ((not (coredomain socket_between_core_and_vendor_violators))))))
-(typeattribute base_typeattr_110_28_0)
-(typeattributeset base_typeattr_110_28_0 ((and (coredomain) ((not (adbd_28_0 init_28_0))))))
-(typeattribute base_typeattr_109_28_0)
-(typeattributeset base_typeattr_109_28_0 ((and (coredomain) ((not (shell_28_0 su_28_0))))))
-(typeattribute base_typeattr_108_28_0)
-(typeattributeset base_typeattr_108_28_0 ((and (coredomain) ((not (shell_28_0 su_28_0 ueventd_28_0))))))
-(typeattribute base_typeattr_107_28_0)
-(typeattributeset base_typeattr_107_28_0 ((and (service_manager_type) ((not (app_api_service ephemeral_app_api_service audioserver_service_28_0 cameraserver_service_28_0 drmserver_service_28_0 keystore_service_28_0 mediaserver_service_28_0 mediametrics_service_28_0 mediaextractor_service_28_0 mediadrmserver_service_28_0 nfc_service_28_0 radio_service_28_0 virtual_touchpad_service_28_0 vr_hwc_service_28_0 vr_manager_service_28_0))))))
-(typeattribute base_typeattr_106_28_0)
-(typeattributeset base_typeattr_106_28_0 ((and (appdomain) ((not (coredomain))))))
-(typeattribute base_typeattr_105_28_0)
-(typeattributeset base_typeattr_105_28_0 ((and (domain) ((not (appdomain coredomain binder_in_vendor_violators))))))
-(typeattribute base_typeattr_104_28_0)
-(typeattributeset base_typeattr_104_28_0 ((and (domain) ((not (hwservicemanager_28_0 servicemanager_28_0 vndservicemanager_28_0))))))
-(typeattribute base_typeattr_103_28_0)
-(typeattributeset base_typeattr_103_28_0 ((and (domain) ((not (domain hal_bootctl_server init_28_0 recovery_28_0 ueventd_28_0 uncrypt_28_0 update_engine_28_0 vendor_init_28_0 vold_28_0))))))
-(typeattribute base_typeattr_102_28_0)
-(typeattributeset base_typeattr_102_28_0 ((and (domain) ((not (install_recovery_28_0 recovery_28_0))))))
-(typeattribute base_typeattr_101_28_0)
-(typeattributeset base_typeattr_101_28_0 ((and (domain) ((not (recovery_28_0 update_engine_28_0))))))
-(typeattribute base_typeattr_100_28_0)
-(typeattributeset base_typeattr_100_28_0 ((and (domain) ((not (e2fs_28_0 fsck_28_0 init_28_0 recovery_28_0 vold_28_0))))))
-(typeattribute base_typeattr_99_28_0)
-(typeattributeset base_typeattr_99_28_0 ((and (domain) ((not (init_28_0 recovery_28_0 shell_28_0 system_server_28_0 ueventd_28_0))))))
-(typeattribute base_typeattr_98_28_0)
-(typeattributeset base_typeattr_98_28_0 ((and (domain) ((not (dumpstate_28_0 init_28_0 system_server_28_0))))))
-(typeattribute base_typeattr_97_28_0)
-(typeattributeset base_typeattr_97_28_0 ((and (domain) ((not (hal_drm_server hal_cas_server adbd_28_0 dumpstate_28_0 init_28_0 mediadrmserver_28_0 recovery_28_0 shell_28_0 system_server_28_0 vendor_init_28_0))))))
-(typeattribute base_typeattr_96_28_0)
-(typeattributeset base_typeattr_96_28_0 ((and (domain) ((not (coredomain vendor_init_28_0))))))
-(typeattribute base_typeattr_95_28_0)
-(typeattributeset base_typeattr_95_28_0 ((and (domain) ((not (init_28_0 system_server_28_0 vendor_init_28_0))))))
-(typeattribute base_typeattr_94_28_0)
-(typeattributeset base_typeattr_94_28_0 ((and (domain) ((not (init_28_0 system_server_28_0))))))
-(typeattribute base_typeattr_93_28_0)
-(typeattributeset base_typeattr_93_28_0 ((and (fs_type) ((not (contextmount_type))))))
-(typeattribute base_typeattr_92_28_0)
-(typeattributeset base_typeattr_92_28_0 ((and (domain) ((not (shell_28_0))))))
-(typeattribute base_typeattr_91_28_0)
-(typeattributeset base_typeattr_91_28_0 ((and (fs_type) ((not (rootfs_28_0))))))
-(typeattribute base_typeattr_90_28_0)
-(typeattributeset base_typeattr_90_28_0 ((and (domain) ((not (appdomain bootanim_28_0 recovery_28_0))))))
-(typeattribute base_typeattr_89_28_0)
-(typeattributeset base_typeattr_89_28_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_28_0 postinstall_file_28_0))))))
-(typeattribute base_typeattr_88_28_0)
-(typeattributeset base_typeattr_88_28_0 ((and (domain) ((not (appdomain dumpstate_28_0 mediaextractor_28_0 shell_28_0 su_28_0 webview_zygote_28_0 zygote_28_0))))))
-(typeattribute base_typeattr_87_28_0)
-(typeattributeset base_typeattr_87_28_0 ((and (fs_type) ((not (sdcard_type))))))
-(typeattribute base_typeattr_86_28_0)
-(typeattributeset base_typeattr_86_28_0 ((and (domain) ((not (init_28_0 kernel_28_0 otapreopt_chroot_28_0 recovery_28_0 update_engine_28_0 vold_28_0 zygote_28_0))))))
-(typeattribute base_typeattr_85_28_0)
-(typeattributeset base_typeattr_85_28_0 ((and (domain) ((not (init_28_0 kernel_28_0 recovery_28_0))))))
-(typeattribute base_typeattr_84_28_0)
-(typeattributeset base_typeattr_84_28_0 ((and (domain) ((not (init_28_0 vendor_init_28_0))))))
-(typeattribute base_typeattr_83_28_0)
-(typeattributeset base_typeattr_83_28_0 ((and (domain) ((not (init_28_0 ueventd_28_0))))))
-(typeattribute base_typeattr_82_28_0)
-(typeattributeset base_typeattr_82_28_0 ((and (domain) ((not (shell_28_0 ueventd_28_0))))))
-(typeattribute base_typeattr_81_28_0)
-(typeattributeset base_typeattr_81_28_0 ((and (file_type) ((not (exec_type postinstall_file_28_0))))))
-(typeattribute base_typeattr_80_28_0)
-(typeattributeset base_typeattr_80_28_0 ((and (domain) ((not (init_28_0 shell_28_0 ueventd_28_0 vendor_init_28_0))))))
-(typeattribute base_typeattr_79_28_0)
-(typeattributeset base_typeattr_79_28_0 ((and (domain) ((not (init_28_0 shell_28_0 system_server_28_0 ueventd_28_0))))))
-(typeattribute base_typeattr_78_28_0)
-(typeattributeset base_typeattr_78_28_0 ((and (domain) ((not (kernel_28_0))))))
-(typeattribute base_typeattr_77_28_0)
-(typeattributeset base_typeattr_77_28_0 ((and (domain) ((not (domain healthd_28_0 init_28_0 kernel_28_0 recovery_28_0 tee_28_0 ueventd_28_0 uncrypt_28_0))))))
-(typeattribute base_typeattr_76_28_0)
-(typeattributeset base_typeattr_76_28_0 ((and (domain) ((not (init_28_0 kernel_28_0 ueventd_28_0 vold_28_0))))))
-(typeattribute base_typeattr_75_28_0)
-(typeattributeset base_typeattr_75_28_0 ((and (domain) ((not (init_28_0 recovery_28_0))))))
-(typeattribute base_typeattr_74_28_0)
-(typeattributeset base_typeattr_74_28_0 ((and (domain) ((not (domain))))))
-(typeattribute base_typeattr_73_28_0)
-(typeattributeset base_typeattr_73_28_0 ((and (domain) ((not (coredomain))))))
-(typeattribute base_typeattr_72_28_0)
-(typeattributeset base_typeattr_72_28_0 ((and (domain) ((not (appdomain coredomain))))))
-(typeattribute base_typeattr_71_28_0)
-(typeattributeset base_typeattr_71_28_0 ((and (domain) ((not (isolated_app_28_0 servicemanager_28_0 vndservicemanager_28_0))))))
-(typeattribute base_typeattr_70_28_0)
-(typeattributeset base_typeattr_70_28_0 ((and (appdomain coredomain binder_in_vendor_violators) ((not (hwservicemanager_28_0))))))
-(typeattribute base_typeattr_69_28_0)
-(typeattributeset base_typeattr_69_28_0 ((and (domain) ((not (init_28_0))))))
-(typeattribute base_typeattr_68_28_0)
-(typeattributeset base_typeattr_68_28_0 ((and (domain) ((not (display_service_server))))))
-(typeattribute base_typeattr_67_28_0)
-(typeattributeset base_typeattr_67_28_0 ((and (domain) ((not (crash_dump_28_0 init_28_0 keystore_28_0 logd_28_0))))))
-(typeattribute base_typeattr_66_28_0)
-(typeattributeset base_typeattr_66_28_0 ((and (domain) ((not (cameraserver_28_0))))))
-(typeattribute base_typeattr_65_28_0)
-(typeattributeset base_typeattr_65_28_0 ((and (domain) ((not (bufferhubd_28_0))))))
-(typeattribute base_typeattr_64_28_0)
-(typeattributeset base_typeattr_64_28_0 ((and (domain) ((not (bootstat_28_0 init_28_0))))))
-(typeattribute base_typeattr_63_28_0)
-(typeattributeset base_typeattr_63_28_0 ((and (domain) ((not (bootstat_28_0 init_28_0 system_server_28_0))))))
-(typeattribute base_typeattr_62_28_0)
-(typeattributeset base_typeattr_62_28_0 ((and (domain) ((not (bootanim_28_0 bootstat_28_0 dumpstate_28_0 init_28_0 recovery_28_0 shell_28_0 system_server_28_0))))))
-(typeattribute base_typeattr_61_28_0)
-(typeattributeset base_typeattr_61_28_0 ((and (appdomain) ((not (bluetooth_28_0 system_app_28_0))))))
-(typeattribute base_typeattr_60_28_0)
-(typeattributeset base_typeattr_60_28_0 ((and (data_file_type) ((not (system_data_file_28_0 apk_data_file_28_0 dalvikcache_data_file_28_0))))))
-(typeattribute base_typeattr_59_28_0)
-(typeattributeset base_typeattr_59_28_0 ((all)))
-(typeattribute base_typeattr_58_28_0)
-(typeattributeset base_typeattr_58_28_0 ((and (appdomain) ((not (bluetooth_28_0 nfc_28_0))))))
-(typeattribute base_typeattr_57_28_0)
-(typeattributeset base_typeattr_57_28_0 ((and (appdomain) ((not (untrusted_app_all platform_app_28_0 priv_app_28_0))))))
-(typeattribute base_typeattr_56_28_0)
-(typeattributeset base_typeattr_56_28_0 ((and (appdomain) ((not (platform_app_28_0))))))
-(typeattribute base_typeattr_55_28_0)
-(typeattributeset base_typeattr_55_28_0 ((and (domain) ((not (appdomain crash_dump_28_0))))))
-(typeattribute base_typeattr_54_28_0)
-(typeattributeset base_typeattr_54_28_0 ((and (appdomain) ((not (shell_28_0 su_28_0))))))
-(typeattribute base_typeattr_53_28_0)
-(typeattributeset base_typeattr_53_28_0 ((and (appdomain) ((not (shell_28_0))))))
-(typeattribute base_typeattr_52_28_0)
-(typeattributeset base_typeattr_52_28_0 ((and (domain) ((not (appdomain))))))
-(typeattribute base_typeattr_51_28_0)
-(typeattributeset base_typeattr_51_28_0 ((and (appdomain) ((not (radio_28_0))))))
-(typeattribute base_typeattr_50_28_0)
-(typeattributeset base_typeattr_50_28_0 ((and (appdomain) ((not (nfc_28_0))))))
-(typeattribute base_typeattr_49_28_0)
-(typeattributeset base_typeattr_49_28_0 ((and (appdomain) ((not (su_28_0))))))
-(typeattribute base_typeattr_48_28_0)
-(typeattributeset base_typeattr_48_28_0 ((and (appdomain) ((not (bluetooth_28_0))))))
-(typeattribute base_typeattr_47_28_0)
-(typeattributeset base_typeattr_47_28_0 ((and (appdomain untrusted_v2_app_28_0) ((not (ephemeral_app_28_0))))))
-(typeattribute base_typeattr_46_28_0)
-(typeattributeset base_typeattr_46_28_0 ((and (appdomain) ((not (ephemeral_app_28_0 isolated_app_28_0))))))
-(typeattribute base_typeattr_45_28_0)
-(typeattributeset base_typeattr_45_28_0 ((and (appdomain) ((not (untrusted_v2_app_28_0))))))
-(typeattribute base_typeattr_44_28_0)
-(typeattributeset base_typeattr_44_28_0 ((and (appdomain) ((not (ephemeral_app_28_0 untrusted_v2_app_28_0))))))
-(typeattribute base_typeattr_43_28_0)
-(typeattributeset base_typeattr_43_28_0 ((and (appdomain) ((not (isolated_app_28_0))))))
-(typeattribute base_typeattr_42_28_0)
-(typeattributeset base_typeattr_42_28_0 ((and (hal_wifi_supplicant_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_41_28_0)
-(typeattributeset base_typeattr_41_28_0 ((and (hal_wifi_offload_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_40_28_0)
-(typeattributeset base_typeattr_40_28_0 ((and (hal_wifi_hostapd_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_39_28_0)
-(typeattributeset base_typeattr_39_28_0 ((and (hal_wifi_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_38_28_0)
-(typeattributeset base_typeattr_38_28_0 ((and (hal_weaver_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_37_28_0)
-(typeattributeset base_typeattr_37_28_0 ((and (hal_vr_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_36_28_0)
-(typeattributeset base_typeattr_36_28_0 ((and (hal_vibrator_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_35_28_0)
-(typeattributeset base_typeattr_35_28_0 ((and (hal_vehicle_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_34_28_0)
-(typeattributeset base_typeattr_34_28_0 ((and (hal_usb_gadget_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_33_28_0)
-(typeattributeset base_typeattr_33_28_0 ((and (hal_usb_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_32_28_0)
-(typeattributeset base_typeattr_32_28_0 ((and (hal_tv_input_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_31_28_0)
-(typeattributeset base_typeattr_31_28_0 ((and (hal_tv_cec_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_30_28_0)
-(typeattributeset base_typeattr_30_28_0 ((and (hal_thermal_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_29_28_0)
-(typeattributeset base_typeattr_29_28_0 ((and (hal_tetheroffload_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_28_28_0)
-(typeattributeset base_typeattr_28_28_0 ((and (hal_telephony_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_27_28_0)
-(typeattributeset base_typeattr_27_28_0 ((and (hal_sensors_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_26_28_0)
-(typeattributeset base_typeattr_26_28_0 ((and (hal_secure_element_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_25_28_0)
-(typeattributeset base_typeattr_25_28_0 ((and (hal_power_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_24_28_0)
-(typeattributeset base_typeattr_24_28_0 ((and (hal_oemlock_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_23_28_0)
-(typeattributeset base_typeattr_23_28_0 ((and (hal_nfc_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_22_28_0)
-(typeattributeset base_typeattr_22_28_0 ((and (hal_neuralnetworks_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_21_28_0)
-(typeattributeset base_typeattr_21_28_0 ((and (hal_memtrack_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_20_28_0)
-(typeattributeset base_typeattr_20_28_0 ((and (hal_lowpan_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_19_28_0)
-(typeattributeset base_typeattr_19_28_0 ((and (hal_light_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_18_28_0)
-(typeattributeset base_typeattr_18_28_0 ((and (hal_keymaster_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_17_28_0)
-(typeattributeset base_typeattr_17_28_0 ((and (hal_ir_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_16_28_0)
-(typeattributeset base_typeattr_16_28_0 ((and (hal_health_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_15_28_0)
-(typeattributeset base_typeattr_15_28_0 ((and (hal_graphics_composer_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_14_28_0)
-(typeattributeset base_typeattr_14_28_0 ((and (hal_graphics_allocator_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_13_28_0)
-(typeattributeset base_typeattr_13_28_0 ((and (hal_gnss_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_12_28_0)
-(typeattributeset base_typeattr_12_28_0 ((and (hal_gatekeeper_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_11_28_0)
-(typeattributeset base_typeattr_11_28_0 ((and (hal_fingerprint_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_10_28_0)
-(typeattributeset base_typeattr_10_28_0 ((and (hal_evs_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_9_28_0)
-(typeattributeset base_typeattr_9_28_0 ((and (hal_dumpstate_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_8_28_0)
-(typeattributeset base_typeattr_8_28_0 ((and (hal_contexthub_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_7_28_0)
-(typeattributeset base_typeattr_7_28_0 ((and (hal_confirmationui_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_6_28_0)
-(typeattributeset base_typeattr_6_28_0 ((and (hal_configstore_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_5_28_0)
-(typeattributeset base_typeattr_5_28_0 ((and (hal_broadcastradio_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_4_28_0)
-(typeattributeset base_typeattr_4_28_0 ((and (hal_bluetooth_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_3_28_0)
-(typeattributeset base_typeattr_3_28_0 ((and (hal_authsecret_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_2_28_0)
-(typeattributeset base_typeattr_2_28_0 ((and (hal_audiocontrol_server) ((not (halserverdomain))))))
-(typeattribute base_typeattr_1_28_0)
-(typeattributeset base_typeattr_1_28_0 ((and (hal_allocator_server) ((not (halserverdomain))))))
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
deleted file mode 100644
index 0478a56..0000000
--- a/prebuilts/api/28.0/private/compat/26.0/26.0.cil
+++ /dev/null
@@ -1,762 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_keystore)
-(typeattribute hal_wifi_keystore_client)
-(typeattribute hal_wifi_keystore_server)
-
-;; types removed from current policy
-(type asan_reboot_prop)
-(type log_device)
-(type mediacasserver_service)
-(type reboot_data_file)
-(type tracing_shell_writable)
-(type tracing_shell_writable_debug)
-(type vold_socket)
-(type webview_zygote_socket)
-(type rild)
-
-(typeattributeset accessibility_service_26_0 (accessibility_service))
-(typeattributeset account_service_26_0 (account_service))
-(typeattributeset activity_service_26_0 (activity_service))
-(typeattributeset adbd_26_0 (adbd))
-(typeattributeset adb_data_file_26_0 (adb_data_file))
-(typeattributeset adbd_socket_26_0 (adbd_socket))
-(typeattributeset adb_keys_file_26_0 (adb_keys_file))
-(typeattributeset alarm_device_26_0 (alarm_device))
-(typeattributeset alarm_service_26_0 (alarm_service))
-(typeattributeset anr_data_file_26_0 (anr_data_file))
-(typeattributeset apk_data_file_26_0 (apk_data_file))
-(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file))
-(typeattributeset app_fuse_file_26_0 (app_fuse_file))
-(typeattributeset app_fusefs_26_0 (app_fusefs))
-(typeattributeset appops_service_26_0 (appops_service))
-(typeattributeset appwidget_service_26_0 (appwidget_service))
-(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
-(typeattributeset asec_apk_file_26_0 (asec_apk_file))
-(typeattributeset asec_image_file_26_0 (asec_image_file))
-(typeattributeset asec_public_file_26_0 (asec_public_file))
-(typeattributeset ashmem_device_26_0 (ashmem_device))
-(typeattributeset assetatlas_service_26_0 (assetatlas_service))
-(typeattributeset audio_data_file_26_0 (audio_data_file))
-(typeattributeset audio_device_26_0 (audio_device))
-(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
-(typeattributeset audio_prop_26_0 (audio_prop))
-(typeattributeset audio_seq_device_26_0 (audio_seq_device))
-(typeattributeset audioserver_26_0 (audioserver))
-(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
-(typeattributeset audioserver_service_26_0 (audioserver_service))
-(typeattributeset audio_service_26_0 (audio_service))
-(typeattributeset audio_timer_device_26_0 (audio_timer_device))
-(typeattributeset autofill_service_26_0 (autofill_service))
-(typeattributeset backup_data_file_26_0 (backup_data_file))
-(typeattributeset backup_service_26_0 (backup_service))
-(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
-(typeattributeset battery_service_26_0 (battery_service))
-(typeattributeset batterystats_service_26_0 (batterystats_service))
-(typeattributeset binder_device_26_0 (binder_device))
-(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
-(typeattributeset blkid_26_0 (blkid))
-(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
-(typeattributeset block_device_26_0 (block_device))
-(typeattributeset bluetooth_26_0 (bluetooth))
-(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_26_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
-(typeattributeset bootanim_26_0 (bootanim))
-(typeattributeset bootanim_exec_26_0 (bootanim_exec))
-(typeattributeset boot_block_device_26_0 (boot_block_device))
-(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
-(typeattributeset bootstat_26_0 (bootstat))
-(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_26_0 (bootstat_exec))
-(typeattributeset boottime_prop_26_0 (boottime_prop))
-(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
-(typeattributeset bufferhubd_26_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_26_0 (cache_backup_file))
-(typeattributeset cache_block_device_26_0 (cache_block_device))
-(typeattributeset cache_file_26_0 (cache_file))
-(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
-(typeattributeset camera_data_file_26_0 (camera_data_file))
-(typeattributeset camera_device_26_0 (camera_device))
-(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
-(typeattributeset cameraserver_26_0 (cameraserver))
-(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_26_0 (cameraserver_service))
-(typeattributeset cgroup_26_0 (cgroup))
-(typeattributeset charger_26_0 (charger))
-(typeattributeset clatd_26_0 (clatd))
-(typeattributeset clatd_exec_26_0 (clatd_exec))
-(typeattributeset clipboard_service_26_0 (clipboard_service))
-(typeattributeset commontime_management_service_26_0 (commontime_management_service))
-(typeattributeset companion_device_service_26_0 (companion_device_service))
-(typeattributeset configfs_26_0 (configfs))
-(typeattributeset config_prop_26_0 (config_prop))
-(typeattributeset connectivity_service_26_0 (connectivity_service))
-(typeattributeset connmetrics_service_26_0 (connmetrics_service))
-(typeattributeset console_device_26_0 (console_device))
-(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
-(typeattributeset content_service_26_0 (content_service))
-(typeattributeset contexthub_service_26_0 (contexthub_service))
-(typeattributeset coredump_file_26_0 (coredump_file))
-(typeattributeset country_detector_service_26_0 (country_detector_service))
-(typeattributeset coverage_service_26_0 (coverage_service))
-(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
-(typeattributeset cppreopts_26_0 (cppreopts))
-(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_26_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
-(typeattributeset crash_dump_26_0 (crash_dump))
-(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
-(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_26_0 (dalvik_prop))
-(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0
- ( debugfs
- debugfs_wakeup_sources
- ))
-(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
-(typeattributeset debug_prop_26_0 (debug_prop))
-(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
-(typeattributeset default_android_service_26_0 (default_android_service))
-(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0
- ( default_prop pm_prop))
-(typeattributeset device_26_0 (device))
-(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_26_0 (deviceidle_service))
-(typeattributeset device_logging_prop_26_0 (device_logging_prop))
-(typeattributeset device_policy_service_26_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
-(typeattributeset devpts_26_0 (devpts))
-(typeattributeset dex2oat_26_0 (dex2oat))
-(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
-(typeattributeset dhcp_26_0 (dhcp))
-(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_26_0 (dhcp_exec))
-(typeattributeset dhcp_prop_26_0 (dhcp_prop))
-(typeattributeset diskstats_service_26_0 (diskstats_service))
-(typeattributeset display_service_26_0 (display_service))
-(typeattributeset dm_device_26_0 (dm_device))
-(typeattributeset dnsmasq_26_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_26_0 (DockObserver_service))
-(typeattributeset dreams_service_26_0 (dreams_service))
-(typeattributeset drm_data_file_26_0 (drm_data_file))
-(typeattributeset drmserver_26_0 (drmserver))
-(typeattributeset drmserver_exec_26_0 (drmserver_exec))
-(typeattributeset drmserver_service_26_0 (drmserver_service))
-(typeattributeset drmserver_socket_26_0 (drmserver_socket))
-(typeattributeset dropbox_service_26_0 (dropbox_service))
-(typeattributeset dumpstate_26_0 (dumpstate))
-(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_26_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
-(typeattributeset efs_file_26_0 (efs_file))
-(typeattributeset ephemeral_app_26_0 (ephemeral_app))
-(typeattributeset ethernet_service_26_0 (ethernet_service))
-(typeattributeset ffs_prop_26_0 (ffs_prop))
-(typeattributeset file_contexts_file_26_0 (file_contexts_file))
-(typeattributeset fingerprintd_26_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_26_0 (fingerprint_service))
-(typeattributeset firstboot_prop_26_0 (firstboot_prop))
-(typeattributeset font_service_26_0 (font_service))
-(typeattributeset frp_block_device_26_0 (frp_block_device))
-(typeattributeset fsck_26_0 (fsck))
-(typeattributeset fsck_exec_26_0 (fsck_exec))
-(typeattributeset fscklogs_26_0 (fscklogs))
-(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
-(typeattributeset full_device_26_0 (full_device))
-(typeattributeset functionfs_26_0 (functionfs))
-(typeattributeset fuse_26_0 (fuse))
-(typeattributeset fuse_device_26_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_26_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
-(typeattributeset gps_control_26_0 (gps_control))
-(typeattributeset gpu_device_26_0 (gpu_device))
-(typeattributeset gpu_service_26_0 (gpu_service))
-(typeattributeset graphics_device_26_0 (graphics_device))
-(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
-(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
-(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
-(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
-(typeattributeset hardware_service_26_0 (hardware_service))
-(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
-(typeattributeset healthd_26_0 (healthd))
-(typeattributeset healthd_exec_26_0 (healthd_exec))
-(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_26_0 (hwbinder_device))
-(typeattributeset hw_random_device_26_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_26_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_26_0 (i2c_device))
-(typeattributeset icon_file_26_0 (icon_file))
-(typeattributeset idmap_26_0 (idmap))
-(typeattributeset idmap_exec_26_0 (idmap_exec))
-(typeattributeset iio_device_26_0 (iio_device))
-(typeattributeset imms_service_26_0 (imms_service))
-(typeattributeset incident_26_0 (incident))
-(typeattributeset incidentd_26_0 (incidentd))
-(typeattributeset incident_data_file_26_0 (incident_data_file))
-(typeattributeset incident_service_26_0 (incident_service))
-(typeattributeset init_26_0 (init))
-(typeattributeset init_exec_26_0 (init_exec))
-(typeattributeset inotify_26_0 (inotify))
-(typeattributeset input_device_26_0 (input_device))
-(typeattributeset inputflinger_26_0 (inputflinger))
-(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_26_0 (inputflinger_service))
-(typeattributeset input_method_service_26_0 (input_method_service))
-(typeattributeset input_service_26_0 (input_service))
-(typeattributeset installd_26_0 (installd))
-(typeattributeset install_data_file_26_0 (install_data_file))
-(typeattributeset installd_exec_26_0 (installd_exec))
-(typeattributeset installd_service_26_0 (installd_service))
-(typeattributeset install_recovery_26_0 (install_recovery))
-(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
-(typeattributeset ion_device_26_0 (ion_device))
-(typeattributeset IProxyService_service_26_0 (IProxyService_service))
-(typeattributeset ipsec_service_26_0 (ipsec_service))
-(typeattributeset isolated_app_26_0 (isolated_app))
-(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
-(typeattributeset kernel_26_0 (kernel))
-(typeattributeset keychain_data_file_26_0 (keychain_data_file))
-(typeattributeset keychord_device_26_0 (keychord_device))
-(typeattributeset keystore_26_0 (keystore))
-(typeattributeset keystore_data_file_26_0 (keystore_data_file))
-(typeattributeset keystore_exec_26_0 (keystore_exec))
-(typeattributeset keystore_service_26_0 (keystore_service))
-(typeattributeset kmem_device_26_0 (kmem_device))
-(typeattributeset kmsg_device_26_0 (kmsg_device))
-(typeattributeset labeledfs_26_0 (labeledfs))
-(typeattributeset launcherapps_service_26_0 (launcherapps_service))
-(typeattributeset lmkd_26_0 (lmkd))
-(typeattributeset lmkd_exec_26_0 (lmkd_exec))
-(typeattributeset lmkd_socket_26_0 (lmkd_socket))
-(typeattributeset location_service_26_0 (location_service))
-(typeattributeset lock_settings_service_26_0 (lock_settings_service))
-(typeattributeset logcat_exec_26_0 (logcat_exec))
-(typeattributeset logd_26_0 (logd))
-(typeattributeset log_device_26_0 (log_device))
-(typeattributeset logd_exec_26_0 (logd_exec))
-(typeattributeset logd_prop_26_0 (logd_prop))
-(typeattributeset logdr_socket_26_0 (logdr_socket))
-(typeattributeset logd_socket_26_0 (logd_socket))
-(typeattributeset logdw_socket_26_0 (logdw_socket))
-(typeattributeset logpersist_26_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_26_0 (log_prop))
-(typeattributeset log_tag_prop_26_0 (log_tag_prop))
-(typeattributeset loop_control_device_26_0 (loop_control_device))
-(typeattributeset loop_device_26_0 (loop_device))
-(typeattributeset mac_perms_file_26_0 (mac_perms_file))
-(typeattributeset mdnsd_26_0 (mdnsd))
-(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
-(typeattributeset mdns_socket_26_0 (mdns_socket))
-(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
-(typeattributeset mediacodec_26_0 (mediacodec))
-(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_26_0 (mediacodec_service))
-(typeattributeset media_data_file_26_0 (media_data_file))
-(typeattributeset mediadrmserver_26_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_26_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
-(typeattributeset mediametrics_26_0 (mediametrics))
-(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_26_0 (mediametrics_service))
-(typeattributeset media_projection_service_26_0 (media_projection_service))
-(typeattributeset media_router_service_26_0 (media_router_service))
-(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
-(typeattributeset mediaserver_26_0 (mediaserver))
-(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_26_0 (mediaserver_service))
-(typeattributeset media_session_service_26_0 (media_session_service))
-(typeattributeset meminfo_service_26_0 (meminfo_service))
-(typeattributeset metadata_block_device_26_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
-(typeattributeset midi_service_26_0 (midi_service))
-(typeattributeset misc_block_device_26_0 (misc_block_device))
-(typeattributeset misc_logd_file_26_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
-(typeattributeset mmc_prop_26_0 (mmc_prop))
-(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_26_0 (mnt_user_file))
-(typeattributeset modprobe_26_0 (modprobe))
-(typeattributeset mount_service_26_0 (mount_service))
-(typeattributeset mqueue_26_0 (mqueue))
-(typeattributeset mtd_device_26_0 (mtd_device))
-(typeattributeset mtp_26_0 (mtp))
-(typeattributeset mtp_device_26_0 (mtp_device))
-(typeattributeset mtpd_socket_26_0 (mtpd_socket))
-(typeattributeset mtp_exec_26_0 (mtp_exec))
-(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
-(typeattributeset netd_26_0 (netd))
-(typeattributeset net_data_file_26_0 (net_data_file))
-(typeattributeset netd_exec_26_0 (netd_exec))
-(typeattributeset netd_listener_service_26_0 (netd_listener_service))
-(typeattributeset net_dns_prop_26_0 (net_dns_prop))
-(typeattributeset netd_service_26_0 (netd_service))
-(typeattributeset netd_socket_26_0 (netd_socket))
-(typeattributeset netif_26_0 (netif))
-(typeattributeset netpolicy_service_26_0 (netpolicy_service))
-(typeattributeset net_radio_prop_26_0 (net_radio_prop))
-(typeattributeset netstats_service_26_0 (netstats_service))
-(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_26_0 (network_management_service))
-(typeattributeset network_score_service_26_0 (network_score_service))
-(typeattributeset network_time_update_service_26_0 (network_time_update_service))
-(typeattributeset nfc_26_0 (nfc))
-(typeattributeset nfc_data_file_26_0 (nfc_data_file))
-(typeattributeset nfc_device_26_0 (nfc_device))
-(typeattributeset nfc_prop_26_0 (nfc_prop))
-(typeattributeset nfc_service_26_0 (nfc_service))
-(typeattributeset node_26_0 (node))
-(typeattributeset notification_service_26_0 (notification_service))
-(typeattributeset null_device_26_0 (null_device))
-(typeattributeset oemfs_26_0 (oemfs))
-(typeattributeset oem_lock_service_26_0 (oem_lock_service))
-(typeattributeset ota_data_file_26_0 (ota_data_file))
-(typeattributeset otadexopt_service_26_0 (otadexopt_service))
-(typeattributeset ota_package_file_26_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_26_0 (overlay_prop))
-(typeattributeset overlay_service_26_0 (overlay_service))
-(typeattributeset owntty_device_26_0 (owntty_device))
-(typeattributeset package_service_26_0 (package_service))
-(typeattributeset pan_result_prop_26_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
-(typeattributeset performanced_26_0 (performanced))
-(typeattributeset performanced_exec_26_0 (performanced_exec))
-(typeattributeset perfprofd_26_0 (perfprofd))
-(typeattributeset perfprofd_data_file_26_0 (perfprofd_data_file))
-(typeattributeset perfprofd_exec_26_0 (perfprofd_exec))
-(typeattributeset permission_service_26_0 (permission_service))
-(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_26_0 (pinner_service))
-(typeattributeset pipefs_26_0 (pipefs))
-(typeattributeset platform_app_26_0 (platform_app))
-(typeattributeset pmsg_device_26_0 (pmsg_device))
-(typeattributeset port_26_0 (port))
-(typeattributeset port_device_26_0 (port_device))
-(typeattributeset postinstall_26_0 (postinstall))
-(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_26_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_26_0 (powerctl_prop))
-(typeattributeset power_service_26_0 (power_service))
-(typeattributeset ppp_26_0 (ppp))
-(typeattributeset ppp_device_26_0 (ppp_device))
-(typeattributeset ppp_exec_26_0 (ppp_exec))
-(typeattributeset preloads_data_file_26_0 (preloads_data_file))
-(typeattributeset preloads_media_file_26_0 (preloads_media_file))
-(typeattributeset preopt2cachename_26_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
-(typeattributeset print_service_26_0 (print_service))
-(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_swaps
- proc_uid_time_in_state
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
-(typeattributeset processinfo_service_26_0 (processinfo_service))
-(typeattributeset proc_interrupts_26_0 (proc_interrupts))
-(typeattributeset proc_iomem_26_0 (proc_iomem))
-(typeattributeset proc_meminfo_26_0 (proc_meminfo))
-(typeattributeset proc_misc_26_0 (proc_misc))
-(typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0
- ( proc_net
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_26_0 (proc_perf))
-(typeattributeset proc_security_26_0 (proc_security))
-(typeattributeset proc_stat_26_0 (proc_stat))
-(typeattributeset procstats_service_26_0 (procstats_service))
-(typeattributeset proc_sysrq_26_0 (proc_sysrq))
-(typeattributeset proc_timer_26_0 (proc_timer))
-(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
-(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
-(typeattributeset profman_26_0 (profman))
-(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
-(typeattributeset profman_exec_26_0 (profman_exec))
-(typeattributeset properties_device_26_0 (properties_device))
-(typeattributeset properties_serial_26_0 (properties_serial))
-(typeattributeset property_contexts_file_26_0 (property_contexts_file))
-(typeattributeset property_data_file_26_0 (property_data_file))
-(typeattributeset property_socket_26_0 (property_socket))
-(typeattributeset pstorefs_26_0 (pstorefs))
-(typeattributeset ptmx_device_26_0 (ptmx_device))
-(typeattributeset qtaguid_device_26_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_26_0 (qtaguid_proc))
-(typeattributeset racoon_26_0 (racoon))
-(typeattributeset racoon_exec_26_0 (racoon_exec))
-(typeattributeset racoon_socket_26_0 (racoon_socket))
-(typeattributeset radio_26_0 (radio))
-(typeattributeset radio_data_file_26_0 (radio_data_file))
-(typeattributeset radio_device_26_0 (radio_device))
-(typeattributeset radio_prop_26_0 (radio_prop))
-(typeattributeset radio_service_26_0 (radio_service))
-(typeattributeset ram_device_26_0 (ram_device))
-(typeattributeset random_device_26_0 (random_device))
-(typeattributeset reboot_data_file_26_0 (reboot_data_file))
-(typeattributeset recovery_26_0 (recovery))
-(typeattributeset recovery_block_device_26_0 (recovery_block_device))
-(typeattributeset recovery_data_file_26_0 (recovery_data_file))
-(typeattributeset recovery_persist_26_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_26_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_26_0 (recovery_service))
-(typeattributeset registry_service_26_0 (registry_service))
-(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_26_0 (restorecon_prop))
-(typeattributeset restrictions_service_26_0 (restrictions_service))
-(typeattributeset rild_26_0 (rild))
-(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
-(typeattributeset rild_socket_26_0 (rild_socket))
-(typeattributeset ringtone_file_26_0 (ringtone_file))
-(typeattributeset root_block_device_26_0 (root_block_device))
-(typeattributeset rootfs_26_0 (rootfs))
-(typeattributeset rpmsg_device_26_0 (rpmsg_device))
-(typeattributeset rtc_device_26_0 (rtc_device))
-(typeattributeset rttmanager_service_26_0 (rttmanager_service))
-(typeattributeset runas_26_0 (runas))
-(typeattributeset runas_exec_26_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0 (same_process_hal_file))
-(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
-(typeattributeset sdcardd_26_0 (sdcardd))
-(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
-(typeattributeset sdcardfs_26_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
-(typeattributeset search_service_26_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_26_0 (selinuxfs))
-(typeattributeset sensors_device_26_0 (sensors_device))
-(typeattributeset sensorservice_service_26_0 (sensorservice_service))
-(typeattributeset sepolicy_file_26_0 (sepolicy_file))
-(typeattributeset serial_device_26_0 (serial_device))
-(typeattributeset serialno_prop_26_0 (serialno_prop))
-(typeattributeset serial_service_26_0 (serial_service))
-(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
-(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
-(typeattributeset servicemanager_26_0 (servicemanager))
-(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
-(typeattributeset settings_service_26_0 (settings_service))
-(typeattributeset sgdisk_26_0 (sgdisk))
-(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
-(typeattributeset shared_relro_26_0 (shared_relro))
-(typeattributeset shared_relro_file_26_0 (shared_relro_file))
-(typeattributeset shell_26_0 (shell))
-(typeattributeset shell_data_file_26_0 (shell_data_file))
-(typeattributeset shell_exec_26_0 (shell_exec))
-(typeattributeset shell_prop_26_0 (shell_prop))
-(typeattributeset shm_26_0 (shm))
-(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_26_0 (shortcut_service))
-(typeattributeset slideshow_26_0 (slideshow))
-(typeattributeset socket_device_26_0 (socket_device))
-(typeattributeset sockfs_26_0 (sockfs))
-(typeattributeset statusbar_service_26_0 (statusbar_service))
-(typeattributeset storaged_service_26_0 (storaged_service))
-(typeattributeset storage_file_26_0 (storage_file))
-(typeattributeset storagestats_service_26_0 (storagestats_service))
-(typeattributeset storage_stub_file_26_0 (storage_stub_file))
-(typeattributeset su_26_0 (su))
-(typeattributeset su_exec_26_0 (su_exec))
-(typeattributeset surfaceflinger_26_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_26_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_26_0 (sysfs_uio))
-(typeattributeset sysfs_usb_26_0 (sysfs_usb))
-(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_26_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
-(typeattributeset system_app_26_0 (system_app))
-(typeattributeset system_app_data_file_26_0 (system_app_data_file))
-(typeattributeset system_app_service_26_0 (system_app_service))
-(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0
- ( system_data_file
- vendor_data_file))
-(typeattributeset system_file_26_0 (system_file))
-(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
-(typeattributeset system_prop_26_0 (system_prop))
-(typeattributeset system_radio_prop_26_0 (system_radio_prop))
-(typeattributeset system_server_26_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
-(typeattributeset task_service_26_0 (task_service))
-(typeattributeset tee_26_0 (tee))
-(typeattributeset tee_data_file_26_0 (tee_data_file))
-(typeattributeset tee_device_26_0 (tee_device))
-(typeattributeset telecom_service_26_0 (telecom_service))
-(typeattributeset textclassification_service_26_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
-(typeattributeset textservices_service_26_0 (textservices_service))
-(typeattributeset tmpfs_26_0 (tmpfs))
-(typeattributeset tombstoned_26_0 (tombstoned))
-(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
-(typeattributeset toolbox_26_0 (toolbox))
-(typeattributeset toolbox_exec_26_0 (toolbox_exec))
-(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
-(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
-(typeattributeset trust_service_26_0 (trust_service))
-(typeattributeset tty_device_26_0 (tty_device))
-(typeattributeset tun_device_26_0 (tun_device))
-(typeattributeset tv_input_service_26_0 (tv_input_service))
-(typeattributeset tzdatacheck_26_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
-(typeattributeset ueventd_26_0 (ueventd))
-(typeattributeset uhid_device_26_0 (uhid_device))
-(typeattributeset uimode_service_26_0 (uimode_service))
-(typeattributeset uio_device_26_0 (uio_device))
-(typeattributeset uncrypt_26_0 (uncrypt))
-(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
-(typeattributeset unlabeled_26_0 (unlabeled))
-(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
-(typeattributeset update_engine_26_0 (update_engine))
-(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_26_0 (update_engine_exec))
-(typeattributeset update_engine_service_26_0 (update_engine_service))
-(typeattributeset updatelock_service_26_0 (updatelock_service))
-(typeattributeset update_verifier_26_0 (update_verifier))
-(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
-(typeattributeset usagestats_service_26_0 (usagestats_service))
-(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
-(typeattributeset usb_device_26_0 (usb_device))
-(typeattributeset usbfs_26_0 (usbfs))
-(typeattributeset usb_service_26_0 (usb_service))
-(typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
-(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
-(typeattributeset user_service_26_0 (user_service))
-(typeattributeset vcs_device_26_0 (vcs_device))
-(typeattributeset vdc_26_0 (vdc))
-(typeattributeset vdc_exec_26_0 (vdc_exec))
-(typeattributeset vendor_app_file_26_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
-(typeattributeset vendor_file_26_0 (vendor_file))
-(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
-(typeattributeset vfat_26_0 (vfat))
-(typeattributeset vibrator_service_26_0 (vibrator_service))
-(typeattributeset video_device_26_0 (video_device))
-(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_26_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_26_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
-(typeattributeset vold_26_0 (vold))
-(typeattributeset vold_data_file_26_0 (vold_data_file))
-(typeattributeset vold_device_26_0 (vold_device))
-(typeattributeset vold_exec_26_0 (vold_exec))
-(typeattributeset vold_prop_26_0 (vold_prop))
-(typeattributeset vold_socket_26_0 (vold_socket))
-(typeattributeset vpn_data_file_26_0 (vpn_data_file))
-(typeattributeset vr_hwc_26_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_26_0 (vr_manager_service))
-(typeattributeset wallpaper_file_26_0 (wallpaper_file))
-(typeattributeset wallpaper_service_26_0 (wallpaper_service))
-(typeattributeset watchdogd_26_0 (watchdogd))
-(typeattributeset watchdog_device_26_0 (watchdog_device))
-(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
-(typeattributeset webview_zygote_26_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_26_0 (wifiaware_service))
-(typeattributeset wificond_26_0 (wificond))
-(typeattributeset wificond_exec_26_0 (wificond_exec))
-(typeattributeset wificond_service_26_0 (wificond_service))
-(typeattributeset wifi_data_file_26_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_26_0 (wifip2p_service))
-(typeattributeset wifi_prop_26_0 (wifi_prop))
-(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
-(typeattributeset wifi_service_26_0 (wifi_service))
-(typeattributeset window_service_26_0 (window_service))
-(typeattributeset wpa_socket_26_0 (wpa_socket))
-(typeattributeset zero_device_26_0 (zero_device))
-(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
-(typeattributeset zygote_26_0 (zygote))
-(typeattributeset zygote_exec_26_0 (zygote_exec))
-(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
deleted file mode 100644
index 4e0aae2..0000000
--- a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
+++ /dev/null
@@ -1,158 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( adbd_exec
- atrace
- binder_calls_stats_service
- bootloader_boot_reason_prop
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- broadcastradio_service
- cgroup_bpf
- crossprofileapps_service
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- e2fs
- e2fs_exec
- exfat
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_radio_prop
- exported3_system_prop
- fingerprint_vendor_data_file
- fs_bpf
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_broadcastradio_hwservice
- hal_cas_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_lowpan_hwservice
- hal_neuralnetworks_hwservice
- hal_secure_element_hwservice
- hal_tetheroffload_hwservice
- hal_wifi_hostapd_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_offload_hwservice
- incident_helper
- incident_helper_exec
- kmsg_debug_device
- last_boot_reason_prop
- lowpan_device
- lowpan_prop
- lowpan_service
- mediaextractor_update_service
- mediaprovider_tmpfs
- metadata_file
- mnt_vendor_file
- netd_stable_secret_prop
- network_watchlist_data_file
- network_watchlist_service
- package_native_service
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- perfprofd_service
- property_info
- secure_element
- secure_element_device
- secure_element_tmpfs
- secure_element_service
- slice_service
- stats
- stats_data_file
- stats_exec
- stats_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- statscompanion_service
- storaged_data_file
- sysfs_fs_ext4_features
- system_boot_reason_prop
- system_net_netd_hwservice
- system_update_service
- test_boot_reason_prop
- thermal_service
- thermalcallback_hwservice
- thermalserviced
- thermalserviced_exec
- thermalserviced_tmpfs
- timezone_service
- tombstoned_java_trace_socket
- tombstone_wifi_data_file
- trace_data_file
- traceur_app
- traceur_app_tmpfs
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- vendor_default_prop
- vendor_security_patch_level_prop
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_init
- vendor_shell
- vold_metadata_file
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs
- wm_trace_data_file))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( adbd_tmpfs
- untrusted_app_27_tmpfs
- ))
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
deleted file mode 100644
index dbe3e88..0000000
--- a/prebuilts/api/28.0/private/compat/27.0/27.0.cil
+++ /dev/null
@@ -1,1484 +0,0 @@
-;; types removed from current policy
-(type webview_zygote_socket)
-(type reboot_data_file)
-(type vold_socket)
-(type rild)
-
-(expandtypeattribute (accessibility_service_27_0) true)
-(expandtypeattribute (account_service_27_0) true)
-(expandtypeattribute (activity_service_27_0) true)
-(expandtypeattribute (adbd_27_0) true)
-(expandtypeattribute (adb_data_file_27_0) true)
-(expandtypeattribute (adbd_exec_27_0) true)
-(expandtypeattribute (adbd_socket_27_0) true)
-(expandtypeattribute (adb_keys_file_27_0) true)
-(expandtypeattribute (alarm_device_27_0) true)
-(expandtypeattribute (alarm_service_27_0) true)
-(expandtypeattribute (anr_data_file_27_0) true)
-(expandtypeattribute (apk_data_file_27_0) true)
-(expandtypeattribute (apk_private_data_file_27_0) true)
-(expandtypeattribute (apk_private_tmp_file_27_0) true)
-(expandtypeattribute (apk_tmp_file_27_0) true)
-(expandtypeattribute (app_data_file_27_0) true)
-(expandtypeattribute (app_fuse_file_27_0) true)
-(expandtypeattribute (app_fusefs_27_0) true)
-(expandtypeattribute (appops_service_27_0) true)
-(expandtypeattribute (appwidget_service_27_0) true)
-(expandtypeattribute (asec_apk_file_27_0) true)
-(expandtypeattribute (asec_image_file_27_0) true)
-(expandtypeattribute (asec_public_file_27_0) true)
-(expandtypeattribute (ashmem_device_27_0) true)
-(expandtypeattribute (assetatlas_service_27_0) true)
-(expandtypeattribute (audio_data_file_27_0) true)
-(expandtypeattribute (audio_device_27_0) true)
-(expandtypeattribute (audiohal_data_file_27_0) true)
-(expandtypeattribute (audio_prop_27_0) true)
-(expandtypeattribute (audio_seq_device_27_0) true)
-(expandtypeattribute (audioserver_27_0) true)
-(expandtypeattribute (audioserver_data_file_27_0) true)
-(expandtypeattribute (audioserver_service_27_0) true)
-(expandtypeattribute (audio_service_27_0) true)
-(expandtypeattribute (audio_timer_device_27_0) true)
-(expandtypeattribute (autofill_service_27_0) true)
-(expandtypeattribute (backup_data_file_27_0) true)
-(expandtypeattribute (backup_service_27_0) true)
-(expandtypeattribute (batteryproperties_service_27_0) true)
-(expandtypeattribute (battery_service_27_0) true)
-(expandtypeattribute (batterystats_service_27_0) true)
-(expandtypeattribute (binder_device_27_0) true)
-(expandtypeattribute (binfmt_miscfs_27_0) true)
-(expandtypeattribute (blkid_27_0) true)
-(expandtypeattribute (blkid_untrusted_27_0) true)
-(expandtypeattribute (block_device_27_0) true)
-(expandtypeattribute (bluetooth_27_0) true)
-(expandtypeattribute (bluetooth_data_file_27_0) true)
-(expandtypeattribute (bluetooth_efs_file_27_0) true)
-(expandtypeattribute (bluetooth_logs_data_file_27_0) true)
-(expandtypeattribute (bluetooth_manager_service_27_0) true)
-(expandtypeattribute (bluetooth_prop_27_0) true)
-(expandtypeattribute (bluetooth_service_27_0) true)
-(expandtypeattribute (bluetooth_socket_27_0) true)
-(expandtypeattribute (bootanim_27_0) true)
-(expandtypeattribute (bootanim_exec_27_0) true)
-(expandtypeattribute (boot_block_device_27_0) true)
-(expandtypeattribute (bootchart_data_file_27_0) true)
-(expandtypeattribute (bootstat_27_0) true)
-(expandtypeattribute (bootstat_data_file_27_0) true)
-(expandtypeattribute (bootstat_exec_27_0) true)
-(expandtypeattribute (boottime_prop_27_0) true)
-(expandtypeattribute (boottrace_data_file_27_0) true)
-(expandtypeattribute (broadcastradio_service_27_0) true)
-(expandtypeattribute (bufferhubd_27_0) true)
-(expandtypeattribute (bufferhubd_exec_27_0) true)
-(expandtypeattribute (cache_backup_file_27_0) true)
-(expandtypeattribute (cache_block_device_27_0) true)
-(expandtypeattribute (cache_file_27_0) true)
-(expandtypeattribute (cache_private_backup_file_27_0) true)
-(expandtypeattribute (cache_recovery_file_27_0) true)
-(expandtypeattribute (camera_data_file_27_0) true)
-(expandtypeattribute (camera_device_27_0) true)
-(expandtypeattribute (cameraproxy_service_27_0) true)
-(expandtypeattribute (cameraserver_27_0) true)
-(expandtypeattribute (cameraserver_exec_27_0) true)
-(expandtypeattribute (cameraserver_service_27_0) true)
-(expandtypeattribute (cgroup_27_0) true)
-(expandtypeattribute (charger_27_0) true)
-(expandtypeattribute (clatd_27_0) true)
-(expandtypeattribute (clatd_exec_27_0) true)
-(expandtypeattribute (clipboard_service_27_0) true)
-(expandtypeattribute (commontime_management_service_27_0) true)
-(expandtypeattribute (companion_device_service_27_0) true)
-(expandtypeattribute (configfs_27_0) true)
-(expandtypeattribute (config_prop_27_0) true)
-(expandtypeattribute (connectivity_service_27_0) true)
-(expandtypeattribute (connmetrics_service_27_0) true)
-(expandtypeattribute (console_device_27_0) true)
-(expandtypeattribute (consumer_ir_service_27_0) true)
-(expandtypeattribute (content_service_27_0) true)
-(expandtypeattribute (contexthub_service_27_0) true)
-(expandtypeattribute (coredump_file_27_0) true)
-(expandtypeattribute (country_detector_service_27_0) true)
-(expandtypeattribute (coverage_service_27_0) true)
-(expandtypeattribute (cppreopt_prop_27_0) true)
-(expandtypeattribute (cppreopts_27_0) true)
-(expandtypeattribute (cppreopts_exec_27_0) true)
-(expandtypeattribute (cpuctl_device_27_0) true)
-(expandtypeattribute (cpuinfo_service_27_0) true)
-(expandtypeattribute (crash_dump_27_0) true)
-(expandtypeattribute (crash_dump_exec_27_0) true)
-(expandtypeattribute (ctl_bootanim_prop_27_0) true)
-(expandtypeattribute (ctl_bugreport_prop_27_0) true)
-(expandtypeattribute (ctl_console_prop_27_0) true)
-(expandtypeattribute (ctl_default_prop_27_0) true)
-(expandtypeattribute (ctl_dumpstate_prop_27_0) true)
-(expandtypeattribute (ctl_fuse_prop_27_0) true)
-(expandtypeattribute (ctl_mdnsd_prop_27_0) true)
-(expandtypeattribute (ctl_rildaemon_prop_27_0) true)
-(expandtypeattribute (dalvikcache_data_file_27_0) true)
-(expandtypeattribute (dalvik_prop_27_0) true)
-(expandtypeattribute (dbinfo_service_27_0) true)
-(expandtypeattribute (debugfs_27_0) true)
-(expandtypeattribute (debugfs_mmc_27_0) true)
-(expandtypeattribute (debugfs_trace_marker_27_0) true)
-(expandtypeattribute (debugfs_tracing_27_0) true)
-(expandtypeattribute (debugfs_tracing_debug_27_0) true)
-(expandtypeattribute (debugfs_tracing_instances_27_0) true)
-(expandtypeattribute (debugfs_wifi_tracing_27_0) true)
-(expandtypeattribute (debuggerd_prop_27_0) true)
-(expandtypeattribute (debug_prop_27_0) true)
-(expandtypeattribute (default_android_hwservice_27_0) true)
-(expandtypeattribute (default_android_service_27_0) true)
-(expandtypeattribute (default_android_vndservice_27_0) true)
-(expandtypeattribute (default_prop_27_0) true)
-(expandtypeattribute (device_27_0) true)
-(expandtypeattribute (device_identifiers_service_27_0) true)
-(expandtypeattribute (deviceidle_service_27_0) true)
-(expandtypeattribute (device_logging_prop_27_0) true)
-(expandtypeattribute (device_policy_service_27_0) true)
-(expandtypeattribute (devicestoragemonitor_service_27_0) true)
-(expandtypeattribute (devpts_27_0) true)
-(expandtypeattribute (dex2oat_27_0) true)
-(expandtypeattribute (dex2oat_exec_27_0) true)
-(expandtypeattribute (dhcp_27_0) true)
-(expandtypeattribute (dhcp_data_file_27_0) true)
-(expandtypeattribute (dhcp_exec_27_0) true)
-(expandtypeattribute (dhcp_prop_27_0) true)
-(expandtypeattribute (diskstats_service_27_0) true)
-(expandtypeattribute (display_service_27_0) true)
-(expandtypeattribute (dm_device_27_0) true)
-(expandtypeattribute (dnsmasq_27_0) true)
-(expandtypeattribute (dnsmasq_exec_27_0) true)
-(expandtypeattribute (dnsproxyd_socket_27_0) true)
-(expandtypeattribute (DockObserver_service_27_0) true)
-(expandtypeattribute (dreams_service_27_0) true)
-(expandtypeattribute (drm_data_file_27_0) true)
-(expandtypeattribute (drmserver_27_0) true)
-(expandtypeattribute (drmserver_exec_27_0) true)
-(expandtypeattribute (drmserver_service_27_0) true)
-(expandtypeattribute (drmserver_socket_27_0) true)
-(expandtypeattribute (dropbox_service_27_0) true)
-(expandtypeattribute (dumpstate_27_0) true)
-(expandtypeattribute (dumpstate_exec_27_0) true)
-(expandtypeattribute (dumpstate_options_prop_27_0) true)
-(expandtypeattribute (dumpstate_prop_27_0) true)
-(expandtypeattribute (dumpstate_service_27_0) true)
-(expandtypeattribute (dumpstate_socket_27_0) true)
-(expandtypeattribute (e2fs_27_0) true)
-(expandtypeattribute (e2fs_exec_27_0) true)
-(expandtypeattribute (efs_file_27_0) true)
-(expandtypeattribute (ephemeral_app_27_0) true)
-(expandtypeattribute (ethernet_service_27_0) true)
-(expandtypeattribute (ffs_prop_27_0) true)
-(expandtypeattribute (file_contexts_file_27_0) true)
-(expandtypeattribute (fingerprintd_27_0) true)
-(expandtypeattribute (fingerprintd_data_file_27_0) true)
-(expandtypeattribute (fingerprintd_exec_27_0) true)
-(expandtypeattribute (fingerprintd_service_27_0) true)
-(expandtypeattribute (fingerprint_prop_27_0) true)
-(expandtypeattribute (fingerprint_service_27_0) true)
-(expandtypeattribute (firstboot_prop_27_0) true)
-(expandtypeattribute (font_service_27_0) true)
-(expandtypeattribute (frp_block_device_27_0) true)
-(expandtypeattribute (fsck_27_0) true)
-(expandtypeattribute (fsck_exec_27_0) true)
-(expandtypeattribute (fscklogs_27_0) true)
-(expandtypeattribute (fsck_untrusted_27_0) true)
-(expandtypeattribute (full_device_27_0) true)
-(expandtypeattribute (functionfs_27_0) true)
-(expandtypeattribute (fuse_27_0) true)
-(expandtypeattribute (fuse_device_27_0) true)
-(expandtypeattribute (fwk_display_hwservice_27_0) true)
-(expandtypeattribute (fwk_scheduler_hwservice_27_0) true)
-(expandtypeattribute (fwk_sensor_hwservice_27_0) true)
-(expandtypeattribute (fwmarkd_socket_27_0) true)
-(expandtypeattribute (gatekeeperd_27_0) true)
-(expandtypeattribute (gatekeeper_data_file_27_0) true)
-(expandtypeattribute (gatekeeperd_exec_27_0) true)
-(expandtypeattribute (gatekeeper_service_27_0) true)
-(expandtypeattribute (gfxinfo_service_27_0) true)
-(expandtypeattribute (gps_control_27_0) true)
-(expandtypeattribute (gpu_device_27_0) true)
-(expandtypeattribute (gpu_service_27_0) true)
-(expandtypeattribute (graphics_device_27_0) true)
-(expandtypeattribute (graphicsstats_service_27_0) true)
-(expandtypeattribute (hal_audio_hwservice_27_0) true)
-(expandtypeattribute (hal_bluetooth_hwservice_27_0) true)
-(expandtypeattribute (hal_bootctl_hwservice_27_0) true)
-(expandtypeattribute (hal_broadcastradio_hwservice_27_0) true)
-(expandtypeattribute (hal_camera_hwservice_27_0) true)
-(expandtypeattribute (hal_cas_hwservice_27_0) true)
-(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_27_0) true)
-(expandtypeattribute (hal_contexthub_hwservice_27_0) true)
-(expandtypeattribute (hal_drm_hwservice_27_0) true)
-(expandtypeattribute (hal_dumpstate_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_service_27_0) true)
-(expandtypeattribute (hal_gatekeeper_hwservice_27_0) true)
-(expandtypeattribute (hal_gnss_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_allocator_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_composer_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_mapper_hwservice_27_0) true)
-(expandtypeattribute (hal_health_hwservice_27_0) true)
-(expandtypeattribute (hal_ir_hwservice_27_0) true)
-(expandtypeattribute (hal_keymaster_hwservice_27_0) true)
-(expandtypeattribute (hal_light_hwservice_27_0) true)
-(expandtypeattribute (hal_memtrack_hwservice_27_0) true)
-(expandtypeattribute (hal_neuralnetworks_hwservice_27_0) true)
-(expandtypeattribute (hal_nfc_hwservice_27_0) true)
-(expandtypeattribute (hal_oemlock_hwservice_27_0) true)
-(expandtypeattribute (hal_omx_hwservice_27_0) true)
-(expandtypeattribute (hal_power_hwservice_27_0) true)
-(expandtypeattribute (hal_renderscript_hwservice_27_0) true)
-(expandtypeattribute (hal_sensors_hwservice_27_0) true)
-(expandtypeattribute (hal_telephony_hwservice_27_0) true)
-(expandtypeattribute (hal_tetheroffload_hwservice_27_0) true)
-(expandtypeattribute (hal_thermal_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_cec_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_input_hwservice_27_0) true)
-(expandtypeattribute (hal_usb_hwservice_27_0) true)
-(expandtypeattribute (hal_vibrator_hwservice_27_0) true)
-(expandtypeattribute (hal_vr_hwservice_27_0) true)
-(expandtypeattribute (hal_weaver_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_offload_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_supplicant_hwservice_27_0) true)
-(expandtypeattribute (hardware_properties_service_27_0) true)
-(expandtypeattribute (hardware_service_27_0) true)
-(expandtypeattribute (hci_attach_dev_27_0) true)
-(expandtypeattribute (hdmi_control_service_27_0) true)
-(expandtypeattribute (healthd_27_0) true)
-(expandtypeattribute (healthd_exec_27_0) true)
-(expandtypeattribute (heapdump_data_file_27_0) true)
-(expandtypeattribute (hidl_allocator_hwservice_27_0) true)
-(expandtypeattribute (hidl_base_hwservice_27_0) true)
-(expandtypeattribute (hidl_manager_hwservice_27_0) true)
-(expandtypeattribute (hidl_memory_hwservice_27_0) true)
-(expandtypeattribute (hidl_token_hwservice_27_0) true)
-(expandtypeattribute (hwbinder_device_27_0) true)
-(expandtypeattribute (hw_random_device_27_0) true)
-(expandtypeattribute (hwservice_contexts_file_27_0) true)
-(expandtypeattribute (hwservicemanager_27_0) true)
-(expandtypeattribute (hwservicemanager_exec_27_0) true)
-(expandtypeattribute (hwservicemanager_prop_27_0) true)
-(expandtypeattribute (i2c_device_27_0) true)
-(expandtypeattribute (icon_file_27_0) true)
-(expandtypeattribute (idmap_27_0) true)
-(expandtypeattribute (idmap_exec_27_0) true)
-(expandtypeattribute (iio_device_27_0) true)
-(expandtypeattribute (imms_service_27_0) true)
-(expandtypeattribute (incident_27_0) true)
-(expandtypeattribute (incidentd_27_0) true)
-(expandtypeattribute (incident_data_file_27_0) true)
-(expandtypeattribute (incident_service_27_0) true)
-(expandtypeattribute (init_27_0) true)
-(expandtypeattribute (init_exec_27_0) true)
-(expandtypeattribute (inotify_27_0) true)
-(expandtypeattribute (input_device_27_0) true)
-(expandtypeattribute (inputflinger_27_0) true)
-(expandtypeattribute (inputflinger_exec_27_0) true)
-(expandtypeattribute (inputflinger_service_27_0) true)
-(expandtypeattribute (input_method_service_27_0) true)
-(expandtypeattribute (input_service_27_0) true)
-(expandtypeattribute (installd_27_0) true)
-(expandtypeattribute (install_data_file_27_0) true)
-(expandtypeattribute (installd_exec_27_0) true)
-(expandtypeattribute (installd_service_27_0) true)
-(expandtypeattribute (install_recovery_27_0) true)
-(expandtypeattribute (install_recovery_exec_27_0) true)
-(expandtypeattribute (ion_device_27_0) true)
-(expandtypeattribute (IProxyService_service_27_0) true)
-(expandtypeattribute (ipsec_service_27_0) true)
-(expandtypeattribute (isolated_app_27_0) true)
-(expandtypeattribute (jobscheduler_service_27_0) true)
-(expandtypeattribute (kernel_27_0) true)
-(expandtypeattribute (keychain_data_file_27_0) true)
-(expandtypeattribute (keychord_device_27_0) true)
-(expandtypeattribute (keystore_27_0) true)
-(expandtypeattribute (keystore_data_file_27_0) true)
-(expandtypeattribute (keystore_exec_27_0) true)
-(expandtypeattribute (keystore_service_27_0) true)
-(expandtypeattribute (kmem_device_27_0) true)
-(expandtypeattribute (kmsg_debug_device_27_0) true)
-(expandtypeattribute (kmsg_device_27_0) true)
-(expandtypeattribute (labeledfs_27_0) true)
-(expandtypeattribute (launcherapps_service_27_0) true)
-(expandtypeattribute (lmkd_27_0) true)
-(expandtypeattribute (lmkd_exec_27_0) true)
-(expandtypeattribute (lmkd_socket_27_0) true)
-(expandtypeattribute (location_service_27_0) true)
-(expandtypeattribute (lock_settings_service_27_0) true)
-(expandtypeattribute (logcat_exec_27_0) true)
-(expandtypeattribute (logd_27_0) true)
-(expandtypeattribute (logd_exec_27_0) true)
-(expandtypeattribute (logd_prop_27_0) true)
-(expandtypeattribute (logdr_socket_27_0) true)
-(expandtypeattribute (logd_socket_27_0) true)
-(expandtypeattribute (logdw_socket_27_0) true)
-(expandtypeattribute (logpersist_27_0) true)
-(expandtypeattribute (logpersistd_logging_prop_27_0) true)
-(expandtypeattribute (log_prop_27_0) true)
-(expandtypeattribute (log_tag_prop_27_0) true)
-(expandtypeattribute (loop_control_device_27_0) true)
-(expandtypeattribute (loop_device_27_0) true)
-(expandtypeattribute (mac_perms_file_27_0) true)
-(expandtypeattribute (mdnsd_27_0) true)
-(expandtypeattribute (mdnsd_socket_27_0) true)
-(expandtypeattribute (mdns_socket_27_0) true)
-(expandtypeattribute (mediacodec_27_0) true)
-(expandtypeattribute (mediacodec_exec_27_0) true)
-(expandtypeattribute (mediacodec_service_27_0) true)
-(expandtypeattribute (media_data_file_27_0) true)
-(expandtypeattribute (mediadrmserver_27_0) true)
-(expandtypeattribute (mediadrmserver_exec_27_0) true)
-(expandtypeattribute (mediadrmserver_service_27_0) true)
-(expandtypeattribute (mediaextractor_27_0) true)
-(expandtypeattribute (mediaextractor_exec_27_0) true)
-(expandtypeattribute (mediaextractor_service_27_0) true)
-(expandtypeattribute (mediametrics_27_0) true)
-(expandtypeattribute (mediametrics_exec_27_0) true)
-(expandtypeattribute (mediametrics_service_27_0) true)
-(expandtypeattribute (media_projection_service_27_0) true)
-(expandtypeattribute (mediaprovider_27_0) true)
-(expandtypeattribute (media_router_service_27_0) true)
-(expandtypeattribute (media_rw_data_file_27_0) true)
-(expandtypeattribute (mediaserver_27_0) true)
-(expandtypeattribute (mediaserver_exec_27_0) true)
-(expandtypeattribute (mediaserver_service_27_0) true)
-(expandtypeattribute (media_session_service_27_0) true)
-(expandtypeattribute (meminfo_service_27_0) true)
-(expandtypeattribute (metadata_block_device_27_0) true)
-(expandtypeattribute (method_trace_data_file_27_0) true)
-(expandtypeattribute (midi_service_27_0) true)
-(expandtypeattribute (misc_block_device_27_0) true)
-(expandtypeattribute (misc_logd_file_27_0) true)
-(expandtypeattribute (misc_user_data_file_27_0) true)
-(expandtypeattribute (mmc_prop_27_0) true)
-(expandtypeattribute (mnt_expand_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_stub_file_27_0) true)
-(expandtypeattribute (mnt_user_file_27_0) true)
-(expandtypeattribute (modprobe_27_0) true)
-(expandtypeattribute (mount_service_27_0) true)
-(expandtypeattribute (mqueue_27_0) true)
-(expandtypeattribute (mtd_device_27_0) true)
-(expandtypeattribute (mtp_27_0) true)
-(expandtypeattribute (mtp_device_27_0) true)
-(expandtypeattribute (mtpd_socket_27_0) true)
-(expandtypeattribute (mtp_exec_27_0) true)
-(expandtypeattribute (nativetest_data_file_27_0) true)
-(expandtypeattribute (netd_27_0) true)
-(expandtypeattribute (net_data_file_27_0) true)
-(expandtypeattribute (netd_exec_27_0) true)
-(expandtypeattribute (netd_listener_service_27_0) true)
-(expandtypeattribute (net_dns_prop_27_0) true)
-(expandtypeattribute (netd_service_27_0) true)
-(expandtypeattribute (netd_socket_27_0) true)
-(expandtypeattribute (netd_stable_secret_prop_27_0) true)
-(expandtypeattribute (netif_27_0) true)
-(expandtypeattribute (netpolicy_service_27_0) true)
-(expandtypeattribute (net_radio_prop_27_0) true)
-(expandtypeattribute (netstats_service_27_0) true)
-(expandtypeattribute (netutils_wrapper_27_0) true)
-(expandtypeattribute (netutils_wrapper_exec_27_0) true)
-(expandtypeattribute (network_management_service_27_0) true)
-(expandtypeattribute (network_score_service_27_0) true)
-(expandtypeattribute (network_time_update_service_27_0) true)
-(expandtypeattribute (nfc_27_0) true)
-(expandtypeattribute (nfc_data_file_27_0) true)
-(expandtypeattribute (nfc_device_27_0) true)
-(expandtypeattribute (nfc_prop_27_0) true)
-(expandtypeattribute (nfc_service_27_0) true)
-(expandtypeattribute (node_27_0) true)
-(expandtypeattribute (nonplat_service_contexts_file_27_0) true)
-(expandtypeattribute (notification_service_27_0) true)
-(expandtypeattribute (null_device_27_0) true)
-(expandtypeattribute (oemfs_27_0) true)
-(expandtypeattribute (oem_lock_service_27_0) true)
-(expandtypeattribute (ota_data_file_27_0) true)
-(expandtypeattribute (otadexopt_service_27_0) true)
-(expandtypeattribute (ota_package_file_27_0) true)
-(expandtypeattribute (otapreopt_chroot_27_0) true)
-(expandtypeattribute (otapreopt_chroot_exec_27_0) true)
-(expandtypeattribute (otapreopt_slot_27_0) true)
-(expandtypeattribute (otapreopt_slot_exec_27_0) true)
-(expandtypeattribute (overlay_prop_27_0) true)
-(expandtypeattribute (overlay_service_27_0) true)
-(expandtypeattribute (owntty_device_27_0) true)
-(expandtypeattribute (package_native_service_27_0) true)
-(expandtypeattribute (package_service_27_0) true)
-(expandtypeattribute (pan_result_prop_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_dir_27_0) true)
-(expandtypeattribute (pdx_display_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_dir_27_0) true)
-(expandtypeattribute (pdx_display_manager_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_manager_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_dir_27_0) true)
-(expandtypeattribute (performanced_27_0) true)
-(expandtypeattribute (performanced_exec_27_0) true)
-(expandtypeattribute (perfprofd_27_0) true)
-(expandtypeattribute (perfprofd_data_file_27_0) true)
-(expandtypeattribute (perfprofd_exec_27_0) true)
-(expandtypeattribute (permission_service_27_0) true)
-(expandtypeattribute (persist_debug_prop_27_0) true)
-(expandtypeattribute (persistent_data_block_service_27_0) true)
-(expandtypeattribute (persistent_properties_ready_prop_27_0) true)
-(expandtypeattribute (pinner_service_27_0) true)
-(expandtypeattribute (pipefs_27_0) true)
-(expandtypeattribute (platform_app_27_0) true)
-(expandtypeattribute (pmsg_device_27_0) true)
-(expandtypeattribute (port_27_0) true)
-(expandtypeattribute (port_device_27_0) true)
-(expandtypeattribute (postinstall_27_0) true)
-(expandtypeattribute (postinstall_dexopt_27_0) true)
-(expandtypeattribute (postinstall_file_27_0) true)
-(expandtypeattribute (postinstall_mnt_dir_27_0) true)
-(expandtypeattribute (powerctl_prop_27_0) true)
-(expandtypeattribute (power_service_27_0) true)
-(expandtypeattribute (ppp_27_0) true)
-(expandtypeattribute (ppp_device_27_0) true)
-(expandtypeattribute (ppp_exec_27_0) true)
-(expandtypeattribute (preloads_data_file_27_0) true)
-(expandtypeattribute (preloads_media_file_27_0) true)
-(expandtypeattribute (preopt2cachename_27_0) true)
-(expandtypeattribute (preopt2cachename_exec_27_0) true)
-(expandtypeattribute (print_service_27_0) true)
-(expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
-(expandtypeattribute (proc_bluetooth_writable_27_0) true)
-(expandtypeattribute (proc_cpuinfo_27_0) true)
-(expandtypeattribute (proc_drop_caches_27_0) true)
-(expandtypeattribute (processinfo_service_27_0) true)
-(expandtypeattribute (proc_interrupts_27_0) true)
-(expandtypeattribute (proc_iomem_27_0) true)
-(expandtypeattribute (proc_meminfo_27_0) true)
-(expandtypeattribute (proc_misc_27_0) true)
-(expandtypeattribute (proc_modules_27_0) true)
-(expandtypeattribute (proc_net_27_0) true)
-(expandtypeattribute (proc_overcommit_memory_27_0) true)
-(expandtypeattribute (proc_perf_27_0) true)
-(expandtypeattribute (proc_security_27_0) true)
-(expandtypeattribute (proc_stat_27_0) true)
-(expandtypeattribute (procstats_service_27_0) true)
-(expandtypeattribute (proc_sysrq_27_0) true)
-(expandtypeattribute (proc_timer_27_0) true)
-(expandtypeattribute (proc_tty_drivers_27_0) true)
-(expandtypeattribute (proc_uid_cputime_removeuid_27_0) true)
-(expandtypeattribute (proc_uid_cputime_showstat_27_0) true)
-(expandtypeattribute (proc_uid_io_stats_27_0) true)
-(expandtypeattribute (proc_uid_procstat_set_27_0) true)
-(expandtypeattribute (proc_uid_time_in_state_27_0) true)
-(expandtypeattribute (proc_zoneinfo_27_0) true)
-(expandtypeattribute (profman_27_0) true)
-(expandtypeattribute (profman_dump_data_file_27_0) true)
-(expandtypeattribute (profman_exec_27_0) true)
-(expandtypeattribute (properties_device_27_0) true)
-(expandtypeattribute (properties_serial_27_0) true)
-(expandtypeattribute (property_contexts_file_27_0) true)
-(expandtypeattribute (property_data_file_27_0) true)
-(expandtypeattribute (property_socket_27_0) true)
-(expandtypeattribute (pstorefs_27_0) true)
-(expandtypeattribute (ptmx_device_27_0) true)
-(expandtypeattribute (qtaguid_device_27_0) true)
-(expandtypeattribute (qtaguid_proc_27_0) true)
-(expandtypeattribute (racoon_27_0) true)
-(expandtypeattribute (racoon_exec_27_0) true)
-(expandtypeattribute (racoon_socket_27_0) true)
-(expandtypeattribute (radio_27_0) true)
-(expandtypeattribute (radio_data_file_27_0) true)
-(expandtypeattribute (radio_device_27_0) true)
-(expandtypeattribute (radio_prop_27_0) true)
-(expandtypeattribute (radio_service_27_0) true)
-(expandtypeattribute (ram_device_27_0) true)
-(expandtypeattribute (random_device_27_0) true)
-(expandtypeattribute (reboot_data_file_27_0) true)
-(expandtypeattribute (recovery_27_0) true)
-(expandtypeattribute (recovery_block_device_27_0) true)
-(expandtypeattribute (recovery_data_file_27_0) true)
-(expandtypeattribute (recovery_persist_27_0) true)
-(expandtypeattribute (recovery_persist_exec_27_0) true)
-(expandtypeattribute (recovery_refresh_27_0) true)
-(expandtypeattribute (recovery_refresh_exec_27_0) true)
-(expandtypeattribute (recovery_service_27_0) true)
-(expandtypeattribute (registry_service_27_0) true)
-(expandtypeattribute (resourcecache_data_file_27_0) true)
-(expandtypeattribute (restorecon_prop_27_0) true)
-(expandtypeattribute (restrictions_service_27_0) true)
-(expandtypeattribute (rild_27_0) true)
-(expandtypeattribute (rild_debug_socket_27_0) true)
-(expandtypeattribute (rild_socket_27_0) true)
-(expandtypeattribute (ringtone_file_27_0) true)
-(expandtypeattribute (root_block_device_27_0) true)
-(expandtypeattribute (rootfs_27_0) true)
-(expandtypeattribute (rpmsg_device_27_0) true)
-(expandtypeattribute (rtc_device_27_0) true)
-(expandtypeattribute (rttmanager_service_27_0) true)
-(expandtypeattribute (runas_27_0) true)
-(expandtypeattribute (runas_exec_27_0) true)
-(expandtypeattribute (runtime_event_log_tags_file_27_0) true)
-(expandtypeattribute (safemode_prop_27_0) true)
-(expandtypeattribute (same_process_hal_file_27_0) true)
-(expandtypeattribute (samplingprofiler_service_27_0) true)
-(expandtypeattribute (scheduling_policy_service_27_0) true)
-(expandtypeattribute (sdcardd_27_0) true)
-(expandtypeattribute (sdcardd_exec_27_0) true)
-(expandtypeattribute (sdcardfs_27_0) true)
-(expandtypeattribute (seapp_contexts_file_27_0) true)
-(expandtypeattribute (search_service_27_0) true)
-(expandtypeattribute (sec_key_att_app_id_provider_service_27_0) true)
-(expandtypeattribute (selinuxfs_27_0) true)
-(expandtypeattribute (sensors_device_27_0) true)
-(expandtypeattribute (sensorservice_service_27_0) true)
-(expandtypeattribute (sepolicy_file_27_0) true)
-(expandtypeattribute (serial_device_27_0) true)
-(expandtypeattribute (serialno_prop_27_0) true)
-(expandtypeattribute (serial_service_27_0) true)
-(expandtypeattribute (service_contexts_file_27_0) true)
-(expandtypeattribute (servicediscovery_service_27_0) true)
-(expandtypeattribute (servicemanager_27_0) true)
-(expandtypeattribute (servicemanager_exec_27_0) true)
-(expandtypeattribute (settings_service_27_0) true)
-(expandtypeattribute (sgdisk_27_0) true)
-(expandtypeattribute (sgdisk_exec_27_0) true)
-(expandtypeattribute (shared_relro_27_0) true)
-(expandtypeattribute (shared_relro_file_27_0) true)
-(expandtypeattribute (shell_27_0) true)
-(expandtypeattribute (shell_data_file_27_0) true)
-(expandtypeattribute (shell_exec_27_0) true)
-(expandtypeattribute (shell_prop_27_0) true)
-(expandtypeattribute (shm_27_0) true)
-(expandtypeattribute (shortcut_manager_icons_27_0) true)
-(expandtypeattribute (shortcut_service_27_0) true)
-(expandtypeattribute (slideshow_27_0) true)
-(expandtypeattribute (socket_device_27_0) true)
-(expandtypeattribute (sockfs_27_0) true)
-(expandtypeattribute (statusbar_service_27_0) true)
-(expandtypeattribute (storaged_service_27_0) true)
-(expandtypeattribute (storage_file_27_0) true)
-(expandtypeattribute (storagestats_service_27_0) true)
-(expandtypeattribute (storage_stub_file_27_0) true)
-(expandtypeattribute (su_27_0) true)
-(expandtypeattribute (su_exec_27_0) true)
-(expandtypeattribute (surfaceflinger_27_0) true)
-(expandtypeattribute (surfaceflinger_service_27_0) true)
-(expandtypeattribute (swap_block_device_27_0) true)
-(expandtypeattribute (sysfs_27_0) true)
-(expandtypeattribute (sysfs_batteryinfo_27_0) true)
-(expandtypeattribute (sysfs_bluetooth_writable_27_0) true)
-(expandtypeattribute (sysfs_devices_system_cpu_27_0) true)
-(expandtypeattribute (sysfs_fs_ext4_features_27_0) true)
-(expandtypeattribute (sysfs_hwrandom_27_0) true)
-(expandtypeattribute (sysfs_leds_27_0) true)
-(expandtypeattribute (sysfs_lowmemorykiller_27_0) true)
-(expandtypeattribute (sysfs_mac_address_27_0) true)
-(expandtypeattribute (sysfs_nfc_power_writable_27_0) true)
-(expandtypeattribute (sysfs_thermal_27_0) true)
-(expandtypeattribute (sysfs_uio_27_0) true)
-(expandtypeattribute (sysfs_usb_27_0) true)
-(expandtypeattribute (sysfs_usermodehelper_27_0) true)
-(expandtypeattribute (sysfs_vibrator_27_0) true)
-(expandtypeattribute (sysfs_wake_lock_27_0) true)
-(expandtypeattribute (sysfs_wlan_fwpath_27_0) true)
-(expandtypeattribute (sysfs_zram_27_0) true)
-(expandtypeattribute (sysfs_zram_uevent_27_0) true)
-(expandtypeattribute (system_app_27_0) true)
-(expandtypeattribute (system_app_data_file_27_0) true)
-(expandtypeattribute (system_app_service_27_0) true)
-(expandtypeattribute (system_block_device_27_0) true)
-(expandtypeattribute (system_data_file_27_0) true)
-(expandtypeattribute (system_file_27_0) true)
-(expandtypeattribute (systemkeys_data_file_27_0) true)
-(expandtypeattribute (system_ndebug_socket_27_0) true)
-(expandtypeattribute (system_net_netd_hwservice_27_0) true)
-(expandtypeattribute (system_prop_27_0) true)
-(expandtypeattribute (system_radio_prop_27_0) true)
-(expandtypeattribute (system_server_27_0) true)
-(expandtypeattribute (system_wifi_keystore_hwservice_27_0) true)
-(expandtypeattribute (system_wpa_socket_27_0) true)
-(expandtypeattribute (task_service_27_0) true)
-(expandtypeattribute (tee_27_0) true)
-(expandtypeattribute (tee_data_file_27_0) true)
-(expandtypeattribute (tee_device_27_0) true)
-(expandtypeattribute (telecom_service_27_0) true)
-(expandtypeattribute (textclassification_service_27_0) true)
-(expandtypeattribute (textclassifier_data_file_27_0) true)
-(expandtypeattribute (textservices_service_27_0) true)
-(expandtypeattribute (thermalcallback_hwservice_27_0) true)
-(expandtypeattribute (thermal_service_27_0) true)
-(expandtypeattribute (thermalserviced_27_0) true)
-(expandtypeattribute (thermalserviced_exec_27_0) true)
-(expandtypeattribute (timezone_service_27_0) true)
-(expandtypeattribute (tmpfs_27_0) true)
-(expandtypeattribute (tombstoned_27_0) true)
-(expandtypeattribute (tombstone_data_file_27_0) true)
-(expandtypeattribute (tombstoned_crash_socket_27_0) true)
-(expandtypeattribute (tombstoned_exec_27_0) true)
-(expandtypeattribute (tombstoned_intercept_socket_27_0) true)
-(expandtypeattribute (tombstoned_java_trace_socket_27_0) true)
-(expandtypeattribute (toolbox_27_0) true)
-(expandtypeattribute (toolbox_exec_27_0) true)
-(expandtypeattribute (trust_service_27_0) true)
-(expandtypeattribute (tty_device_27_0) true)
-(expandtypeattribute (tun_device_27_0) true)
-(expandtypeattribute (tv_input_service_27_0) true)
-(expandtypeattribute (tzdatacheck_27_0) true)
-(expandtypeattribute (tzdatacheck_exec_27_0) true)
-(expandtypeattribute (ueventd_27_0) true)
-(expandtypeattribute (uhid_device_27_0) true)
-(expandtypeattribute (uimode_service_27_0) true)
-(expandtypeattribute (uio_device_27_0) true)
-(expandtypeattribute (uncrypt_27_0) true)
-(expandtypeattribute (uncrypt_exec_27_0) true)
-(expandtypeattribute (uncrypt_socket_27_0) true)
-(expandtypeattribute (unencrypted_data_file_27_0) true)
-(expandtypeattribute (unlabeled_27_0) true)
-(expandtypeattribute (untrusted_app_25_27_0) true)
-(expandtypeattribute (untrusted_app_27_0) true)
-(expandtypeattribute (untrusted_v2_app_27_0) true)
-(expandtypeattribute (update_engine_27_0) true)
-(expandtypeattribute (update_engine_data_file_27_0) true)
-(expandtypeattribute (update_engine_exec_27_0) true)
-(expandtypeattribute (update_engine_service_27_0) true)
-(expandtypeattribute (updatelock_service_27_0) true)
-(expandtypeattribute (update_verifier_27_0) true)
-(expandtypeattribute (update_verifier_exec_27_0) true)
-(expandtypeattribute (usagestats_service_27_0) true)
-(expandtypeattribute (usbaccessory_device_27_0) true)
-(expandtypeattribute (usb_device_27_0) true)
-(expandtypeattribute (usbfs_27_0) true)
-(expandtypeattribute (usb_service_27_0) true)
-(expandtypeattribute (userdata_block_device_27_0) true)
-(expandtypeattribute (usermodehelper_27_0) true)
-(expandtypeattribute (user_profile_data_file_27_0) true)
-(expandtypeattribute (user_service_27_0) true)
-(expandtypeattribute (vcs_device_27_0) true)
-(expandtypeattribute (vdc_27_0) true)
-(expandtypeattribute (vdc_exec_27_0) true)
-(expandtypeattribute (vendor_app_file_27_0) true)
-(expandtypeattribute (vendor_configs_file_27_0) true)
-(expandtypeattribute (vendor_file_27_0) true)
-(expandtypeattribute (vendor_framework_file_27_0) true)
-(expandtypeattribute (vendor_hal_file_27_0) true)
-(expandtypeattribute (vendor_overlay_file_27_0) true)
-(expandtypeattribute (vendor_shell_exec_27_0) true)
-(expandtypeattribute (vendor_toolbox_exec_27_0) true)
-(expandtypeattribute (vfat_27_0) true)
-(expandtypeattribute (vibrator_service_27_0) true)
-(expandtypeattribute (video_device_27_0) true)
-(expandtypeattribute (virtual_touchpad_27_0) true)
-(expandtypeattribute (virtual_touchpad_exec_27_0) true)
-(expandtypeattribute (virtual_touchpad_service_27_0) true)
-(expandtypeattribute (vndbinder_device_27_0) true)
-(expandtypeattribute (vndk_sp_file_27_0) true)
-(expandtypeattribute (vndservice_contexts_file_27_0) true)
-(expandtypeattribute (vndservicemanager_27_0) true)
-(expandtypeattribute (voiceinteraction_service_27_0) true)
-(expandtypeattribute (vold_27_0) true)
-(expandtypeattribute (vold_data_file_27_0) true)
-(expandtypeattribute (vold_device_27_0) true)
-(expandtypeattribute (vold_exec_27_0) true)
-(expandtypeattribute (vold_prop_27_0) true)
-(expandtypeattribute (vold_socket_27_0) true)
-(expandtypeattribute (vpn_data_file_27_0) true)
-(expandtypeattribute (vr_hwc_27_0) true)
-(expandtypeattribute (vr_hwc_exec_27_0) true)
-(expandtypeattribute (vr_hwc_service_27_0) true)
-(expandtypeattribute (vr_manager_service_27_0) true)
-(expandtypeattribute (wallpaper_file_27_0) true)
-(expandtypeattribute (wallpaper_service_27_0) true)
-(expandtypeattribute (watchdogd_27_0) true)
-(expandtypeattribute (watchdog_device_27_0) true)
-(expandtypeattribute (webviewupdate_service_27_0) true)
-(expandtypeattribute (webview_zygote_27_0) true)
-(expandtypeattribute (webview_zygote_exec_27_0) true)
-(expandtypeattribute (webview_zygote_socket_27_0) true)
-(expandtypeattribute (wifiaware_service_27_0) true)
-(expandtypeattribute (wificond_27_0) true)
-(expandtypeattribute (wificond_exec_27_0) true)
-(expandtypeattribute (wificond_service_27_0) true)
-(expandtypeattribute (wifi_data_file_27_0) true)
-(expandtypeattribute (wifi_log_prop_27_0) true)
-(expandtypeattribute (wifip2p_service_27_0) true)
-(expandtypeattribute (wifi_prop_27_0) true)
-(expandtypeattribute (wifiscanner_service_27_0) true)
-(expandtypeattribute (wifi_service_27_0) true)
-(expandtypeattribute (window_service_27_0) true)
-(expandtypeattribute (wpa_socket_27_0) true)
-(expandtypeattribute (zero_device_27_0) true)
-(expandtypeattribute (zoneinfo_data_file_27_0) true)
-(expandtypeattribute (zygote_27_0) true)
-(expandtypeattribute (zygote_exec_27_0) true)
-(expandtypeattribute (zygote_socket_27_0) true)
-(typeattributeset accessibility_service_27_0 (accessibility_service))
-(typeattributeset account_service_27_0 (account_service))
-(typeattributeset activity_service_27_0 (activity_service))
-(typeattributeset adbd_27_0 (adbd))
-(typeattributeset adb_data_file_27_0 (adb_data_file))
-(typeattributeset adbd_exec_27_0 (adbd_exec))
-(typeattributeset adbd_socket_27_0 (adbd_socket))
-(typeattributeset adb_keys_file_27_0 (adb_keys_file))
-(typeattributeset alarm_device_27_0 (alarm_device))
-(typeattributeset alarm_service_27_0 (alarm_service))
-(typeattributeset anr_data_file_27_0 (anr_data_file))
-(typeattributeset apk_data_file_27_0 (apk_data_file))
-(typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
-(typeattributeset app_data_file_27_0 (app_data_file))
-(typeattributeset app_fuse_file_27_0 (app_fuse_file))
-(typeattributeset app_fusefs_27_0 (app_fusefs))
-(typeattributeset appops_service_27_0 (appops_service))
-(typeattributeset appwidget_service_27_0 (appwidget_service))
-(typeattributeset asec_apk_file_27_0 (asec_apk_file))
-(typeattributeset asec_image_file_27_0 (asec_image_file))
-(typeattributeset asec_public_file_27_0 (asec_public_file))
-(typeattributeset ashmem_device_27_0 (ashmem_device))
-(typeattributeset assetatlas_service_27_0 (assetatlas_service))
-(typeattributeset audio_data_file_27_0 (audio_data_file))
-(typeattributeset audio_device_27_0 (audio_device))
-(typeattributeset audiohal_data_file_27_0 (audiohal_data_file))
-(typeattributeset audio_prop_27_0 (audio_prop))
-(typeattributeset audio_seq_device_27_0 (audio_seq_device))
-(typeattributeset audioserver_27_0 (audioserver))
-(typeattributeset audioserver_data_file_27_0 (audioserver_data_file))
-(typeattributeset audioserver_service_27_0 (audioserver_service))
-(typeattributeset audio_service_27_0 (audio_service))
-(typeattributeset audio_timer_device_27_0 (audio_timer_device))
-(typeattributeset autofill_service_27_0 (autofill_service))
-(typeattributeset backup_data_file_27_0 (backup_data_file))
-(typeattributeset backup_service_27_0 (backup_service))
-(typeattributeset batteryproperties_service_27_0 (batteryproperties_service))
-(typeattributeset battery_service_27_0 (battery_service))
-(typeattributeset batterystats_service_27_0 (batterystats_service))
-(typeattributeset binder_device_27_0 (binder_device))
-(typeattributeset binfmt_miscfs_27_0 (binfmt_miscfs))
-(typeattributeset blkid_27_0 (blkid))
-(typeattributeset blkid_untrusted_27_0 (blkid_untrusted))
-(typeattributeset block_device_27_0 (block_device))
-(typeattributeset bluetooth_27_0 (bluetooth))
-(typeattributeset bluetooth_data_file_27_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_27_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_27_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_27_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_27_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_27_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_27_0 (bluetooth_socket))
-(typeattributeset bootanim_27_0 (bootanim))
-(typeattributeset bootanim_exec_27_0 (bootanim_exec))
-(typeattributeset boot_block_device_27_0 (boot_block_device))
-(typeattributeset bootchart_data_file_27_0 (bootchart_data_file))
-(typeattributeset bootstat_27_0 (bootstat))
-(typeattributeset bootstat_data_file_27_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_27_0 (bootstat_exec))
-(typeattributeset boottime_prop_27_0 (boottime_prop))
-(typeattributeset boottrace_data_file_27_0 (boottrace_data_file))
-(typeattributeset broadcastradio_service_27_0 (broadcastradio_service))
-(typeattributeset bufferhubd_27_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_27_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_27_0 (cache_backup_file))
-(typeattributeset cache_block_device_27_0 (cache_block_device))
-(typeattributeset cache_file_27_0 (cache_file))
-(typeattributeset cache_private_backup_file_27_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_27_0 (cache_recovery_file))
-(typeattributeset camera_data_file_27_0 (camera_data_file))
-(typeattributeset camera_device_27_0 (camera_device))
-(typeattributeset cameraproxy_service_27_0 (cameraproxy_service))
-(typeattributeset cameraserver_27_0 (cameraserver))
-(typeattributeset cameraserver_exec_27_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_27_0 (cameraserver_service))
-(typeattributeset cgroup_27_0 (cgroup))
-(typeattributeset charger_27_0 (charger))
-(typeattributeset clatd_27_0 (clatd))
-(typeattributeset clatd_exec_27_0 (clatd_exec))
-(typeattributeset clipboard_service_27_0 (clipboard_service))
-(typeattributeset commontime_management_service_27_0 (commontime_management_service))
-(typeattributeset companion_device_service_27_0 (companion_device_service))
-(typeattributeset configfs_27_0 (configfs))
-(typeattributeset config_prop_27_0 (config_prop))
-(typeattributeset connectivity_service_27_0 (connectivity_service))
-(typeattributeset connmetrics_service_27_0 (connmetrics_service))
-(typeattributeset console_device_27_0 (console_device))
-(typeattributeset consumer_ir_service_27_0 (consumer_ir_service))
-(typeattributeset content_service_27_0 (content_service))
-(typeattributeset contexthub_service_27_0 (contexthub_service))
-(typeattributeset coredump_file_27_0 (coredump_file))
-(typeattributeset country_detector_service_27_0 (country_detector_service))
-(typeattributeset coverage_service_27_0 (coverage_service))
-(typeattributeset cppreopt_prop_27_0 (cppreopt_prop))
-(typeattributeset cppreopts_27_0 (cppreopts))
-(typeattributeset cppreopts_exec_27_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_27_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_27_0 (cpuinfo_service))
-(typeattributeset crash_dump_27_0 (crash_dump))
-(typeattributeset crash_dump_exec_27_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
-(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_27_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_27_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_27_0 (dalvik_prop))
-(typeattributeset dbinfo_service_27_0 (dbinfo_service))
-(typeattributeset debugfs_27_0
- ( debugfs
- debugfs_wakeup_sources))
-(typeattributeset debugfs_mmc_27_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_27_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_27_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_27_0 (debugfs_tracing_debug))
-(typeattributeset debugfs_tracing_instances_27_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_27_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_27_0 (debuggerd_prop))
-(typeattributeset debug_prop_27_0 (debug_prop))
-(typeattributeset default_android_hwservice_27_0 (default_android_hwservice))
-(typeattributeset default_android_service_27_0 (default_android_service))
-(typeattributeset default_android_vndservice_27_0 (default_android_vndservice))
-(typeattributeset default_prop_27_0
- ( default_prop
- pm_prop))
-(typeattributeset device_27_0 (device))
-(typeattributeset device_identifiers_service_27_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_27_0 (deviceidle_service))
-(typeattributeset device_logging_prop_27_0 (device_logging_prop))
-(typeattributeset device_policy_service_27_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_27_0 (devicestoragemonitor_service))
-(typeattributeset devpts_27_0 (devpts))
-(typeattributeset dex2oat_27_0 (dex2oat))
-(typeattributeset dex2oat_exec_27_0 (dex2oat_exec))
-(typeattributeset dhcp_27_0 (dhcp))
-(typeattributeset dhcp_data_file_27_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_27_0 (dhcp_exec))
-(typeattributeset dhcp_prop_27_0 (dhcp_prop))
-(typeattributeset diskstats_service_27_0 (diskstats_service))
-(typeattributeset display_service_27_0 (display_service))
-(typeattributeset dm_device_27_0 (dm_device))
-(typeattributeset dnsmasq_27_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_27_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_27_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_27_0 (DockObserver_service))
-(typeattributeset dreams_service_27_0 (dreams_service))
-(typeattributeset drm_data_file_27_0 (drm_data_file))
-(typeattributeset drmserver_27_0 (drmserver))
-(typeattributeset drmserver_exec_27_0 (drmserver_exec))
-(typeattributeset drmserver_service_27_0 (drmserver_service))
-(typeattributeset drmserver_socket_27_0 (drmserver_socket))
-(typeattributeset dropbox_service_27_0 (dropbox_service))
-(typeattributeset dumpstate_27_0 (dumpstate))
-(typeattributeset dumpstate_exec_27_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_27_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_27_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_27_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_27_0 (dumpstate_socket))
-(typeattributeset e2fs_27_0 (e2fs))
-(typeattributeset e2fs_exec_27_0 (e2fs_exec))
-(typeattributeset efs_file_27_0 (efs_file))
-(typeattributeset ephemeral_app_27_0 (ephemeral_app))
-(typeattributeset ethernet_service_27_0 (ethernet_service))
-(typeattributeset ffs_prop_27_0 (ffs_prop))
-(typeattributeset file_contexts_file_27_0 (file_contexts_file))
-(typeattributeset fingerprintd_27_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_27_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_27_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_27_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_27_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_27_0 (fingerprint_service))
-(typeattributeset firstboot_prop_27_0 (firstboot_prop))
-(typeattributeset font_service_27_0 (font_service))
-(typeattributeset frp_block_device_27_0 (frp_block_device))
-(typeattributeset fsck_27_0 (fsck))
-(typeattributeset fsck_exec_27_0 (fsck_exec))
-(typeattributeset fscklogs_27_0 (fscklogs))
-(typeattributeset fsck_untrusted_27_0 (fsck_untrusted))
-(typeattributeset full_device_27_0 (full_device))
-(typeattributeset functionfs_27_0 (functionfs))
-(typeattributeset fuse_27_0 (fuse))
-(typeattributeset fuse_device_27_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_27_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_27_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_27_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_27_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_27_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_27_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_27_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_27_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_27_0 (gfxinfo_service))
-(typeattributeset gps_control_27_0 (gps_control))
-(typeattributeset gpu_device_27_0 (gpu_device))
-(typeattributeset gpu_service_27_0 (gpu_service))
-(typeattributeset graphics_device_27_0 (graphics_device))
-(typeattributeset graphicsstats_service_27_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_27_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_27_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_27_0 (hal_bootctl_hwservice))
-(typeattributeset hal_broadcastradio_hwservice_27_0 (hal_broadcastradio_hwservice))
-(typeattributeset hal_camera_hwservice_27_0 (hal_camera_hwservice))
-(typeattributeset hal_cas_hwservice_27_0 (hal_cas_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_27_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_27_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_27_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_27_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_27_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_27_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_27_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_27_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_27_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_27_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_27_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_27_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_27_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_27_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_27_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_27_0 (hal_memtrack_hwservice))
-(typeattributeset hal_neuralnetworks_hwservice_27_0 (hal_neuralnetworks_hwservice))
-(typeattributeset hal_nfc_hwservice_27_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_27_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_27_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_27_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_27_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_27_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_27_0 (hal_telephony_hwservice))
-(typeattributeset hal_tetheroffload_hwservice_27_0 (hal_tetheroffload_hwservice))
-(typeattributeset hal_thermal_hwservice_27_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_27_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_27_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_27_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_27_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_27_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_27_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_27_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_offload_hwservice_27_0 (hal_wifi_offload_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_27_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_27_0 (hardware_properties_service))
-(typeattributeset hardware_service_27_0 (hardware_service))
-(typeattributeset hci_attach_dev_27_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_27_0 (hdmi_control_service))
-(typeattributeset healthd_27_0 (healthd))
-(typeattributeset healthd_exec_27_0 (healthd_exec))
-(typeattributeset heapdump_data_file_27_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_27_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_27_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_27_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_27_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_27_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_27_0 (hwbinder_device))
-(typeattributeset hw_random_device_27_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_27_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_27_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_27_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_27_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_27_0 (i2c_device))
-(typeattributeset icon_file_27_0 (icon_file))
-(typeattributeset idmap_27_0 (idmap))
-(typeattributeset idmap_exec_27_0 (idmap_exec))
-(typeattributeset iio_device_27_0 (iio_device))
-(typeattributeset imms_service_27_0 (imms_service))
-(typeattributeset incident_27_0 (incident))
-(typeattributeset incidentd_27_0 (incidentd))
-(typeattributeset incident_data_file_27_0 (incident_data_file))
-(typeattributeset incident_service_27_0 (incident_service))
-(typeattributeset init_27_0 (init))
-(typeattributeset init_exec_27_0 (init_exec))
-(typeattributeset inotify_27_0 (inotify))
-(typeattributeset input_device_27_0 (input_device))
-(typeattributeset inputflinger_27_0 (inputflinger))
-(typeattributeset inputflinger_exec_27_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_27_0 (inputflinger_service))
-(typeattributeset input_method_service_27_0 (input_method_service))
-(typeattributeset input_service_27_0 (input_service))
-(typeattributeset installd_27_0 (installd))
-(typeattributeset install_data_file_27_0 (install_data_file))
-(typeattributeset installd_exec_27_0 (installd_exec))
-(typeattributeset installd_service_27_0 (installd_service))
-(typeattributeset install_recovery_27_0 (install_recovery))
-(typeattributeset install_recovery_exec_27_0 (install_recovery_exec))
-(typeattributeset ion_device_27_0 (ion_device))
-(typeattributeset IProxyService_service_27_0 (IProxyService_service))
-(typeattributeset ipsec_service_27_0 (ipsec_service))
-(typeattributeset isolated_app_27_0 (isolated_app))
-(typeattributeset jobscheduler_service_27_0 (jobscheduler_service))
-(typeattributeset kernel_27_0 (kernel))
-(typeattributeset keychain_data_file_27_0 (keychain_data_file))
-(typeattributeset keychord_device_27_0 (keychord_device))
-(typeattributeset keystore_27_0 (keystore))
-(typeattributeset keystore_data_file_27_0 (keystore_data_file))
-(typeattributeset keystore_exec_27_0 (keystore_exec))
-(typeattributeset keystore_service_27_0 (keystore_service))
-(typeattributeset kmem_device_27_0 (kmem_device))
-(typeattributeset kmsg_debug_device_27_0 (kmsg_debug_device))
-(typeattributeset kmsg_device_27_0 (kmsg_device))
-(typeattributeset labeledfs_27_0 (labeledfs))
-(typeattributeset launcherapps_service_27_0 (launcherapps_service))
-(typeattributeset lmkd_27_0 (lmkd))
-(typeattributeset lmkd_exec_27_0 (lmkd_exec))
-(typeattributeset lmkd_socket_27_0 (lmkd_socket))
-(typeattributeset location_service_27_0 (location_service))
-(typeattributeset lock_settings_service_27_0 (lock_settings_service))
-(typeattributeset logcat_exec_27_0 (logcat_exec))
-(typeattributeset logd_27_0 (logd))
-(typeattributeset logd_exec_27_0 (logd_exec))
-(typeattributeset logd_prop_27_0 (logd_prop))
-(typeattributeset logdr_socket_27_0 (logdr_socket))
-(typeattributeset logd_socket_27_0 (logd_socket))
-(typeattributeset logdw_socket_27_0 (logdw_socket))
-(typeattributeset logpersist_27_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_27_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_27_0 (log_prop))
-(typeattributeset log_tag_prop_27_0 (log_tag_prop))
-(typeattributeset loop_control_device_27_0 (loop_control_device))
-(typeattributeset loop_device_27_0 (loop_device))
-(typeattributeset mac_perms_file_27_0 (mac_perms_file))
-(typeattributeset mdnsd_27_0 (mdnsd))
-(typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
-(typeattributeset mdns_socket_27_0 (mdns_socket))
-(typeattributeset mediacodec_27_0 (mediacodec))
-(typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_27_0 (mediacodec_service))
-(typeattributeset media_data_file_27_0 (media_data_file))
-(typeattributeset mediadrmserver_27_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_27_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_27_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_27_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_27_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_27_0 (mediaextractor_service))
-(typeattributeset mediametrics_27_0 (mediametrics))
-(typeattributeset mediametrics_exec_27_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_27_0 (mediametrics_service))
-(typeattributeset media_projection_service_27_0 (media_projection_service))
-(typeattributeset mediaprovider_27_0 (mediaprovider))
-(typeattributeset media_router_service_27_0 (media_router_service))
-(typeattributeset media_rw_data_file_27_0 (media_rw_data_file))
-(typeattributeset mediaserver_27_0 (mediaserver))
-(typeattributeset mediaserver_exec_27_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_27_0 (mediaserver_service))
-(typeattributeset media_session_service_27_0 (media_session_service))
-(typeattributeset meminfo_service_27_0 (meminfo_service))
-(typeattributeset metadata_block_device_27_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_27_0 (method_trace_data_file))
-(typeattributeset midi_service_27_0 (midi_service))
-(typeattributeset misc_block_device_27_0 (misc_block_device))
-(typeattributeset misc_logd_file_27_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_27_0 (misc_user_data_file))
-(typeattributeset mmc_prop_27_0 (mmc_prop))
-(typeattributeset mnt_expand_file_27_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_27_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_27_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_27_0 (mnt_user_file))
-(typeattributeset modprobe_27_0 (modprobe))
-(typeattributeset mount_service_27_0 (mount_service))
-(typeattributeset mqueue_27_0 (mqueue))
-(typeattributeset mtd_device_27_0 (mtd_device))
-(typeattributeset mtp_27_0 (mtp))
-(typeattributeset mtp_device_27_0 (mtp_device))
-(typeattributeset mtpd_socket_27_0 (mtpd_socket))
-(typeattributeset mtp_exec_27_0 (mtp_exec))
-(typeattributeset nativetest_data_file_27_0 (nativetest_data_file))
-(typeattributeset netd_27_0 (netd))
-(typeattributeset net_data_file_27_0 (net_data_file))
-(typeattributeset netd_exec_27_0 (netd_exec))
-(typeattributeset netd_listener_service_27_0 (netd_listener_service))
-(typeattributeset net_dns_prop_27_0 (net_dns_prop))
-(typeattributeset netd_service_27_0 (netd_service))
-(typeattributeset netd_socket_27_0 (netd_socket))
-(typeattributeset netd_stable_secret_prop_27_0 (netd_stable_secret_prop))
-(typeattributeset netif_27_0 (netif))
-(typeattributeset netpolicy_service_27_0 (netpolicy_service))
-(typeattributeset net_radio_prop_27_0 (net_radio_prop))
-(typeattributeset netstats_service_27_0 (netstats_service))
-(typeattributeset netutils_wrapper_27_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_27_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_27_0 (network_management_service))
-(typeattributeset network_score_service_27_0 (network_score_service))
-(typeattributeset network_time_update_service_27_0 (network_time_update_service))
-(typeattributeset nfc_27_0 (nfc))
-(typeattributeset nfc_data_file_27_0 (nfc_data_file))
-(typeattributeset nfc_device_27_0 (nfc_device))
-(typeattributeset nfc_prop_27_0 (nfc_prop))
-(typeattributeset nfc_service_27_0 (nfc_service))
-(typeattributeset node_27_0 (node))
-(typeattributeset nonplat_service_contexts_file_27_0 (nonplat_service_contexts_file))
-(typeattributeset notification_service_27_0 (notification_service))
-(typeattributeset null_device_27_0 (null_device))
-(typeattributeset oemfs_27_0 (oemfs))
-(typeattributeset oem_lock_service_27_0 (oem_lock_service))
-(typeattributeset ota_data_file_27_0 (ota_data_file))
-(typeattributeset otadexopt_service_27_0 (otadexopt_service))
-(typeattributeset ota_package_file_27_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_27_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_27_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_27_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_27_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_27_0 (overlay_prop))
-(typeattributeset overlay_service_27_0 (overlay_service))
-(typeattributeset owntty_device_27_0 (owntty_device))
-(typeattributeset package_native_service_27_0 (package_native_service))
-(typeattributeset package_service_27_0 (package_service))
-(typeattributeset pan_result_prop_27_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_27_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_27_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_27_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_27_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_27_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_27_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_27_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_27_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_27_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_27_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_27_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_27_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_27_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_27_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir))
-(typeattributeset performanced_27_0 (performanced))
-(typeattributeset performanced_exec_27_0 (performanced_exec))
-(typeattributeset perfprofd_27_0 (perfprofd))
-(typeattributeset perfprofd_data_file_27_0 (perfprofd_data_file))
-(typeattributeset perfprofd_exec_27_0 (perfprofd_exec))
-(typeattributeset permission_service_27_0 (permission_service))
-(typeattributeset persist_debug_prop_27_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_27_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_27_0 (pinner_service))
-(typeattributeset pipefs_27_0 (pipefs))
-(typeattributeset platform_app_27_0 (platform_app))
-(typeattributeset pmsg_device_27_0 (pmsg_device))
-(typeattributeset port_27_0 (port))
-(typeattributeset port_device_27_0 (port_device))
-(typeattributeset postinstall_27_0 (postinstall))
-(typeattributeset postinstall_dexopt_27_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_27_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_27_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_27_0 (powerctl_prop))
-(typeattributeset power_service_27_0 (power_service))
-(typeattributeset ppp_27_0 (ppp))
-(typeattributeset ppp_device_27_0 (ppp_device))
-(typeattributeset ppp_exec_27_0 (ppp_exec))
-(typeattributeset preloads_data_file_27_0 (preloads_data_file))
-(typeattributeset preloads_media_file_27_0 (preloads_media_file))
-(typeattributeset preopt2cachename_27_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_27_0 (preopt2cachename_exec))
-(typeattributeset print_service_27_0 (print_service))
-(typeattributeset priv_app_27_0 (priv_app))
-(typeattributeset proc_27_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_swaps
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_27_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_27_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_27_0 (proc_drop_caches))
-(typeattributeset processinfo_service_27_0 (processinfo_service))
-(typeattributeset proc_interrupts_27_0 (proc_interrupts))
-(typeattributeset proc_iomem_27_0 (proc_iomem))
-(typeattributeset proc_meminfo_27_0 (proc_meminfo))
-(typeattributeset proc_misc_27_0 (proc_misc))
-(typeattributeset proc_modules_27_0 (proc_modules))
-(typeattributeset proc_net_27_0
- ( proc_net
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_27_0 (proc_perf))
-(typeattributeset proc_security_27_0 (proc_security))
-(typeattributeset proc_stat_27_0 (proc_stat))
-(typeattributeset procstats_service_27_0 (procstats_service))
-(typeattributeset proc_sysrq_27_0 (proc_sysrq))
-(typeattributeset proc_timer_27_0 (proc_timer))
-(typeattributeset proc_tty_drivers_27_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_27_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_27_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_27_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_27_0 (proc_uid_procstat_set))
-(typeattributeset proc_uid_time_in_state_27_0 (proc_uid_time_in_state))
-(typeattributeset proc_zoneinfo_27_0 (proc_zoneinfo))
-(typeattributeset profman_27_0 (profman))
-(typeattributeset profman_dump_data_file_27_0 (profman_dump_data_file))
-(typeattributeset profman_exec_27_0 (profman_exec))
-(typeattributeset properties_device_27_0 (properties_device))
-(typeattributeset properties_serial_27_0 (properties_serial))
-(typeattributeset property_contexts_file_27_0 (property_contexts_file))
-(typeattributeset property_data_file_27_0 (property_data_file))
-(typeattributeset property_socket_27_0 (property_socket))
-(typeattributeset pstorefs_27_0 (pstorefs))
-(typeattributeset ptmx_device_27_0 (ptmx_device))
-(typeattributeset qtaguid_device_27_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_27_0 (qtaguid_proc))
-(typeattributeset racoon_27_0 (racoon))
-(typeattributeset racoon_exec_27_0 (racoon_exec))
-(typeattributeset racoon_socket_27_0 (racoon_socket))
-(typeattributeset radio_27_0 (radio))
-(typeattributeset radio_data_file_27_0 (radio_data_file))
-(typeattributeset radio_device_27_0 (radio_device))
-(typeattributeset radio_prop_27_0 (radio_prop))
-(typeattributeset radio_service_27_0 (radio_service))
-(typeattributeset ram_device_27_0 (ram_device))
-(typeattributeset random_device_27_0 (random_device))
-(typeattributeset reboot_data_file_27_0 (reboot_data_file))
-(typeattributeset recovery_27_0 (recovery))
-(typeattributeset recovery_block_device_27_0 (recovery_block_device))
-(typeattributeset recovery_data_file_27_0 (recovery_data_file))
-(typeattributeset recovery_persist_27_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_27_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_27_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_27_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_27_0 (recovery_service))
-(typeattributeset registry_service_27_0 (registry_service))
-(typeattributeset resourcecache_data_file_27_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_27_0 (restorecon_prop))
-(typeattributeset restrictions_service_27_0 (restrictions_service))
-(typeattributeset rild_27_0 (rild))
-(typeattributeset rild_debug_socket_27_0 (rild_debug_socket))
-(typeattributeset rild_socket_27_0 (rild_socket))
-(typeattributeset ringtone_file_27_0 (ringtone_file))
-(typeattributeset root_block_device_27_0 (root_block_device))
-(typeattributeset rootfs_27_0 (rootfs))
-(typeattributeset rpmsg_device_27_0 (rpmsg_device))
-(typeattributeset rtc_device_27_0 (rtc_device))
-(typeattributeset rttmanager_service_27_0 (rttmanager_service))
-(typeattributeset runas_27_0 (runas))
-(typeattributeset runas_exec_27_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_27_0 (safemode_prop))
-(typeattributeset same_process_hal_file_27_0 (same_process_hal_file))
-(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
-(typeattributeset sdcardd_27_0 (sdcardd))
-(typeattributeset sdcardd_exec_27_0 (sdcardd_exec))
-(typeattributeset sdcardfs_27_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_27_0 (seapp_contexts_file))
-(typeattributeset search_service_27_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_27_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_27_0 (selinuxfs))
-(typeattributeset sensors_device_27_0 (sensors_device))
-(typeattributeset sensorservice_service_27_0 (sensorservice_service))
-(typeattributeset sepolicy_file_27_0 (sepolicy_file))
-(typeattributeset serial_device_27_0 (serial_device))
-(typeattributeset serialno_prop_27_0 (serialno_prop))
-(typeattributeset serial_service_27_0 (serial_service))
-(typeattributeset service_contexts_file_27_0 (service_contexts_file))
-(typeattributeset servicediscovery_service_27_0 (servicediscovery_service))
-(typeattributeset servicemanager_27_0 (servicemanager))
-(typeattributeset servicemanager_exec_27_0 (servicemanager_exec))
-(typeattributeset settings_service_27_0 (settings_service))
-(typeattributeset sgdisk_27_0 (sgdisk))
-(typeattributeset sgdisk_exec_27_0 (sgdisk_exec))
-(typeattributeset shared_relro_27_0 (shared_relro))
-(typeattributeset shared_relro_file_27_0 (shared_relro_file))
-(typeattributeset shell_27_0 (shell))
-(typeattributeset shell_data_file_27_0 (shell_data_file))
-(typeattributeset shell_exec_27_0 (shell_exec))
-(typeattributeset shell_prop_27_0 (shell_prop))
-(typeattributeset shm_27_0 (shm))
-(typeattributeset shortcut_manager_icons_27_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_27_0 (shortcut_service))
-(typeattributeset slideshow_27_0 (slideshow))
-(typeattributeset socket_device_27_0 (socket_device))
-(typeattributeset sockfs_27_0 (sockfs))
-(typeattributeset statusbar_service_27_0 (statusbar_service))
-(typeattributeset storaged_service_27_0 (storaged_service))
-(typeattributeset storage_file_27_0 (storage_file))
-(typeattributeset storagestats_service_27_0 (storagestats_service))
-(typeattributeset storage_stub_file_27_0 (storage_stub_file))
-(typeattributeset su_27_0 (su))
-(typeattributeset su_exec_27_0 (su_exec))
-(typeattributeset surfaceflinger_27_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_27_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_27_0 (swap_block_device))
-(typeattributeset sysfs_27_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_27_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_27_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_27_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_fs_ext4_features_27_0 (sysfs_fs_ext4_features))
-(typeattributeset sysfs_hwrandom_27_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_27_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_27_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_27_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_27_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_27_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_27_0 (sysfs_uio))
-(typeattributeset sysfs_usb_27_0 (sysfs_usb))
-(typeattributeset sysfs_usermodehelper_27_0 (sysfs_usermodehelper))
-(typeattributeset sysfs_vibrator_27_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_27_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_27_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_27_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_27_0 (sysfs_zram_uevent))
-(typeattributeset system_app_27_0 (system_app))
-(typeattributeset system_app_data_file_27_0 (system_app_data_file))
-(typeattributeset system_app_service_27_0 (system_app_service))
-(typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0
- ( system_data_file
- vendor_data_file))
-(typeattributeset system_file_27_0 (system_file))
-(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
-(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
-(typeattributeset system_prop_27_0 (system_prop))
-(typeattributeset system_radio_prop_27_0 (system_radio_prop))
-(typeattributeset system_server_27_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_27_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_27_0 (system_wpa_socket))
-(typeattributeset task_service_27_0 (task_service))
-(typeattributeset tee_27_0 (tee))
-(typeattributeset tee_data_file_27_0 (tee_data_file))
-(typeattributeset tee_device_27_0 (tee_device))
-(typeattributeset telecom_service_27_0 (telecom_service))
-(typeattributeset textclassification_service_27_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_27_0 (textclassifier_data_file))
-(typeattributeset textservices_service_27_0 (textservices_service))
-(typeattributeset thermalcallback_hwservice_27_0 (thermalcallback_hwservice))
-(typeattributeset thermal_service_27_0 (thermal_service))
-(typeattributeset thermalserviced_27_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_27_0 (thermalserviced_exec))
-(typeattributeset timezone_service_27_0 (timezone_service))
-(typeattributeset tmpfs_27_0 (tmpfs))
-(typeattributeset tombstoned_27_0 (tombstoned))
-(typeattributeset tombstone_data_file_27_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_27_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_27_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_27_0 (tombstoned_intercept_socket))
-(typeattributeset tombstoned_java_trace_socket_27_0 (tombstoned_java_trace_socket))
-(typeattributeset toolbox_27_0 (toolbox))
-(typeattributeset toolbox_exec_27_0 (toolbox_exec))
-(typeattributeset trust_service_27_0 (trust_service))
-(typeattributeset tty_device_27_0 (tty_device))
-(typeattributeset tun_device_27_0 (tun_device))
-(typeattributeset tv_input_service_27_0 (tv_input_service))
-(typeattributeset tzdatacheck_27_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_27_0 (tzdatacheck_exec))
-(typeattributeset ueventd_27_0 (ueventd))
-(typeattributeset uhid_device_27_0 (uhid_device))
-(typeattributeset uimode_service_27_0 (uimode_service))
-(typeattributeset uio_device_27_0 (uio_device))
-(typeattributeset uncrypt_27_0 (uncrypt))
-(typeattributeset uncrypt_exec_27_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_27_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
-(typeattributeset unlabeled_27_0 (unlabeled))
-(typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
-(typeattributeset update_engine_27_0 (update_engine))
-(typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_27_0 (update_engine_exec))
-(typeattributeset update_engine_service_27_0 (update_engine_service))
-(typeattributeset updatelock_service_27_0 (updatelock_service))
-(typeattributeset update_verifier_27_0 (update_verifier))
-(typeattributeset update_verifier_exec_27_0 (update_verifier_exec))
-(typeattributeset usagestats_service_27_0 (usagestats_service))
-(typeattributeset usbaccessory_device_27_0 (usbaccessory_device))
-(typeattributeset usb_device_27_0 (usb_device))
-(typeattributeset usbfs_27_0 (usbfs))
-(typeattributeset usb_service_27_0 (usb_service))
-(typeattributeset userdata_block_device_27_0 (userdata_block_device))
-(typeattributeset usermodehelper_27_0 (usermodehelper))
-(typeattributeset user_profile_data_file_27_0 (user_profile_data_file))
-(typeattributeset user_service_27_0 (user_service))
-(typeattributeset vcs_device_27_0 (vcs_device))
-(typeattributeset vdc_27_0 (vdc))
-(typeattributeset vdc_exec_27_0 (vdc_exec))
-(typeattributeset vendor_app_file_27_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_27_0 (vendor_configs_file))
-(typeattributeset vendor_file_27_0 (vendor_file))
-(typeattributeset vendor_framework_file_27_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_27_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_27_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
-(typeattributeset vfat_27_0 (vfat))
-(typeattributeset vibrator_service_27_0 (vibrator_service))
-(typeattributeset video_device_27_0 (video_device))
-(typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_27_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_27_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_27_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_27_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_27_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_27_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_27_0 (voiceinteraction_service))
-(typeattributeset vold_27_0 (vold))
-(typeattributeset vold_data_file_27_0 (vold_data_file))
-(typeattributeset vold_device_27_0 (vold_device))
-(typeattributeset vold_exec_27_0 (vold_exec))
-(typeattributeset vold_prop_27_0 (vold_prop))
-(typeattributeset vold_socket_27_0 (vold_socket))
-(typeattributeset vpn_data_file_27_0 (vpn_data_file))
-(typeattributeset vr_hwc_27_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_27_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_27_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_27_0 (vr_manager_service))
-(typeattributeset wallpaper_file_27_0 (wallpaper_file))
-(typeattributeset wallpaper_service_27_0 (wallpaper_service))
-(typeattributeset watchdogd_27_0 (watchdogd))
-(typeattributeset watchdog_device_27_0 (watchdog_device))
-(typeattributeset webviewupdate_service_27_0 (webviewupdate_service))
-(typeattributeset webview_zygote_27_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_27_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_27_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_27_0 (wifiaware_service))
-(typeattributeset wificond_27_0 (wificond))
-(typeattributeset wificond_exec_27_0 (wificond_exec))
-(typeattributeset wificond_service_27_0 (wificond_service))
-(typeattributeset wifi_data_file_27_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_27_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_27_0 (wifip2p_service))
-(typeattributeset wifi_prop_27_0 (wifi_prop))
-(typeattributeset wifiscanner_service_27_0 (wifiscanner_service))
-(typeattributeset wifi_service_27_0 (wifi_service))
-(typeattributeset window_service_27_0 (window_service))
-(typeattributeset wpa_socket_27_0 (wpa_socket))
-(typeattributeset zero_device_27_0 (zero_device))
-(typeattributeset zoneinfo_data_file_27_0 (zoneinfo_data_file))
-(typeattributeset zygote_27_0 (zygote))
-(typeattributeset zygote_exec_27_0 (zygote_exec))
-(typeattributeset zygote_socket_27_0 (zygote_socket))
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
deleted file mode 100644
index 747478c..0000000
--- a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
+++ /dev/null
@@ -1,133 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( atrace
- binder_calls_stats_service
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- bootloader_boot_reason_prop
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- cgroup_bpf
- crossprofileapps_service
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- exfat
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_radio_prop
- exported3_system_prop
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- fingerprint_vendor_data_file
- fs_bpf
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_lowpan_hwservice
- hal_secure_element_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_hostapd_hwservice
- incident_helper
- incident_helper_exec
- last_boot_reason_prop
- lowpan_device
- lowpan_prop
- lowpan_service
- mediaextractor_update_service
- metadata_file
- mnt_vendor_file
- network_watchlist_data_file
- network_watchlist_service
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- perfprofd_service
- property_info
- secure_element
- secure_element_device
- secure_element_service
- secure_element_tmpfs
- slice_service
- stats
- stats_data_file
- stats_exec
- stats_service
- statscompanion_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- storaged_data_file
- system_boot_reason_prop
- system_update_service
- test_boot_reason_prop
- tombstone_wifi_data_file
- trace_data_file
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- traceur_app
- traceur_app_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_default_prop
- vendor_init
- vendor_security_patch_level_prop
- vendor_shell
- vold_metadata_file
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- wm_trace_data_file
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(typeattribute priv_objects)
-(typeattributeset priv_objects (untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/28.0/vendor_sepolicy.cil b/prebuilts/api/28.0/vendor_sepolicy.cil
deleted file mode 100644
index e116208..0000000
--- a/prebuilts/api/28.0/vendor_sepolicy.cil
+++ /dev/null
@@ -1,1300 +0,0 @@
-(genfscon nsfs / (u object_r nsfs ((s0) (s0))))
-(genfscon sysfs /devices/platform/9020000.goldfish_battery/power_supply (u object_r sysfs_batteryinfo ((s0) (s0))))
-(genfscon sysfs /devices/platform/ANDR0001:00/properties/android (u object_r sysfs_dt_firmware_android ((s0) (s0))))
-(genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net (u object_r sysfs_net ((s0) (s0))))
-(genfscon sysfs /devices/platform/GFSH0001:00/power_supply (u object_r sysfs_batteryinfo ((s0) (s0))))
-(genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net (u object_r sysfs_net ((s0) (s0))))
-(genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net (u object_r sysfs_net ((s0) (s0))))
-(genfscon sysfs /devices/platform/GFSH0007:00/rtc (u object_r sysfs_rtc ((s0) (s0))))
-(genfscon sysfs /devices/pnp0/00:00/rtc (u object_r sysfs_rtc ((s0) (s0))))
-(typeattributeset dev_type (device_28_0 alarm_device_28_0 ashmem_device_28_0 audio_device_28_0 audio_timer_device_28_0 audio_seq_device_28_0 binder_device_28_0 hwbinder_device_28_0 vndbinder_device_28_0 block_device_28_0 camera_device_28_0 dm_device_28_0 keychord_device_28_0 loop_control_device_28_0 loop_device_28_0 pmsg_device_28_0 radio_device_28_0 ram_device_28_0 rtc_device_28_0 vold_device_28_0 console_device_28_0 cpuctl_device_28_0 fscklogs_28_0 full_device_28_0 gpu_device_28_0 graphics_device_28_0 hw_random_device_28_0 input_device_28_0 kmem_device_28_0 port_device_28_0 lowpan_device_28_0 mtd_device_28_0 mtp_device_28_0 nfc_device_28_0 ptmx_device_28_0 kmsg_device_28_0 kmsg_debug_device_28_0 null_device_28_0 random_device_28_0 secure_element_device_28_0 sensors_device_28_0 serial_device_28_0 socket_device_28_0 owntty_device_28_0 tty_device_28_0 video_device_28_0 vcs_device_28_0 zero_device_28_0 fuse_device_28_0 iio_device_28_0 ion_device_28_0 qtaguid_device_28_0 watchdog_device_28_0 uhid_device_28_0 uio_device_28_0 tun_device_28_0 usbaccessory_device_28_0 usb_device_28_0 properties_device_28_0 properties_serial_28_0 property_info_28_0 i2c_device_28_0 hci_attach_dev_28_0 rpmsg_device_28_0 root_block_device_28_0 frp_block_device_28_0 system_block_device_28_0 recovery_block_device_28_0 boot_block_device_28_0 userdata_block_device_28_0 cache_block_device_28_0 swap_block_device_28_0 metadata_block_device_28_0 misc_block_device_28_0 ppp_device_28_0 tee_device_28_0 qemu_device))
-(typeattributeset domain (adbd_28_0 audioserver_28_0 blkid_28_0 blkid_untrusted_28_0 bluetooth_28_0 bootanim_28_0 bootstat_28_0 bufferhubd_28_0 cameraserver_28_0 charger_28_0 clatd_28_0 cppreopts_28_0 crash_dump_28_0 dex2oat_28_0 dhcp_28_0 dnsmasq_28_0 drmserver_28_0 dumpstate_28_0 e2fs_28_0 ephemeral_app_28_0 fingerprintd_28_0 fsck_28_0 fsck_untrusted_28_0 gatekeeperd_28_0 healthd_28_0 hwservicemanager_28_0 idmap_28_0 incident_28_0 incident_helper_28_0 incidentd_28_0 init_28_0 inputflinger_28_0 install_recovery_28_0 installd_28_0 isolated_app_28_0 kernel_28_0 keystore_28_0 lmkd_28_0 logd_28_0 logpersist_28_0 mdnsd_28_0 mediacodec_28_0 mediadrmserver_28_0 mediaextractor_28_0 mediametrics_28_0 mediaprovider_28_0 mediaserver_28_0 modprobe_28_0 mtp_28_0 netd_28_0 netutils_wrapper_28_0 nfc_28_0 otapreopt_chroot_28_0 otapreopt_slot_28_0 performanced_28_0 perfprofd_28_0 platform_app_28_0 postinstall_28_0 postinstall_dexopt_28_0 ppp_28_0 preopt2cachename_28_0 priv_app_28_0 profman_28_0 racoon_28_0 radio_28_0 recovery_28_0 recovery_persist_28_0 recovery_refresh_28_0 runas_28_0 sdcardd_28_0 secure_element_28_0 servicemanager_28_0 sgdisk_28_0 shared_relro_28_0 shell_28_0 slideshow_28_0 su_28_0 surfaceflinger_28_0 system_app_28_0 system_server_28_0 tee_28_0 thermalserviced_28_0 tombstoned_28_0 toolbox_28_0 traced_probes_28_0 traceur_app_28_0 tzdatacheck_28_0 ueventd_28_0 uncrypt_28_0 untrusted_app_28_0 untrusted_app_27_28_0 untrusted_app_25_28_0 untrusted_v2_app_28_0 update_engine_28_0 update_verifier_28_0 usbd_28_0 vdc_28_0 vendor_init_28_0 vendor_shell_28_0 virtual_touchpad_28_0 vndservicemanager_28_0 vold_28_0 vold_prepare_subdirs_28_0 vr_hwc_28_0 watchdogd_28_0 webview_zygote_28_0 wificond_28_0 wpantund_28_0 zygote_28_0 hal_audio_default hal_audiocontrol_default hal_authsecret_default hal_bluetooth_default hal_bootctl_default hal_broadcastradio_default hal_camera_default hal_cas_default hal_configstore_default hal_confirmationui_default hal_contexthub_default hal_drm_default hal_dumpstate_default hal_evs_default hal_fingerprint_default hal_gatekeeper_default hal_gnss_default hal_graphics_allocator_default hal_graphics_composer_default hal_health_default hal_ir_default hal_keymaster_default hal_light_default hal_lowpan_default hal_memtrack_default hal_nfc_default hal_power_default hal_radio_config_default hal_radio_default hal_secure_element_default hal_sensors_default hal_tetheroffload_default hal_thermal_default hal_tv_cec_default hal_tv_input_default hal_usb_default hal_vehicle_default hal_vibrator_default hal_vr_default hal_wifi_default hal_wifi_hostapd_default hal_wifi_offload_default hal_wifi_supplicant_default rild vendor_modprobe createns dhcpclient dhcpserver execns goldfish_setup hal_drm_clearkey hal_drm_widevine hostapd_nohidl ipv6proxy qemu_props))
-(typeattributeset fs_type (device_28_0 labeledfs_28_0 pipefs_28_0 sockfs_28_0 rootfs_28_0 proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 sysfs_usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0 selinuxfs_28_0 cgroup_28_0 cgroup_bpf_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 fs_bpf_28_0 configfs_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0 inotify_28_0 devpts_28_0 tmpfs_28_0 shm_28_0 mqueue_28_0 fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_28_0 debugfs_mmc_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 debugfs_tracing_instances_28_0 debugfs_wakeup_sources_28_0 debugfs_wifi_tracing_28_0 pstorefs_28_0 functionfs_28_0 oemfs_28_0 usbfs_28_0 binfmt_miscfs_28_0 app_fusefs_28_0 sysfs_writable nsfs firmware_file))
-(typeattributeset contextmount_type (oemfs_28_0 app_fusefs_28_0 firmware_file))
-(typeattributeset file_type (adbd_exec_28_0 bootanim_exec_28_0 bootstat_exec_28_0 bufferhubd_exec_28_0 cameraserver_exec_28_0 clatd_exec_28_0 cppreopts_exec_28_0 crash_dump_exec_28_0 dex2oat_exec_28_0 dhcp_exec_28_0 dnsmasq_exec_28_0 drmserver_exec_28_0 drmserver_socket_28_0 dumpstate_exec_28_0 e2fs_exec_28_0 unlabeled_28_0 system_file_28_0 vendor_hal_file_28_0 vendor_file_28_0 vendor_app_file_28_0 vendor_configs_file_28_0 same_process_hal_file_28_0 vndk_sp_file_28_0 vendor_framework_file_28_0 vendor_overlay_file_28_0 metadata_file_28_0 vold_metadata_file_28_0 runtime_event_log_tags_file_28_0 logcat_exec_28_0 coredump_file_28_0 system_data_file_28_0 vendor_data_file_28_0 unencrypted_data_file_28_0 install_data_file_28_0 drm_data_file_28_0 adb_data_file_28_0 anr_data_file_28_0 tombstone_data_file_28_0 tombstone_wifi_data_file_28_0 apk_data_file_28_0 apk_tmp_file_28_0 apk_private_data_file_28_0 apk_private_tmp_file_28_0 dalvikcache_data_file_28_0 ota_data_file_28_0 ota_package_file_28_0 user_profile_data_file_28_0 profman_dump_data_file_28_0 resourcecache_data_file_28_0 shell_data_file_28_0 property_data_file_28_0 bootchart_data_file_28_0 heapdump_data_file_28_0 nativetest_data_file_28_0 ringtone_file_28_0 preloads_data_file_28_0 preloads_media_file_28_0 dhcp_data_file_28_0 mnt_media_rw_file_28_0 mnt_user_file_28_0 mnt_expand_file_28_0 storage_file_28_0 mnt_media_rw_stub_file_28_0 storage_stub_file_28_0 mnt_vendor_file_28_0 postinstall_mnt_dir_28_0 postinstall_file_28_0 adb_keys_file_28_0 audio_data_file_28_0 audioserver_data_file_28_0 bluetooth_data_file_28_0 bluetooth_logs_data_file_28_0 bootstat_data_file_28_0 boottrace_data_file_28_0 camera_data_file_28_0 gatekeeper_data_file_28_0 incident_data_file_28_0 keychain_data_file_28_0 keystore_data_file_28_0 media_data_file_28_0 media_rw_data_file_28_0 misc_user_data_file_28_0 net_data_file_28_0 network_watchlist_data_file_28_0 nfc_data_file_28_0 radio_data_file_28_0 recovery_data_file_28_0 shared_relro_file_28_0 systemkeys_data_file_28_0 textclassifier_data_file_28_0 trace_data_file_28_0 vpn_data_file_28_0 wifi_data_file_28_0 zoneinfo_data_file_28_0 vold_data_file_28_0 perfprofd_data_file_28_0 tee_data_file_28_0 update_engine_data_file_28_0 update_engine_log_data_file_28_0 method_trace_data_file_28_0 app_data_file_28_0 system_app_data_file_28_0 cache_file_28_0 cache_backup_file_28_0 cache_private_backup_file_28_0 cache_recovery_file_28_0 efs_file_28_0 wallpaper_file_28_0 shortcut_manager_icons_28_0 icon_file_28_0 asec_apk_file_28_0 asec_public_file_28_0 asec_image_file_28_0 backup_data_file_28_0 bluetooth_efs_file_28_0 fingerprintd_data_file_28_0 fingerprint_vendor_data_file_28_0 app_fuse_file_28_0 adbd_socket_28_0 bluetooth_socket_28_0 dnsproxyd_socket_28_0 dumpstate_socket_28_0 fwmarkd_socket_28_0 lmkd_socket_28_0 logd_socket_28_0 logdr_socket_28_0 logdw_socket_28_0 mdns_socket_28_0 mdnsd_socket_28_0 misc_logd_file_28_0 mtpd_socket_28_0 netd_socket_28_0 property_socket_28_0 racoon_socket_28_0 rild_socket_28_0 rild_debug_socket_28_0 system_wpa_socket_28_0 system_ndebug_socket_28_0 tombstoned_crash_socket_28_0 tombstoned_java_trace_socket_28_0 tombstoned_intercept_socket_28_0 traced_producer_socket_28_0 traced_consumer_socket_28_0 uncrypt_socket_28_0 wpa_socket_28_0 zygote_socket_28_0 gps_control_28_0 pdx_display_dir_28_0 pdx_performance_dir_28_0 pdx_bufferhub_dir_28_0 pdx_display_client_endpoint_socket_28_0 pdx_display_manager_endpoint_socket_28_0 pdx_display_screenshot_endpoint_socket_28_0 pdx_display_vsync_endpoint_socket_28_0 pdx_performance_client_endpoint_socket_28_0 pdx_bufferhub_client_endpoint_socket_28_0 file_contexts_file_28_0 mac_perms_file_28_0 property_contexts_file_28_0 seapp_contexts_file_28_0 sepolicy_file_28_0 service_contexts_file_28_0 nonplat_service_contexts_file_28_0 hwservice_contexts_file_28_0 vndservice_contexts_file_28_0 audiohal_data_file_28_0 fingerprintd_exec_28_0 fsck_exec_28_0 gatekeeperd_exec_28_0 healthd_exec_28_0 hwservicemanager_exec_28_0 idmap_exec_28_0 init_exec_28_0 inputflinger_exec_28_0 install_recovery_exec_28_0 installd_exec_28_0 keystore_exec_28_0 lmkd_exec_28_0 logd_exec_28_0 mediacodec_exec_28_0 mediadrmserver_exec_28_0 mediaextractor_exec_28_0 mediametrics_exec_28_0 mediaserver_exec_28_0 mtp_exec_28_0 netd_exec_28_0 netutils_wrapper_exec_28_0 otapreopt_chroot_exec_28_0 otapreopt_slot_exec_28_0 performanced_exec_28_0 perfprofd_exec_28_0 ppp_exec_28_0 preopt2cachename_exec_28_0 profman_exec_28_0 racoon_exec_28_0 recovery_persist_exec_28_0 recovery_refresh_exec_28_0 runas_exec_28_0 sdcardd_exec_28_0 servicemanager_exec_28_0 sgdisk_exec_28_0 shell_exec_28_0 su_exec_28_0 thermalserviced_exec_28_0 tombstoned_exec_28_0 toolbox_exec_28_0 tzdatacheck_exec_28_0 uncrypt_exec_28_0 update_engine_exec_28_0 update_verifier_exec_28_0 usbd_exec_28_0 vdc_exec_28_0 vendor_shell_exec_28_0 vendor_toolbox_exec_28_0 virtual_touchpad_exec_28_0 vold_exec_28_0 vold_prepare_subdirs_exec_28_0 vr_hwc_exec_28_0 webview_zygote_exec_28_0 wificond_exec_28_0 wpantund_exec_28_0 zygote_exec_28_0 hostapd_data_file wpa_data_file hal_audio_default_exec hal_audio_default_tmpfs hal_audiocontrol_default_exec hal_audiocontrol_default_tmpfs hal_authsecret_default_exec hal_authsecret_default_tmpfs hal_bluetooth_default_exec hal_bluetooth_default_tmpfs hal_bootctl_default_exec hal_bootctl_default_tmpfs hal_broadcastradio_default_exec hal_broadcastradio_default_tmpfs hal_camera_default_exec hal_camera_default_tmpfs hal_cas_default_exec hal_cas_default_tmpfs hal_configstore_default_exec hal_configstore_default_tmpfs hal_confirmationui_default_exec hal_confirmationui_default_tmpfs hal_contexthub_default_exec hal_contexthub_default_tmpfs hal_drm_default_exec hal_drm_default_tmpfs hal_dumpstate_default_exec hal_dumpstate_default_tmpfs hal_evs_default_exec hal_evs_default_tmpfs hal_fingerprint_default_exec hal_fingerprint_default_tmpfs hal_gatekeeper_default_exec hal_gatekeeper_default_tmpfs hal_gnss_default_exec hal_gnss_default_tmpfs hal_graphics_allocator_default_exec hal_graphics_allocator_default_tmpfs hal_graphics_composer_default_exec hal_graphics_composer_default_tmpfs hal_health_default_exec hal_health_default_tmpfs hal_ir_default_exec hal_ir_default_tmpfs hal_keymaster_default_exec hal_keymaster_default_tmpfs hal_light_default_exec hal_light_default_tmpfs hal_lowpan_default_exec hal_lowpan_default_tmpfs hal_memtrack_default_exec hal_memtrack_default_tmpfs hal_nfc_default_exec hal_nfc_default_tmpfs mediacodec_tmpfs hal_power_default_exec hal_power_default_tmpfs hal_radio_config_default_exec hal_radio_config_default_tmpfs hal_radio_default_exec hal_radio_default_tmpfs hal_secure_element_default_exec hal_secure_element_default_tmpfs hal_sensors_default_exec hal_sensors_default_tmpfs hal_tetheroffload_default_exec hal_tetheroffload_default_tmpfs hal_thermal_default_exec hal_thermal_default_tmpfs hal_tv_cec_default_exec hal_tv_cec_default_tmpfs hal_tv_input_default_exec hal_tv_input_default_tmpfs hal_usb_default_exec hal_usb_default_tmpfs hal_vehicle_default_exec hal_vehicle_default_tmpfs hal_vibrator_default_exec hal_vibrator_default_tmpfs hal_vr_default_exec hal_vr_default_tmpfs hal_wifi_default_exec hal_wifi_default_tmpfs hal_wifi_hostapd_default_exec hal_wifi_hostapd_default_tmpfs hal_wifi_offload_default_exec hal_wifi_offload_default_tmpfs hal_wifi_supplicant_default_exec hal_wifi_supplicant_default_tmpfs rild_exec rild_tmpfs tee_exec tee_tmpfs vndservicemanager_exec vndservicemanager_tmpfs createns_exec createns_tmpfs dhcpclient_exec dhcpclient_tmpfs dhcpserver_exec dhcpserver_tmpfs execns_exec execns_tmpfs varrun_file mediadrm_vendor_data_file goldfish_setup_exec goldfish_setup_tmpfs hal_drm_clearkey_exec hal_drm_clearkey_tmpfs hal_drm_widevine_exec hal_drm_widevine_tmpfs hostapd_nohidl_exec hostapd_nohidl_tmpfs ipv6proxy_exec ipv6proxy_tmpfs qemu_props_exec qemu_props_tmpfs persist_file))
-(typeattributeset exec_type (adbd_exec_28_0 bootanim_exec_28_0 bootstat_exec_28_0 bufferhubd_exec_28_0 cameraserver_exec_28_0 clatd_exec_28_0 cppreopts_exec_28_0 crash_dump_exec_28_0 dex2oat_exec_28_0 dhcp_exec_28_0 dnsmasq_exec_28_0 drmserver_exec_28_0 dumpstate_exec_28_0 e2fs_exec_28_0 logcat_exec_28_0 fingerprintd_exec_28_0 fsck_exec_28_0 gatekeeperd_exec_28_0 healthd_exec_28_0 hwservicemanager_exec_28_0 idmap_exec_28_0 init_exec_28_0 inputflinger_exec_28_0 install_recovery_exec_28_0 installd_exec_28_0 keystore_exec_28_0 lmkd_exec_28_0 logd_exec_28_0 mediacodec_exec_28_0 mediadrmserver_exec_28_0 mediaextractor_exec_28_0 mediametrics_exec_28_0 mediaserver_exec_28_0 mtp_exec_28_0 netd_exec_28_0 netutils_wrapper_exec_28_0 otapreopt_chroot_exec_28_0 otapreopt_slot_exec_28_0 performanced_exec_28_0 perfprofd_exec_28_0 ppp_exec_28_0 preopt2cachename_exec_28_0 profman_exec_28_0 racoon_exec_28_0 recovery_persist_exec_28_0 recovery_refresh_exec_28_0 runas_exec_28_0 sdcardd_exec_28_0 servicemanager_exec_28_0 sgdisk_exec_28_0 shell_exec_28_0 su_exec_28_0 thermalserviced_exec_28_0 tombstoned_exec_28_0 toolbox_exec_28_0 tzdatacheck_exec_28_0 uncrypt_exec_28_0 update_engine_exec_28_0 update_verifier_exec_28_0 usbd_exec_28_0 vdc_exec_28_0 vendor_shell_exec_28_0 vendor_toolbox_exec_28_0 virtual_touchpad_exec_28_0 vold_exec_28_0 vold_prepare_subdirs_exec_28_0 vr_hwc_exec_28_0 webview_zygote_exec_28_0 wificond_exec_28_0 wpantund_exec_28_0 zygote_exec_28_0 hal_audio_default_exec hal_audiocontrol_default_exec hal_authsecret_default_exec hal_bluetooth_default_exec hal_bootctl_default_exec hal_broadcastradio_default_exec hal_camera_default_exec hal_cas_default_exec hal_configstore_default_exec hal_confirmationui_default_exec hal_contexthub_default_exec hal_drm_default_exec hal_dumpstate_default_exec hal_evs_default_exec hal_fingerprint_default_exec hal_gatekeeper_default_exec hal_gnss_default_exec hal_graphics_allocator_default_exec hal_graphics_composer_default_exec hal_health_default_exec hal_ir_default_exec hal_keymaster_default_exec hal_light_default_exec hal_lowpan_default_exec hal_memtrack_default_exec hal_nfc_default_exec hal_power_default_exec hal_radio_config_default_exec hal_radio_default_exec hal_secure_element_default_exec hal_sensors_default_exec hal_tetheroffload_default_exec hal_thermal_default_exec hal_tv_cec_default_exec hal_tv_input_default_exec hal_usb_default_exec hal_vehicle_default_exec hal_vibrator_default_exec hal_vr_default_exec hal_wifi_default_exec hal_wifi_hostapd_default_exec hal_wifi_offload_default_exec hal_wifi_supplicant_default_exec rild_exec tee_exec vndservicemanager_exec createns_exec dhcpclient_exec dhcpserver_exec execns_exec goldfish_setup_exec hal_drm_clearkey_exec hal_drm_widevine_exec hostapd_nohidl_exec ipv6proxy_exec qemu_props_exec))
-(typeattributeset data_file_type (system_data_file_28_0 vendor_data_file_28_0 unencrypted_data_file_28_0 install_data_file_28_0 drm_data_file_28_0 adb_data_file_28_0 anr_data_file_28_0 tombstone_data_file_28_0 tombstone_wifi_data_file_28_0 apk_data_file_28_0 apk_tmp_file_28_0 apk_private_data_file_28_0 apk_private_tmp_file_28_0 dalvikcache_data_file_28_0 ota_data_file_28_0 ota_package_file_28_0 user_profile_data_file_28_0 profman_dump_data_file_28_0 resourcecache_data_file_28_0 shell_data_file_28_0 property_data_file_28_0 bootchart_data_file_28_0 heapdump_data_file_28_0 nativetest_data_file_28_0 ringtone_file_28_0 preloads_data_file_28_0 preloads_media_file_28_0 dhcp_data_file_28_0 adb_keys_file_28_0 audio_data_file_28_0 audioserver_data_file_28_0 bluetooth_data_file_28_0 bluetooth_logs_data_file_28_0 bootstat_data_file_28_0 boottrace_data_file_28_0 camera_data_file_28_0 gatekeeper_data_file_28_0 incident_data_file_28_0 keychain_data_file_28_0 keystore_data_file_28_0 media_data_file_28_0 media_rw_data_file_28_0 misc_user_data_file_28_0 net_data_file_28_0 network_watchlist_data_file_28_0 nfc_data_file_28_0 radio_data_file_28_0 recovery_data_file_28_0 shared_relro_file_28_0 systemkeys_data_file_28_0 textclassifier_data_file_28_0 trace_data_file_28_0 vpn_data_file_28_0 wifi_data_file_28_0 zoneinfo_data_file_28_0 vold_data_file_28_0 perfprofd_data_file_28_0 tee_data_file_28_0 update_engine_data_file_28_0 update_engine_log_data_file_28_0 method_trace_data_file_28_0 app_data_file_28_0 system_app_data_file_28_0 cache_file_28_0 cache_backup_file_28_0 cache_private_backup_file_28_0 cache_recovery_file_28_0 wallpaper_file_28_0 shortcut_manager_icons_28_0 icon_file_28_0 asec_apk_file_28_0 asec_public_file_28_0 asec_image_file_28_0 backup_data_file_28_0 fingerprintd_data_file_28_0 fingerprint_vendor_data_file_28_0 app_fuse_file_28_0 bluetooth_socket_28_0 misc_logd_file_28_0 system_wpa_socket_28_0 system_ndebug_socket_28_0 wpa_socket_28_0 audiohal_data_file_28_0 hostapd_data_file wpa_data_file varrun_file mediadrm_vendor_data_file))
-(typeattributeset vendor_file_type (vendor_hal_file_28_0 vendor_file_28_0 vendor_app_file_28_0 vendor_configs_file_28_0 same_process_hal_file_28_0 vndk_sp_file_28_0 vendor_framework_file_28_0 vendor_overlay_file_28_0 mediacodec_exec_28_0 vendor_shell_exec_28_0 vendor_toolbox_exec_28_0 hal_audio_default_exec hal_audiocontrol_default_exec hal_authsecret_default_exec hal_bluetooth_default_exec hal_bootctl_default_exec hal_broadcastradio_default_exec hal_camera_default_exec hal_cas_default_exec hal_configstore_default_exec hal_confirmationui_default_exec hal_contexthub_default_exec hal_drm_default_exec hal_dumpstate_default_exec hal_evs_default_exec hal_fingerprint_default_exec hal_gatekeeper_default_exec hal_gnss_default_exec hal_graphics_allocator_default_exec hal_graphics_composer_default_exec hal_health_default_exec hal_ir_default_exec hal_keymaster_default_exec hal_light_default_exec hal_lowpan_default_exec hal_memtrack_default_exec hal_nfc_default_exec hal_power_default_exec hal_radio_config_default_exec hal_radio_default_exec hal_secure_element_default_exec hal_sensors_default_exec hal_tetheroffload_default_exec hal_thermal_default_exec hal_tv_cec_default_exec hal_tv_input_default_exec hal_usb_default_exec hal_vehicle_default_exec hal_vibrator_default_exec hal_vr_default_exec hal_wifi_default_exec hal_wifi_hostapd_default_exec hal_wifi_offload_default_exec hal_wifi_supplicant_default_exec rild_exec tee_exec vndservicemanager_exec createns_exec dhcpclient_exec dhcpserver_exec execns_exec goldfish_setup_exec hal_drm_clearkey_exec hal_drm_widevine_exec hostapd_nohidl_exec ipv6proxy_exec qemu_props_exec))
-(typeattributeset sysfs_type (sysfs_usermodehelper_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0 sysfs_writable))
-(typeattributeset property_type (audio_prop_28_0 boottime_prop_28_0 bluetooth_a2dp_offload_prop_28_0 bluetooth_prop_28_0 bootloader_boot_reason_prop_28_0 config_prop_28_0 cppreopt_prop_28_0 ctl_bootanim_prop_28_0 ctl_bugreport_prop_28_0 ctl_console_prop_28_0 ctl_default_prop_28_0 ctl_dumpstate_prop_28_0 ctl_fuse_prop_28_0 ctl_interface_restart_prop_28_0 ctl_interface_start_prop_28_0 ctl_interface_stop_prop_28_0 ctl_mdnsd_prop_28_0 ctl_restart_prop_28_0 ctl_rildaemon_prop_28_0 ctl_sigstop_prop_28_0 ctl_start_prop_28_0 ctl_stop_prop_28_0 dalvik_prop_28_0 debuggerd_prop_28_0 debug_prop_28_0 default_prop_28_0 device_logging_prop_28_0 dhcp_prop_28_0 dumpstate_options_prop_28_0 dumpstate_prop_28_0 exported_secure_prop_28_0 ffs_prop_28_0 fingerprint_prop_28_0 firstboot_prop_28_0 hwservicemanager_prop_28_0 last_boot_reason_prop_28_0 logd_prop_28_0 logpersistd_logging_prop_28_0 log_prop_28_0 log_tag_prop_28_0 lowpan_prop_28_0 mmc_prop_28_0 net_dns_prop_28_0 net_radio_prop_28_0 netd_stable_secret_prop_28_0 nfc_prop_28_0 overlay_prop_28_0 pan_result_prop_28_0 persist_debug_prop_28_0 persistent_properties_ready_prop_28_0 pm_prop_28_0 powerctl_prop_28_0 radio_prop_28_0 restorecon_prop_28_0 safemode_prop_28_0 serialno_prop_28_0 shell_prop_28_0 system_boot_reason_prop_28_0 system_prop_28_0 system_radio_prop_28_0 test_boot_reason_prop_28_0 traced_enabled_prop_28_0 vold_prop_28_0 wifi_log_prop_28_0 wifi_prop_28_0 vendor_security_patch_level_prop_28_0 exported_audio_prop_28_0 exported_bluetooth_prop_28_0 exported_config_prop_28_0 exported_dalvik_prop_28_0 exported_default_prop_28_0 exported_dumpstate_prop_28_0 exported_ffs_prop_28_0 exported_fingerprint_prop_28_0 exported_overlay_prop_28_0 exported_pm_prop_28_0 exported_radio_prop_28_0 exported_system_prop_28_0 exported_system_radio_prop_28_0 exported_vold_prop_28_0 exported_wifi_prop_28_0 exported2_config_prop_28_0 exported2_default_prop_28_0 exported2_radio_prop_28_0 exported2_system_prop_28_0 exported2_vold_prop_28_0 exported3_default_prop_28_0 exported3_radio_prop_28_0 exported3_system_prop_28_0 vendor_default_prop_28_0 qemu_prop qemu_cmdline radio_noril_prop net_eth0_prop net_share_prop))
-(typeattributeset mlstrustedobject (alarm_device_28_0 ashmem_device_28_0 binder_device_28_0 hwbinder_device_28_0 pmsg_device_28_0 gpu_device_28_0 mtp_device_28_0 ptmx_device_28_0 null_device_28_0 random_device_28_0 owntty_device_28_0 zero_device_28_0 fuse_device_28_0 ion_device_28_0 tun_device_28_0 usbaccessory_device_28_0 usb_device_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 selinuxfs_28_0 cgroup_28_0 sysfs_28_0 sysfs_bluetooth_writable_28_0 sysfs_kernel_notes_28_0 sysfs_nfc_power_writable_28_0 inotify_28_0 devpts_28_0 fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 functionfs_28_0 anr_data_file_28_0 tombstone_data_file_28_0 apk_tmp_file_28_0 apk_private_tmp_file_28_0 ota_package_file_28_0 user_profile_data_file_28_0 shell_data_file_28_0 heapdump_data_file_28_0 ringtone_file_28_0 media_rw_data_file_28_0 radio_data_file_28_0 trace_data_file_28_0 perfprofd_data_file_28_0 method_trace_data_file_28_0 system_app_data_file_28_0 cache_file_28_0 cache_backup_file_28_0 cache_recovery_file_28_0 wallpaper_file_28_0 shortcut_manager_icons_28_0 asec_apk_file_28_0 backup_data_file_28_0 app_fuse_file_28_0 dnsproxyd_socket_28_0 fwmarkd_socket_28_0 logd_socket_28_0 logdr_socket_28_0 logdw_socket_28_0 mdnsd_socket_28_0 property_socket_28_0 system_ndebug_socket_28_0 tombstoned_crash_socket_28_0 tombstoned_java_trace_socket_28_0 traced_producer_socket_28_0 pdx_display_client_endpoint_socket_28_0 pdx_display_manager_endpoint_socket_28_0 pdx_display_screenshot_endpoint_socket_28_0 pdx_display_vsync_endpoint_socket_28_0 pdx_performance_client_endpoint_socket_28_0 pdx_bufferhub_client_endpoint_socket_28_0 qemu_device sysfs_writable varrun_file))
-(typeattributeset netdomain (clatd_28_0 dhcp_28_0 dnsmasq_28_0 drmserver_28_0 dumpstate_28_0 mediadrmserver_28_0 mediaserver_28_0 mtp_28_0 netd_28_0 ppp_28_0 racoon_28_0 radio_28_0 shell_28_0 su_28_0 update_engine_28_0 wpantund_28_0 hal_wifi_hostapd_default hal_wifi_supplicant_default rild dhcpclient dhcpserver hostapd_nohidl ipv6proxy))
-(typeattributeset data_between_core_and_vendor_violators (hal_fingerprint_default))
-(typeattributeset system_writes_vendor_properties_violators (bootanim_28_0 surfaceflinger_28_0 zygote_28_0))
-(typeattributeset halserverdomain (hal_audio_default hal_audiocontrol_default hal_authsecret_default hal_bluetooth_default hal_bootctl_default hal_broadcastradio_default hal_camera_default hal_cas_default hal_configstore_default hal_confirmationui_default hal_contexthub_default hal_drm_default hal_dumpstate_default hal_evs_default hal_fingerprint_default hal_gatekeeper_default hal_gnss_default hal_graphics_allocator_default hal_graphics_composer_default hal_health_default hal_ir_default hal_keymaster_default hal_light_default hal_lowpan_default hal_memtrack_default hal_nfc_default hal_power_default hal_radio_config_default hal_radio_default hal_secure_element_default hal_sensors_default hal_tetheroffload_default hal_thermal_default hal_tv_cec_default hal_tv_input_default hal_usb_default hal_vehicle_default hal_vibrator_default hal_vr_default hal_wifi_default hal_wifi_hostapd_default hal_wifi_offload_default hal_wifi_supplicant_default rild hal_drm_clearkey hal_drm_widevine))
-(typeattributeset halclientdomain (bootanim_28_0 bufferhubd_28_0 cameraserver_28_0 dumpstate_28_0 gatekeeperd_28_0 healthd_28_0 mediacodec_28_0 mediadrmserver_28_0 mediaextractor_28_0 mediaserver_28_0 radio_28_0 su_28_0 thermalserviced_28_0 update_engine_28_0 update_verifier_28_0 vold_28_0 vr_hwc_28_0 wpantund_28_0 hal_audio_default hal_camera_default hal_drm_default hal_drm_widevine))
-(typeattributeset hal_audio (hal_audio_default))
-(typeattributeset hal_audio_server (hal_audio_default))
-(typeattributeset hal_bootctl (hal_bootctl_default))
-(typeattributeset hal_bootctl_server (hal_bootctl_default))
-(typeattributeset hal_camera (hal_camera_default))
-(typeattributeset hal_camera_server (hal_camera_default))
-(typeattributeset hal_drm (hal_drm_default hal_drm_clearkey hal_drm_widevine))
-(typeattributeset hal_drm_server (hal_drm_default hal_drm_clearkey hal_drm_widevine))
-(typeattributeset hal_cas (hal_cas_default))
-(typeattributeset hal_cas_server (hal_cas_default))
-(typeattributeset hal_allocator_client (mediacodec_28_0 mediaserver_28_0 su_28_0 hal_audio_default))
-(typeattributeset hal_audiocontrol (hal_audiocontrol_default))
-(typeattributeset hal_audiocontrol_server (hal_audiocontrol_default))
-(typeattributeset hal_authsecret (hal_authsecret_default))
-(typeattributeset hal_authsecret_server (hal_authsecret_default))
-(typeattributeset hal_bluetooth (hal_bluetooth_default))
-(typeattributeset hal_bluetooth_server (hal_bluetooth_default))
-(typeattributeset hal_broadcastradio (hal_broadcastradio_default))
-(typeattributeset hal_broadcastradio_server (hal_broadcastradio_default))
-(typeattributeset hal_configstore (hal_configstore_default))
-(typeattributeset hal_configstore_server (hal_configstore_default))
-(typeattributeset hal_confirmationui (hal_confirmationui_default))
-(typeattributeset hal_confirmationui_server (hal_confirmationui_default))
-(typeattributeset hal_contexthub (hal_contexthub_default))
-(typeattributeset hal_contexthub_server (hal_contexthub_default))
-(typeattributeset hal_dumpstate (hal_dumpstate_default))
-(typeattributeset hal_dumpstate_server (hal_dumpstate_default))
-(typeattributeset hal_evs (hal_evs_default))
-(typeattributeset hal_evs_server (hal_evs_default))
-(typeattributeset hal_fingerprint (hal_fingerprint_default))
-(typeattributeset hal_fingerprint_server (hal_fingerprint_default))
-(typeattributeset hal_gatekeeper (hal_gatekeeper_default))
-(typeattributeset hal_gatekeeper_server (hal_gatekeeper_default))
-(typeattributeset hal_gnss (hal_gnss_default))
-(typeattributeset hal_gnss_server (hal_gnss_default))
-(typeattributeset hal_graphics_allocator (hal_graphics_allocator_default))
-(typeattributeset hal_graphics_allocator_server (hal_graphics_allocator_default))
-(typeattributeset hal_graphics_composer (hal_graphics_composer_default))
-(typeattributeset hal_graphics_composer_client (bootanim_28_0 su_28_0 hal_camera_default hal_drm_default hal_drm_widevine))
-(typeattributeset hal_graphics_composer_server (hal_graphics_composer_default))
-(typeattributeset hal_health (hal_health_default))
-(typeattributeset hal_health_server (hal_health_default))
-(typeattributeset hal_ir (hal_ir_default))
-(typeattributeset hal_ir_server (hal_ir_default))
-(typeattributeset hal_keymaster (hal_keymaster_default))
-(typeattributeset hal_keymaster_server (hal_keymaster_default))
-(typeattributeset hal_light (hal_light_default))
-(typeattributeset hal_light_server (hal_light_default))
-(typeattributeset hal_lowpan (hal_lowpan_default))
-(typeattributeset hal_lowpan_server (hal_lowpan_default))
-(typeattributeset hal_memtrack (hal_memtrack_default))
-(typeattributeset hal_memtrack_server (hal_memtrack_default))
-(typeattributeset hal_nfc (hal_nfc_default))
-(typeattributeset hal_nfc_server (hal_nfc_default))
-(typeattributeset hal_power (hal_power_default))
-(typeattributeset hal_power_server (hal_power_default))
-(typeattributeset hal_secure_element (hal_secure_element_default))
-(typeattributeset hal_secure_element_server (hal_secure_element_default))
-(typeattributeset hal_sensors (hal_sensors_default))
-(typeattributeset hal_sensors_server (hal_sensors_default))
-(typeattributeset hal_telephony (hal_radio_config_default hal_radio_default rild))
-(typeattributeset hal_telephony_server (hal_radio_config_default hal_radio_default rild))
-(typeattributeset hal_tetheroffload (hal_tetheroffload_default))
-(typeattributeset hal_tetheroffload_server (hal_tetheroffload_default))
-(typeattributeset hal_thermal (hal_thermal_default))
-(typeattributeset hal_thermal_server (hal_thermal_default))
-(typeattributeset hal_tv_cec (hal_tv_cec_default))
-(typeattributeset hal_tv_cec_server (hal_tv_cec_default))
-(typeattributeset hal_tv_input (hal_tv_input_default))
-(typeattributeset hal_tv_input_server (hal_tv_input_default))
-(typeattributeset hal_usb (hal_usb_default))
-(typeattributeset hal_usb_server (hal_usb_default))
-(typeattributeset hal_vehicle (hal_vehicle_default))
-(typeattributeset hal_vehicle_server (hal_vehicle_default))
-(typeattributeset hal_vibrator (hal_vibrator_default))
-(typeattributeset hal_vibrator_server (hal_vibrator_default))
-(typeattributeset hal_vr (hal_vr_default))
-(typeattributeset hal_vr_server (hal_vr_default))
-(typeattributeset hal_wifi (hal_wifi_default))
-(typeattributeset hal_wifi_server (hal_wifi_default))
-(typeattributeset hal_wifi_hostapd (hal_wifi_hostapd_default))
-(typeattributeset hal_wifi_hostapd_server (hal_wifi_hostapd_default))
-(typeattributeset hal_wifi_offload (hal_wifi_offload_default))
-(typeattributeset hal_wifi_offload_server (hal_wifi_offload_default))
-(typeattributeset hal_wifi_supplicant (hal_wifi_supplicant_default))
-(typeattributeset hal_wifi_supplicant_server (hal_wifi_supplicant_default))
-(type hostapd_data_file)
-(roletype object_r hostapd_data_file)
-(type wpa_data_file)
-(roletype object_r wpa_data_file)
-(type hal_audio_default)
-(roletype object_r hal_audio_default)
-(type hal_audio_default_exec)
-(roletype object_r hal_audio_default_exec)
-(type hal_audio_default_tmpfs)
-(roletype object_r hal_audio_default_tmpfs)
-(type hal_audiocontrol_default)
-(roletype object_r hal_audiocontrol_default)
-(type hal_audiocontrol_default_exec)
-(roletype object_r hal_audiocontrol_default_exec)
-(type hal_audiocontrol_default_tmpfs)
-(roletype object_r hal_audiocontrol_default_tmpfs)
-(type hal_authsecret_default)
-(roletype object_r hal_authsecret_default)
-(type hal_authsecret_default_exec)
-(roletype object_r hal_authsecret_default_exec)
-(type hal_authsecret_default_tmpfs)
-(roletype object_r hal_authsecret_default_tmpfs)
-(type hal_bluetooth_default)
-(roletype object_r hal_bluetooth_default)
-(type hal_bluetooth_default_exec)
-(roletype object_r hal_bluetooth_default_exec)
-(type hal_bluetooth_default_tmpfs)
-(roletype object_r hal_bluetooth_default_tmpfs)
-(type hal_bootctl_default)
-(roletype object_r hal_bootctl_default)
-(type hal_bootctl_default_exec)
-(roletype object_r hal_bootctl_default_exec)
-(type hal_bootctl_default_tmpfs)
-(roletype object_r hal_bootctl_default_tmpfs)
-(type hal_broadcastradio_default)
-(roletype object_r hal_broadcastradio_default)
-(type hal_broadcastradio_default_exec)
-(roletype object_r hal_broadcastradio_default_exec)
-(type hal_broadcastradio_default_tmpfs)
-(roletype object_r hal_broadcastradio_default_tmpfs)
-(type hal_camera_default)
-(roletype object_r hal_camera_default)
-(type hal_camera_default_exec)
-(roletype object_r hal_camera_default_exec)
-(type hal_camera_default_tmpfs)
-(roletype object_r hal_camera_default_tmpfs)
-(type hal_cas_default)
-(roletype object_r hal_cas_default)
-(type hal_cas_default_exec)
-(roletype object_r hal_cas_default_exec)
-(type hal_cas_default_tmpfs)
-(roletype object_r hal_cas_default_tmpfs)
-(type hal_configstore_default)
-(roletype object_r hal_configstore_default)
-(type hal_configstore_default_exec)
-(roletype object_r hal_configstore_default_exec)
-(type hal_configstore_default_tmpfs)
-(roletype object_r hal_configstore_default_tmpfs)
-(type hal_confirmationui_default)
-(roletype object_r hal_confirmationui_default)
-(type hal_confirmationui_default_exec)
-(roletype object_r hal_confirmationui_default_exec)
-(type hal_confirmationui_default_tmpfs)
-(roletype object_r hal_confirmationui_default_tmpfs)
-(type hal_contexthub_default)
-(roletype object_r hal_contexthub_default)
-(type hal_contexthub_default_exec)
-(roletype object_r hal_contexthub_default_exec)
-(type hal_contexthub_default_tmpfs)
-(roletype object_r hal_contexthub_default_tmpfs)
-(type hal_drm_default)
-(roletype object_r hal_drm_default)
-(type hal_drm_default_exec)
-(roletype object_r hal_drm_default_exec)
-(type hal_drm_default_tmpfs)
-(roletype object_r hal_drm_default_tmpfs)
-(type hal_dumpstate_default)
-(roletype object_r hal_dumpstate_default)
-(type hal_dumpstate_default_exec)
-(roletype object_r hal_dumpstate_default_exec)
-(type hal_dumpstate_default_tmpfs)
-(roletype object_r hal_dumpstate_default_tmpfs)
-(type hal_evs_default)
-(roletype object_r hal_evs_default)
-(type hal_evs_default_exec)
-(roletype object_r hal_evs_default_exec)
-(type hal_evs_default_tmpfs)
-(roletype object_r hal_evs_default_tmpfs)
-(type hal_fingerprint_default)
-(roletype object_r hal_fingerprint_default)
-(type hal_fingerprint_default_exec)
-(roletype object_r hal_fingerprint_default_exec)
-(type hal_fingerprint_default_tmpfs)
-(roletype object_r hal_fingerprint_default_tmpfs)
-(type hal_gatekeeper_default)
-(roletype object_r hal_gatekeeper_default)
-(type hal_gatekeeper_default_exec)
-(roletype object_r hal_gatekeeper_default_exec)
-(type hal_gatekeeper_default_tmpfs)
-(roletype object_r hal_gatekeeper_default_tmpfs)
-(type hal_gnss_default)
-(roletype object_r hal_gnss_default)
-(type hal_gnss_default_exec)
-(roletype object_r hal_gnss_default_exec)
-(type hal_gnss_default_tmpfs)
-(roletype object_r hal_gnss_default_tmpfs)
-(type hal_graphics_allocator_default)
-(roletype object_r hal_graphics_allocator_default)
-(type hal_graphics_allocator_default_exec)
-(roletype object_r hal_graphics_allocator_default_exec)
-(type hal_graphics_allocator_default_tmpfs)
-(roletype object_r hal_graphics_allocator_default_tmpfs)
-(type hal_graphics_composer_default)
-(roletype object_r hal_graphics_composer_default)
-(type hal_graphics_composer_default_exec)
-(roletype object_r hal_graphics_composer_default_exec)
-(type hal_graphics_composer_default_tmpfs)
-(roletype object_r hal_graphics_composer_default_tmpfs)
-(type hal_health_default)
-(roletype object_r hal_health_default)
-(type hal_health_default_exec)
-(roletype object_r hal_health_default_exec)
-(type hal_health_default_tmpfs)
-(roletype object_r hal_health_default_tmpfs)
-(type hal_ir_default)
-(roletype object_r hal_ir_default)
-(type hal_ir_default_exec)
-(roletype object_r hal_ir_default_exec)
-(type hal_ir_default_tmpfs)
-(roletype object_r hal_ir_default_tmpfs)
-(type hal_keymaster_default)
-(roletype object_r hal_keymaster_default)
-(type hal_keymaster_default_exec)
-(roletype object_r hal_keymaster_default_exec)
-(type hal_keymaster_default_tmpfs)
-(roletype object_r hal_keymaster_default_tmpfs)
-(type hal_light_default)
-(roletype object_r hal_light_default)
-(type hal_light_default_exec)
-(roletype object_r hal_light_default_exec)
-(type hal_light_default_tmpfs)
-(roletype object_r hal_light_default_tmpfs)
-(type hal_lowpan_default)
-(roletype object_r hal_lowpan_default)
-(type hal_lowpan_default_exec)
-(roletype object_r hal_lowpan_default_exec)
-(type hal_lowpan_default_tmpfs)
-(roletype object_r hal_lowpan_default_tmpfs)
-(type hal_memtrack_default)
-(roletype object_r hal_memtrack_default)
-(type hal_memtrack_default_exec)
-(roletype object_r hal_memtrack_default_exec)
-(type hal_memtrack_default_tmpfs)
-(roletype object_r hal_memtrack_default_tmpfs)
-(type hal_nfc_default)
-(roletype object_r hal_nfc_default)
-(type hal_nfc_default_exec)
-(roletype object_r hal_nfc_default_exec)
-(type hal_nfc_default_tmpfs)
-(roletype object_r hal_nfc_default_tmpfs)
-(type mediacodec_tmpfs)
-(roletype object_r mediacodec_tmpfs)
-(type hal_power_default)
-(roletype object_r hal_power_default)
-(type hal_power_default_exec)
-(roletype object_r hal_power_default_exec)
-(type hal_power_default_tmpfs)
-(roletype object_r hal_power_default_tmpfs)
-(type hal_radio_config_default)
-(roletype object_r hal_radio_config_default)
-(type hal_radio_config_default_exec)
-(roletype object_r hal_radio_config_default_exec)
-(type hal_radio_config_default_tmpfs)
-(roletype object_r hal_radio_config_default_tmpfs)
-(type hal_radio_default)
-(roletype object_r hal_radio_default)
-(type hal_radio_default_exec)
-(roletype object_r hal_radio_default_exec)
-(type hal_radio_default_tmpfs)
-(roletype object_r hal_radio_default_tmpfs)
-(type hal_secure_element_default)
-(roletype object_r hal_secure_element_default)
-(type hal_secure_element_default_exec)
-(roletype object_r hal_secure_element_default_exec)
-(type hal_secure_element_default_tmpfs)
-(roletype object_r hal_secure_element_default_tmpfs)
-(type hal_sensors_default)
-(roletype object_r hal_sensors_default)
-(type hal_sensors_default_exec)
-(roletype object_r hal_sensors_default_exec)
-(type hal_sensors_default_tmpfs)
-(roletype object_r hal_sensors_default_tmpfs)
-(type hal_tetheroffload_default)
-(roletype object_r hal_tetheroffload_default)
-(type hal_tetheroffload_default_exec)
-(roletype object_r hal_tetheroffload_default_exec)
-(type hal_tetheroffload_default_tmpfs)
-(roletype object_r hal_tetheroffload_default_tmpfs)
-(type hal_thermal_default)
-(roletype object_r hal_thermal_default)
-(type hal_thermal_default_exec)
-(roletype object_r hal_thermal_default_exec)
-(type hal_thermal_default_tmpfs)
-(roletype object_r hal_thermal_default_tmpfs)
-(type hal_tv_cec_default)
-(roletype object_r hal_tv_cec_default)
-(type hal_tv_cec_default_exec)
-(roletype object_r hal_tv_cec_default_exec)
-(type hal_tv_cec_default_tmpfs)
-(roletype object_r hal_tv_cec_default_tmpfs)
-(type hal_tv_input_default)
-(roletype object_r hal_tv_input_default)
-(type hal_tv_input_default_exec)
-(roletype object_r hal_tv_input_default_exec)
-(type hal_tv_input_default_tmpfs)
-(roletype object_r hal_tv_input_default_tmpfs)
-(type hal_usb_default)
-(roletype object_r hal_usb_default)
-(type hal_usb_default_exec)
-(roletype object_r hal_usb_default_exec)
-(type hal_usb_default_tmpfs)
-(roletype object_r hal_usb_default_tmpfs)
-(type hal_vehicle_default)
-(roletype object_r hal_vehicle_default)
-(type hal_vehicle_default_exec)
-(roletype object_r hal_vehicle_default_exec)
-(type hal_vehicle_default_tmpfs)
-(roletype object_r hal_vehicle_default_tmpfs)
-(type hal_vibrator_default)
-(roletype object_r hal_vibrator_default)
-(type hal_vibrator_default_exec)
-(roletype object_r hal_vibrator_default_exec)
-(type hal_vibrator_default_tmpfs)
-(roletype object_r hal_vibrator_default_tmpfs)
-(type hal_vr_default)
-(roletype object_r hal_vr_default)
-(type hal_vr_default_exec)
-(roletype object_r hal_vr_default_exec)
-(type hal_vr_default_tmpfs)
-(roletype object_r hal_vr_default_tmpfs)
-(type hal_wifi_default)
-(roletype object_r hal_wifi_default)
-(type hal_wifi_default_exec)
-(roletype object_r hal_wifi_default_exec)
-(type hal_wifi_default_tmpfs)
-(roletype object_r hal_wifi_default_tmpfs)
-(type hal_wifi_hostapd_default)
-(roletype object_r hal_wifi_hostapd_default)
-(type hal_wifi_hostapd_default_exec)
-(roletype object_r hal_wifi_hostapd_default_exec)
-(type hal_wifi_hostapd_default_tmpfs)
-(roletype object_r hal_wifi_hostapd_default_tmpfs)
-(type hal_wifi_offload_default)
-(roletype object_r hal_wifi_offload_default)
-(type hal_wifi_offload_default_exec)
-(roletype object_r hal_wifi_offload_default_exec)
-(type hal_wifi_offload_default_tmpfs)
-(roletype object_r hal_wifi_offload_default_tmpfs)
-(type hal_wifi_supplicant_default)
-(roletype object_r hal_wifi_supplicant_default)
-(type hal_wifi_supplicant_default_exec)
-(roletype object_r hal_wifi_supplicant_default_exec)
-(type hal_wifi_supplicant_default_tmpfs)
-(roletype object_r hal_wifi_supplicant_default_tmpfs)
-(type rild)
-(roletype object_r rild)
-(type rild_exec)
-(roletype object_r rild_exec)
-(type rild_tmpfs)
-(roletype object_r rild_tmpfs)
-(type tee_exec)
-(roletype object_r tee_exec)
-(type tee_tmpfs)
-(roletype object_r tee_tmpfs)
-(type vendor_modprobe)
-(roletype object_r vendor_modprobe)
-(type vndservicemanager_exec)
-(roletype object_r vndservicemanager_exec)
-(type vndservicemanager_tmpfs)
-(roletype object_r vndservicemanager_tmpfs)
-(type createns)
-(roletype object_r createns)
-(type createns_exec)
-(roletype object_r createns_exec)
-(type createns_tmpfs)
-(roletype object_r createns_tmpfs)
-(type qemu_device)
-(roletype object_r qemu_device)
-(type dhcpclient)
-(roletype object_r dhcpclient)
-(type dhcpclient_exec)
-(roletype object_r dhcpclient_exec)
-(type dhcpclient_tmpfs)
-(roletype object_r dhcpclient_tmpfs)
-(type dhcpserver)
-(roletype object_r dhcpserver)
-(type dhcpserver_exec)
-(roletype object_r dhcpserver_exec)
-(type dhcpserver_tmpfs)
-(roletype object_r dhcpserver_tmpfs)
-(type execns)
-(roletype object_r execns)
-(type execns_exec)
-(roletype object_r execns_exec)
-(type execns_tmpfs)
-(roletype object_r execns_tmpfs)
-(type sysfs_writable)
-(roletype object_r sysfs_writable)
-(type varrun_file)
-(roletype object_r varrun_file)
-(type mediadrm_vendor_data_file)
-(roletype object_r mediadrm_vendor_data_file)
-(type nsfs)
-(roletype object_r nsfs)
-(type goldfish_setup)
-(roletype object_r goldfish_setup)
-(type goldfish_setup_exec)
-(roletype object_r goldfish_setup_exec)
-(type goldfish_setup_tmpfs)
-(roletype object_r goldfish_setup_tmpfs)
-(type hal_drm_clearkey)
-(roletype object_r hal_drm_clearkey)
-(type hal_drm_clearkey_exec)
-(roletype object_r hal_drm_clearkey_exec)
-(type hal_drm_clearkey_tmpfs)
-(roletype object_r hal_drm_clearkey_tmpfs)
-(type hal_drm_widevine)
-(roletype object_r hal_drm_widevine)
-(type hal_drm_widevine_exec)
-(roletype object_r hal_drm_widevine_exec)
-(type hal_drm_widevine_tmpfs)
-(roletype object_r hal_drm_widevine_tmpfs)
-(type hostapd_nohidl)
-(roletype object_r hostapd_nohidl)
-(type hostapd_nohidl_exec)
-(roletype object_r hostapd_nohidl_exec)
-(type hostapd_nohidl_tmpfs)
-(roletype object_r hostapd_nohidl_tmpfs)
-(type ipv6proxy)
-(roletype object_r ipv6proxy)
-(type ipv6proxy_exec)
-(roletype object_r ipv6proxy_exec)
-(type ipv6proxy_tmpfs)
-(roletype object_r ipv6proxy_tmpfs)
-(type qemu_prop)
-(roletype object_r qemu_prop)
-(type qemu_cmdline)
-(roletype object_r qemu_cmdline)
-(type radio_noril_prop)
-(roletype object_r radio_noril_prop)
-(type net_eth0_prop)
-(roletype object_r net_eth0_prop)
-(type net_share_prop)
-(roletype object_r net_share_prop)
-(type qemu_props)
-(roletype object_r qemu_props)
-(type qemu_props_exec)
-(roletype object_r qemu_props_exec)
-(type qemu_props_tmpfs)
-(roletype object_r qemu_props_tmpfs)
-(type persist_file)
-(roletype object_r persist_file)
-(type firmware_file)
-(roletype object_r firmware_file)
-(allow init_28_0 hal_audio_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_audio_default (process (transition)))
-(allow hal_audio_default hal_audio_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_audio_default (process (noatsecure)))
-(allow init_28_0 hal_audio_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_audio_default_exec process hal_audio_default)
-(typetransition hal_audio_default tmpfs_28_0 file hal_audio_default_tmpfs)
-(allow hal_audio_default hal_audio_default_tmpfs (file (read write getattr map)))
-(allow hal_audio_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_audiocontrol_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_audiocontrol_default (process (transition)))
-(allow hal_audiocontrol_default hal_audiocontrol_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_audiocontrol_default (process (noatsecure)))
-(allow init_28_0 hal_audiocontrol_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_audiocontrol_default_exec process hal_audiocontrol_default)
-(typetransition hal_audiocontrol_default tmpfs_28_0 file hal_audiocontrol_default_tmpfs)
-(allow hal_audiocontrol_default hal_audiocontrol_default_tmpfs (file (read write getattr map)))
-(allow hal_audiocontrol_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_authsecret_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_authsecret_default (process (transition)))
-(allow hal_authsecret_default hal_authsecret_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_authsecret_default (process (noatsecure)))
-(allow init_28_0 hal_authsecret_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_authsecret_default_exec process hal_authsecret_default)
-(typetransition hal_authsecret_default tmpfs_28_0 file hal_authsecret_default_tmpfs)
-(allow hal_authsecret_default hal_authsecret_default_tmpfs (file (read write getattr map)))
-(allow hal_authsecret_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_bluetooth_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_bluetooth_default (process (transition)))
-(allow hal_bluetooth_default hal_bluetooth_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_bluetooth_default (process (noatsecure)))
-(allow init_28_0 hal_bluetooth_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_bluetooth_default_exec process hal_bluetooth_default)
-(typetransition hal_bluetooth_default tmpfs_28_0 file hal_bluetooth_default_tmpfs)
-(allow hal_bluetooth_default hal_bluetooth_default_tmpfs (file (read write getattr map)))
-(allow hal_bluetooth_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_bootctl_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_bootctl_default (process (transition)))
-(allow hal_bootctl_default hal_bootctl_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_bootctl_default (process (noatsecure)))
-(allow init_28_0 hal_bootctl_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_bootctl_default_exec process hal_bootctl_default)
-(typetransition hal_bootctl_default tmpfs_28_0 file hal_bootctl_default_tmpfs)
-(allow hal_bootctl_default hal_bootctl_default_tmpfs (file (read write getattr map)))
-(allow hal_bootctl_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_broadcastradio_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_broadcastradio_default (process (transition)))
-(allow hal_broadcastradio_default hal_broadcastradio_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_broadcastradio_default (process (noatsecure)))
-(allow init_28_0 hal_broadcastradio_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_broadcastradio_default_exec process hal_broadcastradio_default)
-(typetransition hal_broadcastradio_default tmpfs_28_0 file hal_broadcastradio_default_tmpfs)
-(allow hal_broadcastradio_default hal_broadcastradio_default_tmpfs (file (read write getattr map)))
-(allow hal_broadcastradio_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_camera_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_camera_default (process (transition)))
-(allow hal_camera_default hal_camera_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_camera_default (process (noatsecure)))
-(allow init_28_0 hal_camera_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_camera_default_exec process hal_camera_default)
-(typetransition hal_camera_default tmpfs_28_0 file hal_camera_default_tmpfs)
-(allow hal_camera_default hal_camera_default_tmpfs (file (read write getattr map)))
-(allow hal_camera_default tmpfs_28_0 (dir (getattr search)))
-(allow hal_camera_default fwk_sensor_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_camera_default dumpstate_28_0 (fd (use)))
-(allow hal_camera_default dumpstate_28_0 (fifo_file (write)))
-(allow init_28_0 hal_cas_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_cas_default (process (transition)))
-(allow hal_cas_default hal_cas_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_cas_default (process (noatsecure)))
-(allow init_28_0 hal_cas_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_cas_default_exec process hal_cas_default)
-(typetransition hal_cas_default tmpfs_28_0 file hal_cas_default_tmpfs)
-(allow hal_cas_default hal_cas_default_tmpfs (file (read write getattr map)))
-(allow hal_cas_default tmpfs_28_0 (dir (getattr search)))
-(allow hal_cas_default vndbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_cas_default vndservicemanager_28_0 (binder (call transfer)))
-(allow vndservicemanager_28_0 hal_cas_default (dir (search)))
-(allow vndservicemanager_28_0 hal_cas_default (file (read open)))
-(allow vndservicemanager_28_0 hal_cas_default (process (getattr)))
-(allow init_28_0 hal_configstore_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_configstore_default (process (transition)))
-(allow hal_configstore_default hal_configstore_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_configstore_default (process (noatsecure)))
-(allow init_28_0 hal_configstore_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_configstore_default_exec process hal_configstore_default)
-(typetransition hal_configstore_default tmpfs_28_0 file hal_configstore_default_tmpfs)
-(allow hal_configstore_default hal_configstore_default_tmpfs (file (read write getattr map)))
-(allow hal_configstore_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_confirmationui_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_confirmationui_default (process (transition)))
-(allow hal_confirmationui_default hal_confirmationui_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_confirmationui_default (process (noatsecure)))
-(allow init_28_0 hal_confirmationui_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_confirmationui_default_exec process hal_confirmationui_default)
-(typetransition hal_confirmationui_default tmpfs_28_0 file hal_confirmationui_default_tmpfs)
-(allow hal_confirmationui_default hal_confirmationui_default_tmpfs (file (read write getattr map)))
-(allow hal_confirmationui_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_contexthub_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_contexthub_default (process (transition)))
-(allow hal_contexthub_default hal_contexthub_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_contexthub_default (process (noatsecure)))
-(allow init_28_0 hal_contexthub_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_contexthub_default_exec process hal_contexthub_default)
-(typetransition hal_contexthub_default tmpfs_28_0 file hal_contexthub_default_tmpfs)
-(allow hal_contexthub_default hal_contexthub_default_tmpfs (file (read write getattr map)))
-(allow hal_contexthub_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_drm_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_drm_default (process (transition)))
-(allow hal_drm_default hal_drm_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_drm_default (process (noatsecure)))
-(allow init_28_0 hal_drm_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_drm_default_exec process hal_drm_default)
-(typetransition hal_drm_default tmpfs_28_0 file hal_drm_default_tmpfs)
-(allow hal_drm_default hal_drm_default_tmpfs (file (read write getattr map)))
-(allow hal_drm_default tmpfs_28_0 (dir (getattr search)))
-(allow hal_drm_default mediacodec_28_0 (fd (use)))
-(allow hal_drm_default base_typeattr_43_28_0 (fd (use)))
-(allow hal_drm_default hal_allocator_server (fd (use)))
-(allow init_28_0 hal_dumpstate_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_dumpstate_default (process (transition)))
-(allow hal_dumpstate_default hal_dumpstate_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_dumpstate_default (process (noatsecure)))
-(allow init_28_0 hal_dumpstate_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_dumpstate_default_exec process hal_dumpstate_default)
-(typetransition hal_dumpstate_default tmpfs_28_0 file hal_dumpstate_default_tmpfs)
-(allow hal_dumpstate_default hal_dumpstate_default_tmpfs (file (read write getattr map)))
-(allow hal_dumpstate_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_evs_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_evs_default (process (transition)))
-(allow hal_evs_default hal_evs_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_evs_default (process (noatsecure)))
-(allow init_28_0 hal_evs_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_evs_default_exec process hal_evs_default)
-(typetransition hal_evs_default tmpfs_28_0 file hal_evs_default_tmpfs)
-(allow hal_evs_default hal_evs_default_tmpfs (file (read write getattr map)))
-(allow hal_evs_default tmpfs_28_0 (dir (getattr search)))
-(allow hal_evs_default hal_graphics_allocator_default (fd (use)))
-(allow init_28_0 hal_fingerprint_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_fingerprint_default (process (transition)))
-(allow hal_fingerprint_default hal_fingerprint_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_fingerprint_default (process (noatsecure)))
-(allow init_28_0 hal_fingerprint_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_fingerprint_default_exec process hal_fingerprint_default)
-(typetransition hal_fingerprint_default tmpfs_28_0 file hal_fingerprint_default_tmpfs)
-(allow hal_fingerprint_default hal_fingerprint_default_tmpfs (file (read write getattr map)))
-(allow hal_fingerprint_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_gatekeeper_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_gatekeeper_default (process (transition)))
-(allow hal_gatekeeper_default hal_gatekeeper_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_gatekeeper_default (process (noatsecure)))
-(allow init_28_0 hal_gatekeeper_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_gatekeeper_default_exec process hal_gatekeeper_default)
-(typetransition hal_gatekeeper_default tmpfs_28_0 file hal_gatekeeper_default_tmpfs)
-(allow hal_gatekeeper_default hal_gatekeeper_default_tmpfs (file (read write getattr map)))
-(allow hal_gatekeeper_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_gnss_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_gnss_default (process (transition)))
-(allow hal_gnss_default hal_gnss_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_gnss_default (process (noatsecure)))
-(allow init_28_0 hal_gnss_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_gnss_default_exec process hal_gnss_default)
-(typetransition hal_gnss_default tmpfs_28_0 file hal_gnss_default_tmpfs)
-(allow hal_gnss_default hal_gnss_default_tmpfs (file (read write getattr map)))
-(allow hal_gnss_default tmpfs_28_0 (dir (getattr search)))
-(allow hal_gnss system_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow hal_gnss system_file_28_0 (file (ioctl read getattr lock map open)))
-(allow hal_gnss system_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 hal_graphics_allocator_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_graphics_allocator_default (process (transition)))
-(allow hal_graphics_allocator_default hal_graphics_allocator_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_graphics_allocator_default (process (noatsecure)))
-(allow init_28_0 hal_graphics_allocator_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_graphics_allocator_default_exec process hal_graphics_allocator_default)
-(typetransition hal_graphics_allocator_default tmpfs_28_0 file hal_graphics_allocator_default_tmpfs)
-(allow hal_graphics_allocator_default hal_graphics_allocator_default_tmpfs (file (read write getattr map)))
-(allow hal_graphics_allocator_default tmpfs_28_0 (dir (getattr search)))
-(dontaudit hal_graphics_allocator_default unlabeled_28_0 (dir (search)))
-(allow init_28_0 hal_graphics_composer_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_graphics_composer_default (process (transition)))
-(allow hal_graphics_composer_default hal_graphics_composer_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_graphics_composer_default (process (noatsecure)))
-(allow init_28_0 hal_graphics_composer_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_graphics_composer_default_exec process hal_graphics_composer_default)
-(typetransition hal_graphics_composer_default tmpfs_28_0 file hal_graphics_composer_default_tmpfs)
-(allow hal_graphics_composer_default hal_graphics_composer_default_tmpfs (file (read write getattr map)))
-(allow hal_graphics_composer_default tmpfs_28_0 (dir (getattr search)))
-(dontaudit hal_graphics_composer_default unlabeled_28_0 (dir (search)))
-(allow init_28_0 hal_health_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_health_default (process (transition)))
-(allow hal_health_default hal_health_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_health_default (process (noatsecure)))
-(allow init_28_0 hal_health_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_health_default_exec process hal_health_default)
-(typetransition hal_health_default tmpfs_28_0 file hal_health_default_tmpfs)
-(allow hal_health_default hal_health_default_tmpfs (file (read write getattr map)))
-(allow hal_health_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_ir_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_ir_default (process (transition)))
-(allow hal_ir_default hal_ir_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_ir_default (process (noatsecure)))
-(allow init_28_0 hal_ir_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_ir_default_exec process hal_ir_default)
-(typetransition hal_ir_default tmpfs_28_0 file hal_ir_default_tmpfs)
-(allow hal_ir_default hal_ir_default_tmpfs (file (read write getattr map)))
-(allow hal_ir_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_keymaster_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_keymaster_default (process (transition)))
-(allow hal_keymaster_default hal_keymaster_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_keymaster_default (process (noatsecure)))
-(allow init_28_0 hal_keymaster_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_keymaster_default_exec process hal_keymaster_default)
-(typetransition hal_keymaster_default tmpfs_28_0 file hal_keymaster_default_tmpfs)
-(allow hal_keymaster_default hal_keymaster_default_tmpfs (file (read write getattr map)))
-(allow hal_keymaster_default tmpfs_28_0 (dir (getattr search)))
-(allow hal_keymaster_default vendor_security_patch_level_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow init_28_0 hal_light_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_light_default (process (transition)))
-(allow hal_light_default hal_light_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_light_default (process (noatsecure)))
-(allow init_28_0 hal_light_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_light_default_exec process hal_light_default)
-(typetransition hal_light_default tmpfs_28_0 file hal_light_default_tmpfs)
-(allow hal_light_default hal_light_default_tmpfs (file (read write getattr map)))
-(allow hal_light_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_lowpan_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_lowpan_default (process (transition)))
-(allow hal_lowpan_default hal_lowpan_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_lowpan_default (process (noatsecure)))
-(allow init_28_0 hal_lowpan_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_lowpan_default_exec process hal_lowpan_default)
-(typetransition hal_lowpan_default tmpfs_28_0 file hal_lowpan_default_tmpfs)
-(allow hal_lowpan_default hal_lowpan_default_tmpfs (file (read write getattr map)))
-(allow hal_lowpan_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_memtrack_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_memtrack_default (process (transition)))
-(allow hal_memtrack_default hal_memtrack_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_memtrack_default (process (noatsecure)))
-(allow init_28_0 hal_memtrack_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_memtrack_default_exec process hal_memtrack_default)
-(typetransition hal_memtrack_default tmpfs_28_0 file hal_memtrack_default_tmpfs)
-(allow hal_memtrack_default hal_memtrack_default_tmpfs (file (read write getattr map)))
-(allow hal_memtrack_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_nfc_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_nfc_default (process (transition)))
-(allow hal_nfc_default hal_nfc_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_nfc_default (process (noatsecure)))
-(allow init_28_0 hal_nfc_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_nfc_default_exec process hal_nfc_default)
-(typetransition hal_nfc_default tmpfs_28_0 file hal_nfc_default_tmpfs)
-(allow hal_nfc_default hal_nfc_default_tmpfs (file (read write getattr map)))
-(allow hal_nfc_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 mediacodec_exec_28_0 (file (read getattr map execute open)))
-(allow init_28_0 mediacodec_28_0 (process (transition)))
-(allow mediacodec_28_0 mediacodec_exec_28_0 (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 mediacodec_28_0 (process (noatsecure)))
-(allow init_28_0 mediacodec_28_0 (process (siginh rlimitinh)))
-(typetransition init_28_0 mediacodec_exec_28_0 process mediacodec)
-(typetransition mediacodec_28_0 tmpfs_28_0 file mediacodec_tmpfs)
-(allow mediacodec_28_0 mediacodec_tmpfs (file (read write getattr map)))
-(allow mediacodec_28_0 tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_power_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_power_default (process (transition)))
-(allow hal_power_default hal_power_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_power_default (process (noatsecure)))
-(allow init_28_0 hal_power_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_power_default_exec process hal_power_default)
-(typetransition hal_power_default tmpfs_28_0 file hal_power_default_tmpfs)
-(allow hal_power_default hal_power_default_tmpfs (file (read write getattr map)))
-(allow hal_power_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_radio_config_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_radio_config_default (process (transition)))
-(allow hal_radio_config_default hal_radio_config_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_radio_config_default (process (noatsecure)))
-(allow init_28_0 hal_radio_config_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_radio_config_default_exec process hal_radio_config_default)
-(typetransition hal_radio_config_default tmpfs_28_0 file hal_radio_config_default_tmpfs)
-(allow hal_radio_config_default hal_radio_config_default_tmpfs (file (read write getattr map)))
-(allow hal_radio_config_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_radio_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_radio_default (process (transition)))
-(allow hal_radio_default hal_radio_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_radio_default (process (noatsecure)))
-(allow init_28_0 hal_radio_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_radio_default_exec process hal_radio_default)
-(typetransition hal_radio_default tmpfs_28_0 file hal_radio_default_tmpfs)
-(allow hal_radio_default hal_radio_default_tmpfs (file (read write getattr map)))
-(allow hal_radio_default tmpfs_28_0 (dir (getattr search)))
-(allow hal_secure_element_default secure_element_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow init_28_0 hal_secure_element_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_secure_element_default (process (transition)))
-(allow hal_secure_element_default hal_secure_element_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_secure_element_default (process (noatsecure)))
-(allow init_28_0 hal_secure_element_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_secure_element_default_exec process hal_secure_element_default)
-(typetransition hal_secure_element_default tmpfs_28_0 file hal_secure_element_default_tmpfs)
-(allow hal_secure_element_default hal_secure_element_default_tmpfs (file (read write getattr map)))
-(allow hal_secure_element_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_sensors_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_sensors_default (process (transition)))
-(allow hal_sensors_default hal_sensors_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_sensors_default (process (noatsecure)))
-(allow init_28_0 hal_sensors_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_sensors_default_exec process hal_sensors_default)
-(typetransition hal_sensors_default tmpfs_28_0 file hal_sensors_default_tmpfs)
-(allow hal_sensors_default hal_sensors_default_tmpfs (file (read write getattr map)))
-(allow hal_sensors_default tmpfs_28_0 (dir (getattr search)))
-(allow hal_sensors_default fwk_scheduler_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_sensors_default hal_graphics_allocator_default (fd (use)))
-(allow hal_sensors_default ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow hal_sensors_default sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow hal_sensors_default self (capability2 (block_suspend)))
-(allow hal_sensors_default self (cap2_userns (block_suspend)))
-(allow init_28_0 hal_tetheroffload_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_tetheroffload_default (process (transition)))
-(allow hal_tetheroffload_default hal_tetheroffload_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_tetheroffload_default (process (noatsecure)))
-(allow init_28_0 hal_tetheroffload_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_tetheroffload_default_exec process hal_tetheroffload_default)
-(typetransition hal_tetheroffload_default tmpfs_28_0 file hal_tetheroffload_default_tmpfs)
-(allow hal_tetheroffload_default hal_tetheroffload_default_tmpfs (file (read write getattr map)))
-(allow hal_tetheroffload_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_thermal_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_thermal_default (process (transition)))
-(allow hal_thermal_default hal_thermal_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_thermal_default (process (noatsecure)))
-(allow init_28_0 hal_thermal_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_thermal_default_exec process hal_thermal_default)
-(typetransition hal_thermal_default tmpfs_28_0 file hal_thermal_default_tmpfs)
-(allow hal_thermal_default hal_thermal_default_tmpfs (file (read write getattr map)))
-(allow hal_thermal_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_tv_cec_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_tv_cec_default (process (transition)))
-(allow hal_tv_cec_default hal_tv_cec_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_tv_cec_default (process (noatsecure)))
-(allow init_28_0 hal_tv_cec_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_tv_cec_default_exec process hal_tv_cec_default)
-(typetransition hal_tv_cec_default tmpfs_28_0 file hal_tv_cec_default_tmpfs)
-(allow hal_tv_cec_default hal_tv_cec_default_tmpfs (file (read write getattr map)))
-(allow hal_tv_cec_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_tv_input_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_tv_input_default (process (transition)))
-(allow hal_tv_input_default hal_tv_input_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_tv_input_default (process (noatsecure)))
-(allow init_28_0 hal_tv_input_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_tv_input_default_exec process hal_tv_input_default)
-(typetransition hal_tv_input_default tmpfs_28_0 file hal_tv_input_default_tmpfs)
-(allow hal_tv_input_default hal_tv_input_default_tmpfs (file (read write getattr map)))
-(allow hal_tv_input_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_usb_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_usb_default (process (transition)))
-(allow hal_usb_default hal_usb_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_usb_default (process (noatsecure)))
-(allow init_28_0 hal_usb_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_usb_default_exec process hal_usb_default)
-(typetransition hal_usb_default tmpfs_28_0 file hal_usb_default_tmpfs)
-(allow hal_usb_default hal_usb_default_tmpfs (file (read write getattr map)))
-(allow hal_usb_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_vehicle_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_vehicle_default (process (transition)))
-(allow hal_vehicle_default hal_vehicle_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_vehicle_default (process (noatsecure)))
-(allow init_28_0 hal_vehicle_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_vehicle_default_exec process hal_vehicle_default)
-(typetransition hal_vehicle_default tmpfs_28_0 file hal_vehicle_default_tmpfs)
-(allow hal_vehicle_default hal_vehicle_default_tmpfs (file (read write getattr map)))
-(allow hal_vehicle_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_vibrator_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_vibrator_default (process (transition)))
-(allow hal_vibrator_default hal_vibrator_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_vibrator_default (process (noatsecure)))
-(allow init_28_0 hal_vibrator_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_vibrator_default_exec process hal_vibrator_default)
-(typetransition hal_vibrator_default tmpfs_28_0 file hal_vibrator_default_tmpfs)
-(allow hal_vibrator_default hal_vibrator_default_tmpfs (file (read write getattr map)))
-(allow hal_vibrator_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_vr_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_vr_default (process (transition)))
-(allow hal_vr_default hal_vr_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_vr_default (process (noatsecure)))
-(allow init_28_0 hal_vr_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_vr_default_exec process hal_vr_default)
-(typetransition hal_vr_default tmpfs_28_0 file hal_vr_default_tmpfs)
-(allow hal_vr_default hal_vr_default_tmpfs (file (read write getattr map)))
-(allow hal_vr_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_wifi_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_wifi_default (process (transition)))
-(allow hal_wifi_default hal_wifi_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_wifi_default (process (noatsecure)))
-(allow init_28_0 hal_wifi_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_wifi_default_exec process hal_wifi_default)
-(typetransition hal_wifi_default tmpfs_28_0 file hal_wifi_default_tmpfs)
-(allow hal_wifi_default hal_wifi_default_tmpfs (file (read write getattr map)))
-(allow hal_wifi_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_wifi_hostapd_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_wifi_hostapd_default (process (transition)))
-(allow hal_wifi_hostapd_default hal_wifi_hostapd_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_wifi_hostapd_default (process (noatsecure)))
-(allow init_28_0 hal_wifi_hostapd_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_wifi_hostapd_default_exec process hal_wifi_hostapd_default)
-(typetransition hal_wifi_hostapd_default tmpfs_28_0 file hal_wifi_hostapd_default_tmpfs)
-(allow hal_wifi_hostapd_default hal_wifi_hostapd_default_tmpfs (file (read write getattr map)))
-(allow hal_wifi_hostapd_default tmpfs_28_0 (dir (getattr search)))
-(allow hal_wifi_hostapd_default hostapd_data_file (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_wifi_hostapd_default hostapd_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_wifi_hostapd_default hostapd_data_file (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow init_28_0 hal_wifi_offload_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_wifi_offload_default (process (transition)))
-(allow hal_wifi_offload_default hal_wifi_offload_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_wifi_offload_default (process (noatsecure)))
-(allow init_28_0 hal_wifi_offload_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_wifi_offload_default_exec process hal_wifi_offload_default)
-(typetransition hal_wifi_offload_default tmpfs_28_0 file hal_wifi_offload_default_tmpfs)
-(allow hal_wifi_offload_default hal_wifi_offload_default_tmpfs (file (read write getattr map)))
-(allow hal_wifi_offload_default tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 hal_wifi_supplicant_default_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_wifi_supplicant_default (process (transition)))
-(allow hal_wifi_supplicant_default hal_wifi_supplicant_default_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_wifi_supplicant_default (process (noatsecure)))
-(allow init_28_0 hal_wifi_supplicant_default (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_wifi_supplicant_default_exec process hal_wifi_supplicant_default)
-(typetransition hal_wifi_supplicant_default tmpfs_28_0 file hal_wifi_supplicant_default_tmpfs)
-(allow hal_wifi_supplicant_default hal_wifi_supplicant_default_tmpfs (file (read write getattr map)))
-(allow hal_wifi_supplicant_default tmpfs_28_0 (dir (getattr search)))
-(allow hal_wifi_supplicant_default proc_net_28_0 (file (write)))
-(allow hal_wifi_supplicant_default hwservicemanager_28_0 (binder (call transfer)))
-(allow hwservicemanager_28_0 hal_wifi_supplicant_default (binder (call transfer)))
-(allow hwservicemanager_28_0 hal_wifi_supplicant_default (dir (search)))
-(allow hwservicemanager_28_0 hal_wifi_supplicant_default (file (read open)))
-(allow hwservicemanager_28_0 hal_wifi_supplicant_default (process (getattr)))
-(allow hal_wifi_supplicant_default system_wifi_keystore_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_wifi_supplicant_default wifi_keystore_service_server (binder (call transfer)))
-(allow wifi_keystore_service_server hal_wifi_supplicant_default (binder (transfer)))
-(allow hal_wifi_supplicant_default wifi_keystore_service_server (fd (use)))
-(allow hal_wifi_supplicant_default wpa_data_file (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_wifi_supplicant_default wpa_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_wifi_supplicant_default wpa_data_file (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_wifi_supplicant_default device_logging_prop_28_0 (file (ioctl read getattr lock map open)))
-(dontaudit hal_wifi_supplicant_default wifi_data_file_28_0 (dir (search)))
-(allow init_28_0 rild_exec (file (read getattr map execute open)))
-(allow init_28_0 rild (process (transition)))
-(allow rild rild_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 rild (process (noatsecure)))
-(allow init_28_0 rild (process (siginh rlimitinh)))
-(typetransition init_28_0 rild_exec process rild)
-(typetransition rild tmpfs_28_0 file rild_tmpfs)
-(allow rild rild_tmpfs (file (read write getattr map)))
-(allow rild tmpfs_28_0 (dir (getattr search)))
-(allow init_28_0 tee_exec (file (read getattr map execute open)))
-(allow init_28_0 tee_28_0 (process (transition)))
-(allow tee_28_0 tee_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 tee_28_0 (process (noatsecure)))
-(allow init_28_0 tee_28_0 (process (siginh rlimitinh)))
-(typetransition init_28_0 tee_exec process tee)
-(typetransition tee_28_0 tmpfs_28_0 file tee_tmpfs)
-(allow tee_28_0 tee_tmpfs (file (read write getattr map)))
-(allow tee_28_0 tmpfs_28_0 (dir (getattr search)))
-(allow tee_28_0 self (capability (dac_override)))
-(allow tee_28_0 self (cap_userns (dac_override)))
-(allow tee_28_0 tee_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow tee_28_0 tee_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow tee_28_0 tee_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow tee_28_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow tee_28_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow tee_28_0 ion_device_28_0 (chr_file (ioctl read getattr lock map open)))
-(allow tee_28_0 sysfs_type (dir (ioctl read getattr lock search open)))
-(allow tee_28_0 sysfs_type (file (ioctl read getattr lock map open)))
-(allow tee_28_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
-(allow tee_28_0 system_data_file_28_0 (file (read getattr)))
-(allow tee_28_0 system_data_file_28_0 (lnk_file (read getattr)))
-(allow init_28_0 vendor_toolbox_exec_28_0 (file (read getattr map execute open)))
-(allow init_28_0 vendor_modprobe (process (transition)))
-(allow vendor_modprobe vendor_toolbox_exec_28_0 (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 vendor_modprobe (process (noatsecure)))
-(allow init_28_0 vendor_modprobe (process (siginh rlimitinh)))
-(allow vendor_modprobe proc_modules_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_modprobe self (capability (sys_module)))
-(allow vendor_modprobe self (cap_userns (sys_module)))
-(allow vendor_modprobe kernel_28_0 (key (search)))
-(allow vendor_modprobe vendor_file_28_0 (system (module_load)))
-(allow vendor_modprobe vendor_file_28_0 (dir (ioctl read getattr lock search open)))
-(allow vendor_modprobe vendor_file_28_0 (file (ioctl read getattr lock map open)))
-(allow vendor_modprobe vendor_file_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow init_28_0 vndservicemanager_exec (file (read getattr map execute open)))
-(allow init_28_0 vndservicemanager_28_0 (process (transition)))
-(allow vndservicemanager_28_0 vndservicemanager_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 vndservicemanager_28_0 (process (noatsecure)))
-(allow init_28_0 vndservicemanager_28_0 (process (siginh rlimitinh)))
-(typetransition init_28_0 vndservicemanager_exec process vndservicemanager)
-(typetransition vndservicemanager_28_0 tmpfs_28_0 file vndservicemanager_tmpfs)
-(allow vndservicemanager_28_0 vndservicemanager_tmpfs (file (read write getattr map)))
-(allow vndservicemanager_28_0 tmpfs_28_0 (dir (getattr search)))
-(allow vndservicemanager_28_0 self (binder (set_context_mgr)))
-(allow vndservicemanager_28_0 base_typeattr_304_28_0 (binder (transfer)))
-(allow vndservicemanager_28_0 vndbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow vndservicemanager_28_0 vndservice_contexts_file_28_0 (file (ioctl read getattr lock map open)))
-(allow vndservicemanager_28_0 selinuxfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow vndservicemanager_28_0 selinuxfs_28_0 (file (ioctl read getattr lock map open)))
-(allow vndservicemanager_28_0 selinuxfs_28_0 (lnk_file (ioctl read getattr lock map open)))
-(allow vndservicemanager_28_0 selinuxfs_28_0 (file (write lock append map open)))
-(allow vndservicemanager_28_0 kernel_28_0 (security (compute_av)))
-(allow vndservicemanager_28_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
-(allow adbd_28_0 property_socket_28_0 (sock_file (write)))
-(allow adbd_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow adbd_28_0 ctl_mdnsd_prop_28_0 (property_service (set)))
-(allow adbd_28_0 ctl_mdnsd_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow audioserver_28_0 bootanim_28_0 (binder (call)))
-(allow bootanim_28_0 self (process (execmem)))
-(allow bootanim_28_0 ashmem_device_28_0 (chr_file (execute)))
-(dontaudit bootanim_28_0 system_data_file_28_0 (dir (read)))
-(allow bootanim_28_0 graphics_device_28_0 (chr_file (ioctl read open)))
-(allow bootanim_28_0 property_socket_28_0 (sock_file (write)))
-(allow bootanim_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow bootanim_28_0 qemu_prop (property_service (set)))
-(allow bootanim_28_0 qemu_prop (file (ioctl read getattr lock map open)))
-(allow cameraserver_28_0 system_file_28_0 (dir (read open)))
-(allow cameraserver_28_0 hal_allocator (fd (use)))
-(allow init_28_0 createns_exec (file (read getattr map execute open)))
-(allow init_28_0 createns (process (transition)))
-(allow createns createns_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 createns (process (noatsecure)))
-(allow init_28_0 createns (process (siginh rlimitinh)))
-(typetransition init_28_0 createns_exec process createns)
-(typetransition createns tmpfs_28_0 file createns_tmpfs)
-(allow createns createns_tmpfs (file (read write getattr map)))
-(allow createns tmpfs_28_0 (dir (getattr search)))
-(allow createns self (capability (setgid setuid net_raw sys_admin)))
-(allow createns varrun_file (dir (write add_name search)))
-(allow createns varrun_file (file (read write create mounton open)))
-(allow goldfish_setup createns_exec (file (read getattr map execute open)))
-(allow goldfish_setup createns (process (transition)))
-(allow createns createns_exec (file (read getattr map execute entrypoint open)))
-(allow createns goldfish_setup (process (sigchld)))
-(dontaudit goldfish_setup createns (process (noatsecure)))
-(allow goldfish_setup createns (process (siginh rlimitinh)))
-(typetransition goldfish_setup createns_exec process createns)
-(allow createns goldfish_setup (fd (use)))
-(allow init_28_0 dhcpclient_exec (file (read getattr map execute open)))
-(allow init_28_0 dhcpclient (process (transition)))
-(allow dhcpclient dhcpclient_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 dhcpclient (process (noatsecure)))
-(allow init_28_0 dhcpclient (process (siginh rlimitinh)))
-(typetransition init_28_0 dhcpclient_exec process dhcpclient)
-(typetransition dhcpclient tmpfs_28_0 file dhcpclient_tmpfs)
-(allow dhcpclient dhcpclient_tmpfs (file (read write getattr map)))
-(allow dhcpclient tmpfs_28_0 (dir (getattr search)))
-(allow dhcpclient execns (fd (use)))
-(allow dhcpclient property_socket_28_0 (sock_file (write)))
-(allow dhcpclient init_28_0 (unix_stream_socket (connectto)))
-(allow dhcpclient net_eth0_prop (property_service (set)))
-(allow dhcpclient net_eth0_prop (file (ioctl read getattr lock map open)))
-(allow dhcpclient self (capability (net_admin net_raw)))
-(allow dhcpclient self (udp_socket (create)))
-(allow dhcpclient self (netlink_route_socket (write nlmsg_write)))
-(allow dhcpclient varrun_file (dir (search)))
-(allow dhcpclient self (packet_socket (read write create bind)))
-(allowx dhcpclient self (ioctl udp_socket (0x8914 0x8916 0x891c 0x8922 0x8927)))
-(allow init_28_0 dhcpserver_exec (file (read getattr map execute open)))
-(allow init_28_0 dhcpserver (process (transition)))
-(allow dhcpserver dhcpserver_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 dhcpserver (process (noatsecure)))
-(allow init_28_0 dhcpserver (process (siginh rlimitinh)))
-(typetransition init_28_0 dhcpserver_exec process dhcpserver)
-(typetransition dhcpserver tmpfs_28_0 file dhcpserver_tmpfs)
-(allow dhcpserver dhcpserver_tmpfs (file (read write getattr map)))
-(allow dhcpserver tmpfs_28_0 (dir (getattr search)))
-(allow dhcpserver execns (fd (use)))
-(allow dhcpserver net_eth0_prop (file (ioctl read getattr lock map open)))
-(allow dhcpserver self (udp_socket (ioctl create bind setopt)))
-(allow dhcpserver self (capability (net_bind_service net_raw)))
-(allow domain qemu_device (chr_file (ioctl read write getattr lock append map open)))
-(allow domain qemu_prop (file (ioctl read getattr lock map open)))
-(allow init_28_0 execns_exec (file (read getattr map execute open)))
-(allow init_28_0 execns (process (transition)))
-(allow execns execns_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 execns (process (noatsecure)))
-(allow init_28_0 execns (process (siginh rlimitinh)))
-(typetransition init_28_0 execns_exec process execns)
-(typetransition execns tmpfs_28_0 file execns_tmpfs)
-(allow execns execns_tmpfs (file (read write getattr map)))
-(allow execns tmpfs_28_0 (dir (getattr search)))
-(allow execns varrun_file (dir (search)))
-(allow execns varrun_file (file (ioctl read getattr lock map open)))
-(allow execns self (capability (setgid setuid sys_admin)))
-(allow execns nsfs (file (read open)))
-(allow init_28_0 execns_exec (file (read getattr map execute open)))
-(allow init_28_0 execns (process (transition)))
-(allow execns execns_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 execns (process (noatsecure)))
-(allow init_28_0 execns (process (siginh rlimitinh)))
-(typetransition init_28_0 execns_exec process execns)
-(allow execns dhcpclient_exec (file (read getattr map execute open)))
-(allow execns dhcpclient (process (transition)))
-(allow dhcpclient dhcpclient_exec (file (read getattr map execute entrypoint open)))
-(allow dhcpclient execns (process (sigchld)))
-(dontaudit execns dhcpclient (process (noatsecure)))
-(allow execns dhcpclient (process (siginh rlimitinh)))
-(typetransition execns dhcpclient_exec process dhcpclient)
-(allow execns dhcpserver_exec (file (read getattr map execute open)))
-(allow execns dhcpserver (process (transition)))
-(allow dhcpserver dhcpserver_exec (file (read getattr map execute entrypoint open)))
-(allow dhcpserver execns (process (sigchld)))
-(dontaudit execns dhcpserver (process (noatsecure)))
-(allow execns dhcpserver (process (siginh rlimitinh)))
-(typetransition execns dhcpserver_exec process dhcpserver)
-(allow execns hostapd_nohidl_exec (file (read getattr map execute open)))
-(allow execns hostapd_nohidl (process (transition)))
-(allow hostapd_nohidl hostapd_nohidl_exec (file (read getattr map execute entrypoint open)))
-(allow hostapd_nohidl execns (process (sigchld)))
-(dontaudit execns hostapd_nohidl (process (noatsecure)))
-(allow execns hostapd_nohidl (process (siginh rlimitinh)))
-(typetransition execns hostapd_nohidl_exec process hostapd_nohidl)
-(allow execns createns (file (read)))
-(allow execns createns (dir (search)))
-(allow execns createns (lnk_file (read)))
-(allow init_28_0 goldfish_setup_exec (file (read getattr map execute open)))
-(allow init_28_0 goldfish_setup (process (transition)))
-(allow goldfish_setup goldfish_setup_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 goldfish_setup (process (noatsecure)))
-(allow init_28_0 goldfish_setup (process (siginh rlimitinh)))
-(typetransition init_28_0 goldfish_setup_exec process goldfish_setup)
-(typetransition goldfish_setup tmpfs_28_0 file goldfish_setup_tmpfs)
-(allow goldfish_setup goldfish_setup_tmpfs (file (read write getattr map)))
-(allow goldfish_setup tmpfs_28_0 (dir (getattr search)))
-(allow goldfish_setup self (capability (net_admin net_raw)))
-(allow goldfish_setup self (udp_socket (ioctl create)))
-(allow goldfish_setup vendor_toolbox_exec_28_0 (file (execute_no_trans)))
-(allowx goldfish_setup self (ioctl udp_socket (0x6900 0x6902)))
-(allowx goldfish_setup self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx goldfish_setup self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(allow goldfish_setup sysfs_wake_lock_28_0 (file (ioctl read write getattr lock append map open)))
-(allow goldfish_setup self (capability2 (block_suspend)))
-(allow goldfish_setup self (cap2_userns (block_suspend)))
-(allow goldfish_setup vendor_shell_exec_28_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow goldfish_setup property_socket_28_0 (sock_file (write)))
-(allow goldfish_setup init_28_0 (unix_stream_socket (connectto)))
-(allow goldfish_setup ctl_default_prop_28_0 (property_service (set)))
-(allow goldfish_setup ctl_default_prop_28_0 (file (ioctl read getattr lock map open)))
-(allow goldfish_setup self (netlink_route_socket (read write create getattr bind setopt nlmsg_read nlmsg_write)))
-(allow goldfish_setup self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
-(allow goldfish_setup self (capability (sys_module sys_admin)))
-(allow goldfish_setup varrun_file (dir (read write mounton add_name remove_name search open)))
-(allow goldfish_setup varrun_file (file (read write create getattr unlink mounton open)))
-(allow goldfish_setup execns_exec (file (ioctl read getattr lock map execute execute_no_trans open)))
-(allow goldfish_setup proc_net_28_0 (file (ioctl read write getattr lock append map open)))
-(allow goldfish_setup proc_28_0 (file (ioctl read getattr lock map open)))
-(allow goldfish_setup nsfs (file (ioctl read getattr lock map open)))
-(allow goldfish_setup system_data_file_28_0 (dir (getattr)))
-(allow goldfish_setup kernel_28_0 (system (module_request)))
-(allow goldfish_setup property_socket_28_0 (sock_file (write)))
-(allow goldfish_setup init_28_0 (unix_stream_socket (connectto)))
-(allow goldfish_setup qemu_prop (property_service (set)))
-(allow goldfish_setup qemu_prop (file (ioctl read getattr lock map open)))
-(allow goldfish_setup net_share_prop (file (ioctl read getattr lock map open)))
-(allow goldfish_setup system_file_28_0 (file (execute_no_trans)))
-(allow goldfish_setup goldfish_setup_exec (file (execute_no_trans)))
-(allow goldfish_setup createns_exec (file (read getattr map execute open)))
-(allow goldfish_setup createns (process (transition)))
-(allow createns createns_exec (file (read getattr map execute entrypoint open)))
-(allow createns goldfish_setup (process (sigchld)))
-(dontaudit goldfish_setup createns (process (noatsecure)))
-(allow goldfish_setup createns (process (siginh rlimitinh)))
-(typetransition goldfish_setup createns_exec process createns)
-(allow goldfish_setup sysfs_28_0 (file (read open)))
-(allow goldfish_setup system_file_28_0 (file (lock)))
-(allow goldfish_setup self (rawip_socket (create getopt setopt)))
-(allow goldfish_setup createns (file (read)))
-(allow goldfish_setup createns (dir (search)))
-(allow goldfish_setup createns (lnk_file (read)))
-(allow hal_camera_default vndbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_camera_default vndservicemanager_28_0 (binder (call transfer)))
-(allow vndservicemanager_28_0 hal_camera_default (dir (search)))
-(allow vndservicemanager_28_0 hal_camera_default (file (read open)))
-(allow vndservicemanager_28_0 hal_camera_default (process (getattr)))
-(allow hal_camera_default hal_graphics_mapper_hwservice_28_0 (hwservice_manager (find)))
-(allow hal_cas_default vndbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_cas_default vndservicemanager_28_0 (binder (call transfer)))
-(allow vndservicemanager_28_0 hal_cas_default (dir (search)))
-(allow vndservicemanager_28_0 hal_cas_default (file (read open)))
-(allow vndservicemanager_28_0 hal_cas_default (process (getattr)))
-(allow init_28_0 hal_drm_clearkey_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_drm_clearkey (process (transition)))
-(allow hal_drm_clearkey hal_drm_clearkey_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_drm_clearkey (process (noatsecure)))
-(allow init_28_0 hal_drm_clearkey (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_drm_clearkey_exec process hal_drm_clearkey)
-(typetransition hal_drm_clearkey tmpfs_28_0 file hal_drm_clearkey_tmpfs)
-(allow hal_drm_clearkey hal_drm_clearkey_tmpfs (file (read write getattr map)))
-(allow hal_drm_clearkey tmpfs_28_0 (dir (getattr search)))
-(allow hal_drm_clearkey vndbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_drm_clearkey vndservicemanager_28_0 (binder (call transfer)))
-(allow vndservicemanager_28_0 hal_drm_clearkey (dir (search)))
-(allow vndservicemanager_28_0 hal_drm_clearkey (file (read open)))
-(allow vndservicemanager_28_0 hal_drm_clearkey (process (getattr)))
-(allow hal_drm_clearkey base_typeattr_43_28_0 (fd (use)))
-(allow hal_drm_default vndbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_drm_default vndservicemanager_28_0 (binder (call transfer)))
-(allow vndservicemanager_28_0 hal_drm_default (dir (search)))
-(allow vndservicemanager_28_0 hal_drm_default (file (read open)))
-(allow vndservicemanager_28_0 hal_drm_default (process (getattr)))
-(allow init_28_0 hal_drm_widevine_exec (file (read getattr map execute open)))
-(allow init_28_0 hal_drm_widevine (process (transition)))
-(allow hal_drm_widevine hal_drm_widevine_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hal_drm_widevine (process (noatsecure)))
-(allow init_28_0 hal_drm_widevine (process (siginh rlimitinh)))
-(typetransition init_28_0 hal_drm_widevine_exec process hal_drm_widevine)
-(typetransition hal_drm_widevine tmpfs_28_0 file hal_drm_widevine_tmpfs)
-(allow hal_drm_widevine hal_drm_widevine_tmpfs (file (read write getattr map)))
-(allow hal_drm_widevine tmpfs_28_0 (dir (getattr search)))
-(allow hal_drm mediacodec_28_0 (fd (use)))
-(allow hal_drm base_typeattr_43_28_0 (fd (use)))
-(allow hal_drm_widevine vndbinder_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow hal_drm_widevine vndservicemanager_28_0 (binder (call transfer)))
-(allow vndservicemanager_28_0 hal_drm_widevine (dir (search)))
-(allow vndservicemanager_28_0 hal_drm_widevine (file (read open)))
-(allow vndservicemanager_28_0 hal_drm_widevine (process (getattr)))
-(allow hal_drm_widevine hal_allocator_server (fd (use)))
-(allow hal_drm_widevine mediadrm_vendor_data_file (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
-(allow hal_drm_widevine mediadrm_vendor_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_fingerprint_default fingerprintd_data_file_28_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(allow hal_fingerprint_default fingerprintd_data_file_28_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
-(allow hal_gnss_default vndbinder_device_28_0 (chr_file (ioctl read write open)))
-(allow hal_graphics_allocator_default graphics_device_28_0 (dir (search)))
-(allow hal_graphics_allocator_default graphics_device_28_0 (chr_file (ioctl read write open)))
-(allow hal_graphics_composer_default vndbinder_device_28_0 (chr_file (ioctl read write open)))
-(allow hal_wifi_default hal_wifi_default (netlink_route_socket (read write create bind nlmsg_read)))
-(allow healthd_28_0 sysfs_28_0 (dir (ioctl read getattr lock search open)))
-(allow init_28_0 hostapd_nohidl_exec (file (read getattr map execute open)))
-(allow init_28_0 hostapd_nohidl (process (transition)))
-(allow hostapd_nohidl hostapd_nohidl_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 hostapd_nohidl (process (noatsecure)))
-(allow init_28_0 hostapd_nohidl (process (siginh rlimitinh)))
-(typetransition init_28_0 hostapd_nohidl_exec process hostapd_nohidl)
-(typetransition hostapd_nohidl tmpfs_28_0 file hostapd_nohidl_tmpfs)
-(allow hostapd_nohidl hostapd_nohidl_tmpfs (file (read write getattr map)))
-(allow hostapd_nohidl tmpfs_28_0 (dir (getattr search)))
-(allow hostapd_nohidl execns (fd (use)))
-(allow hostapd_nohidl self (capability (net_admin net_raw)))
-(allow hostapd_nohidl self (netlink_generic_socket (read write create getattr bind setopt)))
-(allow hostapd_nohidl self (netlink_route_socket (nlmsg_write)))
-(allow hostapd_nohidl self (packet_socket (create setopt)))
-(allowx hostapd_nohidl self (ioctl udp_socket (0x6900 0x6902)))
-(allowx hostapd_nohidl self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
-(allowx hostapd_nohidl self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
-(dontaudit hostapd_nohidl sysfs_net_28_0 (dir (search)))
-(allow init_28_0 tmpfs_28_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
-(dontaudit init_28_0 kernel_28_0 (system (module_request)))
-(allow init_28_0 ipv6proxy_exec (file (read getattr map execute open)))
-(allow init_28_0 ipv6proxy (process (transition)))
-(allow ipv6proxy ipv6proxy_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 ipv6proxy (process (noatsecure)))
-(allow init_28_0 ipv6proxy (process (siginh rlimitinh)))
-(typetransition init_28_0 ipv6proxy_exec process ipv6proxy)
-(typetransition ipv6proxy tmpfs_28_0 file ipv6proxy_tmpfs)
-(allow ipv6proxy ipv6proxy_tmpfs (file (read write getattr map)))
-(allow ipv6proxy tmpfs_28_0 (dir (getattr search)))
-(allow execns ipv6proxy_exec (file (read getattr map execute open)))
-(allow execns ipv6proxy (process (transition)))
-(allow ipv6proxy ipv6proxy_exec (file (read getattr map execute entrypoint open)))
-(allow ipv6proxy execns (process (sigchld)))
-(dontaudit execns ipv6proxy (process (noatsecure)))
-(allow execns ipv6proxy (process (siginh rlimitinh)))
-(typetransition execns ipv6proxy_exec process ipv6proxy)
-(allow ipv6proxy execns (fd (use)))
-(allow ipv6proxy self (capability (net_admin net_raw sys_module sys_admin)))
-(allow ipv6proxy self (packet_socket (read create bind)))
-(allow ipv6proxy self (netlink_route_socket (nlmsg_write)))
-(allow ipv6proxy varrun_file (dir (search)))
-(allowx ipv6proxy self (ioctl udp_socket (0x8914 0x8927)))
-(allow init_28_0 logcat_exec_28_0 (file (read getattr map execute open)))
-(allow init_28_0 logpersist_28_0 (process (transition)))
-(allow logpersist_28_0 logcat_exec_28_0 (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 logpersist_28_0 (process (noatsecure)))
-(allow init_28_0 logpersist_28_0 (process (siginh rlimitinh)))
-(typetransition init_28_0 logcat_exec_28_0 process logpersist)
-(allow logpersist_28_0 logdr_socket_28_0 (sock_file (write)))
-(allow logpersist_28_0 logd_28_0 (unix_stream_socket (connectto)))
-(allow logpersist_28_0 serial_device_28_0 (chr_file (write open)))
-(allow logpersist_28_0 qemu_cmdline (file (ioctl read getattr lock map open)))
-(allow mediacodec_28_0 system_file_28_0 (dir (read open)))
-(dontaudit netd_28_0 self (capability (sys_module)))
-(dontaudit netd_28_0 kernel_28_0 (system (module_request)))
-(dontaudit priv_app_28_0 firstboot_prop_28_0 (file (getattr open)))
-(dontaudit priv_app_28_0 device_28_0 (dir (read open)))
-(dontaudit priv_app_28_0 proc_interrupts_28_0 (file (read getattr open)))
-(dontaudit priv_app_28_0 proc_modules_28_0 (file (read getattr open)))
-(allow init_28_0 qemu_props_exec (file (read getattr map execute open)))
-(allow init_28_0 qemu_props (process (transition)))
-(allow qemu_props qemu_props_exec (file (read getattr map execute entrypoint open)))
-(dontaudit init_28_0 qemu_props (process (noatsecure)))
-(allow init_28_0 qemu_props (process (siginh rlimitinh)))
-(typetransition init_28_0 qemu_props_exec process qemu_props)
-(typetransition qemu_props tmpfs_28_0 file qemu_props_tmpfs)
-(allow qemu_props qemu_props_tmpfs (file (read write getattr map)))
-(allow qemu_props tmpfs_28_0 (dir (getattr search)))
-(allow qemu_props property_socket_28_0 (sock_file (write)))
-(allow qemu_props init_28_0 (unix_stream_socket (connectto)))
-(allow qemu_props qemu_prop (property_service (set)))
-(allow qemu_props qemu_prop (file (ioctl read getattr lock map open)))
-(allow qemu_props property_socket_28_0 (sock_file (write)))
-(allow qemu_props init_28_0 (unix_stream_socket (connectto)))
-(allow qemu_props qemu_cmdline (property_service (set)))
-(allow qemu_props qemu_cmdline (file (ioctl read getattr lock map open)))
-(allow radio_28_0 net_eth0_prop (file (ioctl read getattr lock map open)))
-(allow rild net_eth0_prop (file (ioctl read getattr lock map open)))
-(allow shell_28_0 serial_device_28_0 (chr_file (ioctl read write getattr lock append map open)))
-(allow surfaceflinger_28_0 self (process (execmem)))
-(allow surfaceflinger_28_0 ashmem_device_28_0 (chr_file (execute)))
-(allow surfaceflinger_28_0 property_socket_28_0 (sock_file (write)))
-(allow surfaceflinger_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow surfaceflinger_28_0 qemu_prop (property_service (set)))
-(allow surfaceflinger_28_0 qemu_prop (file (ioctl read getattr lock map open)))
-(allow system_server_28_0 radio_noril_prop (file (ioctl read getattr lock map open)))
-(allow vendor_init_28_0 qemu_prop (property_service (set)))
-(allow vendor_init_28_0 qemu_prop (file (ioctl read getattr lock map open)))
-(dontaudit vold_28_0 kernel_28_0 (system (module_request)))
-(allow vold_28_0 nsfs (file (ioctl read getattr lock map open)))
-(allow zygote_28_0 property_socket_28_0 (sock_file (write)))
-(allow zygote_28_0 init_28_0 (unix_stream_socket (connectto)))
-(allow zygote_28_0 qemu_prop (property_service (set)))
-(allow zygote_28_0 qemu_prop (file (ioctl read getattr lock map open)))
-(dontaudit webview_zygote_28_0 mnt_expand_file_28_0 (dir (getattr)))
-(typetransition hal_wifi_supplicant_default wifi_data_file_28_0 dir "sockets" wpa_socket)
-(typeattribute base_typeattr_304_28_0)
-(typeattributeset base_typeattr_304_28_0 ((and (domain) ((not (coredomain init_28_0 vendor_init_28_0))))))
diff --git a/prebuilts/api/29.0/plat_pub_versioned.cil b/prebuilts/api/29.0/plat_pub_versioned.cil
deleted file mode 100644
index b80abeb..0000000
--- a/prebuilts/api/29.0/plat_pub_versioned.cil
+++ /dev/null
@@ -1,2208 +0,0 @@
-(type DockObserver_service)
-(type IProxyService_service)
-(type accessibility_service)
-(type account_service)
-(type activity_service)
-(type activity_task_service)
-(type adb_data_file)
-(type adb_keys_file)
-(type adb_service)
-(type adbd)
-(type adbd_exec)
-(type adbd_socket)
-(type alarm_service)
-(type anr_data_file)
-(type apex_data_file)
-(type apex_metadata_file)
-(type apex_mnt_dir)
-(type apex_service)
-(type apexd)
-(type apexd_exec)
-(type apexd_prop)
-(type apk_data_file)
-(type apk_private_data_file)
-(type apk_private_tmp_file)
-(type apk_tmp_file)
-(type app_binding_service)
-(type app_data_file)
-(type app_fuse_file)
-(type app_fusefs)
-(type app_prediction_service)
-(type app_zygote)
-(type app_zygote_tmpfs)
-(type appdomain_tmpfs)
-(type appops_service)
-(type appwidget_service)
-(type asec_apk_file)
-(type asec_image_file)
-(type asec_public_file)
-(type ashmem_device)
-(type ashmemd)
-(type assetatlas_service)
-(type audio_data_file)
-(type audio_device)
-(type audio_prop)
-(type audio_service)
-(type audiohal_data_file)
-(type audioserver)
-(type audioserver_data_file)
-(type audioserver_service)
-(type audioserver_tmpfs)
-(type autofill_service)
-(type backup_data_file)
-(type backup_service)
-(type battery_service)
-(type batteryproperties_service)
-(type batterystats_service)
-(type binder_calls_stats_service)
-(type binder_device)
-(type binfmt_miscfs)
-(type biometric_service)
-(type blkid)
-(type blkid_untrusted)
-(type block_device)
-(type bluetooth)
-(type bluetooth_a2dp_offload_prop)
-(type bluetooth_audio_hal_prop)
-(type bluetooth_data_file)
-(type bluetooth_efs_file)
-(type bluetooth_logs_data_file)
-(type bluetooth_manager_service)
-(type bluetooth_prop)
-(type bluetooth_service)
-(type bluetooth_socket)
-(type boot_block_device)
-(type bootanim)
-(type bootanim_exec)
-(type bootchart_data_file)
-(type bootloader_boot_reason_prop)
-(type bootstat)
-(type bootstat_data_file)
-(type bootstat_exec)
-(type boottime_prop)
-(type boottrace_data_file)
-(type bpf_progs_loaded_prop)
-(type broadcastradio_service)
-(type bufferhubd)
-(type bufferhubd_exec)
-(type bugreport_service)
-(type cache_backup_file)
-(type cache_block_device)
-(type cache_file)
-(type cache_private_backup_file)
-(type cache_recovery_file)
-(type camera_data_file)
-(type camera_device)
-(type cameraproxy_service)
-(type cameraserver)
-(type cameraserver_exec)
-(type cameraserver_service)
-(type cameraserver_tmpfs)
-(type cgroup)
-(type cgroup_bpf)
-(type cgroup_desc_file)
-(type cgroup_rc_file)
-(type charger)
-(type charger_exec)
-(type clatd)
-(type clatd_exec)
-(type clipboard_service)
-(type color_display_service)
-(type companion_device_service)
-(type config_prop)
-(type configfs)
-(type connectivity_service)
-(type connmetrics_service)
-(type console_device)
-(type consumer_ir_service)
-(type content_capture_service)
-(type content_service)
-(type content_suggestions_service)
-(type contexthub_service)
-(type coredump_file)
-(type country_detector_service)
-(type coverage_service)
-(type cppreopt_prop)
-(type cpu_variant_prop)
-(type cpuinfo_service)
-(type crash_dump)
-(type crash_dump_exec)
-(type crossprofileapps_service)
-(type ctl_adbd_prop)
-(type ctl_bootanim_prop)
-(type ctl_bugreport_prop)
-(type ctl_console_prop)
-(type ctl_default_prop)
-(type ctl_dumpstate_prop)
-(type ctl_fuse_prop)
-(type ctl_gsid_prop)
-(type ctl_interface_restart_prop)
-(type ctl_interface_start_prop)
-(type ctl_interface_stop_prop)
-(type ctl_mdnsd_prop)
-(type ctl_restart_prop)
-(type ctl_rildaemon_prop)
-(type ctl_sigstop_prop)
-(type ctl_start_prop)
-(type ctl_stop_prop)
-(type dalvik_prop)
-(type dalvikcache_data_file)
-(type dbinfo_service)
-(type debug_prop)
-(type debugfs)
-(type debugfs_mmc)
-(type debugfs_trace_marker)
-(type debugfs_tracing)
-(type debugfs_tracing_debug)
-(type debugfs_tracing_instances)
-(type debugfs_wakeup_sources)
-(type debugfs_wifi_tracing)
-(type debuggerd_prop)
-(type default_android_hwservice)
-(type default_android_service)
-(type default_android_vndservice)
-(type default_prop)
-(type dev_cpu_variant)
-(type device)
-(type device_config_activity_manager_native_boot_prop)
-(type device_config_boot_count_prop)
-(type device_config_input_native_boot_prop)
-(type device_config_media_native_prop)
-(type device_config_netd_native_prop)
-(type device_config_reset_performed_prop)
-(type device_config_runtime_native_boot_prop)
-(type device_config_runtime_native_prop)
-(type device_config_service)
-(type device_identifiers_service)
-(type device_logging_prop)
-(type device_policy_service)
-(type deviceidle_service)
-(type devicestoragemonitor_service)
-(type devpts)
-(type dhcp)
-(type dhcp_data_file)
-(type dhcp_exec)
-(type dhcp_prop)
-(type diskstats_service)
-(type display_service)
-(type dm_device)
-(type dnsmasq)
-(type dnsmasq_exec)
-(type dnsproxyd_socket)
-(type dnsresolver_service)
-(type dreams_service)
-(type drm_data_file)
-(type drmserver)
-(type drmserver_exec)
-(type drmserver_service)
-(type drmserver_socket)
-(type dropbox_data_file)
-(type dropbox_service)
-(type dumpstate)
-(type dumpstate_exec)
-(type dumpstate_options_prop)
-(type dumpstate_prop)
-(type dumpstate_service)
-(type dumpstate_socket)
-(type dynamic_system_prop)
-(type e2fs)
-(type e2fs_exec)
-(type efs_file)
-(type ephemeral_app)
-(type ethernet_service)
-(type exfat)
-(type exported2_config_prop)
-(type exported2_default_prop)
-(type exported2_radio_prop)
-(type exported2_system_prop)
-(type exported2_vold_prop)
-(type exported3_default_prop)
-(type exported3_radio_prop)
-(type exported3_system_prop)
-(type exported_audio_prop)
-(type exported_bluetooth_prop)
-(type exported_config_prop)
-(type exported_dalvik_prop)
-(type exported_default_prop)
-(type exported_dumpstate_prop)
-(type exported_ffs_prop)
-(type exported_fingerprint_prop)
-(type exported_overlay_prop)
-(type exported_pm_prop)
-(type exported_radio_prop)
-(type exported_secure_prop)
-(type exported_system_prop)
-(type exported_system_radio_prop)
-(type exported_vold_prop)
-(type exported_wifi_prop)
-(type external_vibrator_service)
-(type face_service)
-(type face_vendor_data_file)
-(type fastbootd)
-(type ffs_prop)
-(type file_contexts_file)
-(type fingerprint_prop)
-(type fingerprint_service)
-(type fingerprint_vendor_data_file)
-(type fingerprintd)
-(type fingerprintd_data_file)
-(type fingerprintd_exec)
-(type fingerprintd_service)
-(type firstboot_prop)
-(type flags_health_check)
-(type flags_health_check_exec)
-(type font_service)
-(type frp_block_device)
-(type fs_bpf)
-(type fsck)
-(type fsck_exec)
-(type fsck_untrusted)
-(type fscklogs)
-(type functionfs)
-(type fuse)
-(type fuse_device)
-(type fwk_bufferhub_hwservice)
-(type fwk_camera_hwservice)
-(type fwk_display_hwservice)
-(type fwk_scheduler_hwservice)
-(type fwk_sensor_hwservice)
-(type fwk_stats_hwservice)
-(type fwmarkd_socket)
-(type gatekeeper_data_file)
-(type gatekeeper_service)
-(type gatekeeperd)
-(type gatekeeperd_exec)
-(type gfxinfo_service)
-(type gps_control)
-(type gpu_device)
-(type gpu_service)
-(type gpuservice)
-(type graphics_device)
-(type graphicsstats_service)
-(type gsi_data_file)
-(type gsi_metadata_file)
-(type gsid_prop)
-(type hal_atrace_hwservice)
-(type hal_audio_hwservice)
-(type hal_audiocontrol_hwservice)
-(type hal_authsecret_hwservice)
-(type hal_bluetooth_hwservice)
-(type hal_bootctl_hwservice)
-(type hal_broadcastradio_hwservice)
-(type hal_camera_hwservice)
-(type hal_cas_hwservice)
-(type hal_codec2_hwservice)
-(type hal_configstore_ISurfaceFlingerConfigs)
-(type hal_confirmationui_hwservice)
-(type hal_contexthub_hwservice)
-(type hal_drm_hwservice)
-(type hal_dumpstate_hwservice)
-(type hal_evs_hwservice)
-(type hal_face_hwservice)
-(type hal_fingerprint_hwservice)
-(type hal_fingerprint_service)
-(type hal_gatekeeper_hwservice)
-(type hal_gnss_hwservice)
-(type hal_graphics_allocator_hwservice)
-(type hal_graphics_composer_hwservice)
-(type hal_graphics_composer_server_tmpfs)
-(type hal_graphics_mapper_hwservice)
-(type hal_health_hwservice)
-(type hal_health_storage_hwservice)
-(type hal_input_classifier_hwservice)
-(type hal_ir_hwservice)
-(type hal_keymaster_hwservice)
-(type hal_light_hwservice)
-(type hal_lowpan_hwservice)
-(type hal_memtrack_hwservice)
-(type hal_neuralnetworks_hwservice)
-(type hal_nfc_hwservice)
-(type hal_oemlock_hwservice)
-(type hal_omx_hwservice)
-(type hal_power_hwservice)
-(type hal_power_stats_hwservice)
-(type hal_renderscript_hwservice)
-(type hal_secure_element_hwservice)
-(type hal_sensors_hwservice)
-(type hal_telephony_hwservice)
-(type hal_tetheroffload_hwservice)
-(type hal_thermal_hwservice)
-(type hal_tv_cec_hwservice)
-(type hal_tv_input_hwservice)
-(type hal_usb_gadget_hwservice)
-(type hal_usb_hwservice)
-(type hal_vehicle_hwservice)
-(type hal_vibrator_hwservice)
-(type hal_vr_hwservice)
-(type hal_weaver_hwservice)
-(type hal_wifi_hostapd_hwservice)
-(type hal_wifi_hwservice)
-(type hal_wifi_offload_hwservice)
-(type hal_wifi_supplicant_hwservice)
-(type hardware_properties_service)
-(type hardware_service)
-(type hci_attach_dev)
-(type hdmi_control_service)
-(type healthd)
-(type healthd_exec)
-(type heapdump_data_file)
-(type heapprofd)
-(type heapprofd_enabled_prop)
-(type heapprofd_prop)
-(type heapprofd_socket)
-(type hidl_allocator_hwservice)
-(type hidl_base_hwservice)
-(type hidl_manager_hwservice)
-(type hidl_memory_hwservice)
-(type hidl_token_hwservice)
-(type hw_random_device)
-(type hwbinder_device)
-(type hwservice_contexts_file)
-(type hwservicemanager)
-(type hwservicemanager_exec)
-(type hwservicemanager_prop)
-(type icon_file)
-(type idmap)
-(type idmap_exec)
-(type idmap_service)
-(type iio_device)
-(type imms_service)
-(type incident)
-(type incident_data_file)
-(type incident_helper)
-(type incident_service)
-(type incidentd)
-(type init)
-(type init_exec)
-(type init_tmpfs)
-(type inotify)
-(type input_device)
-(type input_method_service)
-(type input_service)
-(type inputflinger)
-(type inputflinger_exec)
-(type inputflinger_service)
-(type install_data_file)
-(type install_recovery)
-(type install_recovery_exec)
-(type installd)
-(type installd_exec)
-(type installd_service)
-(type ion_device)
-(type iorapd)
-(type iorapd_data_file)
-(type iorapd_exec)
-(type iorapd_service)
-(type iorapd_tmpfs)
-(type ipsec_service)
-(type iris_service)
-(type iris_vendor_data_file)
-(type isolated_app)
-(type jobscheduler_service)
-(type kernel)
-(type keychain_data_file)
-(type keychord_device)
-(type keystore)
-(type keystore_data_file)
-(type keystore_exec)
-(type keystore_service)
-(type kmsg_debug_device)
-(type kmsg_device)
-(type labeledfs)
-(type last_boot_reason_prop)
-(type launcherapps_service)
-(type llkd)
-(type llkd_exec)
-(type llkd_prop)
-(type lmkd)
-(type lmkd_exec)
-(type lmkd_socket)
-(type location_service)
-(type lock_settings_service)
-(type log_prop)
-(type log_tag_prop)
-(type logcat_exec)
-(type logd)
-(type logd_exec)
-(type logd_prop)
-(type logd_socket)
-(type logdr_socket)
-(type logdw_socket)
-(type logpersist)
-(type logpersistd_logging_prop)
-(type loop_control_device)
-(type loop_device)
-(type looper_stats_service)
-(type lowpan_device)
-(type lowpan_prop)
-(type lowpan_service)
-(type lpdump_service)
-(type lpdumpd_prop)
-(type mac_perms_file)
-(type mdns_socket)
-(type mdnsd)
-(type mdnsd_socket)
-(type media_data_file)
-(type media_projection_service)
-(type media_router_service)
-(type media_rw_data_file)
-(type media_session_service)
-(type mediacodec_service)
-(type mediadrmserver)
-(type mediadrmserver_exec)
-(type mediadrmserver_service)
-(type mediaextractor)
-(type mediaextractor_exec)
-(type mediaextractor_service)
-(type mediaextractor_tmpfs)
-(type mediametrics)
-(type mediametrics_exec)
-(type mediametrics_service)
-(type mediaprovider)
-(type mediaserver)
-(type mediaserver_exec)
-(type mediaserver_service)
-(type mediaserver_tmpfs)
-(type mediaswcodec)
-(type mediaswcodec_exec)
-(type meminfo_service)
-(type metadata_block_device)
-(type metadata_file)
-(type method_trace_data_file)
-(type midi_service)
-(type misc_block_device)
-(type misc_logd_file)
-(type misc_user_data_file)
-(type mmc_prop)
-(type mnt_expand_file)
-(type mnt_media_rw_file)
-(type mnt_media_rw_stub_file)
-(type mnt_product_file)
-(type mnt_user_file)
-(type mnt_vendor_file)
-(type modprobe)
-(type mount_service)
-(type mqueue)
-(type mtp)
-(type mtp_device)
-(type mtp_exec)
-(type mtpd_socket)
-(type nativetest_data_file)
-(type net_data_file)
-(type net_dns_prop)
-(type net_radio_prop)
-(type netd)
-(type netd_exec)
-(type netd_listener_service)
-(type netd_service)
-(type netd_stable_secret_prop)
-(type netif)
-(type netpolicy_service)
-(type netstats_service)
-(type netutils_wrapper)
-(type netutils_wrapper_exec)
-(type network_management_service)
-(type network_score_service)
-(type network_stack)
-(type network_stack_service)
-(type network_time_update_service)
-(type network_watchlist_data_file)
-(type network_watchlist_service)
-(type nfc)
-(type nfc_data_file)
-(type nfc_device)
-(type nfc_prop)
-(type nfc_service)
-(type nnapi_ext_deny_product_prop)
-(type node)
-(type nonplat_service_contexts_file)
-(type notification_service)
-(type null_device)
-(type oem_lock_service)
-(type oemfs)
-(type ota_data_file)
-(type ota_package_file)
-(type otadexopt_service)
-(type overlay_prop)
-(type overlay_service)
-(type overlayfs_file)
-(type owntty_device)
-(type package_native_service)
-(type package_service)
-(type packages_list_file)
-(type pan_result_prop)
-(type password_slot_metadata_file)
-(type pdx_bufferhub_client_channel_socket)
-(type pdx_bufferhub_client_endpoint_socket)
-(type pdx_bufferhub_dir)
-(type pdx_display_client_channel_socket)
-(type pdx_display_client_endpoint_socket)
-(type pdx_display_dir)
-(type pdx_display_manager_channel_socket)
-(type pdx_display_manager_endpoint_socket)
-(type pdx_display_screenshot_channel_socket)
-(type pdx_display_screenshot_endpoint_socket)
-(type pdx_display_vsync_channel_socket)
-(type pdx_display_vsync_endpoint_socket)
-(type pdx_performance_client_channel_socket)
-(type pdx_performance_client_endpoint_socket)
-(type pdx_performance_dir)
-(type perfetto)
-(type performanced)
-(type performanced_exec)
-(type perfprofd)
-(type perfprofd_data_file)
-(type perfprofd_exec)
-(type perfprofd_service)
-(type permission_service)
-(type permissionmgr_service)
-(type persist_debug_prop)
-(type persistent_data_block_service)
-(type persistent_properties_ready_prop)
-(type pinner_service)
-(type pipefs)
-(type platform_app)
-(type pm_prop)
-(type pmsg_device)
-(type port)
-(type port_device)
-(type postinstall)
-(type postinstall_apex_mnt_dir)
-(type postinstall_file)
-(type postinstall_mnt_dir)
-(type power_service)
-(type powerctl_prop)
-(type ppp)
-(type ppp_device)
-(type ppp_exec)
-(type preloads_data_file)
-(type preloads_media_file)
-(type print_service)
-(type priv_app)
-(type privapp_data_file)
-(type proc)
-(type proc_abi)
-(type proc_asound)
-(type proc_bluetooth_writable)
-(type proc_buddyinfo)
-(type proc_cmdline)
-(type proc_cpuinfo)
-(type proc_dirty)
-(type proc_diskstats)
-(type proc_drop_caches)
-(type proc_extra_free_kbytes)
-(type proc_filesystems)
-(type proc_fs_verity)
-(type proc_hostname)
-(type proc_hung_task)
-(type proc_interrupts)
-(type proc_iomem)
-(type proc_keys)
-(type proc_kmsg)
-(type proc_loadavg)
-(type proc_max_map_count)
-(type proc_meminfo)
-(type proc_min_free_order_shift)
-(type proc_misc)
-(type proc_modules)
-(type proc_mounts)
-(type proc_net)
-(type proc_net_tcp_udp)
-(type proc_overcommit_memory)
-(type proc_page_cluster)
-(type proc_pagetypeinfo)
-(type proc_panic)
-(type proc_perf)
-(type proc_pid_max)
-(type proc_pipe_conf)
-(type proc_pressure_cpu)
-(type proc_pressure_io)
-(type proc_pressure_mem)
-(type proc_qtaguid_ctrl)
-(type proc_qtaguid_stat)
-(type proc_random)
-(type proc_sched)
-(type proc_security)
-(type proc_slabinfo)
-(type proc_stat)
-(type proc_swaps)
-(type proc_sysrq)
-(type proc_timer)
-(type proc_tty_drivers)
-(type proc_uid_concurrent_active_time)
-(type proc_uid_concurrent_policy_time)
-(type proc_uid_cpupower)
-(type proc_uid_cputime_removeuid)
-(type proc_uid_cputime_showstat)
-(type proc_uid_io_stats)
-(type proc_uid_procstat_set)
-(type proc_uid_time_in_state)
-(type proc_uptime)
-(type proc_version)
-(type proc_vmallocinfo)
-(type proc_vmstat)
-(type proc_zoneinfo)
-(type processinfo_service)
-(type procstats_service)
-(type profman)
-(type profman_dump_data_file)
-(type profman_exec)
-(type properties_device)
-(type properties_serial)
-(type property_contexts_file)
-(type property_data_file)
-(type property_info)
-(type property_socket)
-(type pstorefs)
-(type ptmx_device)
-(type qtaguid_device)
-(type racoon)
-(type racoon_exec)
-(type racoon_socket)
-(type radio)
-(type radio_data_file)
-(type radio_device)
-(type radio_prop)
-(type radio_service)
-(type ram_device)
-(type random_device)
-(type recovery)
-(type recovery_block_device)
-(type recovery_data_file)
-(type recovery_persist)
-(type recovery_persist_exec)
-(type recovery_refresh)
-(type recovery_refresh_exec)
-(type recovery_service)
-(type recovery_socket)
-(type registry_service)
-(type resourcecache_data_file)
-(type restorecon_prop)
-(type restrictions_service)
-(type rild_debug_socket)
-(type rild_socket)
-(type ringtone_file)
-(type role_service)
-(type rollback_service)
-(type root_block_device)
-(type rootfs)
-(type rpmsg_device)
-(type rs)
-(type rs_exec)
-(type rss_hwm_reset)
-(type rtc_device)
-(type rttmanager_service)
-(type runas)
-(type runas_app)
-(type runas_exec)
-(type runtime_event_log_tags_file)
-(type runtime_service)
-(type safemode_prop)
-(type same_process_hal_file)
-(type samplingprofiler_service)
-(type scheduling_policy_service)
-(type sdcard_block_device)
-(type sdcardd)
-(type sdcardd_exec)
-(type sdcardfs)
-(type seapp_contexts_file)
-(type search_service)
-(type sec_key_att_app_id_provider_service)
-(type secure_element)
-(type secure_element_device)
-(type secure_element_service)
-(type selinuxfs)
-(type sensor_privacy_service)
-(type sensors_device)
-(type sensorservice_service)
-(type sepolicy_file)
-(type serial_device)
-(type serial_service)
-(type serialno_prop)
-(type server_configurable_flags_data_file)
-(type service_contexts_file)
-(type servicediscovery_service)
-(type servicemanager)
-(type servicemanager_exec)
-(type settings_service)
-(type sgdisk)
-(type sgdisk_exec)
-(type shared_relro)
-(type shared_relro_file)
-(type shell)
-(type shell_data_file)
-(type shell_exec)
-(type shell_prop)
-(type shm)
-(type shortcut_manager_icons)
-(type shortcut_service)
-(type simpleperf_app_runner)
-(type simpleperf_app_runner_exec)
-(type slice_service)
-(type slideshow)
-(type socket_device)
-(type sockfs)
-(type staging_data_file)
-(type stats_data_file)
-(type statsd)
-(type statsd_exec)
-(type statsdw_socket)
-(type statusbar_service)
-(type storage_file)
-(type storage_stub_file)
-(type storaged_service)
-(type storagestats_service)
-(type su)
-(type su_exec)
-(type super_block_device)
-(type surfaceflinger)
-(type surfaceflinger_service)
-(type surfaceflinger_tmpfs)
-(type swap_block_device)
-(type sysfs)
-(type sysfs_android_usb)
-(type sysfs_batteryinfo)
-(type sysfs_bluetooth_writable)
-(type sysfs_devices_block)
-(type sysfs_devices_system_cpu)
-(type sysfs_dm)
-(type sysfs_dt_firmware_android)
-(type sysfs_extcon)
-(type sysfs_fs_ext4_features)
-(type sysfs_fs_f2fs)
-(type sysfs_hwrandom)
-(type sysfs_ipv4)
-(type sysfs_kernel_notes)
-(type sysfs_leds)
-(type sysfs_loop)
-(type sysfs_lowmemorykiller)
-(type sysfs_mac_address)
-(type sysfs_net)
-(type sysfs_nfc_power_writable)
-(type sysfs_power)
-(type sysfs_rtc)
-(type sysfs_switch)
-(type sysfs_thermal)
-(type sysfs_transparent_hugepage)
-(type sysfs_uio)
-(type sysfs_usb)
-(type sysfs_usermodehelper)
-(type sysfs_vibrator)
-(type sysfs_wake_lock)
-(type sysfs_wakeup_reasons)
-(type sysfs_wlan_fwpath)
-(type sysfs_zram)
-(type sysfs_zram_uevent)
-(type system_app)
-(type system_app_data_file)
-(type system_app_service)
-(type system_asan_options_file)
-(type system_block_device)
-(type system_boot_reason_prop)
-(type system_bootstrap_lib_file)
-(type system_data_file)
-(type system_event_log_tags_file)
-(type system_file)
-(type system_lib_file)
-(type system_linker_config_file)
-(type system_linker_exec)
-(type system_lmk_prop)
-(type system_ndebug_socket)
-(type system_net_netd_hwservice)
-(type system_prop)
-(type system_radio_prop)
-(type system_seccomp_policy_file)
-(type system_security_cacerts_file)
-(type system_server)
-(type system_server_tmpfs)
-(type system_suspend_control_service)
-(type system_suspend_hwservice)
-(type system_trace_prop)
-(type system_update_service)
-(type system_wifi_keystore_hwservice)
-(type system_wpa_socket)
-(type system_zoneinfo_file)
-(type systemkeys_data_file)
-(type task_profiles_file)
-(type task_service)
-(type tcpdump_exec)
-(type tee)
-(type tee_data_file)
-(type tee_device)
-(type telecom_service)
-(type test_boot_reason_prop)
-(type test_harness_prop)
-(type testharness_service)
-(type textclassification_service)
-(type textclassifier_data_file)
-(type textservices_service)
-(type thermal_service)
-(type thermalcallback_hwservice)
-(type time_prop)
-(type timedetector_service)
-(type timezone_service)
-(type tmpfs)
-(type tombstone_data_file)
-(type tombstone_wifi_data_file)
-(type tombstoned)
-(type tombstoned_crash_socket)
-(type tombstoned_exec)
-(type tombstoned_intercept_socket)
-(type tombstoned_java_trace_socket)
-(type toolbox)
-(type toolbox_exec)
-(type trace_data_file)
-(type traced)
-(type traced_consumer_socket)
-(type traced_enabled_prop)
-(type traced_lazy_prop)
-(type traced_probes)
-(type traced_producer_socket)
-(type traceur_app)
-(type trust_service)
-(type tty_device)
-(type tun_device)
-(type tv_input_service)
-(type tzdatacheck)
-(type tzdatacheck_exec)
-(type ueventd)
-(type ueventd_tmpfs)
-(type uhid_device)
-(type uimode_service)
-(type uio_device)
-(type uncrypt)
-(type uncrypt_exec)
-(type uncrypt_socket)
-(type unencrypted_data_file)
-(type unlabeled)
-(type untrusted_app)
-(type untrusted_app_25)
-(type untrusted_app_27)
-(type update_engine)
-(type update_engine_data_file)
-(type update_engine_exec)
-(type update_engine_log_data_file)
-(type update_engine_service)
-(type update_verifier)
-(type update_verifier_exec)
-(type updatelock_service)
-(type uri_grants_service)
-(type usagestats_service)
-(type usb_device)
-(type usb_service)
-(type usbaccessory_device)
-(type usbd)
-(type usbd_exec)
-(type usbfs)
-(type use_memfd_prop)
-(type user_profile_data_file)
-(type user_service)
-(type userdata_block_device)
-(type usermodehelper)
-(type vdc)
-(type vdc_exec)
-(type vendor_app_file)
-(type vendor_cgroup_desc_file)
-(type vendor_configs_file)
-(type vendor_data_file)
-(type vendor_default_prop)
-(type vendor_file)
-(type vendor_framework_file)
-(type vendor_hal_file)
-(type vendor_idc_file)
-(type vendor_init)
-(type vendor_keychars_file)
-(type vendor_keylayout_file)
-(type vendor_overlay_file)
-(type vendor_public_lib_file)
-(type vendor_security_patch_level_prop)
-(type vendor_shell)
-(type vendor_shell_exec)
-(type vendor_task_profiles_file)
-(type vendor_toolbox_exec)
-(type vfat)
-(type vibrator_service)
-(type video_device)
-(type virtual_touchpad)
-(type virtual_touchpad_exec)
-(type virtual_touchpad_service)
-(type vndbinder_device)
-(type vndk_sp_file)
-(type vndservice_contexts_file)
-(type vndservicemanager)
-(type voiceinteraction_service)
-(type vold)
-(type vold_data_file)
-(type vold_device)
-(type vold_exec)
-(type vold_metadata_file)
-(type vold_prepare_subdirs)
-(type vold_prepare_subdirs_exec)
-(type vold_prop)
-(type vold_service)
-(type vpn_data_file)
-(type vr_hwc)
-(type vr_hwc_exec)
-(type vr_hwc_service)
-(type vr_manager_service)
-(type vrflinger_vsync_service)
-(type wallpaper_file)
-(type wallpaper_service)
-(type watchdog_device)
-(type watchdogd)
-(type watchdogd_exec)
-(type webview_zygote)
-(type webview_zygote_exec)
-(type webview_zygote_tmpfs)
-(type webviewupdate_service)
-(type wifi_data_file)
-(type wifi_log_prop)
-(type wifi_prop)
-(type wifi_service)
-(type wifiaware_service)
-(type wificond)
-(type wificond_exec)
-(type wificond_service)
-(type wifip2p_service)
-(type wifiscanner_service)
-(type window_service)
-(type wpa_socket)
-(type wpantund)
-(type wpantund_exec)
-(type wpantund_service)
-(type zero_device)
-(type zoneinfo_data_file)
-(type zygote)
-(type zygote_exec)
-(type zygote_socket)
-(type zygote_tmpfs)
-(typeattribute DockObserver_service_29_0)
-(typeattribute IProxyService_service_29_0)
-(typeattribute accessibility_service_29_0)
-(typeattribute account_service_29_0)
-(typeattribute activity_service_29_0)
-(typeattribute activity_task_service_29_0)
-(typeattribute adb_data_file_29_0)
-(typeattribute adb_keys_file_29_0)
-(typeattribute adb_service_29_0)
-(typeattribute adbd_29_0)
-(typeattribute adbd_exec_29_0)
-(typeattribute adbd_socket_29_0)
-(typeattribute alarm_service_29_0)
-(typeattribute anr_data_file_29_0)
-(typeattribute apex_data_file_29_0)
-(typeattribute apex_metadata_file_29_0)
-(typeattribute apex_mnt_dir_29_0)
-(typeattribute apex_service_29_0)
-(typeattribute apexd_29_0)
-(typeattribute apexd_exec_29_0)
-(typeattribute apexd_prop_29_0)
-(typeattribute apk_data_file_29_0)
-(typeattribute apk_private_data_file_29_0)
-(typeattribute apk_private_tmp_file_29_0)
-(typeattribute apk_tmp_file_29_0)
-(typeattribute app_api_service)
-(typeattribute app_binding_service_29_0)
-(typeattribute app_data_file_29_0)
-(typeattribute app_fuse_file_29_0)
-(typeattribute app_fusefs_29_0)
-(typeattribute app_prediction_service_29_0)
-(typeattribute app_zygote_29_0)
-(typeattribute app_zygote_tmpfs_29_0)
-(typeattribute appdomain)
-(typeattribute appdomain_tmpfs_29_0)
-(typeattribute appops_service_29_0)
-(typeattribute appwidget_service_29_0)
-(typeattribute asec_apk_file_29_0)
-(typeattribute asec_image_file_29_0)
-(typeattribute asec_public_file_29_0)
-(typeattribute ashmem_device_29_0)
-(typeattribute ashmemd_29_0)
-(typeattribute assetatlas_service_29_0)
-(typeattribute audio_data_file_29_0)
-(typeattribute audio_device_29_0)
-(typeattribute audio_prop_29_0)
-(typeattribute audio_service_29_0)
-(typeattribute audiohal_data_file_29_0)
-(typeattribute audioserver_29_0)
-(typeattribute audioserver_data_file_29_0)
-(typeattribute audioserver_service_29_0)
-(typeattribute audioserver_tmpfs_29_0)
-(typeattribute autofill_service_29_0)
-(typeattribute backup_data_file_29_0)
-(typeattribute backup_service_29_0)
-(typeattribute battery_service_29_0)
-(typeattribute batteryproperties_service_29_0)
-(typeattribute batterystats_service_29_0)
-(typeattribute binder_calls_stats_service_29_0)
-(typeattribute binder_device_29_0)
-(typeattribute binder_in_vendor_violators)
-(typeattribute binderservicedomain)
-(typeattribute binfmt_miscfs_29_0)
-(typeattribute biometric_service_29_0)
-(typeattribute blkid_29_0)
-(typeattribute blkid_untrusted_29_0)
-(typeattribute block_device_29_0)
-(typeattribute bluetooth_29_0)
-(typeattribute bluetooth_a2dp_offload_prop_29_0)
-(typeattribute bluetooth_audio_hal_prop_29_0)
-(typeattribute bluetooth_data_file_29_0)
-(typeattribute bluetooth_efs_file_29_0)
-(typeattribute bluetooth_logs_data_file_29_0)
-(typeattribute bluetooth_manager_service_29_0)
-(typeattribute bluetooth_prop_29_0)
-(typeattribute bluetooth_service_29_0)
-(typeattribute bluetooth_socket_29_0)
-(typeattribute bluetoothdomain)
-(typeattribute boot_block_device_29_0)
-(typeattribute bootanim_29_0)
-(typeattribute bootanim_exec_29_0)
-(typeattribute bootchart_data_file_29_0)
-(typeattribute bootloader_boot_reason_prop_29_0)
-(typeattribute bootstat_29_0)
-(typeattribute bootstat_data_file_29_0)
-(typeattribute bootstat_exec_29_0)
-(typeattribute boottime_prop_29_0)
-(typeattribute boottrace_data_file_29_0)
-(typeattribute bpf_progs_loaded_prop_29_0)
-(typeattribute broadcastradio_service_29_0)
-(typeattribute bufferhubd_29_0)
-(typeattribute bufferhubd_exec_29_0)
-(typeattribute bugreport_service_29_0)
-(typeattribute cache_backup_file_29_0)
-(typeattribute cache_block_device_29_0)
-(typeattribute cache_file_29_0)
-(typeattribute cache_private_backup_file_29_0)
-(typeattribute cache_recovery_file_29_0)
-(typeattribute camera_data_file_29_0)
-(typeattribute camera_device_29_0)
-(typeattribute camera_service_server)
-(typeattribute cameraproxy_service_29_0)
-(typeattribute cameraserver_29_0)
-(typeattribute cameraserver_exec_29_0)
-(typeattribute cameraserver_service_29_0)
-(typeattribute cameraserver_tmpfs_29_0)
-(typeattribute cgroup_29_0)
-(typeattribute cgroup_bpf_29_0)
-(typeattribute cgroup_desc_file_29_0)
-(typeattribute cgroup_rc_file_29_0)
-(typeattribute charger_29_0)
-(typeattribute charger_exec_29_0)
-(typeattribute clatd_29_0)
-(typeattribute clatd_exec_29_0)
-(typeattribute clipboard_service_29_0)
-(typeattribute color_display_service_29_0)
-(typeattribute companion_device_service_29_0)
-(typeattribute config_prop_29_0)
-(typeattribute configfs_29_0)
-(typeattribute connectivity_service_29_0)
-(typeattribute connmetrics_service_29_0)
-(typeattribute console_device_29_0)
-(typeattribute consumer_ir_service_29_0)
-(typeattribute content_capture_service_29_0)
-(typeattribute content_service_29_0)
-(typeattribute content_suggestions_service_29_0)
-(typeattribute contexthub_service_29_0)
-(typeattribute contextmount_type)
-(typeattribute core_data_file_type)
-(typeattribute core_property_type)
-(typeattribute coredomain)
-(typeattribute coredomain_hwservice)
-(typeattribute coredomain_socket)
-(typeattribute coredump_file_29_0)
-(typeattribute country_detector_service_29_0)
-(typeattribute coverage_service_29_0)
-(typeattribute cppreopt_prop_29_0)
-(typeattribute cpu_variant_prop_29_0)
-(typeattribute cpuinfo_service_29_0)
-(typeattribute crash_dump_29_0)
-(typeattribute crash_dump_exec_29_0)
-(typeattribute crossprofileapps_service_29_0)
-(typeattribute ctl_adbd_prop_29_0)
-(typeattribute ctl_bootanim_prop_29_0)
-(typeattribute ctl_bugreport_prop_29_0)
-(typeattribute ctl_console_prop_29_0)
-(typeattribute ctl_default_prop_29_0)
-(typeattribute ctl_dumpstate_prop_29_0)
-(typeattribute ctl_fuse_prop_29_0)
-(typeattribute ctl_gsid_prop_29_0)
-(typeattribute ctl_interface_restart_prop_29_0)
-(typeattribute ctl_interface_start_prop_29_0)
-(typeattribute ctl_interface_stop_prop_29_0)
-(typeattribute ctl_mdnsd_prop_29_0)
-(typeattribute ctl_restart_prop_29_0)
-(typeattribute ctl_rildaemon_prop_29_0)
-(typeattribute ctl_sigstop_prop_29_0)
-(typeattribute ctl_start_prop_29_0)
-(typeattribute ctl_stop_prop_29_0)
-(typeattribute dalvik_prop_29_0)
-(typeattribute dalvikcache_data_file_29_0)
-(typeattribute data_between_core_and_vendor_violators)
-(typeattribute data_file_type)
-(typeattribute dbinfo_service_29_0)
-(typeattribute debug_prop_29_0)
-(typeattribute debugfs_29_0)
-(typeattribute debugfs_mmc_29_0)
-(typeattribute debugfs_trace_marker_29_0)
-(typeattribute debugfs_tracing_29_0)
-(typeattribute debugfs_tracing_debug_29_0)
-(typeattribute debugfs_tracing_instances_29_0)
-(typeattribute debugfs_type)
-(typeattribute debugfs_wakeup_sources_29_0)
-(typeattribute debugfs_wifi_tracing_29_0)
-(typeattribute debuggerd_prop_29_0)
-(typeattribute default_android_hwservice_29_0)
-(typeattribute default_android_service_29_0)
-(typeattribute default_android_vndservice_29_0)
-(typeattribute default_prop_29_0)
-(typeattribute dev_cpu_variant_29_0)
-(typeattribute dev_type)
-(typeattribute device_29_0)
-(typeattribute device_config_activity_manager_native_boot_prop_29_0)
-(typeattribute device_config_boot_count_prop_29_0)
-(typeattribute device_config_input_native_boot_prop_29_0)
-(typeattribute device_config_media_native_prop_29_0)
-(typeattribute device_config_netd_native_prop_29_0)
-(typeattribute device_config_reset_performed_prop_29_0)
-(typeattribute device_config_runtime_native_boot_prop_29_0)
-(typeattribute device_config_runtime_native_prop_29_0)
-(typeattribute device_config_service_29_0)
-(typeattribute device_identifiers_service_29_0)
-(typeattribute device_logging_prop_29_0)
-(typeattribute device_policy_service_29_0)
-(typeattribute deviceidle_service_29_0)
-(typeattribute devicestoragemonitor_service_29_0)
-(typeattribute devpts_29_0)
-(typeattribute dhcp_29_0)
-(typeattribute dhcp_data_file_29_0)
-(typeattribute dhcp_exec_29_0)
-(typeattribute dhcp_prop_29_0)
-(typeattribute diskstats_service_29_0)
-(typeattribute display_service_29_0)
-(typeattribute display_service_server)
-(typeattribute dm_device_29_0)
-(typeattribute dnsmasq_29_0)
-(typeattribute dnsmasq_exec_29_0)
-(typeattribute dnsproxyd_socket_29_0)
-(typeattribute dnsresolver_service_29_0)
-(typeattribute domain)
-(typeattribute dreams_service_29_0)
-(typeattribute drm_data_file_29_0)
-(typeattribute drmserver_29_0)
-(typeattribute drmserver_exec_29_0)
-(typeattribute drmserver_service_29_0)
-(typeattribute drmserver_socket_29_0)
-(typeattribute dropbox_data_file_29_0)
-(typeattribute dropbox_service_29_0)
-(typeattribute dumpstate_29_0)
-(typeattribute dumpstate_exec_29_0)
-(typeattribute dumpstate_options_prop_29_0)
-(typeattribute dumpstate_prop_29_0)
-(typeattribute dumpstate_service_29_0)
-(typeattribute dumpstate_socket_29_0)
-(typeattribute dynamic_system_prop_29_0)
-(typeattribute e2fs_29_0)
-(typeattribute e2fs_exec_29_0)
-(typeattribute efs_file_29_0)
-(typeattribute ephemeral_app_29_0)
-(typeattribute ephemeral_app_api_service)
-(typeattribute ethernet_service_29_0)
-(typeattribute exec_type)
-(typeattribute exfat_29_0)
-(typeattribute exported2_config_prop_29_0)
-(typeattribute exported2_default_prop_29_0)
-(typeattribute exported2_radio_prop_29_0)
-(typeattribute exported2_system_prop_29_0)
-(typeattribute exported2_vold_prop_29_0)
-(typeattribute exported3_default_prop_29_0)
-(typeattribute exported3_radio_prop_29_0)
-(typeattribute exported3_system_prop_29_0)
-(typeattribute exported_audio_prop_29_0)
-(typeattribute exported_bluetooth_prop_29_0)
-(typeattribute exported_config_prop_29_0)
-(typeattribute exported_dalvik_prop_29_0)
-(typeattribute exported_default_prop_29_0)
-(typeattribute exported_dumpstate_prop_29_0)
-(typeattribute exported_ffs_prop_29_0)
-(typeattribute exported_fingerprint_prop_29_0)
-(typeattribute exported_overlay_prop_29_0)
-(typeattribute exported_pm_prop_29_0)
-(typeattribute exported_radio_prop_29_0)
-(typeattribute exported_secure_prop_29_0)
-(typeattribute exported_system_prop_29_0)
-(typeattribute exported_system_radio_prop_29_0)
-(typeattribute exported_vold_prop_29_0)
-(typeattribute exported_wifi_prop_29_0)
-(typeattribute extended_core_property_type)
-(typeattribute external_vibrator_service_29_0)
-(typeattribute face_service_29_0)
-(typeattribute face_vendor_data_file_29_0)
-(typeattribute fastbootd_29_0)
-(typeattribute ffs_prop_29_0)
-(typeattribute file_contexts_file_29_0)
-(typeattribute file_type)
-(typeattribute fingerprint_prop_29_0)
-(typeattribute fingerprint_service_29_0)
-(typeattribute fingerprint_vendor_data_file_29_0)
-(typeattribute fingerprintd_29_0)
-(typeattribute fingerprintd_data_file_29_0)
-(typeattribute fingerprintd_exec_29_0)
-(typeattribute fingerprintd_service_29_0)
-(typeattribute firstboot_prop_29_0)
-(typeattribute flags_health_check_29_0)
-(typeattribute flags_health_check_exec_29_0)
-(typeattribute font_service_29_0)
-(typeattribute frp_block_device_29_0)
-(typeattribute fs_bpf_29_0)
-(typeattribute fs_type)
-(typeattribute fsck_29_0)
-(typeattribute fsck_exec_29_0)
-(typeattribute fsck_untrusted_29_0)
-(typeattribute fscklogs_29_0)
-(typeattribute functionfs_29_0)
-(typeattribute fuse_29_0)
-(typeattribute fuse_device_29_0)
-(typeattribute fwk_bufferhub_hwservice_29_0)
-(typeattribute fwk_camera_hwservice_29_0)
-(typeattribute fwk_display_hwservice_29_0)
-(typeattribute fwk_scheduler_hwservice_29_0)
-(typeattribute fwk_sensor_hwservice_29_0)
-(typeattribute fwk_stats_hwservice_29_0)
-(typeattribute fwmarkd_socket_29_0)
-(typeattribute gatekeeper_data_file_29_0)
-(typeattribute gatekeeper_service_29_0)
-(typeattribute gatekeeperd_29_0)
-(typeattribute gatekeeperd_exec_29_0)
-(typeattribute gfxinfo_service_29_0)
-(typeattribute gps_control_29_0)
-(typeattribute gpu_device_29_0)
-(typeattribute gpu_service_29_0)
-(typeattribute gpuservice_29_0)
-(typeattribute graphics_device_29_0)
-(typeattribute graphicsstats_service_29_0)
-(typeattribute gsi_data_file_29_0)
-(typeattribute gsi_metadata_file_29_0)
-(typeattribute gsid_prop_29_0)
-(typeattribute hal_allocator)
-(typeattribute hal_allocator_client)
-(typeattribute hal_allocator_server)
-(typeattribute hal_atrace)
-(typeattribute hal_atrace_client)
-(typeattribute hal_atrace_hwservice_29_0)
-(typeattribute hal_atrace_server)
-(typeattribute hal_audio)
-(typeattribute hal_audio_client)
-(typeattribute hal_audio_hwservice_29_0)
-(typeattribute hal_audio_server)
-(typeattribute hal_audiocontrol)
-(typeattribute hal_audiocontrol_client)
-(typeattribute hal_audiocontrol_hwservice_29_0)
-(typeattribute hal_audiocontrol_server)
-(typeattribute hal_authsecret)
-(typeattribute hal_authsecret_client)
-(typeattribute hal_authsecret_hwservice_29_0)
-(typeattribute hal_authsecret_server)
-(typeattribute hal_automotive_socket_exemption)
-(typeattribute hal_bluetooth)
-(typeattribute hal_bluetooth_client)
-(typeattribute hal_bluetooth_hwservice_29_0)
-(typeattribute hal_bluetooth_server)
-(typeattribute hal_bootctl)
-(typeattribute hal_bootctl_client)
-(typeattribute hal_bootctl_hwservice_29_0)
-(typeattribute hal_bootctl_server)
-(typeattribute hal_broadcastradio)
-(typeattribute hal_broadcastradio_client)
-(typeattribute hal_broadcastradio_hwservice_29_0)
-(typeattribute hal_broadcastradio_server)
-(typeattribute hal_bufferhub)
-(typeattribute hal_bufferhub_client)
-(typeattribute hal_bufferhub_server)
-(typeattribute hal_camera)
-(typeattribute hal_camera_client)
-(typeattribute hal_camera_hwservice_29_0)
-(typeattribute hal_camera_server)
-(typeattribute hal_cas)
-(typeattribute hal_cas_client)
-(typeattribute hal_cas_hwservice_29_0)
-(typeattribute hal_cas_server)
-(typeattribute hal_codec2_hwservice_29_0)
-(typeattribute hal_configstore)
-(typeattribute hal_configstore_ISurfaceFlingerConfigs_29_0)
-(typeattribute hal_configstore_client)
-(typeattribute hal_configstore_server)
-(typeattribute hal_confirmationui)
-(typeattribute hal_confirmationui_client)
-(typeattribute hal_confirmationui_hwservice_29_0)
-(typeattribute hal_confirmationui_server)
-(typeattribute hal_contexthub)
-(typeattribute hal_contexthub_client)
-(typeattribute hal_contexthub_hwservice_29_0)
-(typeattribute hal_contexthub_server)
-(typeattribute hal_drm)
-(typeattribute hal_drm_client)
-(typeattribute hal_drm_hwservice_29_0)
-(typeattribute hal_drm_server)
-(typeattribute hal_dumpstate)
-(typeattribute hal_dumpstate_client)
-(typeattribute hal_dumpstate_hwservice_29_0)
-(typeattribute hal_dumpstate_server)
-(typeattribute hal_evs)
-(typeattribute hal_evs_client)
-(typeattribute hal_evs_hwservice_29_0)
-(typeattribute hal_evs_server)
-(typeattribute hal_face)
-(typeattribute hal_face_client)
-(typeattribute hal_face_hwservice_29_0)
-(typeattribute hal_face_server)
-(typeattribute hal_fingerprint)
-(typeattribute hal_fingerprint_client)
-(typeattribute hal_fingerprint_hwservice_29_0)
-(typeattribute hal_fingerprint_server)
-(typeattribute hal_fingerprint_service_29_0)
-(typeattribute hal_gatekeeper)
-(typeattribute hal_gatekeeper_client)
-(typeattribute hal_gatekeeper_hwservice_29_0)
-(typeattribute hal_gatekeeper_server)
-(typeattribute hal_gnss)
-(typeattribute hal_gnss_client)
-(typeattribute hal_gnss_hwservice_29_0)
-(typeattribute hal_gnss_server)
-(typeattribute hal_graphics_allocator)
-(typeattribute hal_graphics_allocator_client)
-(typeattribute hal_graphics_allocator_hwservice_29_0)
-(typeattribute hal_graphics_allocator_server)
-(typeattribute hal_graphics_composer)
-(typeattribute hal_graphics_composer_client)
-(typeattribute hal_graphics_composer_client_tmpfs)
-(typeattribute hal_graphics_composer_hwservice_29_0)
-(typeattribute hal_graphics_composer_server)
-(typeattribute hal_graphics_composer_server_tmpfs_29_0)
-(typeattribute hal_graphics_mapper_hwservice_29_0)
-(typeattribute hal_health)
-(typeattribute hal_health_client)
-(typeattribute hal_health_hwservice_29_0)
-(typeattribute hal_health_server)
-(typeattribute hal_health_storage)
-(typeattribute hal_health_storage_client)
-(typeattribute hal_health_storage_hwservice_29_0)
-(typeattribute hal_health_storage_server)
-(typeattribute hal_input_classifier)
-(typeattribute hal_input_classifier_client)
-(typeattribute hal_input_classifier_hwservice_29_0)
-(typeattribute hal_input_classifier_server)
-(typeattribute hal_ir)
-(typeattribute hal_ir_client)
-(typeattribute hal_ir_hwservice_29_0)
-(typeattribute hal_ir_server)
-(typeattribute hal_keymaster)
-(typeattribute hal_keymaster_client)
-(typeattribute hal_keymaster_hwservice_29_0)
-(typeattribute hal_keymaster_server)
-(typeattribute hal_light)
-(typeattribute hal_light_client)
-(typeattribute hal_light_hwservice_29_0)
-(typeattribute hal_light_server)
-(typeattribute hal_lowpan)
-(typeattribute hal_lowpan_client)
-(typeattribute hal_lowpan_hwservice_29_0)
-(typeattribute hal_lowpan_server)
-(typeattribute hal_memtrack)
-(typeattribute hal_memtrack_client)
-(typeattribute hal_memtrack_hwservice_29_0)
-(typeattribute hal_memtrack_server)
-(typeattribute hal_neuralnetworks)
-(typeattribute hal_neuralnetworks_client)
-(typeattribute hal_neuralnetworks_hwservice_29_0)
-(typeattribute hal_neuralnetworks_server)
-(typeattribute hal_nfc)
-(typeattribute hal_nfc_client)
-(typeattribute hal_nfc_hwservice_29_0)
-(typeattribute hal_nfc_server)
-(typeattribute hal_oemlock)
-(typeattribute hal_oemlock_client)
-(typeattribute hal_oemlock_hwservice_29_0)
-(typeattribute hal_oemlock_server)
-(typeattribute hal_omx)
-(typeattribute hal_omx_client)
-(typeattribute hal_omx_hwservice_29_0)
-(typeattribute hal_omx_server)
-(typeattribute hal_power)
-(typeattribute hal_power_client)
-(typeattribute hal_power_hwservice_29_0)
-(typeattribute hal_power_server)
-(typeattribute hal_power_stats)
-(typeattribute hal_power_stats_client)
-(typeattribute hal_power_stats_hwservice_29_0)
-(typeattribute hal_power_stats_server)
-(typeattribute hal_renderscript_hwservice_29_0)
-(typeattribute hal_secure_element)
-(typeattribute hal_secure_element_client)
-(typeattribute hal_secure_element_hwservice_29_0)
-(typeattribute hal_secure_element_server)
-(typeattribute hal_sensors)
-(typeattribute hal_sensors_client)
-(typeattribute hal_sensors_hwservice_29_0)
-(typeattribute hal_sensors_server)
-(typeattribute hal_telephony)
-(typeattribute hal_telephony_client)
-(typeattribute hal_telephony_hwservice_29_0)
-(typeattribute hal_telephony_server)
-(typeattribute hal_tetheroffload)
-(typeattribute hal_tetheroffload_client)
-(typeattribute hal_tetheroffload_hwservice_29_0)
-(typeattribute hal_tetheroffload_server)
-(typeattribute hal_thermal)
-(typeattribute hal_thermal_client)
-(typeattribute hal_thermal_hwservice_29_0)
-(typeattribute hal_thermal_server)
-(typeattribute hal_tv_cec)
-(typeattribute hal_tv_cec_client)
-(typeattribute hal_tv_cec_hwservice_29_0)
-(typeattribute hal_tv_cec_server)
-(typeattribute hal_tv_input)
-(typeattribute hal_tv_input_client)
-(typeattribute hal_tv_input_hwservice_29_0)
-(typeattribute hal_tv_input_server)
-(typeattribute hal_usb)
-(typeattribute hal_usb_client)
-(typeattribute hal_usb_gadget)
-(typeattribute hal_usb_gadget_client)
-(typeattribute hal_usb_gadget_hwservice_29_0)
-(typeattribute hal_usb_gadget_server)
-(typeattribute hal_usb_hwservice_29_0)
-(typeattribute hal_usb_server)
-(typeattribute hal_vehicle)
-(typeattribute hal_vehicle_client)
-(typeattribute hal_vehicle_hwservice_29_0)
-(typeattribute hal_vehicle_server)
-(typeattribute hal_vibrator)
-(typeattribute hal_vibrator_client)
-(typeattribute hal_vibrator_hwservice_29_0)
-(typeattribute hal_vibrator_server)
-(typeattribute hal_vr)
-(typeattribute hal_vr_client)
-(typeattribute hal_vr_hwservice_29_0)
-(typeattribute hal_vr_server)
-(typeattribute hal_weaver)
-(typeattribute hal_weaver_client)
-(typeattribute hal_weaver_hwservice_29_0)
-(typeattribute hal_weaver_server)
-(typeattribute hal_wifi)
-(typeattribute hal_wifi_client)
-(typeattribute hal_wifi_hostapd)
-(typeattribute hal_wifi_hostapd_client)
-(typeattribute hal_wifi_hostapd_hwservice_29_0)
-(typeattribute hal_wifi_hostapd_server)
-(typeattribute hal_wifi_hwservice_29_0)
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_hwservice_29_0)
-(typeattribute hal_wifi_offload_server)
-(typeattribute hal_wifi_server)
-(typeattribute hal_wifi_supplicant)
-(typeattribute hal_wifi_supplicant_client)
-(typeattribute hal_wifi_supplicant_hwservice_29_0)
-(typeattribute hal_wifi_supplicant_server)
-(typeattribute halclientdomain)
-(typeattribute halserverdomain)
-(typeattribute hardware_properties_service_29_0)
-(typeattribute hardware_service_29_0)
-(typeattribute hci_attach_dev_29_0)
-(typeattribute hdmi_control_service_29_0)
-(typeattribute healthd_29_0)
-(typeattribute healthd_exec_29_0)
-(typeattribute heapdump_data_file_29_0)
-(typeattribute heapprofd_29_0)
-(typeattribute heapprofd_enabled_prop_29_0)
-(typeattribute heapprofd_prop_29_0)
-(typeattribute heapprofd_socket_29_0)
-(typeattribute hidl_allocator_hwservice_29_0)
-(typeattribute hidl_base_hwservice_29_0)
-(typeattribute hidl_manager_hwservice_29_0)
-(typeattribute hidl_memory_hwservice_29_0)
-(typeattribute hidl_token_hwservice_29_0)
-(typeattribute hw_random_device_29_0)
-(typeattribute hwbinder_device_29_0)
-(typeattribute hwservice_contexts_file_29_0)
-(typeattribute hwservice_manager_type)
-(typeattribute hwservicemanager_29_0)
-(typeattribute hwservicemanager_exec_29_0)
-(typeattribute hwservicemanager_prop_29_0)
-(typeattribute icon_file_29_0)
-(typeattribute idmap_29_0)
-(typeattribute idmap_exec_29_0)
-(typeattribute idmap_service_29_0)
-(typeattribute iio_device_29_0)
-(typeattribute imms_service_29_0)
-(typeattribute incident_29_0)
-(typeattribute incident_data_file_29_0)
-(typeattribute incident_helper_29_0)
-(typeattribute incident_service_29_0)
-(typeattribute incidentd_29_0)
-(typeattribute init_29_0)
-(typeattribute init_exec_29_0)
-(typeattribute init_tmpfs_29_0)
-(typeattribute inotify_29_0)
-(typeattribute input_device_29_0)
-(typeattribute input_method_service_29_0)
-(typeattribute input_service_29_0)
-(typeattribute inputflinger_29_0)
-(typeattribute inputflinger_exec_29_0)
-(typeattribute inputflinger_service_29_0)
-(typeattribute install_data_file_29_0)
-(typeattribute install_recovery_29_0)
-(typeattribute install_recovery_exec_29_0)
-(typeattribute installd_29_0)
-(typeattribute installd_exec_29_0)
-(typeattribute installd_service_29_0)
-(typeattribute ion_device_29_0)
-(typeattribute iorapd_29_0)
-(typeattribute iorapd_data_file_29_0)
-(typeattribute iorapd_exec_29_0)
-(typeattribute iorapd_service_29_0)
-(typeattribute iorapd_tmpfs_29_0)
-(typeattribute ipsec_service_29_0)
-(typeattribute iris_service_29_0)
-(typeattribute iris_vendor_data_file_29_0)
-(typeattribute isolated_app_29_0)
-(typeattribute jobscheduler_service_29_0)
-(typeattribute kernel_29_0)
-(typeattribute keychain_data_file_29_0)
-(typeattribute keychord_device_29_0)
-(typeattribute keystore_29_0)
-(typeattribute keystore_data_file_29_0)
-(typeattribute keystore_exec_29_0)
-(typeattribute keystore_service_29_0)
-(typeattribute kmsg_debug_device_29_0)
-(typeattribute kmsg_device_29_0)
-(typeattribute labeledfs_29_0)
-(typeattribute last_boot_reason_prop_29_0)
-(typeattribute launcherapps_service_29_0)
-(typeattribute llkd_29_0)
-(typeattribute llkd_exec_29_0)
-(typeattribute llkd_prop_29_0)
-(typeattribute lmkd_29_0)
-(typeattribute lmkd_exec_29_0)
-(typeattribute lmkd_socket_29_0)
-(typeattribute location_service_29_0)
-(typeattribute lock_settings_service_29_0)
-(typeattribute log_prop_29_0)
-(typeattribute log_property_type)
-(typeattribute log_tag_prop_29_0)
-(typeattribute logcat_exec_29_0)
-(typeattribute logd_29_0)
-(typeattribute logd_exec_29_0)
-(typeattribute logd_prop_29_0)
-(typeattribute logd_socket_29_0)
-(typeattribute logdr_socket_29_0)
-(typeattribute logdw_socket_29_0)
-(typeattribute logpersist_29_0)
-(typeattribute logpersistd_logging_prop_29_0)
-(typeattribute loop_control_device_29_0)
-(typeattribute loop_device_29_0)
-(typeattribute looper_stats_service_29_0)
-(typeattribute lowpan_device_29_0)
-(typeattribute lowpan_prop_29_0)
-(typeattribute lowpan_service_29_0)
-(typeattribute lpdump_service_29_0)
-(typeattribute lpdumpd_prop_29_0)
-(typeattribute mac_perms_file_29_0)
-(typeattribute mdns_socket_29_0)
-(typeattribute mdnsd_29_0)
-(typeattribute mdnsd_socket_29_0)
-(typeattribute media_data_file_29_0)
-(typeattribute media_projection_service_29_0)
-(typeattribute media_router_service_29_0)
-(typeattribute media_rw_data_file_29_0)
-(typeattribute media_session_service_29_0)
-(typeattribute mediacodec_service_29_0)
-(typeattribute mediadrmserver_29_0)
-(typeattribute mediadrmserver_exec_29_0)
-(typeattribute mediadrmserver_service_29_0)
-(typeattribute mediaextractor_29_0)
-(typeattribute mediaextractor_exec_29_0)
-(typeattribute mediaextractor_service_29_0)
-(typeattribute mediaextractor_tmpfs_29_0)
-(typeattribute mediametrics_29_0)
-(typeattribute mediametrics_exec_29_0)
-(typeattribute mediametrics_service_29_0)
-(typeattribute mediaprovider_29_0)
-(typeattribute mediaserver_29_0)
-(typeattribute mediaserver_exec_29_0)
-(typeattribute mediaserver_service_29_0)
-(typeattribute mediaserver_tmpfs_29_0)
-(typeattribute mediaswcodec_29_0)
-(typeattribute mediaswcodec_exec_29_0)
-(typeattribute mediaswcodec_server)
-(typeattribute meminfo_service_29_0)
-(typeattribute metadata_block_device_29_0)
-(typeattribute metadata_file_29_0)
-(typeattribute method_trace_data_file_29_0)
-(typeattribute midi_service_29_0)
-(typeattribute misc_block_device_29_0)
-(typeattribute misc_logd_file_29_0)
-(typeattribute misc_user_data_file_29_0)
-(typeattribute mlstrustedobject)
-(typeattribute mlstrustedsubject)
-(typeattribute mmc_prop_29_0)
-(typeattribute mnt_expand_file_29_0)
-(typeattribute mnt_media_rw_file_29_0)
-(typeattribute mnt_media_rw_stub_file_29_0)
-(typeattribute mnt_product_file_29_0)
-(typeattribute mnt_user_file_29_0)
-(typeattribute mnt_vendor_file_29_0)
-(typeattribute modprobe_29_0)
-(typeattribute mount_service_29_0)
-(typeattribute mqueue_29_0)
-(typeattribute mtp_29_0)
-(typeattribute mtp_device_29_0)
-(typeattribute mtp_exec_29_0)
-(typeattribute mtpd_socket_29_0)
-(typeattribute nativetest_data_file_29_0)
-(typeattribute net_data_file_29_0)
-(typeattribute net_dns_prop_29_0)
-(typeattribute net_radio_prop_29_0)
-(typeattribute netd_29_0)
-(typeattribute netd_exec_29_0)
-(typeattribute netd_listener_service_29_0)
-(typeattribute netd_service_29_0)
-(typeattribute netd_stable_secret_prop_29_0)
-(typeattribute netdomain)
-(typeattribute netif_29_0)
-(typeattribute netif_type)
-(typeattribute netpolicy_service_29_0)
-(typeattribute netstats_service_29_0)
-(typeattribute netutils_wrapper_29_0)
-(typeattribute netutils_wrapper_exec_29_0)
-(typeattribute network_management_service_29_0)
-(typeattribute network_score_service_29_0)
-(typeattribute network_stack_29_0)
-(typeattribute network_stack_service_29_0)
-(typeattribute network_time_update_service_29_0)
-(typeattribute network_watchlist_data_file_29_0)
-(typeattribute network_watchlist_service_29_0)
-(typeattribute nfc_29_0)
-(typeattribute nfc_data_file_29_0)
-(typeattribute nfc_device_29_0)
-(typeattribute nfc_prop_29_0)
-(typeattribute nfc_service_29_0)
-(typeattribute nnapi_ext_deny_product_prop_29_0)
-(typeattribute node_29_0)
-(typeattribute node_type)
-(typeattribute nonplat_service_contexts_file_29_0)
-(typeattribute notification_service_29_0)
-(typeattribute null_device_29_0)
-(typeattribute oem_lock_service_29_0)
-(typeattribute oemfs_29_0)
-(typeattribute ota_data_file_29_0)
-(typeattribute ota_package_file_29_0)
-(typeattribute otadexopt_service_29_0)
-(typeattribute overlay_prop_29_0)
-(typeattribute overlay_service_29_0)
-(typeattribute overlayfs_file_29_0)
-(typeattribute owntty_device_29_0)
-(typeattribute package_native_service_29_0)
-(typeattribute package_service_29_0)
-(typeattribute packages_list_file_29_0)
-(typeattribute pan_result_prop_29_0)
-(typeattribute password_slot_metadata_file_29_0)
-(typeattribute pdx_bufferhub_client_channel_socket_29_0)
-(typeattribute pdx_bufferhub_client_channel_socket_type)
-(typeattribute pdx_bufferhub_client_endpoint_dir_type)
-(typeattribute pdx_bufferhub_client_endpoint_socket_29_0)
-(typeattribute pdx_bufferhub_client_endpoint_socket_type)
-(typeattribute pdx_bufferhub_client_server_type)
-(typeattribute pdx_bufferhub_dir_29_0)
-(typeattribute pdx_channel_socket_type)
-(typeattribute pdx_display_client_channel_socket_29_0)
-(typeattribute pdx_display_client_channel_socket_type)
-(typeattribute pdx_display_client_endpoint_dir_type)
-(typeattribute pdx_display_client_endpoint_socket_29_0)
-(typeattribute pdx_display_client_endpoint_socket_type)
-(typeattribute pdx_display_client_server_type)
-(typeattribute pdx_display_dir_29_0)
-(typeattribute pdx_display_manager_channel_socket_29_0)
-(typeattribute pdx_display_manager_channel_socket_type)
-(typeattribute pdx_display_manager_endpoint_dir_type)
-(typeattribute pdx_display_manager_endpoint_socket_29_0)
-(typeattribute pdx_display_manager_endpoint_socket_type)
-(typeattribute pdx_display_manager_server_type)
-(typeattribute pdx_display_screenshot_channel_socket_29_0)
-(typeattribute pdx_display_screenshot_channel_socket_type)
-(typeattribute pdx_display_screenshot_endpoint_dir_type)
-(typeattribute pdx_display_screenshot_endpoint_socket_29_0)
-(typeattribute pdx_display_screenshot_endpoint_socket_type)
-(typeattribute pdx_display_screenshot_server_type)
-(typeattribute pdx_display_vsync_channel_socket_29_0)
-(typeattribute pdx_display_vsync_channel_socket_type)
-(typeattribute pdx_display_vsync_endpoint_dir_type)
-(typeattribute pdx_display_vsync_endpoint_socket_29_0)
-(typeattribute pdx_display_vsync_endpoint_socket_type)
-(typeattribute pdx_display_vsync_server_type)
-(typeattribute pdx_endpoint_dir_type)
-(typeattribute pdx_endpoint_socket_type)
-(typeattribute pdx_performance_client_channel_socket_29_0)
-(typeattribute pdx_performance_client_channel_socket_type)
-(typeattribute pdx_performance_client_endpoint_dir_type)
-(typeattribute pdx_performance_client_endpoint_socket_29_0)
-(typeattribute pdx_performance_client_endpoint_socket_type)
-(typeattribute pdx_performance_client_server_type)
-(typeattribute pdx_performance_dir_29_0)
-(typeattribute perfetto_29_0)
-(typeattribute performanced_29_0)
-(typeattribute performanced_exec_29_0)
-(typeattribute perfprofd_29_0)
-(typeattribute perfprofd_data_file_29_0)
-(typeattribute perfprofd_exec_29_0)
-(typeattribute perfprofd_service_29_0)
-(typeattribute permission_service_29_0)
-(typeattribute permissionmgr_service_29_0)
-(typeattribute persist_debug_prop_29_0)
-(typeattribute persistent_data_block_service_29_0)
-(typeattribute persistent_properties_ready_prop_29_0)
-(typeattribute pinner_service_29_0)
-(typeattribute pipefs_29_0)
-(typeattribute platform_app_29_0)
-(typeattribute pm_prop_29_0)
-(typeattribute pmsg_device_29_0)
-(typeattribute port_29_0)
-(typeattribute port_device_29_0)
-(typeattribute port_type)
-(typeattribute postinstall_29_0)
-(typeattribute postinstall_apex_mnt_dir_29_0)
-(typeattribute postinstall_file_29_0)
-(typeattribute postinstall_mnt_dir_29_0)
-(typeattribute power_service_29_0)
-(typeattribute powerctl_prop_29_0)
-(typeattribute ppp_29_0)
-(typeattribute ppp_device_29_0)
-(typeattribute ppp_exec_29_0)
-(typeattribute preloads_data_file_29_0)
-(typeattribute preloads_media_file_29_0)
-(typeattribute print_service_29_0)
-(typeattribute priv_app_29_0)
-(typeattribute privapp_data_file_29_0)
-(typeattribute proc_29_0)
-(typeattribute proc_abi_29_0)
-(typeattribute proc_asound_29_0)
-(typeattribute proc_bluetooth_writable_29_0)
-(typeattribute proc_buddyinfo_29_0)
-(typeattribute proc_cmdline_29_0)
-(typeattribute proc_cpuinfo_29_0)
-(typeattribute proc_dirty_29_0)
-(typeattribute proc_diskstats_29_0)
-(typeattribute proc_drop_caches_29_0)
-(typeattribute proc_extra_free_kbytes_29_0)
-(typeattribute proc_filesystems_29_0)
-(typeattribute proc_fs_verity_29_0)
-(typeattribute proc_hostname_29_0)
-(typeattribute proc_hung_task_29_0)
-(typeattribute proc_interrupts_29_0)
-(typeattribute proc_iomem_29_0)
-(typeattribute proc_keys_29_0)
-(typeattribute proc_kmsg_29_0)
-(typeattribute proc_loadavg_29_0)
-(typeattribute proc_max_map_count_29_0)
-(typeattribute proc_meminfo_29_0)
-(typeattribute proc_min_free_order_shift_29_0)
-(typeattribute proc_misc_29_0)
-(typeattribute proc_modules_29_0)
-(typeattribute proc_mounts_29_0)
-(typeattribute proc_net_29_0)
-(typeattribute proc_net_tcp_udp_29_0)
-(typeattribute proc_net_type)
-(typeattribute proc_overcommit_memory_29_0)
-(typeattribute proc_page_cluster_29_0)
-(typeattribute proc_pagetypeinfo_29_0)
-(typeattribute proc_panic_29_0)
-(typeattribute proc_perf_29_0)
-(typeattribute proc_pid_max_29_0)
-(typeattribute proc_pipe_conf_29_0)
-(typeattribute proc_pressure_cpu_29_0)
-(typeattribute proc_pressure_io_29_0)
-(typeattribute proc_pressure_mem_29_0)
-(typeattribute proc_qtaguid_ctrl_29_0)
-(typeattribute proc_qtaguid_stat_29_0)
-(typeattribute proc_random_29_0)
-(typeattribute proc_sched_29_0)
-(typeattribute proc_security_29_0)
-(typeattribute proc_slabinfo_29_0)
-(typeattribute proc_stat_29_0)
-(typeattribute proc_swaps_29_0)
-(typeattribute proc_sysrq_29_0)
-(typeattribute proc_timer_29_0)
-(typeattribute proc_tty_drivers_29_0)
-(typeattribute proc_type)
-(typeattribute proc_uid_concurrent_active_time_29_0)
-(typeattribute proc_uid_concurrent_policy_time_29_0)
-(typeattribute proc_uid_cpupower_29_0)
-(typeattribute proc_uid_cputime_removeuid_29_0)
-(typeattribute proc_uid_cputime_showstat_29_0)
-(typeattribute proc_uid_io_stats_29_0)
-(typeattribute proc_uid_procstat_set_29_0)
-(typeattribute proc_uid_time_in_state_29_0)
-(typeattribute proc_uptime_29_0)
-(typeattribute proc_version_29_0)
-(typeattribute proc_vmallocinfo_29_0)
-(typeattribute proc_vmstat_29_0)
-(typeattribute proc_zoneinfo_29_0)
-(typeattribute processinfo_service_29_0)
-(typeattribute procstats_service_29_0)
-(typeattribute profman_29_0)
-(typeattribute profman_dump_data_file_29_0)
-(typeattribute profman_exec_29_0)
-(typeattribute properties_device_29_0)
-(typeattribute properties_serial_29_0)
-(typeattribute property_contexts_file_29_0)
-(typeattribute property_data_file_29_0)
-(typeattribute property_info_29_0)
-(typeattribute property_socket_29_0)
-(typeattribute property_type)
-(typeattribute pstorefs_29_0)
-(typeattribute ptmx_device_29_0)
-(typeattribute qtaguid_device_29_0)
-(typeattribute racoon_29_0)
-(typeattribute racoon_exec_29_0)
-(typeattribute racoon_socket_29_0)
-(typeattribute radio_29_0)
-(typeattribute radio_data_file_29_0)
-(typeattribute radio_device_29_0)
-(typeattribute radio_prop_29_0)
-(typeattribute radio_service_29_0)
-(typeattribute ram_device_29_0)
-(typeattribute random_device_29_0)
-(typeattribute recovery_29_0)
-(typeattribute recovery_block_device_29_0)
-(typeattribute recovery_data_file_29_0)
-(typeattribute recovery_persist_29_0)
-(typeattribute recovery_persist_exec_29_0)
-(typeattribute recovery_refresh_29_0)
-(typeattribute recovery_refresh_exec_29_0)
-(typeattribute recovery_service_29_0)
-(typeattribute recovery_socket_29_0)
-(typeattribute registry_service_29_0)
-(typeattribute resourcecache_data_file_29_0)
-(typeattribute restorecon_prop_29_0)
-(typeattribute restrictions_service_29_0)
-(typeattribute rild_debug_socket_29_0)
-(typeattribute rild_socket_29_0)
-(typeattribute ringtone_file_29_0)
-(typeattribute role_service_29_0)
-(typeattribute rollback_service_29_0)
-(typeattribute root_block_device_29_0)
-(typeattribute rootfs_29_0)
-(typeattribute rpmsg_device_29_0)
-(typeattribute rs_29_0)
-(typeattribute rs_exec_29_0)
-(typeattribute rss_hwm_reset_29_0)
-(typeattribute rtc_device_29_0)
-(typeattribute rttmanager_service_29_0)
-(typeattribute runas_29_0)
-(typeattribute runas_app_29_0)
-(typeattribute runas_exec_29_0)
-(typeattribute runtime_event_log_tags_file_29_0)
-(typeattribute runtime_service_29_0)
-(typeattribute safemode_prop_29_0)
-(typeattribute same_process_hal_file_29_0)
-(typeattribute same_process_hwservice)
-(typeattribute samplingprofiler_service_29_0)
-(typeattribute scheduler_service_server)
-(typeattribute scheduling_policy_service_29_0)
-(typeattribute sdcard_block_device_29_0)
-(typeattribute sdcard_type)
-(typeattribute sdcardd_29_0)
-(typeattribute sdcardd_exec_29_0)
-(typeattribute sdcardfs_29_0)
-(typeattribute seapp_contexts_file_29_0)
-(typeattribute search_service_29_0)
-(typeattribute sec_key_att_app_id_provider_service_29_0)
-(typeattribute secure_element_29_0)
-(typeattribute secure_element_device_29_0)
-(typeattribute secure_element_service_29_0)
-(typeattribute selinuxfs_29_0)
-(typeattribute sensor_privacy_service_29_0)
-(typeattribute sensor_service_server)
-(typeattribute sensors_device_29_0)
-(typeattribute sensorservice_service_29_0)
-(typeattribute sepolicy_file_29_0)
-(typeattribute serial_device_29_0)
-(typeattribute serial_service_29_0)
-(typeattribute serialno_prop_29_0)
-(typeattribute server_configurable_flags_data_file_29_0)
-(typeattribute service_contexts_file_29_0)
-(typeattribute service_manager_type)
-(typeattribute servicediscovery_service_29_0)
-(typeattribute servicemanager_29_0)
-(typeattribute servicemanager_exec_29_0)
-(typeattribute settings_service_29_0)
-(typeattribute sgdisk_29_0)
-(typeattribute sgdisk_exec_29_0)
-(typeattribute shared_relro_29_0)
-(typeattribute shared_relro_file_29_0)
-(typeattribute shell_29_0)
-(typeattribute shell_data_file_29_0)
-(typeattribute shell_exec_29_0)
-(typeattribute shell_prop_29_0)
-(typeattribute shm_29_0)
-(typeattribute shortcut_manager_icons_29_0)
-(typeattribute shortcut_service_29_0)
-(typeattribute simpleperf_app_runner_29_0)
-(typeattribute simpleperf_app_runner_exec_29_0)
-(typeattribute slice_service_29_0)
-(typeattribute slideshow_29_0)
-(typeattribute socket_between_core_and_vendor_violators)
-(typeattribute socket_device_29_0)
-(typeattribute sockfs_29_0)
-(typeattribute staging_data_file_29_0)
-(typeattribute stats_data_file_29_0)
-(typeattribute stats_service_server)
-(typeattribute statsd_29_0)
-(typeattribute statsd_exec_29_0)
-(typeattribute statsdw_socket_29_0)
-(typeattribute statusbar_service_29_0)
-(typeattribute storage_file_29_0)
-(typeattribute storage_stub_file_29_0)
-(typeattribute storaged_service_29_0)
-(typeattribute storagestats_service_29_0)
-(typeattribute su_29_0)
-(typeattribute su_exec_29_0)
-(typeattribute super_block_device_29_0)
-(typeattribute super_block_device_type)
-(typeattribute surfaceflinger_29_0)
-(typeattribute surfaceflinger_service_29_0)
-(typeattribute surfaceflinger_tmpfs_29_0)
-(typeattribute swap_block_device_29_0)
-(typeattribute sysfs_29_0)
-(typeattribute sysfs_android_usb_29_0)
-(typeattribute sysfs_batteryinfo_29_0)
-(typeattribute sysfs_bluetooth_writable_29_0)
-(typeattribute sysfs_devices_block_29_0)
-(typeattribute sysfs_devices_system_cpu_29_0)
-(typeattribute sysfs_dm_29_0)
-(typeattribute sysfs_dt_firmware_android_29_0)
-(typeattribute sysfs_extcon_29_0)
-(typeattribute sysfs_fs_ext4_features_29_0)
-(typeattribute sysfs_fs_f2fs_29_0)
-(typeattribute sysfs_hwrandom_29_0)
-(typeattribute sysfs_ipv4_29_0)
-(typeattribute sysfs_kernel_notes_29_0)
-(typeattribute sysfs_leds_29_0)
-(typeattribute sysfs_loop_29_0)
-(typeattribute sysfs_lowmemorykiller_29_0)
-(typeattribute sysfs_mac_address_29_0)
-(typeattribute sysfs_net_29_0)
-(typeattribute sysfs_nfc_power_writable_29_0)
-(typeattribute sysfs_power_29_0)
-(typeattribute sysfs_rtc_29_0)
-(typeattribute sysfs_switch_29_0)
-(typeattribute sysfs_thermal_29_0)
-(typeattribute sysfs_transparent_hugepage_29_0)
-(typeattribute sysfs_type)
-(typeattribute sysfs_uio_29_0)
-(typeattribute sysfs_usb_29_0)
-(typeattribute sysfs_usermodehelper_29_0)
-(typeattribute sysfs_vibrator_29_0)
-(typeattribute sysfs_wake_lock_29_0)
-(typeattribute sysfs_wakeup_reasons_29_0)
-(typeattribute sysfs_wlan_fwpath_29_0)
-(typeattribute sysfs_zram_29_0)
-(typeattribute sysfs_zram_uevent_29_0)
-(typeattribute system_api_service)
-(typeattribute system_app_29_0)
-(typeattribute system_app_data_file_29_0)
-(typeattribute system_app_service_29_0)
-(typeattribute system_asan_options_file_29_0)
-(typeattribute system_block_device_29_0)
-(typeattribute system_boot_reason_prop_29_0)
-(typeattribute system_bootstrap_lib_file_29_0)
-(typeattribute system_data_file_29_0)
-(typeattribute system_event_log_tags_file_29_0)
-(typeattribute system_executes_vendor_violators)
-(typeattribute system_file_29_0)
-(typeattribute system_file_type)
-(typeattribute system_lib_file_29_0)
-(typeattribute system_linker_config_file_29_0)
-(typeattribute system_linker_exec_29_0)
-(typeattribute system_lmk_prop_29_0)
-(typeattribute system_ndebug_socket_29_0)
-(typeattribute system_net_netd_hwservice_29_0)
-(typeattribute system_prop_29_0)
-(typeattribute system_radio_prop_29_0)
-(typeattribute system_seccomp_policy_file_29_0)
-(typeattribute system_security_cacerts_file_29_0)
-(typeattribute system_server_29_0)
-(typeattribute system_server_service)
-(typeattribute system_server_tmpfs_29_0)
-(typeattribute system_suspend_control_service_29_0)
-(typeattribute system_suspend_hwservice_29_0)
-(typeattribute system_suspend_server)
-(typeattribute system_trace_prop_29_0)
-(typeattribute system_update_service_29_0)
-(typeattribute system_wifi_keystore_hwservice_29_0)
-(typeattribute system_wpa_socket_29_0)
-(typeattribute system_writes_mnt_vendor_violators)
-(typeattribute system_writes_vendor_properties_violators)
-(typeattribute system_zoneinfo_file_29_0)
-(typeattribute systemkeys_data_file_29_0)
-(typeattribute task_profiles_file_29_0)
-(typeattribute task_service_29_0)
-(typeattribute tcpdump_exec_29_0)
-(typeattribute tee_29_0)
-(typeattribute tee_data_file_29_0)
-(typeattribute tee_device_29_0)
-(typeattribute telecom_service_29_0)
-(typeattribute test_boot_reason_prop_29_0)
-(typeattribute test_harness_prop_29_0)
-(typeattribute testharness_service_29_0)
-(typeattribute textclassification_service_29_0)
-(typeattribute textclassifier_data_file_29_0)
-(typeattribute textservices_service_29_0)
-(typeattribute thermal_service_29_0)
-(typeattribute thermalcallback_hwservice_29_0)
-(typeattribute time_prop_29_0)
-(typeattribute timedetector_service_29_0)
-(typeattribute timezone_service_29_0)
-(typeattribute tmpfs_29_0)
-(typeattribute tombstone_data_file_29_0)
-(typeattribute tombstone_wifi_data_file_29_0)
-(typeattribute tombstoned_29_0)
-(typeattribute tombstoned_crash_socket_29_0)
-(typeattribute tombstoned_exec_29_0)
-(typeattribute tombstoned_intercept_socket_29_0)
-(typeattribute tombstoned_java_trace_socket_29_0)
-(typeattribute toolbox_29_0)
-(typeattribute toolbox_exec_29_0)
-(typeattribute trace_data_file_29_0)
-(typeattribute traced_29_0)
-(typeattribute traced_consumer_socket_29_0)
-(typeattribute traced_enabled_prop_29_0)
-(typeattribute traced_lazy_prop_29_0)
-(typeattribute traced_probes_29_0)
-(typeattribute traced_producer_socket_29_0)
-(typeattribute traceur_app_29_0)
-(typeattribute trust_service_29_0)
-(typeattribute tty_device_29_0)
-(typeattribute tun_device_29_0)
-(typeattribute tv_input_service_29_0)
-(typeattribute tzdatacheck_29_0)
-(typeattribute tzdatacheck_exec_29_0)
-(typeattribute ueventd_29_0)
-(typeattribute ueventd_tmpfs_29_0)
-(typeattribute uhid_device_29_0)
-(typeattribute uimode_service_29_0)
-(typeattribute uio_device_29_0)
-(typeattribute uncrypt_29_0)
-(typeattribute uncrypt_exec_29_0)
-(typeattribute uncrypt_socket_29_0)
-(typeattribute unencrypted_data_file_29_0)
-(typeattribute unlabeled_29_0)
-(typeattribute untrusted_app_25_29_0)
-(typeattribute untrusted_app_27_29_0)
-(typeattribute untrusted_app_29_0)
-(typeattribute untrusted_app_all)
-(typeattribute untrusted_app_visible_halserver_violators)
-(typeattribute untrusted_app_visible_hwservice_violators)
-(typeattribute update_engine_29_0)
-(typeattribute update_engine_common)
-(typeattribute update_engine_data_file_29_0)
-(typeattribute update_engine_exec_29_0)
-(typeattribute update_engine_log_data_file_29_0)
-(typeattribute update_engine_service_29_0)
-(typeattribute update_verifier_29_0)
-(typeattribute update_verifier_exec_29_0)
-(typeattribute updatelock_service_29_0)
-(typeattribute uri_grants_service_29_0)
-(typeattribute usagestats_service_29_0)
-(typeattribute usb_device_29_0)
-(typeattribute usb_service_29_0)
-(typeattribute usbaccessory_device_29_0)
-(typeattribute usbd_29_0)
-(typeattribute usbd_exec_29_0)
-(typeattribute usbfs_29_0)
-(typeattribute use_memfd_prop_29_0)
-(typeattribute user_profile_data_file_29_0)
-(typeattribute user_service_29_0)
-(typeattribute userdata_block_device_29_0)
-(typeattribute usermodehelper_29_0)
-(typeattribute vdc_29_0)
-(typeattribute vdc_exec_29_0)
-(typeattribute vendor_app_file_29_0)
-(typeattribute vendor_cgroup_desc_file_29_0)
-(typeattribute vendor_configs_file_29_0)
-(typeattribute vendor_data_file_29_0)
-(typeattribute vendor_default_prop_29_0)
-(typeattribute vendor_executes_system_violators)
-(typeattribute vendor_file_29_0)
-(typeattribute vendor_file_type)
-(typeattribute vendor_framework_file_29_0)
-(typeattribute vendor_hal_file_29_0)
-(typeattribute vendor_idc_file_29_0)
-(typeattribute vendor_init_29_0)
-(typeattribute vendor_keychars_file_29_0)
-(typeattribute vendor_keylayout_file_29_0)
-(typeattribute vendor_overlay_file_29_0)
-(typeattribute vendor_public_lib_file_29_0)
-(typeattribute vendor_security_patch_level_prop_29_0)
-(typeattribute vendor_shell_29_0)
-(typeattribute vendor_shell_exec_29_0)
-(typeattribute vendor_task_profiles_file_29_0)
-(typeattribute vendor_toolbox_exec_29_0)
-(typeattribute vfat_29_0)
-(typeattribute vibrator_service_29_0)
-(typeattribute video_device_29_0)
-(typeattribute virtual_touchpad_29_0)
-(typeattribute virtual_touchpad_exec_29_0)
-(typeattribute virtual_touchpad_service_29_0)
-(typeattribute vndbinder_device_29_0)
-(typeattribute vndk_sp_file_29_0)
-(typeattribute vndservice_contexts_file_29_0)
-(typeattribute vndservice_manager_type)
-(typeattribute vndservicemanager_29_0)
-(typeattribute voiceinteraction_service_29_0)
-(typeattribute vold_29_0)
-(typeattribute vold_data_file_29_0)
-(typeattribute vold_device_29_0)
-(typeattribute vold_exec_29_0)
-(typeattribute vold_metadata_file_29_0)
-(typeattribute vold_prepare_subdirs_29_0)
-(typeattribute vold_prepare_subdirs_exec_29_0)
-(typeattribute vold_prop_29_0)
-(typeattribute vold_service_29_0)
-(typeattribute vpn_data_file_29_0)
-(typeattribute vr_hwc_29_0)
-(typeattribute vr_hwc_exec_29_0)
-(typeattribute vr_hwc_service_29_0)
-(typeattribute vr_manager_service_29_0)
-(typeattribute vrflinger_vsync_service_29_0)
-(typeattribute wallpaper_file_29_0)
-(typeattribute wallpaper_service_29_0)
-(typeattribute watchdog_device_29_0)
-(typeattribute watchdogd_29_0)
-(typeattribute watchdogd_exec_29_0)
-(typeattribute webview_zygote_29_0)
-(typeattribute webview_zygote_exec_29_0)
-(typeattribute webview_zygote_tmpfs_29_0)
-(typeattribute webviewupdate_service_29_0)
-(typeattribute wifi_data_file_29_0)
-(typeattribute wifi_keystore_service_server)
-(typeattribute wifi_log_prop_29_0)
-(typeattribute wifi_prop_29_0)
-(typeattribute wifi_service_29_0)
-(typeattribute wifiaware_service_29_0)
-(typeattribute wificond_29_0)
-(typeattribute wificond_exec_29_0)
-(typeattribute wificond_service_29_0)
-(typeattribute wifip2p_service_29_0)
-(typeattribute wifiscanner_service_29_0)
-(typeattribute window_service_29_0)
-(typeattribute wpa_socket_29_0)
-(typeattribute wpantund_29_0)
-(typeattribute wpantund_exec_29_0)
-(typeattribute wpantund_service_29_0)
-(typeattribute zero_device_29_0)
-(typeattribute zoneinfo_data_file_29_0)
-(typeattribute zygote_29_0)
-(typeattribute zygote_exec_29_0)
-(typeattribute zygote_socket_29_0)
-(typeattribute zygote_tmpfs_29_0)
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
deleted file mode 100644
index 60f42b9..0000000
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.cil
+++ /dev/null
@@ -1,785 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_keystore)
-(typeattribute hal_wifi_keystore_client)
-(typeattribute hal_wifi_keystore_server)
-
-;; types removed from current policy
-(type untrusted_v2_app)
-(type asan_reboot_prop)
-(type commontime_management_service)
-(type log_device)
-(type mediacasserver_service)
-(type mediacodec)
-(type mediacodec_exec)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type tracing_shell_writable)
-(type tracing_shell_writable_debug)
-(type vold_socket)
-(type webview_zygote_socket)
-(type rild)
-(type netd_socket)
-
-(typeattributeset accessibility_service_26_0 (accessibility_service))
-(typeattributeset account_service_26_0 (account_service))
-(typeattributeset activity_service_26_0 (activity_service))
-(typeattributeset adbd_26_0 (adbd))
-(typeattributeset adb_data_file_26_0 (adb_data_file))
-(typeattributeset adbd_socket_26_0 (adbd_socket))
-(typeattributeset adb_keys_file_26_0 (adb_keys_file))
-(typeattributeset alarm_device_26_0 (alarm_device))
-(typeattributeset alarm_service_26_0 (alarm_service))
-(typeattributeset anr_data_file_26_0 (anr_data_file))
-(typeattributeset apk_data_file_26_0 (apk_data_file))
-(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_26_0 (app_fuse_file))
-(typeattributeset app_fusefs_26_0 (app_fusefs))
-(typeattributeset appops_service_26_0 (appops_service))
-(typeattributeset appwidget_service_26_0 (appwidget_service))
-(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
-(typeattributeset asec_apk_file_26_0 (asec_apk_file))
-(typeattributeset asec_image_file_26_0 (asec_image_file))
-(typeattributeset asec_public_file_26_0 (asec_public_file))
-(typeattributeset ashmem_device_26_0 (ashmem_device))
-(typeattributeset assetatlas_service_26_0 (assetatlas_service))
-(typeattributeset audio_data_file_26_0 (audio_data_file))
-(typeattributeset audio_device_26_0 (audio_device))
-(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
-(typeattributeset audio_prop_26_0 (audio_prop))
-(typeattributeset audio_seq_device_26_0 (audio_seq_device))
-(typeattributeset audioserver_26_0 (audioserver))
-(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
-(typeattributeset audioserver_service_26_0 (audioserver_service))
-(typeattributeset audio_service_26_0 (audio_service))
-(typeattributeset audio_timer_device_26_0 (audio_timer_device))
-(typeattributeset autofill_service_26_0 (autofill_service))
-(typeattributeset backup_data_file_26_0 (backup_data_file))
-(typeattributeset backup_service_26_0 (backup_service))
-(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
-(typeattributeset battery_service_26_0 (battery_service))
-(typeattributeset batterystats_service_26_0 (batterystats_service))
-(typeattributeset binder_device_26_0 (binder_device))
-(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
-(typeattributeset blkid_26_0 (blkid))
-(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
-(typeattributeset block_device_26_0 (block_device))
-(typeattributeset bluetooth_26_0 (bluetooth))
-(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_26_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
-(typeattributeset bootanim_26_0 (bootanim))
-(typeattributeset bootanim_exec_26_0 (bootanim_exec))
-(typeattributeset boot_block_device_26_0 (boot_block_device))
-(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
-(typeattributeset bootstat_26_0 (bootstat))
-(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_26_0 (bootstat_exec))
-(typeattributeset boottime_prop_26_0 (boottime_prop))
-(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
-(typeattributeset bufferhubd_26_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_26_0 (cache_backup_file))
-(typeattributeset cache_block_device_26_0 (cache_block_device))
-(typeattributeset cache_file_26_0 (cache_file))
-(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
-(typeattributeset camera_data_file_26_0 (camera_data_file))
-(typeattributeset camera_device_26_0 (camera_device))
-(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
-(typeattributeset cameraserver_26_0 (cameraserver))
-(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_26_0 (cameraserver_service))
-(typeattributeset cgroup_26_0 (cgroup))
-(typeattributeset charger_26_0 (charger))
-(typeattributeset clatd_26_0 (clatd))
-(typeattributeset clatd_exec_26_0 (clatd_exec))
-(typeattributeset clipboard_service_26_0 (clipboard_service))
-(typeattributeset commontime_management_service_26_0 (commontime_management_service))
-(typeattributeset companion_device_service_26_0 (companion_device_service))
-(typeattributeset configfs_26_0 (configfs))
-(typeattributeset config_prop_26_0 (config_prop))
-(typeattributeset connectivity_service_26_0 (connectivity_service))
-(typeattributeset connmetrics_service_26_0 (connmetrics_service))
-(typeattributeset console_device_26_0 (console_device))
-(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
-(typeattributeset content_service_26_0 (content_service))
-(typeattributeset contexthub_service_26_0 (contexthub_service))
-(typeattributeset coredump_file_26_0 (coredump_file))
-(typeattributeset country_detector_service_26_0 (country_detector_service))
-(typeattributeset coverage_service_26_0 (coverage_service))
-(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
-(typeattributeset cppreopts_26_0 (cppreopts))
-(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_26_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
-(typeattributeset crash_dump_26_0 (crash_dump))
-(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_26_0 (dalvik_prop))
-(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0
- ( debugfs
- debugfs_wakeup_sources
- ))
-(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
-(typeattributeset debug_prop_26_0 (debug_prop))
-(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
-(typeattributeset default_android_service_26_0 (default_android_service))
-(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0
- ( default_prop pm_prop))
-(typeattributeset device_26_0 (device))
-(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_26_0 (deviceidle_service))
-(typeattributeset device_logging_prop_26_0 (device_logging_prop))
-(typeattributeset device_policy_service_26_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
-(typeattributeset devpts_26_0 (devpts))
-(typeattributeset dex2oat_26_0 (dex2oat))
-(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
-(typeattributeset dhcp_26_0 (dhcp))
-(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_26_0 (dhcp_exec))
-(typeattributeset dhcp_prop_26_0 (dhcp_prop))
-(typeattributeset diskstats_service_26_0 (diskstats_service))
-(typeattributeset display_service_26_0 (display_service))
-(typeattributeset dm_device_26_0 (dm_device))
-(typeattributeset dnsmasq_26_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_26_0 (DockObserver_service))
-(typeattributeset dreams_service_26_0 (dreams_service))
-(typeattributeset drm_data_file_26_0 (drm_data_file))
-(typeattributeset drmserver_26_0 (drmserver))
-(typeattributeset drmserver_exec_26_0 (drmserver_exec))
-(typeattributeset drmserver_service_26_0 (drmserver_service))
-(typeattributeset drmserver_socket_26_0 (drmserver_socket))
-(typeattributeset dropbox_service_26_0 (dropbox_service))
-(typeattributeset dumpstate_26_0 (dumpstate))
-(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_26_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
-(typeattributeset efs_file_26_0 (efs_file))
-(typeattributeset ephemeral_app_26_0 (ephemeral_app))
-(typeattributeset ethernet_service_26_0 (ethernet_service))
-(typeattributeset ffs_prop_26_0 (ffs_prop))
-(typeattributeset file_contexts_file_26_0 (file_contexts_file))
-(typeattributeset fingerprintd_26_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_26_0 (fingerprint_service))
-(typeattributeset firstboot_prop_26_0 (firstboot_prop))
-(typeattributeset font_service_26_0 (font_service))
-(typeattributeset frp_block_device_26_0 (frp_block_device))
-(typeattributeset fsck_26_0 (fsck))
-(typeattributeset fsck_exec_26_0 (fsck_exec))
-(typeattributeset fscklogs_26_0 (fscklogs))
-(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
-(typeattributeset full_device_26_0 (full_device))
-(typeattributeset functionfs_26_0 (functionfs))
-(typeattributeset fuse_26_0 (fuse))
-(typeattributeset fuse_device_26_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_26_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
-(typeattributeset gps_control_26_0 (gps_control))
-(typeattributeset gpu_device_26_0 (gpu_device))
-(typeattributeset gpu_service_26_0 (gpu_service))
-(typeattributeset graphics_device_26_0 (graphics_device))
-(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
-(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
-(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
-(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
-(typeattributeset hardware_service_26_0 (hardware_service))
-(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
-(typeattributeset healthd_26_0 (healthd))
-(typeattributeset healthd_exec_26_0 (healthd_exec))
-(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_26_0 (hwbinder_device))
-(typeattributeset hw_random_device_26_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_26_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_26_0 (i2c_device))
-(typeattributeset icon_file_26_0 (icon_file))
-(typeattributeset idmap_26_0 (idmap))
-(typeattributeset idmap_exec_26_0 (idmap_exec))
-(typeattributeset iio_device_26_0 (iio_device))
-(typeattributeset imms_service_26_0 (imms_service))
-(typeattributeset incident_26_0 (incident))
-(typeattributeset incidentd_26_0 (incidentd))
-(typeattributeset incident_data_file_26_0 (incident_data_file))
-(typeattributeset incident_service_26_0 (incident_service))
-(typeattributeset init_26_0 (init))
-(typeattributeset init_exec_26_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_26_0 (inotify))
-(typeattributeset input_device_26_0 (input_device))
-(typeattributeset inputflinger_26_0 (inputflinger))
-(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_26_0 (inputflinger_service))
-(typeattributeset input_method_service_26_0 (input_method_service))
-(typeattributeset input_service_26_0 (input_service))
-(typeattributeset installd_26_0 (installd))
-(typeattributeset install_data_file_26_0 (install_data_file))
-(typeattributeset installd_exec_26_0 (installd_exec))
-(typeattributeset installd_service_26_0 (installd_service))
-(typeattributeset install_recovery_26_0 (install_recovery))
-(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
-(typeattributeset ion_device_26_0 (ion_device))
-(typeattributeset IProxyService_service_26_0 (IProxyService_service))
-(typeattributeset ipsec_service_26_0 (ipsec_service))
-(typeattributeset isolated_app_26_0 (isolated_app))
-(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
-(typeattributeset kernel_26_0 (kernel))
-(typeattributeset keychain_data_file_26_0 (keychain_data_file))
-(typeattributeset keychord_device_26_0 (keychord_device))
-(typeattributeset keystore_26_0 (keystore))
-(typeattributeset keystore_data_file_26_0 (keystore_data_file))
-(typeattributeset keystore_exec_26_0 (keystore_exec))
-(typeattributeset keystore_service_26_0 (keystore_service))
-(typeattributeset kmem_device_26_0 (kmem_device))
-(typeattributeset kmsg_device_26_0 (kmsg_device))
-(typeattributeset labeledfs_26_0 (labeledfs))
-(typeattributeset launcherapps_service_26_0 (launcherapps_service))
-(typeattributeset lmkd_26_0 (lmkd))
-(typeattributeset lmkd_exec_26_0 (lmkd_exec))
-(typeattributeset lmkd_socket_26_0 (lmkd_socket))
-(typeattributeset location_service_26_0 (location_service))
-(typeattributeset lock_settings_service_26_0 (lock_settings_service))
-(typeattributeset logcat_exec_26_0 (logcat_exec))
-(typeattributeset logd_26_0 (logd))
-(typeattributeset log_device_26_0 (log_device))
-(typeattributeset logd_exec_26_0 (logd_exec))
-(typeattributeset logd_prop_26_0 (logd_prop))
-(typeattributeset logdr_socket_26_0 (logdr_socket))
-(typeattributeset logd_socket_26_0 (logd_socket))
-(typeattributeset logdw_socket_26_0 (logdw_socket))
-(typeattributeset logpersist_26_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_26_0 (log_prop))
-(typeattributeset log_tag_prop_26_0 (log_tag_prop))
-(typeattributeset loop_control_device_26_0 (loop_control_device))
-(typeattributeset loop_device_26_0 (loop_device))
-(typeattributeset mac_perms_file_26_0 (mac_perms_file))
-(typeattributeset mdnsd_26_0 (mdnsd))
-(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
-(typeattributeset mdns_socket_26_0 (mdns_socket))
-(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
-(typeattributeset hal_omx_server (mediacodec_26_0))
-(typeattributeset mediacodec_26_0 (mediacodec))
-(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_26_0 (mediacodec_service))
-(typeattributeset media_data_file_26_0 (media_data_file))
-(typeattributeset mediadrmserver_26_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_26_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
-(typeattributeset mediametrics_26_0 (mediametrics))
-(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_26_0 (mediametrics_service))
-(typeattributeset media_projection_service_26_0 (media_projection_service))
-(typeattributeset media_router_service_26_0 (media_router_service))
-(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
-(typeattributeset mediaserver_26_0 (mediaserver))
-(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_26_0 (mediaserver_service))
-(typeattributeset media_session_service_26_0 (media_session_service))
-(typeattributeset meminfo_service_26_0 (meminfo_service))
-(typeattributeset metadata_block_device_26_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
-(typeattributeset midi_service_26_0 (midi_service))
-(typeattributeset misc_block_device_26_0 (misc_block_device))
-(typeattributeset misc_logd_file_26_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
-(typeattributeset mmc_prop_26_0 (mmc_prop))
-(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_26_0 (mnt_user_file))
-(typeattributeset modprobe_26_0 (modprobe))
-(typeattributeset mount_service_26_0 (mount_service))
-(typeattributeset mqueue_26_0 (mqueue))
-(typeattributeset mtd_device_26_0 (mtd_device))
-(typeattributeset mtp_26_0 (mtp))
-(typeattributeset mtp_device_26_0 (mtp_device))
-(typeattributeset mtpd_socket_26_0 (mtpd_socket))
-(typeattributeset mtp_exec_26_0 (mtp_exec))
-(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
-(typeattributeset netd_26_0 (netd))
-(typeattributeset net_data_file_26_0 (net_data_file))
-(typeattributeset netd_exec_26_0 (netd_exec))
-(typeattributeset netd_listener_service_26_0 (netd_listener_service))
-(typeattributeset net_dns_prop_26_0 (net_dns_prop))
-(typeattributeset netd_service_26_0 (netd_service))
-(typeattributeset netd_socket_26_0 (netd_socket))
-(typeattributeset netif_26_0 (netif))
-(typeattributeset netpolicy_service_26_0 (netpolicy_service))
-(typeattributeset net_radio_prop_26_0 (net_radio_prop))
-(typeattributeset netstats_service_26_0 (netstats_service))
-(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_26_0 (network_management_service))
-(typeattributeset network_score_service_26_0 (network_score_service))
-(typeattributeset network_time_update_service_26_0 (network_time_update_service))
-(typeattributeset nfc_26_0 (nfc))
-(typeattributeset nfc_data_file_26_0 (nfc_data_file))
-(typeattributeset nfc_device_26_0 (nfc_device))
-(typeattributeset nfc_prop_26_0 (nfc_prop))
-(typeattributeset nfc_service_26_0 (nfc_service))
-(typeattributeset node_26_0 (node))
-(typeattributeset notification_service_26_0 (notification_service))
-(typeattributeset null_device_26_0 (null_device))
-(typeattributeset oemfs_26_0 (oemfs))
-(typeattributeset oem_lock_service_26_0 (oem_lock_service))
-(typeattributeset ota_data_file_26_0 (ota_data_file))
-(typeattributeset otadexopt_service_26_0 (otadexopt_service))
-(typeattributeset ota_package_file_26_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_26_0 (overlay_prop))
-(typeattributeset overlay_service_26_0 (overlay_service))
-(typeattributeset owntty_device_26_0 (owntty_device))
-(typeattributeset package_service_26_0 (package_service))
-(typeattributeset pan_result_prop_26_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
-(typeattributeset performanced_26_0 (performanced))
-(typeattributeset performanced_exec_26_0 (performanced_exec))
-(typeattributeset perfprofd_26_0 (perfprofd))
-(typeattributeset perfprofd_data_file_26_0 (perfprofd_data_file))
-(typeattributeset perfprofd_exec_26_0 (perfprofd_exec))
-(typeattributeset permission_service_26_0 (permission_service))
-(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_26_0 (pinner_service))
-(typeattributeset pipefs_26_0 (pipefs))
-(typeattributeset platform_app_26_0 (platform_app))
-(typeattributeset pmsg_device_26_0 (pmsg_device))
-(typeattributeset port_26_0 (port))
-(typeattributeset port_device_26_0 (port_device))
-(typeattributeset postinstall_26_0 (postinstall))
-(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_26_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_26_0 (powerctl_prop))
-(typeattributeset power_service_26_0 (power_service))
-(typeattributeset ppp_26_0 (ppp))
-(typeattributeset ppp_device_26_0 (ppp_device))
-(typeattributeset ppp_exec_26_0 (ppp_exec))
-(typeattributeset preloads_data_file_26_0 (preloads_data_file))
-(typeattributeset preloads_media_file_26_0 (preloads_media_file))
-(typeattributeset preopt2cachename_26_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
-(typeattributeset print_service_26_0 (print_service))
-(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_time_in_state
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
-(typeattributeset processinfo_service_26_0 (processinfo_service))
-(typeattributeset proc_interrupts_26_0 (proc_interrupts))
-(typeattributeset proc_iomem_26_0 (proc_iomem))
-(typeattributeset proc_meminfo_26_0 (proc_meminfo))
-(typeattributeset proc_misc_26_0 (proc_misc))
-(typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_26_0 (proc_perf))
-(typeattributeset proc_security_26_0 (proc_security))
-(typeattributeset proc_stat_26_0 (proc_stat))
-(typeattributeset procstats_service_26_0 (procstats_service))
-(typeattributeset proc_sysrq_26_0 (proc_sysrq))
-(typeattributeset proc_timer_26_0 (proc_timer))
-(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
-(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
-(typeattributeset profman_26_0 (profman))
-(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
-(typeattributeset profman_exec_26_0 (profman_exec))
-(typeattributeset properties_device_26_0 (properties_device))
-(typeattributeset properties_serial_26_0 (properties_serial))
-(typeattributeset property_contexts_file_26_0 (property_contexts_file))
-(typeattributeset property_data_file_26_0 (property_data_file))
-(typeattributeset property_socket_26_0 (property_socket))
-(typeattributeset pstorefs_26_0 (pstorefs))
-(typeattributeset ptmx_device_26_0 (ptmx_device))
-(typeattributeset qtaguid_device_26_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_26_0
- ( qtaguid_proc
- proc_qtaguid_ctrl))
-(typeattributeset racoon_26_0 (racoon))
-(typeattributeset racoon_exec_26_0 (racoon_exec))
-(typeattributeset racoon_socket_26_0 (racoon_socket))
-(typeattributeset radio_26_0 (radio))
-(typeattributeset radio_data_file_26_0 (radio_data_file))
-(typeattributeset radio_device_26_0 (radio_device))
-(typeattributeset radio_prop_26_0 (radio_prop))
-(typeattributeset radio_service_26_0 (radio_service))
-(typeattributeset ram_device_26_0 (ram_device))
-(typeattributeset random_device_26_0 (random_device))
-(typeattributeset reboot_data_file_26_0 (reboot_data_file))
-(typeattributeset recovery_26_0 (recovery))
-(typeattributeset recovery_block_device_26_0 (recovery_block_device))
-(typeattributeset recovery_data_file_26_0 (recovery_data_file))
-(typeattributeset recovery_persist_26_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_26_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_26_0 (recovery_service))
-(typeattributeset registry_service_26_0 (registry_service))
-(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_26_0 (restorecon_prop))
-(typeattributeset restrictions_service_26_0 (restrictions_service))
-(typeattributeset rild_26_0 (rild))
-(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
-(typeattributeset rild_socket_26_0 (rild_socket))
-(typeattributeset ringtone_file_26_0 (ringtone_file))
-(typeattributeset root_block_device_26_0 (root_block_device))
-(typeattributeset rootfs_26_0 (rootfs))
-(typeattributeset rpmsg_device_26_0 (rpmsg_device))
-(typeattributeset rtc_device_26_0 (rtc_device))
-(typeattributeset rttmanager_service_26_0 (rttmanager_service))
-(typeattributeset runas_26_0 (runas))
-(typeattributeset runas_exec_26_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
-(typeattributeset sdcardd_26_0 (sdcardd))
-(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
-(typeattributeset sdcardfs_26_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
-(typeattributeset search_service_26_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_26_0 (selinuxfs))
-(typeattributeset sensors_device_26_0 (sensors_device))
-(typeattributeset sensorservice_service_26_0 (sensorservice_service))
-(typeattributeset sepolicy_file_26_0 (sepolicy_file))
-(typeattributeset serial_device_26_0 (serial_device))
-(typeattributeset serialno_prop_26_0 (serialno_prop))
-(typeattributeset serial_service_26_0 (serial_service))
-(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
-(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
-(typeattributeset servicemanager_26_0 (servicemanager))
-(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
-(typeattributeset settings_service_26_0 (settings_service))
-(typeattributeset sgdisk_26_0 (sgdisk))
-(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
-(typeattributeset shared_relro_26_0 (shared_relro))
-(typeattributeset shared_relro_file_26_0 (shared_relro_file))
-(typeattributeset shell_26_0 (shell))
-(typeattributeset shell_data_file_26_0 (shell_data_file))
-(typeattributeset shell_exec_26_0 (shell_exec))
-(typeattributeset shell_prop_26_0 (shell_prop))
-(typeattributeset shm_26_0 (shm))
-(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_26_0 (shortcut_service))
-(typeattributeset slideshow_26_0 (slideshow))
-(typeattributeset socket_device_26_0 (socket_device))
-(typeattributeset sockfs_26_0 (sockfs))
-(typeattributeset statusbar_service_26_0 (statusbar_service))
-(typeattributeset storaged_service_26_0 (storaged_service))
-(typeattributeset storage_file_26_0 (storage_file))
-(typeattributeset storagestats_service_26_0 (storagestats_service))
-(typeattributeset storage_stub_file_26_0 (storage_stub_file))
-(typeattributeset su_26_0 (su))
-(typeattributeset su_exec_26_0 (su_exec))
-(typeattributeset surfaceflinger_26_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_26_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_26_0 (sysfs_uio))
-(typeattributeset sysfs_usb_26_0 (sysfs_usb))
-(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_26_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
-(typeattributeset system_app_26_0 (system_app))
-(typeattributeset system_app_data_file_26_0 (system_app_data_file))
-(typeattributeset system_app_service_26_0 (system_app_service))
-(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_26_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
-(typeattributeset system_prop_26_0 (system_prop))
-(typeattributeset system_radio_prop_26_0 (system_radio_prop))
-(typeattributeset system_server_26_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
-(typeattributeset task_service_26_0 (task_service))
-(typeattributeset tee_26_0 (tee))
-(typeattributeset tee_data_file_26_0 (tee_data_file))
-(typeattributeset tee_device_26_0 (tee_device))
-(typeattributeset telecom_service_26_0 (telecom_service))
-(typeattributeset textclassification_service_26_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
-(typeattributeset textservices_service_26_0 (textservices_service))
-(typeattributeset tmpfs_26_0 (tmpfs))
-(typeattributeset tombstoned_26_0 (tombstoned))
-(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
-(typeattributeset toolbox_26_0 (toolbox))
-(typeattributeset toolbox_exec_26_0 (toolbox_exec))
-(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
-(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
-(typeattributeset trust_service_26_0 (trust_service))
-(typeattributeset tty_device_26_0 (tty_device))
-(typeattributeset tun_device_26_0 (tun_device))
-(typeattributeset tv_input_service_26_0 (tv_input_service))
-(typeattributeset tzdatacheck_26_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
-(typeattributeset ueventd_26_0 (ueventd))
-(typeattributeset uhid_device_26_0 (uhid_device))
-(typeattributeset uimode_service_26_0 (uimode_service))
-(typeattributeset uio_device_26_0 (uio_device))
-(typeattributeset uncrypt_26_0 (uncrypt))
-(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
-(typeattributeset unlabeled_26_0 (unlabeled))
-(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
-(typeattributeset update_engine_26_0 (update_engine))
-(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_26_0 (update_engine_exec))
-(typeattributeset update_engine_service_26_0 (update_engine_service))
-(typeattributeset updatelock_service_26_0 (updatelock_service))
-(typeattributeset update_verifier_26_0 (update_verifier))
-(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
-(typeattributeset usagestats_service_26_0 (usagestats_service))
-(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
-(typeattributeset usb_device_26_0 (usb_device))
-(typeattributeset usbfs_26_0 (usbfs))
-(typeattributeset usb_service_26_0 (usb_service))
-(typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
-(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
-(typeattributeset user_service_26_0 (user_service))
-(typeattributeset vcs_device_26_0 (vcs_device))
-(typeattributeset vdc_26_0 (vdc))
-(typeattributeset vdc_exec_26_0 (vdc_exec))
-(typeattributeset vendor_app_file_26_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
-(typeattributeset vendor_file_26_0 (vendor_file))
-(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
-(typeattributeset vfat_26_0 (vfat))
-(typeattributeset vibrator_service_26_0 (vibrator_service))
-(typeattributeset video_device_26_0 (video_device))
-(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_26_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_26_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
-(typeattributeset vold_26_0 (vold))
-(typeattributeset vold_data_file_26_0 (vold_data_file))
-(typeattributeset vold_device_26_0 (vold_device))
-(typeattributeset vold_exec_26_0 (vold_exec))
-(typeattributeset vold_prop_26_0 (vold_prop))
-(typeattributeset vold_socket_26_0 (vold_socket))
-(typeattributeset vpn_data_file_26_0 (vpn_data_file))
-(typeattributeset vr_hwc_26_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_26_0 (vr_manager_service))
-(typeattributeset wallpaper_file_26_0 (wallpaper_file))
-(typeattributeset wallpaper_service_26_0 (wallpaper_service))
-(typeattributeset watchdogd_26_0 (watchdogd))
-(typeattributeset watchdog_device_26_0 (watchdog_device))
-(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
-(typeattributeset webview_zygote_26_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_26_0 (wifiaware_service))
-(typeattributeset wificond_26_0 (wificond))
-(typeattributeset wificond_exec_26_0 (wificond_exec))
-(typeattributeset wificond_service_26_0 (wificond_service))
-(typeattributeset wifi_data_file_26_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_26_0 (wifip2p_service))
-(typeattributeset wifi_prop_26_0 (wifi_prop))
-(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
-(typeattributeset wifi_service_26_0 (wifi_service))
-(typeattributeset window_service_26_0 (window_service))
-(typeattributeset wpa_socket_26_0 (wpa_socket))
-(typeattributeset zero_device_26_0 (zero_device))
-(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
-(typeattributeset zygote_26_0 (zygote))
-(typeattributeset zygote_exec_26_0 (zygote_exec))
-(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
deleted file mode 100644
index 45e1dd9..0000000
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
+++ /dev/null
@@ -1,223 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- activity_task_service
- adb_service
- adbd_exec
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- atrace
- binder_calls_stats_service
- biometric_service
- bootloader_boot_reason_prop
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- broadcastradio_service
- cgroup_bpf
- charger_exec
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- e2fs
- e2fs_exec
- exfat
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_radio_prop
- exported3_system_prop
- fastbootd
- fingerprint_vendor_data_file
- flags_health_check
- flags_health_check_exec
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_broadcastradio_hwservice
- hal_cas_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_lowpan_hwservice
- hal_neuralnetworks_hwservice
- hal_secure_element_hwservice
- hal_tetheroffload_hwservice
- hal_wifi_hostapd_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_offload_hwservice
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- kmsg_debug_device
- last_boot_reason_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- mediaextractor_update_service
- mediaprovider_tmpfs
- metadata_file
- mnt_product_file
- mnt_vendor_file
- netd_stable_secret_prop
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- overlayfs_file
- package_native_service
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- perfprofd_service
- property_info
- recovery_socket
- role_service
- runas_app
- runtime_service
- secure_element
- secure_element_device
- secure_element_tmpfs
- secure_element_service
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- staging_data_file
- stats
- stats_data_file
- stats_exec
- stats_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- statscompanion_service
- storaged_data_file
- super_block_device
- sysfs_fs_ext4_features
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_net_netd_hwservice
- system_update_service
- test_boot_reason_prop
- thermal_service
- thermalcallback_hwservice
- thermalserviced
- thermalserviced_exec
- thermalserviced_tmpfs
- time_prop
- timedetector_service
- timezone_service
- tombstoned_java_trace_socket
- tombstone_wifi_data_file
- trace_data_file
- traceur_app
- traceur_app_tmpfs
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- vendor_default_prop
- vendor_security_patch_level_prop
- uri_grants_service
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_init
- vendor_shell
- vold_metadata_file
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vrflinger_vsync_service
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs
- wm_trace_data_file))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- adbd_tmpfs
- untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
deleted file mode 100644
index 8c8f82f..0000000
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.cil
+++ /dev/null
@@ -1,1507 +0,0 @@
-;; types removed from current policy
-(type commontime_management_service)
-(type mediacodec)
-(type mediacodec_exec)
-(type netd_socket)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type rild)
-(type untrusted_v2_app)
-(type webview_zygote_socket)
-(type vold_socket)
-
-(expandtypeattribute (accessibility_service_27_0) true)
-(expandtypeattribute (account_service_27_0) true)
-(expandtypeattribute (activity_service_27_0) true)
-(expandtypeattribute (adbd_27_0) true)
-(expandtypeattribute (adb_data_file_27_0) true)
-(expandtypeattribute (adbd_exec_27_0) true)
-(expandtypeattribute (adbd_socket_27_0) true)
-(expandtypeattribute (adb_keys_file_27_0) true)
-(expandtypeattribute (alarm_device_27_0) true)
-(expandtypeattribute (alarm_service_27_0) true)
-(expandtypeattribute (anr_data_file_27_0) true)
-(expandtypeattribute (apk_data_file_27_0) true)
-(expandtypeattribute (apk_private_data_file_27_0) true)
-(expandtypeattribute (apk_private_tmp_file_27_0) true)
-(expandtypeattribute (apk_tmp_file_27_0) true)
-(expandtypeattribute (app_data_file_27_0) true)
-(expandtypeattribute (app_fuse_file_27_0) true)
-(expandtypeattribute (app_fusefs_27_0) true)
-(expandtypeattribute (appops_service_27_0) true)
-(expandtypeattribute (appwidget_service_27_0) true)
-(expandtypeattribute (asec_apk_file_27_0) true)
-(expandtypeattribute (asec_image_file_27_0) true)
-(expandtypeattribute (asec_public_file_27_0) true)
-(expandtypeattribute (ashmem_device_27_0) true)
-(expandtypeattribute (assetatlas_service_27_0) true)
-(expandtypeattribute (audio_data_file_27_0) true)
-(expandtypeattribute (audio_device_27_0) true)
-(expandtypeattribute (audiohal_data_file_27_0) true)
-(expandtypeattribute (audio_prop_27_0) true)
-(expandtypeattribute (audio_seq_device_27_0) true)
-(expandtypeattribute (audioserver_27_0) true)
-(expandtypeattribute (audioserver_data_file_27_0) true)
-(expandtypeattribute (audioserver_service_27_0) true)
-(expandtypeattribute (audio_service_27_0) true)
-(expandtypeattribute (audio_timer_device_27_0) true)
-(expandtypeattribute (autofill_service_27_0) true)
-(expandtypeattribute (backup_data_file_27_0) true)
-(expandtypeattribute (backup_service_27_0) true)
-(expandtypeattribute (batteryproperties_service_27_0) true)
-(expandtypeattribute (battery_service_27_0) true)
-(expandtypeattribute (batterystats_service_27_0) true)
-(expandtypeattribute (binder_device_27_0) true)
-(expandtypeattribute (binfmt_miscfs_27_0) true)
-(expandtypeattribute (blkid_27_0) true)
-(expandtypeattribute (blkid_untrusted_27_0) true)
-(expandtypeattribute (block_device_27_0) true)
-(expandtypeattribute (bluetooth_27_0) true)
-(expandtypeattribute (bluetooth_data_file_27_0) true)
-(expandtypeattribute (bluetooth_efs_file_27_0) true)
-(expandtypeattribute (bluetooth_logs_data_file_27_0) true)
-(expandtypeattribute (bluetooth_manager_service_27_0) true)
-(expandtypeattribute (bluetooth_prop_27_0) true)
-(expandtypeattribute (bluetooth_service_27_0) true)
-(expandtypeattribute (bluetooth_socket_27_0) true)
-(expandtypeattribute (bootanim_27_0) true)
-(expandtypeattribute (bootanim_exec_27_0) true)
-(expandtypeattribute (boot_block_device_27_0) true)
-(expandtypeattribute (bootchart_data_file_27_0) true)
-(expandtypeattribute (bootstat_27_0) true)
-(expandtypeattribute (bootstat_data_file_27_0) true)
-(expandtypeattribute (bootstat_exec_27_0) true)
-(expandtypeattribute (boottime_prop_27_0) true)
-(expandtypeattribute (boottrace_data_file_27_0) true)
-(expandtypeattribute (broadcastradio_service_27_0) true)
-(expandtypeattribute (bufferhubd_27_0) true)
-(expandtypeattribute (bufferhubd_exec_27_0) true)
-(expandtypeattribute (cache_backup_file_27_0) true)
-(expandtypeattribute (cache_block_device_27_0) true)
-(expandtypeattribute (cache_file_27_0) true)
-(expandtypeattribute (cache_private_backup_file_27_0) true)
-(expandtypeattribute (cache_recovery_file_27_0) true)
-(expandtypeattribute (camera_data_file_27_0) true)
-(expandtypeattribute (camera_device_27_0) true)
-(expandtypeattribute (cameraproxy_service_27_0) true)
-(expandtypeattribute (cameraserver_27_0) true)
-(expandtypeattribute (cameraserver_exec_27_0) true)
-(expandtypeattribute (cameraserver_service_27_0) true)
-(expandtypeattribute (cgroup_27_0) true)
-(expandtypeattribute (charger_27_0) true)
-(expandtypeattribute (clatd_27_0) true)
-(expandtypeattribute (clatd_exec_27_0) true)
-(expandtypeattribute (clipboard_service_27_0) true)
-(expandtypeattribute (commontime_management_service_27_0) true)
-(expandtypeattribute (companion_device_service_27_0) true)
-(expandtypeattribute (configfs_27_0) true)
-(expandtypeattribute (config_prop_27_0) true)
-(expandtypeattribute (connectivity_service_27_0) true)
-(expandtypeattribute (connmetrics_service_27_0) true)
-(expandtypeattribute (console_device_27_0) true)
-(expandtypeattribute (consumer_ir_service_27_0) true)
-(expandtypeattribute (content_service_27_0) true)
-(expandtypeattribute (contexthub_service_27_0) true)
-(expandtypeattribute (coredump_file_27_0) true)
-(expandtypeattribute (country_detector_service_27_0) true)
-(expandtypeattribute (coverage_service_27_0) true)
-(expandtypeattribute (cppreopt_prop_27_0) true)
-(expandtypeattribute (cppreopts_27_0) true)
-(expandtypeattribute (cppreopts_exec_27_0) true)
-(expandtypeattribute (cpuctl_device_27_0) true)
-(expandtypeattribute (cpuinfo_service_27_0) true)
-(expandtypeattribute (crash_dump_27_0) true)
-(expandtypeattribute (crash_dump_exec_27_0) true)
-(expandtypeattribute (ctl_bootanim_prop_27_0) true)
-(expandtypeattribute (ctl_bugreport_prop_27_0) true)
-(expandtypeattribute (ctl_console_prop_27_0) true)
-(expandtypeattribute (ctl_default_prop_27_0) true)
-(expandtypeattribute (ctl_dumpstate_prop_27_0) true)
-(expandtypeattribute (ctl_fuse_prop_27_0) true)
-(expandtypeattribute (ctl_mdnsd_prop_27_0) true)
-(expandtypeattribute (ctl_rildaemon_prop_27_0) true)
-(expandtypeattribute (dalvikcache_data_file_27_0) true)
-(expandtypeattribute (dalvik_prop_27_0) true)
-(expandtypeattribute (dbinfo_service_27_0) true)
-(expandtypeattribute (debugfs_27_0) true)
-(expandtypeattribute (debugfs_mmc_27_0) true)
-(expandtypeattribute (debugfs_trace_marker_27_0) true)
-(expandtypeattribute (debugfs_tracing_27_0) true)
-(expandtypeattribute (debugfs_tracing_debug_27_0) true)
-(expandtypeattribute (debugfs_tracing_instances_27_0) true)
-(expandtypeattribute (debugfs_wifi_tracing_27_0) true)
-(expandtypeattribute (debuggerd_prop_27_0) true)
-(expandtypeattribute (debug_prop_27_0) true)
-(expandtypeattribute (default_android_hwservice_27_0) true)
-(expandtypeattribute (default_android_service_27_0) true)
-(expandtypeattribute (default_android_vndservice_27_0) true)
-(expandtypeattribute (default_prop_27_0) true)
-(expandtypeattribute (device_27_0) true)
-(expandtypeattribute (device_identifiers_service_27_0) true)
-(expandtypeattribute (deviceidle_service_27_0) true)
-(expandtypeattribute (device_logging_prop_27_0) true)
-(expandtypeattribute (device_policy_service_27_0) true)
-(expandtypeattribute (devicestoragemonitor_service_27_0) true)
-(expandtypeattribute (devpts_27_0) true)
-(expandtypeattribute (dex2oat_27_0) true)
-(expandtypeattribute (dex2oat_exec_27_0) true)
-(expandtypeattribute (dhcp_27_0) true)
-(expandtypeattribute (dhcp_data_file_27_0) true)
-(expandtypeattribute (dhcp_exec_27_0) true)
-(expandtypeattribute (dhcp_prop_27_0) true)
-(expandtypeattribute (diskstats_service_27_0) true)
-(expandtypeattribute (display_service_27_0) true)
-(expandtypeattribute (dm_device_27_0) true)
-(expandtypeattribute (dnsmasq_27_0) true)
-(expandtypeattribute (dnsmasq_exec_27_0) true)
-(expandtypeattribute (dnsproxyd_socket_27_0) true)
-(expandtypeattribute (DockObserver_service_27_0) true)
-(expandtypeattribute (dreams_service_27_0) true)
-(expandtypeattribute (drm_data_file_27_0) true)
-(expandtypeattribute (drmserver_27_0) true)
-(expandtypeattribute (drmserver_exec_27_0) true)
-(expandtypeattribute (drmserver_service_27_0) true)
-(expandtypeattribute (drmserver_socket_27_0) true)
-(expandtypeattribute (dropbox_service_27_0) true)
-(expandtypeattribute (dumpstate_27_0) true)
-(expandtypeattribute (dumpstate_exec_27_0) true)
-(expandtypeattribute (dumpstate_options_prop_27_0) true)
-(expandtypeattribute (dumpstate_prop_27_0) true)
-(expandtypeattribute (dumpstate_service_27_0) true)
-(expandtypeattribute (dumpstate_socket_27_0) true)
-(expandtypeattribute (e2fs_27_0) true)
-(expandtypeattribute (e2fs_exec_27_0) true)
-(expandtypeattribute (efs_file_27_0) true)
-(expandtypeattribute (ephemeral_app_27_0) true)
-(expandtypeattribute (ethernet_service_27_0) true)
-(expandtypeattribute (ffs_prop_27_0) true)
-(expandtypeattribute (file_contexts_file_27_0) true)
-(expandtypeattribute (fingerprintd_27_0) true)
-(expandtypeattribute (fingerprintd_data_file_27_0) true)
-(expandtypeattribute (fingerprintd_exec_27_0) true)
-(expandtypeattribute (fingerprintd_service_27_0) true)
-(expandtypeattribute (fingerprint_prop_27_0) true)
-(expandtypeattribute (fingerprint_service_27_0) true)
-(expandtypeattribute (firstboot_prop_27_0) true)
-(expandtypeattribute (font_service_27_0) true)
-(expandtypeattribute (frp_block_device_27_0) true)
-(expandtypeattribute (fsck_27_0) true)
-(expandtypeattribute (fsck_exec_27_0) true)
-(expandtypeattribute (fscklogs_27_0) true)
-(expandtypeattribute (fsck_untrusted_27_0) true)
-(expandtypeattribute (full_device_27_0) true)
-(expandtypeattribute (functionfs_27_0) true)
-(expandtypeattribute (fuse_27_0) true)
-(expandtypeattribute (fuse_device_27_0) true)
-(expandtypeattribute (fwk_display_hwservice_27_0) true)
-(expandtypeattribute (fwk_scheduler_hwservice_27_0) true)
-(expandtypeattribute (fwk_sensor_hwservice_27_0) true)
-(expandtypeattribute (fwmarkd_socket_27_0) true)
-(expandtypeattribute (gatekeeperd_27_0) true)
-(expandtypeattribute (gatekeeper_data_file_27_0) true)
-(expandtypeattribute (gatekeeperd_exec_27_0) true)
-(expandtypeattribute (gatekeeper_service_27_0) true)
-(expandtypeattribute (gfxinfo_service_27_0) true)
-(expandtypeattribute (gps_control_27_0) true)
-(expandtypeattribute (gpu_device_27_0) true)
-(expandtypeattribute (gpu_service_27_0) true)
-(expandtypeattribute (graphics_device_27_0) true)
-(expandtypeattribute (graphicsstats_service_27_0) true)
-(expandtypeattribute (hal_audio_hwservice_27_0) true)
-(expandtypeattribute (hal_bluetooth_hwservice_27_0) true)
-(expandtypeattribute (hal_bootctl_hwservice_27_0) true)
-(expandtypeattribute (hal_broadcastradio_hwservice_27_0) true)
-(expandtypeattribute (hal_camera_hwservice_27_0) true)
-(expandtypeattribute (hal_cas_hwservice_27_0) true)
-(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_27_0) true)
-(expandtypeattribute (hal_contexthub_hwservice_27_0) true)
-(expandtypeattribute (hal_drm_hwservice_27_0) true)
-(expandtypeattribute (hal_dumpstate_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_service_27_0) true)
-(expandtypeattribute (hal_gatekeeper_hwservice_27_0) true)
-(expandtypeattribute (hal_gnss_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_allocator_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_composer_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_mapper_hwservice_27_0) true)
-(expandtypeattribute (hal_health_hwservice_27_0) true)
-(expandtypeattribute (hal_ir_hwservice_27_0) true)
-(expandtypeattribute (hal_keymaster_hwservice_27_0) true)
-(expandtypeattribute (hal_light_hwservice_27_0) true)
-(expandtypeattribute (hal_memtrack_hwservice_27_0) true)
-(expandtypeattribute (hal_neuralnetworks_hwservice_27_0) true)
-(expandtypeattribute (hal_nfc_hwservice_27_0) true)
-(expandtypeattribute (hal_oemlock_hwservice_27_0) true)
-(expandtypeattribute (hal_omx_hwservice_27_0) true)
-(expandtypeattribute (hal_power_hwservice_27_0) true)
-(expandtypeattribute (hal_renderscript_hwservice_27_0) true)
-(expandtypeattribute (hal_sensors_hwservice_27_0) true)
-(expandtypeattribute (hal_telephony_hwservice_27_0) true)
-(expandtypeattribute (hal_tetheroffload_hwservice_27_0) true)
-(expandtypeattribute (hal_thermal_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_cec_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_input_hwservice_27_0) true)
-(expandtypeattribute (hal_usb_hwservice_27_0) true)
-(expandtypeattribute (hal_vibrator_hwservice_27_0) true)
-(expandtypeattribute (hal_vr_hwservice_27_0) true)
-(expandtypeattribute (hal_weaver_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_offload_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_supplicant_hwservice_27_0) true)
-(expandtypeattribute (hardware_properties_service_27_0) true)
-(expandtypeattribute (hardware_service_27_0) true)
-(expandtypeattribute (hci_attach_dev_27_0) true)
-(expandtypeattribute (hdmi_control_service_27_0) true)
-(expandtypeattribute (healthd_27_0) true)
-(expandtypeattribute (healthd_exec_27_0) true)
-(expandtypeattribute (heapdump_data_file_27_0) true)
-(expandtypeattribute (hidl_allocator_hwservice_27_0) true)
-(expandtypeattribute (hidl_base_hwservice_27_0) true)
-(expandtypeattribute (hidl_manager_hwservice_27_0) true)
-(expandtypeattribute (hidl_memory_hwservice_27_0) true)
-(expandtypeattribute (hidl_token_hwservice_27_0) true)
-(expandtypeattribute (hwbinder_device_27_0) true)
-(expandtypeattribute (hw_random_device_27_0) true)
-(expandtypeattribute (hwservice_contexts_file_27_0) true)
-(expandtypeattribute (hwservicemanager_27_0) true)
-(expandtypeattribute (hwservicemanager_exec_27_0) true)
-(expandtypeattribute (hwservicemanager_prop_27_0) true)
-(expandtypeattribute (i2c_device_27_0) true)
-(expandtypeattribute (icon_file_27_0) true)
-(expandtypeattribute (idmap_27_0) true)
-(expandtypeattribute (idmap_exec_27_0) true)
-(expandtypeattribute (iio_device_27_0) true)
-(expandtypeattribute (imms_service_27_0) true)
-(expandtypeattribute (incident_27_0) true)
-(expandtypeattribute (incidentd_27_0) true)
-(expandtypeattribute (incident_data_file_27_0) true)
-(expandtypeattribute (incident_service_27_0) true)
-(expandtypeattribute (init_27_0) true)
-(expandtypeattribute (init_exec_27_0) true)
-(expandtypeattribute (inotify_27_0) true)
-(expandtypeattribute (input_device_27_0) true)
-(expandtypeattribute (inputflinger_27_0) true)
-(expandtypeattribute (inputflinger_exec_27_0) true)
-(expandtypeattribute (inputflinger_service_27_0) true)
-(expandtypeattribute (input_method_service_27_0) true)
-(expandtypeattribute (input_service_27_0) true)
-(expandtypeattribute (installd_27_0) true)
-(expandtypeattribute (install_data_file_27_0) true)
-(expandtypeattribute (installd_exec_27_0) true)
-(expandtypeattribute (installd_service_27_0) true)
-(expandtypeattribute (install_recovery_27_0) true)
-(expandtypeattribute (install_recovery_exec_27_0) true)
-(expandtypeattribute (ion_device_27_0) true)
-(expandtypeattribute (IProxyService_service_27_0) true)
-(expandtypeattribute (ipsec_service_27_0) true)
-(expandtypeattribute (isolated_app_27_0) true)
-(expandtypeattribute (jobscheduler_service_27_0) true)
-(expandtypeattribute (kernel_27_0) true)
-(expandtypeattribute (keychain_data_file_27_0) true)
-(expandtypeattribute (keychord_device_27_0) true)
-(expandtypeattribute (keystore_27_0) true)
-(expandtypeattribute (keystore_data_file_27_0) true)
-(expandtypeattribute (keystore_exec_27_0) true)
-(expandtypeattribute (keystore_service_27_0) true)
-(expandtypeattribute (kmem_device_27_0) true)
-(expandtypeattribute (kmsg_debug_device_27_0) true)
-(expandtypeattribute (kmsg_device_27_0) true)
-(expandtypeattribute (labeledfs_27_0) true)
-(expandtypeattribute (launcherapps_service_27_0) true)
-(expandtypeattribute (lmkd_27_0) true)
-(expandtypeattribute (lmkd_exec_27_0) true)
-(expandtypeattribute (lmkd_socket_27_0) true)
-(expandtypeattribute (location_service_27_0) true)
-(expandtypeattribute (lock_settings_service_27_0) true)
-(expandtypeattribute (logcat_exec_27_0) true)
-(expandtypeattribute (logd_27_0) true)
-(expandtypeattribute (logd_exec_27_0) true)
-(expandtypeattribute (logd_prop_27_0) true)
-(expandtypeattribute (logdr_socket_27_0) true)
-(expandtypeattribute (logd_socket_27_0) true)
-(expandtypeattribute (logdw_socket_27_0) true)
-(expandtypeattribute (logpersist_27_0) true)
-(expandtypeattribute (logpersistd_logging_prop_27_0) true)
-(expandtypeattribute (log_prop_27_0) true)
-(expandtypeattribute (log_tag_prop_27_0) true)
-(expandtypeattribute (loop_control_device_27_0) true)
-(expandtypeattribute (loop_device_27_0) true)
-(expandtypeattribute (mac_perms_file_27_0) true)
-(expandtypeattribute (mdnsd_27_0) true)
-(expandtypeattribute (mdnsd_socket_27_0) true)
-(expandtypeattribute (mdns_socket_27_0) true)
-(expandtypeattribute (mediacodec_27_0) true)
-(expandtypeattribute (mediacodec_exec_27_0) true)
-(expandtypeattribute (mediacodec_service_27_0) true)
-(expandtypeattribute (media_data_file_27_0) true)
-(expandtypeattribute (mediadrmserver_27_0) true)
-(expandtypeattribute (mediadrmserver_exec_27_0) true)
-(expandtypeattribute (mediadrmserver_service_27_0) true)
-(expandtypeattribute (mediaextractor_27_0) true)
-(expandtypeattribute (mediaextractor_exec_27_0) true)
-(expandtypeattribute (mediaextractor_service_27_0) true)
-(expandtypeattribute (mediametrics_27_0) true)
-(expandtypeattribute (mediametrics_exec_27_0) true)
-(expandtypeattribute (mediametrics_service_27_0) true)
-(expandtypeattribute (media_projection_service_27_0) true)
-(expandtypeattribute (mediaprovider_27_0) true)
-(expandtypeattribute (media_router_service_27_0) true)
-(expandtypeattribute (media_rw_data_file_27_0) true)
-(expandtypeattribute (mediaserver_27_0) true)
-(expandtypeattribute (mediaserver_exec_27_0) true)
-(expandtypeattribute (mediaserver_service_27_0) true)
-(expandtypeattribute (media_session_service_27_0) true)
-(expandtypeattribute (meminfo_service_27_0) true)
-(expandtypeattribute (metadata_block_device_27_0) true)
-(expandtypeattribute (method_trace_data_file_27_0) true)
-(expandtypeattribute (midi_service_27_0) true)
-(expandtypeattribute (misc_block_device_27_0) true)
-(expandtypeattribute (misc_logd_file_27_0) true)
-(expandtypeattribute (misc_user_data_file_27_0) true)
-(expandtypeattribute (mmc_prop_27_0) true)
-(expandtypeattribute (mnt_expand_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_stub_file_27_0) true)
-(expandtypeattribute (mnt_user_file_27_0) true)
-(expandtypeattribute (modprobe_27_0) true)
-(expandtypeattribute (mount_service_27_0) true)
-(expandtypeattribute (mqueue_27_0) true)
-(expandtypeattribute (mtd_device_27_0) true)
-(expandtypeattribute (mtp_27_0) true)
-(expandtypeattribute (mtp_device_27_0) true)
-(expandtypeattribute (mtpd_socket_27_0) true)
-(expandtypeattribute (mtp_exec_27_0) true)
-(expandtypeattribute (nativetest_data_file_27_0) true)
-(expandtypeattribute (netd_27_0) true)
-(expandtypeattribute (net_data_file_27_0) true)
-(expandtypeattribute (netd_exec_27_0) true)
-(expandtypeattribute (netd_listener_service_27_0) true)
-(expandtypeattribute (net_dns_prop_27_0) true)
-(expandtypeattribute (netd_service_27_0) true)
-(expandtypeattribute (netd_socket_27_0) true)
-(expandtypeattribute (netd_stable_secret_prop_27_0) true)
-(expandtypeattribute (netif_27_0) true)
-(expandtypeattribute (netpolicy_service_27_0) true)
-(expandtypeattribute (net_radio_prop_27_0) true)
-(expandtypeattribute (netstats_service_27_0) true)
-(expandtypeattribute (netutils_wrapper_27_0) true)
-(expandtypeattribute (netutils_wrapper_exec_27_0) true)
-(expandtypeattribute (network_management_service_27_0) true)
-(expandtypeattribute (network_score_service_27_0) true)
-(expandtypeattribute (network_time_update_service_27_0) true)
-(expandtypeattribute (nfc_27_0) true)
-(expandtypeattribute (nfc_data_file_27_0) true)
-(expandtypeattribute (nfc_device_27_0) true)
-(expandtypeattribute (nfc_prop_27_0) true)
-(expandtypeattribute (nfc_service_27_0) true)
-(expandtypeattribute (node_27_0) true)
-(expandtypeattribute (nonplat_service_contexts_file_27_0) true)
-(expandtypeattribute (notification_service_27_0) true)
-(expandtypeattribute (null_device_27_0) true)
-(expandtypeattribute (oemfs_27_0) true)
-(expandtypeattribute (oem_lock_service_27_0) true)
-(expandtypeattribute (ota_data_file_27_0) true)
-(expandtypeattribute (otadexopt_service_27_0) true)
-(expandtypeattribute (ota_package_file_27_0) true)
-(expandtypeattribute (otapreopt_chroot_27_0) true)
-(expandtypeattribute (otapreopt_chroot_exec_27_0) true)
-(expandtypeattribute (otapreopt_slot_27_0) true)
-(expandtypeattribute (otapreopt_slot_exec_27_0) true)
-(expandtypeattribute (overlay_prop_27_0) true)
-(expandtypeattribute (overlay_service_27_0) true)
-(expandtypeattribute (owntty_device_27_0) true)
-(expandtypeattribute (package_native_service_27_0) true)
-(expandtypeattribute (package_service_27_0) true)
-(expandtypeattribute (pan_result_prop_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_dir_27_0) true)
-(expandtypeattribute (pdx_display_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_dir_27_0) true)
-(expandtypeattribute (pdx_display_manager_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_manager_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_dir_27_0) true)
-(expandtypeattribute (performanced_27_0) true)
-(expandtypeattribute (performanced_exec_27_0) true)
-(expandtypeattribute (perfprofd_27_0) true)
-(expandtypeattribute (perfprofd_data_file_27_0) true)
-(expandtypeattribute (perfprofd_exec_27_0) true)
-(expandtypeattribute (permission_service_27_0) true)
-(expandtypeattribute (persist_debug_prop_27_0) true)
-(expandtypeattribute (persistent_data_block_service_27_0) true)
-(expandtypeattribute (persistent_properties_ready_prop_27_0) true)
-(expandtypeattribute (pinner_service_27_0) true)
-(expandtypeattribute (pipefs_27_0) true)
-(expandtypeattribute (platform_app_27_0) true)
-(expandtypeattribute (pmsg_device_27_0) true)
-(expandtypeattribute (port_27_0) true)
-(expandtypeattribute (port_device_27_0) true)
-(expandtypeattribute (postinstall_27_0) true)
-(expandtypeattribute (postinstall_dexopt_27_0) true)
-(expandtypeattribute (postinstall_file_27_0) true)
-(expandtypeattribute (postinstall_mnt_dir_27_0) true)
-(expandtypeattribute (powerctl_prop_27_0) true)
-(expandtypeattribute (power_service_27_0) true)
-(expandtypeattribute (ppp_27_0) true)
-(expandtypeattribute (ppp_device_27_0) true)
-(expandtypeattribute (ppp_exec_27_0) true)
-(expandtypeattribute (preloads_data_file_27_0) true)
-(expandtypeattribute (preloads_media_file_27_0) true)
-(expandtypeattribute (preopt2cachename_27_0) true)
-(expandtypeattribute (preopt2cachename_exec_27_0) true)
-(expandtypeattribute (print_service_27_0) true)
-(expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
-(expandtypeattribute (proc_bluetooth_writable_27_0) true)
-(expandtypeattribute (proc_cpuinfo_27_0) true)
-(expandtypeattribute (proc_drop_caches_27_0) true)
-(expandtypeattribute (processinfo_service_27_0) true)
-(expandtypeattribute (proc_interrupts_27_0) true)
-(expandtypeattribute (proc_iomem_27_0) true)
-(expandtypeattribute (proc_meminfo_27_0) true)
-(expandtypeattribute (proc_misc_27_0) true)
-(expandtypeattribute (proc_modules_27_0) true)
-(expandtypeattribute (proc_net_27_0) true)
-(expandtypeattribute (proc_overcommit_memory_27_0) true)
-(expandtypeattribute (proc_perf_27_0) true)
-(expandtypeattribute (proc_security_27_0) true)
-(expandtypeattribute (proc_stat_27_0) true)
-(expandtypeattribute (procstats_service_27_0) true)
-(expandtypeattribute (proc_sysrq_27_0) true)
-(expandtypeattribute (proc_timer_27_0) true)
-(expandtypeattribute (proc_tty_drivers_27_0) true)
-(expandtypeattribute (proc_uid_cputime_removeuid_27_0) true)
-(expandtypeattribute (proc_uid_cputime_showstat_27_0) true)
-(expandtypeattribute (proc_uid_io_stats_27_0) true)
-(expandtypeattribute (proc_uid_procstat_set_27_0) true)
-(expandtypeattribute (proc_uid_time_in_state_27_0) true)
-(expandtypeattribute (proc_zoneinfo_27_0) true)
-(expandtypeattribute (profman_27_0) true)
-(expandtypeattribute (profman_dump_data_file_27_0) true)
-(expandtypeattribute (profman_exec_27_0) true)
-(expandtypeattribute (properties_device_27_0) true)
-(expandtypeattribute (properties_serial_27_0) true)
-(expandtypeattribute (property_contexts_file_27_0) true)
-(expandtypeattribute (property_data_file_27_0) true)
-(expandtypeattribute (property_socket_27_0) true)
-(expandtypeattribute (pstorefs_27_0) true)
-(expandtypeattribute (ptmx_device_27_0) true)
-(expandtypeattribute (qtaguid_device_27_0) true)
-(expandtypeattribute (qtaguid_proc_27_0) true)
-(expandtypeattribute (racoon_27_0) true)
-(expandtypeattribute (racoon_exec_27_0) true)
-(expandtypeattribute (racoon_socket_27_0) true)
-(expandtypeattribute (radio_27_0) true)
-(expandtypeattribute (radio_data_file_27_0) true)
-(expandtypeattribute (radio_device_27_0) true)
-(expandtypeattribute (radio_prop_27_0) true)
-(expandtypeattribute (radio_service_27_0) true)
-(expandtypeattribute (ram_device_27_0) true)
-(expandtypeattribute (random_device_27_0) true)
-(expandtypeattribute (reboot_data_file_27_0) true)
-(expandtypeattribute (recovery_27_0) true)
-(expandtypeattribute (recovery_block_device_27_0) true)
-(expandtypeattribute (recovery_data_file_27_0) true)
-(expandtypeattribute (recovery_persist_27_0) true)
-(expandtypeattribute (recovery_persist_exec_27_0) true)
-(expandtypeattribute (recovery_refresh_27_0) true)
-(expandtypeattribute (recovery_refresh_exec_27_0) true)
-(expandtypeattribute (recovery_service_27_0) true)
-(expandtypeattribute (registry_service_27_0) true)
-(expandtypeattribute (resourcecache_data_file_27_0) true)
-(expandtypeattribute (restorecon_prop_27_0) true)
-(expandtypeattribute (restrictions_service_27_0) true)
-(expandtypeattribute (rild_27_0) true)
-(expandtypeattribute (rild_debug_socket_27_0) true)
-(expandtypeattribute (rild_socket_27_0) true)
-(expandtypeattribute (ringtone_file_27_0) true)
-(expandtypeattribute (root_block_device_27_0) true)
-(expandtypeattribute (rootfs_27_0) true)
-(expandtypeattribute (rpmsg_device_27_0) true)
-(expandtypeattribute (rtc_device_27_0) true)
-(expandtypeattribute (rttmanager_service_27_0) true)
-(expandtypeattribute (runas_27_0) true)
-(expandtypeattribute (runas_exec_27_0) true)
-(expandtypeattribute (runtime_event_log_tags_file_27_0) true)
-(expandtypeattribute (safemode_prop_27_0) true)
-(expandtypeattribute (same_process_hal_file_27_0) true)
-(expandtypeattribute (samplingprofiler_service_27_0) true)
-(expandtypeattribute (scheduling_policy_service_27_0) true)
-(expandtypeattribute (sdcardd_27_0) true)
-(expandtypeattribute (sdcardd_exec_27_0) true)
-(expandtypeattribute (sdcardfs_27_0) true)
-(expandtypeattribute (seapp_contexts_file_27_0) true)
-(expandtypeattribute (search_service_27_0) true)
-(expandtypeattribute (sec_key_att_app_id_provider_service_27_0) true)
-(expandtypeattribute (selinuxfs_27_0) true)
-(expandtypeattribute (sensors_device_27_0) true)
-(expandtypeattribute (sensorservice_service_27_0) true)
-(expandtypeattribute (sepolicy_file_27_0) true)
-(expandtypeattribute (serial_device_27_0) true)
-(expandtypeattribute (serialno_prop_27_0) true)
-(expandtypeattribute (serial_service_27_0) true)
-(expandtypeattribute (service_contexts_file_27_0) true)
-(expandtypeattribute (servicediscovery_service_27_0) true)
-(expandtypeattribute (servicemanager_27_0) true)
-(expandtypeattribute (servicemanager_exec_27_0) true)
-(expandtypeattribute (settings_service_27_0) true)
-(expandtypeattribute (sgdisk_27_0) true)
-(expandtypeattribute (sgdisk_exec_27_0) true)
-(expandtypeattribute (shared_relro_27_0) true)
-(expandtypeattribute (shared_relro_file_27_0) true)
-(expandtypeattribute (shell_27_0) true)
-(expandtypeattribute (shell_data_file_27_0) true)
-(expandtypeattribute (shell_exec_27_0) true)
-(expandtypeattribute (shell_prop_27_0) true)
-(expandtypeattribute (shm_27_0) true)
-(expandtypeattribute (shortcut_manager_icons_27_0) true)
-(expandtypeattribute (shortcut_service_27_0) true)
-(expandtypeattribute (slideshow_27_0) true)
-(expandtypeattribute (socket_device_27_0) true)
-(expandtypeattribute (sockfs_27_0) true)
-(expandtypeattribute (statusbar_service_27_0) true)
-(expandtypeattribute (storaged_service_27_0) true)
-(expandtypeattribute (storage_file_27_0) true)
-(expandtypeattribute (storagestats_service_27_0) true)
-(expandtypeattribute (storage_stub_file_27_0) true)
-(expandtypeattribute (su_27_0) true)
-(expandtypeattribute (su_exec_27_0) true)
-(expandtypeattribute (surfaceflinger_27_0) true)
-(expandtypeattribute (surfaceflinger_service_27_0) true)
-(expandtypeattribute (swap_block_device_27_0) true)
-(expandtypeattribute (sysfs_27_0) true)
-(expandtypeattribute (sysfs_batteryinfo_27_0) true)
-(expandtypeattribute (sysfs_bluetooth_writable_27_0) true)
-(expandtypeattribute (sysfs_devices_system_cpu_27_0) true)
-(expandtypeattribute (sysfs_fs_ext4_features_27_0) true)
-(expandtypeattribute (sysfs_hwrandom_27_0) true)
-(expandtypeattribute (sysfs_leds_27_0) true)
-(expandtypeattribute (sysfs_lowmemorykiller_27_0) true)
-(expandtypeattribute (sysfs_mac_address_27_0) true)
-(expandtypeattribute (sysfs_nfc_power_writable_27_0) true)
-(expandtypeattribute (sysfs_thermal_27_0) true)
-(expandtypeattribute (sysfs_uio_27_0) true)
-(expandtypeattribute (sysfs_usb_27_0) true)
-(expandtypeattribute (sysfs_usermodehelper_27_0) true)
-(expandtypeattribute (sysfs_vibrator_27_0) true)
-(expandtypeattribute (sysfs_wake_lock_27_0) true)
-(expandtypeattribute (sysfs_wlan_fwpath_27_0) true)
-(expandtypeattribute (sysfs_zram_27_0) true)
-(expandtypeattribute (sysfs_zram_uevent_27_0) true)
-(expandtypeattribute (system_app_27_0) true)
-(expandtypeattribute (system_app_data_file_27_0) true)
-(expandtypeattribute (system_app_service_27_0) true)
-(expandtypeattribute (system_block_device_27_0) true)
-(expandtypeattribute (system_data_file_27_0) true)
-(expandtypeattribute (system_file_27_0) true)
-(expandtypeattribute (systemkeys_data_file_27_0) true)
-(expandtypeattribute (system_ndebug_socket_27_0) true)
-(expandtypeattribute (system_net_netd_hwservice_27_0) true)
-(expandtypeattribute (system_prop_27_0) true)
-(expandtypeattribute (system_radio_prop_27_0) true)
-(expandtypeattribute (system_server_27_0) true)
-(expandtypeattribute (system_wifi_keystore_hwservice_27_0) true)
-(expandtypeattribute (system_wpa_socket_27_0) true)
-(expandtypeattribute (task_service_27_0) true)
-(expandtypeattribute (tee_27_0) true)
-(expandtypeattribute (tee_data_file_27_0) true)
-(expandtypeattribute (tee_device_27_0) true)
-(expandtypeattribute (telecom_service_27_0) true)
-(expandtypeattribute (textclassification_service_27_0) true)
-(expandtypeattribute (textclassifier_data_file_27_0) true)
-(expandtypeattribute (textservices_service_27_0) true)
-(expandtypeattribute (thermalcallback_hwservice_27_0) true)
-(expandtypeattribute (thermal_service_27_0) true)
-(expandtypeattribute (thermalserviced_27_0) true)
-(expandtypeattribute (thermalserviced_exec_27_0) true)
-(expandtypeattribute (timezone_service_27_0) true)
-(expandtypeattribute (tmpfs_27_0) true)
-(expandtypeattribute (tombstoned_27_0) true)
-(expandtypeattribute (tombstone_data_file_27_0) true)
-(expandtypeattribute (tombstoned_crash_socket_27_0) true)
-(expandtypeattribute (tombstoned_exec_27_0) true)
-(expandtypeattribute (tombstoned_intercept_socket_27_0) true)
-(expandtypeattribute (tombstoned_java_trace_socket_27_0) true)
-(expandtypeattribute (toolbox_27_0) true)
-(expandtypeattribute (toolbox_exec_27_0) true)
-(expandtypeattribute (trust_service_27_0) true)
-(expandtypeattribute (tty_device_27_0) true)
-(expandtypeattribute (tun_device_27_0) true)
-(expandtypeattribute (tv_input_service_27_0) true)
-(expandtypeattribute (tzdatacheck_27_0) true)
-(expandtypeattribute (tzdatacheck_exec_27_0) true)
-(expandtypeattribute (ueventd_27_0) true)
-(expandtypeattribute (uhid_device_27_0) true)
-(expandtypeattribute (uimode_service_27_0) true)
-(expandtypeattribute (uio_device_27_0) true)
-(expandtypeattribute (uncrypt_27_0) true)
-(expandtypeattribute (uncrypt_exec_27_0) true)
-(expandtypeattribute (uncrypt_socket_27_0) true)
-(expandtypeattribute (unencrypted_data_file_27_0) true)
-(expandtypeattribute (unlabeled_27_0) true)
-(expandtypeattribute (untrusted_app_25_27_0) true)
-(expandtypeattribute (untrusted_app_27_0) true)
-(expandtypeattribute (untrusted_v2_app_27_0) true)
-(expandtypeattribute (update_engine_27_0) true)
-(expandtypeattribute (update_engine_data_file_27_0) true)
-(expandtypeattribute (update_engine_exec_27_0) true)
-(expandtypeattribute (update_engine_service_27_0) true)
-(expandtypeattribute (updatelock_service_27_0) true)
-(expandtypeattribute (update_verifier_27_0) true)
-(expandtypeattribute (update_verifier_exec_27_0) true)
-(expandtypeattribute (usagestats_service_27_0) true)
-(expandtypeattribute (usbaccessory_device_27_0) true)
-(expandtypeattribute (usb_device_27_0) true)
-(expandtypeattribute (usbfs_27_0) true)
-(expandtypeattribute (usb_service_27_0) true)
-(expandtypeattribute (userdata_block_device_27_0) true)
-(expandtypeattribute (usermodehelper_27_0) true)
-(expandtypeattribute (user_profile_data_file_27_0) true)
-(expandtypeattribute (user_service_27_0) true)
-(expandtypeattribute (vcs_device_27_0) true)
-(expandtypeattribute (vdc_27_0) true)
-(expandtypeattribute (vdc_exec_27_0) true)
-(expandtypeattribute (vendor_app_file_27_0) true)
-(expandtypeattribute (vendor_configs_file_27_0) true)
-(expandtypeattribute (vendor_file_27_0) true)
-(expandtypeattribute (vendor_framework_file_27_0) true)
-(expandtypeattribute (vendor_hal_file_27_0) true)
-(expandtypeattribute (vendor_overlay_file_27_0) true)
-(expandtypeattribute (vendor_shell_exec_27_0) true)
-(expandtypeattribute (vendor_toolbox_exec_27_0) true)
-(expandtypeattribute (vfat_27_0) true)
-(expandtypeattribute (vibrator_service_27_0) true)
-(expandtypeattribute (video_device_27_0) true)
-(expandtypeattribute (virtual_touchpad_27_0) true)
-(expandtypeattribute (virtual_touchpad_exec_27_0) true)
-(expandtypeattribute (virtual_touchpad_service_27_0) true)
-(expandtypeattribute (vndbinder_device_27_0) true)
-(expandtypeattribute (vndk_sp_file_27_0) true)
-(expandtypeattribute (vndservice_contexts_file_27_0) true)
-(expandtypeattribute (vndservicemanager_27_0) true)
-(expandtypeattribute (voiceinteraction_service_27_0) true)
-(expandtypeattribute (vold_27_0) true)
-(expandtypeattribute (vold_data_file_27_0) true)
-(expandtypeattribute (vold_device_27_0) true)
-(expandtypeattribute (vold_exec_27_0) true)
-(expandtypeattribute (vold_prop_27_0) true)
-(expandtypeattribute (vold_socket_27_0) true)
-(expandtypeattribute (vpn_data_file_27_0) true)
-(expandtypeattribute (vr_hwc_27_0) true)
-(expandtypeattribute (vr_hwc_exec_27_0) true)
-(expandtypeattribute (vr_hwc_service_27_0) true)
-(expandtypeattribute (vr_manager_service_27_0) true)
-(expandtypeattribute (wallpaper_file_27_0) true)
-(expandtypeattribute (wallpaper_service_27_0) true)
-(expandtypeattribute (watchdogd_27_0) true)
-(expandtypeattribute (watchdog_device_27_0) true)
-(expandtypeattribute (webviewupdate_service_27_0) true)
-(expandtypeattribute (webview_zygote_27_0) true)
-(expandtypeattribute (webview_zygote_exec_27_0) true)
-(expandtypeattribute (webview_zygote_socket_27_0) true)
-(expandtypeattribute (wifiaware_service_27_0) true)
-(expandtypeattribute (wificond_27_0) true)
-(expandtypeattribute (wificond_exec_27_0) true)
-(expandtypeattribute (wificond_service_27_0) true)
-(expandtypeattribute (wifi_data_file_27_0) true)
-(expandtypeattribute (wifi_log_prop_27_0) true)
-(expandtypeattribute (wifip2p_service_27_0) true)
-(expandtypeattribute (wifi_prop_27_0) true)
-(expandtypeattribute (wifiscanner_service_27_0) true)
-(expandtypeattribute (wifi_service_27_0) true)
-(expandtypeattribute (window_service_27_0) true)
-(expandtypeattribute (wpa_socket_27_0) true)
-(expandtypeattribute (zero_device_27_0) true)
-(expandtypeattribute (zoneinfo_data_file_27_0) true)
-(expandtypeattribute (zygote_27_0) true)
-(expandtypeattribute (zygote_exec_27_0) true)
-(expandtypeattribute (zygote_socket_27_0) true)
-(typeattributeset accessibility_service_27_0 (accessibility_service))
-(typeattributeset account_service_27_0 (account_service))
-(typeattributeset activity_service_27_0 (activity_service))
-(typeattributeset adbd_27_0 (adbd))
-(typeattributeset adb_data_file_27_0 (adb_data_file))
-(typeattributeset adbd_exec_27_0 (adbd_exec))
-(typeattributeset adbd_socket_27_0 (adbd_socket))
-(typeattributeset adb_keys_file_27_0 (adb_keys_file))
-(typeattributeset alarm_device_27_0 (alarm_device))
-(typeattributeset alarm_service_27_0 (alarm_service))
-(typeattributeset anr_data_file_27_0 (anr_data_file))
-(typeattributeset apk_data_file_27_0 (apk_data_file))
-(typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
-(typeattributeset app_data_file_27_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_27_0 (app_fuse_file))
-(typeattributeset app_fusefs_27_0 (app_fusefs))
-(typeattributeset appops_service_27_0 (appops_service))
-(typeattributeset appwidget_service_27_0 (appwidget_service))
-(typeattributeset asec_apk_file_27_0 (asec_apk_file))
-(typeattributeset asec_image_file_27_0 (asec_image_file))
-(typeattributeset asec_public_file_27_0 (asec_public_file))
-(typeattributeset ashmem_device_27_0 (ashmem_device))
-(typeattributeset assetatlas_service_27_0 (assetatlas_service))
-(typeattributeset audio_data_file_27_0 (audio_data_file))
-(typeattributeset audio_device_27_0 (audio_device))
-(typeattributeset audiohal_data_file_27_0 (audiohal_data_file))
-(typeattributeset audio_prop_27_0 (audio_prop))
-(typeattributeset audio_seq_device_27_0 (audio_seq_device))
-(typeattributeset audioserver_27_0 (audioserver))
-(typeattributeset audioserver_data_file_27_0 (audioserver_data_file))
-(typeattributeset audioserver_service_27_0 (audioserver_service))
-(typeattributeset audio_service_27_0 (audio_service))
-(typeattributeset audio_timer_device_27_0 (audio_timer_device))
-(typeattributeset autofill_service_27_0 (autofill_service))
-(typeattributeset backup_data_file_27_0 (backup_data_file))
-(typeattributeset backup_service_27_0 (backup_service))
-(typeattributeset batteryproperties_service_27_0 (batteryproperties_service))
-(typeattributeset battery_service_27_0 (battery_service))
-(typeattributeset batterystats_service_27_0 (batterystats_service))
-(typeattributeset binder_device_27_0 (binder_device))
-(typeattributeset binfmt_miscfs_27_0 (binfmt_miscfs))
-(typeattributeset blkid_27_0 (blkid))
-(typeattributeset blkid_untrusted_27_0 (blkid_untrusted))
-(typeattributeset block_device_27_0 (block_device))
-(typeattributeset bluetooth_27_0 (bluetooth))
-(typeattributeset bluetooth_data_file_27_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_27_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_27_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_27_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_27_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_27_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_27_0 (bluetooth_socket))
-(typeattributeset bootanim_27_0 (bootanim))
-(typeattributeset bootanim_exec_27_0 (bootanim_exec))
-(typeattributeset boot_block_device_27_0 (boot_block_device))
-(typeattributeset bootchart_data_file_27_0 (bootchart_data_file))
-(typeattributeset bootstat_27_0 (bootstat))
-(typeattributeset bootstat_data_file_27_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_27_0 (bootstat_exec))
-(typeattributeset boottime_prop_27_0 (boottime_prop))
-(typeattributeset boottrace_data_file_27_0 (boottrace_data_file))
-(typeattributeset broadcastradio_service_27_0 (broadcastradio_service))
-(typeattributeset bufferhubd_27_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_27_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_27_0 (cache_backup_file))
-(typeattributeset cache_block_device_27_0 (cache_block_device))
-(typeattributeset cache_file_27_0 (cache_file))
-(typeattributeset cache_private_backup_file_27_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_27_0 (cache_recovery_file))
-(typeattributeset camera_data_file_27_0 (camera_data_file))
-(typeattributeset camera_device_27_0 (camera_device))
-(typeattributeset cameraproxy_service_27_0 (cameraproxy_service))
-(typeattributeset cameraserver_27_0 (cameraserver))
-(typeattributeset cameraserver_exec_27_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_27_0 (cameraserver_service))
-(typeattributeset cgroup_27_0 (cgroup))
-(typeattributeset charger_27_0 (charger))
-(typeattributeset clatd_27_0 (clatd))
-(typeattributeset clatd_exec_27_0 (clatd_exec))
-(typeattributeset clipboard_service_27_0 (clipboard_service))
-(typeattributeset commontime_management_service_27_0 (commontime_management_service))
-(typeattributeset companion_device_service_27_0 (companion_device_service))
-(typeattributeset configfs_27_0 (configfs))
-(typeattributeset config_prop_27_0 (config_prop))
-(typeattributeset connectivity_service_27_0 (connectivity_service))
-(typeattributeset connmetrics_service_27_0 (connmetrics_service))
-(typeattributeset console_device_27_0 (console_device))
-(typeattributeset consumer_ir_service_27_0 (consumer_ir_service))
-(typeattributeset content_service_27_0 (content_service))
-(typeattributeset contexthub_service_27_0 (contexthub_service))
-(typeattributeset coredump_file_27_0 (coredump_file))
-(typeattributeset country_detector_service_27_0 (country_detector_service))
-(typeattributeset coverage_service_27_0 (coverage_service))
-(typeattributeset cppreopt_prop_27_0 (cppreopt_prop))
-(typeattributeset cppreopts_27_0 (cppreopts))
-(typeattributeset cppreopts_exec_27_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_27_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_27_0 (cpuinfo_service))
-(typeattributeset crash_dump_27_0 (crash_dump))
-(typeattributeset crash_dump_exec_27_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_27_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_27_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_27_0 (dalvik_prop))
-(typeattributeset dbinfo_service_27_0 (dbinfo_service))
-(typeattributeset debugfs_27_0
- ( debugfs
- debugfs_wakeup_sources))
-(typeattributeset debugfs_mmc_27_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_27_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_27_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_27_0 (debugfs_tracing_debug))
-(typeattributeset debugfs_tracing_instances_27_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_27_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_27_0 (debuggerd_prop))
-(typeattributeset debug_prop_27_0 (debug_prop))
-(typeattributeset default_android_hwservice_27_0 (default_android_hwservice))
-(typeattributeset default_android_service_27_0 (default_android_service))
-(typeattributeset default_android_vndservice_27_0 (default_android_vndservice))
-(typeattributeset default_prop_27_0
- ( default_prop
- pm_prop))
-(typeattributeset device_27_0 (device))
-(typeattributeset device_identifiers_service_27_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_27_0 (deviceidle_service))
-(typeattributeset device_logging_prop_27_0 (device_logging_prop))
-(typeattributeset device_policy_service_27_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_27_0 (devicestoragemonitor_service))
-(typeattributeset devpts_27_0 (devpts))
-(typeattributeset dex2oat_27_0 (dex2oat))
-(typeattributeset dex2oat_exec_27_0 (dex2oat_exec))
-(typeattributeset dhcp_27_0 (dhcp))
-(typeattributeset dhcp_data_file_27_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_27_0 (dhcp_exec))
-(typeattributeset dhcp_prop_27_0 (dhcp_prop))
-(typeattributeset diskstats_service_27_0 (diskstats_service))
-(typeattributeset display_service_27_0 (display_service))
-(typeattributeset dm_device_27_0 (dm_device))
-(typeattributeset dnsmasq_27_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_27_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_27_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_27_0 (DockObserver_service))
-(typeattributeset dreams_service_27_0 (dreams_service))
-(typeattributeset drm_data_file_27_0 (drm_data_file))
-(typeattributeset drmserver_27_0 (drmserver))
-(typeattributeset drmserver_exec_27_0 (drmserver_exec))
-(typeattributeset drmserver_service_27_0 (drmserver_service))
-(typeattributeset drmserver_socket_27_0 (drmserver_socket))
-(typeattributeset dropbox_service_27_0 (dropbox_service))
-(typeattributeset dumpstate_27_0 (dumpstate))
-(typeattributeset dumpstate_exec_27_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_27_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_27_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_27_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_27_0 (dumpstate_socket))
-(typeattributeset e2fs_27_0 (e2fs))
-(typeattributeset e2fs_exec_27_0 (e2fs_exec))
-(typeattributeset efs_file_27_0 (efs_file))
-(typeattributeset ephemeral_app_27_0 (ephemeral_app))
-(typeattributeset ethernet_service_27_0 (ethernet_service))
-(typeattributeset ffs_prop_27_0 (ffs_prop))
-(typeattributeset file_contexts_file_27_0 (file_contexts_file))
-(typeattributeset fingerprintd_27_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_27_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_27_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_27_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_27_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_27_0 (fingerprint_service))
-(typeattributeset firstboot_prop_27_0 (firstboot_prop))
-(typeattributeset font_service_27_0 (font_service))
-(typeattributeset frp_block_device_27_0 (frp_block_device))
-(typeattributeset fsck_27_0 (fsck))
-(typeattributeset fsck_exec_27_0 (fsck_exec))
-(typeattributeset fscklogs_27_0 (fscklogs))
-(typeattributeset fsck_untrusted_27_0 (fsck_untrusted))
-(typeattributeset full_device_27_0 (full_device))
-(typeattributeset functionfs_27_0 (functionfs))
-(typeattributeset fuse_27_0 (fuse))
-(typeattributeset fuse_device_27_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_27_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_27_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_27_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_27_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_27_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_27_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_27_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_27_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_27_0 (gfxinfo_service))
-(typeattributeset gps_control_27_0 (gps_control))
-(typeattributeset gpu_device_27_0 (gpu_device))
-(typeattributeset gpu_service_27_0 (gpu_service))
-(typeattributeset graphics_device_27_0 (graphics_device))
-(typeattributeset graphicsstats_service_27_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_27_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_27_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_27_0 (hal_bootctl_hwservice))
-(typeattributeset hal_broadcastradio_hwservice_27_0 (hal_broadcastradio_hwservice))
-(typeattributeset hal_camera_hwservice_27_0 (hal_camera_hwservice))
-(typeattributeset hal_cas_hwservice_27_0 (hal_cas_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_27_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_27_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_27_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_27_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_27_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_27_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_27_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_27_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_27_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_27_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_27_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_27_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_27_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_27_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_27_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_27_0 (hal_memtrack_hwservice))
-(typeattributeset hal_neuralnetworks_hwservice_27_0 (hal_neuralnetworks_hwservice))
-(typeattributeset hal_nfc_hwservice_27_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_27_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_27_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_27_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_27_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_27_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_27_0 (hal_telephony_hwservice))
-(typeattributeset hal_tetheroffload_hwservice_27_0 (hal_tetheroffload_hwservice))
-(typeattributeset hal_thermal_hwservice_27_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_27_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_27_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_27_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_27_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_27_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_27_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_27_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_offload_hwservice_27_0 (hal_wifi_offload_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_27_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_27_0 (hardware_properties_service))
-(typeattributeset hardware_service_27_0 (hardware_service))
-(typeattributeset hci_attach_dev_27_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_27_0 (hdmi_control_service))
-(typeattributeset healthd_27_0 (healthd))
-(typeattributeset healthd_exec_27_0 (healthd_exec))
-(typeattributeset heapdump_data_file_27_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_27_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_27_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_27_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_27_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_27_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_27_0 (hwbinder_device))
-(typeattributeset hw_random_device_27_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_27_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_27_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_27_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_27_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_27_0 (i2c_device))
-(typeattributeset icon_file_27_0 (icon_file))
-(typeattributeset idmap_27_0 (idmap))
-(typeattributeset idmap_exec_27_0 (idmap_exec))
-(typeattributeset iio_device_27_0 (iio_device))
-(typeattributeset imms_service_27_0 (imms_service))
-(typeattributeset incident_27_0 (incident))
-(typeattributeset incidentd_27_0 (incidentd))
-(typeattributeset incident_data_file_27_0 (incident_data_file))
-(typeattributeset incident_service_27_0 (incident_service))
-(typeattributeset init_27_0 (init))
-(typeattributeset init_exec_27_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_27_0 (inotify))
-(typeattributeset input_device_27_0 (input_device))
-(typeattributeset inputflinger_27_0 (inputflinger))
-(typeattributeset inputflinger_exec_27_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_27_0 (inputflinger_service))
-(typeattributeset input_method_service_27_0 (input_method_service))
-(typeattributeset input_service_27_0 (input_service))
-(typeattributeset installd_27_0 (installd))
-(typeattributeset install_data_file_27_0 (install_data_file))
-(typeattributeset installd_exec_27_0 (installd_exec))
-(typeattributeset installd_service_27_0 (installd_service))
-(typeattributeset install_recovery_27_0 (install_recovery))
-(typeattributeset install_recovery_exec_27_0 (install_recovery_exec))
-(typeattributeset ion_device_27_0 (ion_device))
-(typeattributeset IProxyService_service_27_0 (IProxyService_service))
-(typeattributeset ipsec_service_27_0 (ipsec_service))
-(typeattributeset isolated_app_27_0 (isolated_app))
-(typeattributeset jobscheduler_service_27_0 (jobscheduler_service))
-(typeattributeset kernel_27_0 (kernel))
-(typeattributeset keychain_data_file_27_0 (keychain_data_file))
-(typeattributeset keychord_device_27_0 (keychord_device))
-(typeattributeset keystore_27_0 (keystore))
-(typeattributeset keystore_data_file_27_0 (keystore_data_file))
-(typeattributeset keystore_exec_27_0 (keystore_exec))
-(typeattributeset keystore_service_27_0 (keystore_service))
-(typeattributeset kmem_device_27_0 (kmem_device))
-(typeattributeset kmsg_debug_device_27_0 (kmsg_debug_device))
-(typeattributeset kmsg_device_27_0 (kmsg_device))
-(typeattributeset labeledfs_27_0 (labeledfs))
-(typeattributeset launcherapps_service_27_0 (launcherapps_service))
-(typeattributeset lmkd_27_0 (lmkd))
-(typeattributeset lmkd_exec_27_0 (lmkd_exec))
-(typeattributeset lmkd_socket_27_0 (lmkd_socket))
-(typeattributeset location_service_27_0 (location_service))
-(typeattributeset lock_settings_service_27_0 (lock_settings_service))
-(typeattributeset logcat_exec_27_0 (logcat_exec))
-(typeattributeset logd_27_0 (logd))
-(typeattributeset logd_exec_27_0 (logd_exec))
-(typeattributeset logd_prop_27_0 (logd_prop))
-(typeattributeset logdr_socket_27_0 (logdr_socket))
-(typeattributeset logd_socket_27_0 (logd_socket))
-(typeattributeset logdw_socket_27_0 (logdw_socket))
-(typeattributeset logpersist_27_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_27_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_27_0 (log_prop))
-(typeattributeset log_tag_prop_27_0 (log_tag_prop))
-(typeattributeset loop_control_device_27_0 (loop_control_device))
-(typeattributeset loop_device_27_0 (loop_device))
-(typeattributeset mac_perms_file_27_0 (mac_perms_file))
-(typeattributeset mdnsd_27_0 (mdnsd))
-(typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
-(typeattributeset mdns_socket_27_0 (mdns_socket))
-(typeattributeset hal_omx_server (mediacodec_27_0))
-(typeattributeset mediacodec_27_0 (mediacodec))
-(typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_27_0 (mediacodec_service))
-(typeattributeset media_data_file_27_0 (media_data_file))
-(typeattributeset mediadrmserver_27_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_27_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_27_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_27_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_27_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_27_0 (mediaextractor_service))
-(typeattributeset mediametrics_27_0 (mediametrics))
-(typeattributeset mediametrics_exec_27_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_27_0 (mediametrics_service))
-(typeattributeset media_projection_service_27_0 (media_projection_service))
-(typeattributeset mediaprovider_27_0 (mediaprovider))
-(typeattributeset media_router_service_27_0 (media_router_service))
-(typeattributeset media_rw_data_file_27_0 (media_rw_data_file))
-(typeattributeset mediaserver_27_0 (mediaserver))
-(typeattributeset mediaserver_exec_27_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_27_0 (mediaserver_service))
-(typeattributeset media_session_service_27_0 (media_session_service))
-(typeattributeset meminfo_service_27_0 (meminfo_service))
-(typeattributeset metadata_block_device_27_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_27_0 (method_trace_data_file))
-(typeattributeset midi_service_27_0 (midi_service))
-(typeattributeset misc_block_device_27_0 (misc_block_device))
-(typeattributeset misc_logd_file_27_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_27_0 (misc_user_data_file))
-(typeattributeset mmc_prop_27_0 (mmc_prop))
-(typeattributeset mnt_expand_file_27_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_27_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_27_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_27_0 (mnt_user_file))
-(typeattributeset modprobe_27_0 (modprobe))
-(typeattributeset mount_service_27_0 (mount_service))
-(typeattributeset mqueue_27_0 (mqueue))
-(typeattributeset mtd_device_27_0 (mtd_device))
-(typeattributeset mtp_27_0 (mtp))
-(typeattributeset mtp_device_27_0 (mtp_device))
-(typeattributeset mtpd_socket_27_0 (mtpd_socket))
-(typeattributeset mtp_exec_27_0 (mtp_exec))
-(typeattributeset nativetest_data_file_27_0 (nativetest_data_file))
-(typeattributeset netd_27_0 (netd))
-(typeattributeset net_data_file_27_0 (net_data_file))
-(typeattributeset netd_exec_27_0 (netd_exec))
-(typeattributeset netd_listener_service_27_0 (netd_listener_service))
-(typeattributeset net_dns_prop_27_0 (net_dns_prop))
-(typeattributeset netd_service_27_0 (netd_service))
-(typeattributeset netd_socket_27_0 (netd_socket))
-(typeattributeset netd_stable_secret_prop_27_0 (netd_stable_secret_prop))
-(typeattributeset netif_27_0 (netif))
-(typeattributeset netpolicy_service_27_0 (netpolicy_service))
-(typeattributeset net_radio_prop_27_0 (net_radio_prop))
-(typeattributeset netstats_service_27_0 (netstats_service))
-(typeattributeset netutils_wrapper_27_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_27_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_27_0 (network_management_service))
-(typeattributeset network_score_service_27_0 (network_score_service))
-(typeattributeset network_time_update_service_27_0 (network_time_update_service))
-(typeattributeset nfc_27_0 (nfc))
-(typeattributeset nfc_data_file_27_0 (nfc_data_file))
-(typeattributeset nfc_device_27_0 (nfc_device))
-(typeattributeset nfc_prop_27_0 (nfc_prop))
-(typeattributeset nfc_service_27_0 (nfc_service))
-(typeattributeset node_27_0 (node))
-(typeattributeset nonplat_service_contexts_file_27_0 (nonplat_service_contexts_file))
-(typeattributeset notification_service_27_0 (notification_service))
-(typeattributeset null_device_27_0 (null_device))
-(typeattributeset oemfs_27_0 (oemfs))
-(typeattributeset oem_lock_service_27_0 (oem_lock_service))
-(typeattributeset ota_data_file_27_0 (ota_data_file))
-(typeattributeset otadexopt_service_27_0 (otadexopt_service))
-(typeattributeset ota_package_file_27_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_27_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_27_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_27_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_27_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_27_0 (overlay_prop))
-(typeattributeset overlay_service_27_0 (overlay_service))
-(typeattributeset owntty_device_27_0 (owntty_device))
-(typeattributeset package_native_service_27_0 (package_native_service))
-(typeattributeset package_service_27_0 (package_service))
-(typeattributeset pan_result_prop_27_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_27_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_27_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_27_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_27_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_27_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_27_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_27_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_27_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_27_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_27_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_27_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_27_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_27_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_27_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir))
-(typeattributeset performanced_27_0 (performanced))
-(typeattributeset performanced_exec_27_0 (performanced_exec))
-(typeattributeset perfprofd_27_0 (perfprofd))
-(typeattributeset perfprofd_data_file_27_0 (perfprofd_data_file))
-(typeattributeset perfprofd_exec_27_0 (perfprofd_exec))
-(typeattributeset permission_service_27_0 (permission_service))
-(typeattributeset persist_debug_prop_27_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_27_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_27_0 (pinner_service))
-(typeattributeset pipefs_27_0 (pipefs))
-(typeattributeset platform_app_27_0 (platform_app))
-(typeattributeset pmsg_device_27_0 (pmsg_device))
-(typeattributeset port_27_0 (port))
-(typeattributeset port_device_27_0 (port_device))
-(typeattributeset postinstall_27_0 (postinstall))
-(typeattributeset postinstall_dexopt_27_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_27_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_27_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_27_0 (powerctl_prop))
-(typeattributeset power_service_27_0 (power_service))
-(typeattributeset ppp_27_0 (ppp))
-(typeattributeset ppp_device_27_0 (ppp_device))
-(typeattributeset ppp_exec_27_0 (ppp_exec))
-(typeattributeset preloads_data_file_27_0 (preloads_data_file))
-(typeattributeset preloads_media_file_27_0 (preloads_media_file))
-(typeattributeset preopt2cachename_27_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_27_0 (preopt2cachename_exec))
-(typeattributeset print_service_27_0 (print_service))
-(typeattributeset priv_app_27_0 (priv_app))
-(typeattributeset proc_27_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_27_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_27_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_27_0 (proc_drop_caches))
-(typeattributeset processinfo_service_27_0 (processinfo_service))
-(typeattributeset proc_interrupts_27_0 (proc_interrupts))
-(typeattributeset proc_iomem_27_0 (proc_iomem))
-(typeattributeset proc_meminfo_27_0 (proc_meminfo))
-(typeattributeset proc_misc_27_0 (proc_misc))
-(typeattributeset proc_modules_27_0 (proc_modules))
-(typeattributeset proc_net_27_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_27_0 (proc_perf))
-(typeattributeset proc_security_27_0 (proc_security))
-(typeattributeset proc_stat_27_0 (proc_stat))
-(typeattributeset procstats_service_27_0 (procstats_service))
-(typeattributeset proc_sysrq_27_0 (proc_sysrq))
-(typeattributeset proc_timer_27_0 (proc_timer))
-(typeattributeset proc_tty_drivers_27_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_27_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_27_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_27_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_27_0 (proc_uid_procstat_set))
-(typeattributeset proc_uid_time_in_state_27_0 (proc_uid_time_in_state))
-(typeattributeset proc_zoneinfo_27_0 (proc_zoneinfo))
-(typeattributeset profman_27_0 (profman))
-(typeattributeset profman_dump_data_file_27_0 (profman_dump_data_file))
-(typeattributeset profman_exec_27_0 (profman_exec))
-(typeattributeset properties_device_27_0 (properties_device))
-(typeattributeset properties_serial_27_0 (properties_serial))
-(typeattributeset property_contexts_file_27_0 (property_contexts_file))
-(typeattributeset property_data_file_27_0 (property_data_file))
-(typeattributeset property_socket_27_0 (property_socket))
-(typeattributeset pstorefs_27_0 (pstorefs))
-(typeattributeset ptmx_device_27_0 (ptmx_device))
-(typeattributeset qtaguid_device_27_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_27_0
- ( proc_qtaguid_ctrl
- qtaguid_proc))
-(typeattributeset racoon_27_0 (racoon))
-(typeattributeset racoon_exec_27_0 (racoon_exec))
-(typeattributeset racoon_socket_27_0 (racoon_socket))
-(typeattributeset radio_27_0 (radio))
-(typeattributeset radio_data_file_27_0 (radio_data_file))
-(typeattributeset radio_device_27_0 (radio_device))
-(typeattributeset radio_prop_27_0 (radio_prop))
-(typeattributeset radio_service_27_0 (radio_service))
-(typeattributeset ram_device_27_0 (ram_device))
-(typeattributeset random_device_27_0 (random_device))
-(typeattributeset reboot_data_file_27_0 (reboot_data_file))
-(typeattributeset recovery_27_0 (recovery))
-(typeattributeset recovery_block_device_27_0 (recovery_block_device))
-(typeattributeset recovery_data_file_27_0 (recovery_data_file))
-(typeattributeset recovery_persist_27_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_27_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_27_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_27_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_27_0 (recovery_service))
-(typeattributeset registry_service_27_0 (registry_service))
-(typeattributeset resourcecache_data_file_27_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_27_0 (restorecon_prop))
-(typeattributeset restrictions_service_27_0 (restrictions_service))
-(typeattributeset rild_27_0 (rild))
-(typeattributeset rild_debug_socket_27_0 (rild_debug_socket))
-(typeattributeset rild_socket_27_0 (rild_socket))
-(typeattributeset ringtone_file_27_0 (ringtone_file))
-(typeattributeset root_block_device_27_0 (root_block_device))
-(typeattributeset rootfs_27_0 (rootfs))
-(typeattributeset rpmsg_device_27_0 (rpmsg_device))
-(typeattributeset rtc_device_27_0 (rtc_device))
-(typeattributeset rttmanager_service_27_0 (rttmanager_service))
-(typeattributeset runas_27_0 (runas))
-(typeattributeset runas_exec_27_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_27_0 (safemode_prop))
-(typeattributeset same_process_hal_file_27_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
-(typeattributeset sdcardd_27_0 (sdcardd))
-(typeattributeset sdcardd_exec_27_0 (sdcardd_exec))
-(typeattributeset sdcardfs_27_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_27_0 (seapp_contexts_file))
-(typeattributeset search_service_27_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_27_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_27_0 (selinuxfs))
-(typeattributeset sensors_device_27_0 (sensors_device))
-(typeattributeset sensorservice_service_27_0 (sensorservice_service))
-(typeattributeset sepolicy_file_27_0 (sepolicy_file))
-(typeattributeset serial_device_27_0 (serial_device))
-(typeattributeset serialno_prop_27_0 (serialno_prop))
-(typeattributeset serial_service_27_0 (serial_service))
-(typeattributeset service_contexts_file_27_0 (service_contexts_file))
-(typeattributeset servicediscovery_service_27_0 (servicediscovery_service))
-(typeattributeset servicemanager_27_0 (servicemanager))
-(typeattributeset servicemanager_exec_27_0 (servicemanager_exec))
-(typeattributeset settings_service_27_0 (settings_service))
-(typeattributeset sgdisk_27_0 (sgdisk))
-(typeattributeset sgdisk_exec_27_0 (sgdisk_exec))
-(typeattributeset shared_relro_27_0 (shared_relro))
-(typeattributeset shared_relro_file_27_0 (shared_relro_file))
-(typeattributeset shell_27_0 (shell))
-(typeattributeset shell_data_file_27_0 (shell_data_file))
-(typeattributeset shell_exec_27_0 (shell_exec))
-(typeattributeset shell_prop_27_0 (shell_prop))
-(typeattributeset shm_27_0 (shm))
-(typeattributeset shortcut_manager_icons_27_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_27_0 (shortcut_service))
-(typeattributeset slideshow_27_0 (slideshow))
-(typeattributeset socket_device_27_0 (socket_device))
-(typeattributeset sockfs_27_0 (sockfs))
-(typeattributeset statusbar_service_27_0 (statusbar_service))
-(typeattributeset storaged_service_27_0 (storaged_service))
-(typeattributeset storage_file_27_0 (storage_file))
-(typeattributeset storagestats_service_27_0 (storagestats_service))
-(typeattributeset storage_stub_file_27_0 (storage_stub_file))
-(typeattributeset su_27_0 (su))
-(typeattributeset su_exec_27_0 (su_exec))
-(typeattributeset surfaceflinger_27_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_27_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_27_0 (swap_block_device))
-(typeattributeset sysfs_27_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_27_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_27_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_27_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_fs_ext4_features_27_0 (sysfs_fs_ext4_features))
-(typeattributeset sysfs_hwrandom_27_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_27_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_27_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_27_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_27_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_27_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_27_0 (sysfs_uio))
-(typeattributeset sysfs_usb_27_0 (sysfs_usb))
-(typeattributeset sysfs_usermodehelper_27_0 (sysfs_usermodehelper))
-(typeattributeset sysfs_vibrator_27_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_27_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_27_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_27_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_27_0 (sysfs_zram_uevent))
-(typeattributeset system_app_27_0 (system_app))
-(typeattributeset system_app_data_file_27_0 (system_app_data_file))
-(typeattributeset system_app_service_27_0 (system_app_service))
-(typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_27_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
-(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
-(typeattributeset system_prop_27_0 (system_prop))
-(typeattributeset system_radio_prop_27_0 (system_radio_prop))
-(typeattributeset system_server_27_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_27_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_27_0 (system_wpa_socket))
-(typeattributeset task_service_27_0 (task_service))
-(typeattributeset tee_27_0 (tee))
-(typeattributeset tee_data_file_27_0 (tee_data_file))
-(typeattributeset tee_device_27_0 (tee_device))
-(typeattributeset telecom_service_27_0 (telecom_service))
-(typeattributeset textclassification_service_27_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_27_0 (textclassifier_data_file))
-(typeattributeset textservices_service_27_0 (textservices_service))
-(typeattributeset thermalcallback_hwservice_27_0 (thermalcallback_hwservice))
-(typeattributeset thermal_service_27_0 (thermal_service))
-(typeattributeset thermalserviced_27_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_27_0 (thermalserviced_exec))
-(typeattributeset timezone_service_27_0 (timezone_service))
-(typeattributeset tmpfs_27_0 (tmpfs))
-(typeattributeset tombstoned_27_0 (tombstoned))
-(typeattributeset tombstone_data_file_27_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_27_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_27_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_27_0 (tombstoned_intercept_socket))
-(typeattributeset tombstoned_java_trace_socket_27_0 (tombstoned_java_trace_socket))
-(typeattributeset toolbox_27_0 (toolbox))
-(typeattributeset toolbox_exec_27_0 (toolbox_exec))
-(typeattributeset trust_service_27_0 (trust_service))
-(typeattributeset tty_device_27_0 (tty_device))
-(typeattributeset tun_device_27_0 (tun_device))
-(typeattributeset tv_input_service_27_0 (tv_input_service))
-(typeattributeset tzdatacheck_27_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_27_0 (tzdatacheck_exec))
-(typeattributeset ueventd_27_0 (ueventd))
-(typeattributeset uhid_device_27_0 (uhid_device))
-(typeattributeset uimode_service_27_0 (uimode_service))
-(typeattributeset uio_device_27_0 (uio_device))
-(typeattributeset uncrypt_27_0 (uncrypt))
-(typeattributeset uncrypt_exec_27_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_27_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
-(typeattributeset unlabeled_27_0 (unlabeled))
-(typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
-(typeattributeset update_engine_27_0 (update_engine))
-(typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_27_0 (update_engine_exec))
-(typeattributeset update_engine_service_27_0 (update_engine_service))
-(typeattributeset updatelock_service_27_0 (updatelock_service))
-(typeattributeset update_verifier_27_0 (update_verifier))
-(typeattributeset update_verifier_exec_27_0 (update_verifier_exec))
-(typeattributeset usagestats_service_27_0 (usagestats_service))
-(typeattributeset usbaccessory_device_27_0 (usbaccessory_device))
-(typeattributeset usb_device_27_0 (usb_device))
-(typeattributeset usbfs_27_0 (usbfs))
-(typeattributeset usb_service_27_0 (usb_service))
-(typeattributeset userdata_block_device_27_0 (userdata_block_device))
-(typeattributeset usermodehelper_27_0 (usermodehelper))
-(typeattributeset user_profile_data_file_27_0 (user_profile_data_file))
-(typeattributeset user_service_27_0 (user_service))
-(typeattributeset vcs_device_27_0 (vcs_device))
-(typeattributeset vdc_27_0 (vdc))
-(typeattributeset vdc_exec_27_0 (vdc_exec))
-(typeattributeset vendor_app_file_27_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_27_0 (vendor_configs_file))
-(typeattributeset vendor_file_27_0 (vendor_file))
-(typeattributeset vendor_framework_file_27_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_27_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_27_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
-(typeattributeset vfat_27_0 (vfat))
-(typeattributeset vibrator_service_27_0 (vibrator_service))
-(typeattributeset video_device_27_0 (video_device))
-(typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_27_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_27_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_27_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_27_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_27_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_27_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_27_0 (voiceinteraction_service))
-(typeattributeset vold_27_0 (vold))
-(typeattributeset vold_data_file_27_0 (vold_data_file))
-(typeattributeset vold_device_27_0 (vold_device))
-(typeattributeset vold_exec_27_0 (vold_exec))
-(typeattributeset vold_prop_27_0 (vold_prop))
-(typeattributeset vold_socket_27_0 (vold_socket))
-(typeattributeset vpn_data_file_27_0 (vpn_data_file))
-(typeattributeset vr_hwc_27_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_27_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_27_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_27_0 (vr_manager_service))
-(typeattributeset wallpaper_file_27_0 (wallpaper_file))
-(typeattributeset wallpaper_service_27_0 (wallpaper_service))
-(typeattributeset watchdogd_27_0 (watchdogd))
-(typeattributeset watchdog_device_27_0 (watchdog_device))
-(typeattributeset webviewupdate_service_27_0 (webviewupdate_service))
-(typeattributeset webview_zygote_27_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_27_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_27_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_27_0 (wifiaware_service))
-(typeattributeset wificond_27_0 (wificond))
-(typeattributeset wificond_exec_27_0 (wificond_exec))
-(typeattributeset wificond_service_27_0 (wificond_service))
-(typeattributeset wifi_data_file_27_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_27_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_27_0 (wifip2p_service))
-(typeattributeset wifi_prop_27_0 (wifi_prop))
-(typeattributeset wifiscanner_service_27_0 (wifiscanner_service))
-(typeattributeset wifi_service_27_0 (wifi_service))
-(typeattributeset window_service_27_0 (window_service))
-(typeattributeset wpa_socket_27_0 (wpa_socket))
-(typeattributeset zero_device_27_0 (zero_device))
-(typeattributeset zoneinfo_data_file_27_0 (zoneinfo_data_file))
-(typeattributeset zygote_27_0 (zygote))
-(typeattributeset zygote_exec_27_0 (zygote_exec))
-(typeattributeset zygote_socket_27_0 (zygote_socket))
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
deleted file mode 100644
index 0e830f8..0000000
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
+++ /dev/null
@@ -1,200 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- activity_task_service
- adb_service
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- atrace
- binder_calls_stats_service
- biometric_service
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- bootloader_boot_reason_prop
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- cgroup_bpf
- charger_exec
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- exfat
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_radio_prop
- exported3_system_prop
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- fastbootd
- flags_health_check
- flags_health_check_exec
- fingerprint_vendor_data_file
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_lowpan_hwservice
- hal_secure_element_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_hostapd_hwservice
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- last_boot_reason_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- mediaextractor_update_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- metadata_file
- mnt_product_file
- mnt_vendor_file
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- overlayfs_file
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- perfprofd_service
- property_info
- recovery_socket
- role_service
- runas_app
- runtime_service
- secure_element
- secure_element_device
- secure_element_service
- secure_element_tmpfs
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- stats
- stats_data_file
- stats_exec
- stats_service
- statscompanion_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- storaged_data_file
- super_block_device
- staging_data_file
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_update_service
- test_boot_reason_prop
- time_prop
- timedetector_service
- tombstone_wifi_data_file
- trace_data_file
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- traceur_app
- traceur_app_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- uri_grants_service
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_default_prop
- vendor_init
- vendor_security_patch_level_prop
- vendor_shell
- vold_metadata_file
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vrflinger_vsync_service
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wm_trace_data_file
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/29.0/vendor_sepolicy.cil b/prebuilts/api/29.0/vendor_sepolicy.cil
deleted file mode 100644
index 4a3aac3..0000000
--- a/prebuilts/api/29.0/vendor_sepolicy.cil
+++ /dev/null
@@ -1 +0,0 @@
-;; empty stub
diff --git a/prebuilts/api/30.0/plat_pub_versioned.cil b/prebuilts/api/30.0/plat_pub_versioned.cil
deleted file mode 100644
index 3942219..0000000
--- a/prebuilts/api/30.0/plat_pub_versioned.cil
+++ /dev/null
@@ -1,3011 +0,0 @@
-(type DockObserver_service)
-(type IProxyService_service)
-(type accessibility_service)
-(type account_service)
-(type activity_service)
-(type activity_task_service)
-(type adb_data_file)
-(type adb_keys_file)
-(type adb_service)
-(type adbd)
-(type adbd_exec)
-(type adbd_prop)
-(type adbd_socket)
-(type aidl_lazy_test_server)
-(type aidl_lazy_test_server_exec)
-(type aidl_lazy_test_service)
-(type alarm_service)
-(type anr_data_file)
-(type apex_data_file)
-(type apex_metadata_file)
-(type apex_mnt_dir)
-(type apex_module_data_file)
-(type apex_permission_data_file)
-(type apex_rollback_data_file)
-(type apex_service)
-(type apex_wifi_data_file)
-(type apexd)
-(type apexd_exec)
-(type apexd_prop)
-(type apk_data_file)
-(type apk_private_data_file)
-(type apk_private_tmp_file)
-(type apk_tmp_file)
-(type apk_verity_prop)
-(type app_binding_service)
-(type app_data_file)
-(type app_fuse_file)
-(type app_fusefs)
-(type app_integrity_service)
-(type app_prediction_service)
-(type app_search_service)
-(type app_zygote)
-(type app_zygote_tmpfs)
-(type appdomain_tmpfs)
-(type appops_service)
-(type appwidget_service)
-(type art_apex_dir)
-(type asec_apk_file)
-(type asec_image_file)
-(type asec_public_file)
-(type ashmem_device)
-(type ashmem_libcutils_device)
-(type assetatlas_service)
-(type audio_data_file)
-(type audio_device)
-(type audio_prop)
-(type audio_service)
-(type audiohal_data_file)
-(type audioserver)
-(type audioserver_data_file)
-(type audioserver_service)
-(type audioserver_tmpfs)
-(type auth_service)
-(type autofill_service)
-(type backup_data_file)
-(type backup_service)
-(type battery_service)
-(type batteryproperties_service)
-(type batterystats_service)
-(type binder_cache_bluetooth_server_prop)
-(type binder_cache_system_server_prop)
-(type binder_cache_telephony_server_prop)
-(type binder_calls_stats_service)
-(type binder_device)
-(type binderfs)
-(type binderfs_logs)
-(type binderfs_logs_proc)
-(type binfmt_miscfs)
-(type biometric_service)
-(type blkid)
-(type blkid_untrusted)
-(type blob_store_service)
-(type block_device)
-(type bluetooth)
-(type bluetooth_a2dp_offload_prop)
-(type bluetooth_audio_hal_prop)
-(type bluetooth_data_file)
-(type bluetooth_efs_file)
-(type bluetooth_logs_data_file)
-(type bluetooth_manager_service)
-(type bluetooth_prop)
-(type bluetooth_service)
-(type bluetooth_socket)
-(type boot_block_device)
-(type bootanim)
-(type bootanim_exec)
-(type bootchart_data_file)
-(type bootloader_boot_reason_prop)
-(type bootstat)
-(type bootstat_data_file)
-(type bootstat_exec)
-(type boottime_prop)
-(type boottime_public_prop)
-(type boottrace_data_file)
-(type bpf_progs_loaded_prop)
-(type bq_config_prop)
-(type broadcastradio_service)
-(type bufferhubd)
-(type bufferhubd_exec)
-(type bugreport_service)
-(type cache_backup_file)
-(type cache_block_device)
-(type cache_file)
-(type cache_private_backup_file)
-(type cache_recovery_file)
-(type cacheinfo_service)
-(type camera_data_file)
-(type camera_device)
-(type cameraproxy_service)
-(type cameraserver)
-(type cameraserver_exec)
-(type cameraserver_service)
-(type cameraserver_tmpfs)
-(type cgroup)
-(type cgroup_bpf)
-(type cgroup_desc_file)
-(type cgroup_rc_file)
-(type charger)
-(type charger_exec)
-(type charger_prop)
-(type clipboard_service)
-(type cold_boot_done_prop)
-(type color_display_service)
-(type companion_device_service)
-(type config_prop)
-(type configfs)
-(type connectivity_service)
-(type connmetrics_service)
-(type console_device)
-(type consumer_ir_service)
-(type content_capture_service)
-(type content_service)
-(type content_suggestions_service)
-(type contexthub_service)
-(type coredump_file)
-(type country_detector_service)
-(type coverage_service)
-(type cppreopt_prop)
-(type cpu_variant_prop)
-(type cpuinfo_service)
-(type crash_dump)
-(type crash_dump_exec)
-(type credstore)
-(type credstore_data_file)
-(type credstore_exec)
-(type credstore_service)
-(type crossprofileapps_service)
-(type ctl_adbd_prop)
-(type ctl_apexd_prop)
-(type ctl_bootanim_prop)
-(type ctl_bugreport_prop)
-(type ctl_console_prop)
-(type ctl_default_prop)
-(type ctl_dumpstate_prop)
-(type ctl_fuse_prop)
-(type ctl_gsid_prop)
-(type ctl_interface_restart_prop)
-(type ctl_interface_start_prop)
-(type ctl_interface_stop_prop)
-(type ctl_mdnsd_prop)
-(type ctl_restart_prop)
-(type ctl_rildaemon_prop)
-(type ctl_sigstop_prop)
-(type ctl_start_prop)
-(type ctl_stop_prop)
-(type dalvik_prop)
-(type dalvikcache_data_file)
-(type dataloader_manager_service)
-(type dbinfo_service)
-(type debug_prop)
-(type debugfs)
-(type debugfs_kprobes)
-(type debugfs_mmc)
-(type debugfs_trace_marker)
-(type debugfs_tracing)
-(type debugfs_tracing_debug)
-(type debugfs_tracing_instances)
-(type debugfs_wakeup_sources)
-(type debugfs_wifi_tracing)
-(type debuggerd_prop)
-(type default_android_hwservice)
-(type default_android_service)
-(type default_android_vndservice)
-(type default_prop)
-(type dev_cpu_variant)
-(type device)
-(type device_config_activity_manager_native_boot_prop)
-(type device_config_boot_count_prop)
-(type device_config_configuration_prop)
-(type device_config_input_native_boot_prop)
-(type device_config_media_native_prop)
-(type device_config_netd_native_prop)
-(type device_config_reset_performed_prop)
-(type device_config_runtime_native_boot_prop)
-(type device_config_runtime_native_prop)
-(type device_config_service)
-(type device_config_storage_native_boot_prop)
-(type device_config_sys_traced_prop)
-(type device_config_window_manager_native_boot_prop)
-(type device_identifiers_service)
-(type device_logging_prop)
-(type device_policy_service)
-(type deviceidle_service)
-(type devicestoragemonitor_service)
-(type devpts)
-(type dhcp)
-(type dhcp_data_file)
-(type dhcp_exec)
-(type dhcp_prop)
-(type diskstats_service)
-(type display_service)
-(type dm_device)
-(type dnsmasq)
-(type dnsmasq_exec)
-(type dnsproxyd_socket)
-(type dnsresolver_service)
-(type dreams_service)
-(type drm_data_file)
-(type drmserver)
-(type drmserver_exec)
-(type drmserver_service)
-(type drmserver_socket)
-(type dropbox_data_file)
-(type dropbox_service)
-(type dumpstate)
-(type dumpstate_exec)
-(type dumpstate_options_prop)
-(type dumpstate_prop)
-(type dumpstate_service)
-(type dumpstate_socket)
-(type dynamic_system_prop)
-(type e2fs)
-(type e2fs_exec)
-(type efs_file)
-(type emergency_affordance_service)
-(type ephemeral_app)
-(type ethernet_service)
-(type exfat)
-(type exported2_config_prop)
-(type exported2_default_prop)
-(type exported2_radio_prop)
-(type exported2_system_prop)
-(type exported2_vold_prop)
-(type exported3_default_prop)
-(type exported3_radio_prop)
-(type exported3_system_prop)
-(type exported_audio_prop)
-(type exported_bluetooth_prop)
-(type exported_camera_prop)
-(type exported_config_prop)
-(type exported_dalvik_prop)
-(type exported_default_prop)
-(type exported_dumpstate_prop)
-(type exported_ffs_prop)
-(type exported_fingerprint_prop)
-(type exported_overlay_prop)
-(type exported_pm_prop)
-(type exported_radio_prop)
-(type exported_secure_prop)
-(type exported_system_prop)
-(type exported_system_radio_prop)
-(type exported_vold_prop)
-(type exported_wifi_prop)
-(type external_vibrator_service)
-(type face_service)
-(type face_vendor_data_file)
-(type fastbootd)
-(type fastbootd_protocol_prop)
-(type ffs_prop)
-(type file_contexts_file)
-(type file_integrity_service)
-(type fingerprint_prop)
-(type fingerprint_service)
-(type fingerprint_vendor_data_file)
-(type fingerprintd)
-(type fingerprintd_data_file)
-(type fingerprintd_exec)
-(type fingerprintd_service)
-(type firstboot_prop)
-(type flags_health_check)
-(type flags_health_check_exec)
-(type font_service)
-(type frp_block_device)
-(type fs_bpf)
-(type fsck)
-(type fsck_exec)
-(type fsck_untrusted)
-(type fscklogs)
-(type functionfs)
-(type fuse)
-(type fuse_device)
-(type fusectlfs)
-(type fwk_automotive_display_hwservice)
-(type fwk_bufferhub_hwservice)
-(type fwk_camera_hwservice)
-(type fwk_display_hwservice)
-(type fwk_scheduler_hwservice)
-(type fwk_sensor_hwservice)
-(type fwk_stats_hwservice)
-(type fwmarkd_socket)
-(type gatekeeper_data_file)
-(type gatekeeper_service)
-(type gatekeeperd)
-(type gatekeeperd_exec)
-(type gfxinfo_service)
-(type gmscore_app)
-(type gps_control)
-(type gpu_device)
-(type gpu_service)
-(type gpuservice)
-(type graphics_config_prop)
-(type graphics_device)
-(type graphicsstats_service)
-(type gsi_data_file)
-(type gsi_metadata_file)
-(type gsid_prop)
-(type hal_atrace_hwservice)
-(type hal_audio_hwservice)
-(type hal_audiocontrol_hwservice)
-(type hal_authsecret_hwservice)
-(type hal_bluetooth_hwservice)
-(type hal_bootctl_hwservice)
-(type hal_broadcastradio_hwservice)
-(type hal_camera_hwservice)
-(type hal_can_bus_hwservice)
-(type hal_can_controller_hwservice)
-(type hal_cas_hwservice)
-(type hal_codec2_hwservice)
-(type hal_configstore_ISurfaceFlingerConfigs)
-(type hal_confirmationui_hwservice)
-(type hal_contexthub_hwservice)
-(type hal_drm_hwservice)
-(type hal_dumpstate_hwservice)
-(type hal_evs_hwservice)
-(type hal_face_hwservice)
-(type hal_fingerprint_hwservice)
-(type hal_fingerprint_service)
-(type hal_gatekeeper_hwservice)
-(type hal_gnss_hwservice)
-(type hal_graphics_allocator_hwservice)
-(type hal_graphics_composer_hwservice)
-(type hal_graphics_composer_server_tmpfs)
-(type hal_graphics_mapper_hwservice)
-(type hal_health_hwservice)
-(type hal_health_storage_hwservice)
-(type hal_identity_service)
-(type hal_input_classifier_hwservice)
-(type hal_ir_hwservice)
-(type hal_keymaster_hwservice)
-(type hal_light_hwservice)
-(type hal_light_service)
-(type hal_lowpan_hwservice)
-(type hal_memtrack_hwservice)
-(type hal_neuralnetworks_hwservice)
-(type hal_nfc_hwservice)
-(type hal_oemlock_hwservice)
-(type hal_omx_hwservice)
-(type hal_power_hwservice)
-(type hal_power_service)
-(type hal_power_stats_hwservice)
-(type hal_rebootescrow_service)
-(type hal_renderscript_hwservice)
-(type hal_secure_element_hwservice)
-(type hal_sensors_hwservice)
-(type hal_telephony_hwservice)
-(type hal_tetheroffload_hwservice)
-(type hal_thermal_hwservice)
-(type hal_tv_cec_hwservice)
-(type hal_tv_input_hwservice)
-(type hal_tv_tuner_hwservice)
-(type hal_usb_gadget_hwservice)
-(type hal_usb_hwservice)
-(type hal_vehicle_hwservice)
-(type hal_vibrator_hwservice)
-(type hal_vibrator_service)
-(type hal_vr_hwservice)
-(type hal_weaver_hwservice)
-(type hal_wifi_hostapd_hwservice)
-(type hal_wifi_hwservice)
-(type hal_wifi_supplicant_hwservice)
-(type hardware_properties_service)
-(type hardware_service)
-(type hci_attach_dev)
-(type hdmi_control_service)
-(type healthd)
-(type healthd_exec)
-(type heapdump_data_file)
-(type heapprofd)
-(type heapprofd_enabled_prop)
-(type heapprofd_prop)
-(type heapprofd_socket)
-(type hidl_allocator_hwservice)
-(type hidl_base_hwservice)
-(type hidl_manager_hwservice)
-(type hidl_memory_hwservice)
-(type hidl_token_hwservice)
-(type hw_random_device)
-(type hwbinder_device)
-(type hwservice_contexts_file)
-(type hwservicemanager)
-(type hwservicemanager_exec)
-(type hwservicemanager_prop)
-(type icon_file)
-(type idmap)
-(type idmap_exec)
-(type idmap_service)
-(type iio_device)
-(type imms_service)
-(type incident)
-(type incident_data_file)
-(type incident_helper)
-(type incident_service)
-(type incidentd)
-(type incremental_control_file)
-(type incremental_prop)
-(type incremental_service)
-(type init)
-(type init_exec)
-(type init_perf_lsm_hooks_prop)
-(type init_svc_debug_prop)
-(type init_tmpfs)
-(type inotify)
-(type input_device)
-(type input_method_service)
-(type input_service)
-(type inputflinger)
-(type inputflinger_exec)
-(type inputflinger_service)
-(type install_data_file)
-(type installd)
-(type installd_exec)
-(type installd_service)
-(type ion_device)
-(type iorap_inode2filename)
-(type iorap_inode2filename_exec)
-(type iorap_inode2filename_tmpfs)
-(type iorap_prefetcherd)
-(type iorap_prefetcherd_exec)
-(type iorap_prefetcherd_tmpfs)
-(type iorapd)
-(type iorapd_data_file)
-(type iorapd_exec)
-(type iorapd_service)
-(type iorapd_tmpfs)
-(type ipsec_service)
-(type iris_service)
-(type iris_vendor_data_file)
-(type isolated_app)
-(type jobscheduler_service)
-(type kernel)
-(type keychain_data_file)
-(type keychord_device)
-(type keystore)
-(type keystore_data_file)
-(type keystore_exec)
-(type keystore_service)
-(type kmsg_debug_device)
-(type kmsg_device)
-(type labeledfs)
-(type last_boot_reason_prop)
-(type launcherapps_service)
-(type light_service)
-(type linkerconfig_file)
-(type llkd)
-(type llkd_exec)
-(type llkd_prop)
-(type lmkd)
-(type lmkd_exec)
-(type lmkd_prop)
-(type lmkd_socket)
-(type location_service)
-(type lock_settings_service)
-(type log_prop)
-(type log_tag_prop)
-(type logcat_exec)
-(type logd)
-(type logd_exec)
-(type logd_prop)
-(type logd_socket)
-(type logdr_socket)
-(type logdw_socket)
-(type logpersist)
-(type logpersistd_logging_prop)
-(type loop_control_device)
-(type loop_device)
-(type looper_stats_service)
-(type lowpan_device)
-(type lowpan_prop)
-(type lowpan_service)
-(type lpdump_service)
-(type lpdumpd_prop)
-(type mac_perms_file)
-(type mdns_socket)
-(type mdnsd)
-(type mdnsd_socket)
-(type media_data_file)
-(type media_projection_service)
-(type media_router_service)
-(type media_rw_data_file)
-(type media_session_service)
-(type media_variant_prop)
-(type mediadrmserver)
-(type mediadrmserver_exec)
-(type mediadrmserver_service)
-(type mediaextractor)
-(type mediaextractor_exec)
-(type mediaextractor_service)
-(type mediaextractor_tmpfs)
-(type mediametrics)
-(type mediametrics_exec)
-(type mediametrics_service)
-(type mediaprovider)
-(type mediaserver)
-(type mediaserver_exec)
-(type mediaserver_service)
-(type mediaserver_tmpfs)
-(type mediaswcodec)
-(type mediaswcodec_exec)
-(type mediatranscoding)
-(type mediatranscoding_exec)
-(type mediatranscoding_service)
-(type meminfo_service)
-(type metadata_block_device)
-(type metadata_bootstat_file)
-(type metadata_file)
-(type method_trace_data_file)
-(type midi_service)
-(type mirror_data_file)
-(type misc_block_device)
-(type misc_logd_file)
-(type misc_user_data_file)
-(type mmc_prop)
-(type mnt_expand_file)
-(type mnt_media_rw_file)
-(type mnt_media_rw_stub_file)
-(type mnt_pass_through_file)
-(type mnt_product_file)
-(type mnt_sdcard_file)
-(type mnt_user_file)
-(type mnt_vendor_file)
-(type mock_ota_prop)
-(type modprobe)
-(type module_sdkextensions_prop)
-(type mount_service)
-(type mqueue)
-(type mtp)
-(type mtp_device)
-(type mtp_exec)
-(type mtpd_socket)
-(type nativetest_data_file)
-(type net_data_file)
-(type net_dns_prop)
-(type net_radio_prop)
-(type netd)
-(type netd_exec)
-(type netd_listener_service)
-(type netd_service)
-(type netd_stable_secret_prop)
-(type netif)
-(type netpolicy_service)
-(type netstats_service)
-(type netutils_wrapper)
-(type netutils_wrapper_exec)
-(type network_management_service)
-(type network_score_service)
-(type network_stack)
-(type network_stack_service)
-(type network_time_update_service)
-(type network_watchlist_data_file)
-(type network_watchlist_service)
-(type nfc)
-(type nfc_data_file)
-(type nfc_device)
-(type nfc_prop)
-(type nfc_service)
-(type nnapi_ext_deny_product_prop)
-(type node)
-(type nonplat_service_contexts_file)
-(type notification_service)
-(type null_device)
-(type oem_lock_service)
-(type oemfs)
-(type ota_data_file)
-(type ota_metadata_file)
-(type ota_package_file)
-(type ota_prop)
-(type otadexopt_service)
-(type overlay_prop)
-(type overlay_service)
-(type overlayfs_file)
-(type owntty_device)
-(type package_native_service)
-(type package_service)
-(type packages_list_file)
-(type pan_result_prop)
-(type password_slot_metadata_file)
-(type pdx_bufferhub_client_channel_socket)
-(type pdx_bufferhub_client_endpoint_socket)
-(type pdx_bufferhub_dir)
-(type pdx_display_client_channel_socket)
-(type pdx_display_client_endpoint_socket)
-(type pdx_display_dir)
-(type pdx_display_manager_channel_socket)
-(type pdx_display_manager_endpoint_socket)
-(type pdx_display_screenshot_channel_socket)
-(type pdx_display_screenshot_endpoint_socket)
-(type pdx_display_vsync_channel_socket)
-(type pdx_display_vsync_endpoint_socket)
-(type pdx_performance_client_channel_socket)
-(type pdx_performance_client_endpoint_socket)
-(type pdx_performance_dir)
-(type perfetto)
-(type performanced)
-(type performanced_exec)
-(type permission_service)
-(type permissionmgr_service)
-(type persist_debug_prop)
-(type persistent_data_block_service)
-(type persistent_properties_ready_prop)
-(type pinner_service)
-(type pipefs)
-(type platform_app)
-(type platform_compat_service)
-(type pm_prop)
-(type pmsg_device)
-(type port)
-(type port_device)
-(type postinstall)
-(type postinstall_apex_mnt_dir)
-(type postinstall_file)
-(type postinstall_mnt_dir)
-(type power_service)
-(type powerctl_prop)
-(type ppp)
-(type ppp_device)
-(type ppp_exec)
-(type preloads_data_file)
-(type preloads_media_file)
-(type prereboot_data_file)
-(type print_service)
-(type priv_app)
-(type privapp_data_file)
-(type proc)
-(type proc_abi)
-(type proc_asound)
-(type proc_bluetooth_writable)
-(type proc_buddyinfo)
-(type proc_cmdline)
-(type proc_cpuinfo)
-(type proc_dirty)
-(type proc_diskstats)
-(type proc_drop_caches)
-(type proc_extra_free_kbytes)
-(type proc_filesystems)
-(type proc_fs_verity)
-(type proc_hostname)
-(type proc_hung_task)
-(type proc_interrupts)
-(type proc_iomem)
-(type proc_keys)
-(type proc_kmsg)
-(type proc_kpageflags)
-(type proc_loadavg)
-(type proc_lowmemorykiller)
-(type proc_max_map_count)
-(type proc_meminfo)
-(type proc_min_free_order_shift)
-(type proc_misc)
-(type proc_modules)
-(type proc_mounts)
-(type proc_net)
-(type proc_net_tcp_udp)
-(type proc_overcommit_memory)
-(type proc_page_cluster)
-(type proc_pagetypeinfo)
-(type proc_panic)
-(type proc_perf)
-(type proc_pid_max)
-(type proc_pipe_conf)
-(type proc_pressure_cpu)
-(type proc_pressure_io)
-(type proc_pressure_mem)
-(type proc_qtaguid_ctrl)
-(type proc_qtaguid_stat)
-(type proc_random)
-(type proc_sched)
-(type proc_security)
-(type proc_slabinfo)
-(type proc_stat)
-(type proc_swaps)
-(type proc_sysrq)
-(type proc_timer)
-(type proc_tty_drivers)
-(type proc_uid_concurrent_active_time)
-(type proc_uid_concurrent_policy_time)
-(type proc_uid_cpupower)
-(type proc_uid_cputime_removeuid)
-(type proc_uid_cputime_showstat)
-(type proc_uid_io_stats)
-(type proc_uid_procstat_set)
-(type proc_uid_time_in_state)
-(type proc_uptime)
-(type proc_version)
-(type proc_vmallocinfo)
-(type proc_vmstat)
-(type proc_zoneinfo)
-(type processinfo_service)
-(type procstats_service)
-(type profman)
-(type profman_dump_data_file)
-(type profman_exec)
-(type properties_device)
-(type properties_serial)
-(type property_contexts_file)
-(type property_data_file)
-(type property_info)
-(type property_socket)
-(type pstorefs)
-(type ptmx_device)
-(type qtaguid_device)
-(type racoon)
-(type racoon_exec)
-(type racoon_socket)
-(type radio)
-(type radio_data_file)
-(type radio_device)
-(type radio_prop)
-(type radio_service)
-(type ram_device)
-(type random_device)
-(type rebootescrow_hal_prop)
-(type recovery)
-(type recovery_block_device)
-(type recovery_data_file)
-(type recovery_persist)
-(type recovery_persist_exec)
-(type recovery_refresh)
-(type recovery_refresh_exec)
-(type recovery_service)
-(type recovery_socket)
-(type registry_service)
-(type resourcecache_data_file)
-(type restorecon_prop)
-(type restrictions_service)
-(type rild_debug_socket)
-(type rild_socket)
-(type ringtone_file)
-(type role_service)
-(type rollback_service)
-(type root_block_device)
-(type rootfs)
-(type rpmsg_device)
-(type rs)
-(type rs_exec)
-(type rss_hwm_reset)
-(type rtc_device)
-(type rttmanager_service)
-(type runas)
-(type runas_app)
-(type runas_exec)
-(type runtime_event_log_tags_file)
-(type runtime_service)
-(type safemode_prop)
-(type same_process_hal_file)
-(type samplingprofiler_service)
-(type scheduling_policy_service)
-(type sdcard_block_device)
-(type sdcardd)
-(type sdcardd_exec)
-(type sdcardfs)
-(type seapp_contexts_file)
-(type search_service)
-(type sec_key_att_app_id_provider_service)
-(type secure_element)
-(type secure_element_device)
-(type secure_element_service)
-(type securityfs)
-(type selinuxfs)
-(type sensor_privacy_service)
-(type sensors_device)
-(type sensorservice_service)
-(type sepolicy_file)
-(type serial_device)
-(type serial_service)
-(type serialno_prop)
-(type server_configurable_flags_data_file)
-(type service_contexts_file)
-(type service_manager_service)
-(type service_manager_vndservice)
-(type servicediscovery_service)
-(type servicemanager)
-(type servicemanager_exec)
-(type settings_service)
-(type sgdisk)
-(type sgdisk_exec)
-(type shared_relro)
-(type shared_relro_file)
-(type shell)
-(type shell_data_file)
-(type shell_exec)
-(type shell_prop)
-(type shm)
-(type shortcut_manager_icons)
-(type shortcut_service)
-(type simpleperf)
-(type simpleperf_app_runner)
-(type simpleperf_app_runner_exec)
-(type slice_service)
-(type slideshow)
-(type snapshotctl_log_data_file)
-(type socket_device)
-(type socket_hook_prop)
-(type sockfs)
-(type sota_prop)
-(type soundtrigger_middleware_service)
-(type staged_install_file)
-(type staging_data_file)
-(type stats_data_file)
-(type statsd)
-(type statsd_exec)
-(type statsdw_socket)
-(type statusbar_service)
-(type storage_config_prop)
-(type storage_file)
-(type storage_stub_file)
-(type storaged_service)
-(type storagestats_service)
-(type su)
-(type su_exec)
-(type super_block_device)
-(type surfaceflinger)
-(type surfaceflinger_display_prop)
-(type surfaceflinger_service)
-(type surfaceflinger_tmpfs)
-(type swap_block_device)
-(type sysfs)
-(type sysfs_android_usb)
-(type sysfs_batteryinfo)
-(type sysfs_bluetooth_writable)
-(type sysfs_devices_block)
-(type sysfs_devices_system_cpu)
-(type sysfs_dm)
-(type sysfs_dm_verity)
-(type sysfs_dt_firmware_android)
-(type sysfs_extcon)
-(type sysfs_fs_ext4_features)
-(type sysfs_fs_f2fs)
-(type sysfs_hwrandom)
-(type sysfs_ion)
-(type sysfs_ipv4)
-(type sysfs_kernel_notes)
-(type sysfs_leds)
-(type sysfs_loop)
-(type sysfs_lowmemorykiller)
-(type sysfs_net)
-(type sysfs_nfc_power_writable)
-(type sysfs_power)
-(type sysfs_rtc)
-(type sysfs_suspend_stats)
-(type sysfs_switch)
-(type sysfs_thermal)
-(type sysfs_transparent_hugepage)
-(type sysfs_uio)
-(type sysfs_usb)
-(type sysfs_usermodehelper)
-(type sysfs_vibrator)
-(type sysfs_wake_lock)
-(type sysfs_wakeup)
-(type sysfs_wakeup_reasons)
-(type sysfs_wlan_fwpath)
-(type sysfs_zram)
-(type sysfs_zram_uevent)
-(type system_adbd_prop)
-(type system_app)
-(type system_app_data_file)
-(type system_app_service)
-(type system_asan_options_file)
-(type system_block_device)
-(type system_boot_reason_prop)
-(type system_bootstrap_lib_file)
-(type system_config_service)
-(type system_data_file)
-(type system_data_root_file)
-(type system_event_log_tags_file)
-(type system_file)
-(type system_group_file)
-(type system_jvmti_agent_prop)
-(type system_lib_file)
-(type system_linker_config_file)
-(type system_linker_exec)
-(type system_lmk_prop)
-(type system_ndebug_socket)
-(type system_net_netd_hwservice)
-(type system_passwd_file)
-(type system_prop)
-(type system_radio_prop)
-(type system_seccomp_policy_file)
-(type system_security_cacerts_file)
-(type system_server)
-(type system_server_tmpfs)
-(type system_suspend_control_service)
-(type system_suspend_hwservice)
-(type system_trace_prop)
-(type system_unsolzygote_socket)
-(type system_update_service)
-(type system_wifi_keystore_hwservice)
-(type system_wpa_socket)
-(type system_zoneinfo_file)
-(type systemkeys_data_file)
-(type task_profiles_file)
-(type task_service)
-(type tcpdump_exec)
-(type tee)
-(type tee_data_file)
-(type tee_device)
-(type telecom_service)
-(type test_boot_reason_prop)
-(type test_harness_prop)
-(type testharness_service)
-(type tethering_service)
-(type textclassification_service)
-(type textclassifier_data_file)
-(type textservices_service)
-(type theme_prop)
-(type thermal_service)
-(type thermalcallback_hwservice)
-(type time_prop)
-(type timedetector_service)
-(type timezone_service)
-(type timezonedetector_service)
-(type tmpfs)
-(type tombstone_data_file)
-(type tombstone_wifi_data_file)
-(type tombstoned)
-(type tombstoned_crash_socket)
-(type tombstoned_exec)
-(type tombstoned_intercept_socket)
-(type tombstoned_java_trace_socket)
-(type toolbox)
-(type toolbox_exec)
-(type trace_data_file)
-(type traced)
-(type traced_consumer_socket)
-(type traced_enabled_prop)
-(type traced_lazy_prop)
-(type traced_perf)
-(type traced_perf_enabled_prop)
-(type traced_perf_socket)
-(type traced_probes)
-(type traced_producer_socket)
-(type traceur_app)
-(type trust_service)
-(type tty_device)
-(type tun_device)
-(type tv_input_service)
-(type tv_tuner_resource_mgr_service)
-(type tzdatacheck)
-(type tzdatacheck_exec)
-(type ueventd)
-(type ueventd_tmpfs)
-(type uhid_device)
-(type uimode_service)
-(type uio_device)
-(type uncrypt)
-(type uncrypt_exec)
-(type uncrypt_socket)
-(type unencrypted_data_file)
-(type unlabeled)
-(type untrusted_app)
-(type untrusted_app_25)
-(type untrusted_app_27)
-(type untrusted_app_29)
-(type update_engine)
-(type update_engine_data_file)
-(type update_engine_exec)
-(type update_engine_log_data_file)
-(type update_engine_service)
-(type update_verifier)
-(type update_verifier_exec)
-(type updatelock_service)
-(type uri_grants_service)
-(type usagestats_service)
-(type usb_device)
-(type usb_serial_device)
-(type usb_service)
-(type usbaccessory_device)
-(type usbd)
-(type usbd_exec)
-(type usbfs)
-(type use_memfd_prop)
-(type user_profile_data_file)
-(type user_service)
-(type userdata_block_device)
-(type usermodehelper)
-(type userspace_reboot_config_prop)
-(type userspace_reboot_exported_prop)
-(type userspace_reboot_log_prop)
-(type userspace_reboot_test_prop)
-(type vdc)
-(type vdc_exec)
-(type vehicle_hal_prop)
-(type vendor_apex_file)
-(type vendor_app_file)
-(type vendor_cgroup_desc_file)
-(type vendor_configs_file)
-(type vendor_data_file)
-(type vendor_default_prop)
-(type vendor_file)
-(type vendor_framework_file)
-(type vendor_hal_file)
-(type vendor_idc_file)
-(type vendor_init)
-(type vendor_keychars_file)
-(type vendor_keylayout_file)
-(type vendor_misc_writer)
-(type vendor_misc_writer_exec)
-(type vendor_overlay_file)
-(type vendor_public_lib_file)
-(type vendor_security_patch_level_prop)
-(type vendor_service_contexts_file)
-(type vendor_shell)
-(type vendor_shell_exec)
-(type vendor_socket_hook_prop)
-(type vendor_task_profiles_file)
-(type vendor_toolbox_exec)
-(type vfat)
-(type vibrator_service)
-(type video_device)
-(type virtual_ab_prop)
-(type virtual_touchpad)
-(type virtual_touchpad_exec)
-(type virtual_touchpad_service)
-(type vndbinder_device)
-(type vndk_prop)
-(type vndk_sp_file)
-(type vndservice_contexts_file)
-(type vndservicemanager)
-(type voiceinteraction_service)
-(type vold)
-(type vold_data_file)
-(type vold_device)
-(type vold_exec)
-(type vold_metadata_file)
-(type vold_prepare_subdirs)
-(type vold_prepare_subdirs_exec)
-(type vold_prop)
-(type vold_service)
-(type vpn_data_file)
-(type vr_hwc)
-(type vr_hwc_exec)
-(type vr_hwc_service)
-(type vr_manager_service)
-(type vrflinger_vsync_service)
-(type wallpaper_file)
-(type wallpaper_service)
-(type watchdog_device)
-(type watchdogd)
-(type watchdogd_exec)
-(type webview_zygote)
-(type webview_zygote_exec)
-(type webview_zygote_tmpfs)
-(type webviewupdate_service)
-(type wifi_data_file)
-(type wifi_log_prop)
-(type wifi_prop)
-(type wifi_service)
-(type wifiaware_service)
-(type wificond)
-(type wificond_exec)
-(type wifinl80211_service)
-(type wifip2p_service)
-(type wifiscanner_service)
-(type window_service)
-(type wpa_socket)
-(type wpantund)
-(type wpantund_exec)
-(type wpantund_service)
-(type zero_device)
-(type zoneinfo_data_file)
-(type zygote)
-(type zygote_exec)
-(type zygote_socket)
-(type zygote_tmpfs)
-(typeattribute DockObserver_service_30_0)
-(typeattribute IProxyService_service_30_0)
-(typeattribute accessibility_service_30_0)
-(typeattribute account_service_30_0)
-(typeattribute activity_service_30_0)
-(typeattribute activity_task_service_30_0)
-(typeattribute adb_data_file_30_0)
-(typeattribute adb_keys_file_30_0)
-(typeattribute adb_service_30_0)
-(typeattribute adbd_30_0)
-(typeattribute adbd_exec_30_0)
-(typeattribute adbd_prop_30_0)
-(typeattribute adbd_socket_30_0)
-(typeattribute aidl_lazy_test_server_30_0)
-(typeattribute aidl_lazy_test_server_exec_30_0)
-(typeattribute aidl_lazy_test_service_30_0)
-(typeattribute alarm_service_30_0)
-(typeattribute anr_data_file_30_0)
-(typeattribute apex_data_file_30_0)
-(typeattribute apex_metadata_file_30_0)
-(typeattribute apex_mnt_dir_30_0)
-(typeattribute apex_module_data_file_30_0)
-(typeattribute apex_permission_data_file_30_0)
-(typeattribute apex_rollback_data_file_30_0)
-(typeattribute apex_service_30_0)
-(typeattribute apex_wifi_data_file_30_0)
-(typeattribute apexd_30_0)
-(typeattribute apexd_exec_30_0)
-(typeattribute apexd_prop_30_0)
-(typeattribute apk_data_file_30_0)
-(typeattribute apk_private_data_file_30_0)
-(typeattribute apk_private_tmp_file_30_0)
-(typeattribute apk_tmp_file_30_0)
-(typeattribute apk_verity_prop_30_0)
-(typeattribute app_api_service)
-(typeattribute app_binding_service_30_0)
-(typeattribute app_data_file_30_0)
-(typeattribute app_fuse_file_30_0)
-(typeattribute app_fusefs_30_0)
-(typeattribute app_integrity_service_30_0)
-(typeattribute app_prediction_service_30_0)
-(typeattribute app_search_service_30_0)
-(typeattribute app_zygote_30_0)
-(typeattribute app_zygote_tmpfs_30_0)
-(typeattribute appdomain)
-(typeattribute appdomain_tmpfs_30_0)
-(typeattribute appops_service_30_0)
-(typeattribute appwidget_service_30_0)
-(typeattribute art_apex_dir_30_0)
-(typeattribute asec_apk_file_30_0)
-(typeattribute asec_image_file_30_0)
-(typeattribute asec_public_file_30_0)
-(typeattribute ashmem_device_30_0)
-(typeattribute ashmem_libcutils_device_30_0)
-(typeattribute assetatlas_service_30_0)
-(typeattribute audio_data_file_30_0)
-(typeattribute audio_device_30_0)
-(typeattribute audio_prop_30_0)
-(typeattribute audio_service_30_0)
-(typeattribute audiohal_data_file_30_0)
-(typeattribute audioserver_30_0)
-(typeattribute audioserver_data_file_30_0)
-(typeattribute audioserver_service_30_0)
-(typeattribute audioserver_tmpfs_30_0)
-(typeattribute auth_service_30_0)
-(typeattribute autofill_service_30_0)
-(typeattribute automotive_display_service_server)
-(typeattribute backup_data_file_30_0)
-(typeattribute backup_service_30_0)
-(typeattribute base_typeattr_100_30_0)
-(typeattribute base_typeattr_101_30_0)
-(typeattribute base_typeattr_102_30_0)
-(typeattribute base_typeattr_103_30_0)
-(typeattribute base_typeattr_104_30_0)
-(typeattribute base_typeattr_105_30_0)
-(typeattribute base_typeattr_106_30_0)
-(typeattribute base_typeattr_107_30_0)
-(typeattribute base_typeattr_108_30_0)
-(typeattribute base_typeattr_109_30_0)
-(typeattribute base_typeattr_10_30_0)
-(typeattribute base_typeattr_110_30_0)
-(typeattribute base_typeattr_111_30_0)
-(typeattribute base_typeattr_112_30_0)
-(typeattribute base_typeattr_113_30_0)
-(typeattribute base_typeattr_114_30_0)
-(typeattribute base_typeattr_115_30_0)
-(typeattribute base_typeattr_116_30_0)
-(typeattribute base_typeattr_117_30_0)
-(typeattribute base_typeattr_118_30_0)
-(typeattribute base_typeattr_119_30_0)
-(typeattribute base_typeattr_11_30_0)
-(typeattribute base_typeattr_120_30_0)
-(typeattribute base_typeattr_121_30_0)
-(typeattribute base_typeattr_122_30_0)
-(typeattribute base_typeattr_123_30_0)
-(typeattribute base_typeattr_124_30_0)
-(typeattribute base_typeattr_125_30_0)
-(typeattribute base_typeattr_126_30_0)
-(typeattribute base_typeattr_127_30_0)
-(typeattribute base_typeattr_128_30_0)
-(typeattribute base_typeattr_129_30_0)
-(typeattribute base_typeattr_12_30_0)
-(typeattribute base_typeattr_130_30_0)
-(typeattribute base_typeattr_131_30_0)
-(typeattribute base_typeattr_132_30_0)
-(typeattribute base_typeattr_133_30_0)
-(typeattribute base_typeattr_134_30_0)
-(typeattribute base_typeattr_135_30_0)
-(typeattribute base_typeattr_136_30_0)
-(typeattribute base_typeattr_137_30_0)
-(typeattribute base_typeattr_138_30_0)
-(typeattribute base_typeattr_139_30_0)
-(typeattribute base_typeattr_13_30_0)
-(typeattribute base_typeattr_140_30_0)
-(typeattribute base_typeattr_141_30_0)
-(typeattribute base_typeattr_142_30_0)
-(typeattribute base_typeattr_143_30_0)
-(typeattribute base_typeattr_144_30_0)
-(typeattribute base_typeattr_145_30_0)
-(typeattribute base_typeattr_146_30_0)
-(typeattribute base_typeattr_147_30_0)
-(typeattribute base_typeattr_148_30_0)
-(typeattribute base_typeattr_149_30_0)
-(typeattribute base_typeattr_14_30_0)
-(typeattribute base_typeattr_150_30_0)
-(typeattribute base_typeattr_151_30_0)
-(typeattribute base_typeattr_152_30_0)
-(typeattribute base_typeattr_153_30_0)
-(typeattribute base_typeattr_154_30_0)
-(typeattribute base_typeattr_155_30_0)
-(typeattribute base_typeattr_156_30_0)
-(typeattribute base_typeattr_157_30_0)
-(typeattribute base_typeattr_158_30_0)
-(typeattribute base_typeattr_159_30_0)
-(typeattribute base_typeattr_15_30_0)
-(typeattribute base_typeattr_160_30_0)
-(typeattribute base_typeattr_161_30_0)
-(typeattribute base_typeattr_162_30_0)
-(typeattribute base_typeattr_163_30_0)
-(typeattribute base_typeattr_164_30_0)
-(typeattribute base_typeattr_165_30_0)
-(typeattribute base_typeattr_166_30_0)
-(typeattribute base_typeattr_167_30_0)
-(typeattribute base_typeattr_168_30_0)
-(typeattribute base_typeattr_169_30_0)
-(typeattribute base_typeattr_16_30_0)
-(typeattribute base_typeattr_170_30_0)
-(typeattribute base_typeattr_171_30_0)
-(typeattribute base_typeattr_172_30_0)
-(typeattribute base_typeattr_173_30_0)
-(typeattribute base_typeattr_174_30_0)
-(typeattribute base_typeattr_175_30_0)
-(typeattribute base_typeattr_176_30_0)
-(typeattribute base_typeattr_177_30_0)
-(typeattribute base_typeattr_178_30_0)
-(typeattribute base_typeattr_179_30_0)
-(typeattribute base_typeattr_17_30_0)
-(typeattribute base_typeattr_180_30_0)
-(typeattribute base_typeattr_181_30_0)
-(typeattribute base_typeattr_182_30_0)
-(typeattribute base_typeattr_183_30_0)
-(typeattribute base_typeattr_184_30_0)
-(typeattribute base_typeattr_185_30_0)
-(typeattribute base_typeattr_186_30_0)
-(typeattribute base_typeattr_187_30_0)
-(typeattribute base_typeattr_188_30_0)
-(typeattribute base_typeattr_189_30_0)
-(typeattribute base_typeattr_18_30_0)
-(typeattribute base_typeattr_190_30_0)
-(typeattribute base_typeattr_191_30_0)
-(typeattribute base_typeattr_192_30_0)
-(typeattribute base_typeattr_193_30_0)
-(typeattribute base_typeattr_194_30_0)
-(typeattribute base_typeattr_195_30_0)
-(typeattribute base_typeattr_196_30_0)
-(typeattribute base_typeattr_197_30_0)
-(typeattribute base_typeattr_198_30_0)
-(typeattribute base_typeattr_199_30_0)
-(typeattribute base_typeattr_19_30_0)
-(typeattribute base_typeattr_1_30_0)
-(typeattribute base_typeattr_200_30_0)
-(typeattribute base_typeattr_201_30_0)
-(typeattribute base_typeattr_202_30_0)
-(typeattribute base_typeattr_203_30_0)
-(typeattribute base_typeattr_204_30_0)
-(typeattribute base_typeattr_205_30_0)
-(typeattribute base_typeattr_206_30_0)
-(typeattribute base_typeattr_207_30_0)
-(typeattribute base_typeattr_208_30_0)
-(typeattribute base_typeattr_209_30_0)
-(typeattribute base_typeattr_20_30_0)
-(typeattribute base_typeattr_210_30_0)
-(typeattribute base_typeattr_211_30_0)
-(typeattribute base_typeattr_212_30_0)
-(typeattribute base_typeattr_213_30_0)
-(typeattribute base_typeattr_214_30_0)
-(typeattribute base_typeattr_215_30_0)
-(typeattribute base_typeattr_216_30_0)
-(typeattribute base_typeattr_217_30_0)
-(typeattribute base_typeattr_218_30_0)
-(typeattribute base_typeattr_219_30_0)
-(typeattribute base_typeattr_21_30_0)
-(typeattribute base_typeattr_220_30_0)
-(typeattribute base_typeattr_221_30_0)
-(typeattribute base_typeattr_222_30_0)
-(typeattribute base_typeattr_223_30_0)
-(typeattribute base_typeattr_224_30_0)
-(typeattribute base_typeattr_225_30_0)
-(typeattribute base_typeattr_226_30_0)
-(typeattribute base_typeattr_227_30_0)
-(typeattribute base_typeattr_228_30_0)
-(typeattribute base_typeattr_229_30_0)
-(typeattribute base_typeattr_22_30_0)
-(typeattribute base_typeattr_230_30_0)
-(typeattribute base_typeattr_231_30_0)
-(typeattribute base_typeattr_232_30_0)
-(typeattribute base_typeattr_233_30_0)
-(typeattribute base_typeattr_234_30_0)
-(typeattribute base_typeattr_235_30_0)
-(typeattribute base_typeattr_236_30_0)
-(typeattribute base_typeattr_237_30_0)
-(typeattribute base_typeattr_238_30_0)
-(typeattribute base_typeattr_239_30_0)
-(typeattribute base_typeattr_23_30_0)
-(typeattribute base_typeattr_240_30_0)
-(typeattribute base_typeattr_241_30_0)
-(typeattribute base_typeattr_242_30_0)
-(typeattribute base_typeattr_243_30_0)
-(typeattribute base_typeattr_244_30_0)
-(typeattribute base_typeattr_245_30_0)
-(typeattribute base_typeattr_246_30_0)
-(typeattribute base_typeattr_247_30_0)
-(typeattribute base_typeattr_248_30_0)
-(typeattribute base_typeattr_249_30_0)
-(typeattribute base_typeattr_24_30_0)
-(typeattribute base_typeattr_250_30_0)
-(typeattribute base_typeattr_251_30_0)
-(typeattribute base_typeattr_252_30_0)
-(typeattribute base_typeattr_253_30_0)
-(typeattribute base_typeattr_254_30_0)
-(typeattribute base_typeattr_255_30_0)
-(typeattribute base_typeattr_256_30_0)
-(typeattribute base_typeattr_257_30_0)
-(typeattribute base_typeattr_258_30_0)
-(typeattribute base_typeattr_259_30_0)
-(typeattribute base_typeattr_25_30_0)
-(typeattribute base_typeattr_260_30_0)
-(typeattribute base_typeattr_261_30_0)
-(typeattribute base_typeattr_262_30_0)
-(typeattribute base_typeattr_263_30_0)
-(typeattribute base_typeattr_264_30_0)
-(typeattribute base_typeattr_265_30_0)
-(typeattribute base_typeattr_266_30_0)
-(typeattribute base_typeattr_267_30_0)
-(typeattribute base_typeattr_268_30_0)
-(typeattribute base_typeattr_269_30_0)
-(typeattribute base_typeattr_26_30_0)
-(typeattribute base_typeattr_270_30_0)
-(typeattribute base_typeattr_271_30_0)
-(typeattribute base_typeattr_272_30_0)
-(typeattribute base_typeattr_273_30_0)
-(typeattribute base_typeattr_274_30_0)
-(typeattribute base_typeattr_275_30_0)
-(typeattribute base_typeattr_276_30_0)
-(typeattribute base_typeattr_277_30_0)
-(typeattribute base_typeattr_278_30_0)
-(typeattribute base_typeattr_279_30_0)
-(typeattribute base_typeattr_27_30_0)
-(typeattribute base_typeattr_280_30_0)
-(typeattribute base_typeattr_281_30_0)
-(typeattribute base_typeattr_282_30_0)
-(typeattribute base_typeattr_283_30_0)
-(typeattribute base_typeattr_284_30_0)
-(typeattribute base_typeattr_285_30_0)
-(typeattribute base_typeattr_286_30_0)
-(typeattribute base_typeattr_287_30_0)
-(typeattribute base_typeattr_288_30_0)
-(typeattribute base_typeattr_289_30_0)
-(typeattribute base_typeattr_28_30_0)
-(typeattribute base_typeattr_290_30_0)
-(typeattribute base_typeattr_291_30_0)
-(typeattribute base_typeattr_292_30_0)
-(typeattribute base_typeattr_293_30_0)
-(typeattribute base_typeattr_294_30_0)
-(typeattribute base_typeattr_295_30_0)
-(typeattribute base_typeattr_296_30_0)
-(typeattribute base_typeattr_297_30_0)
-(typeattribute base_typeattr_298_30_0)
-(typeattribute base_typeattr_299_30_0)
-(typeattribute base_typeattr_29_30_0)
-(typeattribute base_typeattr_2_30_0)
-(typeattribute base_typeattr_300_30_0)
-(typeattribute base_typeattr_301_30_0)
-(typeattribute base_typeattr_302_30_0)
-(typeattribute base_typeattr_303_30_0)
-(typeattribute base_typeattr_304_30_0)
-(typeattribute base_typeattr_305_30_0)
-(typeattribute base_typeattr_306_30_0)
-(typeattribute base_typeattr_307_30_0)
-(typeattribute base_typeattr_308_30_0)
-(typeattribute base_typeattr_309_30_0)
-(typeattribute base_typeattr_30_30_0)
-(typeattribute base_typeattr_310_30_0)
-(typeattribute base_typeattr_311_30_0)
-(typeattribute base_typeattr_312_30_0)
-(typeattribute base_typeattr_313_30_0)
-(typeattribute base_typeattr_314_30_0)
-(typeattribute base_typeattr_315_30_0)
-(typeattribute base_typeattr_316_30_0)
-(typeattribute base_typeattr_317_30_0)
-(typeattribute base_typeattr_318_30_0)
-(typeattribute base_typeattr_319_30_0)
-(typeattribute base_typeattr_31_30_0)
-(typeattribute base_typeattr_320_30_0)
-(typeattribute base_typeattr_321_30_0)
-(typeattribute base_typeattr_322_30_0)
-(typeattribute base_typeattr_323_30_0)
-(typeattribute base_typeattr_324_30_0)
-(typeattribute base_typeattr_325_30_0)
-(typeattribute base_typeattr_326_30_0)
-(typeattribute base_typeattr_327_30_0)
-(typeattribute base_typeattr_328_30_0)
-(typeattribute base_typeattr_329_30_0)
-(typeattribute base_typeattr_32_30_0)
-(typeattribute base_typeattr_330_30_0)
-(typeattribute base_typeattr_331_30_0)
-(typeattribute base_typeattr_332_30_0)
-(typeattribute base_typeattr_333_30_0)
-(typeattribute base_typeattr_334_30_0)
-(typeattribute base_typeattr_335_30_0)
-(typeattribute base_typeattr_336_30_0)
-(typeattribute base_typeattr_337_30_0)
-(typeattribute base_typeattr_338_30_0)
-(typeattribute base_typeattr_339_30_0)
-(typeattribute base_typeattr_33_30_0)
-(typeattribute base_typeattr_340_30_0)
-(typeattribute base_typeattr_341_30_0)
-(typeattribute base_typeattr_342_30_0)
-(typeattribute base_typeattr_343_30_0)
-(typeattribute base_typeattr_344_30_0)
-(typeattribute base_typeattr_345_30_0)
-(typeattribute base_typeattr_346_30_0)
-(typeattribute base_typeattr_347_30_0)
-(typeattribute base_typeattr_348_30_0)
-(typeattribute base_typeattr_349_30_0)
-(typeattribute base_typeattr_34_30_0)
-(typeattribute base_typeattr_350_30_0)
-(typeattribute base_typeattr_351_30_0)
-(typeattribute base_typeattr_352_30_0)
-(typeattribute base_typeattr_353_30_0)
-(typeattribute base_typeattr_354_30_0)
-(typeattribute base_typeattr_355_30_0)
-(typeattribute base_typeattr_356_30_0)
-(typeattribute base_typeattr_357_30_0)
-(typeattribute base_typeattr_358_30_0)
-(typeattribute base_typeattr_359_30_0)
-(typeattribute base_typeattr_35_30_0)
-(typeattribute base_typeattr_360_30_0)
-(typeattribute base_typeattr_361_30_0)
-(typeattribute base_typeattr_362_30_0)
-(typeattribute base_typeattr_363_30_0)
-(typeattribute base_typeattr_364_30_0)
-(typeattribute base_typeattr_365_30_0)
-(typeattribute base_typeattr_366_30_0)
-(typeattribute base_typeattr_367_30_0)
-(typeattribute base_typeattr_368_30_0)
-(typeattribute base_typeattr_369_30_0)
-(typeattribute base_typeattr_36_30_0)
-(typeattribute base_typeattr_370_30_0)
-(typeattribute base_typeattr_371_30_0)
-(typeattribute base_typeattr_372_30_0)
-(typeattribute base_typeattr_373_30_0)
-(typeattribute base_typeattr_374_30_0)
-(typeattribute base_typeattr_375_30_0)
-(typeattribute base_typeattr_376_30_0)
-(typeattribute base_typeattr_377_30_0)
-(typeattribute base_typeattr_378_30_0)
-(typeattribute base_typeattr_379_30_0)
-(typeattribute base_typeattr_37_30_0)
-(typeattribute base_typeattr_380_30_0)
-(typeattribute base_typeattr_381_30_0)
-(typeattribute base_typeattr_382_30_0)
-(typeattribute base_typeattr_383_30_0)
-(typeattribute base_typeattr_384_30_0)
-(typeattribute base_typeattr_385_30_0)
-(typeattribute base_typeattr_386_30_0)
-(typeattribute base_typeattr_387_30_0)
-(typeattribute base_typeattr_388_30_0)
-(typeattribute base_typeattr_389_30_0)
-(typeattribute base_typeattr_38_30_0)
-(typeattribute base_typeattr_390_30_0)
-(typeattribute base_typeattr_391_30_0)
-(typeattribute base_typeattr_392_30_0)
-(typeattribute base_typeattr_393_30_0)
-(typeattribute base_typeattr_394_30_0)
-(typeattribute base_typeattr_395_30_0)
-(typeattribute base_typeattr_396_30_0)
-(typeattribute base_typeattr_397_30_0)
-(typeattribute base_typeattr_398_30_0)
-(typeattribute base_typeattr_399_30_0)
-(typeattribute base_typeattr_39_30_0)
-(typeattribute base_typeattr_3_30_0)
-(typeattribute base_typeattr_400_30_0)
-(typeattribute base_typeattr_401_30_0)
-(typeattribute base_typeattr_402_30_0)
-(typeattribute base_typeattr_403_30_0)
-(typeattribute base_typeattr_404_30_0)
-(typeattribute base_typeattr_405_30_0)
-(typeattribute base_typeattr_406_30_0)
-(typeattribute base_typeattr_407_30_0)
-(typeattribute base_typeattr_408_30_0)
-(typeattribute base_typeattr_409_30_0)
-(typeattribute base_typeattr_40_30_0)
-(typeattribute base_typeattr_410_30_0)
-(typeattribute base_typeattr_411_30_0)
-(typeattribute base_typeattr_412_30_0)
-(typeattribute base_typeattr_413_30_0)
-(typeattribute base_typeattr_414_30_0)
-(typeattribute base_typeattr_415_30_0)
-(typeattribute base_typeattr_416_30_0)
-(typeattribute base_typeattr_417_30_0)
-(typeattribute base_typeattr_418_30_0)
-(typeattribute base_typeattr_419_30_0)
-(typeattribute base_typeattr_41_30_0)
-(typeattribute base_typeattr_420_30_0)
-(typeattribute base_typeattr_421_30_0)
-(typeattribute base_typeattr_422_30_0)
-(typeattribute base_typeattr_423_30_0)
-(typeattribute base_typeattr_424_30_0)
-(typeattribute base_typeattr_425_30_0)
-(typeattribute base_typeattr_426_30_0)
-(typeattribute base_typeattr_427_30_0)
-(typeattribute base_typeattr_428_30_0)
-(typeattribute base_typeattr_429_30_0)
-(typeattribute base_typeattr_42_30_0)
-(typeattribute base_typeattr_430_30_0)
-(typeattribute base_typeattr_431_30_0)
-(typeattribute base_typeattr_432_30_0)
-(typeattribute base_typeattr_433_30_0)
-(typeattribute base_typeattr_434_30_0)
-(typeattribute base_typeattr_435_30_0)
-(typeattribute base_typeattr_436_30_0)
-(typeattribute base_typeattr_437_30_0)
-(typeattribute base_typeattr_438_30_0)
-(typeattribute base_typeattr_439_30_0)
-(typeattribute base_typeattr_43_30_0)
-(typeattribute base_typeattr_440_30_0)
-(typeattribute base_typeattr_441_30_0)
-(typeattribute base_typeattr_442_30_0)
-(typeattribute base_typeattr_443_30_0)
-(typeattribute base_typeattr_444_30_0)
-(typeattribute base_typeattr_445_30_0)
-(typeattribute base_typeattr_446_30_0)
-(typeattribute base_typeattr_447_30_0)
-(typeattribute base_typeattr_448_30_0)
-(typeattribute base_typeattr_449_30_0)
-(typeattribute base_typeattr_44_30_0)
-(typeattribute base_typeattr_450_30_0)
-(typeattribute base_typeattr_451_30_0)
-(typeattribute base_typeattr_452_30_0)
-(typeattribute base_typeattr_453_30_0)
-(typeattribute base_typeattr_454_30_0)
-(typeattribute base_typeattr_455_30_0)
-(typeattribute base_typeattr_456_30_0)
-(typeattribute base_typeattr_457_30_0)
-(typeattribute base_typeattr_458_30_0)
-(typeattribute base_typeattr_459_30_0)
-(typeattribute base_typeattr_45_30_0)
-(typeattribute base_typeattr_460_30_0)
-(typeattribute base_typeattr_461_30_0)
-(typeattribute base_typeattr_462_30_0)
-(typeattribute base_typeattr_463_30_0)
-(typeattribute base_typeattr_464_30_0)
-(typeattribute base_typeattr_465_30_0)
-(typeattribute base_typeattr_466_30_0)
-(typeattribute base_typeattr_467_30_0)
-(typeattribute base_typeattr_468_30_0)
-(typeattribute base_typeattr_469_30_0)
-(typeattribute base_typeattr_46_30_0)
-(typeattribute base_typeattr_470_30_0)
-(typeattribute base_typeattr_471_30_0)
-(typeattribute base_typeattr_472_30_0)
-(typeattribute base_typeattr_473_30_0)
-(typeattribute base_typeattr_474_30_0)
-(typeattribute base_typeattr_475_30_0)
-(typeattribute base_typeattr_476_30_0)
-(typeattribute base_typeattr_477_30_0)
-(typeattribute base_typeattr_478_30_0)
-(typeattribute base_typeattr_479_30_0)
-(typeattribute base_typeattr_47_30_0)
-(typeattribute base_typeattr_480_30_0)
-(typeattribute base_typeattr_481_30_0)
-(typeattribute base_typeattr_482_30_0)
-(typeattribute base_typeattr_483_30_0)
-(typeattribute base_typeattr_484_30_0)
-(typeattribute base_typeattr_485_30_0)
-(typeattribute base_typeattr_486_30_0)
-(typeattribute base_typeattr_487_30_0)
-(typeattribute base_typeattr_488_30_0)
-(typeattribute base_typeattr_489_30_0)
-(typeattribute base_typeattr_48_30_0)
-(typeattribute base_typeattr_490_30_0)
-(typeattribute base_typeattr_491_30_0)
-(typeattribute base_typeattr_492_30_0)
-(typeattribute base_typeattr_493_30_0)
-(typeattribute base_typeattr_494_30_0)
-(typeattribute base_typeattr_495_30_0)
-(typeattribute base_typeattr_496_30_0)
-(typeattribute base_typeattr_497_30_0)
-(typeattribute base_typeattr_498_30_0)
-(typeattribute base_typeattr_499_30_0)
-(typeattribute base_typeattr_49_30_0)
-(typeattribute base_typeattr_4_30_0)
-(typeattribute base_typeattr_500_30_0)
-(typeattribute base_typeattr_501_30_0)
-(typeattribute base_typeattr_502_30_0)
-(typeattribute base_typeattr_503_30_0)
-(typeattribute base_typeattr_504_30_0)
-(typeattribute base_typeattr_505_30_0)
-(typeattribute base_typeattr_506_30_0)
-(typeattribute base_typeattr_507_30_0)
-(typeattribute base_typeattr_508_30_0)
-(typeattribute base_typeattr_509_30_0)
-(typeattribute base_typeattr_50_30_0)
-(typeattribute base_typeattr_510_30_0)
-(typeattribute base_typeattr_511_30_0)
-(typeattribute base_typeattr_512_30_0)
-(typeattribute base_typeattr_513_30_0)
-(typeattribute base_typeattr_514_30_0)
-(typeattribute base_typeattr_515_30_0)
-(typeattribute base_typeattr_516_30_0)
-(typeattribute base_typeattr_517_30_0)
-(typeattribute base_typeattr_518_30_0)
-(typeattribute base_typeattr_519_30_0)
-(typeattribute base_typeattr_51_30_0)
-(typeattribute base_typeattr_520_30_0)
-(typeattribute base_typeattr_521_30_0)
-(typeattribute base_typeattr_522_30_0)
-(typeattribute base_typeattr_523_30_0)
-(typeattribute base_typeattr_524_30_0)
-(typeattribute base_typeattr_525_30_0)
-(typeattribute base_typeattr_526_30_0)
-(typeattribute base_typeattr_527_30_0)
-(typeattribute base_typeattr_528_30_0)
-(typeattribute base_typeattr_529_30_0)
-(typeattribute base_typeattr_52_30_0)
-(typeattribute base_typeattr_530_30_0)
-(typeattribute base_typeattr_531_30_0)
-(typeattribute base_typeattr_532_30_0)
-(typeattribute base_typeattr_533_30_0)
-(typeattribute base_typeattr_534_30_0)
-(typeattribute base_typeattr_535_30_0)
-(typeattribute base_typeattr_536_30_0)
-(typeattribute base_typeattr_537_30_0)
-(typeattribute base_typeattr_538_30_0)
-(typeattribute base_typeattr_539_30_0)
-(typeattribute base_typeattr_53_30_0)
-(typeattribute base_typeattr_540_30_0)
-(typeattribute base_typeattr_541_30_0)
-(typeattribute base_typeattr_542_30_0)
-(typeattribute base_typeattr_543_30_0)
-(typeattribute base_typeattr_544_30_0)
-(typeattribute base_typeattr_545_30_0)
-(typeattribute base_typeattr_546_30_0)
-(typeattribute base_typeattr_547_30_0)
-(typeattribute base_typeattr_548_30_0)
-(typeattribute base_typeattr_54_30_0)
-(typeattribute base_typeattr_55_30_0)
-(typeattribute base_typeattr_56_30_0)
-(typeattribute base_typeattr_57_30_0)
-(typeattribute base_typeattr_58_30_0)
-(typeattribute base_typeattr_59_30_0)
-(typeattribute base_typeattr_5_30_0)
-(typeattribute base_typeattr_60_30_0)
-(typeattribute base_typeattr_61_30_0)
-(typeattribute base_typeattr_62_30_0)
-(typeattribute base_typeattr_63_30_0)
-(typeattribute base_typeattr_64_30_0)
-(typeattribute base_typeattr_65_30_0)
-(typeattribute base_typeattr_66_30_0)
-(typeattribute base_typeattr_67_30_0)
-(typeattribute base_typeattr_68_30_0)
-(typeattribute base_typeattr_69_30_0)
-(typeattribute base_typeattr_6_30_0)
-(typeattribute base_typeattr_70_30_0)
-(typeattribute base_typeattr_71_30_0)
-(typeattribute base_typeattr_72_30_0)
-(typeattribute base_typeattr_73_30_0)
-(typeattribute base_typeattr_74_30_0)
-(typeattribute base_typeattr_75_30_0)
-(typeattribute base_typeattr_76_30_0)
-(typeattribute base_typeattr_77_30_0)
-(typeattribute base_typeattr_78_30_0)
-(typeattribute base_typeattr_79_30_0)
-(typeattribute base_typeattr_7_30_0)
-(typeattribute base_typeattr_80_30_0)
-(typeattribute base_typeattr_81_30_0)
-(typeattribute base_typeattr_82_30_0)
-(typeattribute base_typeattr_83_30_0)
-(typeattribute base_typeattr_84_30_0)
-(typeattribute base_typeattr_85_30_0)
-(typeattribute base_typeattr_86_30_0)
-(typeattribute base_typeattr_87_30_0)
-(typeattribute base_typeattr_88_30_0)
-(typeattribute base_typeattr_89_30_0)
-(typeattribute base_typeattr_8_30_0)
-(typeattribute base_typeattr_90_30_0)
-(typeattribute base_typeattr_91_30_0)
-(typeattribute base_typeattr_92_30_0)
-(typeattribute base_typeattr_93_30_0)
-(typeattribute base_typeattr_94_30_0)
-(typeattribute base_typeattr_95_30_0)
-(typeattribute base_typeattr_96_30_0)
-(typeattribute base_typeattr_97_30_0)
-(typeattribute base_typeattr_98_30_0)
-(typeattribute base_typeattr_99_30_0)
-(typeattribute base_typeattr_9_30_0)
-(typeattribute battery_service_30_0)
-(typeattribute batteryproperties_service_30_0)
-(typeattribute batterystats_service_30_0)
-(typeattribute binder_cache_bluetooth_server_prop_30_0)
-(typeattribute binder_cache_system_server_prop_30_0)
-(typeattribute binder_cache_telephony_server_prop_30_0)
-(typeattribute binder_calls_stats_service_30_0)
-(typeattribute binder_device_30_0)
-(typeattribute binder_in_vendor_violators)
-(typeattribute binderfs_30_0)
-(typeattribute binderfs_logs_30_0)
-(typeattribute binderfs_logs_proc_30_0)
-(typeattribute binderservicedomain)
-(typeattribute binfmt_miscfs_30_0)
-(typeattribute biometric_service_30_0)
-(typeattribute blkid_30_0)
-(typeattribute blkid_untrusted_30_0)
-(typeattribute blob_store_service_30_0)
-(typeattribute block_device_30_0)
-(typeattribute bluetooth_30_0)
-(typeattribute bluetooth_a2dp_offload_prop_30_0)
-(typeattribute bluetooth_audio_hal_prop_30_0)
-(typeattribute bluetooth_data_file_30_0)
-(typeattribute bluetooth_efs_file_30_0)
-(typeattribute bluetooth_logs_data_file_30_0)
-(typeattribute bluetooth_manager_service_30_0)
-(typeattribute bluetooth_prop_30_0)
-(typeattribute bluetooth_service_30_0)
-(typeattribute bluetooth_socket_30_0)
-(typeattribute bluetoothdomain)
-(typeattribute boot_block_device_30_0)
-(typeattribute bootanim_30_0)
-(typeattribute bootanim_exec_30_0)
-(typeattribute bootchart_data_file_30_0)
-(typeattribute bootloader_boot_reason_prop_30_0)
-(typeattribute bootstat_30_0)
-(typeattribute bootstat_data_file_30_0)
-(typeattribute bootstat_exec_30_0)
-(typeattribute boottime_prop_30_0)
-(typeattribute boottime_public_prop_30_0)
-(typeattribute boottrace_data_file_30_0)
-(typeattribute bpf_progs_loaded_prop_30_0)
-(typeattribute bq_config_prop_30_0)
-(typeattribute broadcastradio_service_30_0)
-(typeattribute bufferhubd_30_0)
-(typeattribute bufferhubd_exec_30_0)
-(typeattribute bugreport_service_30_0)
-(typeattribute cache_backup_file_30_0)
-(typeattribute cache_block_device_30_0)
-(typeattribute cache_file_30_0)
-(typeattribute cache_private_backup_file_30_0)
-(typeattribute cache_recovery_file_30_0)
-(typeattribute cacheinfo_service_30_0)
-(typeattribute camera_data_file_30_0)
-(typeattribute camera_device_30_0)
-(typeattribute camera_service_server)
-(typeattribute cameraproxy_service_30_0)
-(typeattribute cameraserver_30_0)
-(typeattribute cameraserver_exec_30_0)
-(typeattribute cameraserver_service_30_0)
-(typeattribute cameraserver_tmpfs_30_0)
-(typeattribute cgroup_30_0)
-(typeattribute cgroup_bpf_30_0)
-(typeattribute cgroup_desc_file_30_0)
-(typeattribute cgroup_rc_file_30_0)
-(typeattribute charger_30_0)
-(typeattribute charger_exec_30_0)
-(typeattribute charger_prop_30_0)
-(typeattribute clipboard_service_30_0)
-(typeattribute cold_boot_done_prop_30_0)
-(typeattribute color_display_service_30_0)
-(typeattribute companion_device_service_30_0)
-(typeattribute config_prop_30_0)
-(typeattribute configfs_30_0)
-(typeattribute connectivity_service_30_0)
-(typeattribute connmetrics_service_30_0)
-(typeattribute console_device_30_0)
-(typeattribute consumer_ir_service_30_0)
-(typeattribute content_capture_service_30_0)
-(typeattribute content_service_30_0)
-(typeattribute content_suggestions_service_30_0)
-(typeattribute contexthub_service_30_0)
-(typeattribute contextmount_type)
-(typeattribute core_data_file_type)
-(typeattribute core_property_type)
-(typeattribute coredomain)
-(typeattribute coredomain_hwservice)
-(typeattribute coredomain_socket)
-(typeattribute coredump_file_30_0)
-(typeattribute country_detector_service_30_0)
-(typeattribute coverage_service_30_0)
-(typeattribute cppreopt_prop_30_0)
-(typeattribute cpu_variant_prop_30_0)
-(typeattribute cpuinfo_service_30_0)
-(typeattribute crash_dump_30_0)
-(typeattribute crash_dump_exec_30_0)
-(typeattribute credstore_30_0)
-(typeattribute credstore_data_file_30_0)
-(typeattribute credstore_exec_30_0)
-(typeattribute credstore_service_30_0)
-(typeattribute crossprofileapps_service_30_0)
-(typeattribute ctl_adbd_prop_30_0)
-(typeattribute ctl_apexd_prop_30_0)
-(typeattribute ctl_bootanim_prop_30_0)
-(typeattribute ctl_bugreport_prop_30_0)
-(typeattribute ctl_console_prop_30_0)
-(typeattribute ctl_default_prop_30_0)
-(typeattribute ctl_dumpstate_prop_30_0)
-(typeattribute ctl_fuse_prop_30_0)
-(typeattribute ctl_gsid_prop_30_0)
-(typeattribute ctl_interface_restart_prop_30_0)
-(typeattribute ctl_interface_start_prop_30_0)
-(typeattribute ctl_interface_stop_prop_30_0)
-(typeattribute ctl_mdnsd_prop_30_0)
-(typeattribute ctl_restart_prop_30_0)
-(typeattribute ctl_rildaemon_prop_30_0)
-(typeattribute ctl_sigstop_prop_30_0)
-(typeattribute ctl_start_prop_30_0)
-(typeattribute ctl_stop_prop_30_0)
-(typeattribute dalvik_prop_30_0)
-(typeattribute dalvikcache_data_file_30_0)
-(typeattribute data_between_core_and_vendor_violators)
-(typeattribute data_file_type)
-(typeattribute dataloader_manager_service_30_0)
-(typeattribute dbinfo_service_30_0)
-(typeattribute debug_prop_30_0)
-(typeattribute debugfs_30_0)
-(typeattribute debugfs_kprobes_30_0)
-(typeattribute debugfs_mmc_30_0)
-(typeattribute debugfs_trace_marker_30_0)
-(typeattribute debugfs_tracing_30_0)
-(typeattribute debugfs_tracing_debug_30_0)
-(typeattribute debugfs_tracing_instances_30_0)
-(typeattribute debugfs_type)
-(typeattribute debugfs_wakeup_sources_30_0)
-(typeattribute debugfs_wifi_tracing_30_0)
-(typeattribute debuggerd_prop_30_0)
-(typeattribute default_android_hwservice_30_0)
-(typeattribute default_android_service_30_0)
-(typeattribute default_android_vndservice_30_0)
-(typeattribute default_prop_30_0)
-(typeattribute dev_cpu_variant_30_0)
-(typeattribute dev_type)
-(typeattribute device_30_0)
-(typeattribute device_config_activity_manager_native_boot_prop_30_0)
-(typeattribute device_config_boot_count_prop_30_0)
-(typeattribute device_config_configuration_prop_30_0)
-(typeattribute device_config_input_native_boot_prop_30_0)
-(typeattribute device_config_media_native_prop_30_0)
-(typeattribute device_config_netd_native_prop_30_0)
-(typeattribute device_config_reset_performed_prop_30_0)
-(typeattribute device_config_runtime_native_boot_prop_30_0)
-(typeattribute device_config_runtime_native_prop_30_0)
-(typeattribute device_config_service_30_0)
-(typeattribute device_config_storage_native_boot_prop_30_0)
-(typeattribute device_config_sys_traced_prop_30_0)
-(typeattribute device_config_window_manager_native_boot_prop_30_0)
-(typeattribute device_identifiers_service_30_0)
-(typeattribute device_logging_prop_30_0)
-(typeattribute device_policy_service_30_0)
-(typeattribute deviceidle_service_30_0)
-(typeattribute devicestoragemonitor_service_30_0)
-(typeattribute devpts_30_0)
-(typeattribute dhcp_30_0)
-(typeattribute dhcp_data_file_30_0)
-(typeattribute dhcp_exec_30_0)
-(typeattribute dhcp_prop_30_0)
-(typeattribute diskstats_service_30_0)
-(typeattribute display_service_30_0)
-(typeattribute display_service_server)
-(typeattribute dm_device_30_0)
-(typeattribute dnsmasq_30_0)
-(typeattribute dnsmasq_exec_30_0)
-(typeattribute dnsproxyd_socket_30_0)
-(typeattribute dnsresolver_service_30_0)
-(typeattribute domain)
-(typeattribute dreams_service_30_0)
-(typeattribute drm_data_file_30_0)
-(typeattribute drmserver_30_0)
-(typeattribute drmserver_exec_30_0)
-(typeattribute drmserver_service_30_0)
-(typeattribute drmserver_socket_30_0)
-(typeattribute dropbox_data_file_30_0)
-(typeattribute dropbox_service_30_0)
-(typeattribute dumpstate_30_0)
-(typeattribute dumpstate_exec_30_0)
-(typeattribute dumpstate_options_prop_30_0)
-(typeattribute dumpstate_prop_30_0)
-(typeattribute dumpstate_service_30_0)
-(typeattribute dumpstate_socket_30_0)
-(typeattribute dynamic_system_prop_30_0)
-(typeattribute e2fs_30_0)
-(typeattribute e2fs_exec_30_0)
-(typeattribute efs_file_30_0)
-(typeattribute emergency_affordance_service_30_0)
-(typeattribute ephemeral_app_30_0)
-(typeattribute ephemeral_app_api_service)
-(typeattribute ethernet_service_30_0)
-(typeattribute exec_type)
-(typeattribute exfat_30_0)
-(typeattribute exported2_config_prop_30_0)
-(typeattribute exported2_default_prop_30_0)
-(typeattribute exported2_radio_prop_30_0)
-(typeattribute exported2_system_prop_30_0)
-(typeattribute exported2_vold_prop_30_0)
-(typeattribute exported3_default_prop_30_0)
-(typeattribute exported3_radio_prop_30_0)
-(typeattribute exported3_system_prop_30_0)
-(typeattribute exported_audio_prop_30_0)
-(typeattribute exported_bluetooth_prop_30_0)
-(typeattribute exported_camera_prop_30_0)
-(typeattribute exported_config_prop_30_0)
-(typeattribute exported_dalvik_prop_30_0)
-(typeattribute exported_default_prop_30_0)
-(typeattribute exported_dumpstate_prop_30_0)
-(typeattribute exported_ffs_prop_30_0)
-(typeattribute exported_fingerprint_prop_30_0)
-(typeattribute exported_overlay_prop_30_0)
-(typeattribute exported_pm_prop_30_0)
-(typeattribute exported_radio_prop_30_0)
-(typeattribute exported_secure_prop_30_0)
-(typeattribute exported_system_prop_30_0)
-(typeattribute exported_system_radio_prop_30_0)
-(typeattribute exported_vold_prop_30_0)
-(typeattribute exported_wifi_prop_30_0)
-(typeattribute extended_core_property_type)
-(typeattribute external_vibrator_service_30_0)
-(typeattribute face_service_30_0)
-(typeattribute face_vendor_data_file_30_0)
-(typeattribute fastbootd_30_0)
-(typeattribute fastbootd_protocol_prop_30_0)
-(typeattribute ffs_prop_30_0)
-(typeattribute file_contexts_file_30_0)
-(typeattribute file_integrity_service_30_0)
-(typeattribute file_type)
-(typeattribute fingerprint_prop_30_0)
-(typeattribute fingerprint_service_30_0)
-(typeattribute fingerprint_vendor_data_file_30_0)
-(typeattribute fingerprintd_30_0)
-(typeattribute fingerprintd_data_file_30_0)
-(typeattribute fingerprintd_exec_30_0)
-(typeattribute fingerprintd_service_30_0)
-(typeattribute firstboot_prop_30_0)
-(typeattribute flags_health_check_30_0)
-(typeattribute flags_health_check_exec_30_0)
-(typeattribute font_service_30_0)
-(typeattribute frp_block_device_30_0)
-(typeattribute fs_bpf_30_0)
-(typeattribute fs_type)
-(typeattribute fsck_30_0)
-(typeattribute fsck_exec_30_0)
-(typeattribute fsck_untrusted_30_0)
-(typeattribute fscklogs_30_0)
-(typeattribute functionfs_30_0)
-(typeattribute fuse_30_0)
-(typeattribute fuse_device_30_0)
-(typeattribute fusectlfs_30_0)
-(typeattribute fwk_automotive_display_hwservice_30_0)
-(typeattribute fwk_bufferhub_hwservice_30_0)
-(typeattribute fwk_camera_hwservice_30_0)
-(typeattribute fwk_display_hwservice_30_0)
-(typeattribute fwk_scheduler_hwservice_30_0)
-(typeattribute fwk_sensor_hwservice_30_0)
-(typeattribute fwk_stats_hwservice_30_0)
-(typeattribute fwmarkd_socket_30_0)
-(typeattribute gatekeeper_data_file_30_0)
-(typeattribute gatekeeper_service_30_0)
-(typeattribute gatekeeperd_30_0)
-(typeattribute gatekeeperd_exec_30_0)
-(typeattribute gfxinfo_service_30_0)
-(typeattribute gmscore_app_30_0)
-(typeattribute gps_control_30_0)
-(typeattribute gpu_device_30_0)
-(typeattribute gpu_service_30_0)
-(typeattribute gpuservice_30_0)
-(typeattribute graphics_config_prop_30_0)
-(typeattribute graphics_device_30_0)
-(typeattribute graphicsstats_service_30_0)
-(typeattribute gsi_data_file_30_0)
-(typeattribute gsi_metadata_file_30_0)
-(typeattribute gsid_prop_30_0)
-(typeattribute hal_allocator)
-(typeattribute hal_allocator_client)
-(typeattribute hal_allocator_server)
-(typeattribute hal_atrace)
-(typeattribute hal_atrace_client)
-(typeattribute hal_atrace_hwservice_30_0)
-(typeattribute hal_atrace_server)
-(typeattribute hal_audio)
-(typeattribute hal_audio_client)
-(typeattribute hal_audio_hwservice_30_0)
-(typeattribute hal_audio_server)
-(typeattribute hal_audiocontrol)
-(typeattribute hal_audiocontrol_client)
-(typeattribute hal_audiocontrol_hwservice_30_0)
-(typeattribute hal_audiocontrol_server)
-(typeattribute hal_authsecret)
-(typeattribute hal_authsecret_client)
-(typeattribute hal_authsecret_hwservice_30_0)
-(typeattribute hal_authsecret_server)
-(typeattribute hal_automotive_socket_exemption)
-(typeattribute hal_bluetooth)
-(typeattribute hal_bluetooth_client)
-(typeattribute hal_bluetooth_hwservice_30_0)
-(typeattribute hal_bluetooth_server)
-(typeattribute hal_bootctl)
-(typeattribute hal_bootctl_client)
-(typeattribute hal_bootctl_hwservice_30_0)
-(typeattribute hal_bootctl_server)
-(typeattribute hal_broadcastradio)
-(typeattribute hal_broadcastradio_client)
-(typeattribute hal_broadcastradio_hwservice_30_0)
-(typeattribute hal_broadcastradio_server)
-(typeattribute hal_bufferhub)
-(typeattribute hal_bufferhub_client)
-(typeattribute hal_bufferhub_server)
-(typeattribute hal_camera)
-(typeattribute hal_camera_client)
-(typeattribute hal_camera_hwservice_30_0)
-(typeattribute hal_camera_server)
-(typeattribute hal_can_bus)
-(typeattribute hal_can_bus_client)
-(typeattribute hal_can_bus_hwservice_30_0)
-(typeattribute hal_can_bus_server)
-(typeattribute hal_can_controller)
-(typeattribute hal_can_controller_client)
-(typeattribute hal_can_controller_hwservice_30_0)
-(typeattribute hal_can_controller_server)
-(typeattribute hal_cas)
-(typeattribute hal_cas_client)
-(typeattribute hal_cas_hwservice_30_0)
-(typeattribute hal_cas_server)
-(typeattribute hal_codec2)
-(typeattribute hal_codec2_client)
-(typeattribute hal_codec2_hwservice_30_0)
-(typeattribute hal_codec2_server)
-(typeattribute hal_configstore)
-(typeattribute hal_configstore_ISurfaceFlingerConfigs_30_0)
-(typeattribute hal_configstore_client)
-(typeattribute hal_configstore_server)
-(typeattribute hal_confirmationui)
-(typeattribute hal_confirmationui_client)
-(typeattribute hal_confirmationui_hwservice_30_0)
-(typeattribute hal_confirmationui_server)
-(typeattribute hal_contexthub)
-(typeattribute hal_contexthub_client)
-(typeattribute hal_contexthub_hwservice_30_0)
-(typeattribute hal_contexthub_server)
-(typeattribute hal_drm)
-(typeattribute hal_drm_client)
-(typeattribute hal_drm_hwservice_30_0)
-(typeattribute hal_drm_server)
-(typeattribute hal_dumpstate)
-(typeattribute hal_dumpstate_client)
-(typeattribute hal_dumpstate_hwservice_30_0)
-(typeattribute hal_dumpstate_server)
-(typeattribute hal_evs)
-(typeattribute hal_evs_client)
-(typeattribute hal_evs_hwservice_30_0)
-(typeattribute hal_evs_server)
-(typeattribute hal_face)
-(typeattribute hal_face_client)
-(typeattribute hal_face_hwservice_30_0)
-(typeattribute hal_face_server)
-(typeattribute hal_fingerprint)
-(typeattribute hal_fingerprint_client)
-(typeattribute hal_fingerprint_hwservice_30_0)
-(typeattribute hal_fingerprint_server)
-(typeattribute hal_fingerprint_service_30_0)
-(typeattribute hal_gatekeeper)
-(typeattribute hal_gatekeeper_client)
-(typeattribute hal_gatekeeper_hwservice_30_0)
-(typeattribute hal_gatekeeper_server)
-(typeattribute hal_gnss)
-(typeattribute hal_gnss_client)
-(typeattribute hal_gnss_hwservice_30_0)
-(typeattribute hal_gnss_server)
-(typeattribute hal_graphics_allocator)
-(typeattribute hal_graphics_allocator_client)
-(typeattribute hal_graphics_allocator_hwservice_30_0)
-(typeattribute hal_graphics_allocator_server)
-(typeattribute hal_graphics_composer)
-(typeattribute hal_graphics_composer_client)
-(typeattribute hal_graphics_composer_client_tmpfs)
-(typeattribute hal_graphics_composer_hwservice_30_0)
-(typeattribute hal_graphics_composer_server)
-(typeattribute hal_graphics_composer_server_tmpfs_30_0)
-(typeattribute hal_graphics_mapper_hwservice_30_0)
-(typeattribute hal_health)
-(typeattribute hal_health_client)
-(typeattribute hal_health_hwservice_30_0)
-(typeattribute hal_health_server)
-(typeattribute hal_health_storage)
-(typeattribute hal_health_storage_client)
-(typeattribute hal_health_storage_hwservice_30_0)
-(typeattribute hal_health_storage_server)
-(typeattribute hal_identity)
-(typeattribute hal_identity_client)
-(typeattribute hal_identity_server)
-(typeattribute hal_identity_service_30_0)
-(typeattribute hal_input_classifier)
-(typeattribute hal_input_classifier_client)
-(typeattribute hal_input_classifier_hwservice_30_0)
-(typeattribute hal_input_classifier_server)
-(typeattribute hal_ir)
-(typeattribute hal_ir_client)
-(typeattribute hal_ir_hwservice_30_0)
-(typeattribute hal_ir_server)
-(typeattribute hal_keymaster)
-(typeattribute hal_keymaster_client)
-(typeattribute hal_keymaster_hwservice_30_0)
-(typeattribute hal_keymaster_server)
-(typeattribute hal_light)
-(typeattribute hal_light_client)
-(typeattribute hal_light_hwservice_30_0)
-(typeattribute hal_light_server)
-(typeattribute hal_light_service_30_0)
-(typeattribute hal_lowpan)
-(typeattribute hal_lowpan_client)
-(typeattribute hal_lowpan_hwservice_30_0)
-(typeattribute hal_lowpan_server)
-(typeattribute hal_memtrack)
-(typeattribute hal_memtrack_client)
-(typeattribute hal_memtrack_hwservice_30_0)
-(typeattribute hal_memtrack_server)
-(typeattribute hal_neuralnetworks)
-(typeattribute hal_neuralnetworks_client)
-(typeattribute hal_neuralnetworks_hwservice_30_0)
-(typeattribute hal_neuralnetworks_server)
-(typeattribute hal_nfc)
-(typeattribute hal_nfc_client)
-(typeattribute hal_nfc_hwservice_30_0)
-(typeattribute hal_nfc_server)
-(typeattribute hal_oemlock)
-(typeattribute hal_oemlock_client)
-(typeattribute hal_oemlock_hwservice_30_0)
-(typeattribute hal_oemlock_server)
-(typeattribute hal_omx)
-(typeattribute hal_omx_client)
-(typeattribute hal_omx_hwservice_30_0)
-(typeattribute hal_omx_server)
-(typeattribute hal_power)
-(typeattribute hal_power_client)
-(typeattribute hal_power_hwservice_30_0)
-(typeattribute hal_power_server)
-(typeattribute hal_power_service_30_0)
-(typeattribute hal_power_stats)
-(typeattribute hal_power_stats_client)
-(typeattribute hal_power_stats_hwservice_30_0)
-(typeattribute hal_power_stats_server)
-(typeattribute hal_rebootescrow)
-(typeattribute hal_rebootescrow_client)
-(typeattribute hal_rebootescrow_server)
-(typeattribute hal_rebootescrow_service_30_0)
-(typeattribute hal_renderscript_hwservice_30_0)
-(typeattribute hal_secure_element)
-(typeattribute hal_secure_element_client)
-(typeattribute hal_secure_element_hwservice_30_0)
-(typeattribute hal_secure_element_server)
-(typeattribute hal_sensors)
-(typeattribute hal_sensors_client)
-(typeattribute hal_sensors_hwservice_30_0)
-(typeattribute hal_sensors_server)
-(typeattribute hal_telephony)
-(typeattribute hal_telephony_client)
-(typeattribute hal_telephony_hwservice_30_0)
-(typeattribute hal_telephony_server)
-(typeattribute hal_tetheroffload)
-(typeattribute hal_tetheroffload_client)
-(typeattribute hal_tetheroffload_hwservice_30_0)
-(typeattribute hal_tetheroffload_server)
-(typeattribute hal_thermal)
-(typeattribute hal_thermal_client)
-(typeattribute hal_thermal_hwservice_30_0)
-(typeattribute hal_thermal_server)
-(typeattribute hal_tv_cec)
-(typeattribute hal_tv_cec_client)
-(typeattribute hal_tv_cec_hwservice_30_0)
-(typeattribute hal_tv_cec_server)
-(typeattribute hal_tv_input)
-(typeattribute hal_tv_input_client)
-(typeattribute hal_tv_input_hwservice_30_0)
-(typeattribute hal_tv_input_server)
-(typeattribute hal_tv_tuner)
-(typeattribute hal_tv_tuner_client)
-(typeattribute hal_tv_tuner_hwservice_30_0)
-(typeattribute hal_tv_tuner_server)
-(typeattribute hal_usb)
-(typeattribute hal_usb_client)
-(typeattribute hal_usb_gadget)
-(typeattribute hal_usb_gadget_client)
-(typeattribute hal_usb_gadget_hwservice_30_0)
-(typeattribute hal_usb_gadget_server)
-(typeattribute hal_usb_hwservice_30_0)
-(typeattribute hal_usb_server)
-(typeattribute hal_vehicle)
-(typeattribute hal_vehicle_client)
-(typeattribute hal_vehicle_hwservice_30_0)
-(typeattribute hal_vehicle_server)
-(typeattribute hal_vibrator)
-(typeattribute hal_vibrator_client)
-(typeattribute hal_vibrator_hwservice_30_0)
-(typeattribute hal_vibrator_server)
-(typeattribute hal_vibrator_service_30_0)
-(typeattribute hal_vr)
-(typeattribute hal_vr_client)
-(typeattribute hal_vr_hwservice_30_0)
-(typeattribute hal_vr_server)
-(typeattribute hal_weaver)
-(typeattribute hal_weaver_client)
-(typeattribute hal_weaver_hwservice_30_0)
-(typeattribute hal_weaver_server)
-(typeattribute hal_wifi)
-(typeattribute hal_wifi_client)
-(typeattribute hal_wifi_hostapd)
-(typeattribute hal_wifi_hostapd_client)
-(typeattribute hal_wifi_hostapd_hwservice_30_0)
-(typeattribute hal_wifi_hostapd_server)
-(typeattribute hal_wifi_hwservice_30_0)
-(typeattribute hal_wifi_server)
-(typeattribute hal_wifi_supplicant)
-(typeattribute hal_wifi_supplicant_client)
-(typeattribute hal_wifi_supplicant_hwservice_30_0)
-(typeattribute hal_wifi_supplicant_server)
-(typeattribute halclientdomain)
-(typeattribute halserverdomain)
-(typeattribute hardware_properties_service_30_0)
-(typeattribute hardware_service_30_0)
-(typeattribute hci_attach_dev_30_0)
-(typeattribute hdmi_control_service_30_0)
-(typeattribute healthd_30_0)
-(typeattribute healthd_exec_30_0)
-(typeattribute heapdump_data_file_30_0)
-(typeattribute heapprofd_30_0)
-(typeattribute heapprofd_enabled_prop_30_0)
-(typeattribute heapprofd_prop_30_0)
-(typeattribute heapprofd_socket_30_0)
-(typeattribute hidl_allocator_hwservice_30_0)
-(typeattribute hidl_base_hwservice_30_0)
-(typeattribute hidl_manager_hwservice_30_0)
-(typeattribute hidl_memory_hwservice_30_0)
-(typeattribute hidl_token_hwservice_30_0)
-(typeattribute hw_random_device_30_0)
-(typeattribute hwbinder_device_30_0)
-(typeattribute hwservice_contexts_file_30_0)
-(typeattribute hwservice_manager_type)
-(typeattribute hwservicemanager_30_0)
-(typeattribute hwservicemanager_exec_30_0)
-(typeattribute hwservicemanager_prop_30_0)
-(typeattribute icon_file_30_0)
-(typeattribute idmap_30_0)
-(typeattribute idmap_exec_30_0)
-(typeattribute idmap_service_30_0)
-(typeattribute iio_device_30_0)
-(typeattribute imms_service_30_0)
-(typeattribute incident_30_0)
-(typeattribute incident_data_file_30_0)
-(typeattribute incident_helper_30_0)
-(typeattribute incident_service_30_0)
-(typeattribute incidentd_30_0)
-(typeattribute incremental_control_file_30_0)
-(typeattribute incremental_prop_30_0)
-(typeattribute incremental_service_30_0)
-(typeattribute init_30_0)
-(typeattribute init_exec_30_0)
-(typeattribute init_perf_lsm_hooks_prop_30_0)
-(typeattribute init_svc_debug_prop_30_0)
-(typeattribute init_tmpfs_30_0)
-(typeattribute inotify_30_0)
-(typeattribute input_device_30_0)
-(typeattribute input_method_service_30_0)
-(typeattribute input_service_30_0)
-(typeattribute inputflinger_30_0)
-(typeattribute inputflinger_exec_30_0)
-(typeattribute inputflinger_service_30_0)
-(typeattribute install_data_file_30_0)
-(typeattribute installd_30_0)
-(typeattribute installd_exec_30_0)
-(typeattribute installd_service_30_0)
-(typeattribute ion_device_30_0)
-(typeattribute iorap_inode2filename_30_0)
-(typeattribute iorap_inode2filename_exec_30_0)
-(typeattribute iorap_inode2filename_tmpfs_30_0)
-(typeattribute iorap_prefetcherd_30_0)
-(typeattribute iorap_prefetcherd_exec_30_0)
-(typeattribute iorap_prefetcherd_tmpfs_30_0)
-(typeattribute iorapd_30_0)
-(typeattribute iorapd_data_file_30_0)
-(typeattribute iorapd_exec_30_0)
-(typeattribute iorapd_service_30_0)
-(typeattribute iorapd_tmpfs_30_0)
-(typeattribute ipsec_service_30_0)
-(typeattribute iris_service_30_0)
-(typeattribute iris_vendor_data_file_30_0)
-(typeattribute isolated_app_30_0)
-(typeattribute jobscheduler_service_30_0)
-(typeattribute kernel_30_0)
-(typeattribute keychain_data_file_30_0)
-(typeattribute keychord_device_30_0)
-(typeattribute keystore_30_0)
-(typeattribute keystore_data_file_30_0)
-(typeattribute keystore_exec_30_0)
-(typeattribute keystore_service_30_0)
-(typeattribute kmsg_debug_device_30_0)
-(typeattribute kmsg_device_30_0)
-(typeattribute labeledfs_30_0)
-(typeattribute last_boot_reason_prop_30_0)
-(typeattribute launcherapps_service_30_0)
-(typeattribute light_service_30_0)
-(typeattribute linkerconfig_file_30_0)
-(typeattribute llkd_30_0)
-(typeattribute llkd_exec_30_0)
-(typeattribute llkd_prop_30_0)
-(typeattribute lmkd_30_0)
-(typeattribute lmkd_exec_30_0)
-(typeattribute lmkd_prop_30_0)
-(typeattribute lmkd_socket_30_0)
-(typeattribute location_service_30_0)
-(typeattribute lock_settings_service_30_0)
-(typeattribute log_prop_30_0)
-(typeattribute log_property_type)
-(typeattribute log_tag_prop_30_0)
-(typeattribute logcat_exec_30_0)
-(typeattribute logd_30_0)
-(typeattribute logd_exec_30_0)
-(typeattribute logd_prop_30_0)
-(typeattribute logd_socket_30_0)
-(typeattribute logdr_socket_30_0)
-(typeattribute logdw_socket_30_0)
-(typeattribute logpersist_30_0)
-(typeattribute logpersistd_logging_prop_30_0)
-(typeattribute loop_control_device_30_0)
-(typeattribute loop_device_30_0)
-(typeattribute looper_stats_service_30_0)
-(typeattribute lowpan_device_30_0)
-(typeattribute lowpan_prop_30_0)
-(typeattribute lowpan_service_30_0)
-(typeattribute lpdump_service_30_0)
-(typeattribute lpdumpd_prop_30_0)
-(typeattribute mac_perms_file_30_0)
-(typeattribute mdns_socket_30_0)
-(typeattribute mdnsd_30_0)
-(typeattribute mdnsd_socket_30_0)
-(typeattribute media_data_file_30_0)
-(typeattribute media_projection_service_30_0)
-(typeattribute media_router_service_30_0)
-(typeattribute media_rw_data_file_30_0)
-(typeattribute media_session_service_30_0)
-(typeattribute media_variant_prop_30_0)
-(typeattribute mediadrmserver_30_0)
-(typeattribute mediadrmserver_exec_30_0)
-(typeattribute mediadrmserver_service_30_0)
-(typeattribute mediaextractor_30_0)
-(typeattribute mediaextractor_exec_30_0)
-(typeattribute mediaextractor_service_30_0)
-(typeattribute mediaextractor_tmpfs_30_0)
-(typeattribute mediametrics_30_0)
-(typeattribute mediametrics_exec_30_0)
-(typeattribute mediametrics_service_30_0)
-(typeattribute mediaprovider_30_0)
-(typeattribute mediaserver_30_0)
-(typeattribute mediaserver_exec_30_0)
-(typeattribute mediaserver_service_30_0)
-(typeattribute mediaserver_tmpfs_30_0)
-(typeattribute mediaswcodec_30_0)
-(typeattribute mediaswcodec_exec_30_0)
-(typeattribute mediatranscoding_30_0)
-(typeattribute mediatranscoding_exec_30_0)
-(typeattribute mediatranscoding_service_30_0)
-(typeattribute meminfo_service_30_0)
-(typeattribute metadata_block_device_30_0)
-(typeattribute metadata_bootstat_file_30_0)
-(typeattribute metadata_file_30_0)
-(typeattribute method_trace_data_file_30_0)
-(typeattribute midi_service_30_0)
-(typeattribute mirror_data_file_30_0)
-(typeattribute misc_block_device_30_0)
-(typeattribute misc_logd_file_30_0)
-(typeattribute misc_user_data_file_30_0)
-(typeattribute mlstrustedobject)
-(typeattribute mlstrustedsubject)
-(typeattribute mmc_prop_30_0)
-(typeattribute mnt_expand_file_30_0)
-(typeattribute mnt_media_rw_file_30_0)
-(typeattribute mnt_media_rw_stub_file_30_0)
-(typeattribute mnt_pass_through_file_30_0)
-(typeattribute mnt_product_file_30_0)
-(typeattribute mnt_sdcard_file_30_0)
-(typeattribute mnt_user_file_30_0)
-(typeattribute mnt_vendor_file_30_0)
-(typeattribute mock_ota_prop_30_0)
-(typeattribute modprobe_30_0)
-(typeattribute module_sdkextensions_prop_30_0)
-(typeattribute mount_service_30_0)
-(typeattribute mqueue_30_0)
-(typeattribute mtp_30_0)
-(typeattribute mtp_device_30_0)
-(typeattribute mtp_exec_30_0)
-(typeattribute mtpd_socket_30_0)
-(typeattribute nativetest_data_file_30_0)
-(typeattribute net_data_file_30_0)
-(typeattribute net_dns_prop_30_0)
-(typeattribute net_radio_prop_30_0)
-(typeattribute netd_30_0)
-(typeattribute netd_exec_30_0)
-(typeattribute netd_listener_service_30_0)
-(typeattribute netd_service_30_0)
-(typeattribute netd_stable_secret_prop_30_0)
-(typeattribute netdomain)
-(typeattribute netif_30_0)
-(typeattribute netif_type)
-(typeattribute netpolicy_service_30_0)
-(typeattribute netstats_service_30_0)
-(typeattribute netutils_wrapper_30_0)
-(typeattribute netutils_wrapper_exec_30_0)
-(typeattribute network_management_service_30_0)
-(typeattribute network_score_service_30_0)
-(typeattribute network_stack_30_0)
-(typeattribute network_stack_service_30_0)
-(typeattribute network_time_update_service_30_0)
-(typeattribute network_watchlist_data_file_30_0)
-(typeattribute network_watchlist_service_30_0)
-(typeattribute nfc_30_0)
-(typeattribute nfc_data_file_30_0)
-(typeattribute nfc_device_30_0)
-(typeattribute nfc_prop_30_0)
-(typeattribute nfc_service_30_0)
-(typeattribute nnapi_ext_deny_product_prop_30_0)
-(typeattribute node_30_0)
-(typeattribute node_type)
-(typeattribute nonplat_service_contexts_file_30_0)
-(typeattribute notification_service_30_0)
-(typeattribute null_device_30_0)
-(typeattribute oem_lock_service_30_0)
-(typeattribute oemfs_30_0)
-(typeattribute ota_data_file_30_0)
-(typeattribute ota_metadata_file_30_0)
-(typeattribute ota_package_file_30_0)
-(typeattribute ota_prop_30_0)
-(typeattribute otadexopt_service_30_0)
-(typeattribute overlay_prop_30_0)
-(typeattribute overlay_service_30_0)
-(typeattribute overlayfs_file_30_0)
-(typeattribute owntty_device_30_0)
-(typeattribute package_native_service_30_0)
-(typeattribute package_service_30_0)
-(typeattribute packages_list_file_30_0)
-(typeattribute pan_result_prop_30_0)
-(typeattribute password_slot_metadata_file_30_0)
-(typeattribute pdx_bufferhub_client_channel_socket_30_0)
-(typeattribute pdx_bufferhub_client_channel_socket_type)
-(typeattribute pdx_bufferhub_client_endpoint_dir_type)
-(typeattribute pdx_bufferhub_client_endpoint_socket_30_0)
-(typeattribute pdx_bufferhub_client_endpoint_socket_type)
-(typeattribute pdx_bufferhub_client_server_type)
-(typeattribute pdx_bufferhub_dir_30_0)
-(typeattribute pdx_channel_socket_type)
-(typeattribute pdx_display_client_channel_socket_30_0)
-(typeattribute pdx_display_client_channel_socket_type)
-(typeattribute pdx_display_client_endpoint_dir_type)
-(typeattribute pdx_display_client_endpoint_socket_30_0)
-(typeattribute pdx_display_client_endpoint_socket_type)
-(typeattribute pdx_display_client_server_type)
-(typeattribute pdx_display_dir_30_0)
-(typeattribute pdx_display_manager_channel_socket_30_0)
-(typeattribute pdx_display_manager_channel_socket_type)
-(typeattribute pdx_display_manager_endpoint_dir_type)
-(typeattribute pdx_display_manager_endpoint_socket_30_0)
-(typeattribute pdx_display_manager_endpoint_socket_type)
-(typeattribute pdx_display_manager_server_type)
-(typeattribute pdx_display_screenshot_channel_socket_30_0)
-(typeattribute pdx_display_screenshot_channel_socket_type)
-(typeattribute pdx_display_screenshot_endpoint_dir_type)
-(typeattribute pdx_display_screenshot_endpoint_socket_30_0)
-(typeattribute pdx_display_screenshot_endpoint_socket_type)
-(typeattribute pdx_display_screenshot_server_type)
-(typeattribute pdx_display_vsync_channel_socket_30_0)
-(typeattribute pdx_display_vsync_channel_socket_type)
-(typeattribute pdx_display_vsync_endpoint_dir_type)
-(typeattribute pdx_display_vsync_endpoint_socket_30_0)
-(typeattribute pdx_display_vsync_endpoint_socket_type)
-(typeattribute pdx_display_vsync_server_type)
-(typeattribute pdx_endpoint_dir_type)
-(typeattribute pdx_endpoint_socket_type)
-(typeattribute pdx_performance_client_channel_socket_30_0)
-(typeattribute pdx_performance_client_channel_socket_type)
-(typeattribute pdx_performance_client_endpoint_dir_type)
-(typeattribute pdx_performance_client_endpoint_socket_30_0)
-(typeattribute pdx_performance_client_endpoint_socket_type)
-(typeattribute pdx_performance_client_server_type)
-(typeattribute pdx_performance_dir_30_0)
-(typeattribute perfetto_30_0)
-(typeattribute performanced_30_0)
-(typeattribute performanced_exec_30_0)
-(typeattribute permission_service_30_0)
-(typeattribute permissionmgr_service_30_0)
-(typeattribute persist_debug_prop_30_0)
-(typeattribute persistent_data_block_service_30_0)
-(typeattribute persistent_properties_ready_prop_30_0)
-(typeattribute pinner_service_30_0)
-(typeattribute pipefs_30_0)
-(typeattribute platform_app_30_0)
-(typeattribute platform_compat_service_30_0)
-(typeattribute pm_prop_30_0)
-(typeattribute pmsg_device_30_0)
-(typeattribute port_30_0)
-(typeattribute port_device_30_0)
-(typeattribute port_type)
-(typeattribute postinstall_30_0)
-(typeattribute postinstall_apex_mnt_dir_30_0)
-(typeattribute postinstall_file_30_0)
-(typeattribute postinstall_mnt_dir_30_0)
-(typeattribute power_service_30_0)
-(typeattribute powerctl_prop_30_0)
-(typeattribute ppp_30_0)
-(typeattribute ppp_device_30_0)
-(typeattribute ppp_exec_30_0)
-(typeattribute preloads_data_file_30_0)
-(typeattribute preloads_media_file_30_0)
-(typeattribute prereboot_data_file_30_0)
-(typeattribute print_service_30_0)
-(typeattribute priv_app_30_0)
-(typeattribute privapp_data_file_30_0)
-(typeattribute proc_30_0)
-(typeattribute proc_abi_30_0)
-(typeattribute proc_asound_30_0)
-(typeattribute proc_bluetooth_writable_30_0)
-(typeattribute proc_buddyinfo_30_0)
-(typeattribute proc_cmdline_30_0)
-(typeattribute proc_cpuinfo_30_0)
-(typeattribute proc_dirty_30_0)
-(typeattribute proc_diskstats_30_0)
-(typeattribute proc_drop_caches_30_0)
-(typeattribute proc_extra_free_kbytes_30_0)
-(typeattribute proc_filesystems_30_0)
-(typeattribute proc_fs_verity_30_0)
-(typeattribute proc_hostname_30_0)
-(typeattribute proc_hung_task_30_0)
-(typeattribute proc_interrupts_30_0)
-(typeattribute proc_iomem_30_0)
-(typeattribute proc_keys_30_0)
-(typeattribute proc_kmsg_30_0)
-(typeattribute proc_kpageflags_30_0)
-(typeattribute proc_loadavg_30_0)
-(typeattribute proc_lowmemorykiller_30_0)
-(typeattribute proc_max_map_count_30_0)
-(typeattribute proc_meminfo_30_0)
-(typeattribute proc_min_free_order_shift_30_0)
-(typeattribute proc_misc_30_0)
-(typeattribute proc_modules_30_0)
-(typeattribute proc_mounts_30_0)
-(typeattribute proc_net_30_0)
-(typeattribute proc_net_tcp_udp_30_0)
-(typeattribute proc_net_type)
-(typeattribute proc_overcommit_memory_30_0)
-(typeattribute proc_page_cluster_30_0)
-(typeattribute proc_pagetypeinfo_30_0)
-(typeattribute proc_panic_30_0)
-(typeattribute proc_perf_30_0)
-(typeattribute proc_pid_max_30_0)
-(typeattribute proc_pipe_conf_30_0)
-(typeattribute proc_pressure_cpu_30_0)
-(typeattribute proc_pressure_io_30_0)
-(typeattribute proc_pressure_mem_30_0)
-(typeattribute proc_qtaguid_ctrl_30_0)
-(typeattribute proc_qtaguid_stat_30_0)
-(typeattribute proc_random_30_0)
-(typeattribute proc_sched_30_0)
-(typeattribute proc_security_30_0)
-(typeattribute proc_slabinfo_30_0)
-(typeattribute proc_stat_30_0)
-(typeattribute proc_swaps_30_0)
-(typeattribute proc_sysrq_30_0)
-(typeattribute proc_timer_30_0)
-(typeattribute proc_tty_drivers_30_0)
-(typeattribute proc_type)
-(typeattribute proc_uid_concurrent_active_time_30_0)
-(typeattribute proc_uid_concurrent_policy_time_30_0)
-(typeattribute proc_uid_cpupower_30_0)
-(typeattribute proc_uid_cputime_removeuid_30_0)
-(typeattribute proc_uid_cputime_showstat_30_0)
-(typeattribute proc_uid_io_stats_30_0)
-(typeattribute proc_uid_procstat_set_30_0)
-(typeattribute proc_uid_time_in_state_30_0)
-(typeattribute proc_uptime_30_0)
-(typeattribute proc_version_30_0)
-(typeattribute proc_vmallocinfo_30_0)
-(typeattribute proc_vmstat_30_0)
-(typeattribute proc_zoneinfo_30_0)
-(typeattribute processinfo_service_30_0)
-(typeattribute procstats_service_30_0)
-(typeattribute profman_30_0)
-(typeattribute profman_dump_data_file_30_0)
-(typeattribute profman_exec_30_0)
-(typeattribute properties_device_30_0)
-(typeattribute properties_serial_30_0)
-(typeattribute property_contexts_file_30_0)
-(typeattribute property_data_file_30_0)
-(typeattribute property_info_30_0)
-(typeattribute property_socket_30_0)
-(typeattribute property_type)
-(typeattribute protected_hwservice)
-(typeattribute pstorefs_30_0)
-(typeattribute ptmx_device_30_0)
-(typeattribute qtaguid_device_30_0)
-(typeattribute racoon_30_0)
-(typeattribute racoon_exec_30_0)
-(typeattribute racoon_socket_30_0)
-(typeattribute radio_30_0)
-(typeattribute radio_data_file_30_0)
-(typeattribute radio_device_30_0)
-(typeattribute radio_prop_30_0)
-(typeattribute radio_service_30_0)
-(typeattribute ram_device_30_0)
-(typeattribute random_device_30_0)
-(typeattribute rebootescrow_hal_prop_30_0)
-(typeattribute recovery_30_0)
-(typeattribute recovery_block_device_30_0)
-(typeattribute recovery_data_file_30_0)
-(typeattribute recovery_persist_30_0)
-(typeattribute recovery_persist_exec_30_0)
-(typeattribute recovery_refresh_30_0)
-(typeattribute recovery_refresh_exec_30_0)
-(typeattribute recovery_service_30_0)
-(typeattribute recovery_socket_30_0)
-(typeattribute registry_service_30_0)
-(typeattribute resourcecache_data_file_30_0)
-(typeattribute restorecon_prop_30_0)
-(typeattribute restrictions_service_30_0)
-(typeattribute rild_debug_socket_30_0)
-(typeattribute rild_socket_30_0)
-(typeattribute ringtone_file_30_0)
-(typeattribute role_service_30_0)
-(typeattribute rollback_service_30_0)
-(typeattribute root_block_device_30_0)
-(typeattribute rootfs_30_0)
-(typeattribute rpmsg_device_30_0)
-(typeattribute rs_30_0)
-(typeattribute rs_exec_30_0)
-(typeattribute rss_hwm_reset_30_0)
-(typeattribute rtc_device_30_0)
-(typeattribute rttmanager_service_30_0)
-(typeattribute runas_30_0)
-(typeattribute runas_app_30_0)
-(typeattribute runas_exec_30_0)
-(typeattribute runtime_event_log_tags_file_30_0)
-(typeattribute runtime_service_30_0)
-(typeattribute safemode_prop_30_0)
-(typeattribute same_process_hal_file_30_0)
-(typeattribute same_process_hwservice)
-(typeattribute samplingprofiler_service_30_0)
-(typeattribute scheduler_service_server)
-(typeattribute scheduling_policy_service_30_0)
-(typeattribute sdcard_block_device_30_0)
-(typeattribute sdcard_type)
-(typeattribute sdcardd_30_0)
-(typeattribute sdcardd_exec_30_0)
-(typeattribute sdcardfs_30_0)
-(typeattribute seapp_contexts_file_30_0)
-(typeattribute search_service_30_0)
-(typeattribute sec_key_att_app_id_provider_service_30_0)
-(typeattribute secure_element_30_0)
-(typeattribute secure_element_device_30_0)
-(typeattribute secure_element_service_30_0)
-(typeattribute securityfs_30_0)
-(typeattribute selinuxfs_30_0)
-(typeattribute sensor_privacy_service_30_0)
-(typeattribute sensor_service_server)
-(typeattribute sensors_device_30_0)
-(typeattribute sensorservice_service_30_0)
-(typeattribute sepolicy_file_30_0)
-(typeattribute serial_device_30_0)
-(typeattribute serial_service_30_0)
-(typeattribute serialno_prop_30_0)
-(typeattribute server_configurable_flags_data_file_30_0)
-(typeattribute service_contexts_file_30_0)
-(typeattribute service_manager_service_30_0)
-(typeattribute service_manager_type)
-(typeattribute service_manager_vndservice_30_0)
-(typeattribute servicediscovery_service_30_0)
-(typeattribute servicemanager_30_0)
-(typeattribute servicemanager_exec_30_0)
-(typeattribute settings_service_30_0)
-(typeattribute sgdisk_30_0)
-(typeattribute sgdisk_exec_30_0)
-(typeattribute shared_relro_30_0)
-(typeattribute shared_relro_file_30_0)
-(typeattribute shell_30_0)
-(typeattribute shell_data_file_30_0)
-(typeattribute shell_exec_30_0)
-(typeattribute shell_prop_30_0)
-(typeattribute shm_30_0)
-(typeattribute shortcut_manager_icons_30_0)
-(typeattribute shortcut_service_30_0)
-(typeattribute simpleperf_30_0)
-(typeattribute simpleperf_app_runner_30_0)
-(typeattribute simpleperf_app_runner_exec_30_0)
-(typeattribute slice_service_30_0)
-(typeattribute slideshow_30_0)
-(typeattribute snapshotctl_log_data_file_30_0)
-(typeattribute socket_between_core_and_vendor_violators)
-(typeattribute socket_device_30_0)
-(typeattribute socket_hook_prop_30_0)
-(typeattribute sockfs_30_0)
-(typeattribute sota_prop_30_0)
-(typeattribute soundtrigger_middleware_service_30_0)
-(typeattribute staged_install_file_30_0)
-(typeattribute staging_data_file_30_0)
-(typeattribute stats_data_file_30_0)
-(typeattribute stats_service_server)
-(typeattribute statsd_30_0)
-(typeattribute statsd_exec_30_0)
-(typeattribute statsdw_socket_30_0)
-(typeattribute statusbar_service_30_0)
-(typeattribute storage_config_prop_30_0)
-(typeattribute storage_file_30_0)
-(typeattribute storage_stub_file_30_0)
-(typeattribute storaged_service_30_0)
-(typeattribute storagestats_service_30_0)
-(typeattribute su_30_0)
-(typeattribute su_exec_30_0)
-(typeattribute super_block_device_30_0)
-(typeattribute super_block_device_type)
-(typeattribute surfaceflinger_30_0)
-(typeattribute surfaceflinger_display_prop_30_0)
-(typeattribute surfaceflinger_service_30_0)
-(typeattribute surfaceflinger_tmpfs_30_0)
-(typeattribute swap_block_device_30_0)
-(typeattribute sysfs_30_0)
-(typeattribute sysfs_android_usb_30_0)
-(typeattribute sysfs_batteryinfo_30_0)
-(typeattribute sysfs_bluetooth_writable_30_0)
-(typeattribute sysfs_devices_block_30_0)
-(typeattribute sysfs_devices_system_cpu_30_0)
-(typeattribute sysfs_dm_30_0)
-(typeattribute sysfs_dm_verity_30_0)
-(typeattribute sysfs_dt_firmware_android_30_0)
-(typeattribute sysfs_extcon_30_0)
-(typeattribute sysfs_fs_ext4_features_30_0)
-(typeattribute sysfs_fs_f2fs_30_0)
-(typeattribute sysfs_hwrandom_30_0)
-(typeattribute sysfs_ion_30_0)
-(typeattribute sysfs_ipv4_30_0)
-(typeattribute sysfs_kernel_notes_30_0)
-(typeattribute sysfs_leds_30_0)
-(typeattribute sysfs_loop_30_0)
-(typeattribute sysfs_lowmemorykiller_30_0)
-(typeattribute sysfs_net_30_0)
-(typeattribute sysfs_nfc_power_writable_30_0)
-(typeattribute sysfs_power_30_0)
-(typeattribute sysfs_rtc_30_0)
-(typeattribute sysfs_suspend_stats_30_0)
-(typeattribute sysfs_switch_30_0)
-(typeattribute sysfs_thermal_30_0)
-(typeattribute sysfs_transparent_hugepage_30_0)
-(typeattribute sysfs_type)
-(typeattribute sysfs_uio_30_0)
-(typeattribute sysfs_usb_30_0)
-(typeattribute sysfs_usermodehelper_30_0)
-(typeattribute sysfs_vibrator_30_0)
-(typeattribute sysfs_wake_lock_30_0)
-(typeattribute sysfs_wakeup_30_0)
-(typeattribute sysfs_wakeup_reasons_30_0)
-(typeattribute sysfs_wlan_fwpath_30_0)
-(typeattribute sysfs_zram_30_0)
-(typeattribute sysfs_zram_uevent_30_0)
-(typeattribute system_adbd_prop_30_0)
-(typeattribute system_api_service)
-(typeattribute system_app_30_0)
-(typeattribute system_app_data_file_30_0)
-(typeattribute system_app_service_30_0)
-(typeattribute system_asan_options_file_30_0)
-(typeattribute system_block_device_30_0)
-(typeattribute system_boot_reason_prop_30_0)
-(typeattribute system_bootstrap_lib_file_30_0)
-(typeattribute system_config_service_30_0)
-(typeattribute system_data_file_30_0)
-(typeattribute system_data_root_file_30_0)
-(typeattribute system_event_log_tags_file_30_0)
-(typeattribute system_executes_vendor_violators)
-(typeattribute system_file_30_0)
-(typeattribute system_file_type)
-(typeattribute system_group_file_30_0)
-(typeattribute system_internal_property_type)
-(typeattribute system_jvmti_agent_prop_30_0)
-(typeattribute system_lib_file_30_0)
-(typeattribute system_linker_config_file_30_0)
-(typeattribute system_linker_exec_30_0)
-(typeattribute system_lmk_prop_30_0)
-(typeattribute system_ndebug_socket_30_0)
-(typeattribute system_net_netd_hwservice_30_0)
-(typeattribute system_passwd_file_30_0)
-(typeattribute system_prop_30_0)
-(typeattribute system_property_type)
-(typeattribute system_public_property_type)
-(typeattribute system_radio_prop_30_0)
-(typeattribute system_restricted_property_type)
-(typeattribute system_seccomp_policy_file_30_0)
-(typeattribute system_security_cacerts_file_30_0)
-(typeattribute system_server_30_0)
-(typeattribute system_server_service)
-(typeattribute system_server_tmpfs_30_0)
-(typeattribute system_suspend_control_service_30_0)
-(typeattribute system_suspend_hwservice_30_0)
-(typeattribute system_suspend_server)
-(typeattribute system_trace_prop_30_0)
-(typeattribute system_unsolzygote_socket_30_0)
-(typeattribute system_update_service_30_0)
-(typeattribute system_wifi_keystore_hwservice_30_0)
-(typeattribute system_wpa_socket_30_0)
-(typeattribute system_writes_mnt_vendor_violators)
-(typeattribute system_writes_vendor_properties_violators)
-(typeattribute system_zoneinfo_file_30_0)
-(typeattribute systemkeys_data_file_30_0)
-(typeattribute task_profiles_file_30_0)
-(typeattribute task_service_30_0)
-(typeattribute tcpdump_exec_30_0)
-(typeattribute tee_30_0)
-(typeattribute tee_data_file_30_0)
-(typeattribute tee_device_30_0)
-(typeattribute telecom_service_30_0)
-(typeattribute test_boot_reason_prop_30_0)
-(typeattribute test_harness_prop_30_0)
-(typeattribute testharness_service_30_0)
-(typeattribute tethering_service_30_0)
-(typeattribute textclassification_service_30_0)
-(typeattribute textclassifier_data_file_30_0)
-(typeattribute textservices_service_30_0)
-(typeattribute theme_prop_30_0)
-(typeattribute thermal_service_30_0)
-(typeattribute thermalcallback_hwservice_30_0)
-(typeattribute time_prop_30_0)
-(typeattribute timedetector_service_30_0)
-(typeattribute timezone_service_30_0)
-(typeattribute timezonedetector_service_30_0)
-(typeattribute tmpfs_30_0)
-(typeattribute tombstone_data_file_30_0)
-(typeattribute tombstone_wifi_data_file_30_0)
-(typeattribute tombstoned_30_0)
-(typeattribute tombstoned_crash_socket_30_0)
-(typeattribute tombstoned_exec_30_0)
-(typeattribute tombstoned_intercept_socket_30_0)
-(typeattribute tombstoned_java_trace_socket_30_0)
-(typeattribute toolbox_30_0)
-(typeattribute toolbox_exec_30_0)
-(typeattribute trace_data_file_30_0)
-(typeattribute traced_30_0)
-(typeattribute traced_consumer_socket_30_0)
-(typeattribute traced_enabled_prop_30_0)
-(typeattribute traced_lazy_prop_30_0)
-(typeattribute traced_perf_30_0)
-(typeattribute traced_perf_enabled_prop_30_0)
-(typeattribute traced_perf_socket_30_0)
-(typeattribute traced_probes_30_0)
-(typeattribute traced_producer_socket_30_0)
-(typeattribute traceur_app_30_0)
-(typeattribute trust_service_30_0)
-(typeattribute tty_device_30_0)
-(typeattribute tun_device_30_0)
-(typeattribute tv_input_service_30_0)
-(typeattribute tv_tuner_resource_mgr_service_30_0)
-(typeattribute tzdatacheck_30_0)
-(typeattribute tzdatacheck_exec_30_0)
-(typeattribute ueventd_30_0)
-(typeattribute ueventd_tmpfs_30_0)
-(typeattribute uhid_device_30_0)
-(typeattribute uimode_service_30_0)
-(typeattribute uio_device_30_0)
-(typeattribute uncrypt_30_0)
-(typeattribute uncrypt_exec_30_0)
-(typeattribute uncrypt_socket_30_0)
-(typeattribute unencrypted_data_file_30_0)
-(typeattribute unlabeled_30_0)
-(typeattribute untrusted_app_25_30_0)
-(typeattribute untrusted_app_27_30_0)
-(typeattribute untrusted_app_29_30_0)
-(typeattribute untrusted_app_30_0)
-(typeattribute untrusted_app_all)
-(typeattribute untrusted_app_visible_halserver_violators)
-(typeattribute untrusted_app_visible_hwservice_violators)
-(typeattribute update_engine_30_0)
-(typeattribute update_engine_common)
-(typeattribute update_engine_data_file_30_0)
-(typeattribute update_engine_exec_30_0)
-(typeattribute update_engine_log_data_file_30_0)
-(typeattribute update_engine_service_30_0)
-(typeattribute update_verifier_30_0)
-(typeattribute update_verifier_exec_30_0)
-(typeattribute updatelock_service_30_0)
-(typeattribute uri_grants_service_30_0)
-(typeattribute usagestats_service_30_0)
-(typeattribute usb_device_30_0)
-(typeattribute usb_serial_device_30_0)
-(typeattribute usb_service_30_0)
-(typeattribute usbaccessory_device_30_0)
-(typeattribute usbd_30_0)
-(typeattribute usbd_exec_30_0)
-(typeattribute usbfs_30_0)
-(typeattribute use_memfd_prop_30_0)
-(typeattribute user_profile_data_file_30_0)
-(typeattribute user_service_30_0)
-(typeattribute userdata_block_device_30_0)
-(typeattribute usermodehelper_30_0)
-(typeattribute userspace_reboot_config_prop_30_0)
-(typeattribute userspace_reboot_exported_prop_30_0)
-(typeattribute userspace_reboot_log_prop_30_0)
-(typeattribute userspace_reboot_test_prop_30_0)
-(typeattribute vdc_30_0)
-(typeattribute vdc_exec_30_0)
-(typeattribute vehicle_hal_prop_30_0)
-(typeattribute vendor_apex_file_30_0)
-(typeattribute vendor_app_file_30_0)
-(typeattribute vendor_cgroup_desc_file_30_0)
-(typeattribute vendor_configs_file_30_0)
-(typeattribute vendor_data_file_30_0)
-(typeattribute vendor_default_prop_30_0)
-(typeattribute vendor_executes_system_violators)
-(typeattribute vendor_file_30_0)
-(typeattribute vendor_file_type)
-(typeattribute vendor_framework_file_30_0)
-(typeattribute vendor_hal_file_30_0)
-(typeattribute vendor_idc_file_30_0)
-(typeattribute vendor_init_30_0)
-(typeattribute vendor_internal_property_type)
-(typeattribute vendor_keychars_file_30_0)
-(typeattribute vendor_keylayout_file_30_0)
-(typeattribute vendor_misc_writer_30_0)
-(typeattribute vendor_misc_writer_exec_30_0)
-(typeattribute vendor_overlay_file_30_0)
-(typeattribute vendor_property_type)
-(typeattribute vendor_public_lib_file_30_0)
-(typeattribute vendor_public_property_type)
-(typeattribute vendor_restricted_property_type)
-(typeattribute vendor_security_patch_level_prop_30_0)
-(typeattribute vendor_service)
-(typeattribute vendor_service_contexts_file_30_0)
-(typeattribute vendor_shell_30_0)
-(typeattribute vendor_shell_exec_30_0)
-(typeattribute vendor_socket_hook_prop_30_0)
-(typeattribute vendor_task_profiles_file_30_0)
-(typeattribute vendor_toolbox_exec_30_0)
-(typeattribute vfat_30_0)
-(typeattribute vibrator_service_30_0)
-(typeattribute video_device_30_0)
-(typeattribute virtual_ab_prop_30_0)
-(typeattribute virtual_touchpad_30_0)
-(typeattribute virtual_touchpad_exec_30_0)
-(typeattribute virtual_touchpad_service_30_0)
-(typeattribute vndbinder_device_30_0)
-(typeattribute vndk_prop_30_0)
-(typeattribute vndk_sp_file_30_0)
-(typeattribute vndservice_contexts_file_30_0)
-(typeattribute vndservice_manager_type)
-(typeattribute vndservicemanager_30_0)
-(typeattribute voiceinteraction_service_30_0)
-(typeattribute vold_30_0)
-(typeattribute vold_data_file_30_0)
-(typeattribute vold_device_30_0)
-(typeattribute vold_exec_30_0)
-(typeattribute vold_metadata_file_30_0)
-(typeattribute vold_prepare_subdirs_30_0)
-(typeattribute vold_prepare_subdirs_exec_30_0)
-(typeattribute vold_prop_30_0)
-(typeattribute vold_service_30_0)
-(typeattribute vpn_data_file_30_0)
-(typeattribute vr_hwc_30_0)
-(typeattribute vr_hwc_exec_30_0)
-(typeattribute vr_hwc_service_30_0)
-(typeattribute vr_manager_service_30_0)
-(typeattribute vrflinger_vsync_service_30_0)
-(typeattribute wallpaper_file_30_0)
-(typeattribute wallpaper_service_30_0)
-(typeattribute watchdog_device_30_0)
-(typeattribute watchdogd_30_0)
-(typeattribute watchdogd_exec_30_0)
-(typeattribute webview_zygote_30_0)
-(typeattribute webview_zygote_exec_30_0)
-(typeattribute webview_zygote_tmpfs_30_0)
-(typeattribute webviewupdate_service_30_0)
-(typeattribute wifi_data_file_30_0)
-(typeattribute wifi_keystore_service_server)
-(typeattribute wifi_log_prop_30_0)
-(typeattribute wifi_prop_30_0)
-(typeattribute wifi_service_30_0)
-(typeattribute wifiaware_service_30_0)
-(typeattribute wificond_30_0)
-(typeattribute wificond_exec_30_0)
-(typeattribute wifinl80211_service_30_0)
-(typeattribute wifip2p_service_30_0)
-(typeattribute wifiscanner_service_30_0)
-(typeattribute window_service_30_0)
-(typeattribute wpa_socket_30_0)
-(typeattribute wpantund_30_0)
-(typeattribute wpantund_exec_30_0)
-(typeattribute wpantund_service_30_0)
-(typeattribute zero_device_30_0)
-(typeattribute zoneinfo_data_file_30_0)
-(typeattribute zygote_30_0)
-(typeattribute zygote_exec_30_0)
-(typeattribute zygote_socket_30_0)
-(typeattribute zygote_tmpfs_30_0)
diff --git a/prebuilts/api/30.0/private/compat/26.0/26.0.cil b/prebuilts/api/30.0/private/compat/26.0/26.0.cil
deleted file mode 100644
index 498bca5..0000000
--- a/prebuilts/api/30.0/private/compat/26.0/26.0.cil
+++ /dev/null
@@ -1,786 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_keystore)
-(typeattribute hal_wifi_keystore_client)
-(typeattribute hal_wifi_keystore_server)
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_server)
-
-;; types removed from current policy
-(type untrusted_v2_app)
-(type asan_reboot_prop)
-(type commontime_management_service)
-(type hal_wifi_offload_hwservice)
-(type log_device)
-(type mediacasserver_service)
-(type mediacodec)
-(type mediacodec_exec)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type tracing_shell_writable)
-(type tracing_shell_writable_debug)
-(type vold_socket)
-(type webview_zygote_socket)
-(type rild)
-(type netd_socket)
-
-(typeattributeset accessibility_service_26_0 (accessibility_service))
-(typeattributeset account_service_26_0 (account_service))
-(typeattributeset activity_service_26_0 (activity_service))
-(typeattributeset adbd_26_0 (adbd))
-(typeattributeset adb_data_file_26_0 (adb_data_file))
-(typeattributeset adbd_socket_26_0 (adbd_socket))
-(typeattributeset adb_keys_file_26_0 (adb_keys_file))
-(typeattributeset alarm_device_26_0 (alarm_device))
-(typeattributeset alarm_service_26_0 (alarm_service))
-(typeattributeset anr_data_file_26_0 (anr_data_file))
-(typeattributeset apk_data_file_26_0 (apk_data_file))
-(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_26_0 (app_fuse_file))
-(typeattributeset app_fusefs_26_0 (app_fusefs))
-(typeattributeset appops_service_26_0 (appops_service))
-(typeattributeset appwidget_service_26_0 (appwidget_service))
-(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
-(typeattributeset asec_apk_file_26_0 (asec_apk_file))
-(typeattributeset asec_image_file_26_0 (asec_image_file))
-(typeattributeset asec_public_file_26_0 (asec_public_file))
-(typeattributeset ashmem_device_26_0 (ashmem_device))
-(typeattributeset assetatlas_service_26_0 (assetatlas_service))
-(typeattributeset audio_data_file_26_0 (audio_data_file))
-(typeattributeset audio_device_26_0 (audio_device))
-(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
-(typeattributeset audio_prop_26_0 (audio_prop))
-(typeattributeset audio_seq_device_26_0 (audio_seq_device))
-(typeattributeset audioserver_26_0 (audioserver))
-(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
-(typeattributeset audioserver_service_26_0 (audioserver_service))
-(typeattributeset audio_service_26_0 (audio_service))
-(typeattributeset audio_timer_device_26_0 (audio_timer_device))
-(typeattributeset autofill_service_26_0 (autofill_service))
-(typeattributeset backup_data_file_26_0 (backup_data_file))
-(typeattributeset backup_service_26_0 (backup_service))
-(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
-(typeattributeset battery_service_26_0 (battery_service))
-(typeattributeset batterystats_service_26_0 (batterystats_service))
-(typeattributeset binder_device_26_0 (binder_device))
-(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
-(typeattributeset blkid_26_0 (blkid))
-(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
-(typeattributeset block_device_26_0 (block_device))
-(typeattributeset bluetooth_26_0 (bluetooth))
-(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_26_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
-(typeattributeset bootanim_26_0 (bootanim))
-(typeattributeset bootanim_exec_26_0 (bootanim_exec))
-(typeattributeset boot_block_device_26_0 (boot_block_device))
-(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
-(typeattributeset bootstat_26_0 (bootstat))
-(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_26_0 (bootstat_exec))
-(typeattributeset boottime_prop_26_0 (boottime_prop))
-(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
-(typeattributeset bufferhubd_26_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_26_0 (cache_backup_file))
-(typeattributeset cache_block_device_26_0 (cache_block_device))
-(typeattributeset cache_file_26_0 (cache_file))
-(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
-(typeattributeset camera_data_file_26_0 (camera_data_file))
-(typeattributeset camera_device_26_0 (camera_device))
-(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
-(typeattributeset cameraserver_26_0 (cameraserver))
-(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_26_0 (cameraserver_service))
-(typeattributeset cgroup_26_0 (cgroup))
-(typeattributeset charger_26_0 (charger))
-(typeattributeset clatd_26_0 (clatd))
-(typeattributeset clatd_exec_26_0 (clatd_exec))
-(typeattributeset clipboard_service_26_0 (clipboard_service))
-(typeattributeset commontime_management_service_26_0 (commontime_management_service))
-(typeattributeset companion_device_service_26_0 (companion_device_service))
-(typeattributeset configfs_26_0 (configfs))
-(typeattributeset config_prop_26_0 (config_prop))
-(typeattributeset connectivity_service_26_0 (connectivity_service))
-(typeattributeset connmetrics_service_26_0 (connmetrics_service))
-(typeattributeset console_device_26_0 (console_device))
-(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
-(typeattributeset content_service_26_0 (content_service))
-(typeattributeset contexthub_service_26_0 (contexthub_service))
-(typeattributeset coredump_file_26_0 (coredump_file))
-(typeattributeset country_detector_service_26_0 (country_detector_service))
-(typeattributeset coverage_service_26_0 (coverage_service))
-(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
-(typeattributeset cppreopts_26_0 (cppreopts))
-(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_26_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
-(typeattributeset crash_dump_26_0 (crash_dump))
-(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_26_0 (dalvik_prop))
-(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0
- ( debugfs
- debugfs_wakeup_sources
- ))
-(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
-(typeattributeset debug_prop_26_0 (debug_prop))
-(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
-(typeattributeset default_android_service_26_0 (default_android_service))
-(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0
- ( default_prop pm_prop))
-(typeattributeset device_26_0 (device))
-(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_26_0 (deviceidle_service))
-(typeattributeset device_logging_prop_26_0 (device_logging_prop))
-(typeattributeset device_policy_service_26_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
-(typeattributeset devpts_26_0 (devpts))
-(typeattributeset dex2oat_26_0 (dex2oat))
-(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
-(typeattributeset dhcp_26_0 (dhcp))
-(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_26_0 (dhcp_exec))
-(typeattributeset dhcp_prop_26_0 (dhcp_prop))
-(typeattributeset diskstats_service_26_0 (diskstats_service))
-(typeattributeset display_service_26_0 (display_service))
-(typeattributeset dm_device_26_0 (dm_device))
-(typeattributeset dnsmasq_26_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_26_0 (DockObserver_service))
-(typeattributeset dreams_service_26_0 (dreams_service))
-(typeattributeset drm_data_file_26_0 (drm_data_file))
-(typeattributeset drmserver_26_0 (drmserver))
-(typeattributeset drmserver_exec_26_0 (drmserver_exec))
-(typeattributeset drmserver_service_26_0 (drmserver_service))
-(typeattributeset drmserver_socket_26_0 (drmserver_socket))
-(typeattributeset dropbox_service_26_0 (dropbox_service))
-(typeattributeset dumpstate_26_0 (dumpstate))
-(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_26_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
-(typeattributeset efs_file_26_0 (efs_file))
-(typeattributeset ephemeral_app_26_0 (ephemeral_app))
-(typeattributeset ethernet_service_26_0 (ethernet_service))
-(typeattributeset ffs_prop_26_0 (ffs_prop))
-(typeattributeset file_contexts_file_26_0 (file_contexts_file))
-(typeattributeset fingerprintd_26_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_26_0 (fingerprint_service))
-(typeattributeset firstboot_prop_26_0 (firstboot_prop))
-(typeattributeset font_service_26_0 (font_service))
-(typeattributeset frp_block_device_26_0 (frp_block_device))
-(typeattributeset fsck_26_0 (fsck))
-(typeattributeset fsck_exec_26_0 (fsck_exec))
-(typeattributeset fscklogs_26_0 (fscklogs))
-(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
-(typeattributeset full_device_26_0 (full_device))
-(typeattributeset functionfs_26_0 (functionfs))
-(typeattributeset fuse_26_0 (fuse))
-(typeattributeset fuse_device_26_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_26_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
-(typeattributeset gps_control_26_0 (gps_control))
-(typeattributeset gpu_device_26_0 (gpu_device))
-(typeattributeset gpu_service_26_0 (gpu_service))
-(typeattributeset graphics_device_26_0 (graphics_device))
-(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
-(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
-(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
-(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
-(typeattributeset hardware_service_26_0 (hardware_service))
-(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
-(typeattributeset healthd_26_0 (healthd))
-(typeattributeset healthd_exec_26_0 (healthd_exec))
-(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_26_0 (hwbinder_device))
-(typeattributeset hw_random_device_26_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_26_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_26_0 (i2c_device))
-(typeattributeset icon_file_26_0 (icon_file))
-(typeattributeset idmap_26_0 (idmap))
-(typeattributeset idmap_exec_26_0 (idmap_exec))
-(typeattributeset iio_device_26_0 (iio_device))
-(typeattributeset imms_service_26_0 (imms_service))
-(typeattributeset incident_26_0 (incident))
-(typeattributeset incidentd_26_0 (incidentd))
-(typeattributeset incident_data_file_26_0 (incident_data_file))
-(typeattributeset incident_service_26_0 (incident_service))
-(typeattributeset init_26_0 (init))
-(typeattributeset init_exec_26_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_26_0 (inotify))
-(typeattributeset input_device_26_0 (input_device))
-(typeattributeset inputflinger_26_0 (inputflinger))
-(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_26_0 (inputflinger_service))
-(typeattributeset input_method_service_26_0 (input_method_service))
-(typeattributeset input_service_26_0 (input_service))
-(typeattributeset installd_26_0 (installd))
-(typeattributeset install_data_file_26_0 (install_data_file))
-(typeattributeset installd_exec_26_0 (installd_exec))
-(typeattributeset installd_service_26_0 (installd_service))
-(typeattributeset install_recovery_26_0 (install_recovery))
-(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
-(typeattributeset ion_device_26_0 (ion_device))
-(typeattributeset IProxyService_service_26_0 (IProxyService_service))
-(typeattributeset ipsec_service_26_0 (ipsec_service))
-(typeattributeset isolated_app_26_0 (isolated_app))
-(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
-(typeattributeset kernel_26_0 (kernel))
-(typeattributeset keychain_data_file_26_0 (keychain_data_file))
-(typeattributeset keychord_device_26_0 (keychord_device))
-(typeattributeset keystore_26_0 (keystore))
-(typeattributeset keystore_data_file_26_0 (keystore_data_file))
-(typeattributeset keystore_exec_26_0 (keystore_exec))
-(typeattributeset keystore_service_26_0 (keystore_service))
-(typeattributeset kmem_device_26_0 (kmem_device))
-(typeattributeset kmsg_device_26_0 (kmsg_device))
-(typeattributeset labeledfs_26_0 (labeledfs))
-(typeattributeset launcherapps_service_26_0 (launcherapps_service))
-(typeattributeset lmkd_26_0 (lmkd))
-(typeattributeset lmkd_exec_26_0 (lmkd_exec))
-(typeattributeset lmkd_socket_26_0 (lmkd_socket))
-(typeattributeset location_service_26_0 (location_service))
-(typeattributeset lock_settings_service_26_0 (lock_settings_service))
-(typeattributeset logcat_exec_26_0 (logcat_exec))
-(typeattributeset logd_26_0 (logd))
-(typeattributeset log_device_26_0 (log_device))
-(typeattributeset logd_exec_26_0 (logd_exec))
-(typeattributeset logd_prop_26_0 (logd_prop))
-(typeattributeset logdr_socket_26_0 (logdr_socket))
-(typeattributeset logd_socket_26_0 (logd_socket))
-(typeattributeset logdw_socket_26_0 (logdw_socket))
-(typeattributeset logpersist_26_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_26_0 (log_prop))
-(typeattributeset log_tag_prop_26_0 (log_tag_prop))
-(typeattributeset loop_control_device_26_0 (loop_control_device))
-(typeattributeset loop_device_26_0 (loop_device))
-(typeattributeset mac_perms_file_26_0 (mac_perms_file))
-(typeattributeset mdnsd_26_0 (mdnsd))
-(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
-(typeattributeset mdns_socket_26_0 (mdns_socket))
-(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
-(typeattributeset hal_omx_server (mediacodec_26_0))
-(typeattributeset mediacodec_26_0 (mediacodec))
-(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_26_0 (mediacodec_service))
-(typeattributeset media_data_file_26_0 (media_data_file))
-(typeattributeset mediadrmserver_26_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_26_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
-(typeattributeset mediametrics_26_0 (mediametrics))
-(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_26_0 (mediametrics_service))
-(typeattributeset media_projection_service_26_0 (media_projection_service))
-(typeattributeset media_router_service_26_0 (media_router_service))
-(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
-(typeattributeset mediaserver_26_0 (mediaserver))
-(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_26_0 (mediaserver_service))
-(typeattributeset media_session_service_26_0 (media_session_service))
-(typeattributeset meminfo_service_26_0 (meminfo_service))
-(typeattributeset metadata_block_device_26_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
-(typeattributeset midi_service_26_0 (midi_service))
-(typeattributeset misc_block_device_26_0 (misc_block_device))
-(typeattributeset misc_logd_file_26_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
-(typeattributeset mmc_prop_26_0 (mmc_prop))
-(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_26_0 (mnt_user_file))
-(typeattributeset modprobe_26_0 (modprobe))
-(typeattributeset mount_service_26_0 (mount_service))
-(typeattributeset mqueue_26_0 (mqueue))
-(typeattributeset mtd_device_26_0 (mtd_device))
-(typeattributeset mtp_26_0 (mtp))
-(typeattributeset mtp_device_26_0 (mtp_device))
-(typeattributeset mtpd_socket_26_0 (mtpd_socket))
-(typeattributeset mtp_exec_26_0 (mtp_exec))
-(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
-(typeattributeset netd_26_0 (netd))
-(typeattributeset net_data_file_26_0 (net_data_file))
-(typeattributeset netd_exec_26_0 (netd_exec))
-(typeattributeset netd_listener_service_26_0 (netd_listener_service))
-(typeattributeset net_dns_prop_26_0 (net_dns_prop))
-(typeattributeset netd_service_26_0 (netd_service))
-(typeattributeset netd_socket_26_0 (netd_socket))
-(typeattributeset netif_26_0 (netif))
-(typeattributeset netpolicy_service_26_0 (netpolicy_service))
-(typeattributeset net_radio_prop_26_0 (net_radio_prop))
-(typeattributeset netstats_service_26_0 (netstats_service))
-(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_26_0 (network_management_service))
-(typeattributeset network_score_service_26_0 (network_score_service))
-(typeattributeset network_time_update_service_26_0 (network_time_update_service))
-(typeattributeset nfc_26_0 (nfc))
-(typeattributeset nfc_data_file_26_0 (nfc_data_file))
-(typeattributeset nfc_device_26_0 (nfc_device))
-(typeattributeset nfc_prop_26_0 (nfc_prop))
-(typeattributeset nfc_service_26_0 (nfc_service))
-(typeattributeset node_26_0 (node))
-(typeattributeset notification_service_26_0 (notification_service))
-(typeattributeset null_device_26_0 (null_device))
-(typeattributeset oemfs_26_0 (oemfs))
-(typeattributeset oem_lock_service_26_0 (oem_lock_service))
-(typeattributeset ota_data_file_26_0 (ota_data_file))
-(typeattributeset otadexopt_service_26_0 (otadexopt_service))
-(typeattributeset ota_package_file_26_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_26_0 (overlay_prop))
-(typeattributeset overlay_service_26_0 (overlay_service))
-(typeattributeset owntty_device_26_0 (owntty_device))
-(typeattributeset package_service_26_0 (package_service))
-(typeattributeset pan_result_prop_26_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
-(typeattributeset performanced_26_0 (performanced))
-(typeattributeset performanced_exec_26_0 (performanced_exec))
-(typeattributeset permission_service_26_0 (permission_service))
-(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_26_0 (pinner_service))
-(typeattributeset pipefs_26_0 (pipefs))
-(typeattributeset platform_app_26_0 (platform_app))
-(typeattributeset pmsg_device_26_0 (pmsg_device))
-(typeattributeset port_26_0 (port))
-(typeattributeset port_device_26_0 (port_device))
-(typeattributeset postinstall_26_0 (postinstall))
-(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_26_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_26_0 (powerctl_prop))
-(typeattributeset power_service_26_0 (power_service))
-(typeattributeset ppp_26_0 (ppp))
-(typeattributeset ppp_device_26_0 (ppp_device))
-(typeattributeset ppp_exec_26_0 (ppp_exec))
-(typeattributeset preloads_data_file_26_0 (preloads_data_file))
-(typeattributeset preloads_media_file_26_0 (preloads_media_file))
-(typeattributeset preopt2cachename_26_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
-(typeattributeset print_service_26_0 (print_service))
-(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_time_in_state
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
-(typeattributeset processinfo_service_26_0 (processinfo_service))
-(typeattributeset proc_interrupts_26_0 (proc_interrupts))
-(typeattributeset proc_iomem_26_0 (proc_iomem))
-(typeattributeset proc_meminfo_26_0 (proc_meminfo))
-(typeattributeset proc_misc_26_0 (proc_misc))
-(typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_26_0 (proc_perf))
-(typeattributeset proc_security_26_0 (proc_security))
-(typeattributeset proc_stat_26_0 (proc_stat))
-(typeattributeset procstats_service_26_0 (procstats_service))
-(typeattributeset proc_sysrq_26_0 (proc_sysrq))
-(typeattributeset proc_timer_26_0 (proc_timer))
-(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
-(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
-(typeattributeset profman_26_0 (profman))
-(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
-(typeattributeset profman_exec_26_0 (profman_exec))
-(typeattributeset properties_device_26_0 (properties_device))
-(typeattributeset properties_serial_26_0 (properties_serial))
-(typeattributeset property_contexts_file_26_0 (property_contexts_file))
-(typeattributeset property_data_file_26_0 (property_data_file))
-(typeattributeset property_socket_26_0 (property_socket))
-(typeattributeset pstorefs_26_0 (pstorefs))
-(typeattributeset ptmx_device_26_0 (ptmx_device))
-(typeattributeset qtaguid_device_26_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_26_0
- ( qtaguid_proc
- proc_qtaguid_ctrl))
-(typeattributeset racoon_26_0 (racoon))
-(typeattributeset racoon_exec_26_0 (racoon_exec))
-(typeattributeset racoon_socket_26_0 (racoon_socket))
-(typeattributeset radio_26_0 (radio))
-(typeattributeset radio_data_file_26_0 (radio_data_file))
-(typeattributeset radio_device_26_0 (radio_device))
-(typeattributeset radio_prop_26_0 (radio_prop))
-(typeattributeset radio_service_26_0 (radio_service))
-(typeattributeset ram_device_26_0 (ram_device))
-(typeattributeset random_device_26_0 (random_device))
-(typeattributeset reboot_data_file_26_0 (reboot_data_file))
-(typeattributeset recovery_26_0 (recovery))
-(typeattributeset recovery_block_device_26_0 (recovery_block_device))
-(typeattributeset recovery_data_file_26_0 (recovery_data_file))
-(typeattributeset recovery_persist_26_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_26_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_26_0 (recovery_service))
-(typeattributeset registry_service_26_0 (registry_service))
-(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_26_0 (restorecon_prop))
-(typeattributeset restrictions_service_26_0 (restrictions_service))
-(typeattributeset rild_26_0 (rild))
-(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
-(typeattributeset rild_socket_26_0 (rild_socket))
-(typeattributeset ringtone_file_26_0 (ringtone_file))
-(typeattributeset root_block_device_26_0 (root_block_device))
-(typeattributeset rootfs_26_0 (rootfs))
-(typeattributeset rpmsg_device_26_0 (rpmsg_device))
-(typeattributeset rtc_device_26_0 (rtc_device))
-(typeattributeset rttmanager_service_26_0 (rttmanager_service))
-(typeattributeset runas_26_0 (runas))
-(typeattributeset runas_exec_26_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
-(typeattributeset sdcardd_26_0 (sdcardd))
-(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
-(typeattributeset sdcardfs_26_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
-(typeattributeset search_service_26_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_26_0 (selinuxfs))
-(typeattributeset sensors_device_26_0 (sensors_device))
-(typeattributeset sensorservice_service_26_0 (sensorservice_service))
-(typeattributeset sepolicy_file_26_0 (sepolicy_file))
-(typeattributeset serial_device_26_0 (serial_device))
-(typeattributeset serialno_prop_26_0 (serialno_prop))
-(typeattributeset serial_service_26_0 (serial_service))
-(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
-(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
-(typeattributeset servicemanager_26_0 (servicemanager))
-(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
-(typeattributeset settings_service_26_0 (settings_service))
-(typeattributeset sgdisk_26_0 (sgdisk))
-(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
-(typeattributeset shared_relro_26_0 (shared_relro))
-(typeattributeset shared_relro_file_26_0 (shared_relro_file))
-(typeattributeset shell_26_0 (shell))
-(typeattributeset shell_data_file_26_0 (shell_data_file))
-(typeattributeset shell_exec_26_0 (shell_exec))
-(typeattributeset shell_prop_26_0 (shell_prop))
-(typeattributeset shm_26_0 (shm))
-(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_26_0 (shortcut_service))
-(typeattributeset slideshow_26_0 (slideshow))
-(typeattributeset socket_device_26_0 (socket_device))
-(typeattributeset sockfs_26_0 (sockfs))
-(typeattributeset statusbar_service_26_0 (statusbar_service))
-(typeattributeset storaged_service_26_0 (storaged_service))
-(typeattributeset storage_file_26_0 (storage_file))
-(typeattributeset storagestats_service_26_0 (storagestats_service))
-(typeattributeset storage_stub_file_26_0 (storage_stub_file))
-(typeattributeset su_26_0 (su))
-(typeattributeset su_exec_26_0 (su_exec))
-(typeattributeset surfaceflinger_26_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_26_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_26_0 (sysfs_uio))
-(typeattributeset sysfs_usb_26_0 (sysfs_usb))
-(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_26_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
-(typeattributeset system_app_26_0 (system_app))
-(typeattributeset system_app_data_file_26_0 (system_app_data_file))
-(typeattributeset system_app_service_26_0 (system_app_service))
-(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_26_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
-(typeattributeset system_prop_26_0 (system_prop))
-(typeattributeset system_radio_prop_26_0 (system_radio_prop))
-(typeattributeset system_server_26_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
-(typeattributeset task_service_26_0 (task_service))
-(typeattributeset tee_26_0 (tee))
-(typeattributeset tee_data_file_26_0 (tee_data_file))
-(typeattributeset tee_device_26_0 (tee_device))
-(typeattributeset telecom_service_26_0 (telecom_service))
-(typeattributeset textclassification_service_26_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
-(typeattributeset textservices_service_26_0 (textservices_service))
-(typeattributeset tmpfs_26_0 (tmpfs))
-(typeattributeset tombstoned_26_0 (tombstoned))
-(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
-(typeattributeset toolbox_26_0 (toolbox))
-(typeattributeset toolbox_exec_26_0 (toolbox_exec))
-(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
-(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
-(typeattributeset trust_service_26_0 (trust_service))
-(typeattributeset tty_device_26_0 (tty_device))
-(typeattributeset tun_device_26_0 (tun_device))
-(typeattributeset tv_input_service_26_0 (tv_input_service))
-(typeattributeset tzdatacheck_26_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
-(typeattributeset ueventd_26_0 (ueventd))
-(typeattributeset uhid_device_26_0 (uhid_device))
-(typeattributeset uimode_service_26_0 (uimode_service))
-(typeattributeset uio_device_26_0 (uio_device))
-(typeattributeset uncrypt_26_0 (uncrypt))
-(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
-(typeattributeset unlabeled_26_0 (unlabeled))
-(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
-(typeattributeset update_engine_26_0 (update_engine))
-(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_26_0 (update_engine_exec))
-(typeattributeset update_engine_service_26_0 (update_engine_service))
-(typeattributeset updatelock_service_26_0 (updatelock_service))
-(typeattributeset update_verifier_26_0 (update_verifier))
-(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
-(typeattributeset usagestats_service_26_0 (usagestats_service))
-(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
-(typeattributeset usb_device_26_0 (usb_device))
-(typeattributeset usbfs_26_0 (usbfs))
-(typeattributeset usb_service_26_0 (usb_service))
-(typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
-(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
-(typeattributeset user_service_26_0 (user_service))
-(typeattributeset vcs_device_26_0 (vcs_device))
-(typeattributeset vdc_26_0 (vdc))
-(typeattributeset vdc_exec_26_0 (vdc_exec))
-(typeattributeset vendor_app_file_26_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
-(typeattributeset vendor_file_26_0 (vendor_file))
-(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
-(typeattributeset vfat_26_0 (vfat))
-(typeattributeset vibrator_service_26_0 (vibrator_service))
-(typeattributeset video_device_26_0 (video_device))
-(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_26_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_26_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
-(typeattributeset vold_26_0 (vold))
-(typeattributeset vold_data_file_26_0 (vold_data_file))
-(typeattributeset vold_device_26_0 (vold_device))
-(typeattributeset vold_exec_26_0 (vold_exec))
-(typeattributeset vold_prop_26_0 (vold_prop))
-(typeattributeset vold_socket_26_0 (vold_socket))
-(typeattributeset vpn_data_file_26_0 (vpn_data_file))
-(typeattributeset vr_hwc_26_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_26_0 (vr_manager_service))
-(typeattributeset wallpaper_file_26_0 (wallpaper_file))
-(typeattributeset wallpaper_service_26_0 (wallpaper_service))
-(typeattributeset watchdogd_26_0 (watchdogd))
-(typeattributeset watchdog_device_26_0 (watchdog_device))
-(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
-(typeattributeset webview_zygote_26_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_26_0 (wifiaware_service))
-(typeattributeset wificond_26_0 (wificond))
-(typeattributeset wificond_exec_26_0 (wificond_exec))
-(typeattributeset wificond_service_26_0 (wificond_service))
-(typeattributeset wifi_data_file_26_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_26_0 (wifip2p_service))
-(typeattributeset wifi_prop_26_0 (wifi_prop))
-(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
-(typeattributeset wifi_service_26_0 (wifi_service))
-(typeattributeset window_service_26_0 (window_service))
-(typeattributeset wpa_socket_26_0 (wpa_socket))
-(typeattributeset zero_device_26_0 (zero_device))
-(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
-(typeattributeset zygote_26_0 (zygote))
-(typeattributeset zygote_exec_26_0 (zygote_exec))
-(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/30.0/private/compat/26.0/26.0.compat.cil b/prebuilts/api/30.0/private/compat/26.0/26.0.compat.cil
deleted file mode 100644
index 30af58c..0000000
--- a/prebuilts/api/30.0/private/compat/26.0/26.0.compat.cil
+++ /dev/null
@@ -1,5 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
-(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/prebuilts/api/30.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/30.0/private/compat/26.0/26.0.ignore.cil
deleted file mode 100644
index b395855..0000000
--- a/prebuilts/api/30.0/private/compat/26.0/26.0.ignore.cil
+++ /dev/null
@@ -1,229 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- activity_task_service
- adb_service
- adbd_exec
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- atrace
- binder_calls_stats_service
- biometric_service
- bootloader_boot_reason_prop
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- broadcastradio_service
- cgroup_bpf
- charger_exec
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_apexd_prop
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- e2fs
- e2fs_exec
- exfat
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_radio_prop
- exported3_system_prop
- fastbootd
- fingerprint_vendor_data_file
- flags_health_check
- flags_health_check_exec
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_broadcastradio_hwservice
- hal_cas_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_lowpan_hwservice
- hal_neuralnetworks_hwservice
- hal_secure_element_hwservice
- hal_tetheroffload_hwservice
- hal_wifi_hostapd_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_offload_hwservice
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- kmsg_debug_device
- last_boot_reason_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- mediaextractor_update_service
- mediaprovider_tmpfs
- metadata_bootstat_file
- metadata_file
- mnt_product_file
- mnt_vendor_file
- netd_stable_secret_prop
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- overlayfs_file
- package_native_service
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- property_info
- recovery_socket
- role_service
- runas_app
- art_apex_dir
- runtime_service
- secure_element
- secure_element_device
- secure_element_tmpfs
- secure_element_service
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- socket_hook_prop
- staging_data_file
- stats
- stats_data_file
- stats_exec
- stats_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- statscompanion_service
- storaged_data_file
- super_block_device
- sysfs_fs_ext4_features
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_net_netd_hwservice
- system_update_service
- test_boot_reason_prop
- thermal_service
- thermalcallback_hwservice
- thermalserviced
- thermalserviced_exec
- thermalserviced_tmpfs
- time_prop
- timedetector_service
- timezone_service
- tombstoned_java_trace_socket
- tombstone_wifi_data_file
- trace_data_file
- traceur_app
- traceur_app_tmpfs
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- vendor_default_prop
- vendor_security_patch_level_prop
- uri_grants_service
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_apex_file
- vendor_init
- vendor_shell
- vendor_socket_hook_prop
- vndk_prop
- vold_metadata_file
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vrflinger_vsync_service
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs
- wm_trace_data_file))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- adbd_tmpfs
- untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/30.0/private/compat/27.0/27.0.cil b/prebuilts/api/30.0/private/compat/27.0/27.0.cil
deleted file mode 100644
index 0d883c0..0000000
--- a/prebuilts/api/30.0/private/compat/27.0/27.0.cil
+++ /dev/null
@@ -1,1507 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_server)
-
-;; types removed from current policy
-(type commontime_management_service)
-(type hal_wifi_offload_hwservice)
-(type mediacodec)
-(type mediacodec_exec)
-(type netd_socket)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type rild)
-(type untrusted_v2_app)
-(type webview_zygote_socket)
-(type vold_socket)
-
-(expandtypeattribute (accessibility_service_27_0) true)
-(expandtypeattribute (account_service_27_0) true)
-(expandtypeattribute (activity_service_27_0) true)
-(expandtypeattribute (adbd_27_0) true)
-(expandtypeattribute (adb_data_file_27_0) true)
-(expandtypeattribute (adbd_exec_27_0) true)
-(expandtypeattribute (adbd_socket_27_0) true)
-(expandtypeattribute (adb_keys_file_27_0) true)
-(expandtypeattribute (alarm_device_27_0) true)
-(expandtypeattribute (alarm_service_27_0) true)
-(expandtypeattribute (anr_data_file_27_0) true)
-(expandtypeattribute (apk_data_file_27_0) true)
-(expandtypeattribute (apk_private_data_file_27_0) true)
-(expandtypeattribute (apk_private_tmp_file_27_0) true)
-(expandtypeattribute (apk_tmp_file_27_0) true)
-(expandtypeattribute (app_data_file_27_0) true)
-(expandtypeattribute (app_fuse_file_27_0) true)
-(expandtypeattribute (app_fusefs_27_0) true)
-(expandtypeattribute (appops_service_27_0) true)
-(expandtypeattribute (appwidget_service_27_0) true)
-(expandtypeattribute (asec_apk_file_27_0) true)
-(expandtypeattribute (asec_image_file_27_0) true)
-(expandtypeattribute (asec_public_file_27_0) true)
-(expandtypeattribute (ashmem_device_27_0) true)
-(expandtypeattribute (assetatlas_service_27_0) true)
-(expandtypeattribute (audio_data_file_27_0) true)
-(expandtypeattribute (audio_device_27_0) true)
-(expandtypeattribute (audiohal_data_file_27_0) true)
-(expandtypeattribute (audio_prop_27_0) true)
-(expandtypeattribute (audio_seq_device_27_0) true)
-(expandtypeattribute (audioserver_27_0) true)
-(expandtypeattribute (audioserver_data_file_27_0) true)
-(expandtypeattribute (audioserver_service_27_0) true)
-(expandtypeattribute (audio_service_27_0) true)
-(expandtypeattribute (audio_timer_device_27_0) true)
-(expandtypeattribute (autofill_service_27_0) true)
-(expandtypeattribute (backup_data_file_27_0) true)
-(expandtypeattribute (backup_service_27_0) true)
-(expandtypeattribute (batteryproperties_service_27_0) true)
-(expandtypeattribute (battery_service_27_0) true)
-(expandtypeattribute (batterystats_service_27_0) true)
-(expandtypeattribute (binder_device_27_0) true)
-(expandtypeattribute (binfmt_miscfs_27_0) true)
-(expandtypeattribute (blkid_27_0) true)
-(expandtypeattribute (blkid_untrusted_27_0) true)
-(expandtypeattribute (block_device_27_0) true)
-(expandtypeattribute (bluetooth_27_0) true)
-(expandtypeattribute (bluetooth_data_file_27_0) true)
-(expandtypeattribute (bluetooth_efs_file_27_0) true)
-(expandtypeattribute (bluetooth_logs_data_file_27_0) true)
-(expandtypeattribute (bluetooth_manager_service_27_0) true)
-(expandtypeattribute (bluetooth_prop_27_0) true)
-(expandtypeattribute (bluetooth_service_27_0) true)
-(expandtypeattribute (bluetooth_socket_27_0) true)
-(expandtypeattribute (bootanim_27_0) true)
-(expandtypeattribute (bootanim_exec_27_0) true)
-(expandtypeattribute (boot_block_device_27_0) true)
-(expandtypeattribute (bootchart_data_file_27_0) true)
-(expandtypeattribute (bootstat_27_0) true)
-(expandtypeattribute (bootstat_data_file_27_0) true)
-(expandtypeattribute (bootstat_exec_27_0) true)
-(expandtypeattribute (boottime_prop_27_0) true)
-(expandtypeattribute (boottrace_data_file_27_0) true)
-(expandtypeattribute (broadcastradio_service_27_0) true)
-(expandtypeattribute (bufferhubd_27_0) true)
-(expandtypeattribute (bufferhubd_exec_27_0) true)
-(expandtypeattribute (cache_backup_file_27_0) true)
-(expandtypeattribute (cache_block_device_27_0) true)
-(expandtypeattribute (cache_file_27_0) true)
-(expandtypeattribute (cache_private_backup_file_27_0) true)
-(expandtypeattribute (cache_recovery_file_27_0) true)
-(expandtypeattribute (camera_data_file_27_0) true)
-(expandtypeattribute (camera_device_27_0) true)
-(expandtypeattribute (cameraproxy_service_27_0) true)
-(expandtypeattribute (cameraserver_27_0) true)
-(expandtypeattribute (cameraserver_exec_27_0) true)
-(expandtypeattribute (cameraserver_service_27_0) true)
-(expandtypeattribute (cgroup_27_0) true)
-(expandtypeattribute (charger_27_0) true)
-(expandtypeattribute (clatd_27_0) true)
-(expandtypeattribute (clatd_exec_27_0) true)
-(expandtypeattribute (clipboard_service_27_0) true)
-(expandtypeattribute (commontime_management_service_27_0) true)
-(expandtypeattribute (companion_device_service_27_0) true)
-(expandtypeattribute (configfs_27_0) true)
-(expandtypeattribute (config_prop_27_0) true)
-(expandtypeattribute (connectivity_service_27_0) true)
-(expandtypeattribute (connmetrics_service_27_0) true)
-(expandtypeattribute (console_device_27_0) true)
-(expandtypeattribute (consumer_ir_service_27_0) true)
-(expandtypeattribute (content_service_27_0) true)
-(expandtypeattribute (contexthub_service_27_0) true)
-(expandtypeattribute (coredump_file_27_0) true)
-(expandtypeattribute (country_detector_service_27_0) true)
-(expandtypeattribute (coverage_service_27_0) true)
-(expandtypeattribute (cppreopt_prop_27_0) true)
-(expandtypeattribute (cppreopts_27_0) true)
-(expandtypeattribute (cppreopts_exec_27_0) true)
-(expandtypeattribute (cpuctl_device_27_0) true)
-(expandtypeattribute (cpuinfo_service_27_0) true)
-(expandtypeattribute (crash_dump_27_0) true)
-(expandtypeattribute (crash_dump_exec_27_0) true)
-(expandtypeattribute (ctl_bootanim_prop_27_0) true)
-(expandtypeattribute (ctl_bugreport_prop_27_0) true)
-(expandtypeattribute (ctl_console_prop_27_0) true)
-(expandtypeattribute (ctl_default_prop_27_0) true)
-(expandtypeattribute (ctl_dumpstate_prop_27_0) true)
-(expandtypeattribute (ctl_fuse_prop_27_0) true)
-(expandtypeattribute (ctl_mdnsd_prop_27_0) true)
-(expandtypeattribute (ctl_rildaemon_prop_27_0) true)
-(expandtypeattribute (dalvikcache_data_file_27_0) true)
-(expandtypeattribute (dalvik_prop_27_0) true)
-(expandtypeattribute (dbinfo_service_27_0) true)
-(expandtypeattribute (debugfs_27_0) true)
-(expandtypeattribute (debugfs_mmc_27_0) true)
-(expandtypeattribute (debugfs_trace_marker_27_0) true)
-(expandtypeattribute (debugfs_tracing_27_0) true)
-(expandtypeattribute (debugfs_tracing_debug_27_0) true)
-(expandtypeattribute (debugfs_tracing_instances_27_0) true)
-(expandtypeattribute (debugfs_wifi_tracing_27_0) true)
-(expandtypeattribute (debuggerd_prop_27_0) true)
-(expandtypeattribute (debug_prop_27_0) true)
-(expandtypeattribute (default_android_hwservice_27_0) true)
-(expandtypeattribute (default_android_service_27_0) true)
-(expandtypeattribute (default_android_vndservice_27_0) true)
-(expandtypeattribute (default_prop_27_0) true)
-(expandtypeattribute (device_27_0) true)
-(expandtypeattribute (device_identifiers_service_27_0) true)
-(expandtypeattribute (deviceidle_service_27_0) true)
-(expandtypeattribute (device_logging_prop_27_0) true)
-(expandtypeattribute (device_policy_service_27_0) true)
-(expandtypeattribute (devicestoragemonitor_service_27_0) true)
-(expandtypeattribute (devpts_27_0) true)
-(expandtypeattribute (dex2oat_27_0) true)
-(expandtypeattribute (dex2oat_exec_27_0) true)
-(expandtypeattribute (dhcp_27_0) true)
-(expandtypeattribute (dhcp_data_file_27_0) true)
-(expandtypeattribute (dhcp_exec_27_0) true)
-(expandtypeattribute (dhcp_prop_27_0) true)
-(expandtypeattribute (diskstats_service_27_0) true)
-(expandtypeattribute (display_service_27_0) true)
-(expandtypeattribute (dm_device_27_0) true)
-(expandtypeattribute (dnsmasq_27_0) true)
-(expandtypeattribute (dnsmasq_exec_27_0) true)
-(expandtypeattribute (dnsproxyd_socket_27_0) true)
-(expandtypeattribute (DockObserver_service_27_0) true)
-(expandtypeattribute (dreams_service_27_0) true)
-(expandtypeattribute (drm_data_file_27_0) true)
-(expandtypeattribute (drmserver_27_0) true)
-(expandtypeattribute (drmserver_exec_27_0) true)
-(expandtypeattribute (drmserver_service_27_0) true)
-(expandtypeattribute (drmserver_socket_27_0) true)
-(expandtypeattribute (dropbox_service_27_0) true)
-(expandtypeattribute (dumpstate_27_0) true)
-(expandtypeattribute (dumpstate_exec_27_0) true)
-(expandtypeattribute (dumpstate_options_prop_27_0) true)
-(expandtypeattribute (dumpstate_prop_27_0) true)
-(expandtypeattribute (dumpstate_service_27_0) true)
-(expandtypeattribute (dumpstate_socket_27_0) true)
-(expandtypeattribute (e2fs_27_0) true)
-(expandtypeattribute (e2fs_exec_27_0) true)
-(expandtypeattribute (efs_file_27_0) true)
-(expandtypeattribute (ephemeral_app_27_0) true)
-(expandtypeattribute (ethernet_service_27_0) true)
-(expandtypeattribute (ffs_prop_27_0) true)
-(expandtypeattribute (file_contexts_file_27_0) true)
-(expandtypeattribute (fingerprintd_27_0) true)
-(expandtypeattribute (fingerprintd_data_file_27_0) true)
-(expandtypeattribute (fingerprintd_exec_27_0) true)
-(expandtypeattribute (fingerprintd_service_27_0) true)
-(expandtypeattribute (fingerprint_prop_27_0) true)
-(expandtypeattribute (fingerprint_service_27_0) true)
-(expandtypeattribute (firstboot_prop_27_0) true)
-(expandtypeattribute (font_service_27_0) true)
-(expandtypeattribute (frp_block_device_27_0) true)
-(expandtypeattribute (fsck_27_0) true)
-(expandtypeattribute (fsck_exec_27_0) true)
-(expandtypeattribute (fscklogs_27_0) true)
-(expandtypeattribute (fsck_untrusted_27_0) true)
-(expandtypeattribute (full_device_27_0) true)
-(expandtypeattribute (functionfs_27_0) true)
-(expandtypeattribute (fuse_27_0) true)
-(expandtypeattribute (fuse_device_27_0) true)
-(expandtypeattribute (fwk_display_hwservice_27_0) true)
-(expandtypeattribute (fwk_scheduler_hwservice_27_0) true)
-(expandtypeattribute (fwk_sensor_hwservice_27_0) true)
-(expandtypeattribute (fwmarkd_socket_27_0) true)
-(expandtypeattribute (gatekeeperd_27_0) true)
-(expandtypeattribute (gatekeeper_data_file_27_0) true)
-(expandtypeattribute (gatekeeperd_exec_27_0) true)
-(expandtypeattribute (gatekeeper_service_27_0) true)
-(expandtypeattribute (gfxinfo_service_27_0) true)
-(expandtypeattribute (gps_control_27_0) true)
-(expandtypeattribute (gpu_device_27_0) true)
-(expandtypeattribute (gpu_service_27_0) true)
-(expandtypeattribute (graphics_device_27_0) true)
-(expandtypeattribute (graphicsstats_service_27_0) true)
-(expandtypeattribute (hal_audio_hwservice_27_0) true)
-(expandtypeattribute (hal_bluetooth_hwservice_27_0) true)
-(expandtypeattribute (hal_bootctl_hwservice_27_0) true)
-(expandtypeattribute (hal_broadcastradio_hwservice_27_0) true)
-(expandtypeattribute (hal_camera_hwservice_27_0) true)
-(expandtypeattribute (hal_cas_hwservice_27_0) true)
-(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_27_0) true)
-(expandtypeattribute (hal_contexthub_hwservice_27_0) true)
-(expandtypeattribute (hal_drm_hwservice_27_0) true)
-(expandtypeattribute (hal_dumpstate_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_service_27_0) true)
-(expandtypeattribute (hal_gatekeeper_hwservice_27_0) true)
-(expandtypeattribute (hal_gnss_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_allocator_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_composer_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_mapper_hwservice_27_0) true)
-(expandtypeattribute (hal_health_hwservice_27_0) true)
-(expandtypeattribute (hal_ir_hwservice_27_0) true)
-(expandtypeattribute (hal_keymaster_hwservice_27_0) true)
-(expandtypeattribute (hal_light_hwservice_27_0) true)
-(expandtypeattribute (hal_memtrack_hwservice_27_0) true)
-(expandtypeattribute (hal_neuralnetworks_hwservice_27_0) true)
-(expandtypeattribute (hal_nfc_hwservice_27_0) true)
-(expandtypeattribute (hal_oemlock_hwservice_27_0) true)
-(expandtypeattribute (hal_omx_hwservice_27_0) true)
-(expandtypeattribute (hal_power_hwservice_27_0) true)
-(expandtypeattribute (hal_renderscript_hwservice_27_0) true)
-(expandtypeattribute (hal_sensors_hwservice_27_0) true)
-(expandtypeattribute (hal_telephony_hwservice_27_0) true)
-(expandtypeattribute (hal_tetheroffload_hwservice_27_0) true)
-(expandtypeattribute (hal_thermal_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_cec_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_input_hwservice_27_0) true)
-(expandtypeattribute (hal_usb_hwservice_27_0) true)
-(expandtypeattribute (hal_vibrator_hwservice_27_0) true)
-(expandtypeattribute (hal_vr_hwservice_27_0) true)
-(expandtypeattribute (hal_weaver_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_offload_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_supplicant_hwservice_27_0) true)
-(expandtypeattribute (hardware_properties_service_27_0) true)
-(expandtypeattribute (hardware_service_27_0) true)
-(expandtypeattribute (hci_attach_dev_27_0) true)
-(expandtypeattribute (hdmi_control_service_27_0) true)
-(expandtypeattribute (healthd_27_0) true)
-(expandtypeattribute (healthd_exec_27_0) true)
-(expandtypeattribute (heapdump_data_file_27_0) true)
-(expandtypeattribute (hidl_allocator_hwservice_27_0) true)
-(expandtypeattribute (hidl_base_hwservice_27_0) true)
-(expandtypeattribute (hidl_manager_hwservice_27_0) true)
-(expandtypeattribute (hidl_memory_hwservice_27_0) true)
-(expandtypeattribute (hidl_token_hwservice_27_0) true)
-(expandtypeattribute (hwbinder_device_27_0) true)
-(expandtypeattribute (hw_random_device_27_0) true)
-(expandtypeattribute (hwservice_contexts_file_27_0) true)
-(expandtypeattribute (hwservicemanager_27_0) true)
-(expandtypeattribute (hwservicemanager_exec_27_0) true)
-(expandtypeattribute (hwservicemanager_prop_27_0) true)
-(expandtypeattribute (i2c_device_27_0) true)
-(expandtypeattribute (icon_file_27_0) true)
-(expandtypeattribute (idmap_27_0) true)
-(expandtypeattribute (idmap_exec_27_0) true)
-(expandtypeattribute (iio_device_27_0) true)
-(expandtypeattribute (imms_service_27_0) true)
-(expandtypeattribute (incident_27_0) true)
-(expandtypeattribute (incidentd_27_0) true)
-(expandtypeattribute (incident_data_file_27_0) true)
-(expandtypeattribute (incident_service_27_0) true)
-(expandtypeattribute (init_27_0) true)
-(expandtypeattribute (init_exec_27_0) true)
-(expandtypeattribute (inotify_27_0) true)
-(expandtypeattribute (input_device_27_0) true)
-(expandtypeattribute (inputflinger_27_0) true)
-(expandtypeattribute (inputflinger_exec_27_0) true)
-(expandtypeattribute (inputflinger_service_27_0) true)
-(expandtypeattribute (input_method_service_27_0) true)
-(expandtypeattribute (input_service_27_0) true)
-(expandtypeattribute (installd_27_0) true)
-(expandtypeattribute (install_data_file_27_0) true)
-(expandtypeattribute (installd_exec_27_0) true)
-(expandtypeattribute (installd_service_27_0) true)
-(expandtypeattribute (install_recovery_27_0) true)
-(expandtypeattribute (install_recovery_exec_27_0) true)
-(expandtypeattribute (ion_device_27_0) true)
-(expandtypeattribute (IProxyService_service_27_0) true)
-(expandtypeattribute (ipsec_service_27_0) true)
-(expandtypeattribute (isolated_app_27_0) true)
-(expandtypeattribute (jobscheduler_service_27_0) true)
-(expandtypeattribute (kernel_27_0) true)
-(expandtypeattribute (keychain_data_file_27_0) true)
-(expandtypeattribute (keychord_device_27_0) true)
-(expandtypeattribute (keystore_27_0) true)
-(expandtypeattribute (keystore_data_file_27_0) true)
-(expandtypeattribute (keystore_exec_27_0) true)
-(expandtypeattribute (keystore_service_27_0) true)
-(expandtypeattribute (kmem_device_27_0) true)
-(expandtypeattribute (kmsg_debug_device_27_0) true)
-(expandtypeattribute (kmsg_device_27_0) true)
-(expandtypeattribute (labeledfs_27_0) true)
-(expandtypeattribute (launcherapps_service_27_0) true)
-(expandtypeattribute (lmkd_27_0) true)
-(expandtypeattribute (lmkd_exec_27_0) true)
-(expandtypeattribute (lmkd_socket_27_0) true)
-(expandtypeattribute (location_service_27_0) true)
-(expandtypeattribute (lock_settings_service_27_0) true)
-(expandtypeattribute (logcat_exec_27_0) true)
-(expandtypeattribute (logd_27_0) true)
-(expandtypeattribute (logd_exec_27_0) true)
-(expandtypeattribute (logd_prop_27_0) true)
-(expandtypeattribute (logdr_socket_27_0) true)
-(expandtypeattribute (logd_socket_27_0) true)
-(expandtypeattribute (logdw_socket_27_0) true)
-(expandtypeattribute (logpersist_27_0) true)
-(expandtypeattribute (logpersistd_logging_prop_27_0) true)
-(expandtypeattribute (log_prop_27_0) true)
-(expandtypeattribute (log_tag_prop_27_0) true)
-(expandtypeattribute (loop_control_device_27_0) true)
-(expandtypeattribute (loop_device_27_0) true)
-(expandtypeattribute (mac_perms_file_27_0) true)
-(expandtypeattribute (mdnsd_27_0) true)
-(expandtypeattribute (mdnsd_socket_27_0) true)
-(expandtypeattribute (mdns_socket_27_0) true)
-(expandtypeattribute (mediacodec_27_0) true)
-(expandtypeattribute (mediacodec_exec_27_0) true)
-(expandtypeattribute (mediacodec_service_27_0) true)
-(expandtypeattribute (media_data_file_27_0) true)
-(expandtypeattribute (mediadrmserver_27_0) true)
-(expandtypeattribute (mediadrmserver_exec_27_0) true)
-(expandtypeattribute (mediadrmserver_service_27_0) true)
-(expandtypeattribute (mediaextractor_27_0) true)
-(expandtypeattribute (mediaextractor_exec_27_0) true)
-(expandtypeattribute (mediaextractor_service_27_0) true)
-(expandtypeattribute (mediametrics_27_0) true)
-(expandtypeattribute (mediametrics_exec_27_0) true)
-(expandtypeattribute (mediametrics_service_27_0) true)
-(expandtypeattribute (media_projection_service_27_0) true)
-(expandtypeattribute (mediaprovider_27_0) true)
-(expandtypeattribute (media_router_service_27_0) true)
-(expandtypeattribute (media_rw_data_file_27_0) true)
-(expandtypeattribute (mediaserver_27_0) true)
-(expandtypeattribute (mediaserver_exec_27_0) true)
-(expandtypeattribute (mediaserver_service_27_0) true)
-(expandtypeattribute (media_session_service_27_0) true)
-(expandtypeattribute (meminfo_service_27_0) true)
-(expandtypeattribute (metadata_block_device_27_0) true)
-(expandtypeattribute (method_trace_data_file_27_0) true)
-(expandtypeattribute (midi_service_27_0) true)
-(expandtypeattribute (misc_block_device_27_0) true)
-(expandtypeattribute (misc_logd_file_27_0) true)
-(expandtypeattribute (misc_user_data_file_27_0) true)
-(expandtypeattribute (mmc_prop_27_0) true)
-(expandtypeattribute (mnt_expand_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_stub_file_27_0) true)
-(expandtypeattribute (mnt_user_file_27_0) true)
-(expandtypeattribute (modprobe_27_0) true)
-(expandtypeattribute (mount_service_27_0) true)
-(expandtypeattribute (mqueue_27_0) true)
-(expandtypeattribute (mtd_device_27_0) true)
-(expandtypeattribute (mtp_27_0) true)
-(expandtypeattribute (mtp_device_27_0) true)
-(expandtypeattribute (mtpd_socket_27_0) true)
-(expandtypeattribute (mtp_exec_27_0) true)
-(expandtypeattribute (nativetest_data_file_27_0) true)
-(expandtypeattribute (netd_27_0) true)
-(expandtypeattribute (net_data_file_27_0) true)
-(expandtypeattribute (netd_exec_27_0) true)
-(expandtypeattribute (netd_listener_service_27_0) true)
-(expandtypeattribute (net_dns_prop_27_0) true)
-(expandtypeattribute (netd_service_27_0) true)
-(expandtypeattribute (netd_socket_27_0) true)
-(expandtypeattribute (netd_stable_secret_prop_27_0) true)
-(expandtypeattribute (netif_27_0) true)
-(expandtypeattribute (netpolicy_service_27_0) true)
-(expandtypeattribute (net_radio_prop_27_0) true)
-(expandtypeattribute (netstats_service_27_0) true)
-(expandtypeattribute (netutils_wrapper_27_0) true)
-(expandtypeattribute (netutils_wrapper_exec_27_0) true)
-(expandtypeattribute (network_management_service_27_0) true)
-(expandtypeattribute (network_score_service_27_0) true)
-(expandtypeattribute (network_time_update_service_27_0) true)
-(expandtypeattribute (nfc_27_0) true)
-(expandtypeattribute (nfc_data_file_27_0) true)
-(expandtypeattribute (nfc_device_27_0) true)
-(expandtypeattribute (nfc_prop_27_0) true)
-(expandtypeattribute (nfc_service_27_0) true)
-(expandtypeattribute (node_27_0) true)
-(expandtypeattribute (nonplat_service_contexts_file_27_0) true)
-(expandtypeattribute (notification_service_27_0) true)
-(expandtypeattribute (null_device_27_0) true)
-(expandtypeattribute (oemfs_27_0) true)
-(expandtypeattribute (oem_lock_service_27_0) true)
-(expandtypeattribute (ota_data_file_27_0) true)
-(expandtypeattribute (otadexopt_service_27_0) true)
-(expandtypeattribute (ota_package_file_27_0) true)
-(expandtypeattribute (otapreopt_chroot_27_0) true)
-(expandtypeattribute (otapreopt_chroot_exec_27_0) true)
-(expandtypeattribute (otapreopt_slot_27_0) true)
-(expandtypeattribute (otapreopt_slot_exec_27_0) true)
-(expandtypeattribute (overlay_prop_27_0) true)
-(expandtypeattribute (overlay_service_27_0) true)
-(expandtypeattribute (owntty_device_27_0) true)
-(expandtypeattribute (package_native_service_27_0) true)
-(expandtypeattribute (package_service_27_0) true)
-(expandtypeattribute (pan_result_prop_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_dir_27_0) true)
-(expandtypeattribute (pdx_display_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_dir_27_0) true)
-(expandtypeattribute (pdx_display_manager_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_manager_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_dir_27_0) true)
-(expandtypeattribute (performanced_27_0) true)
-(expandtypeattribute (performanced_exec_27_0) true)
-(expandtypeattribute (permission_service_27_0) true)
-(expandtypeattribute (persist_debug_prop_27_0) true)
-(expandtypeattribute (persistent_data_block_service_27_0) true)
-(expandtypeattribute (persistent_properties_ready_prop_27_0) true)
-(expandtypeattribute (pinner_service_27_0) true)
-(expandtypeattribute (pipefs_27_0) true)
-(expandtypeattribute (platform_app_27_0) true)
-(expandtypeattribute (pmsg_device_27_0) true)
-(expandtypeattribute (port_27_0) true)
-(expandtypeattribute (port_device_27_0) true)
-(expandtypeattribute (postinstall_27_0) true)
-(expandtypeattribute (postinstall_dexopt_27_0) true)
-(expandtypeattribute (postinstall_file_27_0) true)
-(expandtypeattribute (postinstall_mnt_dir_27_0) true)
-(expandtypeattribute (powerctl_prop_27_0) true)
-(expandtypeattribute (power_service_27_0) true)
-(expandtypeattribute (ppp_27_0) true)
-(expandtypeattribute (ppp_device_27_0) true)
-(expandtypeattribute (ppp_exec_27_0) true)
-(expandtypeattribute (preloads_data_file_27_0) true)
-(expandtypeattribute (preloads_media_file_27_0) true)
-(expandtypeattribute (preopt2cachename_27_0) true)
-(expandtypeattribute (preopt2cachename_exec_27_0) true)
-(expandtypeattribute (print_service_27_0) true)
-(expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
-(expandtypeattribute (proc_bluetooth_writable_27_0) true)
-(expandtypeattribute (proc_cpuinfo_27_0) true)
-(expandtypeattribute (proc_drop_caches_27_0) true)
-(expandtypeattribute (processinfo_service_27_0) true)
-(expandtypeattribute (proc_interrupts_27_0) true)
-(expandtypeattribute (proc_iomem_27_0) true)
-(expandtypeattribute (proc_meminfo_27_0) true)
-(expandtypeattribute (proc_misc_27_0) true)
-(expandtypeattribute (proc_modules_27_0) true)
-(expandtypeattribute (proc_net_27_0) true)
-(expandtypeattribute (proc_overcommit_memory_27_0) true)
-(expandtypeattribute (proc_perf_27_0) true)
-(expandtypeattribute (proc_security_27_0) true)
-(expandtypeattribute (proc_stat_27_0) true)
-(expandtypeattribute (procstats_service_27_0) true)
-(expandtypeattribute (proc_sysrq_27_0) true)
-(expandtypeattribute (proc_timer_27_0) true)
-(expandtypeattribute (proc_tty_drivers_27_0) true)
-(expandtypeattribute (proc_uid_cputime_removeuid_27_0) true)
-(expandtypeattribute (proc_uid_cputime_showstat_27_0) true)
-(expandtypeattribute (proc_uid_io_stats_27_0) true)
-(expandtypeattribute (proc_uid_procstat_set_27_0) true)
-(expandtypeattribute (proc_uid_time_in_state_27_0) true)
-(expandtypeattribute (proc_zoneinfo_27_0) true)
-(expandtypeattribute (profman_27_0) true)
-(expandtypeattribute (profman_dump_data_file_27_0) true)
-(expandtypeattribute (profman_exec_27_0) true)
-(expandtypeattribute (properties_device_27_0) true)
-(expandtypeattribute (properties_serial_27_0) true)
-(expandtypeattribute (property_contexts_file_27_0) true)
-(expandtypeattribute (property_data_file_27_0) true)
-(expandtypeattribute (property_socket_27_0) true)
-(expandtypeattribute (pstorefs_27_0) true)
-(expandtypeattribute (ptmx_device_27_0) true)
-(expandtypeattribute (qtaguid_device_27_0) true)
-(expandtypeattribute (qtaguid_proc_27_0) true)
-(expandtypeattribute (racoon_27_0) true)
-(expandtypeattribute (racoon_exec_27_0) true)
-(expandtypeattribute (racoon_socket_27_0) true)
-(expandtypeattribute (radio_27_0) true)
-(expandtypeattribute (radio_data_file_27_0) true)
-(expandtypeattribute (radio_device_27_0) true)
-(expandtypeattribute (radio_prop_27_0) true)
-(expandtypeattribute (radio_service_27_0) true)
-(expandtypeattribute (ram_device_27_0) true)
-(expandtypeattribute (random_device_27_0) true)
-(expandtypeattribute (reboot_data_file_27_0) true)
-(expandtypeattribute (recovery_27_0) true)
-(expandtypeattribute (recovery_block_device_27_0) true)
-(expandtypeattribute (recovery_data_file_27_0) true)
-(expandtypeattribute (recovery_persist_27_0) true)
-(expandtypeattribute (recovery_persist_exec_27_0) true)
-(expandtypeattribute (recovery_refresh_27_0) true)
-(expandtypeattribute (recovery_refresh_exec_27_0) true)
-(expandtypeattribute (recovery_service_27_0) true)
-(expandtypeattribute (registry_service_27_0) true)
-(expandtypeattribute (resourcecache_data_file_27_0) true)
-(expandtypeattribute (restorecon_prop_27_0) true)
-(expandtypeattribute (restrictions_service_27_0) true)
-(expandtypeattribute (rild_27_0) true)
-(expandtypeattribute (rild_debug_socket_27_0) true)
-(expandtypeattribute (rild_socket_27_0) true)
-(expandtypeattribute (ringtone_file_27_0) true)
-(expandtypeattribute (root_block_device_27_0) true)
-(expandtypeattribute (rootfs_27_0) true)
-(expandtypeattribute (rpmsg_device_27_0) true)
-(expandtypeattribute (rtc_device_27_0) true)
-(expandtypeattribute (rttmanager_service_27_0) true)
-(expandtypeattribute (runas_27_0) true)
-(expandtypeattribute (runas_exec_27_0) true)
-(expandtypeattribute (runtime_event_log_tags_file_27_0) true)
-(expandtypeattribute (safemode_prop_27_0) true)
-(expandtypeattribute (same_process_hal_file_27_0) true)
-(expandtypeattribute (samplingprofiler_service_27_0) true)
-(expandtypeattribute (scheduling_policy_service_27_0) true)
-(expandtypeattribute (sdcardd_27_0) true)
-(expandtypeattribute (sdcardd_exec_27_0) true)
-(expandtypeattribute (sdcardfs_27_0) true)
-(expandtypeattribute (seapp_contexts_file_27_0) true)
-(expandtypeattribute (search_service_27_0) true)
-(expandtypeattribute (sec_key_att_app_id_provider_service_27_0) true)
-(expandtypeattribute (selinuxfs_27_0) true)
-(expandtypeattribute (sensors_device_27_0) true)
-(expandtypeattribute (sensorservice_service_27_0) true)
-(expandtypeattribute (sepolicy_file_27_0) true)
-(expandtypeattribute (serial_device_27_0) true)
-(expandtypeattribute (serialno_prop_27_0) true)
-(expandtypeattribute (serial_service_27_0) true)
-(expandtypeattribute (service_contexts_file_27_0) true)
-(expandtypeattribute (servicediscovery_service_27_0) true)
-(expandtypeattribute (servicemanager_27_0) true)
-(expandtypeattribute (servicemanager_exec_27_0) true)
-(expandtypeattribute (settings_service_27_0) true)
-(expandtypeattribute (sgdisk_27_0) true)
-(expandtypeattribute (sgdisk_exec_27_0) true)
-(expandtypeattribute (shared_relro_27_0) true)
-(expandtypeattribute (shared_relro_file_27_0) true)
-(expandtypeattribute (shell_27_0) true)
-(expandtypeattribute (shell_data_file_27_0) true)
-(expandtypeattribute (shell_exec_27_0) true)
-(expandtypeattribute (shell_prop_27_0) true)
-(expandtypeattribute (shm_27_0) true)
-(expandtypeattribute (shortcut_manager_icons_27_0) true)
-(expandtypeattribute (shortcut_service_27_0) true)
-(expandtypeattribute (slideshow_27_0) true)
-(expandtypeattribute (socket_device_27_0) true)
-(expandtypeattribute (sockfs_27_0) true)
-(expandtypeattribute (statusbar_service_27_0) true)
-(expandtypeattribute (storaged_service_27_0) true)
-(expandtypeattribute (storage_file_27_0) true)
-(expandtypeattribute (storagestats_service_27_0) true)
-(expandtypeattribute (storage_stub_file_27_0) true)
-(expandtypeattribute (su_27_0) true)
-(expandtypeattribute (su_exec_27_0) true)
-(expandtypeattribute (surfaceflinger_27_0) true)
-(expandtypeattribute (surfaceflinger_service_27_0) true)
-(expandtypeattribute (swap_block_device_27_0) true)
-(expandtypeattribute (sysfs_27_0) true)
-(expandtypeattribute (sysfs_batteryinfo_27_0) true)
-(expandtypeattribute (sysfs_bluetooth_writable_27_0) true)
-(expandtypeattribute (sysfs_devices_system_cpu_27_0) true)
-(expandtypeattribute (sysfs_fs_ext4_features_27_0) true)
-(expandtypeattribute (sysfs_hwrandom_27_0) true)
-(expandtypeattribute (sysfs_leds_27_0) true)
-(expandtypeattribute (sysfs_lowmemorykiller_27_0) true)
-(expandtypeattribute (sysfs_mac_address_27_0) true)
-(expandtypeattribute (sysfs_nfc_power_writable_27_0) true)
-(expandtypeattribute (sysfs_thermal_27_0) true)
-(expandtypeattribute (sysfs_uio_27_0) true)
-(expandtypeattribute (sysfs_usb_27_0) true)
-(expandtypeattribute (sysfs_usermodehelper_27_0) true)
-(expandtypeattribute (sysfs_vibrator_27_0) true)
-(expandtypeattribute (sysfs_wake_lock_27_0) true)
-(expandtypeattribute (sysfs_wlan_fwpath_27_0) true)
-(expandtypeattribute (sysfs_zram_27_0) true)
-(expandtypeattribute (sysfs_zram_uevent_27_0) true)
-(expandtypeattribute (system_app_27_0) true)
-(expandtypeattribute (system_app_data_file_27_0) true)
-(expandtypeattribute (system_app_service_27_0) true)
-(expandtypeattribute (system_block_device_27_0) true)
-(expandtypeattribute (system_data_file_27_0) true)
-(expandtypeattribute (system_file_27_0) true)
-(expandtypeattribute (systemkeys_data_file_27_0) true)
-(expandtypeattribute (system_ndebug_socket_27_0) true)
-(expandtypeattribute (system_net_netd_hwservice_27_0) true)
-(expandtypeattribute (system_prop_27_0) true)
-(expandtypeattribute (system_radio_prop_27_0) true)
-(expandtypeattribute (system_server_27_0) true)
-(expandtypeattribute (system_wifi_keystore_hwservice_27_0) true)
-(expandtypeattribute (system_wpa_socket_27_0) true)
-(expandtypeattribute (task_service_27_0) true)
-(expandtypeattribute (tee_27_0) true)
-(expandtypeattribute (tee_data_file_27_0) true)
-(expandtypeattribute (tee_device_27_0) true)
-(expandtypeattribute (telecom_service_27_0) true)
-(expandtypeattribute (textclassification_service_27_0) true)
-(expandtypeattribute (textclassifier_data_file_27_0) true)
-(expandtypeattribute (textservices_service_27_0) true)
-(expandtypeattribute (thermalcallback_hwservice_27_0) true)
-(expandtypeattribute (thermal_service_27_0) true)
-(expandtypeattribute (thermalserviced_27_0) true)
-(expandtypeattribute (thermalserviced_exec_27_0) true)
-(expandtypeattribute (timezone_service_27_0) true)
-(expandtypeattribute (tmpfs_27_0) true)
-(expandtypeattribute (tombstoned_27_0) true)
-(expandtypeattribute (tombstone_data_file_27_0) true)
-(expandtypeattribute (tombstoned_crash_socket_27_0) true)
-(expandtypeattribute (tombstoned_exec_27_0) true)
-(expandtypeattribute (tombstoned_intercept_socket_27_0) true)
-(expandtypeattribute (tombstoned_java_trace_socket_27_0) true)
-(expandtypeattribute (toolbox_27_0) true)
-(expandtypeattribute (toolbox_exec_27_0) true)
-(expandtypeattribute (trust_service_27_0) true)
-(expandtypeattribute (tty_device_27_0) true)
-(expandtypeattribute (tun_device_27_0) true)
-(expandtypeattribute (tv_input_service_27_0) true)
-(expandtypeattribute (tzdatacheck_27_0) true)
-(expandtypeattribute (tzdatacheck_exec_27_0) true)
-(expandtypeattribute (ueventd_27_0) true)
-(expandtypeattribute (uhid_device_27_0) true)
-(expandtypeattribute (uimode_service_27_0) true)
-(expandtypeattribute (uio_device_27_0) true)
-(expandtypeattribute (uncrypt_27_0) true)
-(expandtypeattribute (uncrypt_exec_27_0) true)
-(expandtypeattribute (uncrypt_socket_27_0) true)
-(expandtypeattribute (unencrypted_data_file_27_0) true)
-(expandtypeattribute (unlabeled_27_0) true)
-(expandtypeattribute (untrusted_app_25_27_0) true)
-(expandtypeattribute (untrusted_app_27_0) true)
-(expandtypeattribute (untrusted_v2_app_27_0) true)
-(expandtypeattribute (update_engine_27_0) true)
-(expandtypeattribute (update_engine_data_file_27_0) true)
-(expandtypeattribute (update_engine_exec_27_0) true)
-(expandtypeattribute (update_engine_service_27_0) true)
-(expandtypeattribute (updatelock_service_27_0) true)
-(expandtypeattribute (update_verifier_27_0) true)
-(expandtypeattribute (update_verifier_exec_27_0) true)
-(expandtypeattribute (usagestats_service_27_0) true)
-(expandtypeattribute (usbaccessory_device_27_0) true)
-(expandtypeattribute (usb_device_27_0) true)
-(expandtypeattribute (usbfs_27_0) true)
-(expandtypeattribute (usb_service_27_0) true)
-(expandtypeattribute (userdata_block_device_27_0) true)
-(expandtypeattribute (usermodehelper_27_0) true)
-(expandtypeattribute (user_profile_data_file_27_0) true)
-(expandtypeattribute (user_service_27_0) true)
-(expandtypeattribute (vcs_device_27_0) true)
-(expandtypeattribute (vdc_27_0) true)
-(expandtypeattribute (vdc_exec_27_0) true)
-(expandtypeattribute (vendor_app_file_27_0) true)
-(expandtypeattribute (vendor_configs_file_27_0) true)
-(expandtypeattribute (vendor_file_27_0) true)
-(expandtypeattribute (vendor_framework_file_27_0) true)
-(expandtypeattribute (vendor_hal_file_27_0) true)
-(expandtypeattribute (vendor_overlay_file_27_0) true)
-(expandtypeattribute (vendor_shell_exec_27_0) true)
-(expandtypeattribute (vendor_toolbox_exec_27_0) true)
-(expandtypeattribute (vfat_27_0) true)
-(expandtypeattribute (vibrator_service_27_0) true)
-(expandtypeattribute (video_device_27_0) true)
-(expandtypeattribute (virtual_touchpad_27_0) true)
-(expandtypeattribute (virtual_touchpad_exec_27_0) true)
-(expandtypeattribute (virtual_touchpad_service_27_0) true)
-(expandtypeattribute (vndbinder_device_27_0) true)
-(expandtypeattribute (vndk_sp_file_27_0) true)
-(expandtypeattribute (vndservice_contexts_file_27_0) true)
-(expandtypeattribute (vndservicemanager_27_0) true)
-(expandtypeattribute (voiceinteraction_service_27_0) true)
-(expandtypeattribute (vold_27_0) true)
-(expandtypeattribute (vold_data_file_27_0) true)
-(expandtypeattribute (vold_device_27_0) true)
-(expandtypeattribute (vold_exec_27_0) true)
-(expandtypeattribute (vold_prop_27_0) true)
-(expandtypeattribute (vold_socket_27_0) true)
-(expandtypeattribute (vpn_data_file_27_0) true)
-(expandtypeattribute (vr_hwc_27_0) true)
-(expandtypeattribute (vr_hwc_exec_27_0) true)
-(expandtypeattribute (vr_hwc_service_27_0) true)
-(expandtypeattribute (vr_manager_service_27_0) true)
-(expandtypeattribute (wallpaper_file_27_0) true)
-(expandtypeattribute (wallpaper_service_27_0) true)
-(expandtypeattribute (watchdogd_27_0) true)
-(expandtypeattribute (watchdog_device_27_0) true)
-(expandtypeattribute (webviewupdate_service_27_0) true)
-(expandtypeattribute (webview_zygote_27_0) true)
-(expandtypeattribute (webview_zygote_exec_27_0) true)
-(expandtypeattribute (webview_zygote_socket_27_0) true)
-(expandtypeattribute (wifiaware_service_27_0) true)
-(expandtypeattribute (wificond_27_0) true)
-(expandtypeattribute (wificond_exec_27_0) true)
-(expandtypeattribute (wificond_service_27_0) true)
-(expandtypeattribute (wifi_data_file_27_0) true)
-(expandtypeattribute (wifi_log_prop_27_0) true)
-(expandtypeattribute (wifip2p_service_27_0) true)
-(expandtypeattribute (wifi_prop_27_0) true)
-(expandtypeattribute (wifiscanner_service_27_0) true)
-(expandtypeattribute (wifi_service_27_0) true)
-(expandtypeattribute (window_service_27_0) true)
-(expandtypeattribute (wpa_socket_27_0) true)
-(expandtypeattribute (zero_device_27_0) true)
-(expandtypeattribute (zoneinfo_data_file_27_0) true)
-(expandtypeattribute (zygote_27_0) true)
-(expandtypeattribute (zygote_exec_27_0) true)
-(expandtypeattribute (zygote_socket_27_0) true)
-(typeattributeset accessibility_service_27_0 (accessibility_service))
-(typeattributeset account_service_27_0 (account_service))
-(typeattributeset activity_service_27_0 (activity_service))
-(typeattributeset adbd_27_0 (adbd))
-(typeattributeset adb_data_file_27_0 (adb_data_file))
-(typeattributeset adbd_exec_27_0 (adbd_exec))
-(typeattributeset adbd_socket_27_0 (adbd_socket))
-(typeattributeset adb_keys_file_27_0 (adb_keys_file))
-(typeattributeset alarm_device_27_0 (alarm_device))
-(typeattributeset alarm_service_27_0 (alarm_service))
-(typeattributeset anr_data_file_27_0 (anr_data_file))
-(typeattributeset apk_data_file_27_0 (apk_data_file))
-(typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
-(typeattributeset app_data_file_27_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_27_0 (app_fuse_file))
-(typeattributeset app_fusefs_27_0 (app_fusefs))
-(typeattributeset appops_service_27_0 (appops_service))
-(typeattributeset appwidget_service_27_0 (appwidget_service))
-(typeattributeset asec_apk_file_27_0 (asec_apk_file))
-(typeattributeset asec_image_file_27_0 (asec_image_file))
-(typeattributeset asec_public_file_27_0 (asec_public_file))
-(typeattributeset ashmem_device_27_0 (ashmem_device))
-(typeattributeset assetatlas_service_27_0 (assetatlas_service))
-(typeattributeset audio_data_file_27_0 (audio_data_file))
-(typeattributeset audio_device_27_0 (audio_device))
-(typeattributeset audiohal_data_file_27_0 (audiohal_data_file))
-(typeattributeset audio_prop_27_0 (audio_prop))
-(typeattributeset audio_seq_device_27_0 (audio_seq_device))
-(typeattributeset audioserver_27_0 (audioserver))
-(typeattributeset audioserver_data_file_27_0 (audioserver_data_file))
-(typeattributeset audioserver_service_27_0 (audioserver_service))
-(typeattributeset audio_service_27_0 (audio_service))
-(typeattributeset audio_timer_device_27_0 (audio_timer_device))
-(typeattributeset autofill_service_27_0 (autofill_service))
-(typeattributeset backup_data_file_27_0 (backup_data_file))
-(typeattributeset backup_service_27_0 (backup_service))
-(typeattributeset batteryproperties_service_27_0 (batteryproperties_service))
-(typeattributeset battery_service_27_0 (battery_service))
-(typeattributeset batterystats_service_27_0 (batterystats_service))
-(typeattributeset binder_device_27_0 (binder_device))
-(typeattributeset binfmt_miscfs_27_0 (binfmt_miscfs))
-(typeattributeset blkid_27_0 (blkid))
-(typeattributeset blkid_untrusted_27_0 (blkid_untrusted))
-(typeattributeset block_device_27_0 (block_device))
-(typeattributeset bluetooth_27_0 (bluetooth))
-(typeattributeset bluetooth_data_file_27_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_27_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_27_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_27_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_27_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_27_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_27_0 (bluetooth_socket))
-(typeattributeset bootanim_27_0 (bootanim))
-(typeattributeset bootanim_exec_27_0 (bootanim_exec))
-(typeattributeset boot_block_device_27_0 (boot_block_device))
-(typeattributeset bootchart_data_file_27_0 (bootchart_data_file))
-(typeattributeset bootstat_27_0 (bootstat))
-(typeattributeset bootstat_data_file_27_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_27_0 (bootstat_exec))
-(typeattributeset boottime_prop_27_0 (boottime_prop))
-(typeattributeset boottrace_data_file_27_0 (boottrace_data_file))
-(typeattributeset broadcastradio_service_27_0 (broadcastradio_service))
-(typeattributeset bufferhubd_27_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_27_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_27_0 (cache_backup_file))
-(typeattributeset cache_block_device_27_0 (cache_block_device))
-(typeattributeset cache_file_27_0 (cache_file))
-(typeattributeset cache_private_backup_file_27_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_27_0 (cache_recovery_file))
-(typeattributeset camera_data_file_27_0 (camera_data_file))
-(typeattributeset camera_device_27_0 (camera_device))
-(typeattributeset cameraproxy_service_27_0 (cameraproxy_service))
-(typeattributeset cameraserver_27_0 (cameraserver))
-(typeattributeset cameraserver_exec_27_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_27_0 (cameraserver_service))
-(typeattributeset cgroup_27_0 (cgroup))
-(typeattributeset charger_27_0 (charger))
-(typeattributeset clatd_27_0 (clatd))
-(typeattributeset clatd_exec_27_0 (clatd_exec))
-(typeattributeset clipboard_service_27_0 (clipboard_service))
-(typeattributeset commontime_management_service_27_0 (commontime_management_service))
-(typeattributeset companion_device_service_27_0 (companion_device_service))
-(typeattributeset configfs_27_0 (configfs))
-(typeattributeset config_prop_27_0 (config_prop))
-(typeattributeset connectivity_service_27_0 (connectivity_service))
-(typeattributeset connmetrics_service_27_0 (connmetrics_service))
-(typeattributeset console_device_27_0 (console_device))
-(typeattributeset consumer_ir_service_27_0 (consumer_ir_service))
-(typeattributeset content_service_27_0 (content_service))
-(typeattributeset contexthub_service_27_0 (contexthub_service))
-(typeattributeset coredump_file_27_0 (coredump_file))
-(typeattributeset country_detector_service_27_0 (country_detector_service))
-(typeattributeset coverage_service_27_0 (coverage_service))
-(typeattributeset cppreopt_prop_27_0 (cppreopt_prop))
-(typeattributeset cppreopts_27_0 (cppreopts))
-(typeattributeset cppreopts_exec_27_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_27_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_27_0 (cpuinfo_service))
-(typeattributeset crash_dump_27_0 (crash_dump))
-(typeattributeset crash_dump_exec_27_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_27_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_27_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_27_0 (dalvik_prop))
-(typeattributeset dbinfo_service_27_0 (dbinfo_service))
-(typeattributeset debugfs_27_0
- ( debugfs
- debugfs_wakeup_sources))
-(typeattributeset debugfs_mmc_27_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_27_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_27_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_27_0 (debugfs_tracing_debug))
-(typeattributeset debugfs_tracing_instances_27_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_27_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_27_0 (debuggerd_prop))
-(typeattributeset debug_prop_27_0 (debug_prop))
-(typeattributeset default_android_hwservice_27_0 (default_android_hwservice))
-(typeattributeset default_android_service_27_0 (default_android_service))
-(typeattributeset default_android_vndservice_27_0 (default_android_vndservice))
-(typeattributeset default_prop_27_0
- ( default_prop
- pm_prop))
-(typeattributeset device_27_0 (device))
-(typeattributeset device_identifiers_service_27_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_27_0 (deviceidle_service))
-(typeattributeset device_logging_prop_27_0 (device_logging_prop))
-(typeattributeset device_policy_service_27_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_27_0 (devicestoragemonitor_service))
-(typeattributeset devpts_27_0 (devpts))
-(typeattributeset dex2oat_27_0 (dex2oat))
-(typeattributeset dex2oat_exec_27_0 (dex2oat_exec))
-(typeattributeset dhcp_27_0 (dhcp))
-(typeattributeset dhcp_data_file_27_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_27_0 (dhcp_exec))
-(typeattributeset dhcp_prop_27_0 (dhcp_prop))
-(typeattributeset diskstats_service_27_0 (diskstats_service))
-(typeattributeset display_service_27_0 (display_service))
-(typeattributeset dm_device_27_0 (dm_device))
-(typeattributeset dnsmasq_27_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_27_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_27_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_27_0 (DockObserver_service))
-(typeattributeset dreams_service_27_0 (dreams_service))
-(typeattributeset drm_data_file_27_0 (drm_data_file))
-(typeattributeset drmserver_27_0 (drmserver))
-(typeattributeset drmserver_exec_27_0 (drmserver_exec))
-(typeattributeset drmserver_service_27_0 (drmserver_service))
-(typeattributeset drmserver_socket_27_0 (drmserver_socket))
-(typeattributeset dropbox_service_27_0 (dropbox_service))
-(typeattributeset dumpstate_27_0 (dumpstate))
-(typeattributeset dumpstate_exec_27_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_27_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_27_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_27_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_27_0 (dumpstate_socket))
-(typeattributeset e2fs_27_0 (e2fs))
-(typeattributeset e2fs_exec_27_0 (e2fs_exec))
-(typeattributeset efs_file_27_0 (efs_file))
-(typeattributeset ephemeral_app_27_0 (ephemeral_app))
-(typeattributeset ethernet_service_27_0 (ethernet_service))
-(typeattributeset ffs_prop_27_0 (ffs_prop))
-(typeattributeset file_contexts_file_27_0 (file_contexts_file))
-(typeattributeset fingerprintd_27_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_27_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_27_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_27_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_27_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_27_0 (fingerprint_service))
-(typeattributeset firstboot_prop_27_0 (firstboot_prop))
-(typeattributeset font_service_27_0 (font_service))
-(typeattributeset frp_block_device_27_0 (frp_block_device))
-(typeattributeset fsck_27_0 (fsck))
-(typeattributeset fsck_exec_27_0 (fsck_exec))
-(typeattributeset fscklogs_27_0 (fscklogs))
-(typeattributeset fsck_untrusted_27_0 (fsck_untrusted))
-(typeattributeset full_device_27_0 (full_device))
-(typeattributeset functionfs_27_0 (functionfs))
-(typeattributeset fuse_27_0 (fuse))
-(typeattributeset fuse_device_27_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_27_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_27_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_27_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_27_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_27_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_27_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_27_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_27_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_27_0 (gfxinfo_service))
-(typeattributeset gps_control_27_0 (gps_control))
-(typeattributeset gpu_device_27_0 (gpu_device))
-(typeattributeset gpu_service_27_0 (gpu_service))
-(typeattributeset graphics_device_27_0 (graphics_device))
-(typeattributeset graphicsstats_service_27_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_27_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_27_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_27_0 (hal_bootctl_hwservice))
-(typeattributeset hal_broadcastradio_hwservice_27_0 (hal_broadcastradio_hwservice))
-(typeattributeset hal_camera_hwservice_27_0 (hal_camera_hwservice))
-(typeattributeset hal_cas_hwservice_27_0 (hal_cas_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_27_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_27_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_27_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_27_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_27_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_27_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_27_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_27_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_27_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_27_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_27_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_27_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_27_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_27_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_27_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_27_0 (hal_memtrack_hwservice))
-(typeattributeset hal_neuralnetworks_hwservice_27_0 (hal_neuralnetworks_hwservice))
-(typeattributeset hal_nfc_hwservice_27_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_27_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_27_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_27_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_27_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_27_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_27_0 (hal_telephony_hwservice))
-(typeattributeset hal_tetheroffload_hwservice_27_0 (hal_tetheroffload_hwservice))
-(typeattributeset hal_thermal_hwservice_27_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_27_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_27_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_27_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_27_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_27_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_27_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_27_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_offload_hwservice_27_0 (hal_wifi_offload_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_27_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_27_0 (hardware_properties_service))
-(typeattributeset hardware_service_27_0 (hardware_service))
-(typeattributeset hci_attach_dev_27_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_27_0 (hdmi_control_service))
-(typeattributeset healthd_27_0 (healthd))
-(typeattributeset healthd_exec_27_0 (healthd_exec))
-(typeattributeset heapdump_data_file_27_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_27_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_27_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_27_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_27_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_27_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_27_0 (hwbinder_device))
-(typeattributeset hw_random_device_27_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_27_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_27_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_27_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_27_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_27_0 (i2c_device))
-(typeattributeset icon_file_27_0 (icon_file))
-(typeattributeset idmap_27_0 (idmap))
-(typeattributeset idmap_exec_27_0 (idmap_exec))
-(typeattributeset iio_device_27_0 (iio_device))
-(typeattributeset imms_service_27_0 (imms_service))
-(typeattributeset incident_27_0 (incident))
-(typeattributeset incidentd_27_0 (incidentd))
-(typeattributeset incident_data_file_27_0 (incident_data_file))
-(typeattributeset incident_service_27_0 (incident_service))
-(typeattributeset init_27_0 (init))
-(typeattributeset init_exec_27_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_27_0 (inotify))
-(typeattributeset input_device_27_0 (input_device))
-(typeattributeset inputflinger_27_0 (inputflinger))
-(typeattributeset inputflinger_exec_27_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_27_0 (inputflinger_service))
-(typeattributeset input_method_service_27_0 (input_method_service))
-(typeattributeset input_service_27_0 (input_service))
-(typeattributeset installd_27_0 (installd))
-(typeattributeset install_data_file_27_0 (install_data_file))
-(typeattributeset installd_exec_27_0 (installd_exec))
-(typeattributeset installd_service_27_0 (installd_service))
-(typeattributeset install_recovery_27_0 (install_recovery))
-(typeattributeset install_recovery_exec_27_0 (install_recovery_exec))
-(typeattributeset ion_device_27_0 (ion_device))
-(typeattributeset IProxyService_service_27_0 (IProxyService_service))
-(typeattributeset ipsec_service_27_0 (ipsec_service))
-(typeattributeset isolated_app_27_0 (isolated_app))
-(typeattributeset jobscheduler_service_27_0 (jobscheduler_service))
-(typeattributeset kernel_27_0 (kernel))
-(typeattributeset keychain_data_file_27_0 (keychain_data_file))
-(typeattributeset keychord_device_27_0 (keychord_device))
-(typeattributeset keystore_27_0 (keystore))
-(typeattributeset keystore_data_file_27_0 (keystore_data_file))
-(typeattributeset keystore_exec_27_0 (keystore_exec))
-(typeattributeset keystore_service_27_0 (keystore_service))
-(typeattributeset kmem_device_27_0 (kmem_device))
-(typeattributeset kmsg_debug_device_27_0 (kmsg_debug_device))
-(typeattributeset kmsg_device_27_0 (kmsg_device))
-(typeattributeset labeledfs_27_0 (labeledfs))
-(typeattributeset launcherapps_service_27_0 (launcherapps_service))
-(typeattributeset lmkd_27_0 (lmkd))
-(typeattributeset lmkd_exec_27_0 (lmkd_exec))
-(typeattributeset lmkd_socket_27_0 (lmkd_socket))
-(typeattributeset location_service_27_0 (location_service))
-(typeattributeset lock_settings_service_27_0 (lock_settings_service))
-(typeattributeset logcat_exec_27_0 (logcat_exec))
-(typeattributeset logd_27_0 (logd))
-(typeattributeset logd_exec_27_0 (logd_exec))
-(typeattributeset logd_prop_27_0 (logd_prop))
-(typeattributeset logdr_socket_27_0 (logdr_socket))
-(typeattributeset logd_socket_27_0 (logd_socket))
-(typeattributeset logdw_socket_27_0 (logdw_socket))
-(typeattributeset logpersist_27_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_27_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_27_0 (log_prop))
-(typeattributeset log_tag_prop_27_0 (log_tag_prop))
-(typeattributeset loop_control_device_27_0 (loop_control_device))
-(typeattributeset loop_device_27_0 (loop_device))
-(typeattributeset mac_perms_file_27_0 (mac_perms_file))
-(typeattributeset mdnsd_27_0 (mdnsd))
-(typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
-(typeattributeset mdns_socket_27_0 (mdns_socket))
-(typeattributeset hal_omx_server (mediacodec_27_0))
-(typeattributeset mediacodec_27_0 (mediacodec))
-(typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_27_0 (mediacodec_service))
-(typeattributeset media_data_file_27_0 (media_data_file))
-(typeattributeset mediadrmserver_27_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_27_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_27_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_27_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_27_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_27_0 (mediaextractor_service))
-(typeattributeset mediametrics_27_0 (mediametrics))
-(typeattributeset mediametrics_exec_27_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_27_0 (mediametrics_service))
-(typeattributeset media_projection_service_27_0 (media_projection_service))
-(typeattributeset mediaprovider_27_0 (mediaprovider))
-(typeattributeset media_router_service_27_0 (media_router_service))
-(typeattributeset media_rw_data_file_27_0 (media_rw_data_file))
-(typeattributeset mediaserver_27_0 (mediaserver))
-(typeattributeset mediaserver_exec_27_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_27_0 (mediaserver_service))
-(typeattributeset media_session_service_27_0 (media_session_service))
-(typeattributeset meminfo_service_27_0 (meminfo_service))
-(typeattributeset metadata_block_device_27_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_27_0 (method_trace_data_file))
-(typeattributeset midi_service_27_0 (midi_service))
-(typeattributeset misc_block_device_27_0 (misc_block_device))
-(typeattributeset misc_logd_file_27_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_27_0 (misc_user_data_file))
-(typeattributeset mmc_prop_27_0 (mmc_prop))
-(typeattributeset mnt_expand_file_27_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_27_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_27_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_27_0 (mnt_user_file))
-(typeattributeset modprobe_27_0 (modprobe))
-(typeattributeset mount_service_27_0 (mount_service))
-(typeattributeset mqueue_27_0 (mqueue))
-(typeattributeset mtd_device_27_0 (mtd_device))
-(typeattributeset mtp_27_0 (mtp))
-(typeattributeset mtp_device_27_0 (mtp_device))
-(typeattributeset mtpd_socket_27_0 (mtpd_socket))
-(typeattributeset mtp_exec_27_0 (mtp_exec))
-(typeattributeset nativetest_data_file_27_0 (nativetest_data_file))
-(typeattributeset netd_27_0 (netd))
-(typeattributeset net_data_file_27_0 (net_data_file))
-(typeattributeset netd_exec_27_0 (netd_exec))
-(typeattributeset netd_listener_service_27_0 (netd_listener_service))
-(typeattributeset net_dns_prop_27_0 (net_dns_prop))
-(typeattributeset netd_service_27_0 (netd_service))
-(typeattributeset netd_socket_27_0 (netd_socket))
-(typeattributeset netd_stable_secret_prop_27_0 (netd_stable_secret_prop))
-(typeattributeset netif_27_0 (netif))
-(typeattributeset netpolicy_service_27_0 (netpolicy_service))
-(typeattributeset net_radio_prop_27_0 (net_radio_prop))
-(typeattributeset netstats_service_27_0 (netstats_service))
-(typeattributeset netutils_wrapper_27_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_27_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_27_0 (network_management_service))
-(typeattributeset network_score_service_27_0 (network_score_service))
-(typeattributeset network_time_update_service_27_0 (network_time_update_service))
-(typeattributeset nfc_27_0 (nfc))
-(typeattributeset nfc_data_file_27_0 (nfc_data_file))
-(typeattributeset nfc_device_27_0 (nfc_device))
-(typeattributeset nfc_prop_27_0 (nfc_prop))
-(typeattributeset nfc_service_27_0 (nfc_service))
-(typeattributeset node_27_0 (node))
-(typeattributeset nonplat_service_contexts_file_27_0 (nonplat_service_contexts_file))
-(typeattributeset notification_service_27_0 (notification_service))
-(typeattributeset null_device_27_0 (null_device))
-(typeattributeset oemfs_27_0 (oemfs))
-(typeattributeset oem_lock_service_27_0 (oem_lock_service))
-(typeattributeset ota_data_file_27_0 (ota_data_file))
-(typeattributeset otadexopt_service_27_0 (otadexopt_service))
-(typeattributeset ota_package_file_27_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_27_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_27_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_27_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_27_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_27_0 (overlay_prop))
-(typeattributeset overlay_service_27_0 (overlay_service))
-(typeattributeset owntty_device_27_0 (owntty_device))
-(typeattributeset package_native_service_27_0 (package_native_service))
-(typeattributeset package_service_27_0 (package_service))
-(typeattributeset pan_result_prop_27_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_27_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_27_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_27_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_27_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_27_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_27_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_27_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_27_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_27_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_27_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_27_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_27_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_27_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_27_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir))
-(typeattributeset performanced_27_0 (performanced))
-(typeattributeset performanced_exec_27_0 (performanced_exec))
-(typeattributeset permission_service_27_0 (permission_service))
-(typeattributeset persist_debug_prop_27_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_27_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_27_0 (pinner_service))
-(typeattributeset pipefs_27_0 (pipefs))
-(typeattributeset platform_app_27_0 (platform_app))
-(typeattributeset pmsg_device_27_0 (pmsg_device))
-(typeattributeset port_27_0 (port))
-(typeattributeset port_device_27_0 (port_device))
-(typeattributeset postinstall_27_0 (postinstall))
-(typeattributeset postinstall_dexopt_27_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_27_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_27_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_27_0 (powerctl_prop))
-(typeattributeset power_service_27_0 (power_service))
-(typeattributeset ppp_27_0 (ppp))
-(typeattributeset ppp_device_27_0 (ppp_device))
-(typeattributeset ppp_exec_27_0 (ppp_exec))
-(typeattributeset preloads_data_file_27_0 (preloads_data_file))
-(typeattributeset preloads_media_file_27_0 (preloads_media_file))
-(typeattributeset preopt2cachename_27_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_27_0 (preopt2cachename_exec))
-(typeattributeset print_service_27_0 (print_service))
-(typeattributeset priv_app_27_0 (priv_app))
-(typeattributeset proc_27_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_27_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_27_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_27_0 (proc_drop_caches))
-(typeattributeset processinfo_service_27_0 (processinfo_service))
-(typeattributeset proc_interrupts_27_0 (proc_interrupts))
-(typeattributeset proc_iomem_27_0 (proc_iomem))
-(typeattributeset proc_meminfo_27_0 (proc_meminfo))
-(typeattributeset proc_misc_27_0 (proc_misc))
-(typeattributeset proc_modules_27_0 (proc_modules))
-(typeattributeset proc_net_27_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_27_0 (proc_perf))
-(typeattributeset proc_security_27_0 (proc_security))
-(typeattributeset proc_stat_27_0 (proc_stat))
-(typeattributeset procstats_service_27_0 (procstats_service))
-(typeattributeset proc_sysrq_27_0 (proc_sysrq))
-(typeattributeset proc_timer_27_0 (proc_timer))
-(typeattributeset proc_tty_drivers_27_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_27_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_27_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_27_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_27_0 (proc_uid_procstat_set))
-(typeattributeset proc_uid_time_in_state_27_0 (proc_uid_time_in_state))
-(typeattributeset proc_zoneinfo_27_0 (proc_zoneinfo))
-(typeattributeset profman_27_0 (profman))
-(typeattributeset profman_dump_data_file_27_0 (profman_dump_data_file))
-(typeattributeset profman_exec_27_0 (profman_exec))
-(typeattributeset properties_device_27_0 (properties_device))
-(typeattributeset properties_serial_27_0 (properties_serial))
-(typeattributeset property_contexts_file_27_0 (property_contexts_file))
-(typeattributeset property_data_file_27_0 (property_data_file))
-(typeattributeset property_socket_27_0 (property_socket))
-(typeattributeset pstorefs_27_0 (pstorefs))
-(typeattributeset ptmx_device_27_0 (ptmx_device))
-(typeattributeset qtaguid_device_27_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_27_0
- ( proc_qtaguid_ctrl
- qtaguid_proc))
-(typeattributeset racoon_27_0 (racoon))
-(typeattributeset racoon_exec_27_0 (racoon_exec))
-(typeattributeset racoon_socket_27_0 (racoon_socket))
-(typeattributeset radio_27_0 (radio))
-(typeattributeset radio_data_file_27_0 (radio_data_file))
-(typeattributeset radio_device_27_0 (radio_device))
-(typeattributeset radio_prop_27_0 (radio_prop))
-(typeattributeset radio_service_27_0 (radio_service))
-(typeattributeset ram_device_27_0 (ram_device))
-(typeattributeset random_device_27_0 (random_device))
-(typeattributeset reboot_data_file_27_0 (reboot_data_file))
-(typeattributeset recovery_27_0 (recovery))
-(typeattributeset recovery_block_device_27_0 (recovery_block_device))
-(typeattributeset recovery_data_file_27_0 (recovery_data_file))
-(typeattributeset recovery_persist_27_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_27_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_27_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_27_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_27_0 (recovery_service))
-(typeattributeset registry_service_27_0 (registry_service))
-(typeattributeset resourcecache_data_file_27_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_27_0 (restorecon_prop))
-(typeattributeset restrictions_service_27_0 (restrictions_service))
-(typeattributeset rild_27_0 (rild))
-(typeattributeset rild_debug_socket_27_0 (rild_debug_socket))
-(typeattributeset rild_socket_27_0 (rild_socket))
-(typeattributeset ringtone_file_27_0 (ringtone_file))
-(typeattributeset root_block_device_27_0 (root_block_device))
-(typeattributeset rootfs_27_0 (rootfs))
-(typeattributeset rpmsg_device_27_0 (rpmsg_device))
-(typeattributeset rtc_device_27_0 (rtc_device))
-(typeattributeset rttmanager_service_27_0 (rttmanager_service))
-(typeattributeset runas_27_0 (runas))
-(typeattributeset runas_exec_27_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_27_0 (safemode_prop))
-(typeattributeset same_process_hal_file_27_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
-(typeattributeset sdcardd_27_0 (sdcardd))
-(typeattributeset sdcardd_exec_27_0 (sdcardd_exec))
-(typeattributeset sdcardfs_27_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_27_0 (seapp_contexts_file))
-(typeattributeset search_service_27_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_27_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_27_0 (selinuxfs))
-(typeattributeset sensors_device_27_0 (sensors_device))
-(typeattributeset sensorservice_service_27_0 (sensorservice_service))
-(typeattributeset sepolicy_file_27_0 (sepolicy_file))
-(typeattributeset serial_device_27_0 (serial_device))
-(typeattributeset serialno_prop_27_0 (serialno_prop))
-(typeattributeset serial_service_27_0 (serial_service))
-(typeattributeset service_contexts_file_27_0 (service_contexts_file))
-(typeattributeset servicediscovery_service_27_0 (servicediscovery_service))
-(typeattributeset servicemanager_27_0 (servicemanager))
-(typeattributeset servicemanager_exec_27_0 (servicemanager_exec))
-(typeattributeset settings_service_27_0 (settings_service))
-(typeattributeset sgdisk_27_0 (sgdisk))
-(typeattributeset sgdisk_exec_27_0 (sgdisk_exec))
-(typeattributeset shared_relro_27_0 (shared_relro))
-(typeattributeset shared_relro_file_27_0 (shared_relro_file))
-(typeattributeset shell_27_0 (shell))
-(typeattributeset shell_data_file_27_0 (shell_data_file))
-(typeattributeset shell_exec_27_0 (shell_exec))
-(typeattributeset shell_prop_27_0 (shell_prop))
-(typeattributeset shm_27_0 (shm))
-(typeattributeset shortcut_manager_icons_27_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_27_0 (shortcut_service))
-(typeattributeset slideshow_27_0 (slideshow))
-(typeattributeset socket_device_27_0 (socket_device))
-(typeattributeset sockfs_27_0 (sockfs))
-(typeattributeset statusbar_service_27_0 (statusbar_service))
-(typeattributeset storaged_service_27_0 (storaged_service))
-(typeattributeset storage_file_27_0 (storage_file))
-(typeattributeset storagestats_service_27_0 (storagestats_service))
-(typeattributeset storage_stub_file_27_0 (storage_stub_file))
-(typeattributeset su_27_0 (su))
-(typeattributeset su_exec_27_0 (su_exec))
-(typeattributeset surfaceflinger_27_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_27_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_27_0 (swap_block_device))
-(typeattributeset sysfs_27_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_27_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_27_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_27_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_fs_ext4_features_27_0 (sysfs_fs_ext4_features))
-(typeattributeset sysfs_hwrandom_27_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_27_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_27_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_27_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_27_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_27_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_27_0 (sysfs_uio))
-(typeattributeset sysfs_usb_27_0 (sysfs_usb))
-(typeattributeset sysfs_usermodehelper_27_0 (sysfs_usermodehelper))
-(typeattributeset sysfs_vibrator_27_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_27_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_27_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_27_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_27_0 (sysfs_zram_uevent))
-(typeattributeset system_app_27_0 (system_app))
-(typeattributeset system_app_data_file_27_0 (system_app_data_file))
-(typeattributeset system_app_service_27_0 (system_app_service))
-(typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_27_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
-(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
-(typeattributeset system_prop_27_0 (system_prop))
-(typeattributeset system_radio_prop_27_0 (system_radio_prop))
-(typeattributeset system_server_27_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_27_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_27_0 (system_wpa_socket))
-(typeattributeset task_service_27_0 (task_service))
-(typeattributeset tee_27_0 (tee))
-(typeattributeset tee_data_file_27_0 (tee_data_file))
-(typeattributeset tee_device_27_0 (tee_device))
-(typeattributeset telecom_service_27_0 (telecom_service))
-(typeattributeset textclassification_service_27_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_27_0 (textclassifier_data_file))
-(typeattributeset textservices_service_27_0 (textservices_service))
-(typeattributeset thermalcallback_hwservice_27_0 (thermalcallback_hwservice))
-(typeattributeset thermal_service_27_0 (thermal_service))
-(typeattributeset thermalserviced_27_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_27_0 (thermalserviced_exec))
-(typeattributeset timezone_service_27_0 (timezone_service))
-(typeattributeset tmpfs_27_0 (tmpfs))
-(typeattributeset tombstoned_27_0 (tombstoned))
-(typeattributeset tombstone_data_file_27_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_27_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_27_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_27_0 (tombstoned_intercept_socket))
-(typeattributeset tombstoned_java_trace_socket_27_0 (tombstoned_java_trace_socket))
-(typeattributeset toolbox_27_0 (toolbox))
-(typeattributeset toolbox_exec_27_0 (toolbox_exec))
-(typeattributeset trust_service_27_0 (trust_service))
-(typeattributeset tty_device_27_0 (tty_device))
-(typeattributeset tun_device_27_0 (tun_device))
-(typeattributeset tv_input_service_27_0 (tv_input_service))
-(typeattributeset tzdatacheck_27_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_27_0 (tzdatacheck_exec))
-(typeattributeset ueventd_27_0 (ueventd))
-(typeattributeset uhid_device_27_0 (uhid_device))
-(typeattributeset uimode_service_27_0 (uimode_service))
-(typeattributeset uio_device_27_0 (uio_device))
-(typeattributeset uncrypt_27_0 (uncrypt))
-(typeattributeset uncrypt_exec_27_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_27_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
-(typeattributeset unlabeled_27_0 (unlabeled))
-(typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
-(typeattributeset update_engine_27_0 (update_engine))
-(typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_27_0 (update_engine_exec))
-(typeattributeset update_engine_service_27_0 (update_engine_service))
-(typeattributeset updatelock_service_27_0 (updatelock_service))
-(typeattributeset update_verifier_27_0 (update_verifier))
-(typeattributeset update_verifier_exec_27_0 (update_verifier_exec))
-(typeattributeset usagestats_service_27_0 (usagestats_service))
-(typeattributeset usbaccessory_device_27_0 (usbaccessory_device))
-(typeattributeset usb_device_27_0 (usb_device))
-(typeattributeset usbfs_27_0 (usbfs))
-(typeattributeset usb_service_27_0 (usb_service))
-(typeattributeset userdata_block_device_27_0 (userdata_block_device))
-(typeattributeset usermodehelper_27_0 (usermodehelper))
-(typeattributeset user_profile_data_file_27_0 (user_profile_data_file))
-(typeattributeset user_service_27_0 (user_service))
-(typeattributeset vcs_device_27_0 (vcs_device))
-(typeattributeset vdc_27_0 (vdc))
-(typeattributeset vdc_exec_27_0 (vdc_exec))
-(typeattributeset vendor_app_file_27_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_27_0 (vendor_configs_file))
-(typeattributeset vendor_file_27_0 (vendor_file))
-(typeattributeset vendor_framework_file_27_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_27_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_27_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
-(typeattributeset vfat_27_0 (vfat))
-(typeattributeset vibrator_service_27_0 (vibrator_service))
-(typeattributeset video_device_27_0 (video_device))
-(typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_27_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_27_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_27_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_27_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_27_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_27_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_27_0 (voiceinteraction_service))
-(typeattributeset vold_27_0 (vold))
-(typeattributeset vold_data_file_27_0 (vold_data_file))
-(typeattributeset vold_device_27_0 (vold_device))
-(typeattributeset vold_exec_27_0 (vold_exec))
-(typeattributeset vold_prop_27_0 (vold_prop))
-(typeattributeset vold_socket_27_0 (vold_socket))
-(typeattributeset vpn_data_file_27_0 (vpn_data_file))
-(typeattributeset vr_hwc_27_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_27_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_27_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_27_0 (vr_manager_service))
-(typeattributeset wallpaper_file_27_0 (wallpaper_file))
-(typeattributeset wallpaper_service_27_0 (wallpaper_service))
-(typeattributeset watchdogd_27_0 (watchdogd))
-(typeattributeset watchdog_device_27_0 (watchdog_device))
-(typeattributeset webviewupdate_service_27_0 (webviewupdate_service))
-(typeattributeset webview_zygote_27_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_27_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_27_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_27_0 (wifiaware_service))
-(typeattributeset wificond_27_0 (wificond))
-(typeattributeset wificond_exec_27_0 (wificond_exec))
-(typeattributeset wificond_service_27_0 (wificond_service))
-(typeattributeset wifi_data_file_27_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_27_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_27_0 (wifip2p_service))
-(typeattributeset wifi_prop_27_0 (wifi_prop))
-(typeattributeset wifiscanner_service_27_0 (wifiscanner_service))
-(typeattributeset wifi_service_27_0 (wifi_service))
-(typeattributeset window_service_27_0 (window_service))
-(typeattributeset wpa_socket_27_0 (wpa_socket))
-(typeattributeset zero_device_27_0 (zero_device))
-(typeattributeset zoneinfo_data_file_27_0 (zoneinfo_data_file))
-(typeattributeset zygote_27_0 (zygote))
-(typeattributeset zygote_exec_27_0 (zygote_exec))
-(typeattributeset zygote_socket_27_0 (zygote_socket))
diff --git a/prebuilts/api/30.0/private/compat/27.0/27.0.compat.cil b/prebuilts/api/30.0/private/compat/27.0/27.0.compat.cil
deleted file mode 100644
index 30af58c..0000000
--- a/prebuilts/api/30.0/private/compat/27.0/27.0.compat.cil
+++ /dev/null
@@ -1,5 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
-(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/prebuilts/api/30.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/30.0/private/compat/27.0/27.0.ignore.cil
deleted file mode 100644
index cb500c9..0000000
--- a/prebuilts/api/30.0/private/compat/27.0/27.0.ignore.cil
+++ /dev/null
@@ -1,206 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- activity_task_service
- adb_service
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- atrace
- binder_calls_stats_service
- biometric_service
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- bootloader_boot_reason_prop
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- cgroup_bpf
- charger_exec
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_apexd_prop
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- exfat
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_radio_prop
- exported3_system_prop
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- fastbootd
- flags_health_check
- flags_health_check_exec
- fingerprint_vendor_data_file
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_lowpan_hwservice
- hal_secure_element_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_hostapd_hwservice
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- last_boot_reason_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- mediaextractor_update_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- metadata_bootstat_file
- metadata_file
- mnt_product_file
- mnt_vendor_file
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- overlayfs_file
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- property_info
- recovery_socket
- role_service
- runas_app
- art_apex_dir
- runtime_service
- secure_element
- secure_element_device
- secure_element_service
- secure_element_tmpfs
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- socket_hook_prop
- stats
- stats_data_file
- stats_exec
- stats_service
- statscompanion_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- storaged_data_file
- super_block_device
- staging_data_file
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_update_service
- test_boot_reason_prop
- time_prop
- timedetector_service
- tombstone_wifi_data_file
- trace_data_file
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- traceur_app
- traceur_app_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- uri_grants_service
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_apex_file
- vendor_default_prop
- vendor_init
- vendor_security_patch_level_prop
- vendor_shell
- vendor_socket_hook_prop
- vndk_prop
- vold_metadata_file
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vrflinger_vsync_service
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wm_trace_data_file
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/30.0/vendor_sepolicy.cil b/prebuilts/api/30.0/vendor_sepolicy.cil
deleted file mode 100644
index 4a3aac3..0000000
--- a/prebuilts/api/30.0/vendor_sepolicy.cil
+++ /dev/null
@@ -1 +0,0 @@
-;; empty stub
diff --git a/prebuilts/api/31.0/plat_pub_versioned.cil b/prebuilts/api/31.0/plat_pub_versioned.cil
deleted file mode 100644
index 9a086c5..0000000
--- a/prebuilts/api/31.0/plat_pub_versioned.cil
+++ /dev/null
@@ -1,3301 +0,0 @@
-(type DockObserver_service)
-(type IProxyService_service)
-(type aac_drc_prop)
-(type aaudio_config_prop)
-(type ab_update_gki_prop)
-(type accessibility_service)
-(type account_service)
-(type activity_service)
-(type activity_task_service)
-(type adb_data_file)
-(type adb_keys_file)
-(type adb_service)
-(type adbd)
-(type adbd_config_prop)
-(type adbd_exec)
-(type adbd_socket)
-(type aidl_lazy_test_server)
-(type aidl_lazy_test_server_exec)
-(type aidl_lazy_test_service)
-(type alarm_service)
-(type anr_data_file)
-(type apc_service)
-(type apex_appsearch_data_file)
-(type apex_data_file)
-(type apex_info_file)
-(type apex_metadata_file)
-(type apex_mnt_dir)
-(type apex_module_data_file)
-(type apex_ota_reserved_file)
-(type apex_permission_data_file)
-(type apex_rollback_data_file)
-(type apex_scheduling_data_file)
-(type apex_service)
-(type apex_wifi_data_file)
-(type apexd)
-(type apexd_config_prop)
-(type apexd_exec)
-(type apexd_prop)
-(type apk_data_file)
-(type apk_private_data_file)
-(type apk_private_tmp_file)
-(type apk_tmp_file)
-(type apk_verity_prop)
-(type app_binding_service)
-(type app_data_file)
-(type app_fuse_file)
-(type app_fusefs)
-(type app_hibernation_service)
-(type app_integrity_service)
-(type app_prediction_service)
-(type app_search_service)
-(type app_zygote)
-(type app_zygote_tmpfs)
-(type appcompat_data_file)
-(type appdomain_tmpfs)
-(type appops_service)
-(type appwidget_service)
-(type arm64_memtag_prop)
-(type art_apex_dir)
-(type asec_apk_file)
-(type asec_image_file)
-(type asec_public_file)
-(type ashmem_device)
-(type ashmem_libcutils_device)
-(type assetatlas_service)
-(type atrace)
-(type audio_config_prop)
-(type audio_data_file)
-(type audio_device)
-(type audio_prop)
-(type audio_service)
-(type audiohal_data_file)
-(type audioserver)
-(type audioserver_data_file)
-(type audioserver_service)
-(type audioserver_tmpfs)
-(type auth_service)
-(type authorization_service)
-(type autofill_service)
-(type backup_data_file)
-(type backup_service)
-(type battery_service)
-(type batteryproperties_service)
-(type batterystats_service)
-(type binder_cache_bluetooth_server_prop)
-(type binder_cache_system_server_prop)
-(type binder_cache_telephony_server_prop)
-(type binder_calls_stats_service)
-(type binder_device)
-(type binderfs)
-(type binderfs_logs)
-(type binderfs_logs_proc)
-(type binfmt_miscfs)
-(type biometric_service)
-(type blkid)
-(type blkid_untrusted)
-(type blob_store_service)
-(type block_device)
-(type bluetooth)
-(type bluetooth_a2dp_offload_prop)
-(type bluetooth_audio_hal_prop)
-(type bluetooth_data_file)
-(type bluetooth_efs_file)
-(type bluetooth_logs_data_file)
-(type bluetooth_manager_service)
-(type bluetooth_prop)
-(type bluetooth_service)
-(type bluetooth_socket)
-(type boot_block_device)
-(type boot_status_prop)
-(type bootanim)
-(type bootanim_config_prop)
-(type bootanim_exec)
-(type bootanim_system_prop)
-(type bootchart_data_file)
-(type bootloader_boot_reason_prop)
-(type bootloader_prop)
-(type bootstat)
-(type bootstat_data_file)
-(type bootstat_exec)
-(type boottime_prop)
-(type boottime_public_prop)
-(type boottrace_data_file)
-(type bpf_progs_loaded_prop)
-(type bq_config_prop)
-(type broadcastradio_service)
-(type bufferhubd)
-(type bufferhubd_exec)
-(type bugreport_service)
-(type build_bootimage_prop)
-(type build_config_prop)
-(type build_odm_prop)
-(type build_prop)
-(type build_vendor_prop)
-(type cache_backup_file)
-(type cache_block_device)
-(type cache_file)
-(type cache_private_backup_file)
-(type cache_recovery_file)
-(type cacheinfo_service)
-(type camera2_extensions_prop)
-(type camera_calibration_prop)
-(type camera_config_prop)
-(type camera_data_file)
-(type camera_device)
-(type cameraproxy_service)
-(type cameraserver)
-(type cameraserver_exec)
-(type cameraserver_service)
-(type cameraserver_tmpfs)
-(type camerax_extensions_prop)
-(type cgroup)
-(type cgroup_desc_api_file)
-(type cgroup_desc_file)
-(type cgroup_rc_file)
-(type cgroup_v2)
-(type charger)
-(type charger_config_prop)
-(type charger_exec)
-(type charger_prop)
-(type charger_status_prop)
-(type clipboard_service)
-(type codec2_config_prop)
-(type cold_boot_done_prop)
-(type color_display_service)
-(type companion_device_service)
-(type config_prop)
-(type configfs)
-(type connectivity_service)
-(type connmetrics_service)
-(type console_device)
-(type consumer_ir_service)
-(type content_capture_service)
-(type content_service)
-(type content_suggestions_service)
-(type contexthub_service)
-(type coredump_file)
-(type country_detector_service)
-(type coverage_service)
-(type cppreopt_prop)
-(type cpu_variant_prop)
-(type cpuinfo_service)
-(type crash_dump)
-(type crash_dump_exec)
-(type credstore)
-(type credstore_data_file)
-(type credstore_exec)
-(type credstore_service)
-(type crossprofileapps_service)
-(type ctl_adbd_prop)
-(type ctl_apexd_prop)
-(type ctl_bootanim_prop)
-(type ctl_bugreport_prop)
-(type ctl_console_prop)
-(type ctl_default_prop)
-(type ctl_dumpstate_prop)
-(type ctl_fuse_prop)
-(type ctl_gsid_prop)
-(type ctl_interface_restart_prop)
-(type ctl_interface_start_prop)
-(type ctl_interface_stop_prop)
-(type ctl_mdnsd_prop)
-(type ctl_restart_prop)
-(type ctl_rildaemon_prop)
-(type ctl_sigstop_prop)
-(type ctl_start_prop)
-(type ctl_stop_prop)
-(type dalvik_config_prop)
-(type dalvik_prop)
-(type dalvik_runtime_prop)
-(type dalvikcache_data_file)
-(type dataloader_manager_service)
-(type dbinfo_service)
-(type dck_prop)
-(type debug_prop)
-(type debugfs)
-(type debugfs_bootreceiver_tracing)
-(type debugfs_kprobes)
-(type debugfs_mm_events_tracing)
-(type debugfs_mmc)
-(type debugfs_restriction_prop)
-(type debugfs_trace_marker)
-(type debugfs_tracing)
-(type debugfs_tracing_debug)
-(type debugfs_tracing_instances)
-(type debugfs_tracing_printk_formats)
-(type debugfs_wakeup_sources)
-(type debugfs_wifi_tracing)
-(type debuggerd_prop)
-(type default_android_hwservice)
-(type default_android_service)
-(type default_android_vndservice)
-(type default_prop)
-(type dev_cpu_variant)
-(type device)
-(type device_config_activity_manager_native_boot_prop)
-(type device_config_boot_count_prop)
-(type device_config_input_native_boot_prop)
-(type device_config_media_native_prop)
-(type device_config_netd_native_prop)
-(type device_config_reset_performed_prop)
-(type device_config_runtime_native_boot_prop)
-(type device_config_runtime_native_prop)
-(type device_config_service)
-(type device_identifiers_service)
-(type device_logging_prop)
-(type device_policy_service)
-(type device_state_service)
-(type deviceidle_service)
-(type devicestoragemonitor_service)
-(type devpts)
-(type dhcp)
-(type dhcp_data_file)
-(type dhcp_exec)
-(type dhcp_prop)
-(type diskstats_service)
-(type display_service)
-(type dm_device)
-(type dm_user_device)
-(type dmabuf_heap_device)
-(type dmabuf_system_heap_device)
-(type dmabuf_system_secure_heap_device)
-(type dnsmasq)
-(type dnsmasq_exec)
-(type dnsproxyd_socket)
-(type dnsresolver_service)
-(type domain_verification_service)
-(type dreams_service)
-(type drm_data_file)
-(type drm_service_config_prop)
-(type drmserver)
-(type drmserver_exec)
-(type drmserver_service)
-(type drmserver_socket)
-(type dropbox_data_file)
-(type dropbox_service)
-(type dumpstate)
-(type dumpstate_exec)
-(type dumpstate_options_prop)
-(type dumpstate_prop)
-(type dumpstate_service)
-(type dumpstate_socket)
-(type dynamic_system_prop)
-(type e2fs)
-(type e2fs_exec)
-(type efs_file)
-(type emergency_affordance_service)
-(type ephemeral_app)
-(type ethernet_service)
-(type exfat)
-(type exported3_system_prop)
-(type exported_bluetooth_prop)
-(type exported_camera_prop)
-(type exported_config_prop)
-(type exported_default_prop)
-(type exported_dumpstate_prop)
-(type exported_overlay_prop)
-(type exported_pm_prop)
-(type exported_secure_prop)
-(type exported_system_prop)
-(type external_vibrator_service)
-(type face_service)
-(type face_vendor_data_file)
-(type fastbootd)
-(type ffs_config_prop)
-(type ffs_control_prop)
-(type file_contexts_file)
-(type file_integrity_service)
-(type fingerprint_prop)
-(type fingerprint_service)
-(type fingerprint_vendor_data_file)
-(type fingerprintd)
-(type fingerprintd_data_file)
-(type fingerprintd_exec)
-(type fingerprintd_service)
-(type firstboot_prop)
-(type flags_health_check)
-(type flags_health_check_exec)
-(type font_service)
-(type framework_watchdog_config_prop)
-(type frp_block_device)
-(type fs_bpf)
-(type fs_bpf_tethering)
-(type fsck)
-(type fsck_exec)
-(type fsck_untrusted)
-(type fscklogs)
-(type functionfs)
-(type fuse)
-(type fuse_device)
-(type fusectlfs)
-(type fwk_automotive_display_hwservice)
-(type fwk_bufferhub_hwservice)
-(type fwk_camera_hwservice)
-(type fwk_display_hwservice)
-(type fwk_scheduler_hwservice)
-(type fwk_sensor_hwservice)
-(type fwk_stats_hwservice)
-(type fwk_stats_service)
-(type fwmarkd_socket)
-(type game_service)
-(type gatekeeper_data_file)
-(type gatekeeper_service)
-(type gatekeeperd)
-(type gatekeeperd_exec)
-(type gfxinfo_service)
-(type gmscore_app)
-(type gnss_device)
-(type gnss_time_update_service)
-(type gps_control)
-(type gpu_device)
-(type gpu_service)
-(type gpuservice)
-(type graphics_config_prop)
-(type graphics_device)
-(type graphicsstats_service)
-(type gsi_data_file)
-(type gsi_metadata_file)
-(type gsi_public_metadata_file)
-(type hal_atrace_hwservice)
-(type hal_audio_hwservice)
-(type hal_audio_service)
-(type hal_audiocontrol_hwservice)
-(type hal_audiocontrol_service)
-(type hal_authsecret_hwservice)
-(type hal_authsecret_service)
-(type hal_bluetooth_hwservice)
-(type hal_bootctl_hwservice)
-(type hal_broadcastradio_hwservice)
-(type hal_camera_hwservice)
-(type hal_can_bus_hwservice)
-(type hal_can_controller_hwservice)
-(type hal_cas_hwservice)
-(type hal_codec2_hwservice)
-(type hal_configstore_ISurfaceFlingerConfigs)
-(type hal_confirmationui_hwservice)
-(type hal_contexthub_hwservice)
-(type hal_drm_hwservice)
-(type hal_dumpstate_config_prop)
-(type hal_dumpstate_hwservice)
-(type hal_evs_hwservice)
-(type hal_face_hwservice)
-(type hal_face_service)
-(type hal_fingerprint_hwservice)
-(type hal_fingerprint_service)
-(type hal_gatekeeper_hwservice)
-(type hal_gnss_hwservice)
-(type hal_gnss_service)
-(type hal_graphics_allocator_hwservice)
-(type hal_graphics_composer_hwservice)
-(type hal_graphics_composer_server_tmpfs)
-(type hal_graphics_mapper_hwservice)
-(type hal_health_hwservice)
-(type hal_health_storage_hwservice)
-(type hal_health_storage_service)
-(type hal_identity_service)
-(type hal_input_classifier_hwservice)
-(type hal_instrumentation_prop)
-(type hal_ir_hwservice)
-(type hal_keymaster_hwservice)
-(type hal_keymint_service)
-(type hal_light_hwservice)
-(type hal_light_service)
-(type hal_lowpan_hwservice)
-(type hal_memtrack_hwservice)
-(type hal_memtrack_service)
-(type hal_neuralnetworks_hwservice)
-(type hal_neuralnetworks_service)
-(type hal_nfc_hwservice)
-(type hal_oemlock_hwservice)
-(type hal_oemlock_service)
-(type hal_omx_hwservice)
-(type hal_power_hwservice)
-(type hal_power_service)
-(type hal_power_stats_hwservice)
-(type hal_power_stats_service)
-(type hal_rebootescrow_service)
-(type hal_remotelyprovisionedcomponent_service)
-(type hal_renderscript_hwservice)
-(type hal_secure_element_hwservice)
-(type hal_secureclock_service)
-(type hal_sensors_hwservice)
-(type hal_sharedsecret_service)
-(type hal_telephony_hwservice)
-(type hal_tetheroffload_hwservice)
-(type hal_thermal_hwservice)
-(type hal_tv_cec_hwservice)
-(type hal_tv_input_hwservice)
-(type hal_tv_tuner_hwservice)
-(type hal_usb_gadget_hwservice)
-(type hal_usb_hwservice)
-(type hal_vehicle_hwservice)
-(type hal_vibrator_hwservice)
-(type hal_vibrator_service)
-(type hal_vr_hwservice)
-(type hal_weaver_hwservice)
-(type hal_weaver_service)
-(type hal_wifi_hostapd_hwservice)
-(type hal_wifi_hwservice)
-(type hal_wifi_supplicant_hwservice)
-(type hardware_properties_service)
-(type hardware_service)
-(type hci_attach_dev)
-(type hdmi_config_prop)
-(type hdmi_control_service)
-(type healthd)
-(type healthd_exec)
-(type heapdump_data_file)
-(type heapprofd)
-(type heapprofd_enabled_prop)
-(type heapprofd_prop)
-(type heapprofd_socket)
-(type hidl_allocator_hwservice)
-(type hidl_base_hwservice)
-(type hidl_manager_hwservice)
-(type hidl_memory_hwservice)
-(type hidl_token_hwservice)
-(type hint_service)
-(type hw_random_device)
-(type hw_timeout_multiplier_prop)
-(type hwbinder_device)
-(type hwservice_contexts_file)
-(type hwservicemanager)
-(type hwservicemanager_exec)
-(type hwservicemanager_prop)
-(type icon_file)
-(type idmap)
-(type idmap_exec)
-(type idmap_service)
-(type iio_device)
-(type imms_service)
-(type incident)
-(type incident_data_file)
-(type incident_helper)
-(type incident_service)
-(type incidentd)
-(type incremental_control_file)
-(type incremental_prop)
-(type incremental_service)
-(type init)
-(type init_exec)
-(type init_service_status_prop)
-(type init_tmpfs)
-(type inotify)
-(type input_device)
-(type input_method_service)
-(type input_service)
-(type inputflinger)
-(type inputflinger_exec)
-(type inputflinger_service)
-(type install_data_file)
-(type installd)
-(type installd_exec)
-(type installd_service)
-(type ion_device)
-(type iorap_inode2filename)
-(type iorap_inode2filename_exec)
-(type iorap_inode2filename_tmpfs)
-(type iorap_prefetcherd)
-(type iorap_prefetcherd_exec)
-(type iorap_prefetcherd_tmpfs)
-(type iorapd)
-(type iorapd_data_file)
-(type iorapd_exec)
-(type iorapd_service)
-(type iorapd_tmpfs)
-(type ipsec_service)
-(type iris_service)
-(type iris_vendor_data_file)
-(type isolated_app)
-(type jobscheduler_service)
-(type kernel)
-(type keychain_data_file)
-(type keychord_device)
-(type keyguard_config_prop)
-(type keystore)
-(type keystore2_key_contexts_file)
-(type keystore_compat_hal_service)
-(type keystore_data_file)
-(type keystore_exec)
-(type keystore_maintenance_service)
-(type keystore_metrics_service)
-(type keystore_service)
-(type kmsg_debug_device)
-(type kmsg_device)
-(type labeledfs)
-(type launcherapps_service)
-(type legacy_permission_service)
-(type legacykeystore_service)
-(type libc_debug_prop)
-(type light_service)
-(type linkerconfig_file)
-(type llkd)
-(type llkd_exec)
-(type llkd_prop)
-(type lmkd)
-(type lmkd_config_prop)
-(type lmkd_exec)
-(type lmkd_prop)
-(type lmkd_socket)
-(type location_service)
-(type location_time_zone_manager_service)
-(type lock_settings_service)
-(type log_prop)
-(type log_tag_prop)
-(type logcat_exec)
-(type logd)
-(type logd_exec)
-(type logd_prop)
-(type logd_socket)
-(type logdr_socket)
-(type logdw_socket)
-(type logpersist)
-(type logpersistd_logging_prop)
-(type loop_control_device)
-(type loop_device)
-(type looper_stats_service)
-(type lowpan_device)
-(type lowpan_prop)
-(type lowpan_service)
-(type lpdump_service)
-(type lpdumpd_prop)
-(type mac_perms_file)
-(type mdns_socket)
-(type mdnsd)
-(type mdnsd_socket)
-(type media_communication_service)
-(type media_config_prop)
-(type media_data_file)
-(type media_metrics_service)
-(type media_projection_service)
-(type media_router_service)
-(type media_rw_data_file)
-(type media_session_service)
-(type media_variant_prop)
-(type mediadrm_config_prop)
-(type mediadrmserver)
-(type mediadrmserver_exec)
-(type mediadrmserver_service)
-(type mediaextractor)
-(type mediaextractor_exec)
-(type mediaextractor_service)
-(type mediaextractor_tmpfs)
-(type mediametrics)
-(type mediametrics_exec)
-(type mediametrics_service)
-(type mediaprovider)
-(type mediaserver)
-(type mediaserver_exec)
-(type mediaserver_service)
-(type mediaserver_tmpfs)
-(type mediaswcodec)
-(type mediaswcodec_exec)
-(type mediatranscoding_service)
-(type meminfo_service)
-(type memtrackproxy_service)
-(type metadata_block_device)
-(type metadata_bootstat_file)
-(type metadata_file)
-(type method_trace_data_file)
-(type midi_service)
-(type mirror_data_file)
-(type misc_block_device)
-(type misc_logd_file)
-(type misc_user_data_file)
-(type mm_events_config_prop)
-(type mmc_prop)
-(type mnt_expand_file)
-(type mnt_media_rw_file)
-(type mnt_media_rw_stub_file)
-(type mnt_pass_through_file)
-(type mnt_product_file)
-(type mnt_sdcard_file)
-(type mnt_user_file)
-(type mnt_vendor_file)
-(type mock_ota_prop)
-(type modprobe)
-(type module_sdkextensions_prop)
-(type mount_service)
-(type mqueue)
-(type mtp)
-(type mtp_device)
-(type mtp_exec)
-(type mtpd_socket)
-(type music_recognition_service)
-(type nativetest_data_file)
-(type net_data_file)
-(type net_dns_prop)
-(type net_radio_prop)
-(type netd)
-(type netd_exec)
-(type netd_listener_service)
-(type netd_service)
-(type netif)
-(type netpolicy_service)
-(type netstats_service)
-(type netutils_wrapper)
-(type netutils_wrapper_exec)
-(type network_management_service)
-(type network_score_service)
-(type network_stack)
-(type network_stack_service)
-(type network_time_update_service)
-(type network_watchlist_data_file)
-(type network_watchlist_service)
-(type nfc)
-(type nfc_data_file)
-(type nfc_device)
-(type nfc_logs_data_file)
-(type nfc_prop)
-(type nfc_service)
-(type nnapi_ext_deny_product_prop)
-(type node)
-(type nonplat_service_contexts_file)
-(type notification_service)
-(type null_device)
-(type oem_lock_service)
-(type oem_unlock_prop)
-(type oemfs)
-(type ota_data_file)
-(type ota_metadata_file)
-(type ota_package_file)
-(type ota_prop)
-(type otadexopt_service)
-(type otapreopt_chroot)
-(type overlay_prop)
-(type overlay_service)
-(type overlayfs_file)
-(type owntty_device)
-(type pac_proxy_service)
-(type package_native_service)
-(type package_service)
-(type packagemanager_config_prop)
-(type packages_list_file)
-(type pan_result_prop)
-(type password_slot_metadata_file)
-(type pdx_bufferhub_client_channel_socket)
-(type pdx_bufferhub_client_endpoint_socket)
-(type pdx_bufferhub_dir)
-(type pdx_display_client_channel_socket)
-(type pdx_display_client_endpoint_socket)
-(type pdx_display_dir)
-(type pdx_display_manager_channel_socket)
-(type pdx_display_manager_endpoint_socket)
-(type pdx_display_screenshot_channel_socket)
-(type pdx_display_screenshot_endpoint_socket)
-(type pdx_display_vsync_channel_socket)
-(type pdx_display_vsync_endpoint_socket)
-(type pdx_performance_client_channel_socket)
-(type pdx_performance_client_endpoint_socket)
-(type pdx_performance_dir)
-(type people_service)
-(type perfetto)
-(type performanced)
-(type performanced_exec)
-(type permission_checker_service)
-(type permission_service)
-(type permissionmgr_service)
-(type persist_debug_prop)
-(type persist_vendor_debug_wifi_prop)
-(type persistent_data_block_service)
-(type persistent_properties_ready_prop)
-(type pinner_service)
-(type pipefs)
-(type platform_app)
-(type platform_compat_service)
-(type pmsg_device)
-(type port)
-(type port_device)
-(type postinstall)
-(type postinstall_apex_mnt_dir)
-(type postinstall_file)
-(type postinstall_mnt_dir)
-(type power_debug_prop)
-(type power_service)
-(type powerctl_prop)
-(type powerstats_service)
-(type ppp)
-(type ppp_device)
-(type ppp_exec)
-(type preloads_data_file)
-(type preloads_media_file)
-(type prereboot_data_file)
-(type print_service)
-(type priv_app)
-(type privapp_data_file)
-(type proc)
-(type proc_abi)
-(type proc_asound)
-(type proc_bluetooth_writable)
-(type proc_bootconfig)
-(type proc_buddyinfo)
-(type proc_cmdline)
-(type proc_cpuinfo)
-(type proc_dirty)
-(type proc_diskstats)
-(type proc_drop_caches)
-(type proc_extra_free_kbytes)
-(type proc_filesystems)
-(type proc_fs_verity)
-(type proc_hostname)
-(type proc_hung_task)
-(type proc_interrupts)
-(type proc_iomem)
-(type proc_kallsyms)
-(type proc_keys)
-(type proc_kmsg)
-(type proc_kpageflags)
-(type proc_loadavg)
-(type proc_locks)
-(type proc_lowmemorykiller)
-(type proc_max_map_count)
-(type proc_meminfo)
-(type proc_min_free_order_shift)
-(type proc_misc)
-(type proc_modules)
-(type proc_mounts)
-(type proc_net)
-(type proc_net_tcp_udp)
-(type proc_overcommit_memory)
-(type proc_page_cluster)
-(type proc_pagetypeinfo)
-(type proc_panic)
-(type proc_perf)
-(type proc_pid_max)
-(type proc_pipe_conf)
-(type proc_pressure_cpu)
-(type proc_pressure_io)
-(type proc_pressure_mem)
-(type proc_qtaguid_ctrl)
-(type proc_qtaguid_stat)
-(type proc_random)
-(type proc_sched)
-(type proc_security)
-(type proc_slabinfo)
-(type proc_stat)
-(type proc_swaps)
-(type proc_sysrq)
-(type proc_timer)
-(type proc_tty_drivers)
-(type proc_uid_concurrent_active_time)
-(type proc_uid_concurrent_policy_time)
-(type proc_uid_cpupower)
-(type proc_uid_cputime_removeuid)
-(type proc_uid_cputime_showstat)
-(type proc_uid_io_stats)
-(type proc_uid_procstat_set)
-(type proc_uid_time_in_state)
-(type proc_uptime)
-(type proc_vendor_sched)
-(type proc_version)
-(type proc_vmallocinfo)
-(type proc_vmstat)
-(type proc_zoneinfo)
-(type processinfo_service)
-(type procstats_service)
-(type profman)
-(type profman_dump_data_file)
-(type profman_exec)
-(type properties_device)
-(type properties_serial)
-(type property_contexts_file)
-(type property_data_file)
-(type property_info)
-(type property_service_version_prop)
-(type property_socket)
-(type provisioned_prop)
-(type pstorefs)
-(type ptmx_device)
-(type qemu_hw_prop)
-(type qemu_sf_lcd_density_prop)
-(type qtaguid_device)
-(type racoon)
-(type racoon_exec)
-(type racoon_socket)
-(type radio)
-(type radio_control_prop)
-(type radio_core_data_file)
-(type radio_data_file)
-(type radio_device)
-(type radio_prop)
-(type radio_service)
-(type ram_device)
-(type random_device)
-(type reboot_readiness_service)
-(type rebootescrow_hal_prop)
-(type recovery)
-(type recovery_block_device)
-(type recovery_config_prop)
-(type recovery_data_file)
-(type recovery_persist)
-(type recovery_persist_exec)
-(type recovery_refresh)
-(type recovery_refresh_exec)
-(type recovery_service)
-(type recovery_socket)
-(type registry_service)
-(type remoteprovisioning_service)
-(type resourcecache_data_file)
-(type restorecon_prop)
-(type restrictions_service)
-(type retaildemo_prop)
-(type rild_debug_socket)
-(type rild_socket)
-(type ringtone_file)
-(type role_service)
-(type rollback_service)
-(type root_block_device)
-(type rootfs)
-(type rpmsg_device)
-(type rs)
-(type rs_exec)
-(type rss_hwm_reset)
-(type rtc_device)
-(type rttmanager_service)
-(type runas)
-(type runas_app)
-(type runas_exec)
-(type runtime_event_log_tags_file)
-(type runtime_service)
-(type safemode_prop)
-(type same_process_hal_file)
-(type samplingprofiler_service)
-(type scheduling_policy_service)
-(type sdcard_block_device)
-(type sdcardd)
-(type sdcardd_exec)
-(type sdcardfs)
-(type seapp_contexts_file)
-(type search_service)
-(type search_ui_service)
-(type sec_key_att_app_id_provider_service)
-(type secure_element)
-(type secure_element_device)
-(type secure_element_service)
-(type securityfs)
-(type selinuxfs)
-(type sendbug_config_prop)
-(type sensor_privacy_service)
-(type sensors_device)
-(type sensorservice_service)
-(type sepolicy_file)
-(type serial_device)
-(type serial_service)
-(type serialno_prop)
-(type server_configurable_flags_data_file)
-(type service_contexts_file)
-(type service_manager_service)
-(type service_manager_vndservice)
-(type servicediscovery_service)
-(type servicemanager)
-(type servicemanager_exec)
-(type settings_service)
-(type sgdisk)
-(type sgdisk_exec)
-(type shared_relro)
-(type shared_relro_file)
-(type shell)
-(type shell_data_file)
-(type shell_exec)
-(type shell_prop)
-(type shell_test_data_file)
-(type shm)
-(type shortcut_manager_icons)
-(type shortcut_service)
-(type simpleperf)
-(type simpleperf_app_runner)
-(type simpleperf_app_runner_exec)
-(type slice_service)
-(type slideshow)
-(type smartspace_service)
-(type snapshotctl_log_data_file)
-(type snapuserd_socket)
-(type soc_prop)
-(type socket_device)
-(type socket_hook_prop)
-(type sockfs)
-(type sota_prop)
-(type soundtrigger_middleware_service)
-(type speech_recognition_service)
-(type sqlite_log_prop)
-(type staged_install_file)
-(type staging_data_file)
-(type stats_data_file)
-(type statsd)
-(type statsd_exec)
-(type statsdw_socket)
-(type statusbar_service)
-(type storage_config_prop)
-(type storage_file)
-(type storage_stub_file)
-(type storaged_service)
-(type storagemanager_config_prop)
-(type storagestats_service)
-(type su)
-(type su_exec)
-(type super_block_device)
-(type surfaceflinger)
-(type surfaceflinger_color_prop)
-(type surfaceflinger_display_prop)
-(type surfaceflinger_prop)
-(type surfaceflinger_service)
-(type surfaceflinger_tmpfs)
-(type suspend_prop)
-(type swap_block_device)
-(type sysfs)
-(type sysfs_android_usb)
-(type sysfs_batteryinfo)
-(type sysfs_block)
-(type sysfs_bluetooth_writable)
-(type sysfs_devfreq_cur)
-(type sysfs_devfreq_dir)
-(type sysfs_devices_block)
-(type sysfs_devices_cs_etm)
-(type sysfs_devices_system_cpu)
-(type sysfs_dm)
-(type sysfs_dm_verity)
-(type sysfs_dma_heap)
-(type sysfs_dmabuf_stats)
-(type sysfs_dt_firmware_android)
-(type sysfs_extcon)
-(type sysfs_fs_ext4_features)
-(type sysfs_fs_f2fs)
-(type sysfs_fs_incfs_features)
-(type sysfs_fs_incfs_metrics)
-(type sysfs_hwrandom)
-(type sysfs_ion)
-(type sysfs_ipv4)
-(type sysfs_kernel_notes)
-(type sysfs_leds)
-(type sysfs_loop)
-(type sysfs_lowmemorykiller)
-(type sysfs_net)
-(type sysfs_nfc_power_writable)
-(type sysfs_power)
-(type sysfs_rtc)
-(type sysfs_suspend_stats)
-(type sysfs_switch)
-(type sysfs_thermal)
-(type sysfs_transparent_hugepage)
-(type sysfs_uhid)
-(type sysfs_uio)
-(type sysfs_usb)
-(type sysfs_usermodehelper)
-(type sysfs_vendor_sched)
-(type sysfs_vibrator)
-(type sysfs_wake_lock)
-(type sysfs_wakeup)
-(type sysfs_wakeup_reasons)
-(type sysfs_wlan_fwpath)
-(type sysfs_zram)
-(type sysfs_zram_uevent)
-(type system_app)
-(type system_app_data_file)
-(type system_app_service)
-(type system_asan_options_file)
-(type system_block_device)
-(type system_boot_reason_prop)
-(type system_bootstrap_lib_file)
-(type system_config_service)
-(type system_data_file)
-(type system_data_root_file)
-(type system_event_log_tags_file)
-(type system_file)
-(type system_group_file)
-(type system_jvmti_agent_prop)
-(type system_lib_file)
-(type system_linker_config_file)
-(type system_linker_exec)
-(type system_lmk_prop)
-(type system_ndebug_socket)
-(type system_net_netd_hwservice)
-(type system_passwd_file)
-(type system_prop)
-(type system_seccomp_policy_file)
-(type system_security_cacerts_file)
-(type system_server)
-(type system_server_dumper_service)
-(type system_server_tmpfs)
-(type system_suspend_control_internal_service)
-(type system_suspend_control_service)
-(type system_suspend_hwservice)
-(type system_trace_prop)
-(type system_unsolzygote_socket)
-(type system_update_service)
-(type system_wifi_keystore_hwservice)
-(type system_wpa_socket)
-(type system_zoneinfo_file)
-(type systemkeys_data_file)
-(type systemsound_config_prop)
-(type task_profiles_api_file)
-(type task_profiles_file)
-(type task_service)
-(type tcpdump_exec)
-(type tee)
-(type tee_data_file)
-(type tee_device)
-(type telecom_service)
-(type telephony_config_prop)
-(type telephony_status_prop)
-(type test_boot_reason_prop)
-(type test_harness_prop)
-(type testharness_service)
-(type tethering_service)
-(type textclassification_service)
-(type textclassifier_data_file)
-(type textservices_service)
-(type texttospeech_service)
-(type theme_prop)
-(type thermal_service)
-(type time_prop)
-(type timedetector_service)
-(type timezone_service)
-(type timezonedetector_service)
-(type tmpfs)
-(type tombstone_config_prop)
-(type tombstone_data_file)
-(type tombstone_wifi_data_file)
-(type tombstoned)
-(type tombstoned_crash_socket)
-(type tombstoned_exec)
-(type tombstoned_intercept_socket)
-(type tombstoned_java_trace_socket)
-(type toolbox)
-(type toolbox_exec)
-(type trace_data_file)
-(type traced)
-(type traced_consumer_socket)
-(type traced_enabled_prop)
-(type traced_lazy_prop)
-(type traced_perf)
-(type traced_perf_socket)
-(type traced_probes)
-(type traced_producer_socket)
-(type traced_tmpfs)
-(type traceur_app)
-(type translation_service)
-(type trust_service)
-(type tty_device)
-(type tun_device)
-(type tv_input_service)
-(type tv_tuner_resource_mgr_service)
-(type tzdatacheck)
-(type tzdatacheck_exec)
-(type ueventd)
-(type ueventd_tmpfs)
-(type uhid_device)
-(type uimode_service)
-(type uio_device)
-(type uncrypt)
-(type uncrypt_exec)
-(type uncrypt_socket)
-(type unencrypted_data_file)
-(type unlabeled)
-(type untrusted_app)
-(type untrusted_app_25)
-(type untrusted_app_27)
-(type untrusted_app_29)
-(type update_engine)
-(type update_engine_data_file)
-(type update_engine_exec)
-(type update_engine_log_data_file)
-(type update_engine_service)
-(type update_engine_stable_service)
-(type update_verifier)
-(type update_verifier_exec)
-(type updatelock_service)
-(type uri_grants_service)
-(type usagestats_service)
-(type usb_config_prop)
-(type usb_control_prop)
-(type usb_device)
-(type usb_prop)
-(type usb_serial_device)
-(type usb_service)
-(type usbaccessory_device)
-(type usbd)
-(type usbd_exec)
-(type usbfs)
-(type use_memfd_prop)
-(type user_profile_data_file)
-(type user_profile_root_file)
-(type user_service)
-(type userdata_block_device)
-(type userdata_sysdev)
-(type usermodehelper)
-(type userspace_reboot_config_prop)
-(type userspace_reboot_exported_prop)
-(type userspace_reboot_metadata_file)
-(type uwb_service)
-(type vcn_management_service)
-(type vd_device)
-(type vdc)
-(type vdc_exec)
-(type vehicle_hal_prop)
-(type vendor_apex_file)
-(type vendor_app_file)
-(type vendor_cgroup_desc_file)
-(type vendor_configs_file)
-(type vendor_data_file)
-(type vendor_default_prop)
-(type vendor_file)
-(type vendor_framework_file)
-(type vendor_hal_file)
-(type vendor_idc_file)
-(type vendor_init)
-(type vendor_kernel_modules)
-(type vendor_keychars_file)
-(type vendor_keylayout_file)
-(type vendor_misc_writer)
-(type vendor_misc_writer_exec)
-(type vendor_modprobe)
-(type vendor_overlay_file)
-(type vendor_public_framework_file)
-(type vendor_public_lib_file)
-(type vendor_security_patch_level_prop)
-(type vendor_service_contexts_file)
-(type vendor_shell)
-(type vendor_shell_exec)
-(type vendor_socket_hook_prop)
-(type vendor_task_profiles_file)
-(type vendor_toolbox_exec)
-(type vfat)
-(type vibrator_manager_service)
-(type vibrator_service)
-(type video_device)
-(type virtual_ab_prop)
-(type virtual_touchpad)
-(type virtual_touchpad_exec)
-(type virtual_touchpad_service)
-(type virtualization_service)
-(type vndbinder_device)
-(type vndk_prop)
-(type vndk_sp_file)
-(type vndservice_contexts_file)
-(type vndservicemanager)
-(type voiceinteraction_service)
-(type vold)
-(type vold_config_prop)
-(type vold_data_file)
-(type vold_device)
-(type vold_exec)
-(type vold_metadata_file)
-(type vold_post_fs_data_prop)
-(type vold_prepare_subdirs)
-(type vold_prepare_subdirs_exec)
-(type vold_prop)
-(type vold_service)
-(type vold_status_prop)
-(type vpn_data_file)
-(type vpn_management_service)
-(type vr_hwc)
-(type vr_hwc_exec)
-(type vr_hwc_service)
-(type vr_manager_service)
-(type vrflinger_vsync_service)
-(type vts_config_prop)
-(type vts_status_prop)
-(type wallpaper_file)
-(type wallpaper_service)
-(type watchdog_device)
-(type watchdog_metadata_file)
-(type watchdogd)
-(type watchdogd_exec)
-(type webview_zygote)
-(type webview_zygote_exec)
-(type webview_zygote_tmpfs)
-(type webviewupdate_service)
-(type wifi_config_prop)
-(type wifi_data_file)
-(type wifi_hal_prop)
-(type wifi_key)
-(type wifi_log_prop)
-(type wifi_prop)
-(type wifi_service)
-(type wifiaware_service)
-(type wificond)
-(type wificond_exec)
-(type wifinl80211_service)
-(type wifip2p_service)
-(type wifiscanner_service)
-(type window_service)
-(type wpa_socket)
-(type wpantund)
-(type wpantund_exec)
-(type wpantund_service)
-(type zero_device)
-(type zoneinfo_data_file)
-(type zram_config_prop)
-(type zram_control_prop)
-(type zygote)
-(type zygote_config_prop)
-(type zygote_exec)
-(type zygote_socket)
-(type zygote_tmpfs)
-(typeattribute DockObserver_service_31_0)
-(typeattribute IProxyService_service_31_0)
-(typeattribute aac_drc_prop_31_0)
-(typeattribute aaudio_config_prop_31_0)
-(typeattribute ab_update_gki_prop_31_0)
-(typeattribute accessibility_service_31_0)
-(typeattribute account_service_31_0)
-(typeattribute activity_service_31_0)
-(typeattribute activity_task_service_31_0)
-(typeattribute adb_data_file_31_0)
-(typeattribute adb_keys_file_31_0)
-(typeattribute adb_service_31_0)
-(typeattribute adbd_31_0)
-(typeattribute adbd_config_prop_31_0)
-(typeattribute adbd_exec_31_0)
-(typeattribute adbd_socket_31_0)
-(typeattribute aidl_lazy_test_server_31_0)
-(typeattribute aidl_lazy_test_server_exec_31_0)
-(typeattribute aidl_lazy_test_service_31_0)
-(typeattribute alarm_service_31_0)
-(typeattribute anr_data_file_31_0)
-(typeattribute apc_service_31_0)
-(typeattribute apex_appsearch_data_file_31_0)
-(typeattribute apex_data_file_31_0)
-(typeattribute apex_info_file_31_0)
-(typeattribute apex_metadata_file_31_0)
-(typeattribute apex_mnt_dir_31_0)
-(typeattribute apex_module_data_file_31_0)
-(typeattribute apex_ota_reserved_file_31_0)
-(typeattribute apex_permission_data_file_31_0)
-(typeattribute apex_rollback_data_file_31_0)
-(typeattribute apex_scheduling_data_file_31_0)
-(typeattribute apex_service_31_0)
-(typeattribute apex_wifi_data_file_31_0)
-(typeattribute apexd_31_0)
-(typeattribute apexd_config_prop_31_0)
-(typeattribute apexd_exec_31_0)
-(typeattribute apexd_prop_31_0)
-(typeattribute apk_data_file_31_0)
-(typeattribute apk_private_data_file_31_0)
-(typeattribute apk_private_tmp_file_31_0)
-(typeattribute apk_tmp_file_31_0)
-(typeattribute apk_verity_prop_31_0)
-(typeattribute app_api_service)
-(typeattribute app_binding_service_31_0)
-(typeattribute app_data_file_31_0)
-(typeattribute app_data_file_type)
-(typeattribute app_fuse_file_31_0)
-(typeattribute app_fusefs_31_0)
-(typeattribute app_hibernation_service_31_0)
-(typeattribute app_integrity_service_31_0)
-(typeattribute app_prediction_service_31_0)
-(typeattribute app_search_service_31_0)
-(typeattribute app_zygote_31_0)
-(typeattribute app_zygote_tmpfs_31_0)
-(typeattribute appcompat_data_file_31_0)
-(typeattribute appdomain)
-(typeattribute appdomain_tmpfs_31_0)
-(typeattribute appops_service_31_0)
-(typeattribute appwidget_service_31_0)
-(typeattribute arm64_memtag_prop_31_0)
-(typeattribute art_apex_dir_31_0)
-(typeattribute asec_apk_file_31_0)
-(typeattribute asec_image_file_31_0)
-(typeattribute asec_public_file_31_0)
-(typeattribute ashmem_device_31_0)
-(typeattribute ashmem_libcutils_device_31_0)
-(typeattribute assetatlas_service_31_0)
-(typeattribute atrace_31_0)
-(typeattribute audio_config_prop_31_0)
-(typeattribute audio_data_file_31_0)
-(typeattribute audio_device_31_0)
-(typeattribute audio_prop_31_0)
-(typeattribute audio_service_31_0)
-(typeattribute audiohal_data_file_31_0)
-(typeattribute audioserver_31_0)
-(typeattribute audioserver_data_file_31_0)
-(typeattribute audioserver_service_31_0)
-(typeattribute audioserver_tmpfs_31_0)
-(typeattribute auth_service_31_0)
-(typeattribute authorization_service_31_0)
-(typeattribute autofill_service_31_0)
-(typeattribute automotive_display_service_server)
-(typeattribute backup_data_file_31_0)
-(typeattribute backup_service_31_0)
-(typeattribute base_typeattr_100_31_0)
-(typeattribute base_typeattr_101_31_0)
-(typeattribute base_typeattr_102_31_0)
-(typeattribute base_typeattr_103_31_0)
-(typeattribute base_typeattr_104_31_0)
-(typeattribute base_typeattr_105_31_0)
-(typeattribute base_typeattr_106_31_0)
-(typeattribute base_typeattr_107_31_0)
-(typeattribute base_typeattr_108_31_0)
-(typeattribute base_typeattr_109_31_0)
-(typeattribute base_typeattr_10_31_0)
-(typeattribute base_typeattr_110_31_0)
-(typeattribute base_typeattr_111_31_0)
-(typeattribute base_typeattr_112_31_0)
-(typeattribute base_typeattr_113_31_0)
-(typeattribute base_typeattr_114_31_0)
-(typeattribute base_typeattr_115_31_0)
-(typeattribute base_typeattr_116_31_0)
-(typeattribute base_typeattr_117_31_0)
-(typeattribute base_typeattr_118_31_0)
-(typeattribute base_typeattr_119_31_0)
-(typeattribute base_typeattr_11_31_0)
-(typeattribute base_typeattr_120_31_0)
-(typeattribute base_typeattr_121_31_0)
-(typeattribute base_typeattr_122_31_0)
-(typeattribute base_typeattr_123_31_0)
-(typeattribute base_typeattr_124_31_0)
-(typeattribute base_typeattr_125_31_0)
-(typeattribute base_typeattr_126_31_0)
-(typeattribute base_typeattr_127_31_0)
-(typeattribute base_typeattr_128_31_0)
-(typeattribute base_typeattr_129_31_0)
-(typeattribute base_typeattr_12_31_0)
-(typeattribute base_typeattr_130_31_0)
-(typeattribute base_typeattr_131_31_0)
-(typeattribute base_typeattr_132_31_0)
-(typeattribute base_typeattr_133_31_0)
-(typeattribute base_typeattr_134_31_0)
-(typeattribute base_typeattr_135_31_0)
-(typeattribute base_typeattr_136_31_0)
-(typeattribute base_typeattr_137_31_0)
-(typeattribute base_typeattr_138_31_0)
-(typeattribute base_typeattr_139_31_0)
-(typeattribute base_typeattr_13_31_0)
-(typeattribute base_typeattr_140_31_0)
-(typeattribute base_typeattr_141_31_0)
-(typeattribute base_typeattr_142_31_0)
-(typeattribute base_typeattr_143_31_0)
-(typeattribute base_typeattr_144_31_0)
-(typeattribute base_typeattr_145_31_0)
-(typeattribute base_typeattr_146_31_0)
-(typeattribute base_typeattr_147_31_0)
-(typeattribute base_typeattr_148_31_0)
-(typeattribute base_typeattr_149_31_0)
-(typeattribute base_typeattr_14_31_0)
-(typeattribute base_typeattr_150_31_0)
-(typeattribute base_typeattr_151_31_0)
-(typeattribute base_typeattr_152_31_0)
-(typeattribute base_typeattr_153_31_0)
-(typeattribute base_typeattr_154_31_0)
-(typeattribute base_typeattr_155_31_0)
-(typeattribute base_typeattr_156_31_0)
-(typeattribute base_typeattr_157_31_0)
-(typeattribute base_typeattr_158_31_0)
-(typeattribute base_typeattr_159_31_0)
-(typeattribute base_typeattr_15_31_0)
-(typeattribute base_typeattr_160_31_0)
-(typeattribute base_typeattr_161_31_0)
-(typeattribute base_typeattr_162_31_0)
-(typeattribute base_typeattr_163_31_0)
-(typeattribute base_typeattr_164_31_0)
-(typeattribute base_typeattr_165_31_0)
-(typeattribute base_typeattr_166_31_0)
-(typeattribute base_typeattr_167_31_0)
-(typeattribute base_typeattr_168_31_0)
-(typeattribute base_typeattr_169_31_0)
-(typeattribute base_typeattr_16_31_0)
-(typeattribute base_typeattr_170_31_0)
-(typeattribute base_typeattr_171_31_0)
-(typeattribute base_typeattr_172_31_0)
-(typeattribute base_typeattr_173_31_0)
-(typeattribute base_typeattr_174_31_0)
-(typeattribute base_typeattr_175_31_0)
-(typeattribute base_typeattr_176_31_0)
-(typeattribute base_typeattr_177_31_0)
-(typeattribute base_typeattr_178_31_0)
-(typeattribute base_typeattr_179_31_0)
-(typeattribute base_typeattr_17_31_0)
-(typeattribute base_typeattr_180_31_0)
-(typeattribute base_typeattr_181_31_0)
-(typeattribute base_typeattr_182_31_0)
-(typeattribute base_typeattr_183_31_0)
-(typeattribute base_typeattr_184_31_0)
-(typeattribute base_typeattr_185_31_0)
-(typeattribute base_typeattr_186_31_0)
-(typeattribute base_typeattr_187_31_0)
-(typeattribute base_typeattr_188_31_0)
-(typeattribute base_typeattr_189_31_0)
-(typeattribute base_typeattr_18_31_0)
-(typeattribute base_typeattr_190_31_0)
-(typeattribute base_typeattr_191_31_0)
-(typeattribute base_typeattr_192_31_0)
-(typeattribute base_typeattr_193_31_0)
-(typeattribute base_typeattr_194_31_0)
-(typeattribute base_typeattr_195_31_0)
-(typeattribute base_typeattr_196_31_0)
-(typeattribute base_typeattr_197_31_0)
-(typeattribute base_typeattr_198_31_0)
-(typeattribute base_typeattr_199_31_0)
-(typeattribute base_typeattr_19_31_0)
-(typeattribute base_typeattr_1_31_0)
-(typeattribute base_typeattr_200_31_0)
-(typeattribute base_typeattr_201_31_0)
-(typeattribute base_typeattr_202_31_0)
-(typeattribute base_typeattr_203_31_0)
-(typeattribute base_typeattr_204_31_0)
-(typeattribute base_typeattr_205_31_0)
-(typeattribute base_typeattr_206_31_0)
-(typeattribute base_typeattr_207_31_0)
-(typeattribute base_typeattr_208_31_0)
-(typeattribute base_typeattr_209_31_0)
-(typeattribute base_typeattr_20_31_0)
-(typeattribute base_typeattr_210_31_0)
-(typeattribute base_typeattr_211_31_0)
-(typeattribute base_typeattr_212_31_0)
-(typeattribute base_typeattr_213_31_0)
-(typeattribute base_typeattr_214_31_0)
-(typeattribute base_typeattr_215_31_0)
-(typeattribute base_typeattr_216_31_0)
-(typeattribute base_typeattr_217_31_0)
-(typeattribute base_typeattr_218_31_0)
-(typeattribute base_typeattr_219_31_0)
-(typeattribute base_typeattr_21_31_0)
-(typeattribute base_typeattr_220_31_0)
-(typeattribute base_typeattr_221_31_0)
-(typeattribute base_typeattr_222_31_0)
-(typeattribute base_typeattr_223_31_0)
-(typeattribute base_typeattr_224_31_0)
-(typeattribute base_typeattr_225_31_0)
-(typeattribute base_typeattr_226_31_0)
-(typeattribute base_typeattr_227_31_0)
-(typeattribute base_typeattr_228_31_0)
-(typeattribute base_typeattr_229_31_0)
-(typeattribute base_typeattr_22_31_0)
-(typeattribute base_typeattr_230_31_0)
-(typeattribute base_typeattr_231_31_0)
-(typeattribute base_typeattr_232_31_0)
-(typeattribute base_typeattr_233_31_0)
-(typeattribute base_typeattr_234_31_0)
-(typeattribute base_typeattr_235_31_0)
-(typeattribute base_typeattr_236_31_0)
-(typeattribute base_typeattr_237_31_0)
-(typeattribute base_typeattr_238_31_0)
-(typeattribute base_typeattr_239_31_0)
-(typeattribute base_typeattr_23_31_0)
-(typeattribute base_typeattr_240_31_0)
-(typeattribute base_typeattr_241_31_0)
-(typeattribute base_typeattr_242_31_0)
-(typeattribute base_typeattr_243_31_0)
-(typeattribute base_typeattr_244_31_0)
-(typeattribute base_typeattr_245_31_0)
-(typeattribute base_typeattr_246_31_0)
-(typeattribute base_typeattr_247_31_0)
-(typeattribute base_typeattr_248_31_0)
-(typeattribute base_typeattr_249_31_0)
-(typeattribute base_typeattr_24_31_0)
-(typeattribute base_typeattr_250_31_0)
-(typeattribute base_typeattr_251_31_0)
-(typeattribute base_typeattr_252_31_0)
-(typeattribute base_typeattr_253_31_0)
-(typeattribute base_typeattr_254_31_0)
-(typeattribute base_typeattr_255_31_0)
-(typeattribute base_typeattr_256_31_0)
-(typeattribute base_typeattr_257_31_0)
-(typeattribute base_typeattr_258_31_0)
-(typeattribute base_typeattr_259_31_0)
-(typeattribute base_typeattr_25_31_0)
-(typeattribute base_typeattr_260_31_0)
-(typeattribute base_typeattr_261_31_0)
-(typeattribute base_typeattr_262_31_0)
-(typeattribute base_typeattr_263_31_0)
-(typeattribute base_typeattr_264_31_0)
-(typeattribute base_typeattr_265_31_0)
-(typeattribute base_typeattr_266_31_0)
-(typeattribute base_typeattr_267_31_0)
-(typeattribute base_typeattr_268_31_0)
-(typeattribute base_typeattr_269_31_0)
-(typeattribute base_typeattr_26_31_0)
-(typeattribute base_typeattr_270_31_0)
-(typeattribute base_typeattr_271_31_0)
-(typeattribute base_typeattr_272_31_0)
-(typeattribute base_typeattr_273_31_0)
-(typeattribute base_typeattr_274_31_0)
-(typeattribute base_typeattr_275_31_0)
-(typeattribute base_typeattr_276_31_0)
-(typeattribute base_typeattr_277_31_0)
-(typeattribute base_typeattr_278_31_0)
-(typeattribute base_typeattr_279_31_0)
-(typeattribute base_typeattr_27_31_0)
-(typeattribute base_typeattr_280_31_0)
-(typeattribute base_typeattr_281_31_0)
-(typeattribute base_typeattr_282_31_0)
-(typeattribute base_typeattr_283_31_0)
-(typeattribute base_typeattr_284_31_0)
-(typeattribute base_typeattr_285_31_0)
-(typeattribute base_typeattr_286_31_0)
-(typeattribute base_typeattr_287_31_0)
-(typeattribute base_typeattr_288_31_0)
-(typeattribute base_typeattr_289_31_0)
-(typeattribute base_typeattr_28_31_0)
-(typeattribute base_typeattr_290_31_0)
-(typeattribute base_typeattr_291_31_0)
-(typeattribute base_typeattr_292_31_0)
-(typeattribute base_typeattr_293_31_0)
-(typeattribute base_typeattr_294_31_0)
-(typeattribute base_typeattr_295_31_0)
-(typeattribute base_typeattr_296_31_0)
-(typeattribute base_typeattr_297_31_0)
-(typeattribute base_typeattr_298_31_0)
-(typeattribute base_typeattr_299_31_0)
-(typeattribute base_typeattr_29_31_0)
-(typeattribute base_typeattr_2_31_0)
-(typeattribute base_typeattr_300_31_0)
-(typeattribute base_typeattr_301_31_0)
-(typeattribute base_typeattr_302_31_0)
-(typeattribute base_typeattr_303_31_0)
-(typeattribute base_typeattr_304_31_0)
-(typeattribute base_typeattr_305_31_0)
-(typeattribute base_typeattr_306_31_0)
-(typeattribute base_typeattr_307_31_0)
-(typeattribute base_typeattr_308_31_0)
-(typeattribute base_typeattr_309_31_0)
-(typeattribute base_typeattr_30_31_0)
-(typeattribute base_typeattr_310_31_0)
-(typeattribute base_typeattr_311_31_0)
-(typeattribute base_typeattr_312_31_0)
-(typeattribute base_typeattr_313_31_0)
-(typeattribute base_typeattr_314_31_0)
-(typeattribute base_typeattr_315_31_0)
-(typeattribute base_typeattr_316_31_0)
-(typeattribute base_typeattr_317_31_0)
-(typeattribute base_typeattr_318_31_0)
-(typeattribute base_typeattr_319_31_0)
-(typeattribute base_typeattr_31_31_0)
-(typeattribute base_typeattr_320_31_0)
-(typeattribute base_typeattr_321_31_0)
-(typeattribute base_typeattr_322_31_0)
-(typeattribute base_typeattr_323_31_0)
-(typeattribute base_typeattr_324_31_0)
-(typeattribute base_typeattr_325_31_0)
-(typeattribute base_typeattr_326_31_0)
-(typeattribute base_typeattr_327_31_0)
-(typeattribute base_typeattr_328_31_0)
-(typeattribute base_typeattr_329_31_0)
-(typeattribute base_typeattr_32_31_0)
-(typeattribute base_typeattr_330_31_0)
-(typeattribute base_typeattr_331_31_0)
-(typeattribute base_typeattr_332_31_0)
-(typeattribute base_typeattr_333_31_0)
-(typeattribute base_typeattr_334_31_0)
-(typeattribute base_typeattr_335_31_0)
-(typeattribute base_typeattr_336_31_0)
-(typeattribute base_typeattr_337_31_0)
-(typeattribute base_typeattr_338_31_0)
-(typeattribute base_typeattr_339_31_0)
-(typeattribute base_typeattr_33_31_0)
-(typeattribute base_typeattr_340_31_0)
-(typeattribute base_typeattr_341_31_0)
-(typeattribute base_typeattr_342_31_0)
-(typeattribute base_typeattr_343_31_0)
-(typeattribute base_typeattr_344_31_0)
-(typeattribute base_typeattr_345_31_0)
-(typeattribute base_typeattr_346_31_0)
-(typeattribute base_typeattr_347_31_0)
-(typeattribute base_typeattr_348_31_0)
-(typeattribute base_typeattr_349_31_0)
-(typeattribute base_typeattr_34_31_0)
-(typeattribute base_typeattr_350_31_0)
-(typeattribute base_typeattr_351_31_0)
-(typeattribute base_typeattr_352_31_0)
-(typeattribute base_typeattr_353_31_0)
-(typeattribute base_typeattr_354_31_0)
-(typeattribute base_typeattr_355_31_0)
-(typeattribute base_typeattr_356_31_0)
-(typeattribute base_typeattr_357_31_0)
-(typeattribute base_typeattr_358_31_0)
-(typeattribute base_typeattr_359_31_0)
-(typeattribute base_typeattr_35_31_0)
-(typeattribute base_typeattr_360_31_0)
-(typeattribute base_typeattr_361_31_0)
-(typeattribute base_typeattr_362_31_0)
-(typeattribute base_typeattr_363_31_0)
-(typeattribute base_typeattr_364_31_0)
-(typeattribute base_typeattr_365_31_0)
-(typeattribute base_typeattr_366_31_0)
-(typeattribute base_typeattr_367_31_0)
-(typeattribute base_typeattr_368_31_0)
-(typeattribute base_typeattr_369_31_0)
-(typeattribute base_typeattr_36_31_0)
-(typeattribute base_typeattr_370_31_0)
-(typeattribute base_typeattr_371_31_0)
-(typeattribute base_typeattr_372_31_0)
-(typeattribute base_typeattr_373_31_0)
-(typeattribute base_typeattr_374_31_0)
-(typeattribute base_typeattr_375_31_0)
-(typeattribute base_typeattr_376_31_0)
-(typeattribute base_typeattr_377_31_0)
-(typeattribute base_typeattr_378_31_0)
-(typeattribute base_typeattr_379_31_0)
-(typeattribute base_typeattr_37_31_0)
-(typeattribute base_typeattr_380_31_0)
-(typeattribute base_typeattr_381_31_0)
-(typeattribute base_typeattr_382_31_0)
-(typeattribute base_typeattr_383_31_0)
-(typeattribute base_typeattr_384_31_0)
-(typeattribute base_typeattr_385_31_0)
-(typeattribute base_typeattr_386_31_0)
-(typeattribute base_typeattr_387_31_0)
-(typeattribute base_typeattr_388_31_0)
-(typeattribute base_typeattr_389_31_0)
-(typeattribute base_typeattr_38_31_0)
-(typeattribute base_typeattr_390_31_0)
-(typeattribute base_typeattr_391_31_0)
-(typeattribute base_typeattr_392_31_0)
-(typeattribute base_typeattr_393_31_0)
-(typeattribute base_typeattr_394_31_0)
-(typeattribute base_typeattr_395_31_0)
-(typeattribute base_typeattr_396_31_0)
-(typeattribute base_typeattr_397_31_0)
-(typeattribute base_typeattr_398_31_0)
-(typeattribute base_typeattr_399_31_0)
-(typeattribute base_typeattr_39_31_0)
-(typeattribute base_typeattr_3_31_0)
-(typeattribute base_typeattr_400_31_0)
-(typeattribute base_typeattr_401_31_0)
-(typeattribute base_typeattr_402_31_0)
-(typeattribute base_typeattr_403_31_0)
-(typeattribute base_typeattr_404_31_0)
-(typeattribute base_typeattr_405_31_0)
-(typeattribute base_typeattr_406_31_0)
-(typeattribute base_typeattr_407_31_0)
-(typeattribute base_typeattr_408_31_0)
-(typeattribute base_typeattr_409_31_0)
-(typeattribute base_typeattr_40_31_0)
-(typeattribute base_typeattr_410_31_0)
-(typeattribute base_typeattr_411_31_0)
-(typeattribute base_typeattr_412_31_0)
-(typeattribute base_typeattr_413_31_0)
-(typeattribute base_typeattr_414_31_0)
-(typeattribute base_typeattr_415_31_0)
-(typeattribute base_typeattr_416_31_0)
-(typeattribute base_typeattr_417_31_0)
-(typeattribute base_typeattr_418_31_0)
-(typeattribute base_typeattr_419_31_0)
-(typeattribute base_typeattr_41_31_0)
-(typeattribute base_typeattr_420_31_0)
-(typeattribute base_typeattr_421_31_0)
-(typeattribute base_typeattr_422_31_0)
-(typeattribute base_typeattr_423_31_0)
-(typeattribute base_typeattr_424_31_0)
-(typeattribute base_typeattr_425_31_0)
-(typeattribute base_typeattr_426_31_0)
-(typeattribute base_typeattr_427_31_0)
-(typeattribute base_typeattr_428_31_0)
-(typeattribute base_typeattr_429_31_0)
-(typeattribute base_typeattr_42_31_0)
-(typeattribute base_typeattr_430_31_0)
-(typeattribute base_typeattr_431_31_0)
-(typeattribute base_typeattr_432_31_0)
-(typeattribute base_typeattr_433_31_0)
-(typeattribute base_typeattr_434_31_0)
-(typeattribute base_typeattr_435_31_0)
-(typeattribute base_typeattr_436_31_0)
-(typeattribute base_typeattr_437_31_0)
-(typeattribute base_typeattr_438_31_0)
-(typeattribute base_typeattr_439_31_0)
-(typeattribute base_typeattr_43_31_0)
-(typeattribute base_typeattr_440_31_0)
-(typeattribute base_typeattr_441_31_0)
-(typeattribute base_typeattr_442_31_0)
-(typeattribute base_typeattr_443_31_0)
-(typeattribute base_typeattr_444_31_0)
-(typeattribute base_typeattr_445_31_0)
-(typeattribute base_typeattr_446_31_0)
-(typeattribute base_typeattr_447_31_0)
-(typeattribute base_typeattr_448_31_0)
-(typeattribute base_typeattr_449_31_0)
-(typeattribute base_typeattr_44_31_0)
-(typeattribute base_typeattr_450_31_0)
-(typeattribute base_typeattr_451_31_0)
-(typeattribute base_typeattr_452_31_0)
-(typeattribute base_typeattr_453_31_0)
-(typeattribute base_typeattr_454_31_0)
-(typeattribute base_typeattr_455_31_0)
-(typeattribute base_typeattr_456_31_0)
-(typeattribute base_typeattr_457_31_0)
-(typeattribute base_typeattr_458_31_0)
-(typeattribute base_typeattr_459_31_0)
-(typeattribute base_typeattr_45_31_0)
-(typeattribute base_typeattr_460_31_0)
-(typeattribute base_typeattr_461_31_0)
-(typeattribute base_typeattr_462_31_0)
-(typeattribute base_typeattr_463_31_0)
-(typeattribute base_typeattr_464_31_0)
-(typeattribute base_typeattr_465_31_0)
-(typeattribute base_typeattr_466_31_0)
-(typeattribute base_typeattr_467_31_0)
-(typeattribute base_typeattr_468_31_0)
-(typeattribute base_typeattr_469_31_0)
-(typeattribute base_typeattr_46_31_0)
-(typeattribute base_typeattr_470_31_0)
-(typeattribute base_typeattr_471_31_0)
-(typeattribute base_typeattr_472_31_0)
-(typeattribute base_typeattr_473_31_0)
-(typeattribute base_typeattr_474_31_0)
-(typeattribute base_typeattr_475_31_0)
-(typeattribute base_typeattr_476_31_0)
-(typeattribute base_typeattr_477_31_0)
-(typeattribute base_typeattr_478_31_0)
-(typeattribute base_typeattr_479_31_0)
-(typeattribute base_typeattr_47_31_0)
-(typeattribute base_typeattr_480_31_0)
-(typeattribute base_typeattr_481_31_0)
-(typeattribute base_typeattr_482_31_0)
-(typeattribute base_typeattr_483_31_0)
-(typeattribute base_typeattr_484_31_0)
-(typeattribute base_typeattr_485_31_0)
-(typeattribute base_typeattr_486_31_0)
-(typeattribute base_typeattr_487_31_0)
-(typeattribute base_typeattr_488_31_0)
-(typeattribute base_typeattr_489_31_0)
-(typeattribute base_typeattr_48_31_0)
-(typeattribute base_typeattr_490_31_0)
-(typeattribute base_typeattr_491_31_0)
-(typeattribute base_typeattr_492_31_0)
-(typeattribute base_typeattr_493_31_0)
-(typeattribute base_typeattr_494_31_0)
-(typeattribute base_typeattr_495_31_0)
-(typeattribute base_typeattr_496_31_0)
-(typeattribute base_typeattr_497_31_0)
-(typeattribute base_typeattr_498_31_0)
-(typeattribute base_typeattr_499_31_0)
-(typeattribute base_typeattr_49_31_0)
-(typeattribute base_typeattr_4_31_0)
-(typeattribute base_typeattr_500_31_0)
-(typeattribute base_typeattr_501_31_0)
-(typeattribute base_typeattr_502_31_0)
-(typeattribute base_typeattr_503_31_0)
-(typeattribute base_typeattr_504_31_0)
-(typeattribute base_typeattr_505_31_0)
-(typeattribute base_typeattr_506_31_0)
-(typeattribute base_typeattr_507_31_0)
-(typeattribute base_typeattr_508_31_0)
-(typeattribute base_typeattr_509_31_0)
-(typeattribute base_typeattr_50_31_0)
-(typeattribute base_typeattr_510_31_0)
-(typeattribute base_typeattr_511_31_0)
-(typeattribute base_typeattr_512_31_0)
-(typeattribute base_typeattr_513_31_0)
-(typeattribute base_typeattr_514_31_0)
-(typeattribute base_typeattr_515_31_0)
-(typeattribute base_typeattr_516_31_0)
-(typeattribute base_typeattr_517_31_0)
-(typeattribute base_typeattr_518_31_0)
-(typeattribute base_typeattr_519_31_0)
-(typeattribute base_typeattr_51_31_0)
-(typeattribute base_typeattr_520_31_0)
-(typeattribute base_typeattr_521_31_0)
-(typeattribute base_typeattr_522_31_0)
-(typeattribute base_typeattr_523_31_0)
-(typeattribute base_typeattr_524_31_0)
-(typeattribute base_typeattr_525_31_0)
-(typeattribute base_typeattr_526_31_0)
-(typeattribute base_typeattr_527_31_0)
-(typeattribute base_typeattr_528_31_0)
-(typeattribute base_typeattr_529_31_0)
-(typeattribute base_typeattr_52_31_0)
-(typeattribute base_typeattr_530_31_0)
-(typeattribute base_typeattr_531_31_0)
-(typeattribute base_typeattr_532_31_0)
-(typeattribute base_typeattr_533_31_0)
-(typeattribute base_typeattr_534_31_0)
-(typeattribute base_typeattr_535_31_0)
-(typeattribute base_typeattr_536_31_0)
-(typeattribute base_typeattr_537_31_0)
-(typeattribute base_typeattr_538_31_0)
-(typeattribute base_typeattr_539_31_0)
-(typeattribute base_typeattr_53_31_0)
-(typeattribute base_typeattr_54_31_0)
-(typeattribute base_typeattr_55_31_0)
-(typeattribute base_typeattr_56_31_0)
-(typeattribute base_typeattr_57_31_0)
-(typeattribute base_typeattr_58_31_0)
-(typeattribute base_typeattr_59_31_0)
-(typeattribute base_typeattr_5_31_0)
-(typeattribute base_typeattr_60_31_0)
-(typeattribute base_typeattr_61_31_0)
-(typeattribute base_typeattr_62_31_0)
-(typeattribute base_typeattr_63_31_0)
-(typeattribute base_typeattr_64_31_0)
-(typeattribute base_typeattr_65_31_0)
-(typeattribute base_typeattr_66_31_0)
-(typeattribute base_typeattr_67_31_0)
-(typeattribute base_typeattr_68_31_0)
-(typeattribute base_typeattr_69_31_0)
-(typeattribute base_typeattr_6_31_0)
-(typeattribute base_typeattr_70_31_0)
-(typeattribute base_typeattr_71_31_0)
-(typeattribute base_typeattr_72_31_0)
-(typeattribute base_typeattr_73_31_0)
-(typeattribute base_typeattr_74_31_0)
-(typeattribute base_typeattr_75_31_0)
-(typeattribute base_typeattr_76_31_0)
-(typeattribute base_typeattr_77_31_0)
-(typeattribute base_typeattr_78_31_0)
-(typeattribute base_typeattr_79_31_0)
-(typeattribute base_typeattr_7_31_0)
-(typeattribute base_typeattr_80_31_0)
-(typeattribute base_typeattr_81_31_0)
-(typeattribute base_typeattr_82_31_0)
-(typeattribute base_typeattr_83_31_0)
-(typeattribute base_typeattr_84_31_0)
-(typeattribute base_typeattr_85_31_0)
-(typeattribute base_typeattr_86_31_0)
-(typeattribute base_typeattr_87_31_0)
-(typeattribute base_typeattr_88_31_0)
-(typeattribute base_typeattr_89_31_0)
-(typeattribute base_typeattr_8_31_0)
-(typeattribute base_typeattr_90_31_0)
-(typeattribute base_typeattr_91_31_0)
-(typeattribute base_typeattr_92_31_0)
-(typeattribute base_typeattr_93_31_0)
-(typeattribute base_typeattr_94_31_0)
-(typeattribute base_typeattr_95_31_0)
-(typeattribute base_typeattr_96_31_0)
-(typeattribute base_typeattr_97_31_0)
-(typeattribute base_typeattr_98_31_0)
-(typeattribute base_typeattr_99_31_0)
-(typeattribute base_typeattr_9_31_0)
-(typeattribute battery_service_31_0)
-(typeattribute batteryproperties_service_31_0)
-(typeattribute batterystats_service_31_0)
-(typeattribute bdev_type)
-(typeattribute binder_cache_bluetooth_server_prop_31_0)
-(typeattribute binder_cache_system_server_prop_31_0)
-(typeattribute binder_cache_telephony_server_prop_31_0)
-(typeattribute binder_calls_stats_service_31_0)
-(typeattribute binder_device_31_0)
-(typeattribute binderfs_31_0)
-(typeattribute binderfs_logs_31_0)
-(typeattribute binderfs_logs_proc_31_0)
-(typeattribute binderservicedomain)
-(typeattribute binfmt_miscfs_31_0)
-(typeattribute biometric_service_31_0)
-(typeattribute blkid_31_0)
-(typeattribute blkid_untrusted_31_0)
-(typeattribute blob_store_service_31_0)
-(typeattribute block_device_31_0)
-(typeattribute bluetooth_31_0)
-(typeattribute bluetooth_a2dp_offload_prop_31_0)
-(typeattribute bluetooth_audio_hal_prop_31_0)
-(typeattribute bluetooth_data_file_31_0)
-(typeattribute bluetooth_efs_file_31_0)
-(typeattribute bluetooth_logs_data_file_31_0)
-(typeattribute bluetooth_manager_service_31_0)
-(typeattribute bluetooth_prop_31_0)
-(typeattribute bluetooth_service_31_0)
-(typeattribute bluetooth_socket_31_0)
-(typeattribute bluetoothdomain)
-(typeattribute boot_block_device_31_0)
-(typeattribute boot_status_prop_31_0)
-(typeattribute bootanim_31_0)
-(typeattribute bootanim_config_prop_31_0)
-(typeattribute bootanim_exec_31_0)
-(typeattribute bootanim_system_prop_31_0)
-(typeattribute bootchart_data_file_31_0)
-(typeattribute bootloader_boot_reason_prop_31_0)
-(typeattribute bootloader_prop_31_0)
-(typeattribute bootstat_31_0)
-(typeattribute bootstat_data_file_31_0)
-(typeattribute bootstat_exec_31_0)
-(typeattribute boottime_prop_31_0)
-(typeattribute boottime_public_prop_31_0)
-(typeattribute boottrace_data_file_31_0)
-(typeattribute bpf_progs_loaded_prop_31_0)
-(typeattribute bq_config_prop_31_0)
-(typeattribute broadcastradio_service_31_0)
-(typeattribute bufferhubd_31_0)
-(typeattribute bufferhubd_exec_31_0)
-(typeattribute bugreport_service_31_0)
-(typeattribute build_bootimage_prop_31_0)
-(typeattribute build_config_prop_31_0)
-(typeattribute build_odm_prop_31_0)
-(typeattribute build_prop_31_0)
-(typeattribute build_vendor_prop_31_0)
-(typeattribute cache_backup_file_31_0)
-(typeattribute cache_block_device_31_0)
-(typeattribute cache_file_31_0)
-(typeattribute cache_private_backup_file_31_0)
-(typeattribute cache_recovery_file_31_0)
-(typeattribute cacheinfo_service_31_0)
-(typeattribute camera2_extensions_prop_31_0)
-(typeattribute camera_calibration_prop_31_0)
-(typeattribute camera_config_prop_31_0)
-(typeattribute camera_data_file_31_0)
-(typeattribute camera_device_31_0)
-(typeattribute camera_service_server)
-(typeattribute cameraproxy_service_31_0)
-(typeattribute cameraserver_31_0)
-(typeattribute cameraserver_exec_31_0)
-(typeattribute cameraserver_service_31_0)
-(typeattribute cameraserver_tmpfs_31_0)
-(typeattribute camerax_extensions_prop_31_0)
-(typeattribute cgroup_31_0)
-(typeattribute cgroup_desc_api_file_31_0)
-(typeattribute cgroup_desc_file_31_0)
-(typeattribute cgroup_rc_file_31_0)
-(typeattribute cgroup_v2_31_0)
-(typeattribute charger_31_0)
-(typeattribute charger_config_prop_31_0)
-(typeattribute charger_exec_31_0)
-(typeattribute charger_prop_31_0)
-(typeattribute charger_status_prop_31_0)
-(typeattribute clipboard_service_31_0)
-(typeattribute codec2_config_prop_31_0)
-(typeattribute cold_boot_done_prop_31_0)
-(typeattribute color_display_service_31_0)
-(typeattribute companion_device_service_31_0)
-(typeattribute config_prop_31_0)
-(typeattribute configfs_31_0)
-(typeattribute connectivity_service_31_0)
-(typeattribute connmetrics_service_31_0)
-(typeattribute console_device_31_0)
-(typeattribute consumer_ir_service_31_0)
-(typeattribute content_capture_service_31_0)
-(typeattribute content_service_31_0)
-(typeattribute content_suggestions_service_31_0)
-(typeattribute contexthub_service_31_0)
-(typeattribute contextmount_type)
-(typeattribute core_data_file_type)
-(typeattribute core_property_type)
-(typeattribute coredomain)
-(typeattribute coredomain_hwservice)
-(typeattribute coredomain_socket)
-(typeattribute coredump_file_31_0)
-(typeattribute country_detector_service_31_0)
-(typeattribute coverage_service_31_0)
-(typeattribute cppreopt_prop_31_0)
-(typeattribute cpu_variant_prop_31_0)
-(typeattribute cpuinfo_service_31_0)
-(typeattribute crash_dump_31_0)
-(typeattribute crash_dump_exec_31_0)
-(typeattribute credstore_31_0)
-(typeattribute credstore_data_file_31_0)
-(typeattribute credstore_exec_31_0)
-(typeattribute credstore_service_31_0)
-(typeattribute crossprofileapps_service_31_0)
-(typeattribute ctl_adbd_prop_31_0)
-(typeattribute ctl_apexd_prop_31_0)
-(typeattribute ctl_bootanim_prop_31_0)
-(typeattribute ctl_bugreport_prop_31_0)
-(typeattribute ctl_console_prop_31_0)
-(typeattribute ctl_default_prop_31_0)
-(typeattribute ctl_dumpstate_prop_31_0)
-(typeattribute ctl_fuse_prop_31_0)
-(typeattribute ctl_gsid_prop_31_0)
-(typeattribute ctl_interface_restart_prop_31_0)
-(typeattribute ctl_interface_start_prop_31_0)
-(typeattribute ctl_interface_stop_prop_31_0)
-(typeattribute ctl_mdnsd_prop_31_0)
-(typeattribute ctl_restart_prop_31_0)
-(typeattribute ctl_rildaemon_prop_31_0)
-(typeattribute ctl_sigstop_prop_31_0)
-(typeattribute ctl_start_prop_31_0)
-(typeattribute ctl_stop_prop_31_0)
-(typeattribute dalvik_config_prop_31_0)
-(typeattribute dalvik_prop_31_0)
-(typeattribute dalvik_runtime_prop_31_0)
-(typeattribute dalvikcache_data_file_31_0)
-(typeattribute data_between_core_and_vendor_violators)
-(typeattribute data_file_type)
-(typeattribute dataloader_manager_service_31_0)
-(typeattribute dbinfo_service_31_0)
-(typeattribute dck_prop_31_0)
-(typeattribute debug_prop_31_0)
-(typeattribute debugfs_31_0)
-(typeattribute debugfs_bootreceiver_tracing_31_0)
-(typeattribute debugfs_kprobes_31_0)
-(typeattribute debugfs_mm_events_tracing_31_0)
-(typeattribute debugfs_mmc_31_0)
-(typeattribute debugfs_restriction_prop_31_0)
-(typeattribute debugfs_trace_marker_31_0)
-(typeattribute debugfs_tracing_31_0)
-(typeattribute debugfs_tracing_debug_31_0)
-(typeattribute debugfs_tracing_instances_31_0)
-(typeattribute debugfs_tracing_printk_formats_31_0)
-(typeattribute debugfs_type)
-(typeattribute debugfs_wakeup_sources_31_0)
-(typeattribute debugfs_wifi_tracing_31_0)
-(typeattribute debuggerd_prop_31_0)
-(typeattribute default_android_hwservice_31_0)
-(typeattribute default_android_service_31_0)
-(typeattribute default_android_vndservice_31_0)
-(typeattribute default_prop_31_0)
-(typeattribute dev_cpu_variant_31_0)
-(typeattribute dev_type)
-(typeattribute device_31_0)
-(typeattribute device_config_activity_manager_native_boot_prop_31_0)
-(typeattribute device_config_boot_count_prop_31_0)
-(typeattribute device_config_input_native_boot_prop_31_0)
-(typeattribute device_config_media_native_prop_31_0)
-(typeattribute device_config_netd_native_prop_31_0)
-(typeattribute device_config_reset_performed_prop_31_0)
-(typeattribute device_config_runtime_native_boot_prop_31_0)
-(typeattribute device_config_runtime_native_prop_31_0)
-(typeattribute device_config_service_31_0)
-(typeattribute device_identifiers_service_31_0)
-(typeattribute device_logging_prop_31_0)
-(typeattribute device_policy_service_31_0)
-(typeattribute device_state_service_31_0)
-(typeattribute deviceidle_service_31_0)
-(typeattribute devicestoragemonitor_service_31_0)
-(typeattribute devpts_31_0)
-(typeattribute dhcp_31_0)
-(typeattribute dhcp_data_file_31_0)
-(typeattribute dhcp_exec_31_0)
-(typeattribute dhcp_prop_31_0)
-(typeattribute diskstats_service_31_0)
-(typeattribute display_service_31_0)
-(typeattribute display_service_server)
-(typeattribute dm_device_31_0)
-(typeattribute dm_user_device_31_0)
-(typeattribute dmabuf_heap_device_31_0)
-(typeattribute dmabuf_heap_device_type)
-(typeattribute dmabuf_system_heap_device_31_0)
-(typeattribute dmabuf_system_secure_heap_device_31_0)
-(typeattribute dnsmasq_31_0)
-(typeattribute dnsmasq_exec_31_0)
-(typeattribute dnsproxyd_socket_31_0)
-(typeattribute dnsresolver_service_31_0)
-(typeattribute domain)
-(typeattribute domain_verification_service_31_0)
-(typeattribute dreams_service_31_0)
-(typeattribute drm_data_file_31_0)
-(typeattribute drm_service_config_prop_31_0)
-(typeattribute drmserver_31_0)
-(typeattribute drmserver_exec_31_0)
-(typeattribute drmserver_service_31_0)
-(typeattribute drmserver_socket_31_0)
-(typeattribute dropbox_data_file_31_0)
-(typeattribute dropbox_service_31_0)
-(typeattribute dumpstate_31_0)
-(typeattribute dumpstate_exec_31_0)
-(typeattribute dumpstate_options_prop_31_0)
-(typeattribute dumpstate_prop_31_0)
-(typeattribute dumpstate_service_31_0)
-(typeattribute dumpstate_socket_31_0)
-(typeattribute dynamic_system_prop_31_0)
-(typeattribute e2fs_31_0)
-(typeattribute e2fs_exec_31_0)
-(typeattribute efs_file_31_0)
-(typeattribute emergency_affordance_service_31_0)
-(typeattribute ephemeral_app_31_0)
-(typeattribute ephemeral_app_api_service)
-(typeattribute ethernet_service_31_0)
-(typeattribute exec_type)
-(typeattribute exfat_31_0)
-(typeattribute exported3_system_prop_31_0)
-(typeattribute exported_bluetooth_prop_31_0)
-(typeattribute exported_camera_prop_31_0)
-(typeattribute exported_config_prop_31_0)
-(typeattribute exported_default_prop_31_0)
-(typeattribute exported_dumpstate_prop_31_0)
-(typeattribute exported_overlay_prop_31_0)
-(typeattribute exported_pm_prop_31_0)
-(typeattribute exported_secure_prop_31_0)
-(typeattribute exported_system_prop_31_0)
-(typeattribute extended_core_property_type)
-(typeattribute external_vibrator_service_31_0)
-(typeattribute face_service_31_0)
-(typeattribute face_vendor_data_file_31_0)
-(typeattribute fastbootd_31_0)
-(typeattribute ffs_config_prop_31_0)
-(typeattribute ffs_control_prop_31_0)
-(typeattribute file_contexts_file_31_0)
-(typeattribute file_integrity_service_31_0)
-(typeattribute file_type)
-(typeattribute fingerprint_prop_31_0)
-(typeattribute fingerprint_service_31_0)
-(typeattribute fingerprint_vendor_data_file_31_0)
-(typeattribute fingerprintd_31_0)
-(typeattribute fingerprintd_data_file_31_0)
-(typeattribute fingerprintd_exec_31_0)
-(typeattribute fingerprintd_service_31_0)
-(typeattribute firstboot_prop_31_0)
-(typeattribute flags_health_check_31_0)
-(typeattribute flags_health_check_exec_31_0)
-(typeattribute font_service_31_0)
-(typeattribute framework_watchdog_config_prop_31_0)
-(typeattribute frp_block_device_31_0)
-(typeattribute fs_bpf_31_0)
-(typeattribute fs_bpf_tethering_31_0)
-(typeattribute fs_type)
-(typeattribute fsck_31_0)
-(typeattribute fsck_exec_31_0)
-(typeattribute fsck_untrusted_31_0)
-(typeattribute fscklogs_31_0)
-(typeattribute functionfs_31_0)
-(typeattribute fuse_31_0)
-(typeattribute fuse_device_31_0)
-(typeattribute fusectlfs_31_0)
-(typeattribute fwk_automotive_display_hwservice_31_0)
-(typeattribute fwk_bufferhub_hwservice_31_0)
-(typeattribute fwk_camera_hwservice_31_0)
-(typeattribute fwk_display_hwservice_31_0)
-(typeattribute fwk_scheduler_hwservice_31_0)
-(typeattribute fwk_sensor_hwservice_31_0)
-(typeattribute fwk_stats_hwservice_31_0)
-(typeattribute fwk_stats_service_31_0)
-(typeattribute fwmarkd_socket_31_0)
-(typeattribute game_service_31_0)
-(typeattribute gatekeeper_data_file_31_0)
-(typeattribute gatekeeper_service_31_0)
-(typeattribute gatekeeperd_31_0)
-(typeattribute gatekeeperd_exec_31_0)
-(typeattribute gfxinfo_service_31_0)
-(typeattribute gmscore_app_31_0)
-(typeattribute gnss_device_31_0)
-(typeattribute gnss_time_update_service_31_0)
-(typeattribute gps_control_31_0)
-(typeattribute gpu_device_31_0)
-(typeattribute gpu_service_31_0)
-(typeattribute gpuservice_31_0)
-(typeattribute graphics_config_prop_31_0)
-(typeattribute graphics_device_31_0)
-(typeattribute graphicsstats_service_31_0)
-(typeattribute gsi_data_file_31_0)
-(typeattribute gsi_metadata_file_31_0)
-(typeattribute gsi_metadata_file_type)
-(typeattribute gsi_public_metadata_file_31_0)
-(typeattribute hal_allocator)
-(typeattribute hal_allocator_client)
-(typeattribute hal_allocator_server)
-(typeattribute hal_atrace)
-(typeattribute hal_atrace_client)
-(typeattribute hal_atrace_hwservice_31_0)
-(typeattribute hal_atrace_server)
-(typeattribute hal_audio)
-(typeattribute hal_audio_client)
-(typeattribute hal_audio_hwservice_31_0)
-(typeattribute hal_audio_server)
-(typeattribute hal_audio_service_31_0)
-(typeattribute hal_audiocontrol)
-(typeattribute hal_audiocontrol_client)
-(typeattribute hal_audiocontrol_hwservice_31_0)
-(typeattribute hal_audiocontrol_server)
-(typeattribute hal_audiocontrol_service_31_0)
-(typeattribute hal_authsecret)
-(typeattribute hal_authsecret_client)
-(typeattribute hal_authsecret_hwservice_31_0)
-(typeattribute hal_authsecret_server)
-(typeattribute hal_authsecret_service_31_0)
-(typeattribute hal_automotive_socket_exemption)
-(typeattribute hal_bluetooth)
-(typeattribute hal_bluetooth_client)
-(typeattribute hal_bluetooth_hwservice_31_0)
-(typeattribute hal_bluetooth_server)
-(typeattribute hal_bootctl)
-(typeattribute hal_bootctl_client)
-(typeattribute hal_bootctl_hwservice_31_0)
-(typeattribute hal_bootctl_server)
-(typeattribute hal_broadcastradio)
-(typeattribute hal_broadcastradio_client)
-(typeattribute hal_broadcastradio_hwservice_31_0)
-(typeattribute hal_broadcastradio_server)
-(typeattribute hal_bufferhub)
-(typeattribute hal_bufferhub_client)
-(typeattribute hal_bufferhub_server)
-(typeattribute hal_camera)
-(typeattribute hal_camera_client)
-(typeattribute hal_camera_hwservice_31_0)
-(typeattribute hal_camera_server)
-(typeattribute hal_can_bus)
-(typeattribute hal_can_bus_client)
-(typeattribute hal_can_bus_hwservice_31_0)
-(typeattribute hal_can_bus_server)
-(typeattribute hal_can_controller)
-(typeattribute hal_can_controller_client)
-(typeattribute hal_can_controller_hwservice_31_0)
-(typeattribute hal_can_controller_server)
-(typeattribute hal_cas)
-(typeattribute hal_cas_client)
-(typeattribute hal_cas_hwservice_31_0)
-(typeattribute hal_cas_server)
-(typeattribute hal_codec2)
-(typeattribute hal_codec2_client)
-(typeattribute hal_codec2_hwservice_31_0)
-(typeattribute hal_codec2_server)
-(typeattribute hal_configstore)
-(typeattribute hal_configstore_ISurfaceFlingerConfigs_31_0)
-(typeattribute hal_configstore_client)
-(typeattribute hal_configstore_server)
-(typeattribute hal_confirmationui)
-(typeattribute hal_confirmationui_client)
-(typeattribute hal_confirmationui_hwservice_31_0)
-(typeattribute hal_confirmationui_server)
-(typeattribute hal_contexthub)
-(typeattribute hal_contexthub_client)
-(typeattribute hal_contexthub_hwservice_31_0)
-(typeattribute hal_contexthub_server)
-(typeattribute hal_drm)
-(typeattribute hal_drm_client)
-(typeattribute hal_drm_hwservice_31_0)
-(typeattribute hal_drm_server)
-(typeattribute hal_dumpstate)
-(typeattribute hal_dumpstate_client)
-(typeattribute hal_dumpstate_config_prop_31_0)
-(typeattribute hal_dumpstate_hwservice_31_0)
-(typeattribute hal_dumpstate_server)
-(typeattribute hal_evs)
-(typeattribute hal_evs_client)
-(typeattribute hal_evs_hwservice_31_0)
-(typeattribute hal_evs_server)
-(typeattribute hal_face)
-(typeattribute hal_face_client)
-(typeattribute hal_face_hwservice_31_0)
-(typeattribute hal_face_server)
-(typeattribute hal_face_service_31_0)
-(typeattribute hal_fingerprint)
-(typeattribute hal_fingerprint_client)
-(typeattribute hal_fingerprint_hwservice_31_0)
-(typeattribute hal_fingerprint_server)
-(typeattribute hal_fingerprint_service_31_0)
-(typeattribute hal_gatekeeper)
-(typeattribute hal_gatekeeper_client)
-(typeattribute hal_gatekeeper_hwservice_31_0)
-(typeattribute hal_gatekeeper_server)
-(typeattribute hal_gnss)
-(typeattribute hal_gnss_client)
-(typeattribute hal_gnss_hwservice_31_0)
-(typeattribute hal_gnss_server)
-(typeattribute hal_gnss_service_31_0)
-(typeattribute hal_graphics_allocator)
-(typeattribute hal_graphics_allocator_client)
-(typeattribute hal_graphics_allocator_hwservice_31_0)
-(typeattribute hal_graphics_allocator_server)
-(typeattribute hal_graphics_composer)
-(typeattribute hal_graphics_composer_client)
-(typeattribute hal_graphics_composer_client_tmpfs)
-(typeattribute hal_graphics_composer_hwservice_31_0)
-(typeattribute hal_graphics_composer_server)
-(typeattribute hal_graphics_composer_server_tmpfs_31_0)
-(typeattribute hal_graphics_mapper_hwservice_31_0)
-(typeattribute hal_health)
-(typeattribute hal_health_client)
-(typeattribute hal_health_hwservice_31_0)
-(typeattribute hal_health_server)
-(typeattribute hal_health_storage)
-(typeattribute hal_health_storage_client)
-(typeattribute hal_health_storage_hwservice_31_0)
-(typeattribute hal_health_storage_server)
-(typeattribute hal_health_storage_service_31_0)
-(typeattribute hal_identity)
-(typeattribute hal_identity_client)
-(typeattribute hal_identity_server)
-(typeattribute hal_identity_service_31_0)
-(typeattribute hal_input_classifier)
-(typeattribute hal_input_classifier_client)
-(typeattribute hal_input_classifier_hwservice_31_0)
-(typeattribute hal_input_classifier_server)
-(typeattribute hal_instrumentation_prop_31_0)
-(typeattribute hal_ir)
-(typeattribute hal_ir_client)
-(typeattribute hal_ir_hwservice_31_0)
-(typeattribute hal_ir_server)
-(typeattribute hal_keymaster)
-(typeattribute hal_keymaster_client)
-(typeattribute hal_keymaster_hwservice_31_0)
-(typeattribute hal_keymaster_server)
-(typeattribute hal_keymint)
-(typeattribute hal_keymint_client)
-(typeattribute hal_keymint_server)
-(typeattribute hal_keymint_service_31_0)
-(typeattribute hal_light)
-(typeattribute hal_light_client)
-(typeattribute hal_light_hwservice_31_0)
-(typeattribute hal_light_server)
-(typeattribute hal_light_service_31_0)
-(typeattribute hal_lowpan)
-(typeattribute hal_lowpan_client)
-(typeattribute hal_lowpan_hwservice_31_0)
-(typeattribute hal_lowpan_server)
-(typeattribute hal_memtrack)
-(typeattribute hal_memtrack_client)
-(typeattribute hal_memtrack_hwservice_31_0)
-(typeattribute hal_memtrack_server)
-(typeattribute hal_memtrack_service_31_0)
-(typeattribute hal_neuralnetworks)
-(typeattribute hal_neuralnetworks_client)
-(typeattribute hal_neuralnetworks_hwservice_31_0)
-(typeattribute hal_neuralnetworks_server)
-(typeattribute hal_neuralnetworks_service_31_0)
-(typeattribute hal_nfc)
-(typeattribute hal_nfc_client)
-(typeattribute hal_nfc_hwservice_31_0)
-(typeattribute hal_nfc_server)
-(typeattribute hal_oemlock)
-(typeattribute hal_oemlock_client)
-(typeattribute hal_oemlock_hwservice_31_0)
-(typeattribute hal_oemlock_server)
-(typeattribute hal_oemlock_service_31_0)
-(typeattribute hal_omx)
-(typeattribute hal_omx_client)
-(typeattribute hal_omx_hwservice_31_0)
-(typeattribute hal_omx_server)
-(typeattribute hal_power)
-(typeattribute hal_power_client)
-(typeattribute hal_power_hwservice_31_0)
-(typeattribute hal_power_server)
-(typeattribute hal_power_service_31_0)
-(typeattribute hal_power_stats)
-(typeattribute hal_power_stats_client)
-(typeattribute hal_power_stats_hwservice_31_0)
-(typeattribute hal_power_stats_server)
-(typeattribute hal_power_stats_service_31_0)
-(typeattribute hal_rebootescrow)
-(typeattribute hal_rebootescrow_client)
-(typeattribute hal_rebootescrow_server)
-(typeattribute hal_rebootescrow_service_31_0)
-(typeattribute hal_remotelyprovisionedcomponent_service_31_0)
-(typeattribute hal_renderscript_hwservice_31_0)
-(typeattribute hal_secure_element)
-(typeattribute hal_secure_element_client)
-(typeattribute hal_secure_element_hwservice_31_0)
-(typeattribute hal_secure_element_server)
-(typeattribute hal_secureclock_service_31_0)
-(typeattribute hal_sensors)
-(typeattribute hal_sensors_client)
-(typeattribute hal_sensors_hwservice_31_0)
-(typeattribute hal_sensors_server)
-(typeattribute hal_sharedsecret_service_31_0)
-(typeattribute hal_telephony)
-(typeattribute hal_telephony_client)
-(typeattribute hal_telephony_hwservice_31_0)
-(typeattribute hal_telephony_server)
-(typeattribute hal_tetheroffload)
-(typeattribute hal_tetheroffload_client)
-(typeattribute hal_tetheroffload_hwservice_31_0)
-(typeattribute hal_tetheroffload_server)
-(typeattribute hal_thermal)
-(typeattribute hal_thermal_client)
-(typeattribute hal_thermal_hwservice_31_0)
-(typeattribute hal_thermal_server)
-(typeattribute hal_tv_cec)
-(typeattribute hal_tv_cec_client)
-(typeattribute hal_tv_cec_hwservice_31_0)
-(typeattribute hal_tv_cec_server)
-(typeattribute hal_tv_input)
-(typeattribute hal_tv_input_client)
-(typeattribute hal_tv_input_hwservice_31_0)
-(typeattribute hal_tv_input_server)
-(typeattribute hal_tv_tuner)
-(typeattribute hal_tv_tuner_client)
-(typeattribute hal_tv_tuner_hwservice_31_0)
-(typeattribute hal_tv_tuner_server)
-(typeattribute hal_usb)
-(typeattribute hal_usb_client)
-(typeattribute hal_usb_gadget)
-(typeattribute hal_usb_gadget_client)
-(typeattribute hal_usb_gadget_hwservice_31_0)
-(typeattribute hal_usb_gadget_server)
-(typeattribute hal_usb_hwservice_31_0)
-(typeattribute hal_usb_server)
-(typeattribute hal_uwb)
-(typeattribute hal_uwb_client)
-(typeattribute hal_uwb_server)
-(typeattribute hal_vehicle)
-(typeattribute hal_vehicle_client)
-(typeattribute hal_vehicle_hwservice_31_0)
-(typeattribute hal_vehicle_server)
-(typeattribute hal_vibrator)
-(typeattribute hal_vibrator_client)
-(typeattribute hal_vibrator_hwservice_31_0)
-(typeattribute hal_vibrator_server)
-(typeattribute hal_vibrator_service_31_0)
-(typeattribute hal_vr)
-(typeattribute hal_vr_client)
-(typeattribute hal_vr_hwservice_31_0)
-(typeattribute hal_vr_server)
-(typeattribute hal_weaver)
-(typeattribute hal_weaver_client)
-(typeattribute hal_weaver_hwservice_31_0)
-(typeattribute hal_weaver_server)
-(typeattribute hal_weaver_service_31_0)
-(typeattribute hal_wifi)
-(typeattribute hal_wifi_client)
-(typeattribute hal_wifi_hostapd)
-(typeattribute hal_wifi_hostapd_client)
-(typeattribute hal_wifi_hostapd_hwservice_31_0)
-(typeattribute hal_wifi_hostapd_server)
-(typeattribute hal_wifi_hwservice_31_0)
-(typeattribute hal_wifi_server)
-(typeattribute hal_wifi_supplicant)
-(typeattribute hal_wifi_supplicant_client)
-(typeattribute hal_wifi_supplicant_hwservice_31_0)
-(typeattribute hal_wifi_supplicant_server)
-(typeattribute halclientdomain)
-(typeattribute halserverdomain)
-(typeattribute hardware_properties_service_31_0)
-(typeattribute hardware_service_31_0)
-(typeattribute hci_attach_dev_31_0)
-(typeattribute hdmi_config_prop_31_0)
-(typeattribute hdmi_control_service_31_0)
-(typeattribute healthd_31_0)
-(typeattribute healthd_exec_31_0)
-(typeattribute heapdump_data_file_31_0)
-(typeattribute heapprofd_31_0)
-(typeattribute heapprofd_enabled_prop_31_0)
-(typeattribute heapprofd_prop_31_0)
-(typeattribute heapprofd_socket_31_0)
-(typeattribute hidl_allocator_hwservice_31_0)
-(typeattribute hidl_base_hwservice_31_0)
-(typeattribute hidl_manager_hwservice_31_0)
-(typeattribute hidl_memory_hwservice_31_0)
-(typeattribute hidl_token_hwservice_31_0)
-(typeattribute hint_service_31_0)
-(typeattribute hw_random_device_31_0)
-(typeattribute hw_timeout_multiplier_prop_31_0)
-(typeattribute hwbinder_device_31_0)
-(typeattribute hwservice_contexts_file_31_0)
-(typeattribute hwservice_manager_type)
-(typeattribute hwservicemanager_31_0)
-(typeattribute hwservicemanager_exec_31_0)
-(typeattribute hwservicemanager_prop_31_0)
-(typeattribute icon_file_31_0)
-(typeattribute idmap_31_0)
-(typeattribute idmap_exec_31_0)
-(typeattribute idmap_service_31_0)
-(typeattribute iio_device_31_0)
-(typeattribute imms_service_31_0)
-(typeattribute incident_31_0)
-(typeattribute incident_data_file_31_0)
-(typeattribute incident_helper_31_0)
-(typeattribute incident_service_31_0)
-(typeattribute incidentd_31_0)
-(typeattribute incremental_control_file_31_0)
-(typeattribute incremental_prop_31_0)
-(typeattribute incremental_service_31_0)
-(typeattribute init_31_0)
-(typeattribute init_exec_31_0)
-(typeattribute init_service_status_prop_31_0)
-(typeattribute init_tmpfs_31_0)
-(typeattribute inotify_31_0)
-(typeattribute input_device_31_0)
-(typeattribute input_method_service_31_0)
-(typeattribute input_service_31_0)
-(typeattribute inputflinger_31_0)
-(typeattribute inputflinger_exec_31_0)
-(typeattribute inputflinger_service_31_0)
-(typeattribute install_data_file_31_0)
-(typeattribute installd_31_0)
-(typeattribute installd_exec_31_0)
-(typeattribute installd_service_31_0)
-(typeattribute ion_device_31_0)
-(typeattribute iorap_inode2filename_31_0)
-(typeattribute iorap_inode2filename_exec_31_0)
-(typeattribute iorap_inode2filename_tmpfs_31_0)
-(typeattribute iorap_prefetcherd_31_0)
-(typeattribute iorap_prefetcherd_exec_31_0)
-(typeattribute iorap_prefetcherd_tmpfs_31_0)
-(typeattribute iorapd_31_0)
-(typeattribute iorapd_data_file_31_0)
-(typeattribute iorapd_exec_31_0)
-(typeattribute iorapd_service_31_0)
-(typeattribute iorapd_tmpfs_31_0)
-(typeattribute ipsec_service_31_0)
-(typeattribute iris_service_31_0)
-(typeattribute iris_vendor_data_file_31_0)
-(typeattribute isolated_app_31_0)
-(typeattribute jobscheduler_service_31_0)
-(typeattribute kernel_31_0)
-(typeattribute keychain_data_file_31_0)
-(typeattribute keychord_device_31_0)
-(typeattribute keyguard_config_prop_31_0)
-(typeattribute keystore2_key_contexts_file_31_0)
-(typeattribute keystore2_key_type)
-(typeattribute keystore_31_0)
-(typeattribute keystore_compat_hal_service_31_0)
-(typeattribute keystore_data_file_31_0)
-(typeattribute keystore_exec_31_0)
-(typeattribute keystore_maintenance_service_31_0)
-(typeattribute keystore_metrics_service_31_0)
-(typeattribute keystore_service_31_0)
-(typeattribute kmsg_debug_device_31_0)
-(typeattribute kmsg_device_31_0)
-(typeattribute labeledfs_31_0)
-(typeattribute launcherapps_service_31_0)
-(typeattribute legacy_permission_service_31_0)
-(typeattribute legacykeystore_service_31_0)
-(typeattribute libc_debug_prop_31_0)
-(typeattribute light_service_31_0)
-(typeattribute linkerconfig_file_31_0)
-(typeattribute llkd_31_0)
-(typeattribute llkd_exec_31_0)
-(typeattribute llkd_prop_31_0)
-(typeattribute lmkd_31_0)
-(typeattribute lmkd_config_prop_31_0)
-(typeattribute lmkd_exec_31_0)
-(typeattribute lmkd_prop_31_0)
-(typeattribute lmkd_socket_31_0)
-(typeattribute location_service_31_0)
-(typeattribute location_time_zone_manager_service_31_0)
-(typeattribute lock_settings_service_31_0)
-(typeattribute log_prop_31_0)
-(typeattribute log_property_type)
-(typeattribute log_tag_prop_31_0)
-(typeattribute logcat_exec_31_0)
-(typeattribute logd_31_0)
-(typeattribute logd_exec_31_0)
-(typeattribute logd_prop_31_0)
-(typeattribute logd_socket_31_0)
-(typeattribute logdr_socket_31_0)
-(typeattribute logdw_socket_31_0)
-(typeattribute logpersist_31_0)
-(typeattribute logpersistd_logging_prop_31_0)
-(typeattribute loop_control_device_31_0)
-(typeattribute loop_device_31_0)
-(typeattribute looper_stats_service_31_0)
-(typeattribute lowpan_device_31_0)
-(typeattribute lowpan_prop_31_0)
-(typeattribute lowpan_service_31_0)
-(typeattribute lpdump_service_31_0)
-(typeattribute lpdumpd_prop_31_0)
-(typeattribute mac_perms_file_31_0)
-(typeattribute mdns_socket_31_0)
-(typeattribute mdnsd_31_0)
-(typeattribute mdnsd_socket_31_0)
-(typeattribute media_communication_service_31_0)
-(typeattribute media_config_prop_31_0)
-(typeattribute media_data_file_31_0)
-(typeattribute media_metrics_service_31_0)
-(typeattribute media_projection_service_31_0)
-(typeattribute media_router_service_31_0)
-(typeattribute media_rw_data_file_31_0)
-(typeattribute media_session_service_31_0)
-(typeattribute media_variant_prop_31_0)
-(typeattribute mediadrm_config_prop_31_0)
-(typeattribute mediadrmserver_31_0)
-(typeattribute mediadrmserver_exec_31_0)
-(typeattribute mediadrmserver_service_31_0)
-(typeattribute mediaextractor_31_0)
-(typeattribute mediaextractor_exec_31_0)
-(typeattribute mediaextractor_service_31_0)
-(typeattribute mediaextractor_tmpfs_31_0)
-(typeattribute mediametrics_31_0)
-(typeattribute mediametrics_exec_31_0)
-(typeattribute mediametrics_service_31_0)
-(typeattribute mediaprovider_31_0)
-(typeattribute mediaserver_31_0)
-(typeattribute mediaserver_exec_31_0)
-(typeattribute mediaserver_service_31_0)
-(typeattribute mediaserver_tmpfs_31_0)
-(typeattribute mediaswcodec_31_0)
-(typeattribute mediaswcodec_exec_31_0)
-(typeattribute mediatranscoding_service_31_0)
-(typeattribute meminfo_service_31_0)
-(typeattribute memtrackproxy_service_31_0)
-(typeattribute metadata_block_device_31_0)
-(typeattribute metadata_bootstat_file_31_0)
-(typeattribute metadata_file_31_0)
-(typeattribute method_trace_data_file_31_0)
-(typeattribute midi_service_31_0)
-(typeattribute mirror_data_file_31_0)
-(typeattribute misc_block_device_31_0)
-(typeattribute misc_logd_file_31_0)
-(typeattribute misc_user_data_file_31_0)
-(typeattribute mlstrustedobject)
-(typeattribute mlstrustedsubject)
-(typeattribute mm_events_config_prop_31_0)
-(typeattribute mmc_prop_31_0)
-(typeattribute mnt_expand_file_31_0)
-(typeattribute mnt_media_rw_file_31_0)
-(typeattribute mnt_media_rw_stub_file_31_0)
-(typeattribute mnt_pass_through_file_31_0)
-(typeattribute mnt_product_file_31_0)
-(typeattribute mnt_sdcard_file_31_0)
-(typeattribute mnt_user_file_31_0)
-(typeattribute mnt_vendor_file_31_0)
-(typeattribute mock_ota_prop_31_0)
-(typeattribute modprobe_31_0)
-(typeattribute module_sdkextensions_prop_31_0)
-(typeattribute mount_service_31_0)
-(typeattribute mqueue_31_0)
-(typeattribute mtp_31_0)
-(typeattribute mtp_device_31_0)
-(typeattribute mtp_exec_31_0)
-(typeattribute mtpd_socket_31_0)
-(typeattribute music_recognition_service_31_0)
-(typeattribute nativetest_data_file_31_0)
-(typeattribute net_data_file_31_0)
-(typeattribute net_dns_prop_31_0)
-(typeattribute net_radio_prop_31_0)
-(typeattribute netd_31_0)
-(typeattribute netd_exec_31_0)
-(typeattribute netd_listener_service_31_0)
-(typeattribute netd_service_31_0)
-(typeattribute netdomain)
-(typeattribute netif_31_0)
-(typeattribute netif_type)
-(typeattribute netpolicy_service_31_0)
-(typeattribute netstats_service_31_0)
-(typeattribute netutils_wrapper_31_0)
-(typeattribute netutils_wrapper_exec_31_0)
-(typeattribute network_management_service_31_0)
-(typeattribute network_score_service_31_0)
-(typeattribute network_stack_31_0)
-(typeattribute network_stack_service_31_0)
-(typeattribute network_time_update_service_31_0)
-(typeattribute network_watchlist_data_file_31_0)
-(typeattribute network_watchlist_service_31_0)
-(typeattribute nfc_31_0)
-(typeattribute nfc_data_file_31_0)
-(typeattribute nfc_device_31_0)
-(typeattribute nfc_logs_data_file_31_0)
-(typeattribute nfc_prop_31_0)
-(typeattribute nfc_service_31_0)
-(typeattribute nnapi_ext_deny_product_prop_31_0)
-(typeattribute node_31_0)
-(typeattribute node_type)
-(typeattribute nonplat_service_contexts_file_31_0)
-(typeattribute notification_service_31_0)
-(typeattribute null_device_31_0)
-(typeattribute oem_lock_service_31_0)
-(typeattribute oem_unlock_prop_31_0)
-(typeattribute oemfs_31_0)
-(typeattribute ota_data_file_31_0)
-(typeattribute ota_metadata_file_31_0)
-(typeattribute ota_package_file_31_0)
-(typeattribute ota_prop_31_0)
-(typeattribute otadexopt_service_31_0)
-(typeattribute otapreopt_chroot_31_0)
-(typeattribute overlay_prop_31_0)
-(typeattribute overlay_service_31_0)
-(typeattribute overlayfs_file_31_0)
-(typeattribute owntty_device_31_0)
-(typeattribute pac_proxy_service_31_0)
-(typeattribute package_native_service_31_0)
-(typeattribute package_service_31_0)
-(typeattribute packagemanager_config_prop_31_0)
-(typeattribute packages_list_file_31_0)
-(typeattribute pan_result_prop_31_0)
-(typeattribute password_slot_metadata_file_31_0)
-(typeattribute pdx_bufferhub_client_channel_socket_31_0)
-(typeattribute pdx_bufferhub_client_channel_socket_type)
-(typeattribute pdx_bufferhub_client_endpoint_dir_type)
-(typeattribute pdx_bufferhub_client_endpoint_socket_31_0)
-(typeattribute pdx_bufferhub_client_endpoint_socket_type)
-(typeattribute pdx_bufferhub_client_server_type)
-(typeattribute pdx_bufferhub_dir_31_0)
-(typeattribute pdx_channel_socket_type)
-(typeattribute pdx_display_client_channel_socket_31_0)
-(typeattribute pdx_display_client_channel_socket_type)
-(typeattribute pdx_display_client_endpoint_dir_type)
-(typeattribute pdx_display_client_endpoint_socket_31_0)
-(typeattribute pdx_display_client_endpoint_socket_type)
-(typeattribute pdx_display_client_server_type)
-(typeattribute pdx_display_dir_31_0)
-(typeattribute pdx_display_manager_channel_socket_31_0)
-(typeattribute pdx_display_manager_channel_socket_type)
-(typeattribute pdx_display_manager_endpoint_dir_type)
-(typeattribute pdx_display_manager_endpoint_socket_31_0)
-(typeattribute pdx_display_manager_endpoint_socket_type)
-(typeattribute pdx_display_manager_server_type)
-(typeattribute pdx_display_screenshot_channel_socket_31_0)
-(typeattribute pdx_display_screenshot_channel_socket_type)
-(typeattribute pdx_display_screenshot_endpoint_dir_type)
-(typeattribute pdx_display_screenshot_endpoint_socket_31_0)
-(typeattribute pdx_display_screenshot_endpoint_socket_type)
-(typeattribute pdx_display_screenshot_server_type)
-(typeattribute pdx_display_vsync_channel_socket_31_0)
-(typeattribute pdx_display_vsync_channel_socket_type)
-(typeattribute pdx_display_vsync_endpoint_dir_type)
-(typeattribute pdx_display_vsync_endpoint_socket_31_0)
-(typeattribute pdx_display_vsync_endpoint_socket_type)
-(typeattribute pdx_display_vsync_server_type)
-(typeattribute pdx_endpoint_dir_type)
-(typeattribute pdx_endpoint_socket_type)
-(typeattribute pdx_performance_client_channel_socket_31_0)
-(typeattribute pdx_performance_client_channel_socket_type)
-(typeattribute pdx_performance_client_endpoint_dir_type)
-(typeattribute pdx_performance_client_endpoint_socket_31_0)
-(typeattribute pdx_performance_client_endpoint_socket_type)
-(typeattribute pdx_performance_client_server_type)
-(typeattribute pdx_performance_dir_31_0)
-(typeattribute people_service_31_0)
-(typeattribute perfetto_31_0)
-(typeattribute performanced_31_0)
-(typeattribute performanced_exec_31_0)
-(typeattribute permission_checker_service_31_0)
-(typeattribute permission_service_31_0)
-(typeattribute permissionmgr_service_31_0)
-(typeattribute persist_debug_prop_31_0)
-(typeattribute persist_vendor_debug_wifi_prop_31_0)
-(typeattribute persistent_data_block_service_31_0)
-(typeattribute persistent_properties_ready_prop_31_0)
-(typeattribute pinner_service_31_0)
-(typeattribute pipefs_31_0)
-(typeattribute platform_app_31_0)
-(typeattribute platform_compat_service_31_0)
-(typeattribute pmsg_device_31_0)
-(typeattribute port_31_0)
-(typeattribute port_device_31_0)
-(typeattribute port_type)
-(typeattribute postinstall_31_0)
-(typeattribute postinstall_apex_mnt_dir_31_0)
-(typeattribute postinstall_file_31_0)
-(typeattribute postinstall_mnt_dir_31_0)
-(typeattribute power_debug_prop_31_0)
-(typeattribute power_service_31_0)
-(typeattribute powerctl_prop_31_0)
-(typeattribute powerstats_service_31_0)
-(typeattribute ppp_31_0)
-(typeattribute ppp_device_31_0)
-(typeattribute ppp_exec_31_0)
-(typeattribute preloads_data_file_31_0)
-(typeattribute preloads_media_file_31_0)
-(typeattribute prereboot_data_file_31_0)
-(typeattribute print_service_31_0)
-(typeattribute priv_app_31_0)
-(typeattribute privapp_data_file_31_0)
-(typeattribute proc_31_0)
-(typeattribute proc_abi_31_0)
-(typeattribute proc_asound_31_0)
-(typeattribute proc_bluetooth_writable_31_0)
-(typeattribute proc_bootconfig_31_0)
-(typeattribute proc_buddyinfo_31_0)
-(typeattribute proc_cmdline_31_0)
-(typeattribute proc_cpuinfo_31_0)
-(typeattribute proc_dirty_31_0)
-(typeattribute proc_diskstats_31_0)
-(typeattribute proc_drop_caches_31_0)
-(typeattribute proc_extra_free_kbytes_31_0)
-(typeattribute proc_filesystems_31_0)
-(typeattribute proc_fs_verity_31_0)
-(typeattribute proc_hostname_31_0)
-(typeattribute proc_hung_task_31_0)
-(typeattribute proc_interrupts_31_0)
-(typeattribute proc_iomem_31_0)
-(typeattribute proc_kallsyms_31_0)
-(typeattribute proc_keys_31_0)
-(typeattribute proc_kmsg_31_0)
-(typeattribute proc_kpageflags_31_0)
-(typeattribute proc_loadavg_31_0)
-(typeattribute proc_locks_31_0)
-(typeattribute proc_lowmemorykiller_31_0)
-(typeattribute proc_max_map_count_31_0)
-(typeattribute proc_meminfo_31_0)
-(typeattribute proc_min_free_order_shift_31_0)
-(typeattribute proc_misc_31_0)
-(typeattribute proc_modules_31_0)
-(typeattribute proc_mounts_31_0)
-(typeattribute proc_net_31_0)
-(typeattribute proc_net_tcp_udp_31_0)
-(typeattribute proc_net_type)
-(typeattribute proc_overcommit_memory_31_0)
-(typeattribute proc_page_cluster_31_0)
-(typeattribute proc_pagetypeinfo_31_0)
-(typeattribute proc_panic_31_0)
-(typeattribute proc_perf_31_0)
-(typeattribute proc_pid_max_31_0)
-(typeattribute proc_pipe_conf_31_0)
-(typeattribute proc_pressure_cpu_31_0)
-(typeattribute proc_pressure_io_31_0)
-(typeattribute proc_pressure_mem_31_0)
-(typeattribute proc_qtaguid_ctrl_31_0)
-(typeattribute proc_qtaguid_stat_31_0)
-(typeattribute proc_random_31_0)
-(typeattribute proc_sched_31_0)
-(typeattribute proc_security_31_0)
-(typeattribute proc_slabinfo_31_0)
-(typeattribute proc_stat_31_0)
-(typeattribute proc_swaps_31_0)
-(typeattribute proc_sysrq_31_0)
-(typeattribute proc_timer_31_0)
-(typeattribute proc_tty_drivers_31_0)
-(typeattribute proc_type)
-(typeattribute proc_uid_concurrent_active_time_31_0)
-(typeattribute proc_uid_concurrent_policy_time_31_0)
-(typeattribute proc_uid_cpupower_31_0)
-(typeattribute proc_uid_cputime_removeuid_31_0)
-(typeattribute proc_uid_cputime_showstat_31_0)
-(typeattribute proc_uid_io_stats_31_0)
-(typeattribute proc_uid_procstat_set_31_0)
-(typeattribute proc_uid_time_in_state_31_0)
-(typeattribute proc_uptime_31_0)
-(typeattribute proc_vendor_sched_31_0)
-(typeattribute proc_version_31_0)
-(typeattribute proc_vmallocinfo_31_0)
-(typeattribute proc_vmstat_31_0)
-(typeattribute proc_zoneinfo_31_0)
-(typeattribute processinfo_service_31_0)
-(typeattribute procstats_service_31_0)
-(typeattribute profman_31_0)
-(typeattribute profman_dump_data_file_31_0)
-(typeattribute profman_exec_31_0)
-(typeattribute properties_device_31_0)
-(typeattribute properties_serial_31_0)
-(typeattribute property_contexts_file_31_0)
-(typeattribute property_data_file_31_0)
-(typeattribute property_info_31_0)
-(typeattribute property_service_version_prop_31_0)
-(typeattribute property_socket_31_0)
-(typeattribute property_type)
-(typeattribute protected_hwservice)
-(typeattribute protected_service)
-(typeattribute provisioned_prop_31_0)
-(typeattribute pstorefs_31_0)
-(typeattribute ptmx_device_31_0)
-(typeattribute qemu_hw_prop_31_0)
-(typeattribute qemu_sf_lcd_density_prop_31_0)
-(typeattribute qtaguid_device_31_0)
-(typeattribute racoon_31_0)
-(typeattribute racoon_exec_31_0)
-(typeattribute racoon_socket_31_0)
-(typeattribute radio_31_0)
-(typeattribute radio_control_prop_31_0)
-(typeattribute radio_core_data_file_31_0)
-(typeattribute radio_data_file_31_0)
-(typeattribute radio_device_31_0)
-(typeattribute radio_prop_31_0)
-(typeattribute radio_service_31_0)
-(typeattribute ram_device_31_0)
-(typeattribute random_device_31_0)
-(typeattribute reboot_readiness_service_31_0)
-(typeattribute rebootescrow_hal_prop_31_0)
-(typeattribute recovery_31_0)
-(typeattribute recovery_block_device_31_0)
-(typeattribute recovery_config_prop_31_0)
-(typeattribute recovery_data_file_31_0)
-(typeattribute recovery_persist_31_0)
-(typeattribute recovery_persist_exec_31_0)
-(typeattribute recovery_refresh_31_0)
-(typeattribute recovery_refresh_exec_31_0)
-(typeattribute recovery_service_31_0)
-(typeattribute recovery_socket_31_0)
-(typeattribute registry_service_31_0)
-(typeattribute remoteprovisioning_service_31_0)
-(typeattribute resourcecache_data_file_31_0)
-(typeattribute restorecon_prop_31_0)
-(typeattribute restrictions_service_31_0)
-(typeattribute retaildemo_prop_31_0)
-(typeattribute rild_debug_socket_31_0)
-(typeattribute rild_socket_31_0)
-(typeattribute ringtone_file_31_0)
-(typeattribute role_service_31_0)
-(typeattribute rollback_service_31_0)
-(typeattribute root_block_device_31_0)
-(typeattribute rootfs_31_0)
-(typeattribute rpmsg_device_31_0)
-(typeattribute rs_31_0)
-(typeattribute rs_exec_31_0)
-(typeattribute rss_hwm_reset_31_0)
-(typeattribute rtc_device_31_0)
-(typeattribute rttmanager_service_31_0)
-(typeattribute runas_31_0)
-(typeattribute runas_app_31_0)
-(typeattribute runas_exec_31_0)
-(typeattribute runtime_event_log_tags_file_31_0)
-(typeattribute runtime_service_31_0)
-(typeattribute safemode_prop_31_0)
-(typeattribute same_process_hal_file_31_0)
-(typeattribute same_process_hwservice)
-(typeattribute samplingprofiler_service_31_0)
-(typeattribute scheduler_service_server)
-(typeattribute scheduling_policy_service_31_0)
-(typeattribute sdcard_block_device_31_0)
-(typeattribute sdcard_type)
-(typeattribute sdcardd_31_0)
-(typeattribute sdcardd_exec_31_0)
-(typeattribute sdcardfs_31_0)
-(typeattribute seapp_contexts_file_31_0)
-(typeattribute search_service_31_0)
-(typeattribute search_ui_service_31_0)
-(typeattribute sec_key_att_app_id_provider_service_31_0)
-(typeattribute secure_element_31_0)
-(typeattribute secure_element_device_31_0)
-(typeattribute secure_element_service_31_0)
-(typeattribute securityfs_31_0)
-(typeattribute selinuxfs_31_0)
-(typeattribute sendbug_config_prop_31_0)
-(typeattribute sensor_privacy_service_31_0)
-(typeattribute sensor_service_server)
-(typeattribute sensors_device_31_0)
-(typeattribute sensorservice_service_31_0)
-(typeattribute sepolicy_file_31_0)
-(typeattribute serial_device_31_0)
-(typeattribute serial_service_31_0)
-(typeattribute serialno_prop_31_0)
-(typeattribute server_configurable_flags_data_file_31_0)
-(typeattribute service_contexts_file_31_0)
-(typeattribute service_manager_service_31_0)
-(typeattribute service_manager_type)
-(typeattribute service_manager_vndservice_31_0)
-(typeattribute servicediscovery_service_31_0)
-(typeattribute servicemanager_31_0)
-(typeattribute servicemanager_exec_31_0)
-(typeattribute settings_service_31_0)
-(typeattribute sgdisk_31_0)
-(typeattribute sgdisk_exec_31_0)
-(typeattribute shared_relro_31_0)
-(typeattribute shared_relro_file_31_0)
-(typeattribute shell_31_0)
-(typeattribute shell_data_file_31_0)
-(typeattribute shell_exec_31_0)
-(typeattribute shell_prop_31_0)
-(typeattribute shell_test_data_file_31_0)
-(typeattribute shm_31_0)
-(typeattribute shortcut_manager_icons_31_0)
-(typeattribute shortcut_service_31_0)
-(typeattribute simpleperf_31_0)
-(typeattribute simpleperf_app_runner_31_0)
-(typeattribute simpleperf_app_runner_exec_31_0)
-(typeattribute slice_service_31_0)
-(typeattribute slideshow_31_0)
-(typeattribute smartspace_service_31_0)
-(typeattribute snapshotctl_log_data_file_31_0)
-(typeattribute snapuserd_socket_31_0)
-(typeattribute soc_prop_31_0)
-(typeattribute socket_between_core_and_vendor_violators)
-(typeattribute socket_device_31_0)
-(typeattribute socket_hook_prop_31_0)
-(typeattribute sockfs_31_0)
-(typeattribute sota_prop_31_0)
-(typeattribute soundtrigger_middleware_service_31_0)
-(typeattribute speech_recognition_service_31_0)
-(typeattribute sqlite_log_prop_31_0)
-(typeattribute staged_install_file_31_0)
-(typeattribute staging_data_file_31_0)
-(typeattribute stats_data_file_31_0)
-(typeattribute stats_service_server)
-(typeattribute statsd_31_0)
-(typeattribute statsd_exec_31_0)
-(typeattribute statsdw_socket_31_0)
-(typeattribute statusbar_service_31_0)
-(typeattribute storage_config_prop_31_0)
-(typeattribute storage_file_31_0)
-(typeattribute storage_stub_file_31_0)
-(typeattribute storaged_service_31_0)
-(typeattribute storagemanager_config_prop_31_0)
-(typeattribute storagestats_service_31_0)
-(typeattribute su_31_0)
-(typeattribute su_exec_31_0)
-(typeattribute super_block_device_31_0)
-(typeattribute super_block_device_type)
-(typeattribute surfaceflinger_31_0)
-(typeattribute surfaceflinger_color_prop_31_0)
-(typeattribute surfaceflinger_display_prop_31_0)
-(typeattribute surfaceflinger_prop_31_0)
-(typeattribute surfaceflinger_service_31_0)
-(typeattribute surfaceflinger_tmpfs_31_0)
-(typeattribute suspend_prop_31_0)
-(typeattribute swap_block_device_31_0)
-(typeattribute sysfs_31_0)
-(typeattribute sysfs_android_usb_31_0)
-(typeattribute sysfs_batteryinfo_31_0)
-(typeattribute sysfs_block_31_0)
-(typeattribute sysfs_block_type)
-(typeattribute sysfs_bluetooth_writable_31_0)
-(typeattribute sysfs_devfreq_cur_31_0)
-(typeattribute sysfs_devfreq_dir_31_0)
-(typeattribute sysfs_devices_block_31_0)
-(typeattribute sysfs_devices_cs_etm_31_0)
-(typeattribute sysfs_devices_system_cpu_31_0)
-(typeattribute sysfs_dm_31_0)
-(typeattribute sysfs_dm_verity_31_0)
-(typeattribute sysfs_dma_heap_31_0)
-(typeattribute sysfs_dmabuf_stats_31_0)
-(typeattribute sysfs_dt_firmware_android_31_0)
-(typeattribute sysfs_extcon_31_0)
-(typeattribute sysfs_fs_ext4_features_31_0)
-(typeattribute sysfs_fs_f2fs_31_0)
-(typeattribute sysfs_fs_incfs_features_31_0)
-(typeattribute sysfs_fs_incfs_metrics_31_0)
-(typeattribute sysfs_hwrandom_31_0)
-(typeattribute sysfs_ion_31_0)
-(typeattribute sysfs_ipv4_31_0)
-(typeattribute sysfs_kernel_notes_31_0)
-(typeattribute sysfs_leds_31_0)
-(typeattribute sysfs_loop_31_0)
-(typeattribute sysfs_lowmemorykiller_31_0)
-(typeattribute sysfs_net_31_0)
-(typeattribute sysfs_nfc_power_writable_31_0)
-(typeattribute sysfs_power_31_0)
-(typeattribute sysfs_rtc_31_0)
-(typeattribute sysfs_suspend_stats_31_0)
-(typeattribute sysfs_switch_31_0)
-(typeattribute sysfs_thermal_31_0)
-(typeattribute sysfs_transparent_hugepage_31_0)
-(typeattribute sysfs_type)
-(typeattribute sysfs_uhid_31_0)
-(typeattribute sysfs_uio_31_0)
-(typeattribute sysfs_usb_31_0)
-(typeattribute sysfs_usermodehelper_31_0)
-(typeattribute sysfs_vendor_sched_31_0)
-(typeattribute sysfs_vibrator_31_0)
-(typeattribute sysfs_wake_lock_31_0)
-(typeattribute sysfs_wakeup_31_0)
-(typeattribute sysfs_wakeup_reasons_31_0)
-(typeattribute sysfs_wlan_fwpath_31_0)
-(typeattribute sysfs_zram_31_0)
-(typeattribute sysfs_zram_uevent_31_0)
-(typeattribute system_api_service)
-(typeattribute system_app_31_0)
-(typeattribute system_app_data_file_31_0)
-(typeattribute system_app_service_31_0)
-(typeattribute system_asan_options_file_31_0)
-(typeattribute system_block_device_31_0)
-(typeattribute system_boot_reason_prop_31_0)
-(typeattribute system_bootstrap_lib_file_31_0)
-(typeattribute system_config_service_31_0)
-(typeattribute system_data_file_31_0)
-(typeattribute system_data_root_file_31_0)
-(typeattribute system_event_log_tags_file_31_0)
-(typeattribute system_executes_vendor_violators)
-(typeattribute system_file_31_0)
-(typeattribute system_file_type)
-(typeattribute system_group_file_31_0)
-(typeattribute system_internal_property_type)
-(typeattribute system_jvmti_agent_prop_31_0)
-(typeattribute system_lib_file_31_0)
-(typeattribute system_linker_config_file_31_0)
-(typeattribute system_linker_exec_31_0)
-(typeattribute system_lmk_prop_31_0)
-(typeattribute system_ndebug_socket_31_0)
-(typeattribute system_net_netd_hwservice_31_0)
-(typeattribute system_passwd_file_31_0)
-(typeattribute system_prop_31_0)
-(typeattribute system_property_type)
-(typeattribute system_public_property_type)
-(typeattribute system_restricted_property_type)
-(typeattribute system_seccomp_policy_file_31_0)
-(typeattribute system_security_cacerts_file_31_0)
-(typeattribute system_server_31_0)
-(typeattribute system_server_dumper_service_31_0)
-(typeattribute system_server_service)
-(typeattribute system_server_tmpfs_31_0)
-(typeattribute system_suspend_control_internal_service_31_0)
-(typeattribute system_suspend_control_service_31_0)
-(typeattribute system_suspend_hwservice_31_0)
-(typeattribute system_suspend_internal_server)
-(typeattribute system_suspend_server)
-(typeattribute system_trace_prop_31_0)
-(typeattribute system_unsolzygote_socket_31_0)
-(typeattribute system_update_service_31_0)
-(typeattribute system_wifi_keystore_hwservice_31_0)
-(typeattribute system_wpa_socket_31_0)
-(typeattribute system_writes_mnt_vendor_violators)
-(typeattribute system_writes_vendor_properties_violators)
-(typeattribute system_zoneinfo_file_31_0)
-(typeattribute systemkeys_data_file_31_0)
-(typeattribute systemsound_config_prop_31_0)
-(typeattribute task_profiles_api_file_31_0)
-(typeattribute task_profiles_file_31_0)
-(typeattribute task_service_31_0)
-(typeattribute tcpdump_exec_31_0)
-(typeattribute tee_31_0)
-(typeattribute tee_data_file_31_0)
-(typeattribute tee_device_31_0)
-(typeattribute telecom_service_31_0)
-(typeattribute telephony_config_prop_31_0)
-(typeattribute telephony_status_prop_31_0)
-(typeattribute test_boot_reason_prop_31_0)
-(typeattribute test_harness_prop_31_0)
-(typeattribute testharness_service_31_0)
-(typeattribute tethering_service_31_0)
-(typeattribute textclassification_service_31_0)
-(typeattribute textclassifier_data_file_31_0)
-(typeattribute textservices_service_31_0)
-(typeattribute texttospeech_service_31_0)
-(typeattribute theme_prop_31_0)
-(typeattribute thermal_service_31_0)
-(typeattribute time_prop_31_0)
-(typeattribute timedetector_service_31_0)
-(typeattribute timezone_service_31_0)
-(typeattribute timezonedetector_service_31_0)
-(typeattribute tmpfs_31_0)
-(typeattribute tombstone_config_prop_31_0)
-(typeattribute tombstone_data_file_31_0)
-(typeattribute tombstone_wifi_data_file_31_0)
-(typeattribute tombstoned_31_0)
-(typeattribute tombstoned_crash_socket_31_0)
-(typeattribute tombstoned_exec_31_0)
-(typeattribute tombstoned_intercept_socket_31_0)
-(typeattribute tombstoned_java_trace_socket_31_0)
-(typeattribute toolbox_31_0)
-(typeattribute toolbox_exec_31_0)
-(typeattribute trace_data_file_31_0)
-(typeattribute traced_31_0)
-(typeattribute traced_consumer_socket_31_0)
-(typeattribute traced_enabled_prop_31_0)
-(typeattribute traced_lazy_prop_31_0)
-(typeattribute traced_perf_31_0)
-(typeattribute traced_perf_socket_31_0)
-(typeattribute traced_probes_31_0)
-(typeattribute traced_producer_socket_31_0)
-(typeattribute traced_tmpfs_31_0)
-(typeattribute tracefs_type)
-(typeattribute traceur_app_31_0)
-(typeattribute translation_service_31_0)
-(typeattribute trust_service_31_0)
-(typeattribute tty_device_31_0)
-(typeattribute tun_device_31_0)
-(typeattribute tv_input_service_31_0)
-(typeattribute tv_tuner_resource_mgr_service_31_0)
-(typeattribute tzdatacheck_31_0)
-(typeattribute tzdatacheck_exec_31_0)
-(typeattribute ueventd_31_0)
-(typeattribute ueventd_tmpfs_31_0)
-(typeattribute uhid_device_31_0)
-(typeattribute uimode_service_31_0)
-(typeattribute uio_device_31_0)
-(typeattribute uncrypt_31_0)
-(typeattribute uncrypt_exec_31_0)
-(typeattribute uncrypt_socket_31_0)
-(typeattribute unencrypted_data_file_31_0)
-(typeattribute unlabeled_31_0)
-(typeattribute untrusted_app_25_31_0)
-(typeattribute untrusted_app_27_31_0)
-(typeattribute untrusted_app_29_31_0)
-(typeattribute untrusted_app_31_0)
-(typeattribute untrusted_app_all)
-(typeattribute untrusted_app_visible_halserver_violators)
-(typeattribute untrusted_app_visible_hwservice_violators)
-(typeattribute update_engine_31_0)
-(typeattribute update_engine_common)
-(typeattribute update_engine_data_file_31_0)
-(typeattribute update_engine_exec_31_0)
-(typeattribute update_engine_log_data_file_31_0)
-(typeattribute update_engine_service_31_0)
-(typeattribute update_engine_stable_service_31_0)
-(typeattribute update_verifier_31_0)
-(typeattribute update_verifier_exec_31_0)
-(typeattribute updatelock_service_31_0)
-(typeattribute uri_grants_service_31_0)
-(typeattribute usagestats_service_31_0)
-(typeattribute usb_config_prop_31_0)
-(typeattribute usb_control_prop_31_0)
-(typeattribute usb_device_31_0)
-(typeattribute usb_prop_31_0)
-(typeattribute usb_serial_device_31_0)
-(typeattribute usb_service_31_0)
-(typeattribute usbaccessory_device_31_0)
-(typeattribute usbd_31_0)
-(typeattribute usbd_exec_31_0)
-(typeattribute usbfs_31_0)
-(typeattribute use_memfd_prop_31_0)
-(typeattribute user_profile_data_file_31_0)
-(typeattribute user_profile_root_file_31_0)
-(typeattribute user_service_31_0)
-(typeattribute userdata_block_device_31_0)
-(typeattribute userdata_sysdev_31_0)
-(typeattribute usermodehelper_31_0)
-(typeattribute userspace_reboot_config_prop_31_0)
-(typeattribute userspace_reboot_exported_prop_31_0)
-(typeattribute userspace_reboot_metadata_file_31_0)
-(typeattribute uwb_service_31_0)
-(typeattribute vcn_management_service_31_0)
-(typeattribute vd_device_31_0)
-(typeattribute vdc_31_0)
-(typeattribute vdc_exec_31_0)
-(typeattribute vehicle_hal_prop_31_0)
-(typeattribute vendor_apex_file_31_0)
-(typeattribute vendor_app_file_31_0)
-(typeattribute vendor_cgroup_desc_file_31_0)
-(typeattribute vendor_configs_file_31_0)
-(typeattribute vendor_data_file_31_0)
-(typeattribute vendor_default_prop_31_0)
-(typeattribute vendor_executes_system_violators)
-(typeattribute vendor_file_31_0)
-(typeattribute vendor_file_type)
-(typeattribute vendor_framework_file_31_0)
-(typeattribute vendor_hal_file_31_0)
-(typeattribute vendor_hwservice_type)
-(typeattribute vendor_idc_file_31_0)
-(typeattribute vendor_init_31_0)
-(typeattribute vendor_internal_property_type)
-(typeattribute vendor_kernel_modules_31_0)
-(typeattribute vendor_keychars_file_31_0)
-(typeattribute vendor_keylayout_file_31_0)
-(typeattribute vendor_misc_writer_31_0)
-(typeattribute vendor_misc_writer_exec_31_0)
-(typeattribute vendor_modprobe_31_0)
-(typeattribute vendor_overlay_file_31_0)
-(typeattribute vendor_property_type)
-(typeattribute vendor_public_framework_file_31_0)
-(typeattribute vendor_public_lib_file_31_0)
-(typeattribute vendor_public_property_type)
-(typeattribute vendor_restricted_property_type)
-(typeattribute vendor_security_patch_level_prop_31_0)
-(typeattribute vendor_service)
-(typeattribute vendor_service_contexts_file_31_0)
-(typeattribute vendor_shell_31_0)
-(typeattribute vendor_shell_exec_31_0)
-(typeattribute vendor_socket_hook_prop_31_0)
-(typeattribute vendor_task_profiles_file_31_0)
-(typeattribute vendor_toolbox_exec_31_0)
-(typeattribute vfat_31_0)
-(typeattribute vibrator_manager_service_31_0)
-(typeattribute vibrator_service_31_0)
-(typeattribute video_device_31_0)
-(typeattribute virtual_ab_prop_31_0)
-(typeattribute virtual_touchpad_31_0)
-(typeattribute virtual_touchpad_exec_31_0)
-(typeattribute virtual_touchpad_service_31_0)
-(typeattribute virtualization_service_31_0)
-(typeattribute vndbinder_device_31_0)
-(typeattribute vndk_prop_31_0)
-(typeattribute vndk_sp_file_31_0)
-(typeattribute vndservice_contexts_file_31_0)
-(typeattribute vndservice_manager_type)
-(typeattribute vndservicemanager_31_0)
-(typeattribute voiceinteraction_service_31_0)
-(typeattribute vold_31_0)
-(typeattribute vold_config_prop_31_0)
-(typeattribute vold_data_file_31_0)
-(typeattribute vold_device_31_0)
-(typeattribute vold_exec_31_0)
-(typeattribute vold_metadata_file_31_0)
-(typeattribute vold_post_fs_data_prop_31_0)
-(typeattribute vold_prepare_subdirs_31_0)
-(typeattribute vold_prepare_subdirs_exec_31_0)
-(typeattribute vold_prop_31_0)
-(typeattribute vold_service_31_0)
-(typeattribute vold_status_prop_31_0)
-(typeattribute vpn_data_file_31_0)
-(typeattribute vpn_management_service_31_0)
-(typeattribute vr_hwc_31_0)
-(typeattribute vr_hwc_exec_31_0)
-(typeattribute vr_hwc_service_31_0)
-(typeattribute vr_manager_service_31_0)
-(typeattribute vrflinger_vsync_service_31_0)
-(typeattribute vts_config_prop_31_0)
-(typeattribute vts_status_prop_31_0)
-(typeattribute wallpaper_file_31_0)
-(typeattribute wallpaper_service_31_0)
-(typeattribute watchdog_device_31_0)
-(typeattribute watchdog_metadata_file_31_0)
-(typeattribute watchdogd_31_0)
-(typeattribute watchdogd_exec_31_0)
-(typeattribute webview_zygote_31_0)
-(typeattribute webview_zygote_exec_31_0)
-(typeattribute webview_zygote_tmpfs_31_0)
-(typeattribute webviewupdate_service_31_0)
-(typeattribute wifi_config_prop_31_0)
-(typeattribute wifi_data_file_31_0)
-(typeattribute wifi_hal_prop_31_0)
-(typeattribute wifi_key_31_0)
-(typeattribute wifi_keystore_service_server)
-(typeattribute wifi_log_prop_31_0)
-(typeattribute wifi_prop_31_0)
-(typeattribute wifi_service_31_0)
-(typeattribute wifiaware_service_31_0)
-(typeattribute wificond_31_0)
-(typeattribute wificond_exec_31_0)
-(typeattribute wifinl80211_service_31_0)
-(typeattribute wifip2p_service_31_0)
-(typeattribute wifiscanner_service_31_0)
-(typeattribute window_service_31_0)
-(typeattribute wpa_socket_31_0)
-(typeattribute wpantund_31_0)
-(typeattribute wpantund_exec_31_0)
-(typeattribute wpantund_service_31_0)
-(typeattribute zero_device_31_0)
-(typeattribute zoneinfo_data_file_31_0)
-(typeattribute zram_config_prop_31_0)
-(typeattribute zram_control_prop_31_0)
-(typeattribute zygote_31_0)
-(typeattribute zygote_config_prop_31_0)
-(typeattribute zygote_exec_31_0)
-(typeattribute zygote_socket_31_0)
-(typeattribute zygote_tmpfs_31_0)
diff --git a/prebuilts/api/31.0/private/compat/26.0/26.0.cil b/prebuilts/api/31.0/private/compat/26.0/26.0.cil
deleted file mode 100644
index 498bca5..0000000
--- a/prebuilts/api/31.0/private/compat/26.0/26.0.cil
+++ /dev/null
@@ -1,786 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_keystore)
-(typeattribute hal_wifi_keystore_client)
-(typeattribute hal_wifi_keystore_server)
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_server)
-
-;; types removed from current policy
-(type untrusted_v2_app)
-(type asan_reboot_prop)
-(type commontime_management_service)
-(type hal_wifi_offload_hwservice)
-(type log_device)
-(type mediacasserver_service)
-(type mediacodec)
-(type mediacodec_exec)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type tracing_shell_writable)
-(type tracing_shell_writable_debug)
-(type vold_socket)
-(type webview_zygote_socket)
-(type rild)
-(type netd_socket)
-
-(typeattributeset accessibility_service_26_0 (accessibility_service))
-(typeattributeset account_service_26_0 (account_service))
-(typeattributeset activity_service_26_0 (activity_service))
-(typeattributeset adbd_26_0 (adbd))
-(typeattributeset adb_data_file_26_0 (adb_data_file))
-(typeattributeset adbd_socket_26_0 (adbd_socket))
-(typeattributeset adb_keys_file_26_0 (adb_keys_file))
-(typeattributeset alarm_device_26_0 (alarm_device))
-(typeattributeset alarm_service_26_0 (alarm_service))
-(typeattributeset anr_data_file_26_0 (anr_data_file))
-(typeattributeset apk_data_file_26_0 (apk_data_file))
-(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_26_0 (app_fuse_file))
-(typeattributeset app_fusefs_26_0 (app_fusefs))
-(typeattributeset appops_service_26_0 (appops_service))
-(typeattributeset appwidget_service_26_0 (appwidget_service))
-(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
-(typeattributeset asec_apk_file_26_0 (asec_apk_file))
-(typeattributeset asec_image_file_26_0 (asec_image_file))
-(typeattributeset asec_public_file_26_0 (asec_public_file))
-(typeattributeset ashmem_device_26_0 (ashmem_device))
-(typeattributeset assetatlas_service_26_0 (assetatlas_service))
-(typeattributeset audio_data_file_26_0 (audio_data_file))
-(typeattributeset audio_device_26_0 (audio_device))
-(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
-(typeattributeset audio_prop_26_0 (audio_prop))
-(typeattributeset audio_seq_device_26_0 (audio_seq_device))
-(typeattributeset audioserver_26_0 (audioserver))
-(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
-(typeattributeset audioserver_service_26_0 (audioserver_service))
-(typeattributeset audio_service_26_0 (audio_service))
-(typeattributeset audio_timer_device_26_0 (audio_timer_device))
-(typeattributeset autofill_service_26_0 (autofill_service))
-(typeattributeset backup_data_file_26_0 (backup_data_file))
-(typeattributeset backup_service_26_0 (backup_service))
-(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
-(typeattributeset battery_service_26_0 (battery_service))
-(typeattributeset batterystats_service_26_0 (batterystats_service))
-(typeattributeset binder_device_26_0 (binder_device))
-(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
-(typeattributeset blkid_26_0 (blkid))
-(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
-(typeattributeset block_device_26_0 (block_device))
-(typeattributeset bluetooth_26_0 (bluetooth))
-(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_26_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
-(typeattributeset bootanim_26_0 (bootanim))
-(typeattributeset bootanim_exec_26_0 (bootanim_exec))
-(typeattributeset boot_block_device_26_0 (boot_block_device))
-(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
-(typeattributeset bootstat_26_0 (bootstat))
-(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_26_0 (bootstat_exec))
-(typeattributeset boottime_prop_26_0 (boottime_prop))
-(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
-(typeattributeset bufferhubd_26_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_26_0 (cache_backup_file))
-(typeattributeset cache_block_device_26_0 (cache_block_device))
-(typeattributeset cache_file_26_0 (cache_file))
-(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
-(typeattributeset camera_data_file_26_0 (camera_data_file))
-(typeattributeset camera_device_26_0 (camera_device))
-(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
-(typeattributeset cameraserver_26_0 (cameraserver))
-(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_26_0 (cameraserver_service))
-(typeattributeset cgroup_26_0 (cgroup))
-(typeattributeset charger_26_0 (charger))
-(typeattributeset clatd_26_0 (clatd))
-(typeattributeset clatd_exec_26_0 (clatd_exec))
-(typeattributeset clipboard_service_26_0 (clipboard_service))
-(typeattributeset commontime_management_service_26_0 (commontime_management_service))
-(typeattributeset companion_device_service_26_0 (companion_device_service))
-(typeattributeset configfs_26_0 (configfs))
-(typeattributeset config_prop_26_0 (config_prop))
-(typeattributeset connectivity_service_26_0 (connectivity_service))
-(typeattributeset connmetrics_service_26_0 (connmetrics_service))
-(typeattributeset console_device_26_0 (console_device))
-(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
-(typeattributeset content_service_26_0 (content_service))
-(typeattributeset contexthub_service_26_0 (contexthub_service))
-(typeattributeset coredump_file_26_0 (coredump_file))
-(typeattributeset country_detector_service_26_0 (country_detector_service))
-(typeattributeset coverage_service_26_0 (coverage_service))
-(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
-(typeattributeset cppreopts_26_0 (cppreopts))
-(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_26_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
-(typeattributeset crash_dump_26_0 (crash_dump))
-(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_26_0 (dalvik_prop))
-(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0
- ( debugfs
- debugfs_wakeup_sources
- ))
-(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
-(typeattributeset debug_prop_26_0 (debug_prop))
-(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
-(typeattributeset default_android_service_26_0 (default_android_service))
-(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0
- ( default_prop pm_prop))
-(typeattributeset device_26_0 (device))
-(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_26_0 (deviceidle_service))
-(typeattributeset device_logging_prop_26_0 (device_logging_prop))
-(typeattributeset device_policy_service_26_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
-(typeattributeset devpts_26_0 (devpts))
-(typeattributeset dex2oat_26_0 (dex2oat))
-(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
-(typeattributeset dhcp_26_0 (dhcp))
-(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_26_0 (dhcp_exec))
-(typeattributeset dhcp_prop_26_0 (dhcp_prop))
-(typeattributeset diskstats_service_26_0 (diskstats_service))
-(typeattributeset display_service_26_0 (display_service))
-(typeattributeset dm_device_26_0 (dm_device))
-(typeattributeset dnsmasq_26_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_26_0 (DockObserver_service))
-(typeattributeset dreams_service_26_0 (dreams_service))
-(typeattributeset drm_data_file_26_0 (drm_data_file))
-(typeattributeset drmserver_26_0 (drmserver))
-(typeattributeset drmserver_exec_26_0 (drmserver_exec))
-(typeattributeset drmserver_service_26_0 (drmserver_service))
-(typeattributeset drmserver_socket_26_0 (drmserver_socket))
-(typeattributeset dropbox_service_26_0 (dropbox_service))
-(typeattributeset dumpstate_26_0 (dumpstate))
-(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_26_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
-(typeattributeset efs_file_26_0 (efs_file))
-(typeattributeset ephemeral_app_26_0 (ephemeral_app))
-(typeattributeset ethernet_service_26_0 (ethernet_service))
-(typeattributeset ffs_prop_26_0 (ffs_prop))
-(typeattributeset file_contexts_file_26_0 (file_contexts_file))
-(typeattributeset fingerprintd_26_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_26_0 (fingerprint_service))
-(typeattributeset firstboot_prop_26_0 (firstboot_prop))
-(typeattributeset font_service_26_0 (font_service))
-(typeattributeset frp_block_device_26_0 (frp_block_device))
-(typeattributeset fsck_26_0 (fsck))
-(typeattributeset fsck_exec_26_0 (fsck_exec))
-(typeattributeset fscklogs_26_0 (fscklogs))
-(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
-(typeattributeset full_device_26_0 (full_device))
-(typeattributeset functionfs_26_0 (functionfs))
-(typeattributeset fuse_26_0 (fuse))
-(typeattributeset fuse_device_26_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_26_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
-(typeattributeset gps_control_26_0 (gps_control))
-(typeattributeset gpu_device_26_0 (gpu_device))
-(typeattributeset gpu_service_26_0 (gpu_service))
-(typeattributeset graphics_device_26_0 (graphics_device))
-(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
-(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
-(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
-(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
-(typeattributeset hardware_service_26_0 (hardware_service))
-(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
-(typeattributeset healthd_26_0 (healthd))
-(typeattributeset healthd_exec_26_0 (healthd_exec))
-(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_26_0 (hwbinder_device))
-(typeattributeset hw_random_device_26_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_26_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_26_0 (i2c_device))
-(typeattributeset icon_file_26_0 (icon_file))
-(typeattributeset idmap_26_0 (idmap))
-(typeattributeset idmap_exec_26_0 (idmap_exec))
-(typeattributeset iio_device_26_0 (iio_device))
-(typeattributeset imms_service_26_0 (imms_service))
-(typeattributeset incident_26_0 (incident))
-(typeattributeset incidentd_26_0 (incidentd))
-(typeattributeset incident_data_file_26_0 (incident_data_file))
-(typeattributeset incident_service_26_0 (incident_service))
-(typeattributeset init_26_0 (init))
-(typeattributeset init_exec_26_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_26_0 (inotify))
-(typeattributeset input_device_26_0 (input_device))
-(typeattributeset inputflinger_26_0 (inputflinger))
-(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_26_0 (inputflinger_service))
-(typeattributeset input_method_service_26_0 (input_method_service))
-(typeattributeset input_service_26_0 (input_service))
-(typeattributeset installd_26_0 (installd))
-(typeattributeset install_data_file_26_0 (install_data_file))
-(typeattributeset installd_exec_26_0 (installd_exec))
-(typeattributeset installd_service_26_0 (installd_service))
-(typeattributeset install_recovery_26_0 (install_recovery))
-(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
-(typeattributeset ion_device_26_0 (ion_device))
-(typeattributeset IProxyService_service_26_0 (IProxyService_service))
-(typeattributeset ipsec_service_26_0 (ipsec_service))
-(typeattributeset isolated_app_26_0 (isolated_app))
-(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
-(typeattributeset kernel_26_0 (kernel))
-(typeattributeset keychain_data_file_26_0 (keychain_data_file))
-(typeattributeset keychord_device_26_0 (keychord_device))
-(typeattributeset keystore_26_0 (keystore))
-(typeattributeset keystore_data_file_26_0 (keystore_data_file))
-(typeattributeset keystore_exec_26_0 (keystore_exec))
-(typeattributeset keystore_service_26_0 (keystore_service))
-(typeattributeset kmem_device_26_0 (kmem_device))
-(typeattributeset kmsg_device_26_0 (kmsg_device))
-(typeattributeset labeledfs_26_0 (labeledfs))
-(typeattributeset launcherapps_service_26_0 (launcherapps_service))
-(typeattributeset lmkd_26_0 (lmkd))
-(typeattributeset lmkd_exec_26_0 (lmkd_exec))
-(typeattributeset lmkd_socket_26_0 (lmkd_socket))
-(typeattributeset location_service_26_0 (location_service))
-(typeattributeset lock_settings_service_26_0 (lock_settings_service))
-(typeattributeset logcat_exec_26_0 (logcat_exec))
-(typeattributeset logd_26_0 (logd))
-(typeattributeset log_device_26_0 (log_device))
-(typeattributeset logd_exec_26_0 (logd_exec))
-(typeattributeset logd_prop_26_0 (logd_prop))
-(typeattributeset logdr_socket_26_0 (logdr_socket))
-(typeattributeset logd_socket_26_0 (logd_socket))
-(typeattributeset logdw_socket_26_0 (logdw_socket))
-(typeattributeset logpersist_26_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_26_0 (log_prop))
-(typeattributeset log_tag_prop_26_0 (log_tag_prop))
-(typeattributeset loop_control_device_26_0 (loop_control_device))
-(typeattributeset loop_device_26_0 (loop_device))
-(typeattributeset mac_perms_file_26_0 (mac_perms_file))
-(typeattributeset mdnsd_26_0 (mdnsd))
-(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
-(typeattributeset mdns_socket_26_0 (mdns_socket))
-(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
-(typeattributeset hal_omx_server (mediacodec_26_0))
-(typeattributeset mediacodec_26_0 (mediacodec))
-(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_26_0 (mediacodec_service))
-(typeattributeset media_data_file_26_0 (media_data_file))
-(typeattributeset mediadrmserver_26_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_26_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
-(typeattributeset mediametrics_26_0 (mediametrics))
-(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_26_0 (mediametrics_service))
-(typeattributeset media_projection_service_26_0 (media_projection_service))
-(typeattributeset media_router_service_26_0 (media_router_service))
-(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
-(typeattributeset mediaserver_26_0 (mediaserver))
-(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_26_0 (mediaserver_service))
-(typeattributeset media_session_service_26_0 (media_session_service))
-(typeattributeset meminfo_service_26_0 (meminfo_service))
-(typeattributeset metadata_block_device_26_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
-(typeattributeset midi_service_26_0 (midi_service))
-(typeattributeset misc_block_device_26_0 (misc_block_device))
-(typeattributeset misc_logd_file_26_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
-(typeattributeset mmc_prop_26_0 (mmc_prop))
-(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_26_0 (mnt_user_file))
-(typeattributeset modprobe_26_0 (modprobe))
-(typeattributeset mount_service_26_0 (mount_service))
-(typeattributeset mqueue_26_0 (mqueue))
-(typeattributeset mtd_device_26_0 (mtd_device))
-(typeattributeset mtp_26_0 (mtp))
-(typeattributeset mtp_device_26_0 (mtp_device))
-(typeattributeset mtpd_socket_26_0 (mtpd_socket))
-(typeattributeset mtp_exec_26_0 (mtp_exec))
-(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
-(typeattributeset netd_26_0 (netd))
-(typeattributeset net_data_file_26_0 (net_data_file))
-(typeattributeset netd_exec_26_0 (netd_exec))
-(typeattributeset netd_listener_service_26_0 (netd_listener_service))
-(typeattributeset net_dns_prop_26_0 (net_dns_prop))
-(typeattributeset netd_service_26_0 (netd_service))
-(typeattributeset netd_socket_26_0 (netd_socket))
-(typeattributeset netif_26_0 (netif))
-(typeattributeset netpolicy_service_26_0 (netpolicy_service))
-(typeattributeset net_radio_prop_26_0 (net_radio_prop))
-(typeattributeset netstats_service_26_0 (netstats_service))
-(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_26_0 (network_management_service))
-(typeattributeset network_score_service_26_0 (network_score_service))
-(typeattributeset network_time_update_service_26_0 (network_time_update_service))
-(typeattributeset nfc_26_0 (nfc))
-(typeattributeset nfc_data_file_26_0 (nfc_data_file))
-(typeattributeset nfc_device_26_0 (nfc_device))
-(typeattributeset nfc_prop_26_0 (nfc_prop))
-(typeattributeset nfc_service_26_0 (nfc_service))
-(typeattributeset node_26_0 (node))
-(typeattributeset notification_service_26_0 (notification_service))
-(typeattributeset null_device_26_0 (null_device))
-(typeattributeset oemfs_26_0 (oemfs))
-(typeattributeset oem_lock_service_26_0 (oem_lock_service))
-(typeattributeset ota_data_file_26_0 (ota_data_file))
-(typeattributeset otadexopt_service_26_0 (otadexopt_service))
-(typeattributeset ota_package_file_26_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_26_0 (overlay_prop))
-(typeattributeset overlay_service_26_0 (overlay_service))
-(typeattributeset owntty_device_26_0 (owntty_device))
-(typeattributeset package_service_26_0 (package_service))
-(typeattributeset pan_result_prop_26_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
-(typeattributeset performanced_26_0 (performanced))
-(typeattributeset performanced_exec_26_0 (performanced_exec))
-(typeattributeset permission_service_26_0 (permission_service))
-(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_26_0 (pinner_service))
-(typeattributeset pipefs_26_0 (pipefs))
-(typeattributeset platform_app_26_0 (platform_app))
-(typeattributeset pmsg_device_26_0 (pmsg_device))
-(typeattributeset port_26_0 (port))
-(typeattributeset port_device_26_0 (port_device))
-(typeattributeset postinstall_26_0 (postinstall))
-(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_26_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_26_0 (powerctl_prop))
-(typeattributeset power_service_26_0 (power_service))
-(typeattributeset ppp_26_0 (ppp))
-(typeattributeset ppp_device_26_0 (ppp_device))
-(typeattributeset ppp_exec_26_0 (ppp_exec))
-(typeattributeset preloads_data_file_26_0 (preloads_data_file))
-(typeattributeset preloads_media_file_26_0 (preloads_media_file))
-(typeattributeset preopt2cachename_26_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
-(typeattributeset print_service_26_0 (print_service))
-(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_time_in_state
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
-(typeattributeset processinfo_service_26_0 (processinfo_service))
-(typeattributeset proc_interrupts_26_0 (proc_interrupts))
-(typeattributeset proc_iomem_26_0 (proc_iomem))
-(typeattributeset proc_meminfo_26_0 (proc_meminfo))
-(typeattributeset proc_misc_26_0 (proc_misc))
-(typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_26_0 (proc_perf))
-(typeattributeset proc_security_26_0 (proc_security))
-(typeattributeset proc_stat_26_0 (proc_stat))
-(typeattributeset procstats_service_26_0 (procstats_service))
-(typeattributeset proc_sysrq_26_0 (proc_sysrq))
-(typeattributeset proc_timer_26_0 (proc_timer))
-(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
-(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
-(typeattributeset profman_26_0 (profman))
-(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
-(typeattributeset profman_exec_26_0 (profman_exec))
-(typeattributeset properties_device_26_0 (properties_device))
-(typeattributeset properties_serial_26_0 (properties_serial))
-(typeattributeset property_contexts_file_26_0 (property_contexts_file))
-(typeattributeset property_data_file_26_0 (property_data_file))
-(typeattributeset property_socket_26_0 (property_socket))
-(typeattributeset pstorefs_26_0 (pstorefs))
-(typeattributeset ptmx_device_26_0 (ptmx_device))
-(typeattributeset qtaguid_device_26_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_26_0
- ( qtaguid_proc
- proc_qtaguid_ctrl))
-(typeattributeset racoon_26_0 (racoon))
-(typeattributeset racoon_exec_26_0 (racoon_exec))
-(typeattributeset racoon_socket_26_0 (racoon_socket))
-(typeattributeset radio_26_0 (radio))
-(typeattributeset radio_data_file_26_0 (radio_data_file))
-(typeattributeset radio_device_26_0 (radio_device))
-(typeattributeset radio_prop_26_0 (radio_prop))
-(typeattributeset radio_service_26_0 (radio_service))
-(typeattributeset ram_device_26_0 (ram_device))
-(typeattributeset random_device_26_0 (random_device))
-(typeattributeset reboot_data_file_26_0 (reboot_data_file))
-(typeattributeset recovery_26_0 (recovery))
-(typeattributeset recovery_block_device_26_0 (recovery_block_device))
-(typeattributeset recovery_data_file_26_0 (recovery_data_file))
-(typeattributeset recovery_persist_26_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_26_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_26_0 (recovery_service))
-(typeattributeset registry_service_26_0 (registry_service))
-(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_26_0 (restorecon_prop))
-(typeattributeset restrictions_service_26_0 (restrictions_service))
-(typeattributeset rild_26_0 (rild))
-(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
-(typeattributeset rild_socket_26_0 (rild_socket))
-(typeattributeset ringtone_file_26_0 (ringtone_file))
-(typeattributeset root_block_device_26_0 (root_block_device))
-(typeattributeset rootfs_26_0 (rootfs))
-(typeattributeset rpmsg_device_26_0 (rpmsg_device))
-(typeattributeset rtc_device_26_0 (rtc_device))
-(typeattributeset rttmanager_service_26_0 (rttmanager_service))
-(typeattributeset runas_26_0 (runas))
-(typeattributeset runas_exec_26_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
-(typeattributeset sdcardd_26_0 (sdcardd))
-(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
-(typeattributeset sdcardfs_26_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
-(typeattributeset search_service_26_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_26_0 (selinuxfs))
-(typeattributeset sensors_device_26_0 (sensors_device))
-(typeattributeset sensorservice_service_26_0 (sensorservice_service))
-(typeattributeset sepolicy_file_26_0 (sepolicy_file))
-(typeattributeset serial_device_26_0 (serial_device))
-(typeattributeset serialno_prop_26_0 (serialno_prop))
-(typeattributeset serial_service_26_0 (serial_service))
-(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
-(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
-(typeattributeset servicemanager_26_0 (servicemanager))
-(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
-(typeattributeset settings_service_26_0 (settings_service))
-(typeattributeset sgdisk_26_0 (sgdisk))
-(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
-(typeattributeset shared_relro_26_0 (shared_relro))
-(typeattributeset shared_relro_file_26_0 (shared_relro_file))
-(typeattributeset shell_26_0 (shell))
-(typeattributeset shell_data_file_26_0 (shell_data_file))
-(typeattributeset shell_exec_26_0 (shell_exec))
-(typeattributeset shell_prop_26_0 (shell_prop))
-(typeattributeset shm_26_0 (shm))
-(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_26_0 (shortcut_service))
-(typeattributeset slideshow_26_0 (slideshow))
-(typeattributeset socket_device_26_0 (socket_device))
-(typeattributeset sockfs_26_0 (sockfs))
-(typeattributeset statusbar_service_26_0 (statusbar_service))
-(typeattributeset storaged_service_26_0 (storaged_service))
-(typeattributeset storage_file_26_0 (storage_file))
-(typeattributeset storagestats_service_26_0 (storagestats_service))
-(typeattributeset storage_stub_file_26_0 (storage_stub_file))
-(typeattributeset su_26_0 (su))
-(typeattributeset su_exec_26_0 (su_exec))
-(typeattributeset surfaceflinger_26_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_26_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_26_0 (sysfs_uio))
-(typeattributeset sysfs_usb_26_0 (sysfs_usb))
-(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_26_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
-(typeattributeset system_app_26_0 (system_app))
-(typeattributeset system_app_data_file_26_0 (system_app_data_file))
-(typeattributeset system_app_service_26_0 (system_app_service))
-(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_26_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
-(typeattributeset system_prop_26_0 (system_prop))
-(typeattributeset system_radio_prop_26_0 (system_radio_prop))
-(typeattributeset system_server_26_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
-(typeattributeset task_service_26_0 (task_service))
-(typeattributeset tee_26_0 (tee))
-(typeattributeset tee_data_file_26_0 (tee_data_file))
-(typeattributeset tee_device_26_0 (tee_device))
-(typeattributeset telecom_service_26_0 (telecom_service))
-(typeattributeset textclassification_service_26_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
-(typeattributeset textservices_service_26_0 (textservices_service))
-(typeattributeset tmpfs_26_0 (tmpfs))
-(typeattributeset tombstoned_26_0 (tombstoned))
-(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
-(typeattributeset toolbox_26_0 (toolbox))
-(typeattributeset toolbox_exec_26_0 (toolbox_exec))
-(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
-(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
-(typeattributeset trust_service_26_0 (trust_service))
-(typeattributeset tty_device_26_0 (tty_device))
-(typeattributeset tun_device_26_0 (tun_device))
-(typeattributeset tv_input_service_26_0 (tv_input_service))
-(typeattributeset tzdatacheck_26_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
-(typeattributeset ueventd_26_0 (ueventd))
-(typeattributeset uhid_device_26_0 (uhid_device))
-(typeattributeset uimode_service_26_0 (uimode_service))
-(typeattributeset uio_device_26_0 (uio_device))
-(typeattributeset uncrypt_26_0 (uncrypt))
-(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
-(typeattributeset unlabeled_26_0 (unlabeled))
-(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
-(typeattributeset update_engine_26_0 (update_engine))
-(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_26_0 (update_engine_exec))
-(typeattributeset update_engine_service_26_0 (update_engine_service))
-(typeattributeset updatelock_service_26_0 (updatelock_service))
-(typeattributeset update_verifier_26_0 (update_verifier))
-(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
-(typeattributeset usagestats_service_26_0 (usagestats_service))
-(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
-(typeattributeset usb_device_26_0 (usb_device))
-(typeattributeset usbfs_26_0 (usbfs))
-(typeattributeset usb_service_26_0 (usb_service))
-(typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
-(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
-(typeattributeset user_service_26_0 (user_service))
-(typeattributeset vcs_device_26_0 (vcs_device))
-(typeattributeset vdc_26_0 (vdc))
-(typeattributeset vdc_exec_26_0 (vdc_exec))
-(typeattributeset vendor_app_file_26_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
-(typeattributeset vendor_file_26_0 (vendor_file))
-(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
-(typeattributeset vfat_26_0 (vfat))
-(typeattributeset vibrator_service_26_0 (vibrator_service))
-(typeattributeset video_device_26_0 (video_device))
-(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_26_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_26_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
-(typeattributeset vold_26_0 (vold))
-(typeattributeset vold_data_file_26_0 (vold_data_file))
-(typeattributeset vold_device_26_0 (vold_device))
-(typeattributeset vold_exec_26_0 (vold_exec))
-(typeattributeset vold_prop_26_0 (vold_prop))
-(typeattributeset vold_socket_26_0 (vold_socket))
-(typeattributeset vpn_data_file_26_0 (vpn_data_file))
-(typeattributeset vr_hwc_26_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_26_0 (vr_manager_service))
-(typeattributeset wallpaper_file_26_0 (wallpaper_file))
-(typeattributeset wallpaper_service_26_0 (wallpaper_service))
-(typeattributeset watchdogd_26_0 (watchdogd))
-(typeattributeset watchdog_device_26_0 (watchdog_device))
-(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
-(typeattributeset webview_zygote_26_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_26_0 (wifiaware_service))
-(typeattributeset wificond_26_0 (wificond))
-(typeattributeset wificond_exec_26_0 (wificond_exec))
-(typeattributeset wificond_service_26_0 (wificond_service))
-(typeattributeset wifi_data_file_26_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_26_0 (wifip2p_service))
-(typeattributeset wifi_prop_26_0 (wifi_prop))
-(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
-(typeattributeset wifi_service_26_0 (wifi_service))
-(typeattributeset window_service_26_0 (window_service))
-(typeattributeset wpa_socket_26_0 (wpa_socket))
-(typeattributeset zero_device_26_0 (zero_device))
-(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
-(typeattributeset zygote_26_0 (zygote))
-(typeattributeset zygote_exec_26_0 (zygote_exec))
-(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/31.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/31.0/private/compat/26.0/26.0.ignore.cil
deleted file mode 100644
index 98d5840..0000000
--- a/prebuilts/api/31.0/private/compat/26.0/26.0.ignore.cil
+++ /dev/null
@@ -1,238 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- activity_task_service
- adb_service
- adbd_exec
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- audio_config_prop
- atrace
- binder_calls_stats_service
- biometric_service
- boot_status_prop
- bootloader_boot_reason_prop
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- broadcastradio_service
- cgroup_bpf
- charger_exec
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_apexd_prop
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- dalvik_config_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- e2fs
- e2fs_exec
- exfat
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_radio_prop
- exported3_system_prop
- fastbootd
- fingerprint_vendor_data_file
- flags_health_check
- flags_health_check_exec
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_broadcastradio_hwservice
- hal_cas_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_lowpan_hwservice
- hal_neuralnetworks_hwservice
- hal_secure_element_hwservice
- hal_tetheroffload_hwservice
- hal_wifi_hostapd_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_offload_hwservice
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- kmsg_debug_device
- last_boot_reason_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- lmkd_config_prop
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- mediaextractor_update_service
- mediaprovider_tmpfs
- metadata_bootstat_file
- metadata_file
- mnt_product_file
- mnt_vendor_file
- netd_stable_secret_prop
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- overlayfs_file
- package_native_service
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- property_info
- recovery_socket
- role_service
- runas_app
- art_apex_dir
- runtime_service
- secure_element
- secure_element_device
- secure_element_tmpfs
- secure_element_service
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- socket_hook_prop
- staging_data_file
- stats
- stats_data_file
- stats_exec
- stats_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- statscompanion_service
- storaged_data_file
- super_block_device
- surfaceflinger_color_prop
- surfaceflinger_prop
- sysfs_fs_ext4_features
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_net_netd_hwservice
- system_update_service
- systemsound_config_prop
- test_boot_reason_prop
- thermal_service
- thermalcallback_hwservice
- thermalserviced
- thermalserviced_exec
- thermalserviced_tmpfs
- time_prop
- timedetector_service
- timezone_service
- tombstoned_java_trace_socket
- tombstone_wifi_data_file
- trace_data_file
- traceur_app
- traceur_app_tmpfs
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- vendor_default_prop
- vendor_security_patch_level_prop
- uri_grants_service
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_apex_file
- vendor_init
- vendor_shell
- vendor_socket_hook_prop
- vndk_prop
- vold_config_prop
- vold_metadata_file
- vold_post_fs_data_prop
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vold_status_prop
- vrflinger_vsync_service
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs
- wm_trace_data_file))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- adbd_tmpfs
- untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/31.0/private/compat/27.0/27.0.cil b/prebuilts/api/31.0/private/compat/27.0/27.0.cil
deleted file mode 100644
index 0d883c0..0000000
--- a/prebuilts/api/31.0/private/compat/27.0/27.0.cil
+++ /dev/null
@@ -1,1507 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_server)
-
-;; types removed from current policy
-(type commontime_management_service)
-(type hal_wifi_offload_hwservice)
-(type mediacodec)
-(type mediacodec_exec)
-(type netd_socket)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type rild)
-(type untrusted_v2_app)
-(type webview_zygote_socket)
-(type vold_socket)
-
-(expandtypeattribute (accessibility_service_27_0) true)
-(expandtypeattribute (account_service_27_0) true)
-(expandtypeattribute (activity_service_27_0) true)
-(expandtypeattribute (adbd_27_0) true)
-(expandtypeattribute (adb_data_file_27_0) true)
-(expandtypeattribute (adbd_exec_27_0) true)
-(expandtypeattribute (adbd_socket_27_0) true)
-(expandtypeattribute (adb_keys_file_27_0) true)
-(expandtypeattribute (alarm_device_27_0) true)
-(expandtypeattribute (alarm_service_27_0) true)
-(expandtypeattribute (anr_data_file_27_0) true)
-(expandtypeattribute (apk_data_file_27_0) true)
-(expandtypeattribute (apk_private_data_file_27_0) true)
-(expandtypeattribute (apk_private_tmp_file_27_0) true)
-(expandtypeattribute (apk_tmp_file_27_0) true)
-(expandtypeattribute (app_data_file_27_0) true)
-(expandtypeattribute (app_fuse_file_27_0) true)
-(expandtypeattribute (app_fusefs_27_0) true)
-(expandtypeattribute (appops_service_27_0) true)
-(expandtypeattribute (appwidget_service_27_0) true)
-(expandtypeattribute (asec_apk_file_27_0) true)
-(expandtypeattribute (asec_image_file_27_0) true)
-(expandtypeattribute (asec_public_file_27_0) true)
-(expandtypeattribute (ashmem_device_27_0) true)
-(expandtypeattribute (assetatlas_service_27_0) true)
-(expandtypeattribute (audio_data_file_27_0) true)
-(expandtypeattribute (audio_device_27_0) true)
-(expandtypeattribute (audiohal_data_file_27_0) true)
-(expandtypeattribute (audio_prop_27_0) true)
-(expandtypeattribute (audio_seq_device_27_0) true)
-(expandtypeattribute (audioserver_27_0) true)
-(expandtypeattribute (audioserver_data_file_27_0) true)
-(expandtypeattribute (audioserver_service_27_0) true)
-(expandtypeattribute (audio_service_27_0) true)
-(expandtypeattribute (audio_timer_device_27_0) true)
-(expandtypeattribute (autofill_service_27_0) true)
-(expandtypeattribute (backup_data_file_27_0) true)
-(expandtypeattribute (backup_service_27_0) true)
-(expandtypeattribute (batteryproperties_service_27_0) true)
-(expandtypeattribute (battery_service_27_0) true)
-(expandtypeattribute (batterystats_service_27_0) true)
-(expandtypeattribute (binder_device_27_0) true)
-(expandtypeattribute (binfmt_miscfs_27_0) true)
-(expandtypeattribute (blkid_27_0) true)
-(expandtypeattribute (blkid_untrusted_27_0) true)
-(expandtypeattribute (block_device_27_0) true)
-(expandtypeattribute (bluetooth_27_0) true)
-(expandtypeattribute (bluetooth_data_file_27_0) true)
-(expandtypeattribute (bluetooth_efs_file_27_0) true)
-(expandtypeattribute (bluetooth_logs_data_file_27_0) true)
-(expandtypeattribute (bluetooth_manager_service_27_0) true)
-(expandtypeattribute (bluetooth_prop_27_0) true)
-(expandtypeattribute (bluetooth_service_27_0) true)
-(expandtypeattribute (bluetooth_socket_27_0) true)
-(expandtypeattribute (bootanim_27_0) true)
-(expandtypeattribute (bootanim_exec_27_0) true)
-(expandtypeattribute (boot_block_device_27_0) true)
-(expandtypeattribute (bootchart_data_file_27_0) true)
-(expandtypeattribute (bootstat_27_0) true)
-(expandtypeattribute (bootstat_data_file_27_0) true)
-(expandtypeattribute (bootstat_exec_27_0) true)
-(expandtypeattribute (boottime_prop_27_0) true)
-(expandtypeattribute (boottrace_data_file_27_0) true)
-(expandtypeattribute (broadcastradio_service_27_0) true)
-(expandtypeattribute (bufferhubd_27_0) true)
-(expandtypeattribute (bufferhubd_exec_27_0) true)
-(expandtypeattribute (cache_backup_file_27_0) true)
-(expandtypeattribute (cache_block_device_27_0) true)
-(expandtypeattribute (cache_file_27_0) true)
-(expandtypeattribute (cache_private_backup_file_27_0) true)
-(expandtypeattribute (cache_recovery_file_27_0) true)
-(expandtypeattribute (camera_data_file_27_0) true)
-(expandtypeattribute (camera_device_27_0) true)
-(expandtypeattribute (cameraproxy_service_27_0) true)
-(expandtypeattribute (cameraserver_27_0) true)
-(expandtypeattribute (cameraserver_exec_27_0) true)
-(expandtypeattribute (cameraserver_service_27_0) true)
-(expandtypeattribute (cgroup_27_0) true)
-(expandtypeattribute (charger_27_0) true)
-(expandtypeattribute (clatd_27_0) true)
-(expandtypeattribute (clatd_exec_27_0) true)
-(expandtypeattribute (clipboard_service_27_0) true)
-(expandtypeattribute (commontime_management_service_27_0) true)
-(expandtypeattribute (companion_device_service_27_0) true)
-(expandtypeattribute (configfs_27_0) true)
-(expandtypeattribute (config_prop_27_0) true)
-(expandtypeattribute (connectivity_service_27_0) true)
-(expandtypeattribute (connmetrics_service_27_0) true)
-(expandtypeattribute (console_device_27_0) true)
-(expandtypeattribute (consumer_ir_service_27_0) true)
-(expandtypeattribute (content_service_27_0) true)
-(expandtypeattribute (contexthub_service_27_0) true)
-(expandtypeattribute (coredump_file_27_0) true)
-(expandtypeattribute (country_detector_service_27_0) true)
-(expandtypeattribute (coverage_service_27_0) true)
-(expandtypeattribute (cppreopt_prop_27_0) true)
-(expandtypeattribute (cppreopts_27_0) true)
-(expandtypeattribute (cppreopts_exec_27_0) true)
-(expandtypeattribute (cpuctl_device_27_0) true)
-(expandtypeattribute (cpuinfo_service_27_0) true)
-(expandtypeattribute (crash_dump_27_0) true)
-(expandtypeattribute (crash_dump_exec_27_0) true)
-(expandtypeattribute (ctl_bootanim_prop_27_0) true)
-(expandtypeattribute (ctl_bugreport_prop_27_0) true)
-(expandtypeattribute (ctl_console_prop_27_0) true)
-(expandtypeattribute (ctl_default_prop_27_0) true)
-(expandtypeattribute (ctl_dumpstate_prop_27_0) true)
-(expandtypeattribute (ctl_fuse_prop_27_0) true)
-(expandtypeattribute (ctl_mdnsd_prop_27_0) true)
-(expandtypeattribute (ctl_rildaemon_prop_27_0) true)
-(expandtypeattribute (dalvikcache_data_file_27_0) true)
-(expandtypeattribute (dalvik_prop_27_0) true)
-(expandtypeattribute (dbinfo_service_27_0) true)
-(expandtypeattribute (debugfs_27_0) true)
-(expandtypeattribute (debugfs_mmc_27_0) true)
-(expandtypeattribute (debugfs_trace_marker_27_0) true)
-(expandtypeattribute (debugfs_tracing_27_0) true)
-(expandtypeattribute (debugfs_tracing_debug_27_0) true)
-(expandtypeattribute (debugfs_tracing_instances_27_0) true)
-(expandtypeattribute (debugfs_wifi_tracing_27_0) true)
-(expandtypeattribute (debuggerd_prop_27_0) true)
-(expandtypeattribute (debug_prop_27_0) true)
-(expandtypeattribute (default_android_hwservice_27_0) true)
-(expandtypeattribute (default_android_service_27_0) true)
-(expandtypeattribute (default_android_vndservice_27_0) true)
-(expandtypeattribute (default_prop_27_0) true)
-(expandtypeattribute (device_27_0) true)
-(expandtypeattribute (device_identifiers_service_27_0) true)
-(expandtypeattribute (deviceidle_service_27_0) true)
-(expandtypeattribute (device_logging_prop_27_0) true)
-(expandtypeattribute (device_policy_service_27_0) true)
-(expandtypeattribute (devicestoragemonitor_service_27_0) true)
-(expandtypeattribute (devpts_27_0) true)
-(expandtypeattribute (dex2oat_27_0) true)
-(expandtypeattribute (dex2oat_exec_27_0) true)
-(expandtypeattribute (dhcp_27_0) true)
-(expandtypeattribute (dhcp_data_file_27_0) true)
-(expandtypeattribute (dhcp_exec_27_0) true)
-(expandtypeattribute (dhcp_prop_27_0) true)
-(expandtypeattribute (diskstats_service_27_0) true)
-(expandtypeattribute (display_service_27_0) true)
-(expandtypeattribute (dm_device_27_0) true)
-(expandtypeattribute (dnsmasq_27_0) true)
-(expandtypeattribute (dnsmasq_exec_27_0) true)
-(expandtypeattribute (dnsproxyd_socket_27_0) true)
-(expandtypeattribute (DockObserver_service_27_0) true)
-(expandtypeattribute (dreams_service_27_0) true)
-(expandtypeattribute (drm_data_file_27_0) true)
-(expandtypeattribute (drmserver_27_0) true)
-(expandtypeattribute (drmserver_exec_27_0) true)
-(expandtypeattribute (drmserver_service_27_0) true)
-(expandtypeattribute (drmserver_socket_27_0) true)
-(expandtypeattribute (dropbox_service_27_0) true)
-(expandtypeattribute (dumpstate_27_0) true)
-(expandtypeattribute (dumpstate_exec_27_0) true)
-(expandtypeattribute (dumpstate_options_prop_27_0) true)
-(expandtypeattribute (dumpstate_prop_27_0) true)
-(expandtypeattribute (dumpstate_service_27_0) true)
-(expandtypeattribute (dumpstate_socket_27_0) true)
-(expandtypeattribute (e2fs_27_0) true)
-(expandtypeattribute (e2fs_exec_27_0) true)
-(expandtypeattribute (efs_file_27_0) true)
-(expandtypeattribute (ephemeral_app_27_0) true)
-(expandtypeattribute (ethernet_service_27_0) true)
-(expandtypeattribute (ffs_prop_27_0) true)
-(expandtypeattribute (file_contexts_file_27_0) true)
-(expandtypeattribute (fingerprintd_27_0) true)
-(expandtypeattribute (fingerprintd_data_file_27_0) true)
-(expandtypeattribute (fingerprintd_exec_27_0) true)
-(expandtypeattribute (fingerprintd_service_27_0) true)
-(expandtypeattribute (fingerprint_prop_27_0) true)
-(expandtypeattribute (fingerprint_service_27_0) true)
-(expandtypeattribute (firstboot_prop_27_0) true)
-(expandtypeattribute (font_service_27_0) true)
-(expandtypeattribute (frp_block_device_27_0) true)
-(expandtypeattribute (fsck_27_0) true)
-(expandtypeattribute (fsck_exec_27_0) true)
-(expandtypeattribute (fscklogs_27_0) true)
-(expandtypeattribute (fsck_untrusted_27_0) true)
-(expandtypeattribute (full_device_27_0) true)
-(expandtypeattribute (functionfs_27_0) true)
-(expandtypeattribute (fuse_27_0) true)
-(expandtypeattribute (fuse_device_27_0) true)
-(expandtypeattribute (fwk_display_hwservice_27_0) true)
-(expandtypeattribute (fwk_scheduler_hwservice_27_0) true)
-(expandtypeattribute (fwk_sensor_hwservice_27_0) true)
-(expandtypeattribute (fwmarkd_socket_27_0) true)
-(expandtypeattribute (gatekeeperd_27_0) true)
-(expandtypeattribute (gatekeeper_data_file_27_0) true)
-(expandtypeattribute (gatekeeperd_exec_27_0) true)
-(expandtypeattribute (gatekeeper_service_27_0) true)
-(expandtypeattribute (gfxinfo_service_27_0) true)
-(expandtypeattribute (gps_control_27_0) true)
-(expandtypeattribute (gpu_device_27_0) true)
-(expandtypeattribute (gpu_service_27_0) true)
-(expandtypeattribute (graphics_device_27_0) true)
-(expandtypeattribute (graphicsstats_service_27_0) true)
-(expandtypeattribute (hal_audio_hwservice_27_0) true)
-(expandtypeattribute (hal_bluetooth_hwservice_27_0) true)
-(expandtypeattribute (hal_bootctl_hwservice_27_0) true)
-(expandtypeattribute (hal_broadcastradio_hwservice_27_0) true)
-(expandtypeattribute (hal_camera_hwservice_27_0) true)
-(expandtypeattribute (hal_cas_hwservice_27_0) true)
-(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_27_0) true)
-(expandtypeattribute (hal_contexthub_hwservice_27_0) true)
-(expandtypeattribute (hal_drm_hwservice_27_0) true)
-(expandtypeattribute (hal_dumpstate_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_service_27_0) true)
-(expandtypeattribute (hal_gatekeeper_hwservice_27_0) true)
-(expandtypeattribute (hal_gnss_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_allocator_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_composer_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_mapper_hwservice_27_0) true)
-(expandtypeattribute (hal_health_hwservice_27_0) true)
-(expandtypeattribute (hal_ir_hwservice_27_0) true)
-(expandtypeattribute (hal_keymaster_hwservice_27_0) true)
-(expandtypeattribute (hal_light_hwservice_27_0) true)
-(expandtypeattribute (hal_memtrack_hwservice_27_0) true)
-(expandtypeattribute (hal_neuralnetworks_hwservice_27_0) true)
-(expandtypeattribute (hal_nfc_hwservice_27_0) true)
-(expandtypeattribute (hal_oemlock_hwservice_27_0) true)
-(expandtypeattribute (hal_omx_hwservice_27_0) true)
-(expandtypeattribute (hal_power_hwservice_27_0) true)
-(expandtypeattribute (hal_renderscript_hwservice_27_0) true)
-(expandtypeattribute (hal_sensors_hwservice_27_0) true)
-(expandtypeattribute (hal_telephony_hwservice_27_0) true)
-(expandtypeattribute (hal_tetheroffload_hwservice_27_0) true)
-(expandtypeattribute (hal_thermal_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_cec_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_input_hwservice_27_0) true)
-(expandtypeattribute (hal_usb_hwservice_27_0) true)
-(expandtypeattribute (hal_vibrator_hwservice_27_0) true)
-(expandtypeattribute (hal_vr_hwservice_27_0) true)
-(expandtypeattribute (hal_weaver_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_offload_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_supplicant_hwservice_27_0) true)
-(expandtypeattribute (hardware_properties_service_27_0) true)
-(expandtypeattribute (hardware_service_27_0) true)
-(expandtypeattribute (hci_attach_dev_27_0) true)
-(expandtypeattribute (hdmi_control_service_27_0) true)
-(expandtypeattribute (healthd_27_0) true)
-(expandtypeattribute (healthd_exec_27_0) true)
-(expandtypeattribute (heapdump_data_file_27_0) true)
-(expandtypeattribute (hidl_allocator_hwservice_27_0) true)
-(expandtypeattribute (hidl_base_hwservice_27_0) true)
-(expandtypeattribute (hidl_manager_hwservice_27_0) true)
-(expandtypeattribute (hidl_memory_hwservice_27_0) true)
-(expandtypeattribute (hidl_token_hwservice_27_0) true)
-(expandtypeattribute (hwbinder_device_27_0) true)
-(expandtypeattribute (hw_random_device_27_0) true)
-(expandtypeattribute (hwservice_contexts_file_27_0) true)
-(expandtypeattribute (hwservicemanager_27_0) true)
-(expandtypeattribute (hwservicemanager_exec_27_0) true)
-(expandtypeattribute (hwservicemanager_prop_27_0) true)
-(expandtypeattribute (i2c_device_27_0) true)
-(expandtypeattribute (icon_file_27_0) true)
-(expandtypeattribute (idmap_27_0) true)
-(expandtypeattribute (idmap_exec_27_0) true)
-(expandtypeattribute (iio_device_27_0) true)
-(expandtypeattribute (imms_service_27_0) true)
-(expandtypeattribute (incident_27_0) true)
-(expandtypeattribute (incidentd_27_0) true)
-(expandtypeattribute (incident_data_file_27_0) true)
-(expandtypeattribute (incident_service_27_0) true)
-(expandtypeattribute (init_27_0) true)
-(expandtypeattribute (init_exec_27_0) true)
-(expandtypeattribute (inotify_27_0) true)
-(expandtypeattribute (input_device_27_0) true)
-(expandtypeattribute (inputflinger_27_0) true)
-(expandtypeattribute (inputflinger_exec_27_0) true)
-(expandtypeattribute (inputflinger_service_27_0) true)
-(expandtypeattribute (input_method_service_27_0) true)
-(expandtypeattribute (input_service_27_0) true)
-(expandtypeattribute (installd_27_0) true)
-(expandtypeattribute (install_data_file_27_0) true)
-(expandtypeattribute (installd_exec_27_0) true)
-(expandtypeattribute (installd_service_27_0) true)
-(expandtypeattribute (install_recovery_27_0) true)
-(expandtypeattribute (install_recovery_exec_27_0) true)
-(expandtypeattribute (ion_device_27_0) true)
-(expandtypeattribute (IProxyService_service_27_0) true)
-(expandtypeattribute (ipsec_service_27_0) true)
-(expandtypeattribute (isolated_app_27_0) true)
-(expandtypeattribute (jobscheduler_service_27_0) true)
-(expandtypeattribute (kernel_27_0) true)
-(expandtypeattribute (keychain_data_file_27_0) true)
-(expandtypeattribute (keychord_device_27_0) true)
-(expandtypeattribute (keystore_27_0) true)
-(expandtypeattribute (keystore_data_file_27_0) true)
-(expandtypeattribute (keystore_exec_27_0) true)
-(expandtypeattribute (keystore_service_27_0) true)
-(expandtypeattribute (kmem_device_27_0) true)
-(expandtypeattribute (kmsg_debug_device_27_0) true)
-(expandtypeattribute (kmsg_device_27_0) true)
-(expandtypeattribute (labeledfs_27_0) true)
-(expandtypeattribute (launcherapps_service_27_0) true)
-(expandtypeattribute (lmkd_27_0) true)
-(expandtypeattribute (lmkd_exec_27_0) true)
-(expandtypeattribute (lmkd_socket_27_0) true)
-(expandtypeattribute (location_service_27_0) true)
-(expandtypeattribute (lock_settings_service_27_0) true)
-(expandtypeattribute (logcat_exec_27_0) true)
-(expandtypeattribute (logd_27_0) true)
-(expandtypeattribute (logd_exec_27_0) true)
-(expandtypeattribute (logd_prop_27_0) true)
-(expandtypeattribute (logdr_socket_27_0) true)
-(expandtypeattribute (logd_socket_27_0) true)
-(expandtypeattribute (logdw_socket_27_0) true)
-(expandtypeattribute (logpersist_27_0) true)
-(expandtypeattribute (logpersistd_logging_prop_27_0) true)
-(expandtypeattribute (log_prop_27_0) true)
-(expandtypeattribute (log_tag_prop_27_0) true)
-(expandtypeattribute (loop_control_device_27_0) true)
-(expandtypeattribute (loop_device_27_0) true)
-(expandtypeattribute (mac_perms_file_27_0) true)
-(expandtypeattribute (mdnsd_27_0) true)
-(expandtypeattribute (mdnsd_socket_27_0) true)
-(expandtypeattribute (mdns_socket_27_0) true)
-(expandtypeattribute (mediacodec_27_0) true)
-(expandtypeattribute (mediacodec_exec_27_0) true)
-(expandtypeattribute (mediacodec_service_27_0) true)
-(expandtypeattribute (media_data_file_27_0) true)
-(expandtypeattribute (mediadrmserver_27_0) true)
-(expandtypeattribute (mediadrmserver_exec_27_0) true)
-(expandtypeattribute (mediadrmserver_service_27_0) true)
-(expandtypeattribute (mediaextractor_27_0) true)
-(expandtypeattribute (mediaextractor_exec_27_0) true)
-(expandtypeattribute (mediaextractor_service_27_0) true)
-(expandtypeattribute (mediametrics_27_0) true)
-(expandtypeattribute (mediametrics_exec_27_0) true)
-(expandtypeattribute (mediametrics_service_27_0) true)
-(expandtypeattribute (media_projection_service_27_0) true)
-(expandtypeattribute (mediaprovider_27_0) true)
-(expandtypeattribute (media_router_service_27_0) true)
-(expandtypeattribute (media_rw_data_file_27_0) true)
-(expandtypeattribute (mediaserver_27_0) true)
-(expandtypeattribute (mediaserver_exec_27_0) true)
-(expandtypeattribute (mediaserver_service_27_0) true)
-(expandtypeattribute (media_session_service_27_0) true)
-(expandtypeattribute (meminfo_service_27_0) true)
-(expandtypeattribute (metadata_block_device_27_0) true)
-(expandtypeattribute (method_trace_data_file_27_0) true)
-(expandtypeattribute (midi_service_27_0) true)
-(expandtypeattribute (misc_block_device_27_0) true)
-(expandtypeattribute (misc_logd_file_27_0) true)
-(expandtypeattribute (misc_user_data_file_27_0) true)
-(expandtypeattribute (mmc_prop_27_0) true)
-(expandtypeattribute (mnt_expand_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_stub_file_27_0) true)
-(expandtypeattribute (mnt_user_file_27_0) true)
-(expandtypeattribute (modprobe_27_0) true)
-(expandtypeattribute (mount_service_27_0) true)
-(expandtypeattribute (mqueue_27_0) true)
-(expandtypeattribute (mtd_device_27_0) true)
-(expandtypeattribute (mtp_27_0) true)
-(expandtypeattribute (mtp_device_27_0) true)
-(expandtypeattribute (mtpd_socket_27_0) true)
-(expandtypeattribute (mtp_exec_27_0) true)
-(expandtypeattribute (nativetest_data_file_27_0) true)
-(expandtypeattribute (netd_27_0) true)
-(expandtypeattribute (net_data_file_27_0) true)
-(expandtypeattribute (netd_exec_27_0) true)
-(expandtypeattribute (netd_listener_service_27_0) true)
-(expandtypeattribute (net_dns_prop_27_0) true)
-(expandtypeattribute (netd_service_27_0) true)
-(expandtypeattribute (netd_socket_27_0) true)
-(expandtypeattribute (netd_stable_secret_prop_27_0) true)
-(expandtypeattribute (netif_27_0) true)
-(expandtypeattribute (netpolicy_service_27_0) true)
-(expandtypeattribute (net_radio_prop_27_0) true)
-(expandtypeattribute (netstats_service_27_0) true)
-(expandtypeattribute (netutils_wrapper_27_0) true)
-(expandtypeattribute (netutils_wrapper_exec_27_0) true)
-(expandtypeattribute (network_management_service_27_0) true)
-(expandtypeattribute (network_score_service_27_0) true)
-(expandtypeattribute (network_time_update_service_27_0) true)
-(expandtypeattribute (nfc_27_0) true)
-(expandtypeattribute (nfc_data_file_27_0) true)
-(expandtypeattribute (nfc_device_27_0) true)
-(expandtypeattribute (nfc_prop_27_0) true)
-(expandtypeattribute (nfc_service_27_0) true)
-(expandtypeattribute (node_27_0) true)
-(expandtypeattribute (nonplat_service_contexts_file_27_0) true)
-(expandtypeattribute (notification_service_27_0) true)
-(expandtypeattribute (null_device_27_0) true)
-(expandtypeattribute (oemfs_27_0) true)
-(expandtypeattribute (oem_lock_service_27_0) true)
-(expandtypeattribute (ota_data_file_27_0) true)
-(expandtypeattribute (otadexopt_service_27_0) true)
-(expandtypeattribute (ota_package_file_27_0) true)
-(expandtypeattribute (otapreopt_chroot_27_0) true)
-(expandtypeattribute (otapreopt_chroot_exec_27_0) true)
-(expandtypeattribute (otapreopt_slot_27_0) true)
-(expandtypeattribute (otapreopt_slot_exec_27_0) true)
-(expandtypeattribute (overlay_prop_27_0) true)
-(expandtypeattribute (overlay_service_27_0) true)
-(expandtypeattribute (owntty_device_27_0) true)
-(expandtypeattribute (package_native_service_27_0) true)
-(expandtypeattribute (package_service_27_0) true)
-(expandtypeattribute (pan_result_prop_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_dir_27_0) true)
-(expandtypeattribute (pdx_display_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_dir_27_0) true)
-(expandtypeattribute (pdx_display_manager_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_manager_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_dir_27_0) true)
-(expandtypeattribute (performanced_27_0) true)
-(expandtypeattribute (performanced_exec_27_0) true)
-(expandtypeattribute (permission_service_27_0) true)
-(expandtypeattribute (persist_debug_prop_27_0) true)
-(expandtypeattribute (persistent_data_block_service_27_0) true)
-(expandtypeattribute (persistent_properties_ready_prop_27_0) true)
-(expandtypeattribute (pinner_service_27_0) true)
-(expandtypeattribute (pipefs_27_0) true)
-(expandtypeattribute (platform_app_27_0) true)
-(expandtypeattribute (pmsg_device_27_0) true)
-(expandtypeattribute (port_27_0) true)
-(expandtypeattribute (port_device_27_0) true)
-(expandtypeattribute (postinstall_27_0) true)
-(expandtypeattribute (postinstall_dexopt_27_0) true)
-(expandtypeattribute (postinstall_file_27_0) true)
-(expandtypeattribute (postinstall_mnt_dir_27_0) true)
-(expandtypeattribute (powerctl_prop_27_0) true)
-(expandtypeattribute (power_service_27_0) true)
-(expandtypeattribute (ppp_27_0) true)
-(expandtypeattribute (ppp_device_27_0) true)
-(expandtypeattribute (ppp_exec_27_0) true)
-(expandtypeattribute (preloads_data_file_27_0) true)
-(expandtypeattribute (preloads_media_file_27_0) true)
-(expandtypeattribute (preopt2cachename_27_0) true)
-(expandtypeattribute (preopt2cachename_exec_27_0) true)
-(expandtypeattribute (print_service_27_0) true)
-(expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
-(expandtypeattribute (proc_bluetooth_writable_27_0) true)
-(expandtypeattribute (proc_cpuinfo_27_0) true)
-(expandtypeattribute (proc_drop_caches_27_0) true)
-(expandtypeattribute (processinfo_service_27_0) true)
-(expandtypeattribute (proc_interrupts_27_0) true)
-(expandtypeattribute (proc_iomem_27_0) true)
-(expandtypeattribute (proc_meminfo_27_0) true)
-(expandtypeattribute (proc_misc_27_0) true)
-(expandtypeattribute (proc_modules_27_0) true)
-(expandtypeattribute (proc_net_27_0) true)
-(expandtypeattribute (proc_overcommit_memory_27_0) true)
-(expandtypeattribute (proc_perf_27_0) true)
-(expandtypeattribute (proc_security_27_0) true)
-(expandtypeattribute (proc_stat_27_0) true)
-(expandtypeattribute (procstats_service_27_0) true)
-(expandtypeattribute (proc_sysrq_27_0) true)
-(expandtypeattribute (proc_timer_27_0) true)
-(expandtypeattribute (proc_tty_drivers_27_0) true)
-(expandtypeattribute (proc_uid_cputime_removeuid_27_0) true)
-(expandtypeattribute (proc_uid_cputime_showstat_27_0) true)
-(expandtypeattribute (proc_uid_io_stats_27_0) true)
-(expandtypeattribute (proc_uid_procstat_set_27_0) true)
-(expandtypeattribute (proc_uid_time_in_state_27_0) true)
-(expandtypeattribute (proc_zoneinfo_27_0) true)
-(expandtypeattribute (profman_27_0) true)
-(expandtypeattribute (profman_dump_data_file_27_0) true)
-(expandtypeattribute (profman_exec_27_0) true)
-(expandtypeattribute (properties_device_27_0) true)
-(expandtypeattribute (properties_serial_27_0) true)
-(expandtypeattribute (property_contexts_file_27_0) true)
-(expandtypeattribute (property_data_file_27_0) true)
-(expandtypeattribute (property_socket_27_0) true)
-(expandtypeattribute (pstorefs_27_0) true)
-(expandtypeattribute (ptmx_device_27_0) true)
-(expandtypeattribute (qtaguid_device_27_0) true)
-(expandtypeattribute (qtaguid_proc_27_0) true)
-(expandtypeattribute (racoon_27_0) true)
-(expandtypeattribute (racoon_exec_27_0) true)
-(expandtypeattribute (racoon_socket_27_0) true)
-(expandtypeattribute (radio_27_0) true)
-(expandtypeattribute (radio_data_file_27_0) true)
-(expandtypeattribute (radio_device_27_0) true)
-(expandtypeattribute (radio_prop_27_0) true)
-(expandtypeattribute (radio_service_27_0) true)
-(expandtypeattribute (ram_device_27_0) true)
-(expandtypeattribute (random_device_27_0) true)
-(expandtypeattribute (reboot_data_file_27_0) true)
-(expandtypeattribute (recovery_27_0) true)
-(expandtypeattribute (recovery_block_device_27_0) true)
-(expandtypeattribute (recovery_data_file_27_0) true)
-(expandtypeattribute (recovery_persist_27_0) true)
-(expandtypeattribute (recovery_persist_exec_27_0) true)
-(expandtypeattribute (recovery_refresh_27_0) true)
-(expandtypeattribute (recovery_refresh_exec_27_0) true)
-(expandtypeattribute (recovery_service_27_0) true)
-(expandtypeattribute (registry_service_27_0) true)
-(expandtypeattribute (resourcecache_data_file_27_0) true)
-(expandtypeattribute (restorecon_prop_27_0) true)
-(expandtypeattribute (restrictions_service_27_0) true)
-(expandtypeattribute (rild_27_0) true)
-(expandtypeattribute (rild_debug_socket_27_0) true)
-(expandtypeattribute (rild_socket_27_0) true)
-(expandtypeattribute (ringtone_file_27_0) true)
-(expandtypeattribute (root_block_device_27_0) true)
-(expandtypeattribute (rootfs_27_0) true)
-(expandtypeattribute (rpmsg_device_27_0) true)
-(expandtypeattribute (rtc_device_27_0) true)
-(expandtypeattribute (rttmanager_service_27_0) true)
-(expandtypeattribute (runas_27_0) true)
-(expandtypeattribute (runas_exec_27_0) true)
-(expandtypeattribute (runtime_event_log_tags_file_27_0) true)
-(expandtypeattribute (safemode_prop_27_0) true)
-(expandtypeattribute (same_process_hal_file_27_0) true)
-(expandtypeattribute (samplingprofiler_service_27_0) true)
-(expandtypeattribute (scheduling_policy_service_27_0) true)
-(expandtypeattribute (sdcardd_27_0) true)
-(expandtypeattribute (sdcardd_exec_27_0) true)
-(expandtypeattribute (sdcardfs_27_0) true)
-(expandtypeattribute (seapp_contexts_file_27_0) true)
-(expandtypeattribute (search_service_27_0) true)
-(expandtypeattribute (sec_key_att_app_id_provider_service_27_0) true)
-(expandtypeattribute (selinuxfs_27_0) true)
-(expandtypeattribute (sensors_device_27_0) true)
-(expandtypeattribute (sensorservice_service_27_0) true)
-(expandtypeattribute (sepolicy_file_27_0) true)
-(expandtypeattribute (serial_device_27_0) true)
-(expandtypeattribute (serialno_prop_27_0) true)
-(expandtypeattribute (serial_service_27_0) true)
-(expandtypeattribute (service_contexts_file_27_0) true)
-(expandtypeattribute (servicediscovery_service_27_0) true)
-(expandtypeattribute (servicemanager_27_0) true)
-(expandtypeattribute (servicemanager_exec_27_0) true)
-(expandtypeattribute (settings_service_27_0) true)
-(expandtypeattribute (sgdisk_27_0) true)
-(expandtypeattribute (sgdisk_exec_27_0) true)
-(expandtypeattribute (shared_relro_27_0) true)
-(expandtypeattribute (shared_relro_file_27_0) true)
-(expandtypeattribute (shell_27_0) true)
-(expandtypeattribute (shell_data_file_27_0) true)
-(expandtypeattribute (shell_exec_27_0) true)
-(expandtypeattribute (shell_prop_27_0) true)
-(expandtypeattribute (shm_27_0) true)
-(expandtypeattribute (shortcut_manager_icons_27_0) true)
-(expandtypeattribute (shortcut_service_27_0) true)
-(expandtypeattribute (slideshow_27_0) true)
-(expandtypeattribute (socket_device_27_0) true)
-(expandtypeattribute (sockfs_27_0) true)
-(expandtypeattribute (statusbar_service_27_0) true)
-(expandtypeattribute (storaged_service_27_0) true)
-(expandtypeattribute (storage_file_27_0) true)
-(expandtypeattribute (storagestats_service_27_0) true)
-(expandtypeattribute (storage_stub_file_27_0) true)
-(expandtypeattribute (su_27_0) true)
-(expandtypeattribute (su_exec_27_0) true)
-(expandtypeattribute (surfaceflinger_27_0) true)
-(expandtypeattribute (surfaceflinger_service_27_0) true)
-(expandtypeattribute (swap_block_device_27_0) true)
-(expandtypeattribute (sysfs_27_0) true)
-(expandtypeattribute (sysfs_batteryinfo_27_0) true)
-(expandtypeattribute (sysfs_bluetooth_writable_27_0) true)
-(expandtypeattribute (sysfs_devices_system_cpu_27_0) true)
-(expandtypeattribute (sysfs_fs_ext4_features_27_0) true)
-(expandtypeattribute (sysfs_hwrandom_27_0) true)
-(expandtypeattribute (sysfs_leds_27_0) true)
-(expandtypeattribute (sysfs_lowmemorykiller_27_0) true)
-(expandtypeattribute (sysfs_mac_address_27_0) true)
-(expandtypeattribute (sysfs_nfc_power_writable_27_0) true)
-(expandtypeattribute (sysfs_thermal_27_0) true)
-(expandtypeattribute (sysfs_uio_27_0) true)
-(expandtypeattribute (sysfs_usb_27_0) true)
-(expandtypeattribute (sysfs_usermodehelper_27_0) true)
-(expandtypeattribute (sysfs_vibrator_27_0) true)
-(expandtypeattribute (sysfs_wake_lock_27_0) true)
-(expandtypeattribute (sysfs_wlan_fwpath_27_0) true)
-(expandtypeattribute (sysfs_zram_27_0) true)
-(expandtypeattribute (sysfs_zram_uevent_27_0) true)
-(expandtypeattribute (system_app_27_0) true)
-(expandtypeattribute (system_app_data_file_27_0) true)
-(expandtypeattribute (system_app_service_27_0) true)
-(expandtypeattribute (system_block_device_27_0) true)
-(expandtypeattribute (system_data_file_27_0) true)
-(expandtypeattribute (system_file_27_0) true)
-(expandtypeattribute (systemkeys_data_file_27_0) true)
-(expandtypeattribute (system_ndebug_socket_27_0) true)
-(expandtypeattribute (system_net_netd_hwservice_27_0) true)
-(expandtypeattribute (system_prop_27_0) true)
-(expandtypeattribute (system_radio_prop_27_0) true)
-(expandtypeattribute (system_server_27_0) true)
-(expandtypeattribute (system_wifi_keystore_hwservice_27_0) true)
-(expandtypeattribute (system_wpa_socket_27_0) true)
-(expandtypeattribute (task_service_27_0) true)
-(expandtypeattribute (tee_27_0) true)
-(expandtypeattribute (tee_data_file_27_0) true)
-(expandtypeattribute (tee_device_27_0) true)
-(expandtypeattribute (telecom_service_27_0) true)
-(expandtypeattribute (textclassification_service_27_0) true)
-(expandtypeattribute (textclassifier_data_file_27_0) true)
-(expandtypeattribute (textservices_service_27_0) true)
-(expandtypeattribute (thermalcallback_hwservice_27_0) true)
-(expandtypeattribute (thermal_service_27_0) true)
-(expandtypeattribute (thermalserviced_27_0) true)
-(expandtypeattribute (thermalserviced_exec_27_0) true)
-(expandtypeattribute (timezone_service_27_0) true)
-(expandtypeattribute (tmpfs_27_0) true)
-(expandtypeattribute (tombstoned_27_0) true)
-(expandtypeattribute (tombstone_data_file_27_0) true)
-(expandtypeattribute (tombstoned_crash_socket_27_0) true)
-(expandtypeattribute (tombstoned_exec_27_0) true)
-(expandtypeattribute (tombstoned_intercept_socket_27_0) true)
-(expandtypeattribute (tombstoned_java_trace_socket_27_0) true)
-(expandtypeattribute (toolbox_27_0) true)
-(expandtypeattribute (toolbox_exec_27_0) true)
-(expandtypeattribute (trust_service_27_0) true)
-(expandtypeattribute (tty_device_27_0) true)
-(expandtypeattribute (tun_device_27_0) true)
-(expandtypeattribute (tv_input_service_27_0) true)
-(expandtypeattribute (tzdatacheck_27_0) true)
-(expandtypeattribute (tzdatacheck_exec_27_0) true)
-(expandtypeattribute (ueventd_27_0) true)
-(expandtypeattribute (uhid_device_27_0) true)
-(expandtypeattribute (uimode_service_27_0) true)
-(expandtypeattribute (uio_device_27_0) true)
-(expandtypeattribute (uncrypt_27_0) true)
-(expandtypeattribute (uncrypt_exec_27_0) true)
-(expandtypeattribute (uncrypt_socket_27_0) true)
-(expandtypeattribute (unencrypted_data_file_27_0) true)
-(expandtypeattribute (unlabeled_27_0) true)
-(expandtypeattribute (untrusted_app_25_27_0) true)
-(expandtypeattribute (untrusted_app_27_0) true)
-(expandtypeattribute (untrusted_v2_app_27_0) true)
-(expandtypeattribute (update_engine_27_0) true)
-(expandtypeattribute (update_engine_data_file_27_0) true)
-(expandtypeattribute (update_engine_exec_27_0) true)
-(expandtypeattribute (update_engine_service_27_0) true)
-(expandtypeattribute (updatelock_service_27_0) true)
-(expandtypeattribute (update_verifier_27_0) true)
-(expandtypeattribute (update_verifier_exec_27_0) true)
-(expandtypeattribute (usagestats_service_27_0) true)
-(expandtypeattribute (usbaccessory_device_27_0) true)
-(expandtypeattribute (usb_device_27_0) true)
-(expandtypeattribute (usbfs_27_0) true)
-(expandtypeattribute (usb_service_27_0) true)
-(expandtypeattribute (userdata_block_device_27_0) true)
-(expandtypeattribute (usermodehelper_27_0) true)
-(expandtypeattribute (user_profile_data_file_27_0) true)
-(expandtypeattribute (user_service_27_0) true)
-(expandtypeattribute (vcs_device_27_0) true)
-(expandtypeattribute (vdc_27_0) true)
-(expandtypeattribute (vdc_exec_27_0) true)
-(expandtypeattribute (vendor_app_file_27_0) true)
-(expandtypeattribute (vendor_configs_file_27_0) true)
-(expandtypeattribute (vendor_file_27_0) true)
-(expandtypeattribute (vendor_framework_file_27_0) true)
-(expandtypeattribute (vendor_hal_file_27_0) true)
-(expandtypeattribute (vendor_overlay_file_27_0) true)
-(expandtypeattribute (vendor_shell_exec_27_0) true)
-(expandtypeattribute (vendor_toolbox_exec_27_0) true)
-(expandtypeattribute (vfat_27_0) true)
-(expandtypeattribute (vibrator_service_27_0) true)
-(expandtypeattribute (video_device_27_0) true)
-(expandtypeattribute (virtual_touchpad_27_0) true)
-(expandtypeattribute (virtual_touchpad_exec_27_0) true)
-(expandtypeattribute (virtual_touchpad_service_27_0) true)
-(expandtypeattribute (vndbinder_device_27_0) true)
-(expandtypeattribute (vndk_sp_file_27_0) true)
-(expandtypeattribute (vndservice_contexts_file_27_0) true)
-(expandtypeattribute (vndservicemanager_27_0) true)
-(expandtypeattribute (voiceinteraction_service_27_0) true)
-(expandtypeattribute (vold_27_0) true)
-(expandtypeattribute (vold_data_file_27_0) true)
-(expandtypeattribute (vold_device_27_0) true)
-(expandtypeattribute (vold_exec_27_0) true)
-(expandtypeattribute (vold_prop_27_0) true)
-(expandtypeattribute (vold_socket_27_0) true)
-(expandtypeattribute (vpn_data_file_27_0) true)
-(expandtypeattribute (vr_hwc_27_0) true)
-(expandtypeattribute (vr_hwc_exec_27_0) true)
-(expandtypeattribute (vr_hwc_service_27_0) true)
-(expandtypeattribute (vr_manager_service_27_0) true)
-(expandtypeattribute (wallpaper_file_27_0) true)
-(expandtypeattribute (wallpaper_service_27_0) true)
-(expandtypeattribute (watchdogd_27_0) true)
-(expandtypeattribute (watchdog_device_27_0) true)
-(expandtypeattribute (webviewupdate_service_27_0) true)
-(expandtypeattribute (webview_zygote_27_0) true)
-(expandtypeattribute (webview_zygote_exec_27_0) true)
-(expandtypeattribute (webview_zygote_socket_27_0) true)
-(expandtypeattribute (wifiaware_service_27_0) true)
-(expandtypeattribute (wificond_27_0) true)
-(expandtypeattribute (wificond_exec_27_0) true)
-(expandtypeattribute (wificond_service_27_0) true)
-(expandtypeattribute (wifi_data_file_27_0) true)
-(expandtypeattribute (wifi_log_prop_27_0) true)
-(expandtypeattribute (wifip2p_service_27_0) true)
-(expandtypeattribute (wifi_prop_27_0) true)
-(expandtypeattribute (wifiscanner_service_27_0) true)
-(expandtypeattribute (wifi_service_27_0) true)
-(expandtypeattribute (window_service_27_0) true)
-(expandtypeattribute (wpa_socket_27_0) true)
-(expandtypeattribute (zero_device_27_0) true)
-(expandtypeattribute (zoneinfo_data_file_27_0) true)
-(expandtypeattribute (zygote_27_0) true)
-(expandtypeattribute (zygote_exec_27_0) true)
-(expandtypeattribute (zygote_socket_27_0) true)
-(typeattributeset accessibility_service_27_0 (accessibility_service))
-(typeattributeset account_service_27_0 (account_service))
-(typeattributeset activity_service_27_0 (activity_service))
-(typeattributeset adbd_27_0 (adbd))
-(typeattributeset adb_data_file_27_0 (adb_data_file))
-(typeattributeset adbd_exec_27_0 (adbd_exec))
-(typeattributeset adbd_socket_27_0 (adbd_socket))
-(typeattributeset adb_keys_file_27_0 (adb_keys_file))
-(typeattributeset alarm_device_27_0 (alarm_device))
-(typeattributeset alarm_service_27_0 (alarm_service))
-(typeattributeset anr_data_file_27_0 (anr_data_file))
-(typeattributeset apk_data_file_27_0 (apk_data_file))
-(typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
-(typeattributeset app_data_file_27_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_27_0 (app_fuse_file))
-(typeattributeset app_fusefs_27_0 (app_fusefs))
-(typeattributeset appops_service_27_0 (appops_service))
-(typeattributeset appwidget_service_27_0 (appwidget_service))
-(typeattributeset asec_apk_file_27_0 (asec_apk_file))
-(typeattributeset asec_image_file_27_0 (asec_image_file))
-(typeattributeset asec_public_file_27_0 (asec_public_file))
-(typeattributeset ashmem_device_27_0 (ashmem_device))
-(typeattributeset assetatlas_service_27_0 (assetatlas_service))
-(typeattributeset audio_data_file_27_0 (audio_data_file))
-(typeattributeset audio_device_27_0 (audio_device))
-(typeattributeset audiohal_data_file_27_0 (audiohal_data_file))
-(typeattributeset audio_prop_27_0 (audio_prop))
-(typeattributeset audio_seq_device_27_0 (audio_seq_device))
-(typeattributeset audioserver_27_0 (audioserver))
-(typeattributeset audioserver_data_file_27_0 (audioserver_data_file))
-(typeattributeset audioserver_service_27_0 (audioserver_service))
-(typeattributeset audio_service_27_0 (audio_service))
-(typeattributeset audio_timer_device_27_0 (audio_timer_device))
-(typeattributeset autofill_service_27_0 (autofill_service))
-(typeattributeset backup_data_file_27_0 (backup_data_file))
-(typeattributeset backup_service_27_0 (backup_service))
-(typeattributeset batteryproperties_service_27_0 (batteryproperties_service))
-(typeattributeset battery_service_27_0 (battery_service))
-(typeattributeset batterystats_service_27_0 (batterystats_service))
-(typeattributeset binder_device_27_0 (binder_device))
-(typeattributeset binfmt_miscfs_27_0 (binfmt_miscfs))
-(typeattributeset blkid_27_0 (blkid))
-(typeattributeset blkid_untrusted_27_0 (blkid_untrusted))
-(typeattributeset block_device_27_0 (block_device))
-(typeattributeset bluetooth_27_0 (bluetooth))
-(typeattributeset bluetooth_data_file_27_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_27_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_27_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_27_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_27_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_27_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_27_0 (bluetooth_socket))
-(typeattributeset bootanim_27_0 (bootanim))
-(typeattributeset bootanim_exec_27_0 (bootanim_exec))
-(typeattributeset boot_block_device_27_0 (boot_block_device))
-(typeattributeset bootchart_data_file_27_0 (bootchart_data_file))
-(typeattributeset bootstat_27_0 (bootstat))
-(typeattributeset bootstat_data_file_27_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_27_0 (bootstat_exec))
-(typeattributeset boottime_prop_27_0 (boottime_prop))
-(typeattributeset boottrace_data_file_27_0 (boottrace_data_file))
-(typeattributeset broadcastradio_service_27_0 (broadcastradio_service))
-(typeattributeset bufferhubd_27_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_27_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_27_0 (cache_backup_file))
-(typeattributeset cache_block_device_27_0 (cache_block_device))
-(typeattributeset cache_file_27_0 (cache_file))
-(typeattributeset cache_private_backup_file_27_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_27_0 (cache_recovery_file))
-(typeattributeset camera_data_file_27_0 (camera_data_file))
-(typeattributeset camera_device_27_0 (camera_device))
-(typeattributeset cameraproxy_service_27_0 (cameraproxy_service))
-(typeattributeset cameraserver_27_0 (cameraserver))
-(typeattributeset cameraserver_exec_27_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_27_0 (cameraserver_service))
-(typeattributeset cgroup_27_0 (cgroup))
-(typeattributeset charger_27_0 (charger))
-(typeattributeset clatd_27_0 (clatd))
-(typeattributeset clatd_exec_27_0 (clatd_exec))
-(typeattributeset clipboard_service_27_0 (clipboard_service))
-(typeattributeset commontime_management_service_27_0 (commontime_management_service))
-(typeattributeset companion_device_service_27_0 (companion_device_service))
-(typeattributeset configfs_27_0 (configfs))
-(typeattributeset config_prop_27_0 (config_prop))
-(typeattributeset connectivity_service_27_0 (connectivity_service))
-(typeattributeset connmetrics_service_27_0 (connmetrics_service))
-(typeattributeset console_device_27_0 (console_device))
-(typeattributeset consumer_ir_service_27_0 (consumer_ir_service))
-(typeattributeset content_service_27_0 (content_service))
-(typeattributeset contexthub_service_27_0 (contexthub_service))
-(typeattributeset coredump_file_27_0 (coredump_file))
-(typeattributeset country_detector_service_27_0 (country_detector_service))
-(typeattributeset coverage_service_27_0 (coverage_service))
-(typeattributeset cppreopt_prop_27_0 (cppreopt_prop))
-(typeattributeset cppreopts_27_0 (cppreopts))
-(typeattributeset cppreopts_exec_27_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_27_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_27_0 (cpuinfo_service))
-(typeattributeset crash_dump_27_0 (crash_dump))
-(typeattributeset crash_dump_exec_27_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_27_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_27_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_27_0 (dalvik_prop))
-(typeattributeset dbinfo_service_27_0 (dbinfo_service))
-(typeattributeset debugfs_27_0
- ( debugfs
- debugfs_wakeup_sources))
-(typeattributeset debugfs_mmc_27_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_27_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_27_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_27_0 (debugfs_tracing_debug))
-(typeattributeset debugfs_tracing_instances_27_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_27_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_27_0 (debuggerd_prop))
-(typeattributeset debug_prop_27_0 (debug_prop))
-(typeattributeset default_android_hwservice_27_0 (default_android_hwservice))
-(typeattributeset default_android_service_27_0 (default_android_service))
-(typeattributeset default_android_vndservice_27_0 (default_android_vndservice))
-(typeattributeset default_prop_27_0
- ( default_prop
- pm_prop))
-(typeattributeset device_27_0 (device))
-(typeattributeset device_identifiers_service_27_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_27_0 (deviceidle_service))
-(typeattributeset device_logging_prop_27_0 (device_logging_prop))
-(typeattributeset device_policy_service_27_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_27_0 (devicestoragemonitor_service))
-(typeattributeset devpts_27_0 (devpts))
-(typeattributeset dex2oat_27_0 (dex2oat))
-(typeattributeset dex2oat_exec_27_0 (dex2oat_exec))
-(typeattributeset dhcp_27_0 (dhcp))
-(typeattributeset dhcp_data_file_27_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_27_0 (dhcp_exec))
-(typeattributeset dhcp_prop_27_0 (dhcp_prop))
-(typeattributeset diskstats_service_27_0 (diskstats_service))
-(typeattributeset display_service_27_0 (display_service))
-(typeattributeset dm_device_27_0 (dm_device))
-(typeattributeset dnsmasq_27_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_27_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_27_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_27_0 (DockObserver_service))
-(typeattributeset dreams_service_27_0 (dreams_service))
-(typeattributeset drm_data_file_27_0 (drm_data_file))
-(typeattributeset drmserver_27_0 (drmserver))
-(typeattributeset drmserver_exec_27_0 (drmserver_exec))
-(typeattributeset drmserver_service_27_0 (drmserver_service))
-(typeattributeset drmserver_socket_27_0 (drmserver_socket))
-(typeattributeset dropbox_service_27_0 (dropbox_service))
-(typeattributeset dumpstate_27_0 (dumpstate))
-(typeattributeset dumpstate_exec_27_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_27_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_27_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_27_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_27_0 (dumpstate_socket))
-(typeattributeset e2fs_27_0 (e2fs))
-(typeattributeset e2fs_exec_27_0 (e2fs_exec))
-(typeattributeset efs_file_27_0 (efs_file))
-(typeattributeset ephemeral_app_27_0 (ephemeral_app))
-(typeattributeset ethernet_service_27_0 (ethernet_service))
-(typeattributeset ffs_prop_27_0 (ffs_prop))
-(typeattributeset file_contexts_file_27_0 (file_contexts_file))
-(typeattributeset fingerprintd_27_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_27_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_27_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_27_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_27_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_27_0 (fingerprint_service))
-(typeattributeset firstboot_prop_27_0 (firstboot_prop))
-(typeattributeset font_service_27_0 (font_service))
-(typeattributeset frp_block_device_27_0 (frp_block_device))
-(typeattributeset fsck_27_0 (fsck))
-(typeattributeset fsck_exec_27_0 (fsck_exec))
-(typeattributeset fscklogs_27_0 (fscklogs))
-(typeattributeset fsck_untrusted_27_0 (fsck_untrusted))
-(typeattributeset full_device_27_0 (full_device))
-(typeattributeset functionfs_27_0 (functionfs))
-(typeattributeset fuse_27_0 (fuse))
-(typeattributeset fuse_device_27_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_27_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_27_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_27_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_27_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_27_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_27_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_27_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_27_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_27_0 (gfxinfo_service))
-(typeattributeset gps_control_27_0 (gps_control))
-(typeattributeset gpu_device_27_0 (gpu_device))
-(typeattributeset gpu_service_27_0 (gpu_service))
-(typeattributeset graphics_device_27_0 (graphics_device))
-(typeattributeset graphicsstats_service_27_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_27_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_27_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_27_0 (hal_bootctl_hwservice))
-(typeattributeset hal_broadcastradio_hwservice_27_0 (hal_broadcastradio_hwservice))
-(typeattributeset hal_camera_hwservice_27_0 (hal_camera_hwservice))
-(typeattributeset hal_cas_hwservice_27_0 (hal_cas_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_27_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_27_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_27_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_27_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_27_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_27_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_27_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_27_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_27_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_27_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_27_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_27_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_27_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_27_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_27_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_27_0 (hal_memtrack_hwservice))
-(typeattributeset hal_neuralnetworks_hwservice_27_0 (hal_neuralnetworks_hwservice))
-(typeattributeset hal_nfc_hwservice_27_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_27_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_27_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_27_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_27_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_27_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_27_0 (hal_telephony_hwservice))
-(typeattributeset hal_tetheroffload_hwservice_27_0 (hal_tetheroffload_hwservice))
-(typeattributeset hal_thermal_hwservice_27_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_27_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_27_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_27_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_27_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_27_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_27_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_27_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_offload_hwservice_27_0 (hal_wifi_offload_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_27_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_27_0 (hardware_properties_service))
-(typeattributeset hardware_service_27_0 (hardware_service))
-(typeattributeset hci_attach_dev_27_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_27_0 (hdmi_control_service))
-(typeattributeset healthd_27_0 (healthd))
-(typeattributeset healthd_exec_27_0 (healthd_exec))
-(typeattributeset heapdump_data_file_27_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_27_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_27_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_27_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_27_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_27_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_27_0 (hwbinder_device))
-(typeattributeset hw_random_device_27_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_27_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_27_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_27_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_27_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_27_0 (i2c_device))
-(typeattributeset icon_file_27_0 (icon_file))
-(typeattributeset idmap_27_0 (idmap))
-(typeattributeset idmap_exec_27_0 (idmap_exec))
-(typeattributeset iio_device_27_0 (iio_device))
-(typeattributeset imms_service_27_0 (imms_service))
-(typeattributeset incident_27_0 (incident))
-(typeattributeset incidentd_27_0 (incidentd))
-(typeattributeset incident_data_file_27_0 (incident_data_file))
-(typeattributeset incident_service_27_0 (incident_service))
-(typeattributeset init_27_0 (init))
-(typeattributeset init_exec_27_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_27_0 (inotify))
-(typeattributeset input_device_27_0 (input_device))
-(typeattributeset inputflinger_27_0 (inputflinger))
-(typeattributeset inputflinger_exec_27_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_27_0 (inputflinger_service))
-(typeattributeset input_method_service_27_0 (input_method_service))
-(typeattributeset input_service_27_0 (input_service))
-(typeattributeset installd_27_0 (installd))
-(typeattributeset install_data_file_27_0 (install_data_file))
-(typeattributeset installd_exec_27_0 (installd_exec))
-(typeattributeset installd_service_27_0 (installd_service))
-(typeattributeset install_recovery_27_0 (install_recovery))
-(typeattributeset install_recovery_exec_27_0 (install_recovery_exec))
-(typeattributeset ion_device_27_0 (ion_device))
-(typeattributeset IProxyService_service_27_0 (IProxyService_service))
-(typeattributeset ipsec_service_27_0 (ipsec_service))
-(typeattributeset isolated_app_27_0 (isolated_app))
-(typeattributeset jobscheduler_service_27_0 (jobscheduler_service))
-(typeattributeset kernel_27_0 (kernel))
-(typeattributeset keychain_data_file_27_0 (keychain_data_file))
-(typeattributeset keychord_device_27_0 (keychord_device))
-(typeattributeset keystore_27_0 (keystore))
-(typeattributeset keystore_data_file_27_0 (keystore_data_file))
-(typeattributeset keystore_exec_27_0 (keystore_exec))
-(typeattributeset keystore_service_27_0 (keystore_service))
-(typeattributeset kmem_device_27_0 (kmem_device))
-(typeattributeset kmsg_debug_device_27_0 (kmsg_debug_device))
-(typeattributeset kmsg_device_27_0 (kmsg_device))
-(typeattributeset labeledfs_27_0 (labeledfs))
-(typeattributeset launcherapps_service_27_0 (launcherapps_service))
-(typeattributeset lmkd_27_0 (lmkd))
-(typeattributeset lmkd_exec_27_0 (lmkd_exec))
-(typeattributeset lmkd_socket_27_0 (lmkd_socket))
-(typeattributeset location_service_27_0 (location_service))
-(typeattributeset lock_settings_service_27_0 (lock_settings_service))
-(typeattributeset logcat_exec_27_0 (logcat_exec))
-(typeattributeset logd_27_0 (logd))
-(typeattributeset logd_exec_27_0 (logd_exec))
-(typeattributeset logd_prop_27_0 (logd_prop))
-(typeattributeset logdr_socket_27_0 (logdr_socket))
-(typeattributeset logd_socket_27_0 (logd_socket))
-(typeattributeset logdw_socket_27_0 (logdw_socket))
-(typeattributeset logpersist_27_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_27_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_27_0 (log_prop))
-(typeattributeset log_tag_prop_27_0 (log_tag_prop))
-(typeattributeset loop_control_device_27_0 (loop_control_device))
-(typeattributeset loop_device_27_0 (loop_device))
-(typeattributeset mac_perms_file_27_0 (mac_perms_file))
-(typeattributeset mdnsd_27_0 (mdnsd))
-(typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
-(typeattributeset mdns_socket_27_0 (mdns_socket))
-(typeattributeset hal_omx_server (mediacodec_27_0))
-(typeattributeset mediacodec_27_0 (mediacodec))
-(typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_27_0 (mediacodec_service))
-(typeattributeset media_data_file_27_0 (media_data_file))
-(typeattributeset mediadrmserver_27_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_27_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_27_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_27_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_27_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_27_0 (mediaextractor_service))
-(typeattributeset mediametrics_27_0 (mediametrics))
-(typeattributeset mediametrics_exec_27_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_27_0 (mediametrics_service))
-(typeattributeset media_projection_service_27_0 (media_projection_service))
-(typeattributeset mediaprovider_27_0 (mediaprovider))
-(typeattributeset media_router_service_27_0 (media_router_service))
-(typeattributeset media_rw_data_file_27_0 (media_rw_data_file))
-(typeattributeset mediaserver_27_0 (mediaserver))
-(typeattributeset mediaserver_exec_27_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_27_0 (mediaserver_service))
-(typeattributeset media_session_service_27_0 (media_session_service))
-(typeattributeset meminfo_service_27_0 (meminfo_service))
-(typeattributeset metadata_block_device_27_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_27_0 (method_trace_data_file))
-(typeattributeset midi_service_27_0 (midi_service))
-(typeattributeset misc_block_device_27_0 (misc_block_device))
-(typeattributeset misc_logd_file_27_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_27_0 (misc_user_data_file))
-(typeattributeset mmc_prop_27_0 (mmc_prop))
-(typeattributeset mnt_expand_file_27_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_27_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_27_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_27_0 (mnt_user_file))
-(typeattributeset modprobe_27_0 (modprobe))
-(typeattributeset mount_service_27_0 (mount_service))
-(typeattributeset mqueue_27_0 (mqueue))
-(typeattributeset mtd_device_27_0 (mtd_device))
-(typeattributeset mtp_27_0 (mtp))
-(typeattributeset mtp_device_27_0 (mtp_device))
-(typeattributeset mtpd_socket_27_0 (mtpd_socket))
-(typeattributeset mtp_exec_27_0 (mtp_exec))
-(typeattributeset nativetest_data_file_27_0 (nativetest_data_file))
-(typeattributeset netd_27_0 (netd))
-(typeattributeset net_data_file_27_0 (net_data_file))
-(typeattributeset netd_exec_27_0 (netd_exec))
-(typeattributeset netd_listener_service_27_0 (netd_listener_service))
-(typeattributeset net_dns_prop_27_0 (net_dns_prop))
-(typeattributeset netd_service_27_0 (netd_service))
-(typeattributeset netd_socket_27_0 (netd_socket))
-(typeattributeset netd_stable_secret_prop_27_0 (netd_stable_secret_prop))
-(typeattributeset netif_27_0 (netif))
-(typeattributeset netpolicy_service_27_0 (netpolicy_service))
-(typeattributeset net_radio_prop_27_0 (net_radio_prop))
-(typeattributeset netstats_service_27_0 (netstats_service))
-(typeattributeset netutils_wrapper_27_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_27_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_27_0 (network_management_service))
-(typeattributeset network_score_service_27_0 (network_score_service))
-(typeattributeset network_time_update_service_27_0 (network_time_update_service))
-(typeattributeset nfc_27_0 (nfc))
-(typeattributeset nfc_data_file_27_0 (nfc_data_file))
-(typeattributeset nfc_device_27_0 (nfc_device))
-(typeattributeset nfc_prop_27_0 (nfc_prop))
-(typeattributeset nfc_service_27_0 (nfc_service))
-(typeattributeset node_27_0 (node))
-(typeattributeset nonplat_service_contexts_file_27_0 (nonplat_service_contexts_file))
-(typeattributeset notification_service_27_0 (notification_service))
-(typeattributeset null_device_27_0 (null_device))
-(typeattributeset oemfs_27_0 (oemfs))
-(typeattributeset oem_lock_service_27_0 (oem_lock_service))
-(typeattributeset ota_data_file_27_0 (ota_data_file))
-(typeattributeset otadexopt_service_27_0 (otadexopt_service))
-(typeattributeset ota_package_file_27_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_27_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_27_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_27_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_27_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_27_0 (overlay_prop))
-(typeattributeset overlay_service_27_0 (overlay_service))
-(typeattributeset owntty_device_27_0 (owntty_device))
-(typeattributeset package_native_service_27_0 (package_native_service))
-(typeattributeset package_service_27_0 (package_service))
-(typeattributeset pan_result_prop_27_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_27_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_27_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_27_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_27_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_27_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_27_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_27_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_27_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_27_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_27_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_27_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_27_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_27_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_27_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir))
-(typeattributeset performanced_27_0 (performanced))
-(typeattributeset performanced_exec_27_0 (performanced_exec))
-(typeattributeset permission_service_27_0 (permission_service))
-(typeattributeset persist_debug_prop_27_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_27_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_27_0 (pinner_service))
-(typeattributeset pipefs_27_0 (pipefs))
-(typeattributeset platform_app_27_0 (platform_app))
-(typeattributeset pmsg_device_27_0 (pmsg_device))
-(typeattributeset port_27_0 (port))
-(typeattributeset port_device_27_0 (port_device))
-(typeattributeset postinstall_27_0 (postinstall))
-(typeattributeset postinstall_dexopt_27_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_27_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_27_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_27_0 (powerctl_prop))
-(typeattributeset power_service_27_0 (power_service))
-(typeattributeset ppp_27_0 (ppp))
-(typeattributeset ppp_device_27_0 (ppp_device))
-(typeattributeset ppp_exec_27_0 (ppp_exec))
-(typeattributeset preloads_data_file_27_0 (preloads_data_file))
-(typeattributeset preloads_media_file_27_0 (preloads_media_file))
-(typeattributeset preopt2cachename_27_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_27_0 (preopt2cachename_exec))
-(typeattributeset print_service_27_0 (print_service))
-(typeattributeset priv_app_27_0 (priv_app))
-(typeattributeset proc_27_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_27_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_27_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_27_0 (proc_drop_caches))
-(typeattributeset processinfo_service_27_0 (processinfo_service))
-(typeattributeset proc_interrupts_27_0 (proc_interrupts))
-(typeattributeset proc_iomem_27_0 (proc_iomem))
-(typeattributeset proc_meminfo_27_0 (proc_meminfo))
-(typeattributeset proc_misc_27_0 (proc_misc))
-(typeattributeset proc_modules_27_0 (proc_modules))
-(typeattributeset proc_net_27_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_27_0 (proc_perf))
-(typeattributeset proc_security_27_0 (proc_security))
-(typeattributeset proc_stat_27_0 (proc_stat))
-(typeattributeset procstats_service_27_0 (procstats_service))
-(typeattributeset proc_sysrq_27_0 (proc_sysrq))
-(typeattributeset proc_timer_27_0 (proc_timer))
-(typeattributeset proc_tty_drivers_27_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_27_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_27_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_27_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_27_0 (proc_uid_procstat_set))
-(typeattributeset proc_uid_time_in_state_27_0 (proc_uid_time_in_state))
-(typeattributeset proc_zoneinfo_27_0 (proc_zoneinfo))
-(typeattributeset profman_27_0 (profman))
-(typeattributeset profman_dump_data_file_27_0 (profman_dump_data_file))
-(typeattributeset profman_exec_27_0 (profman_exec))
-(typeattributeset properties_device_27_0 (properties_device))
-(typeattributeset properties_serial_27_0 (properties_serial))
-(typeattributeset property_contexts_file_27_0 (property_contexts_file))
-(typeattributeset property_data_file_27_0 (property_data_file))
-(typeattributeset property_socket_27_0 (property_socket))
-(typeattributeset pstorefs_27_0 (pstorefs))
-(typeattributeset ptmx_device_27_0 (ptmx_device))
-(typeattributeset qtaguid_device_27_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_27_0
- ( proc_qtaguid_ctrl
- qtaguid_proc))
-(typeattributeset racoon_27_0 (racoon))
-(typeattributeset racoon_exec_27_0 (racoon_exec))
-(typeattributeset racoon_socket_27_0 (racoon_socket))
-(typeattributeset radio_27_0 (radio))
-(typeattributeset radio_data_file_27_0 (radio_data_file))
-(typeattributeset radio_device_27_0 (radio_device))
-(typeattributeset radio_prop_27_0 (radio_prop))
-(typeattributeset radio_service_27_0 (radio_service))
-(typeattributeset ram_device_27_0 (ram_device))
-(typeattributeset random_device_27_0 (random_device))
-(typeattributeset reboot_data_file_27_0 (reboot_data_file))
-(typeattributeset recovery_27_0 (recovery))
-(typeattributeset recovery_block_device_27_0 (recovery_block_device))
-(typeattributeset recovery_data_file_27_0 (recovery_data_file))
-(typeattributeset recovery_persist_27_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_27_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_27_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_27_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_27_0 (recovery_service))
-(typeattributeset registry_service_27_0 (registry_service))
-(typeattributeset resourcecache_data_file_27_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_27_0 (restorecon_prop))
-(typeattributeset restrictions_service_27_0 (restrictions_service))
-(typeattributeset rild_27_0 (rild))
-(typeattributeset rild_debug_socket_27_0 (rild_debug_socket))
-(typeattributeset rild_socket_27_0 (rild_socket))
-(typeattributeset ringtone_file_27_0 (ringtone_file))
-(typeattributeset root_block_device_27_0 (root_block_device))
-(typeattributeset rootfs_27_0 (rootfs))
-(typeattributeset rpmsg_device_27_0 (rpmsg_device))
-(typeattributeset rtc_device_27_0 (rtc_device))
-(typeattributeset rttmanager_service_27_0 (rttmanager_service))
-(typeattributeset runas_27_0 (runas))
-(typeattributeset runas_exec_27_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_27_0 (safemode_prop))
-(typeattributeset same_process_hal_file_27_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
-(typeattributeset sdcardd_27_0 (sdcardd))
-(typeattributeset sdcardd_exec_27_0 (sdcardd_exec))
-(typeattributeset sdcardfs_27_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_27_0 (seapp_contexts_file))
-(typeattributeset search_service_27_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_27_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_27_0 (selinuxfs))
-(typeattributeset sensors_device_27_0 (sensors_device))
-(typeattributeset sensorservice_service_27_0 (sensorservice_service))
-(typeattributeset sepolicy_file_27_0 (sepolicy_file))
-(typeattributeset serial_device_27_0 (serial_device))
-(typeattributeset serialno_prop_27_0 (serialno_prop))
-(typeattributeset serial_service_27_0 (serial_service))
-(typeattributeset service_contexts_file_27_0 (service_contexts_file))
-(typeattributeset servicediscovery_service_27_0 (servicediscovery_service))
-(typeattributeset servicemanager_27_0 (servicemanager))
-(typeattributeset servicemanager_exec_27_0 (servicemanager_exec))
-(typeattributeset settings_service_27_0 (settings_service))
-(typeattributeset sgdisk_27_0 (sgdisk))
-(typeattributeset sgdisk_exec_27_0 (sgdisk_exec))
-(typeattributeset shared_relro_27_0 (shared_relro))
-(typeattributeset shared_relro_file_27_0 (shared_relro_file))
-(typeattributeset shell_27_0 (shell))
-(typeattributeset shell_data_file_27_0 (shell_data_file))
-(typeattributeset shell_exec_27_0 (shell_exec))
-(typeattributeset shell_prop_27_0 (shell_prop))
-(typeattributeset shm_27_0 (shm))
-(typeattributeset shortcut_manager_icons_27_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_27_0 (shortcut_service))
-(typeattributeset slideshow_27_0 (slideshow))
-(typeattributeset socket_device_27_0 (socket_device))
-(typeattributeset sockfs_27_0 (sockfs))
-(typeattributeset statusbar_service_27_0 (statusbar_service))
-(typeattributeset storaged_service_27_0 (storaged_service))
-(typeattributeset storage_file_27_0 (storage_file))
-(typeattributeset storagestats_service_27_0 (storagestats_service))
-(typeattributeset storage_stub_file_27_0 (storage_stub_file))
-(typeattributeset su_27_0 (su))
-(typeattributeset su_exec_27_0 (su_exec))
-(typeattributeset surfaceflinger_27_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_27_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_27_0 (swap_block_device))
-(typeattributeset sysfs_27_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_27_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_27_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_27_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_fs_ext4_features_27_0 (sysfs_fs_ext4_features))
-(typeattributeset sysfs_hwrandom_27_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_27_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_27_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_27_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_27_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_27_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_27_0 (sysfs_uio))
-(typeattributeset sysfs_usb_27_0 (sysfs_usb))
-(typeattributeset sysfs_usermodehelper_27_0 (sysfs_usermodehelper))
-(typeattributeset sysfs_vibrator_27_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_27_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_27_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_27_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_27_0 (sysfs_zram_uevent))
-(typeattributeset system_app_27_0 (system_app))
-(typeattributeset system_app_data_file_27_0 (system_app_data_file))
-(typeattributeset system_app_service_27_0 (system_app_service))
-(typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_27_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
-(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
-(typeattributeset system_prop_27_0 (system_prop))
-(typeattributeset system_radio_prop_27_0 (system_radio_prop))
-(typeattributeset system_server_27_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_27_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_27_0 (system_wpa_socket))
-(typeattributeset task_service_27_0 (task_service))
-(typeattributeset tee_27_0 (tee))
-(typeattributeset tee_data_file_27_0 (tee_data_file))
-(typeattributeset tee_device_27_0 (tee_device))
-(typeattributeset telecom_service_27_0 (telecom_service))
-(typeattributeset textclassification_service_27_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_27_0 (textclassifier_data_file))
-(typeattributeset textservices_service_27_0 (textservices_service))
-(typeattributeset thermalcallback_hwservice_27_0 (thermalcallback_hwservice))
-(typeattributeset thermal_service_27_0 (thermal_service))
-(typeattributeset thermalserviced_27_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_27_0 (thermalserviced_exec))
-(typeattributeset timezone_service_27_0 (timezone_service))
-(typeattributeset tmpfs_27_0 (tmpfs))
-(typeattributeset tombstoned_27_0 (tombstoned))
-(typeattributeset tombstone_data_file_27_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_27_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_27_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_27_0 (tombstoned_intercept_socket))
-(typeattributeset tombstoned_java_trace_socket_27_0 (tombstoned_java_trace_socket))
-(typeattributeset toolbox_27_0 (toolbox))
-(typeattributeset toolbox_exec_27_0 (toolbox_exec))
-(typeattributeset trust_service_27_0 (trust_service))
-(typeattributeset tty_device_27_0 (tty_device))
-(typeattributeset tun_device_27_0 (tun_device))
-(typeattributeset tv_input_service_27_0 (tv_input_service))
-(typeattributeset tzdatacheck_27_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_27_0 (tzdatacheck_exec))
-(typeattributeset ueventd_27_0 (ueventd))
-(typeattributeset uhid_device_27_0 (uhid_device))
-(typeattributeset uimode_service_27_0 (uimode_service))
-(typeattributeset uio_device_27_0 (uio_device))
-(typeattributeset uncrypt_27_0 (uncrypt))
-(typeattributeset uncrypt_exec_27_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_27_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
-(typeattributeset unlabeled_27_0 (unlabeled))
-(typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
-(typeattributeset update_engine_27_0 (update_engine))
-(typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_27_0 (update_engine_exec))
-(typeattributeset update_engine_service_27_0 (update_engine_service))
-(typeattributeset updatelock_service_27_0 (updatelock_service))
-(typeattributeset update_verifier_27_0 (update_verifier))
-(typeattributeset update_verifier_exec_27_0 (update_verifier_exec))
-(typeattributeset usagestats_service_27_0 (usagestats_service))
-(typeattributeset usbaccessory_device_27_0 (usbaccessory_device))
-(typeattributeset usb_device_27_0 (usb_device))
-(typeattributeset usbfs_27_0 (usbfs))
-(typeattributeset usb_service_27_0 (usb_service))
-(typeattributeset userdata_block_device_27_0 (userdata_block_device))
-(typeattributeset usermodehelper_27_0 (usermodehelper))
-(typeattributeset user_profile_data_file_27_0 (user_profile_data_file))
-(typeattributeset user_service_27_0 (user_service))
-(typeattributeset vcs_device_27_0 (vcs_device))
-(typeattributeset vdc_27_0 (vdc))
-(typeattributeset vdc_exec_27_0 (vdc_exec))
-(typeattributeset vendor_app_file_27_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_27_0 (vendor_configs_file))
-(typeattributeset vendor_file_27_0 (vendor_file))
-(typeattributeset vendor_framework_file_27_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_27_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_27_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
-(typeattributeset vfat_27_0 (vfat))
-(typeattributeset vibrator_service_27_0 (vibrator_service))
-(typeattributeset video_device_27_0 (video_device))
-(typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_27_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_27_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_27_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_27_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_27_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_27_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_27_0 (voiceinteraction_service))
-(typeattributeset vold_27_0 (vold))
-(typeattributeset vold_data_file_27_0 (vold_data_file))
-(typeattributeset vold_device_27_0 (vold_device))
-(typeattributeset vold_exec_27_0 (vold_exec))
-(typeattributeset vold_prop_27_0 (vold_prop))
-(typeattributeset vold_socket_27_0 (vold_socket))
-(typeattributeset vpn_data_file_27_0 (vpn_data_file))
-(typeattributeset vr_hwc_27_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_27_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_27_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_27_0 (vr_manager_service))
-(typeattributeset wallpaper_file_27_0 (wallpaper_file))
-(typeattributeset wallpaper_service_27_0 (wallpaper_service))
-(typeattributeset watchdogd_27_0 (watchdogd))
-(typeattributeset watchdog_device_27_0 (watchdog_device))
-(typeattributeset webviewupdate_service_27_0 (webviewupdate_service))
-(typeattributeset webview_zygote_27_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_27_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_27_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_27_0 (wifiaware_service))
-(typeattributeset wificond_27_0 (wificond))
-(typeattributeset wificond_exec_27_0 (wificond_exec))
-(typeattributeset wificond_service_27_0 (wificond_service))
-(typeattributeset wifi_data_file_27_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_27_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_27_0 (wifip2p_service))
-(typeattributeset wifi_prop_27_0 (wifi_prop))
-(typeattributeset wifiscanner_service_27_0 (wifiscanner_service))
-(typeattributeset wifi_service_27_0 (wifi_service))
-(typeattributeset window_service_27_0 (window_service))
-(typeattributeset wpa_socket_27_0 (wpa_socket))
-(typeattributeset zero_device_27_0 (zero_device))
-(typeattributeset zoneinfo_data_file_27_0 (zoneinfo_data_file))
-(typeattributeset zygote_27_0 (zygote))
-(typeattributeset zygote_exec_27_0 (zygote_exec))
-(typeattributeset zygote_socket_27_0 (zygote_socket))
diff --git a/prebuilts/api/31.0/private/compat/27.0/27.0.compat.cil b/prebuilts/api/31.0/private/compat/27.0/27.0.compat.cil
deleted file mode 100644
index 2e85b23..0000000
--- a/prebuilts/api/31.0/private/compat/27.0/27.0.compat.cil
+++ /dev/null
@@ -1,11 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
-(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/31.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/31.0/private/compat/27.0/27.0.ignore.cil
deleted file mode 100644
index 427f4d4..0000000
--- a/prebuilts/api/31.0/private/compat/27.0/27.0.ignore.cil
+++ /dev/null
@@ -1,260 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- aac_drc_prop
- aaudio_config_prop
- activity_task_service
- adb_service
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- art_apex_dir
- atrace
- audio_config_prop
- binder_calls_stats_service
- biometric_service
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- boot_status_prop
- bootanim_system_prop
- bootloader_boot_reason_prop
- bootloader_prop
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- build_bootimage_prop
- build_odm_prop
- build_prop
- build_vendor_prop
- camera_calibration_prop
- camera_config_prop
- cgroup_bpf
- charger_config_prop
- charger_exec
- charger_status_prop
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_apexd_prop
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- dalvik_config_prop
- dalvik_runtime_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- drm_service_config_prop
- exfat
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_radio_prop
- exported3_system_prop
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- fastbootd
- ffs_config_prop
- ffs_control_prop
- flags_health_check
- flags_health_check_exec
- fingerprint_vendor_data_file
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_instrumentation_prop
- hal_lowpan_hwservice
- hal_secure_element_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_hostapd_hwservice
- hdmi_config_prop
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- init_service_status_private_prop
- init_service_status_prop
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- keyguard_config_prop
- last_boot_reason_prop
- libc_debug_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- lmkd_config_prop
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- media_config_prop
- mediadrm_config_prop
- mediaextractor_update_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- metadata_bootstat_file
- metadata_file
- mnt_product_file
- mnt_vendor_file
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- oem_unlock_prop
- overlayfs_file
- packagemanager_config_prop
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- property_info
- property_service_version_prop
- provisioned_prop
- radio_control_prop
- recovery_config_prop
- recovery_socket
- retaildemo_prop
- role_service
- runas_app
- runtime_service
- secure_element
- secure_element_device
- secure_element_service
- secure_element_tmpfs
- sendbug_config_prop
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- socket_hook_prop
- stats
- stats_data_file
- stats_exec
- stats_service
- statscompanion_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- storaged_data_file
- super_block_device
- surfaceflinger_color_prop
- surfaceflinger_prop
- staging_data_file
- storagemanager_config_prop
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_update_service
- systemsound_config_prop
- telephony_config_prop
- telephony_status_prop
- test_boot_reason_prop
- time_prop
- timedetector_service
- tombstone_config_prop
- tombstone_wifi_data_file
- trace_data_file
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- traceur_app
- traceur_app_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- uri_grants_service
- usb_config_prop
- usb_control_prop
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_apex_file
- vendor_default_prop
- vendor_init
- vendor_security_patch_level_prop
- vendor_shell
- vendor_socket_hook_prop
- vndk_prop
- vold_config_prop
- vold_metadata_file
- vold_post_fs_data_prop
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vold_status_prop
- vrflinger_vsync_service
- vts_config_prop
- vts_status_prop
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wifi_config_prop
- wifi_hal_prop
- wm_trace_data_file
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs
- zram_config_prop
- zram_control_prop))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/31.0/private/flags_health_check.te b/prebuilts/api/31.0/private/flags_health_check.te
index 6b15a35..55d1a9a 100644
--- a/prebuilts/api/31.0/private/flags_health_check.te
+++ b/prebuilts/api/31.0/private/flags_health_check.te
@@ -7,7 +7,6 @@
set_prop(flags_health_check, device_config_runtime_native_boot_prop)
set_prop(flags_health_check, device_config_runtime_native_prop)
set_prop(flags_health_check, device_config_input_native_boot_prop)
-set_prop(flags_health_check, device_config_lmkd_native_prop)
set_prop(flags_health_check, device_config_netd_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
diff --git a/prebuilts/api/31.0/private/lmkd.te b/prebuilts/api/31.0/private/lmkd.te
index aee1b7f..ec9a93e 100644
--- a/prebuilts/api/31.0/private/lmkd.te
+++ b/prebuilts/api/31.0/private/lmkd.te
@@ -8,9 +8,6 @@
# Set lmkd.* properties.
set_prop(lmkd, lmkd_prop)
-# Get persist.device_config.lmk_native.* properties.
-get_prop(lmkd, device_config_lmkd_native_prop)
-
allow lmkd fs_bpf:dir search;
allow lmkd fs_bpf:file read;
allow lmkd bpfloader:bpf map_read;
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index 587cf5e..29f4f1a 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -1,7 +1,6 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
system_internal_prop(ctl_snapuserd_prop)
-system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
index a51fa3a..e0700fe 100644
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@@ -237,7 +237,6 @@
persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
-persist.device_config.lmkd_native. u:object_r:device_config_lmkd_native_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
diff --git a/prebuilts/api/31.0/private/system_server.te b/prebuilts/api/31.0/private/system_server.te
index 82b2a1f..73301c1 100644
--- a/prebuilts/api/31.0/private/system_server.te
+++ b/prebuilts/api/31.0/private/system_server.te
@@ -698,7 +698,6 @@
set_prop(system_server, device_config_activity_manager_native_boot_prop)
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
-set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
@@ -1214,7 +1213,6 @@
device_config_activity_manager_native_boot_prop
device_config_connectivity_prop
device_config_input_native_boot_prop
- device_config_lmkd_native_prop
device_config_netd_native_prop
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
diff --git a/prebuilts/api/31.0/private/zygote.te b/prebuilts/api/31.0/private/zygote.te
index 090e121..743647e 100644
--- a/prebuilts/api/31.0/private/zygote.te
+++ b/prebuilts/api/31.0/private/zygote.te
@@ -112,7 +112,7 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
diff --git a/prebuilts/api/31.0/vendor_sepolicy.cil b/prebuilts/api/31.0/vendor_sepolicy.cil
deleted file mode 100644
index 4a3aac3..0000000
--- a/prebuilts/api/31.0/vendor_sepolicy.cil
+++ /dev/null
@@ -1 +0,0 @@
-;; empty stub
diff --git a/prebuilts/api/32.0/private/apexd.te b/prebuilts/api/32.0/private/apexd.te
index 09799bd..d43ed33 100644
--- a/prebuilts/api/32.0/private/apexd.te
+++ b/prebuilts/api/32.0/private/apexd.te
@@ -86,6 +86,7 @@
allow apexd apex_info_file:file relabelto;
# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
allow apexd apex_info_file:file rw_file_perms;
+allow apexd apex_info_file:file mounton;
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
diff --git a/prebuilts/api/32.0/private/compat/26.0/26.0.cil b/prebuilts/api/32.0/private/compat/26.0/26.0.cil
deleted file mode 100644
index 498bca5..0000000
--- a/prebuilts/api/32.0/private/compat/26.0/26.0.cil
+++ /dev/null
@@ -1,786 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_keystore)
-(typeattribute hal_wifi_keystore_client)
-(typeattribute hal_wifi_keystore_server)
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_server)
-
-;; types removed from current policy
-(type untrusted_v2_app)
-(type asan_reboot_prop)
-(type commontime_management_service)
-(type hal_wifi_offload_hwservice)
-(type log_device)
-(type mediacasserver_service)
-(type mediacodec)
-(type mediacodec_exec)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type tracing_shell_writable)
-(type tracing_shell_writable_debug)
-(type vold_socket)
-(type webview_zygote_socket)
-(type rild)
-(type netd_socket)
-
-(typeattributeset accessibility_service_26_0 (accessibility_service))
-(typeattributeset account_service_26_0 (account_service))
-(typeattributeset activity_service_26_0 (activity_service))
-(typeattributeset adbd_26_0 (adbd))
-(typeattributeset adb_data_file_26_0 (adb_data_file))
-(typeattributeset adbd_socket_26_0 (adbd_socket))
-(typeattributeset adb_keys_file_26_0 (adb_keys_file))
-(typeattributeset alarm_device_26_0 (alarm_device))
-(typeattributeset alarm_service_26_0 (alarm_service))
-(typeattributeset anr_data_file_26_0 (anr_data_file))
-(typeattributeset apk_data_file_26_0 (apk_data_file))
-(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_26_0 (app_fuse_file))
-(typeattributeset app_fusefs_26_0 (app_fusefs))
-(typeattributeset appops_service_26_0 (appops_service))
-(typeattributeset appwidget_service_26_0 (appwidget_service))
-(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
-(typeattributeset asec_apk_file_26_0 (asec_apk_file))
-(typeattributeset asec_image_file_26_0 (asec_image_file))
-(typeattributeset asec_public_file_26_0 (asec_public_file))
-(typeattributeset ashmem_device_26_0 (ashmem_device))
-(typeattributeset assetatlas_service_26_0 (assetatlas_service))
-(typeattributeset audio_data_file_26_0 (audio_data_file))
-(typeattributeset audio_device_26_0 (audio_device))
-(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
-(typeattributeset audio_prop_26_0 (audio_prop))
-(typeattributeset audio_seq_device_26_0 (audio_seq_device))
-(typeattributeset audioserver_26_0 (audioserver))
-(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
-(typeattributeset audioserver_service_26_0 (audioserver_service))
-(typeattributeset audio_service_26_0 (audio_service))
-(typeattributeset audio_timer_device_26_0 (audio_timer_device))
-(typeattributeset autofill_service_26_0 (autofill_service))
-(typeattributeset backup_data_file_26_0 (backup_data_file))
-(typeattributeset backup_service_26_0 (backup_service))
-(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
-(typeattributeset battery_service_26_0 (battery_service))
-(typeattributeset batterystats_service_26_0 (batterystats_service))
-(typeattributeset binder_device_26_0 (binder_device))
-(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
-(typeattributeset blkid_26_0 (blkid))
-(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
-(typeattributeset block_device_26_0 (block_device))
-(typeattributeset bluetooth_26_0 (bluetooth))
-(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_26_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
-(typeattributeset bootanim_26_0 (bootanim))
-(typeattributeset bootanim_exec_26_0 (bootanim_exec))
-(typeattributeset boot_block_device_26_0 (boot_block_device))
-(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
-(typeattributeset bootstat_26_0 (bootstat))
-(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_26_0 (bootstat_exec))
-(typeattributeset boottime_prop_26_0 (boottime_prop))
-(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
-(typeattributeset bufferhubd_26_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_26_0 (cache_backup_file))
-(typeattributeset cache_block_device_26_0 (cache_block_device))
-(typeattributeset cache_file_26_0 (cache_file))
-(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
-(typeattributeset camera_data_file_26_0 (camera_data_file))
-(typeattributeset camera_device_26_0 (camera_device))
-(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
-(typeattributeset cameraserver_26_0 (cameraserver))
-(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_26_0 (cameraserver_service))
-(typeattributeset cgroup_26_0 (cgroup))
-(typeattributeset charger_26_0 (charger))
-(typeattributeset clatd_26_0 (clatd))
-(typeattributeset clatd_exec_26_0 (clatd_exec))
-(typeattributeset clipboard_service_26_0 (clipboard_service))
-(typeattributeset commontime_management_service_26_0 (commontime_management_service))
-(typeattributeset companion_device_service_26_0 (companion_device_service))
-(typeattributeset configfs_26_0 (configfs))
-(typeattributeset config_prop_26_0 (config_prop))
-(typeattributeset connectivity_service_26_0 (connectivity_service))
-(typeattributeset connmetrics_service_26_0 (connmetrics_service))
-(typeattributeset console_device_26_0 (console_device))
-(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
-(typeattributeset content_service_26_0 (content_service))
-(typeattributeset contexthub_service_26_0 (contexthub_service))
-(typeattributeset coredump_file_26_0 (coredump_file))
-(typeattributeset country_detector_service_26_0 (country_detector_service))
-(typeattributeset coverage_service_26_0 (coverage_service))
-(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
-(typeattributeset cppreopts_26_0 (cppreopts))
-(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_26_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
-(typeattributeset crash_dump_26_0 (crash_dump))
-(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_26_0 (dalvik_prop))
-(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0
- ( debugfs
- debugfs_wakeup_sources
- ))
-(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
-(typeattributeset debug_prop_26_0 (debug_prop))
-(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
-(typeattributeset default_android_service_26_0 (default_android_service))
-(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0
- ( default_prop pm_prop))
-(typeattributeset device_26_0 (device))
-(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_26_0 (deviceidle_service))
-(typeattributeset device_logging_prop_26_0 (device_logging_prop))
-(typeattributeset device_policy_service_26_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
-(typeattributeset devpts_26_0 (devpts))
-(typeattributeset dex2oat_26_0 (dex2oat))
-(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
-(typeattributeset dhcp_26_0 (dhcp))
-(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_26_0 (dhcp_exec))
-(typeattributeset dhcp_prop_26_0 (dhcp_prop))
-(typeattributeset diskstats_service_26_0 (diskstats_service))
-(typeattributeset display_service_26_0 (display_service))
-(typeattributeset dm_device_26_0 (dm_device))
-(typeattributeset dnsmasq_26_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_26_0 (DockObserver_service))
-(typeattributeset dreams_service_26_0 (dreams_service))
-(typeattributeset drm_data_file_26_0 (drm_data_file))
-(typeattributeset drmserver_26_0 (drmserver))
-(typeattributeset drmserver_exec_26_0 (drmserver_exec))
-(typeattributeset drmserver_service_26_0 (drmserver_service))
-(typeattributeset drmserver_socket_26_0 (drmserver_socket))
-(typeattributeset dropbox_service_26_0 (dropbox_service))
-(typeattributeset dumpstate_26_0 (dumpstate))
-(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_26_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
-(typeattributeset efs_file_26_0 (efs_file))
-(typeattributeset ephemeral_app_26_0 (ephemeral_app))
-(typeattributeset ethernet_service_26_0 (ethernet_service))
-(typeattributeset ffs_prop_26_0 (ffs_prop))
-(typeattributeset file_contexts_file_26_0 (file_contexts_file))
-(typeattributeset fingerprintd_26_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_26_0 (fingerprint_service))
-(typeattributeset firstboot_prop_26_0 (firstboot_prop))
-(typeattributeset font_service_26_0 (font_service))
-(typeattributeset frp_block_device_26_0 (frp_block_device))
-(typeattributeset fsck_26_0 (fsck))
-(typeattributeset fsck_exec_26_0 (fsck_exec))
-(typeattributeset fscklogs_26_0 (fscklogs))
-(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
-(typeattributeset full_device_26_0 (full_device))
-(typeattributeset functionfs_26_0 (functionfs))
-(typeattributeset fuse_26_0 (fuse))
-(typeattributeset fuse_device_26_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_26_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
-(typeattributeset gps_control_26_0 (gps_control))
-(typeattributeset gpu_device_26_0 (gpu_device))
-(typeattributeset gpu_service_26_0 (gpu_service))
-(typeattributeset graphics_device_26_0 (graphics_device))
-(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
-(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
-(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
-(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
-(typeattributeset hardware_service_26_0 (hardware_service))
-(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
-(typeattributeset healthd_26_0 (healthd))
-(typeattributeset healthd_exec_26_0 (healthd_exec))
-(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_26_0 (hwbinder_device))
-(typeattributeset hw_random_device_26_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_26_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_26_0 (i2c_device))
-(typeattributeset icon_file_26_0 (icon_file))
-(typeattributeset idmap_26_0 (idmap))
-(typeattributeset idmap_exec_26_0 (idmap_exec))
-(typeattributeset iio_device_26_0 (iio_device))
-(typeattributeset imms_service_26_0 (imms_service))
-(typeattributeset incident_26_0 (incident))
-(typeattributeset incidentd_26_0 (incidentd))
-(typeattributeset incident_data_file_26_0 (incident_data_file))
-(typeattributeset incident_service_26_0 (incident_service))
-(typeattributeset init_26_0 (init))
-(typeattributeset init_exec_26_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_26_0 (inotify))
-(typeattributeset input_device_26_0 (input_device))
-(typeattributeset inputflinger_26_0 (inputflinger))
-(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_26_0 (inputflinger_service))
-(typeattributeset input_method_service_26_0 (input_method_service))
-(typeattributeset input_service_26_0 (input_service))
-(typeattributeset installd_26_0 (installd))
-(typeattributeset install_data_file_26_0 (install_data_file))
-(typeattributeset installd_exec_26_0 (installd_exec))
-(typeattributeset installd_service_26_0 (installd_service))
-(typeattributeset install_recovery_26_0 (install_recovery))
-(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
-(typeattributeset ion_device_26_0 (ion_device))
-(typeattributeset IProxyService_service_26_0 (IProxyService_service))
-(typeattributeset ipsec_service_26_0 (ipsec_service))
-(typeattributeset isolated_app_26_0 (isolated_app))
-(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
-(typeattributeset kernel_26_0 (kernel))
-(typeattributeset keychain_data_file_26_0 (keychain_data_file))
-(typeattributeset keychord_device_26_0 (keychord_device))
-(typeattributeset keystore_26_0 (keystore))
-(typeattributeset keystore_data_file_26_0 (keystore_data_file))
-(typeattributeset keystore_exec_26_0 (keystore_exec))
-(typeattributeset keystore_service_26_0 (keystore_service))
-(typeattributeset kmem_device_26_0 (kmem_device))
-(typeattributeset kmsg_device_26_0 (kmsg_device))
-(typeattributeset labeledfs_26_0 (labeledfs))
-(typeattributeset launcherapps_service_26_0 (launcherapps_service))
-(typeattributeset lmkd_26_0 (lmkd))
-(typeattributeset lmkd_exec_26_0 (lmkd_exec))
-(typeattributeset lmkd_socket_26_0 (lmkd_socket))
-(typeattributeset location_service_26_0 (location_service))
-(typeattributeset lock_settings_service_26_0 (lock_settings_service))
-(typeattributeset logcat_exec_26_0 (logcat_exec))
-(typeattributeset logd_26_0 (logd))
-(typeattributeset log_device_26_0 (log_device))
-(typeattributeset logd_exec_26_0 (logd_exec))
-(typeattributeset logd_prop_26_0 (logd_prop))
-(typeattributeset logdr_socket_26_0 (logdr_socket))
-(typeattributeset logd_socket_26_0 (logd_socket))
-(typeattributeset logdw_socket_26_0 (logdw_socket))
-(typeattributeset logpersist_26_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_26_0 (log_prop))
-(typeattributeset log_tag_prop_26_0 (log_tag_prop))
-(typeattributeset loop_control_device_26_0 (loop_control_device))
-(typeattributeset loop_device_26_0 (loop_device))
-(typeattributeset mac_perms_file_26_0 (mac_perms_file))
-(typeattributeset mdnsd_26_0 (mdnsd))
-(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
-(typeattributeset mdns_socket_26_0 (mdns_socket))
-(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
-(typeattributeset hal_omx_server (mediacodec_26_0))
-(typeattributeset mediacodec_26_0 (mediacodec))
-(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_26_0 (mediacodec_service))
-(typeattributeset media_data_file_26_0 (media_data_file))
-(typeattributeset mediadrmserver_26_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_26_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
-(typeattributeset mediametrics_26_0 (mediametrics))
-(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_26_0 (mediametrics_service))
-(typeattributeset media_projection_service_26_0 (media_projection_service))
-(typeattributeset media_router_service_26_0 (media_router_service))
-(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
-(typeattributeset mediaserver_26_0 (mediaserver))
-(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_26_0 (mediaserver_service))
-(typeattributeset media_session_service_26_0 (media_session_service))
-(typeattributeset meminfo_service_26_0 (meminfo_service))
-(typeattributeset metadata_block_device_26_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
-(typeattributeset midi_service_26_0 (midi_service))
-(typeattributeset misc_block_device_26_0 (misc_block_device))
-(typeattributeset misc_logd_file_26_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
-(typeattributeset mmc_prop_26_0 (mmc_prop))
-(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_26_0 (mnt_user_file))
-(typeattributeset modprobe_26_0 (modprobe))
-(typeattributeset mount_service_26_0 (mount_service))
-(typeattributeset mqueue_26_0 (mqueue))
-(typeattributeset mtd_device_26_0 (mtd_device))
-(typeattributeset mtp_26_0 (mtp))
-(typeattributeset mtp_device_26_0 (mtp_device))
-(typeattributeset mtpd_socket_26_0 (mtpd_socket))
-(typeattributeset mtp_exec_26_0 (mtp_exec))
-(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
-(typeattributeset netd_26_0 (netd))
-(typeattributeset net_data_file_26_0 (net_data_file))
-(typeattributeset netd_exec_26_0 (netd_exec))
-(typeattributeset netd_listener_service_26_0 (netd_listener_service))
-(typeattributeset net_dns_prop_26_0 (net_dns_prop))
-(typeattributeset netd_service_26_0 (netd_service))
-(typeattributeset netd_socket_26_0 (netd_socket))
-(typeattributeset netif_26_0 (netif))
-(typeattributeset netpolicy_service_26_0 (netpolicy_service))
-(typeattributeset net_radio_prop_26_0 (net_radio_prop))
-(typeattributeset netstats_service_26_0 (netstats_service))
-(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_26_0 (network_management_service))
-(typeattributeset network_score_service_26_0 (network_score_service))
-(typeattributeset network_time_update_service_26_0 (network_time_update_service))
-(typeattributeset nfc_26_0 (nfc))
-(typeattributeset nfc_data_file_26_0 (nfc_data_file))
-(typeattributeset nfc_device_26_0 (nfc_device))
-(typeattributeset nfc_prop_26_0 (nfc_prop))
-(typeattributeset nfc_service_26_0 (nfc_service))
-(typeattributeset node_26_0 (node))
-(typeattributeset notification_service_26_0 (notification_service))
-(typeattributeset null_device_26_0 (null_device))
-(typeattributeset oemfs_26_0 (oemfs))
-(typeattributeset oem_lock_service_26_0 (oem_lock_service))
-(typeattributeset ota_data_file_26_0 (ota_data_file))
-(typeattributeset otadexopt_service_26_0 (otadexopt_service))
-(typeattributeset ota_package_file_26_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_26_0 (overlay_prop))
-(typeattributeset overlay_service_26_0 (overlay_service))
-(typeattributeset owntty_device_26_0 (owntty_device))
-(typeattributeset package_service_26_0 (package_service))
-(typeattributeset pan_result_prop_26_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
-(typeattributeset performanced_26_0 (performanced))
-(typeattributeset performanced_exec_26_0 (performanced_exec))
-(typeattributeset permission_service_26_0 (permission_service))
-(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_26_0 (pinner_service))
-(typeattributeset pipefs_26_0 (pipefs))
-(typeattributeset platform_app_26_0 (platform_app))
-(typeattributeset pmsg_device_26_0 (pmsg_device))
-(typeattributeset port_26_0 (port))
-(typeattributeset port_device_26_0 (port_device))
-(typeattributeset postinstall_26_0 (postinstall))
-(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_26_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_26_0 (powerctl_prop))
-(typeattributeset power_service_26_0 (power_service))
-(typeattributeset ppp_26_0 (ppp))
-(typeattributeset ppp_device_26_0 (ppp_device))
-(typeattributeset ppp_exec_26_0 (ppp_exec))
-(typeattributeset preloads_data_file_26_0 (preloads_data_file))
-(typeattributeset preloads_media_file_26_0 (preloads_media_file))
-(typeattributeset preopt2cachename_26_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
-(typeattributeset print_service_26_0 (print_service))
-(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_time_in_state
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
-(typeattributeset processinfo_service_26_0 (processinfo_service))
-(typeattributeset proc_interrupts_26_0 (proc_interrupts))
-(typeattributeset proc_iomem_26_0 (proc_iomem))
-(typeattributeset proc_meminfo_26_0 (proc_meminfo))
-(typeattributeset proc_misc_26_0 (proc_misc))
-(typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_26_0 (proc_perf))
-(typeattributeset proc_security_26_0 (proc_security))
-(typeattributeset proc_stat_26_0 (proc_stat))
-(typeattributeset procstats_service_26_0 (procstats_service))
-(typeattributeset proc_sysrq_26_0 (proc_sysrq))
-(typeattributeset proc_timer_26_0 (proc_timer))
-(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
-(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
-(typeattributeset profman_26_0 (profman))
-(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
-(typeattributeset profman_exec_26_0 (profman_exec))
-(typeattributeset properties_device_26_0 (properties_device))
-(typeattributeset properties_serial_26_0 (properties_serial))
-(typeattributeset property_contexts_file_26_0 (property_contexts_file))
-(typeattributeset property_data_file_26_0 (property_data_file))
-(typeattributeset property_socket_26_0 (property_socket))
-(typeattributeset pstorefs_26_0 (pstorefs))
-(typeattributeset ptmx_device_26_0 (ptmx_device))
-(typeattributeset qtaguid_device_26_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_26_0
- ( qtaguid_proc
- proc_qtaguid_ctrl))
-(typeattributeset racoon_26_0 (racoon))
-(typeattributeset racoon_exec_26_0 (racoon_exec))
-(typeattributeset racoon_socket_26_0 (racoon_socket))
-(typeattributeset radio_26_0 (radio))
-(typeattributeset radio_data_file_26_0 (radio_data_file))
-(typeattributeset radio_device_26_0 (radio_device))
-(typeattributeset radio_prop_26_0 (radio_prop))
-(typeattributeset radio_service_26_0 (radio_service))
-(typeattributeset ram_device_26_0 (ram_device))
-(typeattributeset random_device_26_0 (random_device))
-(typeattributeset reboot_data_file_26_0 (reboot_data_file))
-(typeattributeset recovery_26_0 (recovery))
-(typeattributeset recovery_block_device_26_0 (recovery_block_device))
-(typeattributeset recovery_data_file_26_0 (recovery_data_file))
-(typeattributeset recovery_persist_26_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_26_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_26_0 (recovery_service))
-(typeattributeset registry_service_26_0 (registry_service))
-(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_26_0 (restorecon_prop))
-(typeattributeset restrictions_service_26_0 (restrictions_service))
-(typeattributeset rild_26_0 (rild))
-(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
-(typeattributeset rild_socket_26_0 (rild_socket))
-(typeattributeset ringtone_file_26_0 (ringtone_file))
-(typeattributeset root_block_device_26_0 (root_block_device))
-(typeattributeset rootfs_26_0 (rootfs))
-(typeattributeset rpmsg_device_26_0 (rpmsg_device))
-(typeattributeset rtc_device_26_0 (rtc_device))
-(typeattributeset rttmanager_service_26_0 (rttmanager_service))
-(typeattributeset runas_26_0 (runas))
-(typeattributeset runas_exec_26_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
-(typeattributeset sdcardd_26_0 (sdcardd))
-(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
-(typeattributeset sdcardfs_26_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
-(typeattributeset search_service_26_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_26_0 (selinuxfs))
-(typeattributeset sensors_device_26_0 (sensors_device))
-(typeattributeset sensorservice_service_26_0 (sensorservice_service))
-(typeattributeset sepolicy_file_26_0 (sepolicy_file))
-(typeattributeset serial_device_26_0 (serial_device))
-(typeattributeset serialno_prop_26_0 (serialno_prop))
-(typeattributeset serial_service_26_0 (serial_service))
-(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
-(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
-(typeattributeset servicemanager_26_0 (servicemanager))
-(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
-(typeattributeset settings_service_26_0 (settings_service))
-(typeattributeset sgdisk_26_0 (sgdisk))
-(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
-(typeattributeset shared_relro_26_0 (shared_relro))
-(typeattributeset shared_relro_file_26_0 (shared_relro_file))
-(typeattributeset shell_26_0 (shell))
-(typeattributeset shell_data_file_26_0 (shell_data_file))
-(typeattributeset shell_exec_26_0 (shell_exec))
-(typeattributeset shell_prop_26_0 (shell_prop))
-(typeattributeset shm_26_0 (shm))
-(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_26_0 (shortcut_service))
-(typeattributeset slideshow_26_0 (slideshow))
-(typeattributeset socket_device_26_0 (socket_device))
-(typeattributeset sockfs_26_0 (sockfs))
-(typeattributeset statusbar_service_26_0 (statusbar_service))
-(typeattributeset storaged_service_26_0 (storaged_service))
-(typeattributeset storage_file_26_0 (storage_file))
-(typeattributeset storagestats_service_26_0 (storagestats_service))
-(typeattributeset storage_stub_file_26_0 (storage_stub_file))
-(typeattributeset su_26_0 (su))
-(typeattributeset su_exec_26_0 (su_exec))
-(typeattributeset surfaceflinger_26_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_26_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_26_0 (sysfs_uio))
-(typeattributeset sysfs_usb_26_0 (sysfs_usb))
-(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_26_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
-(typeattributeset system_app_26_0 (system_app))
-(typeattributeset system_app_data_file_26_0 (system_app_data_file))
-(typeattributeset system_app_service_26_0 (system_app_service))
-(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_26_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
-(typeattributeset system_prop_26_0 (system_prop))
-(typeattributeset system_radio_prop_26_0 (system_radio_prop))
-(typeattributeset system_server_26_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
-(typeattributeset task_service_26_0 (task_service))
-(typeattributeset tee_26_0 (tee))
-(typeattributeset tee_data_file_26_0 (tee_data_file))
-(typeattributeset tee_device_26_0 (tee_device))
-(typeattributeset telecom_service_26_0 (telecom_service))
-(typeattributeset textclassification_service_26_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
-(typeattributeset textservices_service_26_0 (textservices_service))
-(typeattributeset tmpfs_26_0 (tmpfs))
-(typeattributeset tombstoned_26_0 (tombstoned))
-(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
-(typeattributeset toolbox_26_0 (toolbox))
-(typeattributeset toolbox_exec_26_0 (toolbox_exec))
-(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
-(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
-(typeattributeset trust_service_26_0 (trust_service))
-(typeattributeset tty_device_26_0 (tty_device))
-(typeattributeset tun_device_26_0 (tun_device))
-(typeattributeset tv_input_service_26_0 (tv_input_service))
-(typeattributeset tzdatacheck_26_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
-(typeattributeset ueventd_26_0 (ueventd))
-(typeattributeset uhid_device_26_0 (uhid_device))
-(typeattributeset uimode_service_26_0 (uimode_service))
-(typeattributeset uio_device_26_0 (uio_device))
-(typeattributeset uncrypt_26_0 (uncrypt))
-(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
-(typeattributeset unlabeled_26_0 (unlabeled))
-(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
-(typeattributeset update_engine_26_0 (update_engine))
-(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_26_0 (update_engine_exec))
-(typeattributeset update_engine_service_26_0 (update_engine_service))
-(typeattributeset updatelock_service_26_0 (updatelock_service))
-(typeattributeset update_verifier_26_0 (update_verifier))
-(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
-(typeattributeset usagestats_service_26_0 (usagestats_service))
-(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
-(typeattributeset usb_device_26_0 (usb_device))
-(typeattributeset usbfs_26_0 (usbfs))
-(typeattributeset usb_service_26_0 (usb_service))
-(typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
-(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
-(typeattributeset user_service_26_0 (user_service))
-(typeattributeset vcs_device_26_0 (vcs_device))
-(typeattributeset vdc_26_0 (vdc))
-(typeattributeset vdc_exec_26_0 (vdc_exec))
-(typeattributeset vendor_app_file_26_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
-(typeattributeset vendor_file_26_0 (vendor_file))
-(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
-(typeattributeset vfat_26_0 (vfat))
-(typeattributeset vibrator_service_26_0 (vibrator_service))
-(typeattributeset video_device_26_0 (video_device))
-(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_26_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_26_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
-(typeattributeset vold_26_0 (vold))
-(typeattributeset vold_data_file_26_0 (vold_data_file))
-(typeattributeset vold_device_26_0 (vold_device))
-(typeattributeset vold_exec_26_0 (vold_exec))
-(typeattributeset vold_prop_26_0 (vold_prop))
-(typeattributeset vold_socket_26_0 (vold_socket))
-(typeattributeset vpn_data_file_26_0 (vpn_data_file))
-(typeattributeset vr_hwc_26_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_26_0 (vr_manager_service))
-(typeattributeset wallpaper_file_26_0 (wallpaper_file))
-(typeattributeset wallpaper_service_26_0 (wallpaper_service))
-(typeattributeset watchdogd_26_0 (watchdogd))
-(typeattributeset watchdog_device_26_0 (watchdog_device))
-(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
-(typeattributeset webview_zygote_26_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_26_0 (wifiaware_service))
-(typeattributeset wificond_26_0 (wificond))
-(typeattributeset wificond_exec_26_0 (wificond_exec))
-(typeattributeset wificond_service_26_0 (wificond_service))
-(typeattributeset wifi_data_file_26_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_26_0 (wifip2p_service))
-(typeattributeset wifi_prop_26_0 (wifi_prop))
-(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
-(typeattributeset wifi_service_26_0 (wifi_service))
-(typeattributeset window_service_26_0 (window_service))
-(typeattributeset wpa_socket_26_0 (wpa_socket))
-(typeattributeset zero_device_26_0 (zero_device))
-(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
-(typeattributeset zygote_26_0 (zygote))
-(typeattributeset zygote_exec_26_0 (zygote_exec))
-(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/32.0/private/compat/26.0/26.0.compat.cil b/prebuilts/api/32.0/private/compat/26.0/26.0.compat.cil
deleted file mode 100644
index 2e85b23..0000000
--- a/prebuilts/api/32.0/private/compat/26.0/26.0.compat.cil
+++ /dev/null
@@ -1,11 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
-(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/32.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/32.0/private/compat/26.0/26.0.ignore.cil
deleted file mode 100644
index 98d5840..0000000
--- a/prebuilts/api/32.0/private/compat/26.0/26.0.ignore.cil
+++ /dev/null
@@ -1,238 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- activity_task_service
- adb_service
- adbd_exec
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- audio_config_prop
- atrace
- binder_calls_stats_service
- biometric_service
- boot_status_prop
- bootloader_boot_reason_prop
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- broadcastradio_service
- cgroup_bpf
- charger_exec
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_apexd_prop
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- dalvik_config_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- e2fs
- e2fs_exec
- exfat
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_radio_prop
- exported3_system_prop
- fastbootd
- fingerprint_vendor_data_file
- flags_health_check
- flags_health_check_exec
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_broadcastradio_hwservice
- hal_cas_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_lowpan_hwservice
- hal_neuralnetworks_hwservice
- hal_secure_element_hwservice
- hal_tetheroffload_hwservice
- hal_wifi_hostapd_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_offload_hwservice
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- kmsg_debug_device
- last_boot_reason_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- lmkd_config_prop
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- mediaextractor_update_service
- mediaprovider_tmpfs
- metadata_bootstat_file
- metadata_file
- mnt_product_file
- mnt_vendor_file
- netd_stable_secret_prop
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- overlayfs_file
- package_native_service
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- property_info
- recovery_socket
- role_service
- runas_app
- art_apex_dir
- runtime_service
- secure_element
- secure_element_device
- secure_element_tmpfs
- secure_element_service
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- socket_hook_prop
- staging_data_file
- stats
- stats_data_file
- stats_exec
- stats_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- statscompanion_service
- storaged_data_file
- super_block_device
- surfaceflinger_color_prop
- surfaceflinger_prop
- sysfs_fs_ext4_features
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_net_netd_hwservice
- system_update_service
- systemsound_config_prop
- test_boot_reason_prop
- thermal_service
- thermalcallback_hwservice
- thermalserviced
- thermalserviced_exec
- thermalserviced_tmpfs
- time_prop
- timedetector_service
- timezone_service
- tombstoned_java_trace_socket
- tombstone_wifi_data_file
- trace_data_file
- traceur_app
- traceur_app_tmpfs
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- vendor_default_prop
- vendor_security_patch_level_prop
- uri_grants_service
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_apex_file
- vendor_init
- vendor_shell
- vendor_socket_hook_prop
- vndk_prop
- vold_config_prop
- vold_metadata_file
- vold_post_fs_data_prop
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vold_status_prop
- vrflinger_vsync_service
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs
- wm_trace_data_file))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- adbd_tmpfs
- untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/32.0/private/compat/27.0/27.0.cil b/prebuilts/api/32.0/private/compat/27.0/27.0.cil
deleted file mode 100644
index 0d883c0..0000000
--- a/prebuilts/api/32.0/private/compat/27.0/27.0.cil
+++ /dev/null
@@ -1,1507 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_server)
-
-;; types removed from current policy
-(type commontime_management_service)
-(type hal_wifi_offload_hwservice)
-(type mediacodec)
-(type mediacodec_exec)
-(type netd_socket)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type rild)
-(type untrusted_v2_app)
-(type webview_zygote_socket)
-(type vold_socket)
-
-(expandtypeattribute (accessibility_service_27_0) true)
-(expandtypeattribute (account_service_27_0) true)
-(expandtypeattribute (activity_service_27_0) true)
-(expandtypeattribute (adbd_27_0) true)
-(expandtypeattribute (adb_data_file_27_0) true)
-(expandtypeattribute (adbd_exec_27_0) true)
-(expandtypeattribute (adbd_socket_27_0) true)
-(expandtypeattribute (adb_keys_file_27_0) true)
-(expandtypeattribute (alarm_device_27_0) true)
-(expandtypeattribute (alarm_service_27_0) true)
-(expandtypeattribute (anr_data_file_27_0) true)
-(expandtypeattribute (apk_data_file_27_0) true)
-(expandtypeattribute (apk_private_data_file_27_0) true)
-(expandtypeattribute (apk_private_tmp_file_27_0) true)
-(expandtypeattribute (apk_tmp_file_27_0) true)
-(expandtypeattribute (app_data_file_27_0) true)
-(expandtypeattribute (app_fuse_file_27_0) true)
-(expandtypeattribute (app_fusefs_27_0) true)
-(expandtypeattribute (appops_service_27_0) true)
-(expandtypeattribute (appwidget_service_27_0) true)
-(expandtypeattribute (asec_apk_file_27_0) true)
-(expandtypeattribute (asec_image_file_27_0) true)
-(expandtypeattribute (asec_public_file_27_0) true)
-(expandtypeattribute (ashmem_device_27_0) true)
-(expandtypeattribute (assetatlas_service_27_0) true)
-(expandtypeattribute (audio_data_file_27_0) true)
-(expandtypeattribute (audio_device_27_0) true)
-(expandtypeattribute (audiohal_data_file_27_0) true)
-(expandtypeattribute (audio_prop_27_0) true)
-(expandtypeattribute (audio_seq_device_27_0) true)
-(expandtypeattribute (audioserver_27_0) true)
-(expandtypeattribute (audioserver_data_file_27_0) true)
-(expandtypeattribute (audioserver_service_27_0) true)
-(expandtypeattribute (audio_service_27_0) true)
-(expandtypeattribute (audio_timer_device_27_0) true)
-(expandtypeattribute (autofill_service_27_0) true)
-(expandtypeattribute (backup_data_file_27_0) true)
-(expandtypeattribute (backup_service_27_0) true)
-(expandtypeattribute (batteryproperties_service_27_0) true)
-(expandtypeattribute (battery_service_27_0) true)
-(expandtypeattribute (batterystats_service_27_0) true)
-(expandtypeattribute (binder_device_27_0) true)
-(expandtypeattribute (binfmt_miscfs_27_0) true)
-(expandtypeattribute (blkid_27_0) true)
-(expandtypeattribute (blkid_untrusted_27_0) true)
-(expandtypeattribute (block_device_27_0) true)
-(expandtypeattribute (bluetooth_27_0) true)
-(expandtypeattribute (bluetooth_data_file_27_0) true)
-(expandtypeattribute (bluetooth_efs_file_27_0) true)
-(expandtypeattribute (bluetooth_logs_data_file_27_0) true)
-(expandtypeattribute (bluetooth_manager_service_27_0) true)
-(expandtypeattribute (bluetooth_prop_27_0) true)
-(expandtypeattribute (bluetooth_service_27_0) true)
-(expandtypeattribute (bluetooth_socket_27_0) true)
-(expandtypeattribute (bootanim_27_0) true)
-(expandtypeattribute (bootanim_exec_27_0) true)
-(expandtypeattribute (boot_block_device_27_0) true)
-(expandtypeattribute (bootchart_data_file_27_0) true)
-(expandtypeattribute (bootstat_27_0) true)
-(expandtypeattribute (bootstat_data_file_27_0) true)
-(expandtypeattribute (bootstat_exec_27_0) true)
-(expandtypeattribute (boottime_prop_27_0) true)
-(expandtypeattribute (boottrace_data_file_27_0) true)
-(expandtypeattribute (broadcastradio_service_27_0) true)
-(expandtypeattribute (bufferhubd_27_0) true)
-(expandtypeattribute (bufferhubd_exec_27_0) true)
-(expandtypeattribute (cache_backup_file_27_0) true)
-(expandtypeattribute (cache_block_device_27_0) true)
-(expandtypeattribute (cache_file_27_0) true)
-(expandtypeattribute (cache_private_backup_file_27_0) true)
-(expandtypeattribute (cache_recovery_file_27_0) true)
-(expandtypeattribute (camera_data_file_27_0) true)
-(expandtypeattribute (camera_device_27_0) true)
-(expandtypeattribute (cameraproxy_service_27_0) true)
-(expandtypeattribute (cameraserver_27_0) true)
-(expandtypeattribute (cameraserver_exec_27_0) true)
-(expandtypeattribute (cameraserver_service_27_0) true)
-(expandtypeattribute (cgroup_27_0) true)
-(expandtypeattribute (charger_27_0) true)
-(expandtypeattribute (clatd_27_0) true)
-(expandtypeattribute (clatd_exec_27_0) true)
-(expandtypeattribute (clipboard_service_27_0) true)
-(expandtypeattribute (commontime_management_service_27_0) true)
-(expandtypeattribute (companion_device_service_27_0) true)
-(expandtypeattribute (configfs_27_0) true)
-(expandtypeattribute (config_prop_27_0) true)
-(expandtypeattribute (connectivity_service_27_0) true)
-(expandtypeattribute (connmetrics_service_27_0) true)
-(expandtypeattribute (console_device_27_0) true)
-(expandtypeattribute (consumer_ir_service_27_0) true)
-(expandtypeattribute (content_service_27_0) true)
-(expandtypeattribute (contexthub_service_27_0) true)
-(expandtypeattribute (coredump_file_27_0) true)
-(expandtypeattribute (country_detector_service_27_0) true)
-(expandtypeattribute (coverage_service_27_0) true)
-(expandtypeattribute (cppreopt_prop_27_0) true)
-(expandtypeattribute (cppreopts_27_0) true)
-(expandtypeattribute (cppreopts_exec_27_0) true)
-(expandtypeattribute (cpuctl_device_27_0) true)
-(expandtypeattribute (cpuinfo_service_27_0) true)
-(expandtypeattribute (crash_dump_27_0) true)
-(expandtypeattribute (crash_dump_exec_27_0) true)
-(expandtypeattribute (ctl_bootanim_prop_27_0) true)
-(expandtypeattribute (ctl_bugreport_prop_27_0) true)
-(expandtypeattribute (ctl_console_prop_27_0) true)
-(expandtypeattribute (ctl_default_prop_27_0) true)
-(expandtypeattribute (ctl_dumpstate_prop_27_0) true)
-(expandtypeattribute (ctl_fuse_prop_27_0) true)
-(expandtypeattribute (ctl_mdnsd_prop_27_0) true)
-(expandtypeattribute (ctl_rildaemon_prop_27_0) true)
-(expandtypeattribute (dalvikcache_data_file_27_0) true)
-(expandtypeattribute (dalvik_prop_27_0) true)
-(expandtypeattribute (dbinfo_service_27_0) true)
-(expandtypeattribute (debugfs_27_0) true)
-(expandtypeattribute (debugfs_mmc_27_0) true)
-(expandtypeattribute (debugfs_trace_marker_27_0) true)
-(expandtypeattribute (debugfs_tracing_27_0) true)
-(expandtypeattribute (debugfs_tracing_debug_27_0) true)
-(expandtypeattribute (debugfs_tracing_instances_27_0) true)
-(expandtypeattribute (debugfs_wifi_tracing_27_0) true)
-(expandtypeattribute (debuggerd_prop_27_0) true)
-(expandtypeattribute (debug_prop_27_0) true)
-(expandtypeattribute (default_android_hwservice_27_0) true)
-(expandtypeattribute (default_android_service_27_0) true)
-(expandtypeattribute (default_android_vndservice_27_0) true)
-(expandtypeattribute (default_prop_27_0) true)
-(expandtypeattribute (device_27_0) true)
-(expandtypeattribute (device_identifiers_service_27_0) true)
-(expandtypeattribute (deviceidle_service_27_0) true)
-(expandtypeattribute (device_logging_prop_27_0) true)
-(expandtypeattribute (device_policy_service_27_0) true)
-(expandtypeattribute (devicestoragemonitor_service_27_0) true)
-(expandtypeattribute (devpts_27_0) true)
-(expandtypeattribute (dex2oat_27_0) true)
-(expandtypeattribute (dex2oat_exec_27_0) true)
-(expandtypeattribute (dhcp_27_0) true)
-(expandtypeattribute (dhcp_data_file_27_0) true)
-(expandtypeattribute (dhcp_exec_27_0) true)
-(expandtypeattribute (dhcp_prop_27_0) true)
-(expandtypeattribute (diskstats_service_27_0) true)
-(expandtypeattribute (display_service_27_0) true)
-(expandtypeattribute (dm_device_27_0) true)
-(expandtypeattribute (dnsmasq_27_0) true)
-(expandtypeattribute (dnsmasq_exec_27_0) true)
-(expandtypeattribute (dnsproxyd_socket_27_0) true)
-(expandtypeattribute (DockObserver_service_27_0) true)
-(expandtypeattribute (dreams_service_27_0) true)
-(expandtypeattribute (drm_data_file_27_0) true)
-(expandtypeattribute (drmserver_27_0) true)
-(expandtypeattribute (drmserver_exec_27_0) true)
-(expandtypeattribute (drmserver_service_27_0) true)
-(expandtypeattribute (drmserver_socket_27_0) true)
-(expandtypeattribute (dropbox_service_27_0) true)
-(expandtypeattribute (dumpstate_27_0) true)
-(expandtypeattribute (dumpstate_exec_27_0) true)
-(expandtypeattribute (dumpstate_options_prop_27_0) true)
-(expandtypeattribute (dumpstate_prop_27_0) true)
-(expandtypeattribute (dumpstate_service_27_0) true)
-(expandtypeattribute (dumpstate_socket_27_0) true)
-(expandtypeattribute (e2fs_27_0) true)
-(expandtypeattribute (e2fs_exec_27_0) true)
-(expandtypeattribute (efs_file_27_0) true)
-(expandtypeattribute (ephemeral_app_27_0) true)
-(expandtypeattribute (ethernet_service_27_0) true)
-(expandtypeattribute (ffs_prop_27_0) true)
-(expandtypeattribute (file_contexts_file_27_0) true)
-(expandtypeattribute (fingerprintd_27_0) true)
-(expandtypeattribute (fingerprintd_data_file_27_0) true)
-(expandtypeattribute (fingerprintd_exec_27_0) true)
-(expandtypeattribute (fingerprintd_service_27_0) true)
-(expandtypeattribute (fingerprint_prop_27_0) true)
-(expandtypeattribute (fingerprint_service_27_0) true)
-(expandtypeattribute (firstboot_prop_27_0) true)
-(expandtypeattribute (font_service_27_0) true)
-(expandtypeattribute (frp_block_device_27_0) true)
-(expandtypeattribute (fsck_27_0) true)
-(expandtypeattribute (fsck_exec_27_0) true)
-(expandtypeattribute (fscklogs_27_0) true)
-(expandtypeattribute (fsck_untrusted_27_0) true)
-(expandtypeattribute (full_device_27_0) true)
-(expandtypeattribute (functionfs_27_0) true)
-(expandtypeattribute (fuse_27_0) true)
-(expandtypeattribute (fuse_device_27_0) true)
-(expandtypeattribute (fwk_display_hwservice_27_0) true)
-(expandtypeattribute (fwk_scheduler_hwservice_27_0) true)
-(expandtypeattribute (fwk_sensor_hwservice_27_0) true)
-(expandtypeattribute (fwmarkd_socket_27_0) true)
-(expandtypeattribute (gatekeeperd_27_0) true)
-(expandtypeattribute (gatekeeper_data_file_27_0) true)
-(expandtypeattribute (gatekeeperd_exec_27_0) true)
-(expandtypeattribute (gatekeeper_service_27_0) true)
-(expandtypeattribute (gfxinfo_service_27_0) true)
-(expandtypeattribute (gps_control_27_0) true)
-(expandtypeattribute (gpu_device_27_0) true)
-(expandtypeattribute (gpu_service_27_0) true)
-(expandtypeattribute (graphics_device_27_0) true)
-(expandtypeattribute (graphicsstats_service_27_0) true)
-(expandtypeattribute (hal_audio_hwservice_27_0) true)
-(expandtypeattribute (hal_bluetooth_hwservice_27_0) true)
-(expandtypeattribute (hal_bootctl_hwservice_27_0) true)
-(expandtypeattribute (hal_broadcastradio_hwservice_27_0) true)
-(expandtypeattribute (hal_camera_hwservice_27_0) true)
-(expandtypeattribute (hal_cas_hwservice_27_0) true)
-(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_27_0) true)
-(expandtypeattribute (hal_contexthub_hwservice_27_0) true)
-(expandtypeattribute (hal_drm_hwservice_27_0) true)
-(expandtypeattribute (hal_dumpstate_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_service_27_0) true)
-(expandtypeattribute (hal_gatekeeper_hwservice_27_0) true)
-(expandtypeattribute (hal_gnss_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_allocator_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_composer_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_mapper_hwservice_27_0) true)
-(expandtypeattribute (hal_health_hwservice_27_0) true)
-(expandtypeattribute (hal_ir_hwservice_27_0) true)
-(expandtypeattribute (hal_keymaster_hwservice_27_0) true)
-(expandtypeattribute (hal_light_hwservice_27_0) true)
-(expandtypeattribute (hal_memtrack_hwservice_27_0) true)
-(expandtypeattribute (hal_neuralnetworks_hwservice_27_0) true)
-(expandtypeattribute (hal_nfc_hwservice_27_0) true)
-(expandtypeattribute (hal_oemlock_hwservice_27_0) true)
-(expandtypeattribute (hal_omx_hwservice_27_0) true)
-(expandtypeattribute (hal_power_hwservice_27_0) true)
-(expandtypeattribute (hal_renderscript_hwservice_27_0) true)
-(expandtypeattribute (hal_sensors_hwservice_27_0) true)
-(expandtypeattribute (hal_telephony_hwservice_27_0) true)
-(expandtypeattribute (hal_tetheroffload_hwservice_27_0) true)
-(expandtypeattribute (hal_thermal_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_cec_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_input_hwservice_27_0) true)
-(expandtypeattribute (hal_usb_hwservice_27_0) true)
-(expandtypeattribute (hal_vibrator_hwservice_27_0) true)
-(expandtypeattribute (hal_vr_hwservice_27_0) true)
-(expandtypeattribute (hal_weaver_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_offload_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_supplicant_hwservice_27_0) true)
-(expandtypeattribute (hardware_properties_service_27_0) true)
-(expandtypeattribute (hardware_service_27_0) true)
-(expandtypeattribute (hci_attach_dev_27_0) true)
-(expandtypeattribute (hdmi_control_service_27_0) true)
-(expandtypeattribute (healthd_27_0) true)
-(expandtypeattribute (healthd_exec_27_0) true)
-(expandtypeattribute (heapdump_data_file_27_0) true)
-(expandtypeattribute (hidl_allocator_hwservice_27_0) true)
-(expandtypeattribute (hidl_base_hwservice_27_0) true)
-(expandtypeattribute (hidl_manager_hwservice_27_0) true)
-(expandtypeattribute (hidl_memory_hwservice_27_0) true)
-(expandtypeattribute (hidl_token_hwservice_27_0) true)
-(expandtypeattribute (hwbinder_device_27_0) true)
-(expandtypeattribute (hw_random_device_27_0) true)
-(expandtypeattribute (hwservice_contexts_file_27_0) true)
-(expandtypeattribute (hwservicemanager_27_0) true)
-(expandtypeattribute (hwservicemanager_exec_27_0) true)
-(expandtypeattribute (hwservicemanager_prop_27_0) true)
-(expandtypeattribute (i2c_device_27_0) true)
-(expandtypeattribute (icon_file_27_0) true)
-(expandtypeattribute (idmap_27_0) true)
-(expandtypeattribute (idmap_exec_27_0) true)
-(expandtypeattribute (iio_device_27_0) true)
-(expandtypeattribute (imms_service_27_0) true)
-(expandtypeattribute (incident_27_0) true)
-(expandtypeattribute (incidentd_27_0) true)
-(expandtypeattribute (incident_data_file_27_0) true)
-(expandtypeattribute (incident_service_27_0) true)
-(expandtypeattribute (init_27_0) true)
-(expandtypeattribute (init_exec_27_0) true)
-(expandtypeattribute (inotify_27_0) true)
-(expandtypeattribute (input_device_27_0) true)
-(expandtypeattribute (inputflinger_27_0) true)
-(expandtypeattribute (inputflinger_exec_27_0) true)
-(expandtypeattribute (inputflinger_service_27_0) true)
-(expandtypeattribute (input_method_service_27_0) true)
-(expandtypeattribute (input_service_27_0) true)
-(expandtypeattribute (installd_27_0) true)
-(expandtypeattribute (install_data_file_27_0) true)
-(expandtypeattribute (installd_exec_27_0) true)
-(expandtypeattribute (installd_service_27_0) true)
-(expandtypeattribute (install_recovery_27_0) true)
-(expandtypeattribute (install_recovery_exec_27_0) true)
-(expandtypeattribute (ion_device_27_0) true)
-(expandtypeattribute (IProxyService_service_27_0) true)
-(expandtypeattribute (ipsec_service_27_0) true)
-(expandtypeattribute (isolated_app_27_0) true)
-(expandtypeattribute (jobscheduler_service_27_0) true)
-(expandtypeattribute (kernel_27_0) true)
-(expandtypeattribute (keychain_data_file_27_0) true)
-(expandtypeattribute (keychord_device_27_0) true)
-(expandtypeattribute (keystore_27_0) true)
-(expandtypeattribute (keystore_data_file_27_0) true)
-(expandtypeattribute (keystore_exec_27_0) true)
-(expandtypeattribute (keystore_service_27_0) true)
-(expandtypeattribute (kmem_device_27_0) true)
-(expandtypeattribute (kmsg_debug_device_27_0) true)
-(expandtypeattribute (kmsg_device_27_0) true)
-(expandtypeattribute (labeledfs_27_0) true)
-(expandtypeattribute (launcherapps_service_27_0) true)
-(expandtypeattribute (lmkd_27_0) true)
-(expandtypeattribute (lmkd_exec_27_0) true)
-(expandtypeattribute (lmkd_socket_27_0) true)
-(expandtypeattribute (location_service_27_0) true)
-(expandtypeattribute (lock_settings_service_27_0) true)
-(expandtypeattribute (logcat_exec_27_0) true)
-(expandtypeattribute (logd_27_0) true)
-(expandtypeattribute (logd_exec_27_0) true)
-(expandtypeattribute (logd_prop_27_0) true)
-(expandtypeattribute (logdr_socket_27_0) true)
-(expandtypeattribute (logd_socket_27_0) true)
-(expandtypeattribute (logdw_socket_27_0) true)
-(expandtypeattribute (logpersist_27_0) true)
-(expandtypeattribute (logpersistd_logging_prop_27_0) true)
-(expandtypeattribute (log_prop_27_0) true)
-(expandtypeattribute (log_tag_prop_27_0) true)
-(expandtypeattribute (loop_control_device_27_0) true)
-(expandtypeattribute (loop_device_27_0) true)
-(expandtypeattribute (mac_perms_file_27_0) true)
-(expandtypeattribute (mdnsd_27_0) true)
-(expandtypeattribute (mdnsd_socket_27_0) true)
-(expandtypeattribute (mdns_socket_27_0) true)
-(expandtypeattribute (mediacodec_27_0) true)
-(expandtypeattribute (mediacodec_exec_27_0) true)
-(expandtypeattribute (mediacodec_service_27_0) true)
-(expandtypeattribute (media_data_file_27_0) true)
-(expandtypeattribute (mediadrmserver_27_0) true)
-(expandtypeattribute (mediadrmserver_exec_27_0) true)
-(expandtypeattribute (mediadrmserver_service_27_0) true)
-(expandtypeattribute (mediaextractor_27_0) true)
-(expandtypeattribute (mediaextractor_exec_27_0) true)
-(expandtypeattribute (mediaextractor_service_27_0) true)
-(expandtypeattribute (mediametrics_27_0) true)
-(expandtypeattribute (mediametrics_exec_27_0) true)
-(expandtypeattribute (mediametrics_service_27_0) true)
-(expandtypeattribute (media_projection_service_27_0) true)
-(expandtypeattribute (mediaprovider_27_0) true)
-(expandtypeattribute (media_router_service_27_0) true)
-(expandtypeattribute (media_rw_data_file_27_0) true)
-(expandtypeattribute (mediaserver_27_0) true)
-(expandtypeattribute (mediaserver_exec_27_0) true)
-(expandtypeattribute (mediaserver_service_27_0) true)
-(expandtypeattribute (media_session_service_27_0) true)
-(expandtypeattribute (meminfo_service_27_0) true)
-(expandtypeattribute (metadata_block_device_27_0) true)
-(expandtypeattribute (method_trace_data_file_27_0) true)
-(expandtypeattribute (midi_service_27_0) true)
-(expandtypeattribute (misc_block_device_27_0) true)
-(expandtypeattribute (misc_logd_file_27_0) true)
-(expandtypeattribute (misc_user_data_file_27_0) true)
-(expandtypeattribute (mmc_prop_27_0) true)
-(expandtypeattribute (mnt_expand_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_stub_file_27_0) true)
-(expandtypeattribute (mnt_user_file_27_0) true)
-(expandtypeattribute (modprobe_27_0) true)
-(expandtypeattribute (mount_service_27_0) true)
-(expandtypeattribute (mqueue_27_0) true)
-(expandtypeattribute (mtd_device_27_0) true)
-(expandtypeattribute (mtp_27_0) true)
-(expandtypeattribute (mtp_device_27_0) true)
-(expandtypeattribute (mtpd_socket_27_0) true)
-(expandtypeattribute (mtp_exec_27_0) true)
-(expandtypeattribute (nativetest_data_file_27_0) true)
-(expandtypeattribute (netd_27_0) true)
-(expandtypeattribute (net_data_file_27_0) true)
-(expandtypeattribute (netd_exec_27_0) true)
-(expandtypeattribute (netd_listener_service_27_0) true)
-(expandtypeattribute (net_dns_prop_27_0) true)
-(expandtypeattribute (netd_service_27_0) true)
-(expandtypeattribute (netd_socket_27_0) true)
-(expandtypeattribute (netd_stable_secret_prop_27_0) true)
-(expandtypeattribute (netif_27_0) true)
-(expandtypeattribute (netpolicy_service_27_0) true)
-(expandtypeattribute (net_radio_prop_27_0) true)
-(expandtypeattribute (netstats_service_27_0) true)
-(expandtypeattribute (netutils_wrapper_27_0) true)
-(expandtypeattribute (netutils_wrapper_exec_27_0) true)
-(expandtypeattribute (network_management_service_27_0) true)
-(expandtypeattribute (network_score_service_27_0) true)
-(expandtypeattribute (network_time_update_service_27_0) true)
-(expandtypeattribute (nfc_27_0) true)
-(expandtypeattribute (nfc_data_file_27_0) true)
-(expandtypeattribute (nfc_device_27_0) true)
-(expandtypeattribute (nfc_prop_27_0) true)
-(expandtypeattribute (nfc_service_27_0) true)
-(expandtypeattribute (node_27_0) true)
-(expandtypeattribute (nonplat_service_contexts_file_27_0) true)
-(expandtypeattribute (notification_service_27_0) true)
-(expandtypeattribute (null_device_27_0) true)
-(expandtypeattribute (oemfs_27_0) true)
-(expandtypeattribute (oem_lock_service_27_0) true)
-(expandtypeattribute (ota_data_file_27_0) true)
-(expandtypeattribute (otadexopt_service_27_0) true)
-(expandtypeattribute (ota_package_file_27_0) true)
-(expandtypeattribute (otapreopt_chroot_27_0) true)
-(expandtypeattribute (otapreopt_chroot_exec_27_0) true)
-(expandtypeattribute (otapreopt_slot_27_0) true)
-(expandtypeattribute (otapreopt_slot_exec_27_0) true)
-(expandtypeattribute (overlay_prop_27_0) true)
-(expandtypeattribute (overlay_service_27_0) true)
-(expandtypeattribute (owntty_device_27_0) true)
-(expandtypeattribute (package_native_service_27_0) true)
-(expandtypeattribute (package_service_27_0) true)
-(expandtypeattribute (pan_result_prop_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_dir_27_0) true)
-(expandtypeattribute (pdx_display_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_dir_27_0) true)
-(expandtypeattribute (pdx_display_manager_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_manager_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_dir_27_0) true)
-(expandtypeattribute (performanced_27_0) true)
-(expandtypeattribute (performanced_exec_27_0) true)
-(expandtypeattribute (permission_service_27_0) true)
-(expandtypeattribute (persist_debug_prop_27_0) true)
-(expandtypeattribute (persistent_data_block_service_27_0) true)
-(expandtypeattribute (persistent_properties_ready_prop_27_0) true)
-(expandtypeattribute (pinner_service_27_0) true)
-(expandtypeattribute (pipefs_27_0) true)
-(expandtypeattribute (platform_app_27_0) true)
-(expandtypeattribute (pmsg_device_27_0) true)
-(expandtypeattribute (port_27_0) true)
-(expandtypeattribute (port_device_27_0) true)
-(expandtypeattribute (postinstall_27_0) true)
-(expandtypeattribute (postinstall_dexopt_27_0) true)
-(expandtypeattribute (postinstall_file_27_0) true)
-(expandtypeattribute (postinstall_mnt_dir_27_0) true)
-(expandtypeattribute (powerctl_prop_27_0) true)
-(expandtypeattribute (power_service_27_0) true)
-(expandtypeattribute (ppp_27_0) true)
-(expandtypeattribute (ppp_device_27_0) true)
-(expandtypeattribute (ppp_exec_27_0) true)
-(expandtypeattribute (preloads_data_file_27_0) true)
-(expandtypeattribute (preloads_media_file_27_0) true)
-(expandtypeattribute (preopt2cachename_27_0) true)
-(expandtypeattribute (preopt2cachename_exec_27_0) true)
-(expandtypeattribute (print_service_27_0) true)
-(expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
-(expandtypeattribute (proc_bluetooth_writable_27_0) true)
-(expandtypeattribute (proc_cpuinfo_27_0) true)
-(expandtypeattribute (proc_drop_caches_27_0) true)
-(expandtypeattribute (processinfo_service_27_0) true)
-(expandtypeattribute (proc_interrupts_27_0) true)
-(expandtypeattribute (proc_iomem_27_0) true)
-(expandtypeattribute (proc_meminfo_27_0) true)
-(expandtypeattribute (proc_misc_27_0) true)
-(expandtypeattribute (proc_modules_27_0) true)
-(expandtypeattribute (proc_net_27_0) true)
-(expandtypeattribute (proc_overcommit_memory_27_0) true)
-(expandtypeattribute (proc_perf_27_0) true)
-(expandtypeattribute (proc_security_27_0) true)
-(expandtypeattribute (proc_stat_27_0) true)
-(expandtypeattribute (procstats_service_27_0) true)
-(expandtypeattribute (proc_sysrq_27_0) true)
-(expandtypeattribute (proc_timer_27_0) true)
-(expandtypeattribute (proc_tty_drivers_27_0) true)
-(expandtypeattribute (proc_uid_cputime_removeuid_27_0) true)
-(expandtypeattribute (proc_uid_cputime_showstat_27_0) true)
-(expandtypeattribute (proc_uid_io_stats_27_0) true)
-(expandtypeattribute (proc_uid_procstat_set_27_0) true)
-(expandtypeattribute (proc_uid_time_in_state_27_0) true)
-(expandtypeattribute (proc_zoneinfo_27_0) true)
-(expandtypeattribute (profman_27_0) true)
-(expandtypeattribute (profman_dump_data_file_27_0) true)
-(expandtypeattribute (profman_exec_27_0) true)
-(expandtypeattribute (properties_device_27_0) true)
-(expandtypeattribute (properties_serial_27_0) true)
-(expandtypeattribute (property_contexts_file_27_0) true)
-(expandtypeattribute (property_data_file_27_0) true)
-(expandtypeattribute (property_socket_27_0) true)
-(expandtypeattribute (pstorefs_27_0) true)
-(expandtypeattribute (ptmx_device_27_0) true)
-(expandtypeattribute (qtaguid_device_27_0) true)
-(expandtypeattribute (qtaguid_proc_27_0) true)
-(expandtypeattribute (racoon_27_0) true)
-(expandtypeattribute (racoon_exec_27_0) true)
-(expandtypeattribute (racoon_socket_27_0) true)
-(expandtypeattribute (radio_27_0) true)
-(expandtypeattribute (radio_data_file_27_0) true)
-(expandtypeattribute (radio_device_27_0) true)
-(expandtypeattribute (radio_prop_27_0) true)
-(expandtypeattribute (radio_service_27_0) true)
-(expandtypeattribute (ram_device_27_0) true)
-(expandtypeattribute (random_device_27_0) true)
-(expandtypeattribute (reboot_data_file_27_0) true)
-(expandtypeattribute (recovery_27_0) true)
-(expandtypeattribute (recovery_block_device_27_0) true)
-(expandtypeattribute (recovery_data_file_27_0) true)
-(expandtypeattribute (recovery_persist_27_0) true)
-(expandtypeattribute (recovery_persist_exec_27_0) true)
-(expandtypeattribute (recovery_refresh_27_0) true)
-(expandtypeattribute (recovery_refresh_exec_27_0) true)
-(expandtypeattribute (recovery_service_27_0) true)
-(expandtypeattribute (registry_service_27_0) true)
-(expandtypeattribute (resourcecache_data_file_27_0) true)
-(expandtypeattribute (restorecon_prop_27_0) true)
-(expandtypeattribute (restrictions_service_27_0) true)
-(expandtypeattribute (rild_27_0) true)
-(expandtypeattribute (rild_debug_socket_27_0) true)
-(expandtypeattribute (rild_socket_27_0) true)
-(expandtypeattribute (ringtone_file_27_0) true)
-(expandtypeattribute (root_block_device_27_0) true)
-(expandtypeattribute (rootfs_27_0) true)
-(expandtypeattribute (rpmsg_device_27_0) true)
-(expandtypeattribute (rtc_device_27_0) true)
-(expandtypeattribute (rttmanager_service_27_0) true)
-(expandtypeattribute (runas_27_0) true)
-(expandtypeattribute (runas_exec_27_0) true)
-(expandtypeattribute (runtime_event_log_tags_file_27_0) true)
-(expandtypeattribute (safemode_prop_27_0) true)
-(expandtypeattribute (same_process_hal_file_27_0) true)
-(expandtypeattribute (samplingprofiler_service_27_0) true)
-(expandtypeattribute (scheduling_policy_service_27_0) true)
-(expandtypeattribute (sdcardd_27_0) true)
-(expandtypeattribute (sdcardd_exec_27_0) true)
-(expandtypeattribute (sdcardfs_27_0) true)
-(expandtypeattribute (seapp_contexts_file_27_0) true)
-(expandtypeattribute (search_service_27_0) true)
-(expandtypeattribute (sec_key_att_app_id_provider_service_27_0) true)
-(expandtypeattribute (selinuxfs_27_0) true)
-(expandtypeattribute (sensors_device_27_0) true)
-(expandtypeattribute (sensorservice_service_27_0) true)
-(expandtypeattribute (sepolicy_file_27_0) true)
-(expandtypeattribute (serial_device_27_0) true)
-(expandtypeattribute (serialno_prop_27_0) true)
-(expandtypeattribute (serial_service_27_0) true)
-(expandtypeattribute (service_contexts_file_27_0) true)
-(expandtypeattribute (servicediscovery_service_27_0) true)
-(expandtypeattribute (servicemanager_27_0) true)
-(expandtypeattribute (servicemanager_exec_27_0) true)
-(expandtypeattribute (settings_service_27_0) true)
-(expandtypeattribute (sgdisk_27_0) true)
-(expandtypeattribute (sgdisk_exec_27_0) true)
-(expandtypeattribute (shared_relro_27_0) true)
-(expandtypeattribute (shared_relro_file_27_0) true)
-(expandtypeattribute (shell_27_0) true)
-(expandtypeattribute (shell_data_file_27_0) true)
-(expandtypeattribute (shell_exec_27_0) true)
-(expandtypeattribute (shell_prop_27_0) true)
-(expandtypeattribute (shm_27_0) true)
-(expandtypeattribute (shortcut_manager_icons_27_0) true)
-(expandtypeattribute (shortcut_service_27_0) true)
-(expandtypeattribute (slideshow_27_0) true)
-(expandtypeattribute (socket_device_27_0) true)
-(expandtypeattribute (sockfs_27_0) true)
-(expandtypeattribute (statusbar_service_27_0) true)
-(expandtypeattribute (storaged_service_27_0) true)
-(expandtypeattribute (storage_file_27_0) true)
-(expandtypeattribute (storagestats_service_27_0) true)
-(expandtypeattribute (storage_stub_file_27_0) true)
-(expandtypeattribute (su_27_0) true)
-(expandtypeattribute (su_exec_27_0) true)
-(expandtypeattribute (surfaceflinger_27_0) true)
-(expandtypeattribute (surfaceflinger_service_27_0) true)
-(expandtypeattribute (swap_block_device_27_0) true)
-(expandtypeattribute (sysfs_27_0) true)
-(expandtypeattribute (sysfs_batteryinfo_27_0) true)
-(expandtypeattribute (sysfs_bluetooth_writable_27_0) true)
-(expandtypeattribute (sysfs_devices_system_cpu_27_0) true)
-(expandtypeattribute (sysfs_fs_ext4_features_27_0) true)
-(expandtypeattribute (sysfs_hwrandom_27_0) true)
-(expandtypeattribute (sysfs_leds_27_0) true)
-(expandtypeattribute (sysfs_lowmemorykiller_27_0) true)
-(expandtypeattribute (sysfs_mac_address_27_0) true)
-(expandtypeattribute (sysfs_nfc_power_writable_27_0) true)
-(expandtypeattribute (sysfs_thermal_27_0) true)
-(expandtypeattribute (sysfs_uio_27_0) true)
-(expandtypeattribute (sysfs_usb_27_0) true)
-(expandtypeattribute (sysfs_usermodehelper_27_0) true)
-(expandtypeattribute (sysfs_vibrator_27_0) true)
-(expandtypeattribute (sysfs_wake_lock_27_0) true)
-(expandtypeattribute (sysfs_wlan_fwpath_27_0) true)
-(expandtypeattribute (sysfs_zram_27_0) true)
-(expandtypeattribute (sysfs_zram_uevent_27_0) true)
-(expandtypeattribute (system_app_27_0) true)
-(expandtypeattribute (system_app_data_file_27_0) true)
-(expandtypeattribute (system_app_service_27_0) true)
-(expandtypeattribute (system_block_device_27_0) true)
-(expandtypeattribute (system_data_file_27_0) true)
-(expandtypeattribute (system_file_27_0) true)
-(expandtypeattribute (systemkeys_data_file_27_0) true)
-(expandtypeattribute (system_ndebug_socket_27_0) true)
-(expandtypeattribute (system_net_netd_hwservice_27_0) true)
-(expandtypeattribute (system_prop_27_0) true)
-(expandtypeattribute (system_radio_prop_27_0) true)
-(expandtypeattribute (system_server_27_0) true)
-(expandtypeattribute (system_wifi_keystore_hwservice_27_0) true)
-(expandtypeattribute (system_wpa_socket_27_0) true)
-(expandtypeattribute (task_service_27_0) true)
-(expandtypeattribute (tee_27_0) true)
-(expandtypeattribute (tee_data_file_27_0) true)
-(expandtypeattribute (tee_device_27_0) true)
-(expandtypeattribute (telecom_service_27_0) true)
-(expandtypeattribute (textclassification_service_27_0) true)
-(expandtypeattribute (textclassifier_data_file_27_0) true)
-(expandtypeattribute (textservices_service_27_0) true)
-(expandtypeattribute (thermalcallback_hwservice_27_0) true)
-(expandtypeattribute (thermal_service_27_0) true)
-(expandtypeattribute (thermalserviced_27_0) true)
-(expandtypeattribute (thermalserviced_exec_27_0) true)
-(expandtypeattribute (timezone_service_27_0) true)
-(expandtypeattribute (tmpfs_27_0) true)
-(expandtypeattribute (tombstoned_27_0) true)
-(expandtypeattribute (tombstone_data_file_27_0) true)
-(expandtypeattribute (tombstoned_crash_socket_27_0) true)
-(expandtypeattribute (tombstoned_exec_27_0) true)
-(expandtypeattribute (tombstoned_intercept_socket_27_0) true)
-(expandtypeattribute (tombstoned_java_trace_socket_27_0) true)
-(expandtypeattribute (toolbox_27_0) true)
-(expandtypeattribute (toolbox_exec_27_0) true)
-(expandtypeattribute (trust_service_27_0) true)
-(expandtypeattribute (tty_device_27_0) true)
-(expandtypeattribute (tun_device_27_0) true)
-(expandtypeattribute (tv_input_service_27_0) true)
-(expandtypeattribute (tzdatacheck_27_0) true)
-(expandtypeattribute (tzdatacheck_exec_27_0) true)
-(expandtypeattribute (ueventd_27_0) true)
-(expandtypeattribute (uhid_device_27_0) true)
-(expandtypeattribute (uimode_service_27_0) true)
-(expandtypeattribute (uio_device_27_0) true)
-(expandtypeattribute (uncrypt_27_0) true)
-(expandtypeattribute (uncrypt_exec_27_0) true)
-(expandtypeattribute (uncrypt_socket_27_0) true)
-(expandtypeattribute (unencrypted_data_file_27_0) true)
-(expandtypeattribute (unlabeled_27_0) true)
-(expandtypeattribute (untrusted_app_25_27_0) true)
-(expandtypeattribute (untrusted_app_27_0) true)
-(expandtypeattribute (untrusted_v2_app_27_0) true)
-(expandtypeattribute (update_engine_27_0) true)
-(expandtypeattribute (update_engine_data_file_27_0) true)
-(expandtypeattribute (update_engine_exec_27_0) true)
-(expandtypeattribute (update_engine_service_27_0) true)
-(expandtypeattribute (updatelock_service_27_0) true)
-(expandtypeattribute (update_verifier_27_0) true)
-(expandtypeattribute (update_verifier_exec_27_0) true)
-(expandtypeattribute (usagestats_service_27_0) true)
-(expandtypeattribute (usbaccessory_device_27_0) true)
-(expandtypeattribute (usb_device_27_0) true)
-(expandtypeattribute (usbfs_27_0) true)
-(expandtypeattribute (usb_service_27_0) true)
-(expandtypeattribute (userdata_block_device_27_0) true)
-(expandtypeattribute (usermodehelper_27_0) true)
-(expandtypeattribute (user_profile_data_file_27_0) true)
-(expandtypeattribute (user_service_27_0) true)
-(expandtypeattribute (vcs_device_27_0) true)
-(expandtypeattribute (vdc_27_0) true)
-(expandtypeattribute (vdc_exec_27_0) true)
-(expandtypeattribute (vendor_app_file_27_0) true)
-(expandtypeattribute (vendor_configs_file_27_0) true)
-(expandtypeattribute (vendor_file_27_0) true)
-(expandtypeattribute (vendor_framework_file_27_0) true)
-(expandtypeattribute (vendor_hal_file_27_0) true)
-(expandtypeattribute (vendor_overlay_file_27_0) true)
-(expandtypeattribute (vendor_shell_exec_27_0) true)
-(expandtypeattribute (vendor_toolbox_exec_27_0) true)
-(expandtypeattribute (vfat_27_0) true)
-(expandtypeattribute (vibrator_service_27_0) true)
-(expandtypeattribute (video_device_27_0) true)
-(expandtypeattribute (virtual_touchpad_27_0) true)
-(expandtypeattribute (virtual_touchpad_exec_27_0) true)
-(expandtypeattribute (virtual_touchpad_service_27_0) true)
-(expandtypeattribute (vndbinder_device_27_0) true)
-(expandtypeattribute (vndk_sp_file_27_0) true)
-(expandtypeattribute (vndservice_contexts_file_27_0) true)
-(expandtypeattribute (vndservicemanager_27_0) true)
-(expandtypeattribute (voiceinteraction_service_27_0) true)
-(expandtypeattribute (vold_27_0) true)
-(expandtypeattribute (vold_data_file_27_0) true)
-(expandtypeattribute (vold_device_27_0) true)
-(expandtypeattribute (vold_exec_27_0) true)
-(expandtypeattribute (vold_prop_27_0) true)
-(expandtypeattribute (vold_socket_27_0) true)
-(expandtypeattribute (vpn_data_file_27_0) true)
-(expandtypeattribute (vr_hwc_27_0) true)
-(expandtypeattribute (vr_hwc_exec_27_0) true)
-(expandtypeattribute (vr_hwc_service_27_0) true)
-(expandtypeattribute (vr_manager_service_27_0) true)
-(expandtypeattribute (wallpaper_file_27_0) true)
-(expandtypeattribute (wallpaper_service_27_0) true)
-(expandtypeattribute (watchdogd_27_0) true)
-(expandtypeattribute (watchdog_device_27_0) true)
-(expandtypeattribute (webviewupdate_service_27_0) true)
-(expandtypeattribute (webview_zygote_27_0) true)
-(expandtypeattribute (webview_zygote_exec_27_0) true)
-(expandtypeattribute (webview_zygote_socket_27_0) true)
-(expandtypeattribute (wifiaware_service_27_0) true)
-(expandtypeattribute (wificond_27_0) true)
-(expandtypeattribute (wificond_exec_27_0) true)
-(expandtypeattribute (wificond_service_27_0) true)
-(expandtypeattribute (wifi_data_file_27_0) true)
-(expandtypeattribute (wifi_log_prop_27_0) true)
-(expandtypeattribute (wifip2p_service_27_0) true)
-(expandtypeattribute (wifi_prop_27_0) true)
-(expandtypeattribute (wifiscanner_service_27_0) true)
-(expandtypeattribute (wifi_service_27_0) true)
-(expandtypeattribute (window_service_27_0) true)
-(expandtypeattribute (wpa_socket_27_0) true)
-(expandtypeattribute (zero_device_27_0) true)
-(expandtypeattribute (zoneinfo_data_file_27_0) true)
-(expandtypeattribute (zygote_27_0) true)
-(expandtypeattribute (zygote_exec_27_0) true)
-(expandtypeattribute (zygote_socket_27_0) true)
-(typeattributeset accessibility_service_27_0 (accessibility_service))
-(typeattributeset account_service_27_0 (account_service))
-(typeattributeset activity_service_27_0 (activity_service))
-(typeattributeset adbd_27_0 (adbd))
-(typeattributeset adb_data_file_27_0 (adb_data_file))
-(typeattributeset adbd_exec_27_0 (adbd_exec))
-(typeattributeset adbd_socket_27_0 (adbd_socket))
-(typeattributeset adb_keys_file_27_0 (adb_keys_file))
-(typeattributeset alarm_device_27_0 (alarm_device))
-(typeattributeset alarm_service_27_0 (alarm_service))
-(typeattributeset anr_data_file_27_0 (anr_data_file))
-(typeattributeset apk_data_file_27_0 (apk_data_file))
-(typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
-(typeattributeset app_data_file_27_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_27_0 (app_fuse_file))
-(typeattributeset app_fusefs_27_0 (app_fusefs))
-(typeattributeset appops_service_27_0 (appops_service))
-(typeattributeset appwidget_service_27_0 (appwidget_service))
-(typeattributeset asec_apk_file_27_0 (asec_apk_file))
-(typeattributeset asec_image_file_27_0 (asec_image_file))
-(typeattributeset asec_public_file_27_0 (asec_public_file))
-(typeattributeset ashmem_device_27_0 (ashmem_device))
-(typeattributeset assetatlas_service_27_0 (assetatlas_service))
-(typeattributeset audio_data_file_27_0 (audio_data_file))
-(typeattributeset audio_device_27_0 (audio_device))
-(typeattributeset audiohal_data_file_27_0 (audiohal_data_file))
-(typeattributeset audio_prop_27_0 (audio_prop))
-(typeattributeset audio_seq_device_27_0 (audio_seq_device))
-(typeattributeset audioserver_27_0 (audioserver))
-(typeattributeset audioserver_data_file_27_0 (audioserver_data_file))
-(typeattributeset audioserver_service_27_0 (audioserver_service))
-(typeattributeset audio_service_27_0 (audio_service))
-(typeattributeset audio_timer_device_27_0 (audio_timer_device))
-(typeattributeset autofill_service_27_0 (autofill_service))
-(typeattributeset backup_data_file_27_0 (backup_data_file))
-(typeattributeset backup_service_27_0 (backup_service))
-(typeattributeset batteryproperties_service_27_0 (batteryproperties_service))
-(typeattributeset battery_service_27_0 (battery_service))
-(typeattributeset batterystats_service_27_0 (batterystats_service))
-(typeattributeset binder_device_27_0 (binder_device))
-(typeattributeset binfmt_miscfs_27_0 (binfmt_miscfs))
-(typeattributeset blkid_27_0 (blkid))
-(typeattributeset blkid_untrusted_27_0 (blkid_untrusted))
-(typeattributeset block_device_27_0 (block_device))
-(typeattributeset bluetooth_27_0 (bluetooth))
-(typeattributeset bluetooth_data_file_27_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_27_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_27_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_27_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_27_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_27_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_27_0 (bluetooth_socket))
-(typeattributeset bootanim_27_0 (bootanim))
-(typeattributeset bootanim_exec_27_0 (bootanim_exec))
-(typeattributeset boot_block_device_27_0 (boot_block_device))
-(typeattributeset bootchart_data_file_27_0 (bootchart_data_file))
-(typeattributeset bootstat_27_0 (bootstat))
-(typeattributeset bootstat_data_file_27_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_27_0 (bootstat_exec))
-(typeattributeset boottime_prop_27_0 (boottime_prop))
-(typeattributeset boottrace_data_file_27_0 (boottrace_data_file))
-(typeattributeset broadcastradio_service_27_0 (broadcastradio_service))
-(typeattributeset bufferhubd_27_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_27_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_27_0 (cache_backup_file))
-(typeattributeset cache_block_device_27_0 (cache_block_device))
-(typeattributeset cache_file_27_0 (cache_file))
-(typeattributeset cache_private_backup_file_27_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_27_0 (cache_recovery_file))
-(typeattributeset camera_data_file_27_0 (camera_data_file))
-(typeattributeset camera_device_27_0 (camera_device))
-(typeattributeset cameraproxy_service_27_0 (cameraproxy_service))
-(typeattributeset cameraserver_27_0 (cameraserver))
-(typeattributeset cameraserver_exec_27_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_27_0 (cameraserver_service))
-(typeattributeset cgroup_27_0 (cgroup))
-(typeattributeset charger_27_0 (charger))
-(typeattributeset clatd_27_0 (clatd))
-(typeattributeset clatd_exec_27_0 (clatd_exec))
-(typeattributeset clipboard_service_27_0 (clipboard_service))
-(typeattributeset commontime_management_service_27_0 (commontime_management_service))
-(typeattributeset companion_device_service_27_0 (companion_device_service))
-(typeattributeset configfs_27_0 (configfs))
-(typeattributeset config_prop_27_0 (config_prop))
-(typeattributeset connectivity_service_27_0 (connectivity_service))
-(typeattributeset connmetrics_service_27_0 (connmetrics_service))
-(typeattributeset console_device_27_0 (console_device))
-(typeattributeset consumer_ir_service_27_0 (consumer_ir_service))
-(typeattributeset content_service_27_0 (content_service))
-(typeattributeset contexthub_service_27_0 (contexthub_service))
-(typeattributeset coredump_file_27_0 (coredump_file))
-(typeattributeset country_detector_service_27_0 (country_detector_service))
-(typeattributeset coverage_service_27_0 (coverage_service))
-(typeattributeset cppreopt_prop_27_0 (cppreopt_prop))
-(typeattributeset cppreopts_27_0 (cppreopts))
-(typeattributeset cppreopts_exec_27_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_27_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_27_0 (cpuinfo_service))
-(typeattributeset crash_dump_27_0 (crash_dump))
-(typeattributeset crash_dump_exec_27_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_27_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_27_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_27_0 (dalvik_prop))
-(typeattributeset dbinfo_service_27_0 (dbinfo_service))
-(typeattributeset debugfs_27_0
- ( debugfs
- debugfs_wakeup_sources))
-(typeattributeset debugfs_mmc_27_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_27_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_27_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_27_0 (debugfs_tracing_debug))
-(typeattributeset debugfs_tracing_instances_27_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_27_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_27_0 (debuggerd_prop))
-(typeattributeset debug_prop_27_0 (debug_prop))
-(typeattributeset default_android_hwservice_27_0 (default_android_hwservice))
-(typeattributeset default_android_service_27_0 (default_android_service))
-(typeattributeset default_android_vndservice_27_0 (default_android_vndservice))
-(typeattributeset default_prop_27_0
- ( default_prop
- pm_prop))
-(typeattributeset device_27_0 (device))
-(typeattributeset device_identifiers_service_27_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_27_0 (deviceidle_service))
-(typeattributeset device_logging_prop_27_0 (device_logging_prop))
-(typeattributeset device_policy_service_27_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_27_0 (devicestoragemonitor_service))
-(typeattributeset devpts_27_0 (devpts))
-(typeattributeset dex2oat_27_0 (dex2oat))
-(typeattributeset dex2oat_exec_27_0 (dex2oat_exec))
-(typeattributeset dhcp_27_0 (dhcp))
-(typeattributeset dhcp_data_file_27_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_27_0 (dhcp_exec))
-(typeattributeset dhcp_prop_27_0 (dhcp_prop))
-(typeattributeset diskstats_service_27_0 (diskstats_service))
-(typeattributeset display_service_27_0 (display_service))
-(typeattributeset dm_device_27_0 (dm_device))
-(typeattributeset dnsmasq_27_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_27_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_27_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_27_0 (DockObserver_service))
-(typeattributeset dreams_service_27_0 (dreams_service))
-(typeattributeset drm_data_file_27_0 (drm_data_file))
-(typeattributeset drmserver_27_0 (drmserver))
-(typeattributeset drmserver_exec_27_0 (drmserver_exec))
-(typeattributeset drmserver_service_27_0 (drmserver_service))
-(typeattributeset drmserver_socket_27_0 (drmserver_socket))
-(typeattributeset dropbox_service_27_0 (dropbox_service))
-(typeattributeset dumpstate_27_0 (dumpstate))
-(typeattributeset dumpstate_exec_27_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_27_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_27_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_27_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_27_0 (dumpstate_socket))
-(typeattributeset e2fs_27_0 (e2fs))
-(typeattributeset e2fs_exec_27_0 (e2fs_exec))
-(typeattributeset efs_file_27_0 (efs_file))
-(typeattributeset ephemeral_app_27_0 (ephemeral_app))
-(typeattributeset ethernet_service_27_0 (ethernet_service))
-(typeattributeset ffs_prop_27_0 (ffs_prop))
-(typeattributeset file_contexts_file_27_0 (file_contexts_file))
-(typeattributeset fingerprintd_27_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_27_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_27_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_27_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_27_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_27_0 (fingerprint_service))
-(typeattributeset firstboot_prop_27_0 (firstboot_prop))
-(typeattributeset font_service_27_0 (font_service))
-(typeattributeset frp_block_device_27_0 (frp_block_device))
-(typeattributeset fsck_27_0 (fsck))
-(typeattributeset fsck_exec_27_0 (fsck_exec))
-(typeattributeset fscklogs_27_0 (fscklogs))
-(typeattributeset fsck_untrusted_27_0 (fsck_untrusted))
-(typeattributeset full_device_27_0 (full_device))
-(typeattributeset functionfs_27_0 (functionfs))
-(typeattributeset fuse_27_0 (fuse))
-(typeattributeset fuse_device_27_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_27_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_27_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_27_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_27_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_27_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_27_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_27_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_27_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_27_0 (gfxinfo_service))
-(typeattributeset gps_control_27_0 (gps_control))
-(typeattributeset gpu_device_27_0 (gpu_device))
-(typeattributeset gpu_service_27_0 (gpu_service))
-(typeattributeset graphics_device_27_0 (graphics_device))
-(typeattributeset graphicsstats_service_27_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_27_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_27_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_27_0 (hal_bootctl_hwservice))
-(typeattributeset hal_broadcastradio_hwservice_27_0 (hal_broadcastradio_hwservice))
-(typeattributeset hal_camera_hwservice_27_0 (hal_camera_hwservice))
-(typeattributeset hal_cas_hwservice_27_0 (hal_cas_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_27_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_27_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_27_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_27_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_27_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_27_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_27_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_27_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_27_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_27_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_27_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_27_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_27_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_27_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_27_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_27_0 (hal_memtrack_hwservice))
-(typeattributeset hal_neuralnetworks_hwservice_27_0 (hal_neuralnetworks_hwservice))
-(typeattributeset hal_nfc_hwservice_27_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_27_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_27_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_27_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_27_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_27_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_27_0 (hal_telephony_hwservice))
-(typeattributeset hal_tetheroffload_hwservice_27_0 (hal_tetheroffload_hwservice))
-(typeattributeset hal_thermal_hwservice_27_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_27_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_27_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_27_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_27_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_27_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_27_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_27_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_offload_hwservice_27_0 (hal_wifi_offload_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_27_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_27_0 (hardware_properties_service))
-(typeattributeset hardware_service_27_0 (hardware_service))
-(typeattributeset hci_attach_dev_27_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_27_0 (hdmi_control_service))
-(typeattributeset healthd_27_0 (healthd))
-(typeattributeset healthd_exec_27_0 (healthd_exec))
-(typeattributeset heapdump_data_file_27_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_27_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_27_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_27_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_27_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_27_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_27_0 (hwbinder_device))
-(typeattributeset hw_random_device_27_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_27_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_27_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_27_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_27_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_27_0 (i2c_device))
-(typeattributeset icon_file_27_0 (icon_file))
-(typeattributeset idmap_27_0 (idmap))
-(typeattributeset idmap_exec_27_0 (idmap_exec))
-(typeattributeset iio_device_27_0 (iio_device))
-(typeattributeset imms_service_27_0 (imms_service))
-(typeattributeset incident_27_0 (incident))
-(typeattributeset incidentd_27_0 (incidentd))
-(typeattributeset incident_data_file_27_0 (incident_data_file))
-(typeattributeset incident_service_27_0 (incident_service))
-(typeattributeset init_27_0 (init))
-(typeattributeset init_exec_27_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_27_0 (inotify))
-(typeattributeset input_device_27_0 (input_device))
-(typeattributeset inputflinger_27_0 (inputflinger))
-(typeattributeset inputflinger_exec_27_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_27_0 (inputflinger_service))
-(typeattributeset input_method_service_27_0 (input_method_service))
-(typeattributeset input_service_27_0 (input_service))
-(typeattributeset installd_27_0 (installd))
-(typeattributeset install_data_file_27_0 (install_data_file))
-(typeattributeset installd_exec_27_0 (installd_exec))
-(typeattributeset installd_service_27_0 (installd_service))
-(typeattributeset install_recovery_27_0 (install_recovery))
-(typeattributeset install_recovery_exec_27_0 (install_recovery_exec))
-(typeattributeset ion_device_27_0 (ion_device))
-(typeattributeset IProxyService_service_27_0 (IProxyService_service))
-(typeattributeset ipsec_service_27_0 (ipsec_service))
-(typeattributeset isolated_app_27_0 (isolated_app))
-(typeattributeset jobscheduler_service_27_0 (jobscheduler_service))
-(typeattributeset kernel_27_0 (kernel))
-(typeattributeset keychain_data_file_27_0 (keychain_data_file))
-(typeattributeset keychord_device_27_0 (keychord_device))
-(typeattributeset keystore_27_0 (keystore))
-(typeattributeset keystore_data_file_27_0 (keystore_data_file))
-(typeattributeset keystore_exec_27_0 (keystore_exec))
-(typeattributeset keystore_service_27_0 (keystore_service))
-(typeattributeset kmem_device_27_0 (kmem_device))
-(typeattributeset kmsg_debug_device_27_0 (kmsg_debug_device))
-(typeattributeset kmsg_device_27_0 (kmsg_device))
-(typeattributeset labeledfs_27_0 (labeledfs))
-(typeattributeset launcherapps_service_27_0 (launcherapps_service))
-(typeattributeset lmkd_27_0 (lmkd))
-(typeattributeset lmkd_exec_27_0 (lmkd_exec))
-(typeattributeset lmkd_socket_27_0 (lmkd_socket))
-(typeattributeset location_service_27_0 (location_service))
-(typeattributeset lock_settings_service_27_0 (lock_settings_service))
-(typeattributeset logcat_exec_27_0 (logcat_exec))
-(typeattributeset logd_27_0 (logd))
-(typeattributeset logd_exec_27_0 (logd_exec))
-(typeattributeset logd_prop_27_0 (logd_prop))
-(typeattributeset logdr_socket_27_0 (logdr_socket))
-(typeattributeset logd_socket_27_0 (logd_socket))
-(typeattributeset logdw_socket_27_0 (logdw_socket))
-(typeattributeset logpersist_27_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_27_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_27_0 (log_prop))
-(typeattributeset log_tag_prop_27_0 (log_tag_prop))
-(typeattributeset loop_control_device_27_0 (loop_control_device))
-(typeattributeset loop_device_27_0 (loop_device))
-(typeattributeset mac_perms_file_27_0 (mac_perms_file))
-(typeattributeset mdnsd_27_0 (mdnsd))
-(typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
-(typeattributeset mdns_socket_27_0 (mdns_socket))
-(typeattributeset hal_omx_server (mediacodec_27_0))
-(typeattributeset mediacodec_27_0 (mediacodec))
-(typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_27_0 (mediacodec_service))
-(typeattributeset media_data_file_27_0 (media_data_file))
-(typeattributeset mediadrmserver_27_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_27_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_27_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_27_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_27_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_27_0 (mediaextractor_service))
-(typeattributeset mediametrics_27_0 (mediametrics))
-(typeattributeset mediametrics_exec_27_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_27_0 (mediametrics_service))
-(typeattributeset media_projection_service_27_0 (media_projection_service))
-(typeattributeset mediaprovider_27_0 (mediaprovider))
-(typeattributeset media_router_service_27_0 (media_router_service))
-(typeattributeset media_rw_data_file_27_0 (media_rw_data_file))
-(typeattributeset mediaserver_27_0 (mediaserver))
-(typeattributeset mediaserver_exec_27_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_27_0 (mediaserver_service))
-(typeattributeset media_session_service_27_0 (media_session_service))
-(typeattributeset meminfo_service_27_0 (meminfo_service))
-(typeattributeset metadata_block_device_27_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_27_0 (method_trace_data_file))
-(typeattributeset midi_service_27_0 (midi_service))
-(typeattributeset misc_block_device_27_0 (misc_block_device))
-(typeattributeset misc_logd_file_27_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_27_0 (misc_user_data_file))
-(typeattributeset mmc_prop_27_0 (mmc_prop))
-(typeattributeset mnt_expand_file_27_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_27_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_27_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_27_0 (mnt_user_file))
-(typeattributeset modprobe_27_0 (modprobe))
-(typeattributeset mount_service_27_0 (mount_service))
-(typeattributeset mqueue_27_0 (mqueue))
-(typeattributeset mtd_device_27_0 (mtd_device))
-(typeattributeset mtp_27_0 (mtp))
-(typeattributeset mtp_device_27_0 (mtp_device))
-(typeattributeset mtpd_socket_27_0 (mtpd_socket))
-(typeattributeset mtp_exec_27_0 (mtp_exec))
-(typeattributeset nativetest_data_file_27_0 (nativetest_data_file))
-(typeattributeset netd_27_0 (netd))
-(typeattributeset net_data_file_27_0 (net_data_file))
-(typeattributeset netd_exec_27_0 (netd_exec))
-(typeattributeset netd_listener_service_27_0 (netd_listener_service))
-(typeattributeset net_dns_prop_27_0 (net_dns_prop))
-(typeattributeset netd_service_27_0 (netd_service))
-(typeattributeset netd_socket_27_0 (netd_socket))
-(typeattributeset netd_stable_secret_prop_27_0 (netd_stable_secret_prop))
-(typeattributeset netif_27_0 (netif))
-(typeattributeset netpolicy_service_27_0 (netpolicy_service))
-(typeattributeset net_radio_prop_27_0 (net_radio_prop))
-(typeattributeset netstats_service_27_0 (netstats_service))
-(typeattributeset netutils_wrapper_27_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_27_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_27_0 (network_management_service))
-(typeattributeset network_score_service_27_0 (network_score_service))
-(typeattributeset network_time_update_service_27_0 (network_time_update_service))
-(typeattributeset nfc_27_0 (nfc))
-(typeattributeset nfc_data_file_27_0 (nfc_data_file))
-(typeattributeset nfc_device_27_0 (nfc_device))
-(typeattributeset nfc_prop_27_0 (nfc_prop))
-(typeattributeset nfc_service_27_0 (nfc_service))
-(typeattributeset node_27_0 (node))
-(typeattributeset nonplat_service_contexts_file_27_0 (nonplat_service_contexts_file))
-(typeattributeset notification_service_27_0 (notification_service))
-(typeattributeset null_device_27_0 (null_device))
-(typeattributeset oemfs_27_0 (oemfs))
-(typeattributeset oem_lock_service_27_0 (oem_lock_service))
-(typeattributeset ota_data_file_27_0 (ota_data_file))
-(typeattributeset otadexopt_service_27_0 (otadexopt_service))
-(typeattributeset ota_package_file_27_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_27_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_27_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_27_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_27_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_27_0 (overlay_prop))
-(typeattributeset overlay_service_27_0 (overlay_service))
-(typeattributeset owntty_device_27_0 (owntty_device))
-(typeattributeset package_native_service_27_0 (package_native_service))
-(typeattributeset package_service_27_0 (package_service))
-(typeattributeset pan_result_prop_27_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_27_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_27_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_27_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_27_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_27_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_27_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_27_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_27_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_27_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_27_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_27_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_27_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_27_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_27_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir))
-(typeattributeset performanced_27_0 (performanced))
-(typeattributeset performanced_exec_27_0 (performanced_exec))
-(typeattributeset permission_service_27_0 (permission_service))
-(typeattributeset persist_debug_prop_27_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_27_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_27_0 (pinner_service))
-(typeattributeset pipefs_27_0 (pipefs))
-(typeattributeset platform_app_27_0 (platform_app))
-(typeattributeset pmsg_device_27_0 (pmsg_device))
-(typeattributeset port_27_0 (port))
-(typeattributeset port_device_27_0 (port_device))
-(typeattributeset postinstall_27_0 (postinstall))
-(typeattributeset postinstall_dexopt_27_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_27_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_27_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_27_0 (powerctl_prop))
-(typeattributeset power_service_27_0 (power_service))
-(typeattributeset ppp_27_0 (ppp))
-(typeattributeset ppp_device_27_0 (ppp_device))
-(typeattributeset ppp_exec_27_0 (ppp_exec))
-(typeattributeset preloads_data_file_27_0 (preloads_data_file))
-(typeattributeset preloads_media_file_27_0 (preloads_media_file))
-(typeattributeset preopt2cachename_27_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_27_0 (preopt2cachename_exec))
-(typeattributeset print_service_27_0 (print_service))
-(typeattributeset priv_app_27_0 (priv_app))
-(typeattributeset proc_27_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_27_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_27_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_27_0 (proc_drop_caches))
-(typeattributeset processinfo_service_27_0 (processinfo_service))
-(typeattributeset proc_interrupts_27_0 (proc_interrupts))
-(typeattributeset proc_iomem_27_0 (proc_iomem))
-(typeattributeset proc_meminfo_27_0 (proc_meminfo))
-(typeattributeset proc_misc_27_0 (proc_misc))
-(typeattributeset proc_modules_27_0 (proc_modules))
-(typeattributeset proc_net_27_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_27_0 (proc_perf))
-(typeattributeset proc_security_27_0 (proc_security))
-(typeattributeset proc_stat_27_0 (proc_stat))
-(typeattributeset procstats_service_27_0 (procstats_service))
-(typeattributeset proc_sysrq_27_0 (proc_sysrq))
-(typeattributeset proc_timer_27_0 (proc_timer))
-(typeattributeset proc_tty_drivers_27_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_27_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_27_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_27_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_27_0 (proc_uid_procstat_set))
-(typeattributeset proc_uid_time_in_state_27_0 (proc_uid_time_in_state))
-(typeattributeset proc_zoneinfo_27_0 (proc_zoneinfo))
-(typeattributeset profman_27_0 (profman))
-(typeattributeset profman_dump_data_file_27_0 (profman_dump_data_file))
-(typeattributeset profman_exec_27_0 (profman_exec))
-(typeattributeset properties_device_27_0 (properties_device))
-(typeattributeset properties_serial_27_0 (properties_serial))
-(typeattributeset property_contexts_file_27_0 (property_contexts_file))
-(typeattributeset property_data_file_27_0 (property_data_file))
-(typeattributeset property_socket_27_0 (property_socket))
-(typeattributeset pstorefs_27_0 (pstorefs))
-(typeattributeset ptmx_device_27_0 (ptmx_device))
-(typeattributeset qtaguid_device_27_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_27_0
- ( proc_qtaguid_ctrl
- qtaguid_proc))
-(typeattributeset racoon_27_0 (racoon))
-(typeattributeset racoon_exec_27_0 (racoon_exec))
-(typeattributeset racoon_socket_27_0 (racoon_socket))
-(typeattributeset radio_27_0 (radio))
-(typeattributeset radio_data_file_27_0 (radio_data_file))
-(typeattributeset radio_device_27_0 (radio_device))
-(typeattributeset radio_prop_27_0 (radio_prop))
-(typeattributeset radio_service_27_0 (radio_service))
-(typeattributeset ram_device_27_0 (ram_device))
-(typeattributeset random_device_27_0 (random_device))
-(typeattributeset reboot_data_file_27_0 (reboot_data_file))
-(typeattributeset recovery_27_0 (recovery))
-(typeattributeset recovery_block_device_27_0 (recovery_block_device))
-(typeattributeset recovery_data_file_27_0 (recovery_data_file))
-(typeattributeset recovery_persist_27_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_27_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_27_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_27_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_27_0 (recovery_service))
-(typeattributeset registry_service_27_0 (registry_service))
-(typeattributeset resourcecache_data_file_27_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_27_0 (restorecon_prop))
-(typeattributeset restrictions_service_27_0 (restrictions_service))
-(typeattributeset rild_27_0 (rild))
-(typeattributeset rild_debug_socket_27_0 (rild_debug_socket))
-(typeattributeset rild_socket_27_0 (rild_socket))
-(typeattributeset ringtone_file_27_0 (ringtone_file))
-(typeattributeset root_block_device_27_0 (root_block_device))
-(typeattributeset rootfs_27_0 (rootfs))
-(typeattributeset rpmsg_device_27_0 (rpmsg_device))
-(typeattributeset rtc_device_27_0 (rtc_device))
-(typeattributeset rttmanager_service_27_0 (rttmanager_service))
-(typeattributeset runas_27_0 (runas))
-(typeattributeset runas_exec_27_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_27_0 (safemode_prop))
-(typeattributeset same_process_hal_file_27_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
-(typeattributeset sdcardd_27_0 (sdcardd))
-(typeattributeset sdcardd_exec_27_0 (sdcardd_exec))
-(typeattributeset sdcardfs_27_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_27_0 (seapp_contexts_file))
-(typeattributeset search_service_27_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_27_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_27_0 (selinuxfs))
-(typeattributeset sensors_device_27_0 (sensors_device))
-(typeattributeset sensorservice_service_27_0 (sensorservice_service))
-(typeattributeset sepolicy_file_27_0 (sepolicy_file))
-(typeattributeset serial_device_27_0 (serial_device))
-(typeattributeset serialno_prop_27_0 (serialno_prop))
-(typeattributeset serial_service_27_0 (serial_service))
-(typeattributeset service_contexts_file_27_0 (service_contexts_file))
-(typeattributeset servicediscovery_service_27_0 (servicediscovery_service))
-(typeattributeset servicemanager_27_0 (servicemanager))
-(typeattributeset servicemanager_exec_27_0 (servicemanager_exec))
-(typeattributeset settings_service_27_0 (settings_service))
-(typeattributeset sgdisk_27_0 (sgdisk))
-(typeattributeset sgdisk_exec_27_0 (sgdisk_exec))
-(typeattributeset shared_relro_27_0 (shared_relro))
-(typeattributeset shared_relro_file_27_0 (shared_relro_file))
-(typeattributeset shell_27_0 (shell))
-(typeattributeset shell_data_file_27_0 (shell_data_file))
-(typeattributeset shell_exec_27_0 (shell_exec))
-(typeattributeset shell_prop_27_0 (shell_prop))
-(typeattributeset shm_27_0 (shm))
-(typeattributeset shortcut_manager_icons_27_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_27_0 (shortcut_service))
-(typeattributeset slideshow_27_0 (slideshow))
-(typeattributeset socket_device_27_0 (socket_device))
-(typeattributeset sockfs_27_0 (sockfs))
-(typeattributeset statusbar_service_27_0 (statusbar_service))
-(typeattributeset storaged_service_27_0 (storaged_service))
-(typeattributeset storage_file_27_0 (storage_file))
-(typeattributeset storagestats_service_27_0 (storagestats_service))
-(typeattributeset storage_stub_file_27_0 (storage_stub_file))
-(typeattributeset su_27_0 (su))
-(typeattributeset su_exec_27_0 (su_exec))
-(typeattributeset surfaceflinger_27_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_27_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_27_0 (swap_block_device))
-(typeattributeset sysfs_27_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_27_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_27_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_27_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_fs_ext4_features_27_0 (sysfs_fs_ext4_features))
-(typeattributeset sysfs_hwrandom_27_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_27_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_27_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_27_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_27_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_27_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_27_0 (sysfs_uio))
-(typeattributeset sysfs_usb_27_0 (sysfs_usb))
-(typeattributeset sysfs_usermodehelper_27_0 (sysfs_usermodehelper))
-(typeattributeset sysfs_vibrator_27_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_27_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_27_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_27_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_27_0 (sysfs_zram_uevent))
-(typeattributeset system_app_27_0 (system_app))
-(typeattributeset system_app_data_file_27_0 (system_app_data_file))
-(typeattributeset system_app_service_27_0 (system_app_service))
-(typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_27_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
-(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
-(typeattributeset system_prop_27_0 (system_prop))
-(typeattributeset system_radio_prop_27_0 (system_radio_prop))
-(typeattributeset system_server_27_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_27_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_27_0 (system_wpa_socket))
-(typeattributeset task_service_27_0 (task_service))
-(typeattributeset tee_27_0 (tee))
-(typeattributeset tee_data_file_27_0 (tee_data_file))
-(typeattributeset tee_device_27_0 (tee_device))
-(typeattributeset telecom_service_27_0 (telecom_service))
-(typeattributeset textclassification_service_27_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_27_0 (textclassifier_data_file))
-(typeattributeset textservices_service_27_0 (textservices_service))
-(typeattributeset thermalcallback_hwservice_27_0 (thermalcallback_hwservice))
-(typeattributeset thermal_service_27_0 (thermal_service))
-(typeattributeset thermalserviced_27_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_27_0 (thermalserviced_exec))
-(typeattributeset timezone_service_27_0 (timezone_service))
-(typeattributeset tmpfs_27_0 (tmpfs))
-(typeattributeset tombstoned_27_0 (tombstoned))
-(typeattributeset tombstone_data_file_27_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_27_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_27_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_27_0 (tombstoned_intercept_socket))
-(typeattributeset tombstoned_java_trace_socket_27_0 (tombstoned_java_trace_socket))
-(typeattributeset toolbox_27_0 (toolbox))
-(typeattributeset toolbox_exec_27_0 (toolbox_exec))
-(typeattributeset trust_service_27_0 (trust_service))
-(typeattributeset tty_device_27_0 (tty_device))
-(typeattributeset tun_device_27_0 (tun_device))
-(typeattributeset tv_input_service_27_0 (tv_input_service))
-(typeattributeset tzdatacheck_27_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_27_0 (tzdatacheck_exec))
-(typeattributeset ueventd_27_0 (ueventd))
-(typeattributeset uhid_device_27_0 (uhid_device))
-(typeattributeset uimode_service_27_0 (uimode_service))
-(typeattributeset uio_device_27_0 (uio_device))
-(typeattributeset uncrypt_27_0 (uncrypt))
-(typeattributeset uncrypt_exec_27_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_27_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
-(typeattributeset unlabeled_27_0 (unlabeled))
-(typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
-(typeattributeset update_engine_27_0 (update_engine))
-(typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_27_0 (update_engine_exec))
-(typeattributeset update_engine_service_27_0 (update_engine_service))
-(typeattributeset updatelock_service_27_0 (updatelock_service))
-(typeattributeset update_verifier_27_0 (update_verifier))
-(typeattributeset update_verifier_exec_27_0 (update_verifier_exec))
-(typeattributeset usagestats_service_27_0 (usagestats_service))
-(typeattributeset usbaccessory_device_27_0 (usbaccessory_device))
-(typeattributeset usb_device_27_0 (usb_device))
-(typeattributeset usbfs_27_0 (usbfs))
-(typeattributeset usb_service_27_0 (usb_service))
-(typeattributeset userdata_block_device_27_0 (userdata_block_device))
-(typeattributeset usermodehelper_27_0 (usermodehelper))
-(typeattributeset user_profile_data_file_27_0 (user_profile_data_file))
-(typeattributeset user_service_27_0 (user_service))
-(typeattributeset vcs_device_27_0 (vcs_device))
-(typeattributeset vdc_27_0 (vdc))
-(typeattributeset vdc_exec_27_0 (vdc_exec))
-(typeattributeset vendor_app_file_27_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_27_0 (vendor_configs_file))
-(typeattributeset vendor_file_27_0 (vendor_file))
-(typeattributeset vendor_framework_file_27_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_27_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_27_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
-(typeattributeset vfat_27_0 (vfat))
-(typeattributeset vibrator_service_27_0 (vibrator_service))
-(typeattributeset video_device_27_0 (video_device))
-(typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_27_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_27_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_27_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_27_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_27_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_27_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_27_0 (voiceinteraction_service))
-(typeattributeset vold_27_0 (vold))
-(typeattributeset vold_data_file_27_0 (vold_data_file))
-(typeattributeset vold_device_27_0 (vold_device))
-(typeattributeset vold_exec_27_0 (vold_exec))
-(typeattributeset vold_prop_27_0 (vold_prop))
-(typeattributeset vold_socket_27_0 (vold_socket))
-(typeattributeset vpn_data_file_27_0 (vpn_data_file))
-(typeattributeset vr_hwc_27_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_27_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_27_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_27_0 (vr_manager_service))
-(typeattributeset wallpaper_file_27_0 (wallpaper_file))
-(typeattributeset wallpaper_service_27_0 (wallpaper_service))
-(typeattributeset watchdogd_27_0 (watchdogd))
-(typeattributeset watchdog_device_27_0 (watchdog_device))
-(typeattributeset webviewupdate_service_27_0 (webviewupdate_service))
-(typeattributeset webview_zygote_27_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_27_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_27_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_27_0 (wifiaware_service))
-(typeattributeset wificond_27_0 (wificond))
-(typeattributeset wificond_exec_27_0 (wificond_exec))
-(typeattributeset wificond_service_27_0 (wificond_service))
-(typeattributeset wifi_data_file_27_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_27_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_27_0 (wifip2p_service))
-(typeattributeset wifi_prop_27_0 (wifi_prop))
-(typeattributeset wifiscanner_service_27_0 (wifiscanner_service))
-(typeattributeset wifi_service_27_0 (wifi_service))
-(typeattributeset window_service_27_0 (window_service))
-(typeattributeset wpa_socket_27_0 (wpa_socket))
-(typeattributeset zero_device_27_0 (zero_device))
-(typeattributeset zoneinfo_data_file_27_0 (zoneinfo_data_file))
-(typeattributeset zygote_27_0 (zygote))
-(typeattributeset zygote_exec_27_0 (zygote_exec))
-(typeattributeset zygote_socket_27_0 (zygote_socket))
diff --git a/prebuilts/api/32.0/private/compat/27.0/27.0.compat.cil b/prebuilts/api/32.0/private/compat/27.0/27.0.compat.cil
deleted file mode 100644
index 2e85b23..0000000
--- a/prebuilts/api/32.0/private/compat/27.0/27.0.compat.cil
+++ /dev/null
@@ -1,11 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
-(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/32.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/32.0/private/compat/27.0/27.0.ignore.cil
deleted file mode 100644
index 427f4d4..0000000
--- a/prebuilts/api/32.0/private/compat/27.0/27.0.ignore.cil
+++ /dev/null
@@ -1,260 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- aac_drc_prop
- aaudio_config_prop
- activity_task_service
- adb_service
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- art_apex_dir
- atrace
- audio_config_prop
- binder_calls_stats_service
- biometric_service
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- boot_status_prop
- bootanim_system_prop
- bootloader_boot_reason_prop
- bootloader_prop
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- build_bootimage_prop
- build_odm_prop
- build_prop
- build_vendor_prop
- camera_calibration_prop
- camera_config_prop
- cgroup_bpf
- charger_config_prop
- charger_exec
- charger_status_prop
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_apexd_prop
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- dalvik_config_prop
- dalvik_runtime_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- drm_service_config_prop
- exfat
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_radio_prop
- exported3_system_prop
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- fastbootd
- ffs_config_prop
- ffs_control_prop
- flags_health_check
- flags_health_check_exec
- fingerprint_vendor_data_file
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_instrumentation_prop
- hal_lowpan_hwservice
- hal_secure_element_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_hostapd_hwservice
- hdmi_config_prop
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- init_service_status_private_prop
- init_service_status_prop
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- keyguard_config_prop
- last_boot_reason_prop
- libc_debug_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- lmkd_config_prop
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- media_config_prop
- mediadrm_config_prop
- mediaextractor_update_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- metadata_bootstat_file
- metadata_file
- mnt_product_file
- mnt_vendor_file
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- oem_unlock_prop
- overlayfs_file
- packagemanager_config_prop
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- property_info
- property_service_version_prop
- provisioned_prop
- radio_control_prop
- recovery_config_prop
- recovery_socket
- retaildemo_prop
- role_service
- runas_app
- runtime_service
- secure_element
- secure_element_device
- secure_element_service
- secure_element_tmpfs
- sendbug_config_prop
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- socket_hook_prop
- stats
- stats_data_file
- stats_exec
- stats_service
- statscompanion_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- storaged_data_file
- super_block_device
- surfaceflinger_color_prop
- surfaceflinger_prop
- staging_data_file
- storagemanager_config_prop
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_update_service
- systemsound_config_prop
- telephony_config_prop
- telephony_status_prop
- test_boot_reason_prop
- time_prop
- timedetector_service
- tombstone_config_prop
- tombstone_wifi_data_file
- trace_data_file
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- traceur_app
- traceur_app_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- uri_grants_service
- usb_config_prop
- usb_control_prop
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_apex_file
- vendor_default_prop
- vendor_init
- vendor_security_patch_level_prop
- vendor_shell
- vendor_socket_hook_prop
- vndk_prop
- vold_config_prop
- vold_metadata_file
- vold_post_fs_data_prop
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vold_status_prop
- vrflinger_vsync_service
- vts_config_prop
- vts_status_prop
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wifi_config_prop
- wifi_hal_prop
- wm_trace_data_file
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs
- zram_config_prop
- zram_control_prop))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/32.0/private/file_contexts b/prebuilts/api/32.0/private/file_contexts
index 0330d88..48d98ff 100644
--- a/prebuilts/api/32.0/private/file_contexts
+++ b/prebuilts/api/32.0/private/file_contexts
@@ -475,7 +475,6 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
-/(system_ext|system/system_ext)/etc/selinux/userdebug_plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
diff --git a/prebuilts/api/33.0/private/access_vectors b/prebuilts/api/33.0/private/access_vectors
new file mode 100644
index 0000000..6cd8c4e
--- /dev/null
+++ b/prebuilts/api/33.0/private/access_vectors
@@ -0,0 +1,791 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+ unlink
+ link
+ rename
+ execute
+ quotaon
+ mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+ perfmon
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ associate
+ quotamod
+ quotaget
+ watch
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class anon_inode
+inherits file
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+ getrlimit
+}
+
+class process2
+{
+ nnp_transition
+ nosuid_transition
+}
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+ validate_trans
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+ module_load
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+#
+
+class capability
+inherits cap
+
+class capability2
+inherits cap2
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_readpriv
+ nlmsg_getneigh
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+{
+ attach_queue
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
+class infiniband_pkey
+{
+ access
+}
+
+class infiniband_endport
+{
+ manage_subnet
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+ association
+}
+
+class icmp_socket
+inherits socket
+{
+ node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
+class smc_socket
+inherits socket
+
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+
+class property_service
+{
+ set
+}
+
+class service_manager
+{
+ add
+ find
+ list
+}
+
+class hwservice_manager
+{
+ add
+ find
+ list
+}
+
+class keystore_key
+{
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+ gen_unique_id
+}
+
+class keystore2
+{
+ add_auth
+ change_password
+ change_user
+ clear_ns
+ clear_uid
+ delete_all_keys
+ early_boot_ended
+ get_attestation_key
+ get_auth_token
+ get_state
+ list
+ lock
+ pull_metrics
+ report_off_body
+ reset
+ unlock
+}
+
+class keystore2_key
+{
+ convert_storage_key_to_ephemeral
+ delete
+ gen_unique_id
+ get_info
+ grant
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+ use_dev_id
+}
+
+class diced
+{
+ demote
+ demote_self
+ derive
+ get_attestation_chain
+ use_seal
+ use_sign
+}
+
+class drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+}
+
+class xdp_socket
+inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
+
+class lockdown
+{
+ integrity
+ confidentiality
+}
diff --git a/prebuilts/api/33.0/private/adbd.te b/prebuilts/api/33.0/private/adbd.te
new file mode 100644
index 0000000..48fa849
--- /dev/null
+++ b/prebuilts/api/33.0/private/adbd.te
@@ -0,0 +1,235 @@
+### ADB daemon
+
+typeattribute adbd coredomain;
+typeattribute adbd mlstrustedsubject;
+
+init_daemon_domain(adbd)
+
+domain_auto_trans(adbd, shell_exec, shell)
+
+userdebug_or_eng(`
+ allow adbd self:process setcurrent;
+ allow adbd su:process dyntransition;
+')
+
+# When 'adb shell' is executed in recovery mode, adbd explicitly
+# switches into shell domain using setcon() because the shell executable
+# is not labeled as shell but as rootfs.
+recovery_only(`
+ domain_trans(adbd, rootfs, shell)
+ allow adbd shell:process dyntransition;
+
+ # Allows reboot fastboot to enter fastboot directly
+ unix_socket_connect(adbd, recovery, recovery)
+')
+
+# Control Perfetto traced and obtain traces from it.
+# Needed to allow port forwarding directly to traced.
+unix_socket_connect(adbd, traced_consumer, traced)
+
+# Do not sanitize the environment or open fds of the shell. Allow signaling
+# created processes.
+allow adbd shell:process { noatsecure signal };
+
+# Set UID and GID to shell. Set supplementary groups.
+allow adbd self:global_capability_class_set { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:global_capability_class_set setpcap;
+
+# ignore spurious denials for adbd when disk space is low.
+dontaudit adbd self:global_capability_class_set sys_resource;
+
+# adbd probes for vsock support. Do not generate denials when
+# this occurs. (b/123569840)
+dontaudit adbd self:{ socket vsock_socket } create;
+
+# Allow adbd inside vm to forward vm's vsock.
+allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Create and use network sockets.
+net_domain(adbd)
+
+# Access /dev/usb-ffs/adb/ep0
+allow adbd functionfs:dir search;
+allow adbd functionfs:file rw_file_perms;
+allowxperm adbd functionfs:file ioctl {
+ FUNCTIONFS_ENDPOINT_DESC
+ FUNCTIONFS_CLEAR_HALT
+};
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+# adb pull /data/local/traces/*
+allow adbd trace_data_file:dir r_dir_perms;
+allow adbd trace_data_file:file r_file_perms;
+
+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
+# adb push/pull sdcard.
+allow adbd tmpfs:dir search;
+allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
+allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
+allow adbd { sdcard_type fuse }:dir create_dir_perms;
+allow adbd { sdcard_type fuse }:file create_file_perms;
+
+# adb pull /data/anr/traces.txt
+allow adbd anr_data_file:dir r_dir_perms;
+allow adbd anr_data_file:file r_file_perms;
+
+# adb pull /vendor/framework/*
+allow adbd vendor_framework_file:dir r_dir_perms;
+allow adbd vendor_framework_file:file r_file_perms;
+
+# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+get_prop(adbd, ffs_config_prop)
+set_prop(adbd, ffs_control_prop)
+
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
+set_prop(adbd, adbd_prop)
+set_prop(adbd, adbd_config_prop)
+
+# Allow adbd start/stop mdnsd via ctl.start
+set_prop(adbd, ctl_mdnsd_prop)
+
+# Access device logging gating property
+get_prop(adbd, device_logging_prop)
+
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
+# Read whether or not Test Harness Mode is enabled
+get_prop(adbd, test_harness_prop)
+
+# Read persist.adb.tls_server.enable property
+get_prop(adbd, system_adbd_prop)
+
+# Read device's overlayfs related properties and files
+userdebug_or_eng(`
+ get_prop(adbd, persistent_properties_ready_prop)
+ r_dir_file(adbd, sysfs_dt_firmware_android)
+')
+
+# Run /system/bin/bu
+allow adbd system_file:file rx_file_perms;
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+binder_call(adbd, gpuservice)
+# b/13188914
+allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd gpu_device:dir r_dir_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
+
+# Needed for various screenshots
+hal_client_domain(adbd, hal_graphics_allocator)
+
+# Read /data/misc/adb/adb_keys.
+allow adbd adb_keys_file:dir search;
+allow adbd adb_keys_file:file r_file_perms;
+
+userdebug_or_eng(`
+ # Write debugging information to /data/adb
+ # when persist.adb.trace_mask is set
+ # https://code.google.com/p/android/issues/detail?id=72895
+ allow adbd adb_data_file:dir rw_dir_perms;
+ allow adbd adb_data_file:file create_file_perms;
+')
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
+
+# Allow pulling config.gz for CTS purposes
+allow adbd config_gz:file r_file_perms;
+
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
+allow adbd gpu_service:service_manager find;
+allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir r_dir_perms;
+allow adbd mnt_user_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow adbd media_rw_data_file:dir create_dir_perms;
+allow adbd media_rw_data_file:file create_file_perms;
+
+r_dir_file(adbd, apk_data_file)
+
+allow adbd rootfs:dir r_dir_perms;
+
+# Allow killing child "perfetto" binary processes, which auto-transition to
+# their own domain. Allows propagating termination of "adb shell perfetto ..."
+# invocations.
+allow adbd perfetto:process signal;
+
+# Allow to pull Perfetto traces.
+allow adbd perfetto_traces_data_file:file r_file_perms;
+allow adbd perfetto_traces_data_file:dir r_dir_perms;
+
+# Allow to push and manage configs in /data/misc/perfetto-configs.
+allow adbd perfetto_configs_data_file:dir rw_dir_perms;
+allow adbd perfetto_configs_data_file:file create_file_perms;
+
+# Connect to shell and use a socket transferred from it.
+# Used for e.g. abb.
+allow adbd shell:unix_stream_socket { read write shutdown };
+allow adbd shell:fd use;
+
+# Allow pull /vendor/apex files for CTS tests
+allow adbd vendor_apex_file:dir search;
+allow adbd vendor_apex_file:file r_file_perms;
+
+# Allow adb pull of updated apex files in /data/apex/active.
+allow adbd apex_data_file:dir search;
+allow adbd staging_data_file:file r_file_perms;
+
+# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
+allow adbd apex_info_file:file r_file_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
+# transitions to the shell domain (except when it crashes). In particular, we
+# never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
diff --git a/prebuilts/api/33.0/private/aidl_lazy_test_server.te b/prebuilts/api/33.0/private/aidl_lazy_test_server.te
new file mode 100644
index 0000000..33efde0
--- /dev/null
+++ b/prebuilts/api/33.0/private/aidl_lazy_test_server.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+ typeattribute aidl_lazy_test_server coredomain;
+
+ init_daemon_domain(aidl_lazy_test_server)
+')
diff --git a/prebuilts/api/33.0/private/apex_test_prepostinstall.te b/prebuilts/api/33.0/private/apex_test_prepostinstall.te
new file mode 100644
index 0000000..f1bc214
--- /dev/null
+++ b/prebuilts/api/33.0/private/apex_test_prepostinstall.te
@@ -0,0 +1,20 @@
+# APEX pre- & post-install test.
+#
+# Allow to run pre- and post-install hooks for APEX test modules
+# in debuggable builds.
+
+type apex_test_prepostinstall, domain, coredomain;
+type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ # /dev/zero
+ allow apex_test_prepostinstall apexd:fd use;
+ # Logwrapper.
+ create_pty(apex_test_prepostinstall)
+ # Logwrapper executing sh.
+ allow apex_test_prepostinstall shell_exec:file rx_file_perms;
+ # Logwrapper exec.
+ allow apex_test_prepostinstall system_file:file execute_no_trans;
+ # Ls.
+ allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
+')
diff --git a/prebuilts/api/33.0/private/apexd.te b/prebuilts/api/33.0/private/apexd.te
new file mode 100644
index 0000000..040651d
--- /dev/null
+++ b/prebuilts/api/33.0/private/apexd.te
@@ -0,0 +1,206 @@
+typeattribute apexd coredomain;
+
+init_daemon_domain(apexd)
+
+# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
+allow apexd apex_data_file:dir create_dir_perms;
+allow apexd apex_data_file:file create_file_perms;
+# Allow relabeling file created in /data/apex/decompressed
+allow apexd apex_data_file:file relabelfrom;
+
+# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
+allow apexd metadata_file:dir search;
+allow apexd apex_metadata_file:dir create_dir_perms;
+allow apexd apex_metadata_file:file create_file_perms;
+
+# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
+allow apexd sepolicy_metadata_file:dir create_dir_perms;
+allow apexd sepolicy_metadata_file:file create_file_perms;
+# Allow apexd to setup fs-verity for SEPolicy files in metadata
+allowxperm apexd sepolicy_metadata_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+# Allow reserving space on /data/apex/ota_reserved for apex decompression
+allow apexd apex_ota_reserved_file:dir create_dir_perms;
+allow apexd apex_ota_reserved_file:file create_file_perms;
+
+# Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_data_file_type:dir { create_dir_perms relabelto };
+allow apexd apex_data_file_type:file { create_file_perms relabelto };
+allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
+allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
+allow apexd apex_rollback_data_file:dir create_dir_perms;
+allow apexd apex_rollback_data_file:file create_file_perms;
+
+# Allow apexd to read directories under /data/misc_de in order to snapshot and
+# restore apex data for all users.
+allow apexd system_data_file:dir r_dir_perms;
+
+# allow apexd to create loop devices with /dev/loop-control
+allow apexd loop_control_device:chr_file rw_file_perms;
+# allow apexd to access loop devices
+allow apexd loop_device:blk_file rw_file_perms;
+allowxperm apexd loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+ LOOP_CONFIGURE
+};
+# Allow apexd to access /dev/block
+allow apexd dev_type:dir r_dir_perms;
+allow apexd dev_type:blk_file getattr;
+
+#allow apexd to access virtual disks
+allow apexd vd_device:blk_file r_file_perms;
+
+# allow apexd to access /dev/block/dm-* (device-mapper entries)
+allow apexd dm_device:chr_file rw_file_perms;
+allow apexd dm_device:blk_file rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+# dac_override, chown, and fowner are needed for snapshot and restore
+allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
+
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for apexd to operate.
+dontaudit apexd self:global_capability_class_set fsetid;
+
+# allow apexd to create a mount point in /apex
+allow apexd apex_mnt_dir:dir create_dir_perms;
+# allow apexd to mount in /apex
+allow apexd apex_mnt_dir:filesystem { mount unmount };
+allow apexd apex_mnt_dir:dir mounton;
+# allow apexd to create symlinks in /apex
+allow apexd apex_mnt_dir:lnk_file create_file_perms;
+# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
+allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
+allow apexd apex_info_file:file relabelto;
+# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
+allow apexd apex_info_file:file rw_file_perms;
+allow apexd apex_info_file:file mounton;
+
+# allow apexd to unlink apex files in /data/apex/active
+# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
+# because it doesn't have write permission for staging_data_file object.
+allow apexd staging_data_file:file unlink;
+
+# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
+allow apexd staging_data_file:dir r_dir_perms;
+allow apexd staging_data_file:file { r_file_perms link };
+# # Allow relabeling file created in /data/apex/decompressed
+allow apexd staging_data_file:file relabelto;
+
+# allow apexd to read files from /vendor/apex
+allow apexd vendor_apex_file:dir r_dir_perms;
+allow apexd vendor_apex_file:file r_file_perms;
+
+# Unmount and mount filesystems
+allow apexd labeledfs:filesystem { mount unmount };
+
+# /sys directory tree traversal
+allow apexd sysfs_type:dir search;
+# Access to /sys/class/block
+allow apexd sysfs_type:dir r_dir_perms;
+allow apexd sysfs_type:file r_file_perms;
+# Configure read-ahead of dm-verity and loop devices
+# for dm-X
+allow apexd sysfs_dm:dir r_dir_perms;
+allow apexd sysfs_dm:file rw_file_perms;
+# for loopX
+allow apexd sysfs_loop:dir r_dir_perms;
+allow apexd sysfs_loop:file rw_file_perms;
+
+# Allow apexd to log to the kernel.
+allow apexd kmsg_device:chr_file w_file_perms;
+
+# Allow apexd to reboot device. Required for rollbacks of apexes that are
+# not covered by rollback manager.
+set_prop(apexd, powerctl_prop)
+
+# Allow apexd to stop itself
+set_prop(apexd, ctl_apexd_prop)
+
+# Find the vold service, and call into vold to manage FS checkpoints
+allow apexd vold_service:service_manager find;
+binder_call(apexd, vold)
+
+# apexd is using bootstrap bionic
+use_bootstrap_libs(apexd)
+
+# Allow apexd to be invoked with logwrapper from init during userspace reboot.
+allow apexd devpts:chr_file { read write };
+
+# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
+# other processes
+create_pty(apexd)
+
+# Allow apexd to read file contexts when performing restorecon of snapshots.
+allow apexd file_contexts_file:file r_file_perms;
+
+# Allow apexd to execute toybox for snapshot & restore
+allow apexd toolbox_exec:file rx_file_perms;
+
+# Allow apexd to release compressed blocks in case /data is f2fs-compressed fs.
+allowxperm apexd staging_data_file:file ioctl {
+ FS_IOC_GETFLAGS
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+};
+
+# Allow apexd to read ro.cold_boot_done prop.
+# apexd uses it to decide whether it needs to keep retrying polling for loop device.
+get_prop(apexd, cold_boot_done_prop)
+
+# Allow apexd to read per-device configuration properties.
+get_prop(apexd, apexd_config_prop)
+
+# Allow apexd to read apex selection properties.
+# These are used to choose between multi-installed APEXes at activation time.
+get_prop(apexd, apexd_select_prop)
+#
+# Allow apexd to read apexd_payload_metadata_prop
+get_prop(apexd, apexd_payload_metadata_prop)
+
+neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
+neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
+neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
+
+# only apexd can set apexd sysprop
+set_prop(apexd, apexd_prop)
+neverallow { domain -apexd -init } apexd_prop:property_service set;
+
+# only apexd can write apex-info-list.xml
+neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
+
+# Only apexd and init should be allowed to manage /apex mounts
+# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
+# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
+# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+
+# Allow for use in postinstall
+allow apexd otapreopt_chroot:fd use;
+allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
+allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd postinstall_apex_mnt_dir:lnk_file create;
+allow apexd proc_filesystems:file r_file_perms;
+
+# Allow calling derive_classpath to gather BCP information for staged sessions
+domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
diff --git a/prebuilts/api/33.0/private/apexd_derive_classpath.te b/prebuilts/api/33.0/private/apexd_derive_classpath.te
new file mode 100644
index 0000000..d4c5496
--- /dev/null
+++ b/prebuilts/api/33.0/private/apexd_derive_classpath.te
@@ -0,0 +1,9 @@
+# Exclusive domain for apexd calling into derive_classpath binary
+type apexd_derive_classpath, domain, coredomain;
+
+# Allow the binary to write into output file at location /apex/derive_classpath_temp
+allow apexd_derive_classpath apexd:fd use;
+allow apexd_derive_classpath apex_mnt_dir:file { write open };
+# Allow the binary to log using logwrap
+allow apexd_derive_classpath apexd_devpts:chr_file { read write };
+
diff --git a/prebuilts/api/33.0/private/app.te b/prebuilts/api/33.0/private/app.te
new file mode 100644
index 0000000..b7da601
--- /dev/null
+++ b/prebuilts/api/33.0/private/app.te
@@ -0,0 +1,495 @@
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
+r_dir_file({
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -sdk_sandbox
+ -system_app
+ -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+ auditallow {
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -su
+ -sdk_sandbox
+ -system_app
+ -untrusted_app_all
+ } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Allow apps to read the Test Harness Mode property. This property is used in
+# the implementation of ActivityManager.isDeviceInTestHarnessMode()
+get_prop(appdomain, test_harness_prop)
+
+get_prop(appdomain, boot_status_prop)
+get_prop(appdomain, dalvik_config_prop)
+get_prop(appdomain, media_config_prop)
+get_prop(appdomain, packagemanager_config_prop)
+get_prop(appdomain, radio_control_prop)
+get_prop(appdomain, surfaceflinger_color_prop)
+get_prop(appdomain, systemsound_config_prop)
+get_prop(appdomain, telephony_config_prop)
+get_prop(appdomain, userspace_reboot_config_prop)
+get_prop(appdomain, vold_config_prop)
+get_prop(appdomain, adbd_config_prop)
+get_prop(appdomain, dck_prop)
+get_prop(appdomain, persist_wm_debug_prop)
+
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process)
+get_prop(appdomain, device_config_runtime_native_prop)
+get_prop(appdomain, device_config_runtime_native_boot_prop)
+
+userdebug_or_eng(`perfetto_producer({ appdomain })')
+
+# Prevent apps from causing presubmit failures.
+# Apps can cause selinux denials by accessing CE storage
+# and/or external storage. In either case, the selinux denial is
+# not the cause of the failure, but just a symptom that
+# storage isn't ready. Many apps handle the failure appropriately.
+#
+# Apps cannot access external storage before it becomes available.
+dontaudit appdomain storage_stub_file:dir getattr;
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
+# allowed to write to CE storage before it's available.
+# Attempting to do so will be blocked by both selinux and unix
+# permissions.
+dontaudit appdomain system_data_file:dir write;
+# Apps should not be reading vendor-defined properties.
+dontaudit appdomain vendor_default_prop:file read;
+
+# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
+allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
+
+neverallow appdomain system_server:udp_socket {
+ accept append bind create ioctl listen lock name_bind
+ relabelfrom relabelto setattr shutdown };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump to allow for app crash reporting.
+# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
+# to allow renderscript to create privileged executable files.
+neverallow { appdomain -shell userdebug_or_eng(`-su') }
+ { domain -appdomain -crash_dump -rs }:process { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') }
+ { domain -appdomain }:process { dyntransition };
+
+# Don't allow regular apps access to storage configuration properties.
+neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+
+# Allow to read sendbug.preferred.domain
+get_prop(appdomain, sendbug_config_prop)
+
+# Allow to read graphics related properties.
+get_prop(appdomain, graphics_config_prop)
+
+# Allow to read persist.config.calibration_fac
+get_prop(appdomain, camera_calibration_prop)
+
+# Allow to read db.log.detailed, db.log.slow_query_threshold*
+get_prop(appdomain, sqlite_log_prop)
+
+# Allow font file read by apps.
+allow appdomain font_data_file:file r_file_perms;
+allow appdomain font_data_file:dir r_dir_perms;
+
+# Enter /data/misc/apexdata/
+allow appdomain apex_module_data_file:dir search;
+# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
+allow appdomain apex_art_data_file:dir r_dir_perms;
+allow appdomain apex_art_data_file:file rx_file_perms;
+
+# Allow access to tombstones if an fd to one is given to you.
+# This is restricted by unix permissions, so an app must go through system_server to get one.
+allow appdomain tombstone_data_file:file { getattr read };
+neverallow appdomain tombstone_data_file:file ~{ getattr read };
+
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
+allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
+
+# Perform binder IPC to sdk sandbox.
+binder_call(appdomain, sdk_sandbox)
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
+
+#logd access
+control_logd({ appdomain -ephemeral_app -sdk_sandbox })
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
+
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
+
+use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+
+use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+
+# For app fuse.
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
+
+
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# Receive and use open file descriptors inherited from app zygote.
+allow appdomain app_zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app -sdk_sandbox } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app -sdk_sandbox } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
+
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+
+userdebug_or_eng(`
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# For AppFuse.
+allow appdomain vold:fd use;
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
+
+# Access via already open fds is ok even for mlstrustedsubject.
+allow { appdomain -isolated_app -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+allow appdomain system_file:file x_file_perms;
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Allow apps read / execute access to vendor public libraries.
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write map };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write map };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read map };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read map };
+
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
+# Allow apps to send information to statsd socket.
+unix_socket_send(appdomain, statsdw, statsd)
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+allow { appdomain -isolated_app } gpu_device:dir r_dir_perms;
+allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;
+
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+# Perform binder IPC to gpuservice.
+binder_call({ appdomain -isolated_app }, gpuservice)
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read map };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app -sdk_sandbox } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+
+allow appdomain zygote:unix_dgram_socket write;
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow appdomain same_process_hal_file:file { execute read open getattr map };
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write map };
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
+# Read access to FDs from the DropboxManagerService.
+allow appdomain dropbox_data_file:file { getattr read };
+
+# Read tmpfs types from these processes.
+allow appdomain audioserver_tmpfs:file { getattr map read write };
+allow appdomain system_server_tmpfs:file { getattr map read write };
+allow appdomain zygote_tmpfs:file { map read };
+
+# Sensitive app domains are not allowed to execute from /data
+# to prevent persistence attacks and ensure all code is executed
+# from read-only locations.
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ sdk_sandbox
+ system_app
+} {
+ data_file_type
+ -apex_art_data_file
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
+# For now, don't allow apps other than gmscore to access /data/misc_ce/<userid>/checkin
+neverallow { appdomain -gmscore_app } checkin_data_file:dir *;
+neverallow { appdomain -gmscore_app } checkin_data_file:file *;
diff --git a/prebuilts/api/33.0/private/app_neverallows.te b/prebuilts/api/33.0/private/app_neverallows.te
new file mode 100644
index 0000000..304f5a2
--- /dev/null
+++ b/prebuilts/api/33.0/private/app_neverallows.te
@@ -0,0 +1,256 @@
+###
+### neverallow rules for untrusted app domains
+###
+
+define(`all_untrusted_apps',`{
+ ephemeral_app
+ isolated_app
+ mediaprovider
+ mediaprovider_app
+ untrusted_app
+ untrusted_app_25
+ untrusted_app_27
+ untrusted_app_29
+ untrusted_app_30
+ untrusted_app_all
+}')
+# Receive or send uevent messages.
+neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow all_untrusted_apps domain:netlink_socket *;
+
+# Read or write kernel printk buffer
+neverallow all_untrusted_apps kmsg_device:chr_file no_rw_file_perms;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
+
+# Do not allow untrusted apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow all_untrusted_apps service_manager_type:service_manager add;
+
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
+# Do not allow untrusted apps to connect to the property service
+# or set properties. b/10243159
+neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
+neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
+neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
+
+# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } net_dns_prop:file read;
+
+# radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } radio_cdma_ecm_prop:file read;
+
+# Shared libraries created by trusted components within an app home
+# directory can be dlopen()ed. To maintain the W^X property, these files
+# must never be writable to the app.
+neverallow all_untrusted_apps app_exec_data_file:file
+ { append create link relabelfrom relabelto rename setattr write };
+
+# Block calling execve() on files in an apps home directory.
+# This is a W^X violation (loading executable code from a writable
+# home directory). For compatibility, allow for targetApi <= 28.
+# b/112357170
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -runas_app
+} { app_data_file privapp_data_file }:file execute_no_trans;
+
+# Do not allow untrusted apps to invoke dex2oat. This was historically required
+# by ART for compiling secondary dex files but has been removed in Q.
+# Exempt legacy apps (targetApi<=28) for compatibility.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} dex2oat_exec:file no_x_file_perms;
+
+# Do not allow untrusted apps to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and an untrusted app is allowed fork permission to itself.
+neverallow all_untrusted_apps mlstrustedsubject:process fork;
+
+# Do not allow untrusted apps to hard link to any files.
+# In particular, if an untrusted app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure untrusted apps never have this
+# capability.
+neverallow all_untrusted_apps file_type:file link;
+
+# Do not allow untrusted apps to access network MAC address file
+neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;
+
+# Do not allow any write access to files in /sys
+neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
+
+# Apps may never access the default sysfs label.
+neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow all_untrusted_apps *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
+
+# Apps can read/write an already open vsock (e.g. created by
+# virtualizationservice) but nothing more than that (e.g. creating a
+# new vsock, etc.)
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
+
+# Disallow sending RTM_GETLINK messages on netlink sockets.
+neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+
+# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+} domain:netlink_route_socket nlmsg_getneigh;
+
+# Do not allow untrusted apps access to /cache
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted apps to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow { all_untrusted_apps -mediaprovider } {
+ fs_type
+ -sdcard_type
+ -fuse
+ file_type
+ -app_data_file # The apps sandbox itself
+ -privapp_data_file
+ -app_exec_data_file # stored within the app sandbox directory
+ -media_rw_data_file # Internal storage. Known that apps can
+ # leave artfacts here after uninstall.
+ -user_profile_data_file # Access to profile files
+ userdebug_or_eng(`
+ -method_trace_data_file # only on ro.debuggable=1
+ -coredump_file # userdebug/eng only
+ ')
+}:dir_file_class_set { create unlink };
+
+# No untrusted component except mediaprovider_app should be touching /dev/fuse
+neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
+
+# Do not allow untrusted apps to directly open the tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+# The tun_device ioctls below are not allowed, to prove equivalence
+# to the kernel patch at
+# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
+neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+neverallow all_untrusted_apps anr_data_file:file ~{ open append };
+neverallow all_untrusted_apps anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow all_untrusted_apps {
+ proc
+ proc_asound
+ proc_kmsg
+ proc_loadavg
+ proc_mounts
+ proc_pagetypeinfo
+ proc_slabinfo
+ proc_stat
+ proc_swaps
+ proc_uptime
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat
+}:file { no_rw_file_perms no_x_file_perms };
+
+# /proc/filesystems is accessible to mediaprovider_app only since it handles
+# external storage
+neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
+
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
+# Do not allow untrusted apps access to preloads data files
+neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
+
+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
+# Do not permit access from apps which host arbitrary code to the protected services
+# The two main reasons for this are:
+# 1. Protected HwBinder servers do not perform client authentication because
+# vendor code does not have a way to understand apps or their relation to
+# caller UID information and, even if it did, those services either operate
+# at a level below that of apps (e.g., HALs) or must not rely on app identity
+# for authorization. Thus, to be safe, the default assumption for all added
+# vendor services is that they treat all their clients as equally authorized
+# to perform operations offered by the service.
+# 2. HAL servers contain code with higher incidence rate of security issues
+# than system/core components and have access to lower layes of the stack
+# (all the way down to hardware) thus increasing opportunities for bypassing
+# the Android security model.
+neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
+neverallow all_untrusted_apps protected_service:service_manager find;
+
+# SELinux is not an API for untrusted apps to use
+neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
+neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
+
+# Untrusted apps are not allowed to use cgroups.
+neverallow all_untrusted_apps cgroup:file *;
+neverallow all_untrusted_apps cgroup_v2:file *;
+
+# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
+# must not use it.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} mnt_sdcard_file:lnk_file *;
+
+# Only privileged apps may find the incident service
+neverallow all_untrusted_apps incident_service:service_manager find;
diff --git a/prebuilts/api/33.0/private/app_zygote.te b/prebuilts/api/33.0/private/app_zygote.te
new file mode 100644
index 0000000..8a62341
--- /dev/null
+++ b/prebuilts/api/33.0/private/app_zygote.te
@@ -0,0 +1,177 @@
+typeattribute app_zygote coredomain;
+
+######
+###### Policy below is different from regular zygote-spawned apps
+######
+
+# Allow access to temporary files, which is normally permitted through
+# a domain macro.
+tmpfs_domain(app_zygote);
+
+# Set the UID/GID of the process.
+# This will be further limited to a range of isolated UIDs with seccomp.
+allow app_zygote self:global_capability_class_set { setgid setuid };
+# Drop capabilities from bounding set.
+allow app_zygote self:global_capability_class_set setpcap;
+# Switch SELinux context to isolated app domain.
+allow app_zygote self:process setcurrent;
+allow app_zygote isolated_app:process dyntransition;
+
+# For JIT
+allow app_zygote self:process execmem;
+
+# Allow app_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow app_zygote debugfs_trace_marker:file getattr;
+
+# get system_server process group
+allow app_zygote system_server:process getpgid;
+
+# Interaction between the app_zygote and its children.
+allow app_zygote isolated_app:process setpgid;
+
+# TODO (b/63631799) fix this access
+dontaudit app_zygote mnt_expand_file:dir getattr;
+
+# Get seapp_contexts
+allow app_zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(app_zygote)
+# Check SELinux permissions.
+selinux_check_access(app_zygote)
+
+# Read and inspect temporary files managed by zygote.
+allow app_zygote zygote_tmpfs:file { read getattr };
+
+######
+###### Policy below is shared with regular zygote-spawned apps
+######
+
+# Child of zygote.
+allow app_zygote zygote:fd use;
+allow app_zygote zygote:process sigchld;
+
+# For ART (read /data/dalvik-cache).
+r_dir_file(app_zygote, dalvikcache_data_file);
+allow app_zygote dalvikcache_data_file:file execute;
+
+# For ART (allow userfaultfd and related ioctls)
+userfaultfd_use(app_zygote)
+
+# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
+allow app_zygote apex_module_data_file:dir search;
+# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
+r_dir_file(app_zygote, apex_art_data_file)
+
+# Allow reading/executing installed binaries to enable preloading
+# application data
+allow app_zygote apk_data_file:dir r_dir_perms;
+allow app_zygote apk_data_file:file { r_file_perms execute };
+
+# /oem accesses.
+allow app_zygote oemfs:dir search;
+
+# Allow app_zygote access to /vendor/overlay
+r_dir_file(app_zygote, vendor_overlay_file)
+
+allow app_zygote system_data_file:lnk_file r_file_perms;
+allow app_zygote system_data_file:file { getattr read map };
+
+# Send unsolicited message to system_server
+unix_socket_send(app_zygote, system_unsolzygote, system_server)
+
+# Allow the app_zygote to access the runtime feature flag properties.
+get_prop(app_zygote, device_config_runtime_native_prop)
+get_prop(app_zygote, device_config_runtime_native_boot_prop)
+
+# Allow app_zygote to access odsign verification status
+get_prop(app_zygote, odsign_prop)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow app_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow app_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow app_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for the zygote to fork a new
+# app_zygote child.
+neverallow { domain -zygote } app_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow app_zygote property_socket:sock_file write;
+neverallow app_zygote property_type:property_service set;
+
+# Should not have any access to data files.
+neverallow app_zygote app_data_file_type:file { rwx_file_perms };
+
+neverallow app_zygote {
+ service_manager_type
+ -activity_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps should not be able to access the driver directly.
+neverallow app_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow app_zygote access to /cache.
+neverallow app_zygote cache_file:dir ~{ r_dir_perms };
+neverallow app_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow app_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+ sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+ x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+ pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+ rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+} *;
+
+# Only allow app_zygote to talk to the logd socket, and
+# su/heapprofd/traced_perf on eng/userdebug. This is because
+# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
+# Think twice before changing.
+neverallow app_zygote {
+ domain
+ -app_zygote
+ -logd
+ -system_server
+ userdebug_or_eng(`-su')
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
+}:unix_dgram_socket *;
+
+neverallow app_zygote {
+ domain
+ -app_zygote
+ userdebug_or_eng(`-su')
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
+}:unix_stream_socket *;
+
+# Never allow ptrace
+neverallow app_zygote *:process ptrace;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow app_zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_audio_hal_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/prebuilts/api/33.0/private/artd.te b/prebuilts/api/33.0/private/artd.te
new file mode 100644
index 0000000..0aa12dc
--- /dev/null
+++ b/prebuilts/api/33.0/private/artd.te
@@ -0,0 +1,16 @@
+# art service daemon
+type artd, domain;
+type artd_exec, system_file_type, exec_type, file_type;
+
+# Allow artd to publish a binder service and make binder calls.
+binder_use(artd)
+add_service(artd, artd_service)
+allow artd dumpstate:fifo_file { getattr write };
+
+typeattribute artd coredomain;
+
+init_daemon_domain(artd)
+
+# Allow query ART device config properties
+get_prop(artd, device_config_runtime_native_prop)
+get_prop(artd, device_config_runtime_native_boot_prop)
diff --git a/prebuilts/api/33.0/private/asan_extract.te b/prebuilts/api/33.0/private/asan_extract.te
new file mode 100644
index 0000000..69bcd50
--- /dev/null
+++ b/prebuilts/api/33.0/private/asan_extract.te
@@ -0,0 +1,11 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+ typeattribute asan_extract coredomain;
+ init_daemon_domain(asan_extract)
+
+ # We need to signal a reboot when done.
+ set_prop(asan_extract, powerctl_prop)
+')
diff --git a/prebuilts/api/33.0/private/atrace.te b/prebuilts/api/33.0/private/atrace.te
new file mode 100644
index 0000000..ca0e527
--- /dev/null
+++ b/prebuilts/api/33.0/private/atrace.te
@@ -0,0 +1,80 @@
+# Domain for atrace process.
+# It is spawned either by traced_probes or by init for the boottrace service.
+
+type atrace_exec, exec_type, file_type, system_file_type;
+
+# boottrace services uses /data/misc/boottrace/categories
+allow atrace boottrace_data_file:dir search;
+allow atrace boottrace_data_file:file r_file_perms;
+
+# Allow atrace to access tracefs.
+allow atrace debugfs_tracing:dir r_dir_perms;
+allow atrace debugfs_tracing:file rw_file_perms;
+allow atrace debugfs_trace_marker:file getattr;
+
+# Allow atrace to write data when a pipe is used for stdout/stderr.
+# This is used by Perfetto to capture atrace stdout/stderr.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file { getattr write };
+
+# atrace sets debug.atrace.* properties
+set_prop(atrace, debug_prop)
+
+# atrace pokes all the binder-enabled processes at startup with a
+# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
+
+# Allow discovery of binder services.
+allow atrace {
+ service_manager_type
+ -apex_service
+ -dnsresolver_service
+ -dumpstate_service
+ -incident_service
+ -installd_service
+ -iorapd_service
+ -lpdump_service
+ -mdns_service
+ -netd_service
+ -stats_service
+ -tracingproxy_service
+ -vold_service
+ -default_android_service
+}:service_manager { find };
+allow atrace servicemanager:service_manager list;
+
+# Allow notifying the processes hosting specific binder services that
+# trace-related system properties have changed.
+binder_use(atrace)
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
+
+# Similarly, on debug builds, allow specific HALs to be notified that
+# trace-related system properties have changed.
+userdebug_or_eng(`
+ # List HAL interfaces.
+ allow atrace hwservicemanager:hwservice_manager list;
+ # Notify the camera HAL.
+ hal_client_domain(atrace, hal_camera)
+ hal_client_domain(atrace, hal_vibrator)
+')
+
+# Remove logspam from notification attempts to non-allowlisted services.
+dontaudit atrace hwservice_manager_type:hwservice_manager find;
+dontaudit atrace service_manager_type:service_manager find;
+dontaudit atrace domain:binder call;
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
+get_prop(atrace, hwservicemanager_prop)
+
+userdebug_or_eng(`
+ # atrace is generally invoked as a standalone binary from shell or perf
+ # daemons like Perfetto traced_probes. However, in userdebug builds, there is
+ # a further option to run atrace as an init daemon for boot tracing.
+ init_daemon_domain(atrace)
+
+ allow atrace debugfs_tracing_debug:dir r_dir_perms;
+ allow atrace debugfs_tracing_debug:file rw_file_perms;
+')
diff --git a/prebuilts/api/33.0/private/attributes b/prebuilts/api/33.0/private/attributes
new file mode 100644
index 0000000..991bac1
--- /dev/null
+++ b/prebuilts/api/33.0/private/attributes
@@ -0,0 +1,12 @@
+hal_attribute(lazy_test);
+
+# This is applied to apps on vendor images with SDK <=30 only,
+# to exempt them from recent mls changes. It must not be applied
+# to any domain on newer system or vendor image.
+attribute mlsvendorcompat;
+
+# Attributes for property types having both system_property_type
+# and vendor_property_type. Such types are ill-formed because
+# property owner attributes must be exclusive.
+attribute system_and_vendor_property_type;
+expandattribute system_and_vendor_property_type false;
diff --git a/prebuilts/api/33.0/private/audioserver.te b/prebuilts/api/33.0/private/audioserver.te
new file mode 100644
index 0000000..ca29373
--- /dev/null
+++ b/prebuilts/api/33.0/private/audioserver.te
@@ -0,0 +1,106 @@
+# audioserver - audio services daemon
+
+typeattribute audioserver coredomain;
+
+type audioserver_exec, exec_type, file_type, system_file_type;
+init_daemon_domain(audioserver)
+tmpfs_domain(audioserver)
+
+r_dir_file(audioserver, sdcard_type)
+r_dir_file(audioserver, fuse)
+
+binder_use(audioserver)
+binder_call(audioserver, binderservicedomain)
+binder_call(audioserver, appdomain)
+binder_service(audioserver)
+
+hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
+hal_client_domain(audioserver, hal_audio)
+
+userdebug_or_eng(`
+ # used for TEE sink - pcm capture for debug.
+ allow audioserver media_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:file create_file_perms;
+
+ # ptrace to processes in the same domain for memory leak detection
+ allow audioserver self:process ptrace;
+')
+
+add_service(audioserver, audioserver_service)
+allow audioserver activity_service:service_manager find;
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver external_vibrator_service:service_manager find;
+allow audioserver package_native_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver permission_checker_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
+allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
+allow audioserver soundtrigger_middleware_service:service_manager find;
+
+# Allow read/write access to bluetooth-specific properties
+set_prop(audioserver, bluetooth_a2dp_offload_prop)
+set_prop(audioserver, bluetooth_audio_hal_prop)
+set_prop(audioserver, bluetooth_prop)
+set_prop(audioserver, exported_bluetooth_prop)
+
+# Grant access to audio files to audioserver
+allow audioserver audio_data_file:dir ra_dir_perms;
+allow audioserver audio_data_file:file create_file_perms;
+
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file { read write };
+
+not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
+not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
+
+# For A2DP bridge which is loaded directly into audioserver
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
+# Allow shell commands from ADB and shell for CTS testing/dumping
+allow audioserver adbd:fd use;
+allow audioserver adbd:unix_stream_socket { read write };
+allow audioserver shell:fifo_file { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow audioserver su:fd use;
+ allow audioserver su:fifo_file { read write };
+ allow audioserver su:unix_stream_socket { read write };
+')
+
+# Allow write access to log tag property
+set_prop(audioserver, log_tag_prop);
+
+###
+### neverallow rules
+###
+
+# audioserver should never execute any executable without a
+# domain transition
+neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow audioserver domain:{ udp_socket rawip_socket } *;
+neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+# Allow using wake locks
+wakelock_use(audioserver)
+
+# Allow reading audio config props, e.g. af.fast_track_multiplier
+get_prop(audioserver, audio_config_prop)
diff --git a/prebuilts/api/33.0/private/auditctl.te b/prebuilts/api/33.0/private/auditctl.te
new file mode 100644
index 0000000..f634d3d
--- /dev/null
+++ b/prebuilts/api/33.0/private/auditctl.te
@@ -0,0 +1,18 @@
+#
+# /system/bin/auditctl executed for logd
+#
+# Performs maintenance of the kernel auditing system, including
+# setting rate limits on SELinux denials.
+#
+
+type auditctl, domain, coredomain;
+type auditctl_exec, file_type, system_file_type, exec_type;
+
+# Uncomment the line below to put this domain into permissive
+# mode. This helps speed SELinux policy development.
+# userdebug_or_eng(`permissive auditctl;')
+
+init_daemon_domain(auditctl)
+
+allow auditctl self:global_capability_class_set audit_control;
+allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
diff --git a/prebuilts/api/33.0/private/automotive_display_service.te b/prebuilts/api/33.0/private/automotive_display_service.te
new file mode 100644
index 0000000..db20696
--- /dev/null
+++ b/prebuilts/api/33.0/private/automotive_display_service.te
@@ -0,0 +1,44 @@
+# Display proxy service for Automotive
+type automotive_display_service, domain, coredomain;
+type automotive_display_service_exec, system_file_type, exec_type, file_type;
+
+typeattribute automotive_display_service automotive_display_service_server;
+
+# Allow to add a display service to the hwservicemanager
+add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
+
+# Allow init to launch automotive display service
+init_daemon_domain(automotive_display_service)
+
+# Allow to use Binder IPC for SurfaceFlinger.
+binder_use(automotive_display_service)
+
+# Allow to use HwBinder IPC for HAL implementations.
+hwbinder_use(automotive_display_service)
+hal_client_domain(automotive_display_service, hal_graphics_composer)
+hal_client_domain(automotive_display_service, hal_graphics_allocator)
+
+# Allow to read the target property.
+get_prop(automotive_display_service, hwservicemanager_prop)
+
+# Allow to find SurfaceFlinger.
+allow automotive_display_service surfaceflinger_service:service_manager find;
+
+# Allow client domain to do binder IPC to serverdomain.
+binder_call(automotive_display_service, surfaceflinger)
+
+# Allow to use a graphics mapper
+allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# Allow to use hidl token service
+allow automotive_display_service hidl_token_hwservice:hwservice_manager find;
+
+# Allow to access EGL files
+allow automotive_display_service gpu_device:chr_file rw_file_perms;
+allow automotive_display_service gpu_device:dir search;
+
+# Allow to add a service to the servicemanager
+add_service(automotive_display_service, fwk_automotive_display_service);
+
+# Allow to communicate with EVS services
+binder_call(automotive_display_service, hal_evs)
diff --git a/prebuilts/api/33.0/private/binderservicedomain.te b/prebuilts/api/33.0/private/binderservicedomain.te
new file mode 100644
index 0000000..7275954
--- /dev/null
+++ b/prebuilts/api/33.0/private/binderservicedomain.te
@@ -0,0 +1,24 @@
+# Rules common to all binder service domains
+
+# Allow dumpstate and incidentd to collect information from binder services
+allow binderservicedomain { dumpstate incidentd }:fd use;
+allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
+allow binderservicedomain shell_data_file:file { getattr write };
+
+# Allow dumpsys to work from adb shell or the serial console
+allow binderservicedomain devpts:chr_file rw_file_perms;
+allow binderservicedomain console_device:chr_file rw_file_perms;
+
+# Receive and write to a pipe received over Binder from an app.
+allow binderservicedomain appdomain:fd use;
+allow binderservicedomain appdomain:fifo_file write;
+
+# allow all services to run permission checks
+allow binderservicedomain permission_service:service_manager find;
+
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow binderservicedomain keystore:keystore2 { get_state };
+allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
+
+use_keystore(binderservicedomain)
diff --git a/prebuilts/api/33.0/private/blank_screen.te b/prebuilts/api/33.0/private/blank_screen.te
new file mode 100644
index 0000000..20d50cc
--- /dev/null
+++ b/prebuilts/api/33.0/private/blank_screen.te
@@ -0,0 +1,7 @@
+type blank_screen, domain, coredomain;
+type blank_screen_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(blank_screen)
+
+# hal_light_client has access to hal_light_server
+hal_client_domain(blank_screen, hal_light)
diff --git a/prebuilts/api/33.0/private/blkid.te b/prebuilts/api/33.0/private/blkid.te
new file mode 100644
index 0000000..4e972ab
--- /dev/null
+++ b/prebuilts/api/33.0/private/blkid.te
@@ -0,0 +1,22 @@
+# blkid called from vold
+
+typeattribute blkid coredomain;
+
+type blkid_exec, system_file_type, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow * blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/private/blkid_untrusted.te b/prebuilts/api/33.0/private/blkid_untrusted.te
similarity index 100%
rename from prebuilts/api/26.0/private/blkid_untrusted.te
rename to prebuilts/api/33.0/private/blkid_untrusted.te
diff --git a/prebuilts/api/33.0/private/bluetooth.te b/prebuilts/api/33.0/private/bluetooth.te
new file mode 100644
index 0000000..d548e80
--- /dev/null
+++ b/prebuilts/api/33.0/private/bluetooth.te
@@ -0,0 +1,95 @@
+# bluetooth app
+
+typeattribute bluetooth coredomain, mlstrustedsubject;
+
+app_domain(bluetooth)
+net_domain(bluetooth)
+
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
+
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
+
+wakelock_use(bluetooth);
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set { create_file_perms link };
+allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
+allow bluetooth bluetooth_logs_data_file:file create_file_perms;
+
+# Socket creation under /data/misc/bluedroid.
+allow bluetooth bluetooth_socket:sock_file create_file_perms;
+
+allow bluetooth self:global_capability_class_set net_admin;
+allow bluetooth self:global_capability2_class_set wake_alarm;
+
+# tethering
+allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
+allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
+allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
+allow bluetooth tun_device:chr_file rw_file_perms;
+allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow bluetooth efs_file:dir search;
+
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
+allow bluetooth gpu_device:chr_file rw_file_perms;
+allow bluetooth gpu_device:dir r_dir_perms;
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# For Bluetooth to check what profile are available
+allow bluetooth proc_filesystems:file r_file_perms;
+get_prop(bluetooth, incremental_prop)
+
+# Allow write access to bluetooth specific properties
+set_prop(bluetooth, binder_cache_bluetooth_server_prop);
+neverallow { domain -bluetooth -init }
+ binder_cache_bluetooth_server_prop:property_service set;
+set_prop(bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(bluetooth, bluetooth_audio_hal_prop)
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, exported_bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+
+allow bluetooth audioserver_service:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth drmserver_service:service_manager find;
+allow bluetooth mediaserver_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
+allow bluetooth network_stack_service:service_manager find;
+allow bluetooth system_suspend_control_service:service_manager find;
+allow bluetooth hal_audio_service:service_manager find;
+
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:global_capability_class_set sys_nice;
+
+hal_client_domain(bluetooth, hal_bluetooth)
+hal_client_domain(bluetooth, hal_telephony)
+
+# Bluetooth A2DP offload requires binding with audio HAL
+hal_client_domain(bluetooth, hal_audio)
+
+read_runtime_log_tags(bluetooth)
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
diff --git a/prebuilts/api/26.0/private/bluetoothdomain.te b/prebuilts/api/33.0/private/bluetoothdomain.te
similarity index 100%
rename from prebuilts/api/26.0/private/bluetoothdomain.te
rename to prebuilts/api/33.0/private/bluetoothdomain.te
diff --git a/prebuilts/api/33.0/private/bootanim.te b/prebuilts/api/33.0/private/bootanim.te
new file mode 100644
index 0000000..f4fb0bc
--- /dev/null
+++ b/prebuilts/api/33.0/private/bootanim.te
@@ -0,0 +1,20 @@
+typeattribute bootanim coredomain;
+
+init_daemon_domain(bootanim)
+
+# b/68864350
+dontaudit bootanim unlabeled:dir search;
+
+# Bootanim should not be reading default vendor-defined properties.
+dontaudit bootanim vendor_default_prop:file read;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)
+
+get_prop(bootanim, bootanim_config_prop)
+
+# Allow updating boot animation status.
+set_prop(bootanim, bootanim_system_prop)
+
+# Allow accessing /data/bootanim
+r_dir_file(bootanim, bootanim_data_file)
diff --git a/prebuilts/api/33.0/private/bootstat.te b/prebuilts/api/33.0/private/bootstat.te
new file mode 100644
index 0000000..016292e
--- /dev/null
+++ b/prebuilts/api/33.0/private/bootstat.te
@@ -0,0 +1,34 @@
+typeattribute bootstat coredomain;
+
+init_daemon_domain(bootstat)
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
+
+# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
+set_prop(bootstat, bootloader_boot_reason_prop)
+set_prop(bootstat, system_boot_reason_prop)
+set_prop(bootstat, last_boot_reason_prop)
+
+neverallow {
+ domain
+ -bootanim
+ -bootstat
+ -dumpstate
+ userdebug_or_eng(`-incidentd')
+ -init
+ -recovery
+ -shell
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
+# ... and refine, as these components should not set the last boot reason
+neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -bootstat
+ -init
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
+# ... and refine ... for a ro propertly no less ... keep this _tight_
+neverallow system_server bootloader_boot_reason_prop:property_service set;
diff --git a/prebuilts/api/33.0/private/boringssl_self_test.te b/prebuilts/api/33.0/private/boringssl_self_test.te
new file mode 100644
index 0000000..50fc1fc
--- /dev/null
+++ b/prebuilts/api/33.0/private/boringssl_self_test.te
@@ -0,0 +1,74 @@
+# System and vendor domains for BoringSSL self test binaries.
+#
+# For FIPS compliance, all processes linked against libcrypto perform a startup
+# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once
+# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.
+#
+# The KATs are expensive, and to ensure they are run as few times as possible, they
+# are skipped if a marker file exists in /dev/boringssl/selftest whose name is
+# the hash of the BCM that was computed earlier. The files are zero length and their contents
+# should never be read or written. To avoid giving arbitrary processes access to /dev/boringssl
+# to create these marker files, there are dedicated self test binaries which this policy
+# gives access to and which are run during early-init.
+#
+# Due to build skew, the version of libcrypto in /vendor may have a different hash than
+# the system one. To cater for this there are vendor variants of the self test binaries
+# which also have permission to write to the same files in /dev/boringssl. In the case where
+# vendor and system libcrypto have the same hash, there will be a race to create the file,
+# but this is harmless.
+#
+# If the self tests fail, then the device should reboot into firmware and for this reason
+# the system boringssl_self_test domain needs to be in coredomain. As vendor domains
+# are not allowed in coredomain, this means that the vendor self tests cannot trigger a
+# reboot. However every binary linked against the vendor libcrypto will abort on startup,
+# so in practice the device will crash anyway in this unlikely scenario.
+
+# System boringssl_self_test domain
+type boringssl_self_test, domain, coredomain;
+type boringssl_self_test_exec, system_file_type, exec_type, file_type;
+
+# Vendor boringssl_self_test domain
+type vendor_boringssl_self_test, domain;
+type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;
+
+# Switch to boringssl_self_test security domain when running boringssl_self_test_exec
+init_daemon_domain(boringssl_self_test)
+
+# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec
+init_daemon_domain(vendor_boringssl_self_test)
+
+# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto
+#
+# The files are zero length so there is no issue if both vendor and system code
+# try to create the same file simultaneously. One will succeed and the other will fail
+# silently, i.e. still indicate success. Similar harmless naming collisions will happen in the
+# system domain e.g. when system and APEX copies of libcrypto are identical.
+type boringssl_self_test_marker, file_type;
+
+# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files
+allow { boringssl_self_test vendor_boringssl_self_test }
+ boringssl_self_test_marker:file create_file_perms;
+allow { boringssl_self_test vendor_boringssl_self_test }
+ boringssl_self_test_marker:dir ra_dir_perms;
+
+# Allow self test binaries to write their stdout/stderr messages to kmsg_debug
+allow { boringssl_self_test vendor_boringssl_self_test }
+ kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
+
+# No other process should be able to create marker files because their existence causes the
+# boringssl KAT to be skipped.
+neverallow {
+ domain
+ -vendor_boringssl_self_test
+ -boringssl_self_test
+ -init
+ -vendor_init
+} boringssl_self_test_marker:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -vendor_boringssl_self_test
+ -boringssl_self_test
+ -init
+ -vendor_init
+} boringssl_self_test_marker:dir write;
diff --git a/prebuilts/api/33.0/private/bpfdomain.te b/prebuilts/api/33.0/private/bpfdomain.te
new file mode 100644
index 0000000..2be7f88
--- /dev/null
+++ b/prebuilts/api/33.0/private/bpfdomain.te
@@ -0,0 +1,14 @@
+# platform should have ownership of network attachpoints for BPF
+neverallow {
+ bpfdomain
+ -bpfloader
+ -netd
+ -netutils_wrapper
+ -network_stack
+ -system_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# any domain which uses bpf is a bpfdomain
+neverallow { domain -bpfdomain } *:bpf *;
+
+allow bpfdomain fs_bpf:dir search;
diff --git a/prebuilts/api/33.0/private/bpfloader.te b/prebuilts/api/33.0/private/bpfloader.te
new file mode 100644
index 0000000..d7b27b5
--- /dev/null
+++ b/prebuilts/api/33.0/private/bpfloader.te
@@ -0,0 +1,66 @@
+type bpfloader_exec, system_file_type, exec_type, file_type;
+
+typeattribute bpfloader bpfdomain;
+
+# allow bpfloader to write to the kernel log (starts early)
+allow bpfloader kmsg_device:chr_file w_file_perms;
+
+# These permissions are required to pin ebpf maps & programs.
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
+allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
+
+# Allow bpfloader to create bpf maps and programs.
+allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
+
+allow bpfloader self:capability { chown sys_admin net_admin };
+
+allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
+
+set_prop(bpfloader, bpf_progs_loaded_prop)
+
+allow bpfloader bpfloader_exec:file execute_no_trans;
+
+###
+### Neverallow rules
+###
+
+# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
+neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
+
+neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+
+neverallow {
+ domain
+ -bpfloader
+ -gpuservice
+ -hal_health_server
+ -mediaprovider_app
+ -netd
+ -netutils_wrapper
+ -network_stack
+ -system_server
+} *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+
+neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+
+neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
+
+# No domain should be allowed to ptrace bpfloader
+neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
+
+# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
+# this should perhaps be moved to the bpfloader binary itself. Allow both.
+neverallow { domain -bpfloader -init } proc_bpf:file write;
diff --git a/prebuilts/api/26.0/private/bufferhubd.te b/prebuilts/api/33.0/private/bufferhubd.te
similarity index 100%
rename from prebuilts/api/26.0/private/bufferhubd.te
rename to prebuilts/api/33.0/private/bufferhubd.te
diff --git a/prebuilts/api/33.0/private/bug_map b/prebuilts/api/33.0/private/bug_map
new file mode 100644
index 0000000..083c213
--- /dev/null
+++ b/prebuilts/api/33.0/private/bug_map
@@ -0,0 +1,35 @@
+dnsmasq netd fifo_file b/77868789
+dnsmasq netd unix_stream_socket b/77868789
+gmscore_app system_data_file dir b/146166941
+init app_data_file file b/77873135
+init cache_file blk_file b/77873135
+init logpersist file b/77873135
+init nativetest_data_file dir b/77873135
+init pstorefs dir b/77873135
+init shell_data_file dir b/77873135
+init shell_data_file file b/77873135
+init shell_data_file lnk_file b/77873135
+init shell_data_file sock_file b/77873135
+init system_data_file chr_file b/77873135
+isolated_app privapp_data_file dir b/119596573
+isolated_app app_data_file dir b/120394782
+mediaextractor app_data_file file b/77923736
+mediaextractor radio_data_file file b/77923736
+mediaprovider cache_file blk_file b/77925342
+mediaprovider mnt_media_rw_file dir b/77925342
+mediaprovider shell_data_file dir b/77925342
+mediaswcodec ashmem_device chr_file b/142679232
+netd priv_app unix_stream_socket b/77870037
+netd untrusted_app unix_stream_socket b/77870037
+netd untrusted_app_25 unix_stream_socket b/77870037
+netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
+platform_app nfc_data_file dir b/74331887
+system_server overlayfs_file file b/142390309
+system_server sdcardfs file b/77856826
+system_server system_server capability b/228030183
+system_server zygote process b/77856826
+untrusted_app untrusted_app netlink_route_socket b/155595000
+vold system_data_file file b/124108085
+zygote untrusted_app_25 process b/77925912
+zygote labeledfs filesystem b/170748799
diff --git a/prebuilts/api/33.0/private/cameraserver.te b/prebuilts/api/33.0/private/cameraserver.te
new file mode 100644
index 0000000..96d7dbd
--- /dev/null
+++ b/prebuilts/api/33.0/private/cameraserver.te
@@ -0,0 +1,9 @@
+typeattribute cameraserver coredomain;
+
+typeattribute cameraserver camera_service_server;
+
+init_daemon_domain(cameraserver)
+tmpfs_domain(cameraserver)
+
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver gpu_device:dir r_dir_perms;
diff --git a/prebuilts/api/33.0/private/canhalconfigurator.te b/prebuilts/api/33.0/private/canhalconfigurator.te
new file mode 100644
index 0000000..9ba60ac
--- /dev/null
+++ b/prebuilts/api/33.0/private/canhalconfigurator.te
@@ -0,0 +1,7 @@
+type canhalconfigurator, domain, coredomain;
+type canhalconfigurator_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(canhalconfigurator)
+
+# This allows the configurator to look up the CAN HAL controller via
+# hwservice_manager and communicate with it.
+hal_client_domain(canhalconfigurator, hal_can_controller)
diff --git a/prebuilts/api/33.0/private/charger.te b/prebuilts/api/33.0/private/charger.te
new file mode 100644
index 0000000..c5f3a50
--- /dev/null
+++ b/prebuilts/api/33.0/private/charger.te
@@ -0,0 +1,20 @@
+typeattribute charger coredomain;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+# The system charger needs to be allowed to set these properties on legacy devices.
+set_prop(charger, system_prop)
+set_prop(charger, exported_system_prop)
+set_prop(charger, exported3_system_prop)
+
+# The system charger can read ro.charger.*
+get_prop(charger, charger_prop)
+
+compatible_property_only(`
+ neverallow {
+ domain
+ -init
+ -dumpstate
+ -charger
+ } charger_prop:file no_rw_file_perms;
+')
diff --git a/prebuilts/api/33.0/private/charger_type.te b/prebuilts/api/33.0/private/charger_type.te
new file mode 100644
index 0000000..3647496
--- /dev/null
+++ b/prebuilts/api/33.0/private/charger_type.te
@@ -0,0 +1,38 @@
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger_type, charger_status_prop)
+get_prop(charger_type, charger_config_prop)
+
+# get minui properties
+get_prop(charger_type, recovery_config_prop)
+
+### Neverallow rules for charger properties
+
+# charger_config_prop: Only init and vendor_init is allowed to set it
+neverallow {
+ domain
+ -init
+ -vendor_init
+} charger_config_prop:property_service set;
+
+# charger_status_prop: Only init, vendor_init, charger, and charger_vendor
+# are allowed to set it
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -charger
+ -charger_vendor
+} charger_status_prop:property_service set;
+
+# Both charger_config_prop and charger_status_prop:
+# Only init, vendor_init, dumpstate, charger, and charger_vendor
+# are allowed to read it
+neverallow {
+ domain
+ -init
+ -dumpstate
+ -vendor_init
+ -charger
+ -charger_vendor
+} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/prebuilts/api/33.0/private/clatd.te b/prebuilts/api/33.0/private/clatd.te
new file mode 100644
index 0000000..1f21d69
--- /dev/null
+++ b/prebuilts/api/33.0/private/clatd.te
@@ -0,0 +1,13 @@
+# 464xlat daemon
+type clatd, domain, coredomain;
+type clatd_exec, system_file_type, exec_type, file_type;
+
+net_domain(clatd)
+
+# Access objects inherited from system_server.
+allow clatd system_server:fd use;
+allow clatd system_server:packet_socket { read write };
+allow clatd system_server:rawip_socket { read write };
+
+allow clatd self:netlink_route_socket nlmsg_write;
+allow clatd tun_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/33.0/private/compat/28.0/28.0.cil b/prebuilts/api/33.0/private/compat/28.0/28.0.cil
new file mode 100644
index 0000000..321e938
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/28.0/28.0.cil
@@ -0,0 +1,1744 @@
+;; attributes removed from current policy
+(typeattribute hal_wifi_offload)
+(typeattribute hal_wifi_offload_client)
+(typeattribute hal_wifi_offload_server)
+
+;; types removed from current policy
+(type alarm_device)
+(type audio_seq_device)
+(type audio_timer_device)
+(type commontime_management_service)
+(type cpuctl_device)
+(type full_device)
+(type hal_wifi_offload_hwservice)
+(type i2c_device)
+(type kmem_device)
+(type mediacodec)
+(type mediacodec_exec)
+(type mediaextractor_update_service)
+(type mtd_device)
+(type netd_socket)
+(type qtaguid_proc)
+(type thermalcallback_hwservice)
+(type thermalserviced)
+(type thermalserviced_exec)
+(type untrusted_v2_app)
+(type vcs_device)
+
+;; Public 28.0 SEPolicy is divergent on different devices w.r.t
+;; exported_audio_prop type. We need this typeattribute declaration so that the
+;; mapping file compiles with vendor policies without exported_audio_prop type.
+(typeattribute exported_audio_prop_28_0)
+
+(expandtypeattribute (accessibility_service_28_0) true)
+(expandtypeattribute (account_service_28_0) true)
+(expandtypeattribute (activity_service_28_0) true)
+(expandtypeattribute (adbd_28_0) true)
+(expandtypeattribute (adb_data_file_28_0) true)
+(expandtypeattribute (adbd_exec_28_0) true)
+(expandtypeattribute (adbd_socket_28_0) true)
+(expandtypeattribute (adb_keys_file_28_0) true)
+(expandtypeattribute (alarm_device_28_0) true)
+(expandtypeattribute (alarm_service_28_0) true)
+(expandtypeattribute (anr_data_file_28_0) true)
+(expandtypeattribute (apk_data_file_28_0) true)
+(expandtypeattribute (apk_private_data_file_28_0) true)
+(expandtypeattribute (apk_private_tmp_file_28_0) true)
+(expandtypeattribute (apk_tmp_file_28_0) true)
+(expandtypeattribute (app_data_file_28_0) true)
+(expandtypeattribute (app_fuse_file_28_0) true)
+(expandtypeattribute (app_fusefs_28_0) true)
+(expandtypeattribute (appops_service_28_0) true)
+(expandtypeattribute (appwidget_service_28_0) true)
+(expandtypeattribute (asec_apk_file_28_0) true)
+(expandtypeattribute (asec_image_file_28_0) true)
+(expandtypeattribute (asec_public_file_28_0) true)
+(expandtypeattribute (ashmem_device_28_0) true)
+(expandtypeattribute (assetatlas_service_28_0) true)
+(expandtypeattribute (audio_data_file_28_0) true)
+(expandtypeattribute (audio_device_28_0) true)
+(expandtypeattribute (audiohal_data_file_28_0) true)
+(expandtypeattribute (audio_prop_28_0) true)
+(expandtypeattribute (audio_seq_device_28_0) true)
+(expandtypeattribute (audioserver_28_0) true)
+(expandtypeattribute (audioserver_data_file_28_0) true)
+(expandtypeattribute (audioserver_service_28_0) true)
+(expandtypeattribute (audio_service_28_0) true)
+(expandtypeattribute (audio_timer_device_28_0) true)
+(expandtypeattribute (autofill_service_28_0) true)
+(expandtypeattribute (backup_data_file_28_0) true)
+(expandtypeattribute (backup_service_28_0) true)
+(expandtypeattribute (batteryproperties_service_28_0) true)
+(expandtypeattribute (battery_service_28_0) true)
+(expandtypeattribute (batterystats_service_28_0) true)
+(expandtypeattribute (binder_calls_stats_service_28_0) true)
+(expandtypeattribute (binder_device_28_0) true)
+(expandtypeattribute (binfmt_miscfs_28_0) true)
+(expandtypeattribute (blkid_28_0) true)
+(expandtypeattribute (blkid_untrusted_28_0) true)
+(expandtypeattribute (block_device_28_0) true)
+(expandtypeattribute (bluetooth_28_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_28_0) true)
+(expandtypeattribute (bluetooth_data_file_28_0) true)
+(expandtypeattribute (bluetooth_efs_file_28_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_28_0) true)
+(expandtypeattribute (bluetooth_manager_service_28_0) true)
+(expandtypeattribute (bluetooth_prop_28_0) true)
+(expandtypeattribute (bluetooth_service_28_0) true)
+(expandtypeattribute (bluetooth_socket_28_0) true)
+(expandtypeattribute (bootanim_28_0) true)
+(expandtypeattribute (bootanim_exec_28_0) true)
+(expandtypeattribute (boot_block_device_28_0) true)
+(expandtypeattribute (bootchart_data_file_28_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_28_0) true)
+(expandtypeattribute (bootstat_28_0) true)
+(expandtypeattribute (bootstat_data_file_28_0) true)
+(expandtypeattribute (bootstat_exec_28_0) true)
+(expandtypeattribute (boottime_prop_28_0) true)
+(expandtypeattribute (boottrace_data_file_28_0) true)
+(expandtypeattribute (broadcastradio_service_28_0) true)
+(expandtypeattribute (bufferhubd_28_0) true)
+(expandtypeattribute (bufferhubd_exec_28_0) true)
+(expandtypeattribute (cache_backup_file_28_0) true)
+(expandtypeattribute (cache_block_device_28_0) true)
+(expandtypeattribute (cache_file_28_0) true)
+(expandtypeattribute (cache_private_backup_file_28_0) true)
+(expandtypeattribute (cache_recovery_file_28_0) true)
+(expandtypeattribute (camera_data_file_28_0) true)
+(expandtypeattribute (camera_device_28_0) true)
+(expandtypeattribute (cameraproxy_service_28_0) true)
+(expandtypeattribute (cameraserver_28_0) true)
+(expandtypeattribute (cameraserver_exec_28_0) true)
+(expandtypeattribute (cameraserver_service_28_0) true)
+(expandtypeattribute (cgroup_28_0) true)
+(expandtypeattribute (cgroup_bpf_28_0) true)
+(expandtypeattribute (charger_28_0) true)
+(expandtypeattribute (clatd_28_0) true)
+(expandtypeattribute (clatd_exec_28_0) true)
+(expandtypeattribute (clipboard_service_28_0) true)
+(expandtypeattribute (commontime_management_service_28_0) true)
+(expandtypeattribute (companion_device_service_28_0) true)
+(expandtypeattribute (configfs_28_0) true)
+(expandtypeattribute (config_prop_28_0) true)
+(expandtypeattribute (connectivity_service_28_0) true)
+(expandtypeattribute (connmetrics_service_28_0) true)
+(expandtypeattribute (console_device_28_0) true)
+(expandtypeattribute (consumer_ir_service_28_0) true)
+(expandtypeattribute (content_service_28_0) true)
+(expandtypeattribute (contexthub_service_28_0) true)
+(expandtypeattribute (coredump_file_28_0) true)
+(expandtypeattribute (country_detector_service_28_0) true)
+(expandtypeattribute (coverage_service_28_0) true)
+(expandtypeattribute (cppreopt_prop_28_0) true)
+(expandtypeattribute (cppreopts_28_0) true)
+(expandtypeattribute (cppreopts_exec_28_0) true)
+(expandtypeattribute (cpuctl_device_28_0) true)
+(expandtypeattribute (cpuinfo_service_28_0) true)
+(expandtypeattribute (crash_dump_28_0) true)
+(expandtypeattribute (crash_dump_exec_28_0) true)
+(expandtypeattribute (crossprofileapps_service_28_0) true)
+(expandtypeattribute (ctl_bootanim_prop_28_0) true)
+(expandtypeattribute (ctl_bugreport_prop_28_0) true)
+(expandtypeattribute (ctl_console_prop_28_0) true)
+(expandtypeattribute (ctl_default_prop_28_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_28_0) true)
+(expandtypeattribute (ctl_fuse_prop_28_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_28_0) true)
+(expandtypeattribute (ctl_interface_start_prop_28_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_28_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_28_0) true)
+(expandtypeattribute (ctl_restart_prop_28_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_28_0) true)
+(expandtypeattribute (ctl_sigstop_prop_28_0) true)
+(expandtypeattribute (ctl_start_prop_28_0) true)
+(expandtypeattribute (ctl_stop_prop_28_0) true)
+(expandtypeattribute (dalvikcache_data_file_28_0) true)
+(expandtypeattribute (dalvik_prop_28_0) true)
+(expandtypeattribute (dbinfo_service_28_0) true)
+(expandtypeattribute (debugfs_28_0) true)
+(expandtypeattribute (debugfs_mmc_28_0) true)
+(expandtypeattribute (debugfs_trace_marker_28_0) true)
+(expandtypeattribute (debugfs_tracing_28_0) true)
+(expandtypeattribute (debugfs_tracing_debug_28_0) true)
+(expandtypeattribute (debugfs_tracing_instances_28_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_28_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_28_0) true)
+(expandtypeattribute (debuggerd_prop_28_0) true)
+(expandtypeattribute (debug_prop_28_0) true)
+(expandtypeattribute (default_android_hwservice_28_0) true)
+(expandtypeattribute (default_android_service_28_0) true)
+(expandtypeattribute (default_android_vndservice_28_0) true)
+(expandtypeattribute (default_prop_28_0) true)
+(expandtypeattribute (device_28_0) true)
+(expandtypeattribute (device_identifiers_service_28_0) true)
+(expandtypeattribute (deviceidle_service_28_0) true)
+(expandtypeattribute (device_logging_prop_28_0) true)
+(expandtypeattribute (device_policy_service_28_0) true)
+(expandtypeattribute (devicestoragemonitor_service_28_0) true)
+(expandtypeattribute (devpts_28_0) true)
+(expandtypeattribute (dex2oat_28_0) true)
+(expandtypeattribute (dex2oat_exec_28_0) true)
+(expandtypeattribute (dhcp_28_0) true)
+(expandtypeattribute (dhcp_data_file_28_0) true)
+(expandtypeattribute (dhcp_exec_28_0) true)
+(expandtypeattribute (dhcp_prop_28_0) true)
+(expandtypeattribute (diskstats_service_28_0) true)
+(expandtypeattribute (display_service_28_0) true)
+(expandtypeattribute (dm_device_28_0) true)
+(expandtypeattribute (dnsmasq_28_0) true)
+(expandtypeattribute (dnsmasq_exec_28_0) true)
+(expandtypeattribute (dnsproxyd_socket_28_0) true)
+(expandtypeattribute (DockObserver_service_28_0) true)
+(expandtypeattribute (dreams_service_28_0) true)
+(expandtypeattribute (drm_data_file_28_0) true)
+(expandtypeattribute (drmserver_28_0) true)
+(expandtypeattribute (drmserver_exec_28_0) true)
+(expandtypeattribute (drmserver_service_28_0) true)
+(expandtypeattribute (drmserver_socket_28_0) true)
+(expandtypeattribute (dropbox_service_28_0) true)
+(expandtypeattribute (dumpstate_28_0) true)
+(expandtypeattribute (dumpstate_exec_28_0) true)
+(expandtypeattribute (dumpstate_options_prop_28_0) true)
+(expandtypeattribute (dumpstate_prop_28_0) true)
+(expandtypeattribute (dumpstate_service_28_0) true)
+(expandtypeattribute (dumpstate_socket_28_0) true)
+(expandtypeattribute (e2fs_28_0) true)
+(expandtypeattribute (e2fs_exec_28_0) true)
+(expandtypeattribute (efs_file_28_0) true)
+(expandtypeattribute (ephemeral_app_28_0) true)
+(expandtypeattribute (ethernet_service_28_0) true)
+(expandtypeattribute (exfat_28_0) true)
+(expandtypeattribute (exported2_config_prop_28_0) true)
+(expandtypeattribute (exported2_default_prop_28_0) true)
+(expandtypeattribute (exported2_radio_prop_28_0) true)
+(expandtypeattribute (exported2_system_prop_28_0) true)
+(expandtypeattribute (exported2_vold_prop_28_0) true)
+(expandtypeattribute (exported3_default_prop_28_0) true)
+(expandtypeattribute (exported3_radio_prop_28_0) true)
+(expandtypeattribute (exported3_system_prop_28_0) true)
+(expandtypeattribute (exported_audio_prop_28_0) true)
+(expandtypeattribute (exported_bluetooth_prop_28_0) true)
+(expandtypeattribute (exported_config_prop_28_0) true)
+(expandtypeattribute (exported_dalvik_prop_28_0) true)
+(expandtypeattribute (exported_default_prop_28_0) true)
+(expandtypeattribute (exported_dumpstate_prop_28_0) true)
+(expandtypeattribute (exported_ffs_prop_28_0) true)
+(expandtypeattribute (exported_fingerprint_prop_28_0) true)
+(expandtypeattribute (exported_overlay_prop_28_0) true)
+(expandtypeattribute (exported_pm_prop_28_0) true)
+(expandtypeattribute (exported_radio_prop_28_0) true)
+(expandtypeattribute (exported_secure_prop_28_0) true)
+(expandtypeattribute (exported_system_prop_28_0) true)
+(expandtypeattribute (exported_system_radio_prop_28_0) true)
+(expandtypeattribute (exported_vold_prop_28_0) true)
+(expandtypeattribute (exported_wifi_prop_28_0) true)
+(expandtypeattribute (ffs_prop_28_0) true)
+(expandtypeattribute (file_contexts_file_28_0) true)
+(expandtypeattribute (fingerprintd_28_0) true)
+(expandtypeattribute (fingerprintd_data_file_28_0) true)
+(expandtypeattribute (fingerprintd_exec_28_0) true)
+(expandtypeattribute (fingerprintd_service_28_0) true)
+(expandtypeattribute (fingerprint_prop_28_0) true)
+(expandtypeattribute (fingerprint_service_28_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_28_0) true)
+(expandtypeattribute (firstboot_prop_28_0) true)
+(expandtypeattribute (font_service_28_0) true)
+(expandtypeattribute (frp_block_device_28_0) true)
+(expandtypeattribute (fs_bpf_28_0) true)
+(expandtypeattribute (fsck_28_0) true)
+(expandtypeattribute (fsck_exec_28_0) true)
+(expandtypeattribute (fscklogs_28_0) true)
+(expandtypeattribute (fsck_untrusted_28_0) true)
+(expandtypeattribute (full_device_28_0) true)
+(expandtypeattribute (functionfs_28_0) true)
+(expandtypeattribute (fuse_28_0) true)
+(expandtypeattribute (fuse_device_28_0) true)
+(expandtypeattribute (fwk_display_hwservice_28_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_28_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_28_0) true)
+(expandtypeattribute (fwmarkd_socket_28_0) true)
+(expandtypeattribute (gatekeeperd_28_0) true)
+(expandtypeattribute (gatekeeper_data_file_28_0) true)
+(expandtypeattribute (gatekeeperd_exec_28_0) true)
+(expandtypeattribute (gatekeeper_service_28_0) true)
+(expandtypeattribute (gfxinfo_service_28_0) true)
+(expandtypeattribute (gps_control_28_0) true)
+(expandtypeattribute (gpu_device_28_0) true)
+(expandtypeattribute (gpu_service_28_0) true)
+(expandtypeattribute (graphics_device_28_0) true)
+(expandtypeattribute (graphicsstats_service_28_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_28_0) true)
+(expandtypeattribute (hal_audio_hwservice_28_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_28_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_28_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_28_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_28_0) true)
+(expandtypeattribute (hal_camera_hwservice_28_0) true)
+(expandtypeattribute (hal_cas_hwservice_28_0) true)
+(expandtypeattribute (hal_codec2_hwservice_28_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_28_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_28_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_28_0) true)
+(expandtypeattribute (hal_drm_hwservice_28_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_28_0) true)
+(expandtypeattribute (hal_evs_hwservice_28_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_28_0) true)
+(expandtypeattribute (hal_fingerprint_service_28_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_28_0) true)
+(expandtypeattribute (hal_gnss_hwservice_28_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_28_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_28_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_28_0) true)
+(expandtypeattribute (hal_health_hwservice_28_0) true)
+(expandtypeattribute (hal_ir_hwservice_28_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_28_0) true)
+(expandtypeattribute (hal_light_hwservice_28_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_28_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_28_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_28_0) true)
+(expandtypeattribute (hal_nfc_hwservice_28_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_28_0) true)
+(expandtypeattribute (hal_omx_hwservice_28_0) true)
+(expandtypeattribute (hal_power_hwservice_28_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_28_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_28_0) true)
+(expandtypeattribute (hal_sensors_hwservice_28_0) true)
+(expandtypeattribute (hal_telephony_hwservice_28_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_28_0) true)
+(expandtypeattribute (hal_thermal_hwservice_28_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_28_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_28_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_28_0) true)
+(expandtypeattribute (hal_usb_hwservice_28_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_28_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_28_0) true)
+(expandtypeattribute (hal_vr_hwservice_28_0) true)
+(expandtypeattribute (hal_weaver_hwservice_28_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_28_0) true)
+(expandtypeattribute (hal_wifi_hwservice_28_0) true)
+(expandtypeattribute (hal_wifi_offload_hwservice_28_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_28_0) true)
+(expandtypeattribute (hardware_properties_service_28_0) true)
+(expandtypeattribute (hardware_service_28_0) true)
+(expandtypeattribute (hci_attach_dev_28_0) true)
+(expandtypeattribute (hdmi_control_service_28_0) true)
+(expandtypeattribute (healthd_28_0) true)
+(expandtypeattribute (healthd_exec_28_0) true)
+(expandtypeattribute (heapdump_data_file_28_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_28_0) true)
+(expandtypeattribute (hidl_base_hwservice_28_0) true)
+(expandtypeattribute (hidl_manager_hwservice_28_0) true)
+(expandtypeattribute (hidl_memory_hwservice_28_0) true)
+(expandtypeattribute (hidl_token_hwservice_28_0) true)
+(expandtypeattribute (hwbinder_device_28_0) true)
+(expandtypeattribute (hw_random_device_28_0) true)
+(expandtypeattribute (hwservice_contexts_file_28_0) true)
+(expandtypeattribute (hwservicemanager_28_0) true)
+(expandtypeattribute (hwservicemanager_exec_28_0) true)
+(expandtypeattribute (hwservicemanager_prop_28_0) true)
+(expandtypeattribute (i2c_device_28_0) true)
+(expandtypeattribute (icon_file_28_0) true)
+(expandtypeattribute (idmap_28_0) true)
+(expandtypeattribute (idmap_exec_28_0) true)
+(expandtypeattribute (iio_device_28_0) true)
+(expandtypeattribute (imms_service_28_0) true)
+(expandtypeattribute (incident_28_0) true)
+(expandtypeattribute (incidentd_28_0) true)
+(expandtypeattribute (incident_data_file_28_0) true)
+(expandtypeattribute (incident_helper_28_0) true)
+(expandtypeattribute (incident_service_28_0) true)
+(expandtypeattribute (init_28_0) true)
+(expandtypeattribute (init_exec_28_0) true)
+(expandtypeattribute (inotify_28_0) true)
+(expandtypeattribute (input_device_28_0) true)
+(expandtypeattribute (inputflinger_28_0) true)
+(expandtypeattribute (inputflinger_exec_28_0) true)
+(expandtypeattribute (inputflinger_service_28_0) true)
+(expandtypeattribute (input_method_service_28_0) true)
+(expandtypeattribute (input_service_28_0) true)
+(expandtypeattribute (installd_28_0) true)
+(expandtypeattribute (install_data_file_28_0) true)
+(expandtypeattribute (installd_exec_28_0) true)
+(expandtypeattribute (installd_service_28_0) true)
+(expandtypeattribute (install_recovery_28_0) true)
+(expandtypeattribute (install_recovery_exec_28_0) true)
+(expandtypeattribute (ion_device_28_0) true)
+(expandtypeattribute (IProxyService_service_28_0) true)
+(expandtypeattribute (ipsec_service_28_0) true)
+(expandtypeattribute (isolated_app_28_0) true)
+(expandtypeattribute (jobscheduler_service_28_0) true)
+(expandtypeattribute (kernel_28_0) true)
+(expandtypeattribute (keychain_data_file_28_0) true)
+(expandtypeattribute (keychord_device_28_0) true)
+(expandtypeattribute (keystore_28_0) true)
+(expandtypeattribute (keystore_data_file_28_0) true)
+(expandtypeattribute (keystore_exec_28_0) true)
+(expandtypeattribute (keystore_service_28_0) true)
+(expandtypeattribute (kmem_device_28_0) true)
+(expandtypeattribute (kmsg_debug_device_28_0) true)
+(expandtypeattribute (kmsg_device_28_0) true)
+(expandtypeattribute (labeledfs_28_0) true)
+(expandtypeattribute (last_boot_reason_prop_28_0) true)
+(expandtypeattribute (launcherapps_service_28_0) true)
+(expandtypeattribute (lmkd_28_0) true)
+(expandtypeattribute (lmkd_exec_28_0) true)
+(expandtypeattribute (lmkd_socket_28_0) true)
+(expandtypeattribute (location_service_28_0) true)
+(expandtypeattribute (lock_settings_service_28_0) true)
+(expandtypeattribute (logcat_exec_28_0) true)
+(expandtypeattribute (logd_28_0) true)
+(expandtypeattribute (logd_exec_28_0) true)
+(expandtypeattribute (logd_prop_28_0) true)
+(expandtypeattribute (logdr_socket_28_0) true)
+(expandtypeattribute (logd_socket_28_0) true)
+(expandtypeattribute (logdw_socket_28_0) true)
+(expandtypeattribute (logpersist_28_0) true)
+(expandtypeattribute (logpersistd_logging_prop_28_0) true)
+(expandtypeattribute (log_prop_28_0) true)
+(expandtypeattribute (log_tag_prop_28_0) true)
+(expandtypeattribute (loop_control_device_28_0) true)
+(expandtypeattribute (loop_device_28_0) true)
+(expandtypeattribute (lowpan_device_28_0) true)
+(expandtypeattribute (lowpan_prop_28_0) true)
+(expandtypeattribute (lowpan_service_28_0) true)
+(expandtypeattribute (mac_perms_file_28_0) true)
+(expandtypeattribute (mdnsd_28_0) true)
+(expandtypeattribute (mdnsd_socket_28_0) true)
+(expandtypeattribute (mdns_socket_28_0) true)
+(expandtypeattribute (mediacodec_28_0) true)
+(expandtypeattribute (mediacodec_exec_28_0) true)
+(expandtypeattribute (mediacodec_service_28_0) true)
+(expandtypeattribute (media_data_file_28_0) true)
+(expandtypeattribute (mediadrmserver_28_0) true)
+(expandtypeattribute (mediadrmserver_exec_28_0) true)
+(expandtypeattribute (mediadrmserver_service_28_0) true)
+(expandtypeattribute (mediaextractor_28_0) true)
+(expandtypeattribute (mediaextractor_exec_28_0) true)
+(expandtypeattribute (mediaextractor_service_28_0) true)
+(expandtypeattribute (mediaextractor_update_service_28_0) true)
+(expandtypeattribute (mediametrics_28_0) true)
+(expandtypeattribute (mediametrics_exec_28_0) true)
+(expandtypeattribute (mediametrics_service_28_0) true)
+(expandtypeattribute (media_projection_service_28_0) true)
+(expandtypeattribute (mediaprovider_28_0) true)
+(expandtypeattribute (media_router_service_28_0) true)
+(expandtypeattribute (media_rw_data_file_28_0) true)
+(expandtypeattribute (mediaserver_28_0) true)
+(expandtypeattribute (mediaserver_exec_28_0) true)
+(expandtypeattribute (mediaserver_service_28_0) true)
+(expandtypeattribute (media_session_service_28_0) true)
+(expandtypeattribute (meminfo_service_28_0) true)
+(expandtypeattribute (metadata_block_device_28_0) true)
+(expandtypeattribute (metadata_file_28_0) true)
+(expandtypeattribute (method_trace_data_file_28_0) true)
+(expandtypeattribute (midi_service_28_0) true)
+(expandtypeattribute (misc_block_device_28_0) true)
+(expandtypeattribute (misc_logd_file_28_0) true)
+(expandtypeattribute (misc_user_data_file_28_0) true)
+(expandtypeattribute (mmc_prop_28_0) true)
+(expandtypeattribute (mnt_expand_file_28_0) true)
+(expandtypeattribute (mnt_media_rw_file_28_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_28_0) true)
+(expandtypeattribute (mnt_user_file_28_0) true)
+(expandtypeattribute (mnt_vendor_file_28_0) true)
+(expandtypeattribute (modprobe_28_0) true)
+(expandtypeattribute (mount_service_28_0) true)
+(expandtypeattribute (mqueue_28_0) true)
+(expandtypeattribute (mtd_device_28_0) true)
+(expandtypeattribute (mtp_28_0) true)
+(expandtypeattribute (mtp_device_28_0) true)
+(expandtypeattribute (mtpd_socket_28_0) true)
+(expandtypeattribute (mtp_exec_28_0) true)
+(expandtypeattribute (nativetest_data_file_28_0) true)
+(expandtypeattribute (netd_28_0) true)
+(expandtypeattribute (net_data_file_28_0) true)
+(expandtypeattribute (netd_exec_28_0) true)
+(expandtypeattribute (netd_listener_service_28_0) true)
+(expandtypeattribute (net_dns_prop_28_0) true)
+(expandtypeattribute (netd_service_28_0) true)
+(expandtypeattribute (netd_socket_28_0) true)
+(expandtypeattribute (netd_stable_secret_prop_28_0) true)
+(expandtypeattribute (netif_28_0) true)
+(expandtypeattribute (netpolicy_service_28_0) true)
+(expandtypeattribute (net_radio_prop_28_0) true)
+(expandtypeattribute (netstats_service_28_0) true)
+(expandtypeattribute (netutils_wrapper_28_0) true)
+(expandtypeattribute (netutils_wrapper_exec_28_0) true)
+(expandtypeattribute (network_management_service_28_0) true)
+(expandtypeattribute (network_score_service_28_0) true)
+(expandtypeattribute (network_time_update_service_28_0) true)
+(expandtypeattribute (network_watchlist_data_file_28_0) true)
+(expandtypeattribute (network_watchlist_service_28_0) true)
+(expandtypeattribute (nfc_28_0) true)
+(expandtypeattribute (nfc_data_file_28_0) true)
+(expandtypeattribute (nfc_device_28_0) true)
+(expandtypeattribute (nfc_prop_28_0) true)
+(expandtypeattribute (nfc_service_28_0) true)
+(expandtypeattribute (node_28_0) true)
+(expandtypeattribute (nonplat_service_contexts_file_28_0) true)
+(expandtypeattribute (notification_service_28_0) true)
+(expandtypeattribute (null_device_28_0) true)
+(expandtypeattribute (oemfs_28_0) true)
+(expandtypeattribute (oem_lock_service_28_0) true)
+(expandtypeattribute (ota_data_file_28_0) true)
+(expandtypeattribute (otadexopt_service_28_0) true)
+(expandtypeattribute (ota_package_file_28_0) true)
+(expandtypeattribute (otapreopt_chroot_28_0) true)
+(expandtypeattribute (otapreopt_chroot_exec_28_0) true)
+(expandtypeattribute (otapreopt_slot_28_0) true)
+(expandtypeattribute (otapreopt_slot_exec_28_0) true)
+(expandtypeattribute (overlay_prop_28_0) true)
+(expandtypeattribute (overlay_service_28_0) true)
+(expandtypeattribute (owntty_device_28_0) true)
+(expandtypeattribute (package_native_service_28_0) true)
+(expandtypeattribute (package_service_28_0) true)
+(expandtypeattribute (pan_result_prop_28_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_28_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_28_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_28_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_28_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_28_0) true)
+(expandtypeattribute (pdx_display_dir_28_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_28_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_28_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_28_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_28_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_28_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_28_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_28_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_28_0) true)
+(expandtypeattribute (pdx_performance_dir_28_0) true)
+(expandtypeattribute (performanced_28_0) true)
+(expandtypeattribute (performanced_exec_28_0) true)
+(expandtypeattribute (permission_service_28_0) true)
+(expandtypeattribute (persist_debug_prop_28_0) true)
+(expandtypeattribute (persistent_data_block_service_28_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_28_0) true)
+(expandtypeattribute (pinner_service_28_0) true)
+(expandtypeattribute (pipefs_28_0) true)
+(expandtypeattribute (platform_app_28_0) true)
+(expandtypeattribute (pm_prop_28_0) true)
+(expandtypeattribute (pmsg_device_28_0) true)
+(expandtypeattribute (port_28_0) true)
+(expandtypeattribute (port_device_28_0) true)
+(expandtypeattribute (postinstall_28_0) true)
+(expandtypeattribute (postinstall_dexopt_28_0) true)
+(expandtypeattribute (postinstall_file_28_0) true)
+(expandtypeattribute (postinstall_mnt_dir_28_0) true)
+(expandtypeattribute (powerctl_prop_28_0) true)
+(expandtypeattribute (power_service_28_0) true)
+(expandtypeattribute (ppp_28_0) true)
+(expandtypeattribute (ppp_device_28_0) true)
+(expandtypeattribute (ppp_exec_28_0) true)
+(expandtypeattribute (preloads_data_file_28_0) true)
+(expandtypeattribute (preloads_media_file_28_0) true)
+(expandtypeattribute (preopt2cachename_28_0) true)
+(expandtypeattribute (preopt2cachename_exec_28_0) true)
+(expandtypeattribute (print_service_28_0) true)
+(expandtypeattribute (priv_app_28_0) true)
+(expandtypeattribute (proc_28_0) true)
+(expandtypeattribute (proc_abi_28_0) true)
+(expandtypeattribute (proc_asound_28_0) true)
+(expandtypeattribute (proc_bluetooth_writable_28_0) true)
+(expandtypeattribute (proc_buddyinfo_28_0) true)
+(expandtypeattribute (proc_cmdline_28_0) true)
+(expandtypeattribute (proc_cpuinfo_28_0) true)
+(expandtypeattribute (proc_dirty_28_0) true)
+(expandtypeattribute (proc_diskstats_28_0) true)
+(expandtypeattribute (proc_drop_caches_28_0) true)
+(expandtypeattribute (processinfo_service_28_0) true)
+(expandtypeattribute (proc_extra_free_kbytes_28_0) true)
+(expandtypeattribute (proc_filesystems_28_0) true)
+(expandtypeattribute (proc_hostname_28_0) true)
+(expandtypeattribute (proc_hung_task_28_0) true)
+(expandtypeattribute (proc_interrupts_28_0) true)
+(expandtypeattribute (proc_iomem_28_0) true)
+(expandtypeattribute (proc_kmsg_28_0) true)
+(expandtypeattribute (proc_loadavg_28_0) true)
+(expandtypeattribute (proc_max_map_count_28_0) true)
+(expandtypeattribute (proc_meminfo_28_0) true)
+(expandtypeattribute (proc_min_free_order_shift_28_0) true)
+(expandtypeattribute (proc_misc_28_0) true)
+(expandtypeattribute (proc_modules_28_0) true)
+(expandtypeattribute (proc_mounts_28_0) true)
+(expandtypeattribute (proc_net_28_0) true)
+(expandtypeattribute (proc_overcommit_memory_28_0) true)
+(expandtypeattribute (proc_page_cluster_28_0) true)
+(expandtypeattribute (proc_pagetypeinfo_28_0) true)
+(expandtypeattribute (proc_panic_28_0) true)
+(expandtypeattribute (proc_perf_28_0) true)
+(expandtypeattribute (proc_pid_max_28_0) true)
+(expandtypeattribute (proc_pipe_conf_28_0) true)
+(expandtypeattribute (proc_qtaguid_stat_28_0) true)
+(expandtypeattribute (proc_random_28_0) true)
+(expandtypeattribute (proc_sched_28_0) true)
+(expandtypeattribute (proc_security_28_0) true)
+(expandtypeattribute (proc_stat_28_0) true)
+(expandtypeattribute (procstats_service_28_0) true)
+(expandtypeattribute (proc_swaps_28_0) true)
+(expandtypeattribute (proc_sysrq_28_0) true)
+(expandtypeattribute (proc_timer_28_0) true)
+(expandtypeattribute (proc_tty_drivers_28_0) true)
+(expandtypeattribute (proc_uid_concurrent_active_time_28_0) true)
+(expandtypeattribute (proc_uid_concurrent_policy_time_28_0) true)
+(expandtypeattribute (proc_uid_cpupower_28_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_28_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_28_0) true)
+(expandtypeattribute (proc_uid_io_stats_28_0) true)
+(expandtypeattribute (proc_uid_procstat_set_28_0) true)
+(expandtypeattribute (proc_uid_time_in_state_28_0) true)
+(expandtypeattribute (proc_uptime_28_0) true)
+(expandtypeattribute (proc_version_28_0) true)
+(expandtypeattribute (proc_vmallocinfo_28_0) true)
+(expandtypeattribute (proc_vmstat_28_0) true)
+(expandtypeattribute (proc_zoneinfo_28_0) true)
+(expandtypeattribute (profman_28_0) true)
+(expandtypeattribute (profman_dump_data_file_28_0) true)
+(expandtypeattribute (profman_exec_28_0) true)
+(expandtypeattribute (properties_device_28_0) true)
+(expandtypeattribute (properties_serial_28_0) true)
+(expandtypeattribute (property_contexts_file_28_0) true)
+(expandtypeattribute (property_data_file_28_0) true)
+(expandtypeattribute (property_info_28_0) true)
+(expandtypeattribute (property_socket_28_0) true)
+(expandtypeattribute (pstorefs_28_0) true)
+(expandtypeattribute (ptmx_device_28_0) true)
+(expandtypeattribute (qtaguid_device_28_0) true)
+(expandtypeattribute (qtaguid_proc_28_0) true)
+(expandtypeattribute (racoon_28_0) true)
+(expandtypeattribute (racoon_exec_28_0) true)
+(expandtypeattribute (racoon_socket_28_0) true)
+(expandtypeattribute (radio_28_0) true)
+(expandtypeattribute (radio_data_file_28_0) true)
+(expandtypeattribute (radio_device_28_0) true)
+(expandtypeattribute (radio_prop_28_0) true)
+(expandtypeattribute (radio_service_28_0) true)
+(expandtypeattribute (ram_device_28_0) true)
+(expandtypeattribute (random_device_28_0) true)
+(expandtypeattribute (recovery_28_0) true)
+(expandtypeattribute (recovery_block_device_28_0) true)
+(expandtypeattribute (recovery_data_file_28_0) true)
+(expandtypeattribute (recovery_persist_28_0) true)
+(expandtypeattribute (recovery_persist_exec_28_0) true)
+(expandtypeattribute (recovery_refresh_28_0) true)
+(expandtypeattribute (recovery_refresh_exec_28_0) true)
+(expandtypeattribute (recovery_service_28_0) true)
+(expandtypeattribute (registry_service_28_0) true)
+(expandtypeattribute (resourcecache_data_file_28_0) true)
+(expandtypeattribute (restorecon_prop_28_0) true)
+(expandtypeattribute (restrictions_service_28_0) true)
+(expandtypeattribute (rild_debug_socket_28_0) true)
+(expandtypeattribute (rild_socket_28_0) true)
+(expandtypeattribute (ringtone_file_28_0) true)
+(expandtypeattribute (root_block_device_28_0) true)
+(expandtypeattribute (rootfs_28_0) true)
+(expandtypeattribute (rpmsg_device_28_0) true)
+(expandtypeattribute (rtc_device_28_0) true)
+(expandtypeattribute (rttmanager_service_28_0) true)
+(expandtypeattribute (runas_28_0) true)
+(expandtypeattribute (runas_exec_28_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_28_0) true)
+(expandtypeattribute (safemode_prop_28_0) true)
+(expandtypeattribute (same_process_hal_file_28_0) true)
+(expandtypeattribute (samplingprofiler_service_28_0) true)
+(expandtypeattribute (scheduling_policy_service_28_0) true)
+(expandtypeattribute (sdcardd_28_0) true)
+(expandtypeattribute (sdcardd_exec_28_0) true)
+(expandtypeattribute (sdcardfs_28_0) true)
+(expandtypeattribute (seapp_contexts_file_28_0) true)
+(expandtypeattribute (search_service_28_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_28_0) true)
+(expandtypeattribute (secure_element_28_0) true)
+(expandtypeattribute (secure_element_device_28_0) true)
+(expandtypeattribute (secure_element_service_28_0) true)
+(expandtypeattribute (selinuxfs_28_0) true)
+(expandtypeattribute (sensors_device_28_0) true)
+(expandtypeattribute (sensorservice_service_28_0) true)
+(expandtypeattribute (sepolicy_file_28_0) true)
+(expandtypeattribute (serial_device_28_0) true)
+(expandtypeattribute (serialno_prop_28_0) true)
+(expandtypeattribute (serial_service_28_0) true)
+(expandtypeattribute (service_contexts_file_28_0) true)
+(expandtypeattribute (servicediscovery_service_28_0) true)
+(expandtypeattribute (servicemanager_28_0) true)
+(expandtypeattribute (servicemanager_exec_28_0) true)
+(expandtypeattribute (settings_service_28_0) true)
+(expandtypeattribute (sgdisk_28_0) true)
+(expandtypeattribute (sgdisk_exec_28_0) true)
+(expandtypeattribute (shared_relro_28_0) true)
+(expandtypeattribute (shared_relro_file_28_0) true)
+(expandtypeattribute (shell_28_0) true)
+(expandtypeattribute (shell_data_file_28_0) true)
+(expandtypeattribute (shell_exec_28_0) true)
+(expandtypeattribute (shell_prop_28_0) true)
+(expandtypeattribute (shm_28_0) true)
+(expandtypeattribute (shortcut_manager_icons_28_0) true)
+(expandtypeattribute (shortcut_service_28_0) true)
+(expandtypeattribute (slice_service_28_0) true)
+(expandtypeattribute (slideshow_28_0) true)
+(expandtypeattribute (socket_device_28_0) true)
+(expandtypeattribute (sockfs_28_0) true)
+(expandtypeattribute (statusbar_service_28_0) true)
+(expandtypeattribute (storaged_service_28_0) true)
+(expandtypeattribute (storage_file_28_0) true)
+(expandtypeattribute (storagestats_service_28_0) true)
+(expandtypeattribute (storage_stub_file_28_0) true)
+(expandtypeattribute (su_28_0) true)
+(expandtypeattribute (su_exec_28_0) true)
+(expandtypeattribute (surfaceflinger_28_0) true)
+(expandtypeattribute (surfaceflinger_service_28_0) true)
+(expandtypeattribute (swap_block_device_28_0) true)
+(expandtypeattribute (sysfs_28_0) true)
+(expandtypeattribute (sysfs_android_usb_28_0) true)
+(expandtypeattribute (sysfs_batteryinfo_28_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_28_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_28_0) true)
+(expandtypeattribute (sysfs_dm_28_0) true)
+(expandtypeattribute (sysfs_dt_firmware_android_28_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_28_0) true)
+(expandtypeattribute (sysfs_hwrandom_28_0) true)
+(expandtypeattribute (sysfs_ipv4_28_0) true)
+(expandtypeattribute (sysfs_kernel_notes_28_0) true)
+(expandtypeattribute (sysfs_leds_28_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_28_0) true)
+(expandtypeattribute (sysfs_mac_address_28_0) true)
+(expandtypeattribute (sysfs_net_28_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_28_0) true)
+(expandtypeattribute (sysfs_power_28_0) true)
+(expandtypeattribute (sysfs_rtc_28_0) true)
+(expandtypeattribute (sysfs_switch_28_0) true)
+(expandtypeattribute (sysfs_thermal_28_0) true)
+(expandtypeattribute (sysfs_uio_28_0) true)
+(expandtypeattribute (sysfs_usb_28_0) true)
+(expandtypeattribute (sysfs_usermodehelper_28_0) true)
+(expandtypeattribute (sysfs_vibrator_28_0) true)
+(expandtypeattribute (sysfs_wake_lock_28_0) true)
+(expandtypeattribute (sysfs_wakeup_reasons_28_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_28_0) true)
+(expandtypeattribute (sysfs_zram_28_0) true)
+(expandtypeattribute (sysfs_zram_uevent_28_0) true)
+(expandtypeattribute (system_app_28_0) true)
+(expandtypeattribute (system_app_data_file_28_0) true)
+(expandtypeattribute (system_app_service_28_0) true)
+(expandtypeattribute (system_block_device_28_0) true)
+(expandtypeattribute (system_boot_reason_prop_28_0) true)
+(expandtypeattribute (system_data_file_28_0) true)
+(expandtypeattribute (system_file_28_0) true)
+(expandtypeattribute (systemkeys_data_file_28_0) true)
+(expandtypeattribute (system_ndebug_socket_28_0) true)
+(expandtypeattribute (system_net_netd_hwservice_28_0) true)
+(expandtypeattribute (system_prop_28_0) true)
+(expandtypeattribute (system_radio_prop_28_0) true)
+(expandtypeattribute (system_server_28_0) true)
+(expandtypeattribute (system_update_service_28_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_28_0) true)
+(expandtypeattribute (system_wpa_socket_28_0) true)
+(expandtypeattribute (task_service_28_0) true)
+(expandtypeattribute (tee_28_0) true)
+(expandtypeattribute (tee_data_file_28_0) true)
+(expandtypeattribute (tee_device_28_0) true)
+(expandtypeattribute (telecom_service_28_0) true)
+(expandtypeattribute (test_boot_reason_prop_28_0) true)
+(expandtypeattribute (textclassification_service_28_0) true)
+(expandtypeattribute (textclassifier_data_file_28_0) true)
+(expandtypeattribute (textservices_service_28_0) true)
+(expandtypeattribute (thermalcallback_hwservice_28_0) true)
+(expandtypeattribute (thermal_service_28_0) true)
+(expandtypeattribute (timezone_service_28_0) true)
+(expandtypeattribute (tmpfs_28_0) true)
+(expandtypeattribute (tombstoned_28_0) true)
+(expandtypeattribute (tombstone_data_file_28_0) true)
+(expandtypeattribute (tombstoned_crash_socket_28_0) true)
+(expandtypeattribute (tombstoned_exec_28_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_28_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_28_0) true)
+(expandtypeattribute (tombstone_wifi_data_file_28_0) true)
+(expandtypeattribute (toolbox_28_0) true)
+(expandtypeattribute (toolbox_exec_28_0) true)
+(expandtypeattribute (trace_data_file_28_0) true)
+(expandtypeattribute (traced_consumer_socket_28_0) true)
+(expandtypeattribute (traced_enabled_prop_28_0) true)
+(expandtypeattribute (traced_probes_28_0) true)
+(expandtypeattribute (traced_producer_socket_28_0) true)
+(expandtypeattribute (traceur_app_28_0) true)
+(expandtypeattribute (trust_service_28_0) true)
+(expandtypeattribute (tty_device_28_0) true)
+(expandtypeattribute (tun_device_28_0) true)
+(expandtypeattribute (tv_input_service_28_0) true)
+(expandtypeattribute (tzdatacheck_28_0) true)
+(expandtypeattribute (tzdatacheck_exec_28_0) true)
+(expandtypeattribute (ueventd_28_0) true)
+(expandtypeattribute (uhid_device_28_0) true)
+(expandtypeattribute (uimode_service_28_0) true)
+(expandtypeattribute (uio_device_28_0) true)
+(expandtypeattribute (uncrypt_28_0) true)
+(expandtypeattribute (uncrypt_exec_28_0) true)
+(expandtypeattribute (uncrypt_socket_28_0) true)
+(expandtypeattribute (unencrypted_data_file_28_0) true)
+(expandtypeattribute (unlabeled_28_0) true)
+(expandtypeattribute (untrusted_app_25_28_0) true)
+(expandtypeattribute (untrusted_app_27_28_0) true)
+(expandtypeattribute (untrusted_app_28_0) true)
+(expandtypeattribute (untrusted_v2_app_28_0) true)
+(expandtypeattribute (update_engine_28_0) true)
+(expandtypeattribute (update_engine_data_file_28_0) true)
+(expandtypeattribute (update_engine_exec_28_0) true)
+(expandtypeattribute (update_engine_log_data_file_28_0) true)
+(expandtypeattribute (update_engine_service_28_0) true)
+(expandtypeattribute (updatelock_service_28_0) true)
+(expandtypeattribute (update_verifier_28_0) true)
+(expandtypeattribute (update_verifier_exec_28_0) true)
+(expandtypeattribute (usagestats_service_28_0) true)
+(expandtypeattribute (usbaccessory_device_28_0) true)
+(expandtypeattribute (usbd_28_0) true)
+(expandtypeattribute (usb_device_28_0) true)
+(expandtypeattribute (usbd_exec_28_0) true)
+(expandtypeattribute (usbfs_28_0) true)
+(expandtypeattribute (usb_service_28_0) true)
+(expandtypeattribute (userdata_block_device_28_0) true)
+(expandtypeattribute (usermodehelper_28_0) true)
+(expandtypeattribute (user_profile_data_file_28_0) true)
+(expandtypeattribute (user_service_28_0) true)
+(expandtypeattribute (vcs_device_28_0) true)
+(expandtypeattribute (vdc_28_0) true)
+(expandtypeattribute (vdc_exec_28_0) true)
+(expandtypeattribute (vendor_app_file_28_0) true)
+(expandtypeattribute (vendor_configs_file_28_0) true)
+(expandtypeattribute (vendor_data_file_28_0) true)
+(expandtypeattribute (vendor_default_prop_28_0) true)
+(expandtypeattribute (vendor_file_28_0) true)
+(expandtypeattribute (vendor_framework_file_28_0) true)
+(expandtypeattribute (vendor_hal_file_28_0) true)
+(expandtypeattribute (vendor_init_28_0) true)
+(expandtypeattribute (vendor_overlay_file_28_0) true)
+(expandtypeattribute (vendor_security_patch_level_prop_28_0) true)
+(expandtypeattribute (vendor_shell_28_0) true)
+(expandtypeattribute (vendor_shell_exec_28_0) true)
+(expandtypeattribute (vendor_toolbox_exec_28_0) true)
+(expandtypeattribute (vfat_28_0) true)
+(expandtypeattribute (vibrator_service_28_0) true)
+(expandtypeattribute (video_device_28_0) true)
+(expandtypeattribute (virtual_touchpad_28_0) true)
+(expandtypeattribute (virtual_touchpad_exec_28_0) true)
+(expandtypeattribute (virtual_touchpad_service_28_0) true)
+(expandtypeattribute (vndbinder_device_28_0) true)
+(expandtypeattribute (vndk_sp_file_28_0) true)
+(expandtypeattribute (vndservice_contexts_file_28_0) true)
+(expandtypeattribute (vndservicemanager_28_0) true)
+(expandtypeattribute (voiceinteraction_service_28_0) true)
+(expandtypeattribute (vold_28_0) true)
+(expandtypeattribute (vold_data_file_28_0) true)
+(expandtypeattribute (vold_device_28_0) true)
+(expandtypeattribute (vold_exec_28_0) true)
+(expandtypeattribute (vold_metadata_file_28_0) true)
+(expandtypeattribute (vold_prepare_subdirs_28_0) true)
+(expandtypeattribute (vold_prepare_subdirs_exec_28_0) true)
+(expandtypeattribute (vold_prop_28_0) true)
+(expandtypeattribute (vold_service_28_0) true)
+(expandtypeattribute (vpn_data_file_28_0) true)
+(expandtypeattribute (vr_hwc_28_0) true)
+(expandtypeattribute (vr_hwc_exec_28_0) true)
+(expandtypeattribute (vr_hwc_service_28_0) true)
+(expandtypeattribute (vr_manager_service_28_0) true)
+(expandtypeattribute (wallpaper_file_28_0) true)
+(expandtypeattribute (wallpaper_service_28_0) true)
+(expandtypeattribute (watchdogd_28_0) true)
+(expandtypeattribute (watchdog_device_28_0) true)
+(expandtypeattribute (webviewupdate_service_28_0) true)
+(expandtypeattribute (webview_zygote_28_0) true)
+(expandtypeattribute (webview_zygote_exec_28_0) true)
+(expandtypeattribute (wifiaware_service_28_0) true)
+(expandtypeattribute (wificond_28_0) true)
+(expandtypeattribute (wificond_exec_28_0) true)
+(expandtypeattribute (wificond_service_28_0) true)
+(expandtypeattribute (wifi_data_file_28_0) true)
+(expandtypeattribute (wifi_log_prop_28_0) true)
+(expandtypeattribute (wifip2p_service_28_0) true)
+(expandtypeattribute (wifi_prop_28_0) true)
+(expandtypeattribute (wifiscanner_service_28_0) true)
+(expandtypeattribute (wifi_service_28_0) true)
+(expandtypeattribute (window_service_28_0) true)
+(expandtypeattribute (wpantund_28_0) true)
+(expandtypeattribute (wpantund_exec_28_0) true)
+(expandtypeattribute (wpantund_service_28_0) true)
+(expandtypeattribute (wpa_socket_28_0) true)
+(expandtypeattribute (zero_device_28_0) true)
+(expandtypeattribute (zoneinfo_data_file_28_0) true)
+(expandtypeattribute (zygote_28_0) true)
+(expandtypeattribute (zygote_exec_28_0) true)
+(expandtypeattribute (zygote_socket_28_0) true)
+(typeattributeset accessibility_service_28_0 (accessibility_service))
+(typeattributeset account_service_28_0 (account_service))
+(typeattributeset activity_service_28_0 (activity_service))
+(typeattributeset adbd_28_0 (adbd))
+(typeattributeset adb_data_file_28_0 (adb_data_file))
+(typeattributeset adbd_exec_28_0 (adbd_exec))
+(typeattributeset adbd_socket_28_0 (adbd_socket))
+(typeattributeset adb_keys_file_28_0 (adb_keys_file))
+(typeattributeset alarm_device_28_0 (alarm_device))
+(typeattributeset alarm_service_28_0 (alarm_service))
+(typeattributeset anr_data_file_28_0 (anr_data_file))
+(typeattributeset apk_data_file_28_0 (apk_data_file))
+(typeattributeset apk_private_data_file_28_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_28_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_28_0 (apk_tmp_file))
+(typeattributeset app_data_file_28_0 (app_data_file privapp_data_file))
+(typeattributeset app_fuse_file_28_0 (app_fuse_file))
+(typeattributeset app_fusefs_28_0 (app_fusefs))
+(typeattributeset appops_service_28_0 (appops_service))
+(typeattributeset appwidget_service_28_0 (appwidget_service))
+(typeattributeset asec_apk_file_28_0 (asec_apk_file))
+(typeattributeset asec_image_file_28_0 (asec_image_file))
+(typeattributeset asec_public_file_28_0 (asec_public_file))
+(typeattributeset ashmem_device_28_0 (ashmem_device))
+(typeattributeset assetatlas_service_28_0 (assetatlas_service))
+(typeattributeset audio_data_file_28_0 (audio_data_file))
+(typeattributeset audio_device_28_0 (audio_device))
+(typeattributeset audiohal_data_file_28_0 (audiohal_data_file))
+(typeattributeset audio_prop_28_0 (audio_prop))
+(typeattributeset audio_seq_device_28_0 (audio_seq_device))
+(typeattributeset audioserver_28_0 (audioserver))
+(typeattributeset audioserver_data_file_28_0 (audioserver_data_file))
+(typeattributeset audioserver_service_28_0 (audioserver_service))
+(typeattributeset audio_service_28_0 (audio_service))
+(typeattributeset audio_timer_device_28_0 (audio_timer_device))
+(typeattributeset autofill_service_28_0 (autofill_service))
+(typeattributeset backup_data_file_28_0 (backup_data_file))
+(typeattributeset backup_service_28_0 (backup_service))
+(typeattributeset batteryproperties_service_28_0 (batteryproperties_service))
+(typeattributeset battery_service_28_0 (battery_service))
+(typeattributeset batterystats_service_28_0 (batterystats_service))
+(typeattributeset binder_calls_stats_service_28_0 (binder_calls_stats_service))
+(typeattributeset binder_device_28_0 (binder_device))
+(typeattributeset binfmt_miscfs_28_0 (binfmt_miscfs))
+(typeattributeset blkid_28_0 (blkid))
+(typeattributeset blkid_untrusted_28_0 (blkid_untrusted))
+(typeattributeset block_device_28_0 (block_device))
+(typeattributeset bluetooth_28_0 (bluetooth))
+(typeattributeset bluetooth_a2dp_offload_prop_28_0 (bluetooth_a2dp_offload_prop))
+(typeattributeset bluetooth_data_file_28_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_28_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_28_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_28_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_28_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_28_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_28_0 (bluetooth_socket))
+(typeattributeset bootanim_28_0 (bootanim))
+(typeattributeset bootanim_exec_28_0 (bootanim_exec))
+(typeattributeset boot_block_device_28_0 (boot_block_device))
+(typeattributeset bootchart_data_file_28_0 (bootchart_data_file))
+(typeattributeset bootloader_boot_reason_prop_28_0 (bootloader_boot_reason_prop))
+(typeattributeset bootstat_28_0 (bootstat))
+(typeattributeset bootstat_data_file_28_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_28_0 (bootstat_exec))
+(typeattributeset boottime_prop_28_0 (boottime_prop))
+(typeattributeset boottrace_data_file_28_0 (boottrace_data_file))
+(typeattributeset broadcastradio_service_28_0 (broadcastradio_service))
+(typeattributeset bufferhubd_28_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_28_0 (bufferhubd_exec))
+(typeattributeset cache_backup_file_28_0 (cache_backup_file))
+(typeattributeset cache_block_device_28_0 (cache_block_device))
+(typeattributeset cache_file_28_0 (cache_file))
+(typeattributeset cache_private_backup_file_28_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_28_0 (cache_recovery_file))
+(typeattributeset camera_data_file_28_0 (camera_data_file))
+(typeattributeset camera_device_28_0 (camera_device))
+(typeattributeset cameraproxy_service_28_0 (cameraproxy_service))
+(typeattributeset cameraserver_28_0 (cameraserver))
+(typeattributeset cameraserver_exec_28_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_28_0 (cameraserver_service))
+(typeattributeset cgroup_28_0 (cgroup))
+(typeattributeset cgroup_bpf_28_0 (cgroup_bpf))
+(typeattributeset charger_28_0 (charger))
+(typeattributeset clatd_28_0 (clatd))
+(typeattributeset clatd_exec_28_0 (clatd_exec))
+(typeattributeset clipboard_service_28_0 (clipboard_service))
+(typeattributeset commontime_management_service_28_0 (commontime_management_service))
+(typeattributeset companion_device_service_28_0 (companion_device_service))
+(typeattributeset configfs_28_0 (configfs))
+(typeattributeset config_prop_28_0 (config_prop))
+(typeattributeset connectivity_service_28_0 (connectivity_service))
+(typeattributeset connmetrics_service_28_0 (connmetrics_service))
+(typeattributeset console_device_28_0 (console_device))
+(typeattributeset consumer_ir_service_28_0 (consumer_ir_service))
+(typeattributeset content_service_28_0 (content_service))
+(typeattributeset contexthub_service_28_0 (contexthub_service))
+(typeattributeset coredump_file_28_0 (coredump_file))
+(typeattributeset country_detector_service_28_0 (country_detector_service))
+(typeattributeset coverage_service_28_0 (coverage_service))
+(typeattributeset cppreopt_prop_28_0 (cppreopt_prop))
+(typeattributeset cppreopts_28_0 (cppreopts))
+(typeattributeset cppreopts_exec_28_0 (cppreopts_exec))
+(typeattributeset cpuctl_device_28_0 (cpuctl_device))
+(typeattributeset cpuinfo_service_28_0 (cpuinfo_service))
+(typeattributeset crash_dump_28_0 (crash_dump))
+(typeattributeset crash_dump_exec_28_0 (crash_dump_exec))
+(typeattributeset crossprofileapps_service_28_0 (crossprofileapps_service))
+(typeattributeset ctl_bootanim_prop_28_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_28_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_28_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_28_0
+ ( ctl_adbd_prop
+ ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_28_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_28_0 (ctl_fuse_prop))
+(typeattributeset ctl_interface_restart_prop_28_0 (ctl_interface_restart_prop))
+(typeattributeset ctl_interface_start_prop_28_0 (ctl_interface_start_prop))
+(typeattributeset ctl_interface_stop_prop_28_0 (ctl_interface_stop_prop))
+(typeattributeset ctl_mdnsd_prop_28_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_restart_prop_28_0 (ctl_restart_prop))
+(typeattributeset ctl_rildaemon_prop_28_0 (ctl_rildaemon_prop))
+(typeattributeset ctl_sigstop_prop_28_0 (ctl_sigstop_prop))
+(typeattributeset ctl_start_prop_28_0 (ctl_start_prop))
+(typeattributeset ctl_stop_prop_28_0 (ctl_stop_prop))
+(typeattributeset dalvikcache_data_file_28_0 (dalvikcache_data_file))
+(typeattributeset dalvik_prop_28_0 (dalvik_prop))
+(typeattributeset dbinfo_service_28_0 (dbinfo_service))
+(typeattributeset debugfs_28_0 (debugfs))
+(typeattributeset debugfs_mmc_28_0 (debugfs_mmc))
+(typeattributeset debugfs_trace_marker_28_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_28_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_28_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_instances_28_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_wakeup_sources_28_0 (debugfs_wakeup_sources))
+(typeattributeset debugfs_wifi_tracing_28_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_28_0 (debuggerd_prop))
+(typeattributeset debug_prop_28_0 (debug_prop))
+(typeattributeset default_android_hwservice_28_0 (default_android_hwservice))
+(typeattributeset default_android_service_28_0 (default_android_service))
+(typeattributeset default_android_vndservice_28_0 (default_android_vndservice))
+(typeattributeset default_prop_28_0 (default_prop))
+(typeattributeset device_28_0 (device))
+(typeattributeset device_identifiers_service_28_0 (device_identifiers_service))
+(typeattributeset deviceidle_service_28_0 (deviceidle_service))
+(typeattributeset device_logging_prop_28_0 (device_logging_prop))
+(typeattributeset device_policy_service_28_0 (device_policy_service))
+(typeattributeset devicestoragemonitor_service_28_0 (devicestoragemonitor_service))
+(typeattributeset devpts_28_0 (devpts))
+(typeattributeset dex2oat_28_0 (dex2oat))
+(typeattributeset dex2oat_exec_28_0 (dex2oat_exec))
+(typeattributeset dhcp_28_0 (dhcp))
+(typeattributeset dhcp_data_file_28_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_28_0 (dhcp_exec))
+(typeattributeset dhcp_prop_28_0 (dhcp_prop))
+(typeattributeset diskstats_service_28_0 (diskstats_service))
+(typeattributeset display_service_28_0 (display_service))
+(typeattributeset dm_device_28_0 (dm_device))
+(typeattributeset dnsmasq_28_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_28_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_28_0 (dnsproxyd_socket))
+(typeattributeset DockObserver_service_28_0 (DockObserver_service))
+(typeattributeset dreams_service_28_0 (dreams_service))
+(typeattributeset drm_data_file_28_0 (drm_data_file))
+(typeattributeset drmserver_28_0 (drmserver))
+(typeattributeset drmserver_exec_28_0 (drmserver_exec))
+(typeattributeset drmserver_service_28_0 (drmserver_service))
+(typeattributeset drmserver_socket_28_0 (drmserver_socket))
+(typeattributeset dropbox_service_28_0 (dropbox_service))
+(typeattributeset dumpstate_28_0 (dumpstate))
+(typeattributeset dumpstate_exec_28_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_28_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_28_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_28_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_28_0 (dumpstate_socket))
+(typeattributeset e2fs_28_0 (e2fs))
+(typeattributeset e2fs_exec_28_0 (e2fs_exec))
+(typeattributeset efs_file_28_0 (efs_file))
+(typeattributeset ephemeral_app_28_0 (ephemeral_app))
+(typeattributeset ethernet_service_28_0 (ethernet_service))
+(typeattributeset exfat_28_0 (exfat))
+(typeattributeset exported2_config_prop_28_0 (exported2_config_prop))
+(typeattributeset exported2_default_prop_28_0 (exported2_default_prop))
+(typeattributeset exported2_radio_prop_28_0 (exported2_radio_prop))
+(typeattributeset exported2_system_prop_28_0 (exported2_system_prop))
+(typeattributeset exported2_vold_prop_28_0 (exported2_vold_prop))
+(typeattributeset exported3_default_prop_28_0 (exported3_default_prop))
+(typeattributeset exported3_radio_prop_28_0 (exported3_radio_prop))
+(typeattributeset exported3_system_prop_28_0 (exported3_system_prop))
+(typeattributeset exported_audio_prop_28_0 (exported_audio_prop))
+(typeattributeset exported_bluetooth_prop_28_0 (exported_bluetooth_prop))
+(typeattributeset exported_config_prop_28_0 (exported_config_prop))
+(typeattributeset exported_dalvik_prop_28_0 (exported_dalvik_prop))
+(typeattributeset exported_default_prop_28_0 (exported_default_prop))
+(typeattributeset exported_dumpstate_prop_28_0 (exported_dumpstate_prop))
+(typeattributeset exported_ffs_prop_28_0 (exported_ffs_prop))
+(typeattributeset exported_fingerprint_prop_28_0 (exported_fingerprint_prop))
+(typeattributeset exported_overlay_prop_28_0 (exported_overlay_prop))
+(typeattributeset exported_pm_prop_28_0 (exported_pm_prop))
+(typeattributeset exported_radio_prop_28_0 (exported_radio_prop))
+(typeattributeset exported_secure_prop_28_0 (exported_secure_prop))
+(typeattributeset exported_system_prop_28_0 (exported_system_prop))
+(typeattributeset exported_system_radio_prop_28_0 (exported_system_radio_prop))
+(typeattributeset exported_vold_prop_28_0 (exported_vold_prop))
+(typeattributeset exported_wifi_prop_28_0 (exported_wifi_prop))
+(typeattributeset ffs_prop_28_0 (ffs_prop))
+(typeattributeset file_contexts_file_28_0 (file_contexts_file))
+(typeattributeset fingerprintd_28_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_28_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_28_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_28_0 (fingerprintd_service))
+(typeattributeset fingerprint_prop_28_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_28_0 (fingerprint_service))
+(typeattributeset fingerprint_vendor_data_file_28_0 (fingerprint_vendor_data_file))
+(typeattributeset firstboot_prop_28_0 (firstboot_prop))
+(typeattributeset font_service_28_0 (font_service))
+(typeattributeset frp_block_device_28_0 (frp_block_device))
+(typeattributeset fs_bpf_28_0 (fs_bpf))
+(typeattributeset fsck_28_0 (fsck))
+(typeattributeset fsck_exec_28_0 (fsck_exec))
+(typeattributeset fscklogs_28_0 (fscklogs))
+(typeattributeset fsck_untrusted_28_0 (fsck_untrusted))
+(typeattributeset full_device_28_0 (full_device))
+(typeattributeset functionfs_28_0 (functionfs))
+(typeattributeset fuse_28_0 (fuse))
+(typeattributeset fuse_device_28_0 (fuse_device))
+(typeattributeset fwk_display_hwservice_28_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_28_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_28_0 (fwk_sensor_hwservice))
+(typeattributeset fwmarkd_socket_28_0 (fwmarkd_socket))
+(typeattributeset gatekeeperd_28_0 (gatekeeperd))
+(typeattributeset gatekeeper_data_file_28_0 (gatekeeper_data_file))
+(typeattributeset gatekeeperd_exec_28_0 (gatekeeperd_exec))
+(typeattributeset gatekeeper_service_28_0 (gatekeeper_service))
+(typeattributeset gfxinfo_service_28_0 (gfxinfo_service))
+(typeattributeset gps_control_28_0 (gps_control))
+(typeattributeset gpu_device_28_0 (gpu_device))
+(typeattributeset gpu_service_28_0 (gpu_service))
+(typeattributeset graphics_device_28_0 (graphics_device))
+(typeattributeset graphicsstats_service_28_0 (graphicsstats_service))
+(typeattributeset hal_audiocontrol_hwservice_28_0 (hal_audiocontrol_hwservice))
+(typeattributeset hal_audio_hwservice_28_0 (hal_audio_hwservice))
+(typeattributeset hal_authsecret_hwservice_28_0 (hal_authsecret_hwservice))
+(typeattributeset hal_bluetooth_hwservice_28_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_28_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_28_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_28_0 (hal_camera_hwservice))
+(typeattributeset hal_cas_hwservice_28_0 (hal_cas_hwservice))
+(typeattributeset hal_codec2_hwservice_28_0 (hal_codec2_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_28_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_confirmationui_hwservice_28_0 (hal_confirmationui_hwservice))
+(typeattributeset hal_contexthub_hwservice_28_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_28_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_hwservice_28_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_evs_hwservice_28_0 (hal_evs_hwservice))
+(typeattributeset hal_fingerprint_hwservice_28_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_28_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_28_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_28_0 (hal_gnss_hwservice))
+(typeattributeset hal_graphics_allocator_hwservice_28_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_28_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_mapper_hwservice_28_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_28_0 (hal_health_hwservice))
+(typeattributeset hal_ir_hwservice_28_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_28_0 (hal_keymaster_hwservice))
+(typeattributeset hal_light_hwservice_28_0 (hal_light_hwservice))
+(typeattributeset hal_lowpan_hwservice_28_0 (hal_lowpan_hwservice))
+(typeattributeset hal_memtrack_hwservice_28_0 (hal_memtrack_hwservice))
+(typeattributeset hal_neuralnetworks_hwservice_28_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_nfc_hwservice_28_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_28_0 (hal_oemlock_hwservice))
+(typeattributeset hal_omx_hwservice_28_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_28_0 (hal_power_hwservice))
+(typeattributeset hal_renderscript_hwservice_28_0 (hal_renderscript_hwservice))
+(typeattributeset hal_secure_element_hwservice_28_0 (hal_secure_element_hwservice))
+(typeattributeset hal_sensors_hwservice_28_0 (hal_sensors_hwservice))
+(typeattributeset hal_telephony_hwservice_28_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_28_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_28_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_28_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_28_0 (hal_tv_input_hwservice))
+(typeattributeset hal_usb_gadget_hwservice_28_0 (hal_usb_gadget_hwservice))
+(typeattributeset hal_usb_hwservice_28_0 (hal_usb_hwservice))
+(typeattributeset hal_vehicle_hwservice_28_0 (hal_vehicle_hwservice))
+(typeattributeset hal_vibrator_hwservice_28_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vr_hwservice_28_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_28_0 (hal_weaver_hwservice))
+(typeattributeset hal_wifi_hostapd_hwservice_28_0 (hal_wifi_hostapd_hwservice))
+(typeattributeset hal_wifi_hwservice_28_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_offload_hwservice_28_0 (hal_wifi_offload_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_28_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_28_0 (hardware_properties_service))
+(typeattributeset hardware_service_28_0 (hardware_service))
+(typeattributeset hci_attach_dev_28_0 (hci_attach_dev))
+(typeattributeset hdmi_control_service_28_0 (hdmi_control_service))
+(typeattributeset healthd_28_0 (healthd))
+(typeattributeset healthd_exec_28_0 (healthd_exec))
+(typeattributeset heapdump_data_file_28_0 (heapdump_data_file))
+(typeattributeset hidl_allocator_hwservice_28_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_28_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_28_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_28_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_28_0 (hidl_token_hwservice))
+(typeattributeset hwbinder_device_28_0 (hwbinder_device))
+(typeattributeset hw_random_device_28_0 (hw_random_device))
+(typeattributeset hwservice_contexts_file_28_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_28_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_28_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_28_0 (hwservicemanager_prop))
+(typeattributeset i2c_device_28_0 (i2c_device))
+(typeattributeset icon_file_28_0 (icon_file))
+(typeattributeset idmap_28_0 (idmap))
+(typeattributeset idmap_exec_28_0 (idmap_exec))
+(typeattributeset iio_device_28_0 (iio_device))
+(typeattributeset imms_service_28_0 (imms_service))
+(typeattributeset incident_28_0 (incident))
+(typeattributeset incidentd_28_0 (incidentd))
+(typeattributeset incident_data_file_28_0 (incident_data_file))
+(typeattributeset incident_helper_28_0 (incident_helper))
+(typeattributeset incident_service_28_0 (incident_service))
+(typeattributeset init_28_0 (init))
+(typeattributeset init_exec_28_0 (init_exec watchdogd_exec))
+(typeattributeset inotify_28_0 (inotify))
+(typeattributeset input_device_28_0 (input_device))
+(typeattributeset inputflinger_28_0 (inputflinger))
+(typeattributeset inputflinger_exec_28_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_28_0 (inputflinger_service))
+(typeattributeset input_method_service_28_0 (input_method_service))
+(typeattributeset input_service_28_0 (input_service))
+(typeattributeset installd_28_0 (installd))
+(typeattributeset install_data_file_28_0 (install_data_file))
+(typeattributeset installd_exec_28_0 (installd_exec))
+(typeattributeset installd_service_28_0 (installd_service))
+(typeattributeset install_recovery_28_0 (install_recovery))
+(typeattributeset install_recovery_exec_28_0 (install_recovery_exec))
+(typeattributeset ion_device_28_0 (ion_device))
+(typeattributeset IProxyService_service_28_0 (IProxyService_service))
+(typeattributeset ipsec_service_28_0 (ipsec_service))
+(typeattributeset isolated_app_28_0 (isolated_app))
+(typeattributeset jobscheduler_service_28_0 (jobscheduler_service))
+(typeattributeset kernel_28_0 (kernel))
+(typeattributeset keychain_data_file_28_0 (keychain_data_file))
+(typeattributeset keychord_device_28_0 (keychord_device))
+(typeattributeset keystore_28_0 (keystore))
+(typeattributeset keystore_data_file_28_0 (keystore_data_file))
+(typeattributeset keystore_exec_28_0 (keystore_exec))
+(typeattributeset keystore_service_28_0 (keystore_service))
+(typeattributeset kmem_device_28_0 (kmem_device))
+(typeattributeset kmsg_debug_device_28_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_28_0 (kmsg_device))
+(typeattributeset labeledfs_28_0 (labeledfs))
+(typeattributeset last_boot_reason_prop_28_0 (last_boot_reason_prop))
+(typeattributeset launcherapps_service_28_0 (launcherapps_service))
+(typeattributeset lmkd_28_0 (lmkd))
+(typeattributeset lmkd_exec_28_0 (lmkd_exec))
+(typeattributeset lmkd_socket_28_0 (lmkd_socket))
+(typeattributeset location_service_28_0 (location_service))
+(typeattributeset lock_settings_service_28_0 (lock_settings_service))
+(typeattributeset logcat_exec_28_0 (logcat_exec))
+(typeattributeset logd_28_0 (logd))
+(typeattributeset logd_exec_28_0 (logd_exec))
+(typeattributeset logd_prop_28_0 (logd_prop))
+(typeattributeset logdr_socket_28_0 (logdr_socket))
+(typeattributeset logd_socket_28_0 (logd_socket))
+(typeattributeset logdw_socket_28_0 (logdw_socket))
+(typeattributeset logpersist_28_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_28_0 (logpersistd_logging_prop))
+(typeattributeset log_prop_28_0 (log_prop))
+(typeattributeset log_tag_prop_28_0 (log_tag_prop))
+(typeattributeset loop_control_device_28_0 (loop_control_device))
+(typeattributeset loop_device_28_0 (loop_device))
+(typeattributeset lowpan_device_28_0 (lowpan_device))
+(typeattributeset lowpan_prop_28_0 (lowpan_prop))
+(typeattributeset lowpan_service_28_0 (lowpan_service))
+(typeattributeset mac_perms_file_28_0 (mac_perms_file))
+(typeattributeset mdnsd_28_0 (mdnsd))
+(typeattributeset mdnsd_socket_28_0 (mdnsd_socket))
+(typeattributeset mdns_socket_28_0 (mdns_socket))
+(typeattributeset hal_omx_server (mediacodec_28_0))
+(typeattributeset mediacodec_28_0 (mediacodec))
+(typeattributeset mediacodec_exec_28_0 (mediacodec_exec))
+(typeattributeset mediacodec_service_28_0 (mediacodec_service))
+(typeattributeset media_data_file_28_0 (media_data_file))
+(typeattributeset mediadrmserver_28_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_28_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_28_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_28_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_28_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_28_0 (mediaextractor_service))
+(typeattributeset mediaextractor_update_service_28_0 (mediaextractor_update_service))
+(typeattributeset mediametrics_28_0 (mediametrics))
+(typeattributeset mediametrics_exec_28_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_28_0 (mediametrics_service))
+(typeattributeset media_projection_service_28_0 (media_projection_service))
+(typeattributeset mediaprovider_28_0 (mediaprovider))
+(typeattributeset media_router_service_28_0 (media_router_service))
+(typeattributeset media_rw_data_file_28_0 (media_rw_data_file))
+(typeattributeset mediaserver_28_0 (mediaserver))
+(typeattributeset mediaserver_exec_28_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_28_0 (mediaserver_service))
+(typeattributeset media_session_service_28_0 (media_session_service))
+(typeattributeset meminfo_service_28_0 (meminfo_service))
+(typeattributeset metadata_block_device_28_0 (metadata_block_device))
+(typeattributeset metadata_file_28_0 (metadata_file))
+(typeattributeset method_trace_data_file_28_0 (method_trace_data_file))
+(typeattributeset midi_service_28_0 (midi_service))
+(typeattributeset misc_block_device_28_0 (misc_block_device))
+(typeattributeset misc_logd_file_28_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_28_0 (misc_user_data_file))
+(typeattributeset mmc_prop_28_0 (mmc_prop))
+(typeattributeset mnt_expand_file_28_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_28_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_28_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_user_file_28_0 (mnt_user_file))
+(typeattributeset mnt_vendor_file_28_0 (mnt_vendor_file))
+(typeattributeset modprobe_28_0 (modprobe))
+(typeattributeset mount_service_28_0 (mount_service))
+(typeattributeset mqueue_28_0 (mqueue))
+(typeattributeset mtd_device_28_0 (mtd_device))
+(typeattributeset mtp_28_0 (mtp))
+(typeattributeset mtp_device_28_0 (mtp_device))
+(typeattributeset mtpd_socket_28_0 (mtpd_socket))
+(typeattributeset mtp_exec_28_0 (mtp_exec))
+(typeattributeset nativetest_data_file_28_0 (nativetest_data_file))
+(typeattributeset netd_28_0 (netd))
+(typeattributeset net_data_file_28_0 (net_data_file))
+(typeattributeset netd_exec_28_0 (netd_exec))
+(typeattributeset netd_listener_service_28_0 (netd_listener_service))
+(typeattributeset net_dns_prop_28_0 (net_dns_prop))
+(typeattributeset netd_service_28_0 (netd_service))
+(typeattributeset netd_socket_28_0 (netd_socket))
+(typeattributeset netd_stable_secret_prop_28_0 (netd_stable_secret_prop))
+(typeattributeset netif_28_0 (netif))
+(typeattributeset netpolicy_service_28_0 (netpolicy_service))
+(typeattributeset net_radio_prop_28_0 (net_radio_prop))
+(typeattributeset netstats_service_28_0 (netstats_service))
+(typeattributeset netutils_wrapper_28_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_28_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_28_0 (network_management_service))
+(typeattributeset network_score_service_28_0 (network_score_service))
+(typeattributeset network_time_update_service_28_0 (network_time_update_service))
+(typeattributeset network_watchlist_data_file_28_0 (network_watchlist_data_file))
+(typeattributeset network_watchlist_service_28_0 (network_watchlist_service))
+(typeattributeset nfc_28_0 (nfc))
+(typeattributeset nfc_data_file_28_0 (nfc_data_file))
+(typeattributeset nfc_device_28_0 (nfc_device))
+(typeattributeset nfc_prop_28_0 (nfc_prop))
+(typeattributeset nfc_service_28_0 (nfc_service))
+(typeattributeset node_28_0 (node))
+(typeattributeset nonplat_service_contexts_file_28_0 (nonplat_service_contexts_file))
+(typeattributeset notification_service_28_0 (notification_service))
+(typeattributeset null_device_28_0 (null_device))
+(typeattributeset oemfs_28_0 (oemfs))
+(typeattributeset oem_lock_service_28_0 (oem_lock_service))
+(typeattributeset ota_data_file_28_0 (ota_data_file))
+(typeattributeset otadexopt_service_28_0 (otadexopt_service))
+(typeattributeset ota_package_file_28_0 (ota_package_file))
+(typeattributeset otapreopt_chroot_28_0 (otapreopt_chroot))
+(typeattributeset otapreopt_chroot_exec_28_0 (otapreopt_chroot_exec))
+(typeattributeset otapreopt_slot_28_0 (otapreopt_slot))
+(typeattributeset otapreopt_slot_exec_28_0 (otapreopt_slot_exec))
+(typeattributeset overlay_prop_28_0 (overlay_prop))
+(typeattributeset overlay_service_28_0 (overlay_service))
+(typeattributeset owntty_device_28_0 (owntty_device))
+(typeattributeset package_native_service_28_0 (package_native_service))
+(typeattributeset package_service_28_0 (package_service))
+(typeattributeset pan_result_prop_28_0 (pan_result_prop))
+(typeattributeset pdx_bufferhub_client_channel_socket_28_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_28_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_28_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_28_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_28_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_28_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_28_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_28_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_28_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_28_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_28_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_28_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_28_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_28_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_28_0 (pdx_performance_dir))
+(typeattributeset performanced_28_0 (performanced))
+(typeattributeset performanced_exec_28_0 (performanced_exec))
+(typeattributeset permission_service_28_0 (permission_service))
+(typeattributeset persist_debug_prop_28_0 (persist_debug_prop))
+(typeattributeset persistent_data_block_service_28_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_28_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_28_0 (pinner_service))
+(typeattributeset pipefs_28_0 (pipefs))
+(typeattributeset platform_app_28_0 (platform_app))
+(typeattributeset pm_prop_28_0 (pm_prop))
+(typeattributeset pmsg_device_28_0 (pmsg_device))
+(typeattributeset port_28_0 (port))
+(typeattributeset port_device_28_0 (port_device))
+(typeattributeset postinstall_28_0 (postinstall))
+(typeattributeset postinstall_dexopt_28_0 (postinstall_dexopt))
+(typeattributeset postinstall_file_28_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_28_0 (postinstall_mnt_dir))
+(typeattributeset powerctl_prop_28_0 (powerctl_prop))
+(typeattributeset power_service_28_0 (power_service))
+(typeattributeset ppp_28_0 (ppp))
+(typeattributeset ppp_device_28_0 (ppp_device))
+(typeattributeset ppp_exec_28_0 (ppp_exec))
+(typeattributeset preloads_data_file_28_0 (preloads_data_file))
+(typeattributeset preloads_media_file_28_0 (preloads_media_file))
+(typeattributeset preopt2cachename_28_0 (preopt2cachename))
+(typeattributeset preopt2cachename_exec_28_0 (preopt2cachename_exec))
+(typeattributeset print_service_28_0 (print_service))
+(typeattributeset priv_app_28_0 (priv_app))
+(typeattributeset proc_28_0
+ ( proc
+ proc_fs_verity
+ proc_keys
+ proc_kpageflags
+ proc_lowmemorykiller
+ proc_pressure_cpu
+ proc_pressure_io
+ proc_pressure_mem
+ proc_slabinfo))
+(typeattributeset proc_abi_28_0 (proc_abi))
+(typeattributeset proc_asound_28_0 (proc_asound))
+(typeattributeset proc_bluetooth_writable_28_0 (proc_bluetooth_writable))
+(typeattributeset proc_buddyinfo_28_0 (proc_buddyinfo))
+(typeattributeset proc_cmdline_28_0 (proc_cmdline))
+(typeattributeset proc_cpuinfo_28_0 (proc_cpuinfo))
+(typeattributeset proc_dirty_28_0 (proc_dirty))
+(typeattributeset proc_diskstats_28_0 (proc_diskstats))
+(typeattributeset proc_drop_caches_28_0 (proc_drop_caches))
+(typeattributeset processinfo_service_28_0 (processinfo_service))
+(typeattributeset proc_extra_free_kbytes_28_0 (proc_extra_free_kbytes))
+(typeattributeset proc_filesystems_28_0 (proc_filesystems))
+(typeattributeset proc_hostname_28_0 (proc_hostname))
+(typeattributeset proc_hung_task_28_0 (proc_hung_task))
+(typeattributeset proc_interrupts_28_0 (proc_interrupts))
+(typeattributeset proc_iomem_28_0 (proc_iomem))
+(typeattributeset proc_kmsg_28_0 (proc_kmsg))
+(typeattributeset proc_loadavg_28_0 (proc_loadavg))
+(typeattributeset proc_max_map_count_28_0 (proc_max_map_count))
+(typeattributeset proc_meminfo_28_0 (proc_meminfo))
+(typeattributeset proc_min_free_order_shift_28_0 (proc_min_free_order_shift))
+(typeattributeset proc_misc_28_0 (proc_misc))
+(typeattributeset proc_modules_28_0 (proc_modules))
+(typeattributeset proc_mounts_28_0 (proc_mounts))
+(typeattributeset proc_net_28_0
+ ( proc_net
+ proc_net_tcp_udp))
+(typeattributeset proc_overcommit_memory_28_0 (proc_overcommit_memory))
+(typeattributeset proc_page_cluster_28_0 (proc_page_cluster))
+(typeattributeset proc_pagetypeinfo_28_0 (proc_pagetypeinfo))
+(typeattributeset proc_panic_28_0 (proc_panic))
+(typeattributeset proc_perf_28_0 (proc_perf))
+(typeattributeset proc_pid_max_28_0 (proc_pid_max))
+(typeattributeset proc_pipe_conf_28_0 (proc_pipe_conf))
+(typeattributeset proc_qtaguid_stat_28_0 (proc_qtaguid_stat))
+(typeattributeset proc_random_28_0 (proc_random))
+(typeattributeset proc_sched_28_0 (proc_sched))
+(typeattributeset proc_security_28_0 (proc_security))
+(typeattributeset proc_stat_28_0 (proc_stat))
+(typeattributeset procstats_service_28_0 (procstats_service))
+(typeattributeset proc_swaps_28_0 (proc_swaps))
+(typeattributeset proc_sysrq_28_0 (proc_sysrq))
+(typeattributeset proc_timer_28_0 (proc_timer))
+(typeattributeset proc_tty_drivers_28_0 (proc_tty_drivers))
+(typeattributeset proc_uid_concurrent_active_time_28_0 (proc_uid_concurrent_active_time))
+(typeattributeset proc_uid_concurrent_policy_time_28_0 (proc_uid_concurrent_policy_time))
+(typeattributeset proc_uid_cpupower_28_0 (proc_uid_cpupower))
+(typeattributeset proc_uid_cputime_removeuid_28_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_28_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_28_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_28_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_28_0 (proc_uid_time_in_state))
+(typeattributeset proc_uptime_28_0 (proc_uptime))
+(typeattributeset proc_version_28_0 (proc_version))
+(typeattributeset proc_vmallocinfo_28_0 (proc_vmallocinfo))
+(typeattributeset proc_vmstat_28_0 (proc_vmstat))
+(typeattributeset proc_zoneinfo_28_0 (proc_zoneinfo))
+(typeattributeset profman_28_0 (profman))
+(typeattributeset profman_dump_data_file_28_0 (profman_dump_data_file))
+(typeattributeset profman_exec_28_0 (profman_exec))
+(typeattributeset properties_device_28_0 (properties_device))
+(typeattributeset properties_serial_28_0 (properties_serial))
+(typeattributeset property_contexts_file_28_0 (property_contexts_file))
+(typeattributeset property_data_file_28_0 (property_data_file))
+(typeattributeset property_info_28_0 (property_info))
+(typeattributeset property_socket_28_0 (property_socket))
+(typeattributeset pstorefs_28_0 (pstorefs))
+(typeattributeset ptmx_device_28_0 (ptmx_device))
+(typeattributeset qtaguid_device_28_0 (qtaguid_device))
+(typeattributeset qtaguid_proc_28_0
+ ( proc_qtaguid_ctrl
+ qtaguid_proc))
+(typeattributeset racoon_28_0 (racoon))
+(typeattributeset racoon_exec_28_0 (racoon_exec))
+(typeattributeset racoon_socket_28_0 (racoon_socket))
+(typeattributeset radio_28_0 (radio))
+(typeattributeset radio_data_file_28_0 (radio_data_file))
+(typeattributeset radio_device_28_0 (radio_device))
+(typeattributeset radio_prop_28_0 (radio_prop))
+(typeattributeset radio_service_28_0 (radio_service))
+(typeattributeset ram_device_28_0 (ram_device))
+(typeattributeset random_device_28_0 (random_device))
+(typeattributeset recovery_28_0 (recovery))
+(typeattributeset recovery_block_device_28_0 (recovery_block_device))
+(typeattributeset recovery_data_file_28_0 (recovery_data_file))
+(typeattributeset recovery_persist_28_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_28_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_28_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_28_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_28_0 (recovery_service))
+(typeattributeset registry_service_28_0 (registry_service))
+(typeattributeset resourcecache_data_file_28_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_28_0 (restorecon_prop))
+(typeattributeset restrictions_service_28_0 (restrictions_service))
+(typeattributeset rild_debug_socket_28_0 (rild_debug_socket))
+(typeattributeset rild_socket_28_0 (rild_socket))
+(typeattributeset ringtone_file_28_0 (ringtone_file))
+(typeattributeset root_block_device_28_0 (root_block_device))
+(typeattributeset rootfs_28_0 (rootfs))
+(typeattributeset rpmsg_device_28_0 (rpmsg_device))
+(typeattributeset rtc_device_28_0 (rtc_device))
+(typeattributeset rttmanager_service_28_0 (rttmanager_service))
+(typeattributeset runas_28_0 (runas))
+(typeattributeset runas_exec_28_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_28_0 (runtime_event_log_tags_file))
+(typeattributeset safemode_prop_28_0 (safemode_prop))
+(typeattributeset same_process_hal_file_28_0
+ ( same_process_hal_file
+ vendor_public_lib_file))
+(typeattributeset samplingprofiler_service_28_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_28_0 (scheduling_policy_service))
+(typeattributeset sdcardd_28_0 (sdcardd))
+(typeattributeset sdcardd_exec_28_0 (sdcardd_exec))
+(typeattributeset sdcardfs_28_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_28_0 (seapp_contexts_file))
+(typeattributeset search_service_28_0 (search_service))
+(typeattributeset sec_key_att_app_id_provider_service_28_0 (sec_key_att_app_id_provider_service))
+(typeattributeset secure_element_28_0 (secure_element))
+(typeattributeset secure_element_device_28_0 (secure_element_device))
+(typeattributeset secure_element_service_28_0 (secure_element_service))
+(typeattributeset selinuxfs_28_0 (selinuxfs))
+(typeattributeset sensors_device_28_0 (sensors_device))
+(typeattributeset sensorservice_service_28_0 (sensorservice_service))
+(typeattributeset sepolicy_file_28_0 (sepolicy_file))
+(typeattributeset serial_device_28_0 (serial_device))
+(typeattributeset serialno_prop_28_0 (serialno_prop))
+(typeattributeset serial_service_28_0 (serial_service))
+(typeattributeset service_contexts_file_28_0 (service_contexts_file))
+(typeattributeset servicediscovery_service_28_0 (servicediscovery_service))
+(typeattributeset servicemanager_28_0 (servicemanager))
+(typeattributeset servicemanager_exec_28_0 (servicemanager_exec))
+(typeattributeset settings_service_28_0 (settings_service))
+(typeattributeset sgdisk_28_0 (sgdisk))
+(typeattributeset sgdisk_exec_28_0 (sgdisk_exec))
+(typeattributeset shared_relro_28_0 (shared_relro))
+(typeattributeset shared_relro_file_28_0 (shared_relro_file))
+(typeattributeset shell_28_0 (shell))
+(typeattributeset shell_data_file_28_0 (shell_data_file))
+(typeattributeset shell_exec_28_0 (shell_exec))
+(typeattributeset shell_prop_28_0 (shell_prop))
+(typeattributeset shm_28_0 (shm))
+(typeattributeset shortcut_manager_icons_28_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_28_0 (shortcut_service))
+(typeattributeset slice_service_28_0 (slice_service))
+(typeattributeset slideshow_28_0 (slideshow))
+(typeattributeset socket_device_28_0 (socket_device))
+(typeattributeset sockfs_28_0 (sockfs))
+(typeattributeset statusbar_service_28_0 (statusbar_service))
+(typeattributeset storaged_service_28_0 (storaged_service))
+(typeattributeset storage_file_28_0 (storage_file))
+(typeattributeset storagestats_service_28_0 (storagestats_service))
+(typeattributeset storage_stub_file_28_0 (storage_stub_file))
+(typeattributeset su_28_0 (su))
+(typeattributeset su_exec_28_0 (su_exec))
+(typeattributeset surfaceflinger_28_0 (surfaceflinger))
+(typeattributeset surfaceflinger_service_28_0 (surfaceflinger_service))
+(typeattributeset swap_block_device_28_0 (swap_block_device))
+(typeattributeset sysfs_28_0
+ ( sysfs
+ sysfs_devices_block
+ sysfs_extcon
+ sysfs_loop
+ sysfs_transparent_hugepage))
+(typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
+(typeattributeset sysfs_batteryinfo_28_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_28_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devices_system_cpu_28_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_dm_28_0 (sysfs_dm))
+(typeattributeset sysfs_dt_firmware_android_28_0 (sysfs_dt_firmware_android))
+(typeattributeset sysfs_fs_ext4_features_28_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_hwrandom_28_0 (sysfs_hwrandom))
+(typeattributeset sysfs_ipv4_28_0 (sysfs_ipv4))
+(typeattributeset sysfs_kernel_notes_28_0 (sysfs_kernel_notes))
+(typeattributeset sysfs_leds_28_0 (sysfs_leds))
+(typeattributeset sysfs_lowmemorykiller_28_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_mac_address_28_0 (sysfs_mac_address))
+(typeattributeset sysfs_net_28_0 (sysfs_net))
+(typeattributeset sysfs_nfc_power_writable_28_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_power_28_0 (sysfs_power))
+(typeattributeset sysfs_rtc_28_0 (sysfs_rtc))
+(typeattributeset sysfs_switch_28_0 (sysfs_switch))
+(typeattributeset sysfs_thermal_28_0 (sysfs_thermal))
+(typeattributeset sysfs_uio_28_0 (sysfs_uio))
+(typeattributeset sysfs_usb_28_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_28_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vibrator_28_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_28_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wakeup_reasons_28_0 (sysfs_wakeup_reasons))
+(typeattributeset sysfs_wlan_fwpath_28_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_28_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_28_0 (sysfs_zram_uevent))
+(typeattributeset system_app_28_0 (system_app))
+(typeattributeset system_app_data_file_28_0 (system_app_data_file))
+(typeattributeset system_app_service_28_0 (system_app_service))
+(typeattributeset system_block_device_28_0 (system_block_device))
+(typeattributeset system_boot_reason_prop_28_0 (system_boot_reason_prop))
+(typeattributeset system_data_file_28_0
+ ( dropbox_data_file
+ system_data_file
+ packages_list_file))
+(typeattributeset system_file_28_0
+ ( system_file
+ system_asan_options_file
+ system_lib_file
+ system_linker_config_file
+ system_linker_exec
+ system_seccomp_policy_file
+ system_security_cacerts_file
+ tcpdump_exec
+ system_zoneinfo_file
+))
+(typeattributeset systemkeys_data_file_28_0 (systemkeys_data_file))
+(typeattributeset system_ndebug_socket_28_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_28_0 (system_net_netd_hwservice))
+(typeattributeset system_prop_28_0 (system_prop))
+(typeattributeset system_radio_prop_28_0 (system_radio_prop))
+(typeattributeset system_server_28_0 (system_server))
+(typeattributeset system_update_service_28_0 (system_update_service))
+(typeattributeset system_wifi_keystore_hwservice_28_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_28_0 (system_wpa_socket))
+(typeattributeset task_service_28_0 (task_service))
+(typeattributeset tee_28_0 (tee))
+(typeattributeset tee_data_file_28_0 (tee_data_file))
+(typeattributeset tee_device_28_0 (tee_device))
+(typeattributeset telecom_service_28_0 (telecom_service))
+(typeattributeset test_boot_reason_prop_28_0 (test_boot_reason_prop))
+(typeattributeset textclassification_service_28_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_28_0 (textclassifier_data_file))
+(typeattributeset textservices_service_28_0 (textservices_service))
+(typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice))
+(typeattributeset thermal_service_28_0 (thermal_service))
+(typeattributeset timezone_service_28_0 (timezone_service))
+(typeattributeset tmpfs_28_0
+ ( mnt_sdcard_file
+ tmpfs))
+(typeattributeset tombstoned_28_0 (tombstoned))
+(typeattributeset tombstone_data_file_28_0 (tombstone_data_file))
+(typeattributeset tombstoned_crash_socket_28_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_28_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_28_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_28_0 (tombstoned_java_trace_socket))
+(typeattributeset tombstone_wifi_data_file_28_0 (tombstone_wifi_data_file))
+(typeattributeset toolbox_28_0 (toolbox))
+(typeattributeset toolbox_exec_28_0 (toolbox_exec))
+(typeattributeset trace_data_file_28_0 (trace_data_file))
+(typeattributeset traced_consumer_socket_28_0 (traced_consumer_socket))
+(typeattributeset traced_enabled_prop_28_0 (traced_enabled_prop))
+(typeattributeset traced_probes_28_0 (traced_probes))
+(typeattributeset traced_producer_socket_28_0 (traced_producer_socket))
+(typeattributeset traceur_app_28_0 (traceur_app))
+(typeattributeset trust_service_28_0 (trust_service))
+(typeattributeset tty_device_28_0 (tty_device))
+(typeattributeset tun_device_28_0 (tun_device))
+(typeattributeset tv_input_service_28_0 (tv_input_service))
+(typeattributeset tzdatacheck_28_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_28_0 (tzdatacheck_exec))
+(typeattributeset ueventd_28_0 (ueventd))
+(typeattributeset uhid_device_28_0 (uhid_device))
+(typeattributeset uimode_service_28_0 (uimode_service))
+(typeattributeset uio_device_28_0 (uio_device))
+(typeattributeset uncrypt_28_0 (uncrypt))
+(typeattributeset uncrypt_exec_28_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_28_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_28_0 (unencrypted_data_file))
+(typeattributeset unlabeled_28_0 (unlabeled))
+(typeattributeset untrusted_app_25_28_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_28_0 (untrusted_app_27))
+(typeattributeset untrusted_app_28_0 (untrusted_app))
+(typeattributeset untrusted_v2_app_28_0 (untrusted_v2_app))
+(typeattributeset update_engine_28_0 (update_engine))
+(typeattributeset update_engine_data_file_28_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_28_0 (update_engine_exec))
+(typeattributeset update_engine_log_data_file_28_0 (update_engine_log_data_file))
+(typeattributeset update_engine_service_28_0 (update_engine_service))
+(typeattributeset updatelock_service_28_0 (updatelock_service))
+(typeattributeset update_verifier_28_0 (update_verifier))
+(typeattributeset update_verifier_exec_28_0 (update_verifier_exec))
+(typeattributeset usagestats_service_28_0 (usagestats_service))
+(typeattributeset usbaccessory_device_28_0 (usbaccessory_device))
+(typeattributeset usbd_28_0 (usbd))
+(typeattributeset usb_device_28_0 (usb_device))
+(typeattributeset usbd_exec_28_0 (usbd_exec))
+(typeattributeset usbfs_28_0 (usbfs))
+(typeattributeset usb_service_28_0 (usb_service))
+(typeattributeset userdata_block_device_28_0 (userdata_block_device))
+(typeattributeset usermodehelper_28_0 (usermodehelper))
+(typeattributeset user_profile_data_file_28_0 (user_profile_data_file))
+(typeattributeset user_service_28_0 (user_service))
+(typeattributeset vcs_device_28_0 (vcs_device))
+(typeattributeset vdc_28_0 (vdc))
+(typeattributeset vdc_exec_28_0 (vdc_exec))
+(typeattributeset vendor_app_file_28_0 (vendor_app_file))
+(typeattributeset vendor_configs_file_28_0 (vendor_configs_file))
+(typeattributeset vendor_data_file_28_0 (vendor_data_file))
+(typeattributeset vendor_default_prop_28_0 (vendor_default_prop))
+(typeattributeset vendor_file_28_0 (vendor_file))
+(typeattributeset vendor_framework_file_28_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_28_0 (vendor_hal_file))
+(typeattributeset vendor_init_28_0 (vendor_init))
+(typeattributeset vendor_overlay_file_28_0 (vendor_overlay_file))
+(typeattributeset vendor_security_patch_level_prop_28_0 (vendor_security_patch_level_prop))
+(typeattributeset vendor_shell_28_0 (vendor_shell))
+(typeattributeset vendor_shell_exec_28_0 (vendor_shell_exec))
+(typeattributeset vendor_toolbox_exec_28_0 (vendor_toolbox_exec))
+(typeattributeset vfat_28_0 (vfat))
+(typeattributeset vibrator_service_28_0 (vibrator_service))
+(typeattributeset video_device_28_0 (video_device))
+(typeattributeset virtual_touchpad_28_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_28_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_28_0 (virtual_touchpad_service))
+(typeattributeset vndbinder_device_28_0 (vndbinder_device))
+(typeattributeset vndk_sp_file_28_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_28_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_28_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_28_0 (voiceinteraction_service))
+(typeattributeset vold_28_0 (vold))
+(typeattributeset vold_data_file_28_0 (vold_data_file))
+(typeattributeset vold_device_28_0 (vold_device))
+(typeattributeset vold_exec_28_0 (vold_exec))
+(typeattributeset vold_metadata_file_28_0 (vold_metadata_file))
+(typeattributeset vold_prepare_subdirs_28_0 (vold_prepare_subdirs))
+(typeattributeset vold_prepare_subdirs_exec_28_0 (vold_prepare_subdirs_exec))
+(typeattributeset vold_prop_28_0 (vold_prop))
+(typeattributeset vold_service_28_0 (vold_service))
+(typeattributeset vpn_data_file_28_0 (vpn_data_file))
+(typeattributeset vr_hwc_28_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_28_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_28_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_28_0 (vr_manager_service))
+(typeattributeset wallpaper_file_28_0 (wallpaper_file))
+(typeattributeset wallpaper_service_28_0 (wallpaper_service))
+(typeattributeset watchdogd_28_0 (watchdogd))
+(typeattributeset watchdog_device_28_0 (watchdog_device))
+(typeattributeset webviewupdate_service_28_0 (webviewupdate_service))
+(typeattributeset webview_zygote_28_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_28_0 (webview_zygote_exec))
+(typeattributeset wifiaware_service_28_0 (wifiaware_service))
+(typeattributeset wificond_28_0 (wificond))
+(typeattributeset wificond_exec_28_0 (wificond_exec))
+(typeattributeset wificond_service_28_0 (wificond_service))
+(typeattributeset wifi_data_file_28_0 (wifi_data_file))
+(typeattributeset wifi_log_prop_28_0 (wifi_log_prop))
+(typeattributeset wifip2p_service_28_0 (wifip2p_service))
+(typeattributeset wifi_prop_28_0 (wifi_prop))
+(typeattributeset wifiscanner_service_28_0 (wifiscanner_service))
+(typeattributeset wifi_service_28_0 (wifi_service))
+(typeattributeset window_service_28_0 (window_service))
+(typeattributeset wpantund_28_0 (wpantund))
+(typeattributeset wpantund_exec_28_0 (wpantund_exec))
+(typeattributeset wpantund_service_28_0 (wpantund_service))
+(typeattributeset wpa_socket_28_0 (wpa_socket))
+(typeattributeset zero_device_28_0 (zero_device))
+(typeattributeset zoneinfo_data_file_28_0 (zoneinfo_data_file))
+(typeattributeset zygote_28_0 (zygote))
+(typeattributeset zygote_exec_28_0 (zygote_exec))
+(typeattributeset zygote_socket_28_0 (zygote_socket))
diff --git a/prebuilts/api/31.0/private/compat/26.0/26.0.compat.cil b/prebuilts/api/33.0/private/compat/28.0/28.0.compat.cil
similarity index 100%
rename from prebuilts/api/31.0/private/compat/26.0/26.0.compat.cil
rename to prebuilts/api/33.0/private/compat/28.0/28.0.compat.cil
diff --git a/prebuilts/api/33.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/33.0/private/compat/28.0/28.0.ignore.cil
new file mode 100644
index 0000000..e7ddf48
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/28.0/28.0.ignore.cil
@@ -0,0 +1,160 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ activity_task_service
+ adb_service
+ apex_data_file
+ apex_metadata_file
+ apex_mnt_dir
+ apex_service
+ apexd
+ apexd_exec
+ apexd_prop
+ apexd_tmpfs
+ appdomain_tmpfs
+ app_binding_service
+ app_prediction_service
+ app_zygote
+ app_zygote_tmpfs
+ ashmemd
+ ashmem_device_service
+ attention_service
+ biometric_service
+ bluetooth_audio_hal_prop
+ bpf_progs_loaded_prop
+ bugreport_service
+ cgroup_desc_file
+ cgroup_rc_file
+ charger_exec
+ content_capture_service
+ content_suggestions_service
+ cpu_variant_prop
+ ctl_apexd_prop
+ ctl_gsid_prop
+ dev_cpu_variant
+ device_config_activity_manager_native_boot_prop
+ device_config_boot_count_prop
+ device_config_input_native_boot_prop
+ device_config_netd_native_prop
+ device_config_reset_performed_prop
+ device_config_runtime_native_boot_prop
+ device_config_runtime_native_prop
+ device_config_media_native_prop
+ device_config_service
+ device_config_sys_traced_prop
+ dnsresolver_service
+ dynamic_system_service
+ dynamic_system_prop
+ face_service
+ face_vendor_data_file
+ sota_prop
+ fastbootd
+ flags_health_check
+ flags_health_check_exec
+ fwk_bufferhub_hwservice
+ fwk_camera_hwservice
+ fwk_stats_hwservice
+ gpuservice
+ gsi_data_file
+ gsi_metadata_file
+ gsi_public_metadata_file
+ gsi_service
+ gsid
+ gsid_exec
+ gsid_prop
+ color_display_service
+ external_vibrator_service
+ hal_atrace_hwservice
+ hal_face_hwservice
+ hal_graphics_composer_server_tmpfs
+ hal_health_storage_hwservice
+ hal_input_classifier_hwservice
+ hal_power_stats_hwservice
+ heapprofd
+ heapprofd_enabled_prop
+ heapprofd_exec
+ heapprofd_prop
+ heapprofd_socket
+ idmap_service
+ iris_service
+ iris_vendor_data_file
+ llkd
+ llkd_exec
+ llkd_prop
+ llkd_tmpfs
+ looper_stats_service
+ lpdumpd
+ lpdumpd_exec
+ lpdumpd_prop
+ lpdump_service
+ iorapd
+ iorapd_exec
+ iorapd_data_file
+ iorapd_service
+ iorapd_tmpfs
+ mediaswcodec
+ mediaswcodec_exec
+ mediaswcodec_tmpfs
+ metadata_bootstat_file
+ mnt_product_file
+ network_stack
+ network_stack_service
+ network_stack_tmpfs
+ nnapi_ext_deny_product_prop
+ overlayfs_file
+ password_slot_metadata_file
+ permissionmgr_service
+ postinstall_apex_mnt_dir
+ recovery_socket
+ role_service
+ rollback_service
+ rs
+ rs_exec
+ rss_hwm_reset
+ rss_hwm_reset_exec
+ runas_app
+ runas_app_tmpfs
+ art_apex_dir
+ runtime_service
+ sdcard_block_device
+ sensor_privacy_service
+ server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
+ socket_hook_prop
+ su_tmpfs
+ super_block_device
+ sysfs_fs_f2fs
+ system_bootstrap_lib_file
+ system_event_log_tags_file
+ system_lmk_prop
+ system_suspend_hwservice
+ system_suspend_control_service
+ system_trace_prop
+ staging_data_file
+ task_profiles_file
+ testharness_service
+ test_harness_prop
+ theme_prop
+ time_prop
+ timedetector_service
+ timezonedetector_service
+ traced_lazy_prop
+ uri_grants_service
+ use_memfd_prop
+ vendor_apex_file
+ vendor_cgroup_desc_file
+ vendor_idc_file
+ vendor_keychars_file
+ vendor_keylayout_file
+ vendor_misc_writer
+ vendor_misc_writer_exec
+ vendor_socket_hook_prop
+ vendor_task_profiles_file
+ vndk_prop
+ vrflinger_vsync_service
+ watchdogd_tmpfs))
diff --git a/prebuilts/api/33.0/private/compat/29.0/29.0.cil b/prebuilts/api/33.0/private/compat/29.0/29.0.cil
new file mode 100644
index 0000000..0fb0a1c
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/29.0/29.0.cil
@@ -0,0 +1,1983 @@
+;; types removed from current policy
+(type ashmemd)
+(type exported_audio_prop)
+(type exported_dalvik_prop)
+(type exported_vold_prop)
+(type exported2_config_prop)
+(type exported2_vold_prop)
+(type hal_wifi_offload_hwservice)
+(type install_recovery)
+(type install_recovery_exec)
+(type mediacodec_service)
+(type perfprofd_data_file)
+(type perfprofd_service)
+(type sysfs_mac_address)
+(type wificond_service)
+
+(expandtypeattribute (accessibility_service_29_0) true)
+(expandtypeattribute (account_service_29_0) true)
+(expandtypeattribute (activity_service_29_0) true)
+(expandtypeattribute (activity_task_service_29_0) true)
+(expandtypeattribute (adbd_29_0) true)
+(expandtypeattribute (adb_data_file_29_0) true)
+(expandtypeattribute (adbd_exec_29_0) true)
+(expandtypeattribute (adbd_socket_29_0) true)
+(expandtypeattribute (adb_keys_file_29_0) true)
+(expandtypeattribute (adb_service_29_0) true)
+(expandtypeattribute (alarm_service_29_0) true)
+(expandtypeattribute (anr_data_file_29_0) true)
+(expandtypeattribute (apexd_29_0) true)
+(expandtypeattribute (apex_data_file_29_0) true)
+(expandtypeattribute (apexd_exec_29_0) true)
+(expandtypeattribute (apexd_prop_29_0) true)
+(expandtypeattribute (apex_metadata_file_29_0) true)
+(expandtypeattribute (apex_mnt_dir_29_0) true)
+(expandtypeattribute (apex_service_29_0) true)
+(expandtypeattribute (apk_data_file_29_0) true)
+(expandtypeattribute (apk_private_data_file_29_0) true)
+(expandtypeattribute (apk_private_tmp_file_29_0) true)
+(expandtypeattribute (apk_tmp_file_29_0) true)
+(expandtypeattribute (app_binding_service_29_0) true)
+(expandtypeattribute (app_data_file_29_0) true)
+(expandtypeattribute (appdomain_tmpfs_29_0) true)
+(expandtypeattribute (app_fuse_file_29_0) true)
+(expandtypeattribute (app_fusefs_29_0) true)
+(expandtypeattribute (appops_service_29_0) true)
+(expandtypeattribute (app_prediction_service_29_0) true)
+(expandtypeattribute (appwidget_service_29_0) true)
+(expandtypeattribute (app_zygote_29_0) true)
+(expandtypeattribute (app_zygote_tmpfs_29_0) true)
+(expandtypeattribute (asec_apk_file_29_0) true)
+(expandtypeattribute (asec_image_file_29_0) true)
+(expandtypeattribute (asec_public_file_29_0) true)
+(expandtypeattribute (ashmemd_29_0) true)
+(expandtypeattribute (ashmem_device_29_0) true)
+(expandtypeattribute (assetatlas_service_29_0) true)
+(expandtypeattribute (audio_data_file_29_0) true)
+(expandtypeattribute (audio_device_29_0) true)
+(expandtypeattribute (audiohal_data_file_29_0) true)
+(expandtypeattribute (audio_prop_29_0) true)
+(expandtypeattribute (audioserver_29_0) true)
+(expandtypeattribute (audioserver_data_file_29_0) true)
+(expandtypeattribute (audioserver_service_29_0) true)
+(expandtypeattribute (audioserver_tmpfs_29_0) true)
+(expandtypeattribute (audio_service_29_0) true)
+(expandtypeattribute (autofill_service_29_0) true)
+(expandtypeattribute (backup_data_file_29_0) true)
+(expandtypeattribute (backup_service_29_0) true)
+(expandtypeattribute (batteryproperties_service_29_0) true)
+(expandtypeattribute (battery_service_29_0) true)
+(expandtypeattribute (batterystats_service_29_0) true)
+(expandtypeattribute (binder_calls_stats_service_29_0) true)
+(expandtypeattribute (binder_device_29_0) true)
+(expandtypeattribute (binfmt_miscfs_29_0) true)
+(expandtypeattribute (biometric_service_29_0) true)
+(expandtypeattribute (blkid_29_0) true)
+(expandtypeattribute (blkid_untrusted_29_0) true)
+(expandtypeattribute (block_device_29_0) true)
+(expandtypeattribute (bluetooth_29_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_29_0) true)
+(expandtypeattribute (bluetooth_audio_hal_prop_29_0) true)
+(expandtypeattribute (bluetooth_data_file_29_0) true)
+(expandtypeattribute (bluetooth_efs_file_29_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_29_0) true)
+(expandtypeattribute (bluetooth_manager_service_29_0) true)
+(expandtypeattribute (bluetooth_prop_29_0) true)
+(expandtypeattribute (bluetooth_service_29_0) true)
+(expandtypeattribute (bluetooth_socket_29_0) true)
+(expandtypeattribute (bootanim_29_0) true)
+(expandtypeattribute (bootanim_exec_29_0) true)
+(expandtypeattribute (boot_block_device_29_0) true)
+(expandtypeattribute (bootchart_data_file_29_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_29_0) true)
+(expandtypeattribute (bootstat_29_0) true)
+(expandtypeattribute (bootstat_data_file_29_0) true)
+(expandtypeattribute (bootstat_exec_29_0) true)
+(expandtypeattribute (boottime_prop_29_0) true)
+(expandtypeattribute (boottrace_data_file_29_0) true)
+(expandtypeattribute (bpf_progs_loaded_prop_29_0) true)
+(expandtypeattribute (broadcastradio_service_29_0) true)
+(expandtypeattribute (bufferhubd_29_0) true)
+(expandtypeattribute (bufferhubd_exec_29_0) true)
+(expandtypeattribute (bugreport_service_29_0) true)
+(expandtypeattribute (cache_backup_file_29_0) true)
+(expandtypeattribute (cache_block_device_29_0) true)
+(expandtypeattribute (cache_file_29_0) true)
+(expandtypeattribute (cache_private_backup_file_29_0) true)
+(expandtypeattribute (cache_recovery_file_29_0) true)
+(expandtypeattribute (camera_data_file_29_0) true)
+(expandtypeattribute (camera_device_29_0) true)
+(expandtypeattribute (cameraproxy_service_29_0) true)
+(expandtypeattribute (cameraserver_29_0) true)
+(expandtypeattribute (cameraserver_exec_29_0) true)
+(expandtypeattribute (cameraserver_service_29_0) true)
+(expandtypeattribute (cameraserver_tmpfs_29_0) true)
+(expandtypeattribute (cgroup_29_0) true)
+(expandtypeattribute (cgroup_bpf_29_0) true)
+(expandtypeattribute (cgroup_desc_file_29_0) true)
+(expandtypeattribute (cgroup_rc_file_29_0) true)
+(expandtypeattribute (charger_29_0) true)
+(expandtypeattribute (charger_exec_29_0) true)
+(expandtypeattribute (clatd_29_0) true)
+(expandtypeattribute (clatd_exec_29_0) true)
+(expandtypeattribute (clipboard_service_29_0) true)
+(expandtypeattribute (color_display_service_29_0) true)
+(expandtypeattribute (companion_device_service_29_0) true)
+(expandtypeattribute (configfs_29_0) true)
+(expandtypeattribute (config_prop_29_0) true)
+(expandtypeattribute (connectivity_service_29_0) true)
+(expandtypeattribute (connmetrics_service_29_0) true)
+(expandtypeattribute (console_device_29_0) true)
+(expandtypeattribute (consumer_ir_service_29_0) true)
+(expandtypeattribute (content_capture_service_29_0) true)
+(expandtypeattribute (content_service_29_0) true)
+(expandtypeattribute (content_suggestions_service_29_0) true)
+(expandtypeattribute (contexthub_service_29_0) true)
+(expandtypeattribute (coredump_file_29_0) true)
+(expandtypeattribute (country_detector_service_29_0) true)
+(expandtypeattribute (coverage_service_29_0) true)
+(expandtypeattribute (cppreopt_prop_29_0) true)
+(expandtypeattribute (cpuinfo_service_29_0) true)
+(expandtypeattribute (cpu_variant_prop_29_0) true)
+(expandtypeattribute (crash_dump_29_0) true)
+(expandtypeattribute (crash_dump_exec_29_0) true)
+(expandtypeattribute (crossprofileapps_service_29_0) true)
+(expandtypeattribute (ctl_adbd_prop_29_0) true)
+(expandtypeattribute (ctl_bootanim_prop_29_0) true)
+(expandtypeattribute (ctl_bugreport_prop_29_0) true)
+(expandtypeattribute (ctl_console_prop_29_0) true)
+(expandtypeattribute (ctl_default_prop_29_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_29_0) true)
+(expandtypeattribute (ctl_fuse_prop_29_0) true)
+(expandtypeattribute (ctl_gsid_prop_29_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_29_0) true)
+(expandtypeattribute (ctl_interface_start_prop_29_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_29_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_29_0) true)
+(expandtypeattribute (ctl_restart_prop_29_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_29_0) true)
+(expandtypeattribute (ctl_sigstop_prop_29_0) true)
+(expandtypeattribute (ctl_start_prop_29_0) true)
+(expandtypeattribute (ctl_stop_prop_29_0) true)
+(expandtypeattribute (dalvikcache_data_file_29_0) true)
+(expandtypeattribute (dalvik_prop_29_0) true)
+(expandtypeattribute (dbinfo_service_29_0) true)
+(expandtypeattribute (debugfs_29_0) true)
+(expandtypeattribute (debugfs_mmc_29_0) true)
+(expandtypeattribute (debugfs_trace_marker_29_0) true)
+(expandtypeattribute (debugfs_tracing_29_0) true)
+(expandtypeattribute (debugfs_tracing_debug_29_0) true)
+(expandtypeattribute (debugfs_tracing_instances_29_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_29_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_29_0) true)
+(expandtypeattribute (debuggerd_prop_29_0) true)
+(expandtypeattribute (debug_prop_29_0) true)
+(expandtypeattribute (default_android_hwservice_29_0) true)
+(expandtypeattribute (default_android_service_29_0) true)
+(expandtypeattribute (default_android_vndservice_29_0) true)
+(expandtypeattribute (default_prop_29_0) true)
+(expandtypeattribute (dev_cpu_variant_29_0) true)
+(expandtypeattribute (device_29_0) true)
+(expandtypeattribute (device_config_activity_manager_native_boot_prop_29_0) true)
+(expandtypeattribute (device_config_boot_count_prop_29_0) true)
+(expandtypeattribute (device_config_input_native_boot_prop_29_0) true)
+(expandtypeattribute (device_config_media_native_prop_29_0) true)
+(expandtypeattribute (device_config_netd_native_prop_29_0) true)
+(expandtypeattribute (device_config_reset_performed_prop_29_0) true)
+(expandtypeattribute (device_config_runtime_native_boot_prop_29_0) true)
+(expandtypeattribute (device_config_runtime_native_prop_29_0) true)
+(expandtypeattribute (device_config_service_29_0) true)
+(expandtypeattribute (device_identifiers_service_29_0) true)
+(expandtypeattribute (deviceidle_service_29_0) true)
+(expandtypeattribute (device_logging_prop_29_0) true)
+(expandtypeattribute (device_policy_service_29_0) true)
+(expandtypeattribute (devicestoragemonitor_service_29_0) true)
+(expandtypeattribute (devpts_29_0) true)
+(expandtypeattribute (dhcp_29_0) true)
+(expandtypeattribute (dhcp_data_file_29_0) true)
+(expandtypeattribute (dhcp_exec_29_0) true)
+(expandtypeattribute (dhcp_prop_29_0) true)
+(expandtypeattribute (diskstats_service_29_0) true)
+(expandtypeattribute (display_service_29_0) true)
+(expandtypeattribute (dm_device_29_0) true)
+(expandtypeattribute (dnsmasq_29_0) true)
+(expandtypeattribute (dnsmasq_exec_29_0) true)
+(expandtypeattribute (dnsproxyd_socket_29_0) true)
+(expandtypeattribute (dnsresolver_service_29_0) true)
+(expandtypeattribute (DockObserver_service_29_0) true)
+(expandtypeattribute (dreams_service_29_0) true)
+(expandtypeattribute (drm_data_file_29_0) true)
+(expandtypeattribute (drmserver_29_0) true)
+(expandtypeattribute (drmserver_exec_29_0) true)
+(expandtypeattribute (drmserver_service_29_0) true)
+(expandtypeattribute (drmserver_socket_29_0) true)
+(expandtypeattribute (dropbox_data_file_29_0) true)
+(expandtypeattribute (dropbox_service_29_0) true)
+(expandtypeattribute (dumpstate_29_0) true)
+(expandtypeattribute (dumpstate_exec_29_0) true)
+(expandtypeattribute (dumpstate_options_prop_29_0) true)
+(expandtypeattribute (dumpstate_prop_29_0) true)
+(expandtypeattribute (dumpstate_service_29_0) true)
+(expandtypeattribute (dumpstate_socket_29_0) true)
+(expandtypeattribute (dynamic_system_prop_29_0) true)
+(expandtypeattribute (e2fs_29_0) true)
+(expandtypeattribute (e2fs_exec_29_0) true)
+(expandtypeattribute (efs_file_29_0) true)
+(expandtypeattribute (ephemeral_app_29_0) true)
+(expandtypeattribute (ethernet_service_29_0) true)
+(expandtypeattribute (exfat_29_0) true)
+(expandtypeattribute (exported2_config_prop_29_0) true)
+(expandtypeattribute (exported2_default_prop_29_0) true)
+(expandtypeattribute (exported2_radio_prop_29_0) true)
+(expandtypeattribute (exported2_system_prop_29_0) true)
+(expandtypeattribute (exported2_vold_prop_29_0) true)
+(expandtypeattribute (exported3_default_prop_29_0) true)
+(expandtypeattribute (exported3_radio_prop_29_0) true)
+(expandtypeattribute (exported3_system_prop_29_0) true)
+(expandtypeattribute (exported_audio_prop_29_0) true)
+(expandtypeattribute (exported_bluetooth_prop_29_0) true)
+(expandtypeattribute (exported_config_prop_29_0) true)
+(expandtypeattribute (exported_dalvik_prop_29_0) true)
+(expandtypeattribute (exported_default_prop_29_0) true)
+(expandtypeattribute (exported_dumpstate_prop_29_0) true)
+(expandtypeattribute (exported_ffs_prop_29_0) true)
+(expandtypeattribute (exported_fingerprint_prop_29_0) true)
+(expandtypeattribute (exported_overlay_prop_29_0) true)
+(expandtypeattribute (exported_pm_prop_29_0) true)
+(expandtypeattribute (exported_radio_prop_29_0) true)
+(expandtypeattribute (exported_secure_prop_29_0) true)
+(expandtypeattribute (exported_system_prop_29_0) true)
+(expandtypeattribute (exported_system_radio_prop_29_0) true)
+(expandtypeattribute (exported_vold_prop_29_0) true)
+(expandtypeattribute (exported_wifi_prop_29_0) true)
+(expandtypeattribute (external_vibrator_service_29_0) true)
+(expandtypeattribute (face_service_29_0) true)
+(expandtypeattribute (face_vendor_data_file_29_0) true)
+(expandtypeattribute (fastbootd_29_0) true)
+(expandtypeattribute (ffs_prop_29_0) true)
+(expandtypeattribute (file_contexts_file_29_0) true)
+(expandtypeattribute (fingerprintd_29_0) true)
+(expandtypeattribute (fingerprintd_data_file_29_0) true)
+(expandtypeattribute (fingerprintd_exec_29_0) true)
+(expandtypeattribute (fingerprintd_service_29_0) true)
+(expandtypeattribute (fingerprint_prop_29_0) true)
+(expandtypeattribute (fingerprint_service_29_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_29_0) true)
+(expandtypeattribute (firstboot_prop_29_0) true)
+(expandtypeattribute (flags_health_check_29_0) true)
+(expandtypeattribute (flags_health_check_exec_29_0) true)
+(expandtypeattribute (font_service_29_0) true)
+(expandtypeattribute (frp_block_device_29_0) true)
+(expandtypeattribute (fs_bpf_29_0) true)
+(expandtypeattribute (fsck_29_0) true)
+(expandtypeattribute (fsck_exec_29_0) true)
+(expandtypeattribute (fscklogs_29_0) true)
+(expandtypeattribute (fsck_untrusted_29_0) true)
+(expandtypeattribute (functionfs_29_0) true)
+(expandtypeattribute (fuse_29_0) true)
+(expandtypeattribute (fuse_device_29_0) true)
+(expandtypeattribute (fwk_bufferhub_hwservice_29_0) true)
+(expandtypeattribute (fwk_camera_hwservice_29_0) true)
+(expandtypeattribute (fwk_display_hwservice_29_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_29_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_29_0) true)
+(expandtypeattribute (fwk_stats_hwservice_29_0) true)
+(expandtypeattribute (fwmarkd_socket_29_0) true)
+(expandtypeattribute (gatekeeperd_29_0) true)
+(expandtypeattribute (gatekeeper_data_file_29_0) true)
+(expandtypeattribute (gatekeeperd_exec_29_0) true)
+(expandtypeattribute (gatekeeper_service_29_0) true)
+(expandtypeattribute (gfxinfo_service_29_0) true)
+(expandtypeattribute (gps_control_29_0) true)
+(expandtypeattribute (gpu_device_29_0) true)
+(expandtypeattribute (gpu_service_29_0) true)
+(expandtypeattribute (gpuservice_29_0) true)
+(expandtypeattribute (graphics_device_29_0) true)
+(expandtypeattribute (graphicsstats_service_29_0) true)
+(expandtypeattribute (gsi_data_file_29_0) true)
+(expandtypeattribute (gsid_prop_29_0) true)
+(expandtypeattribute (gsi_metadata_file_29_0) true)
+(expandtypeattribute (hal_atrace_hwservice_29_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_29_0) true)
+(expandtypeattribute (hal_audio_hwservice_29_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_29_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_29_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_29_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_29_0) true)
+(expandtypeattribute (hal_camera_hwservice_29_0) true)
+(expandtypeattribute (hal_cas_hwservice_29_0) true)
+(expandtypeattribute (hal_codec2_hwservice_29_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_29_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_29_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_29_0) true)
+(expandtypeattribute (hal_drm_hwservice_29_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_29_0) true)
+(expandtypeattribute (hal_evs_hwservice_29_0) true)
+(expandtypeattribute (hal_face_hwservice_29_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_29_0) true)
+(expandtypeattribute (hal_fingerprint_service_29_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_29_0) true)
+(expandtypeattribute (hal_gnss_hwservice_29_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_29_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_29_0) true)
+(expandtypeattribute (hal_graphics_composer_server_tmpfs_29_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_29_0) true)
+(expandtypeattribute (hal_health_hwservice_29_0) true)
+(expandtypeattribute (hal_health_storage_hwservice_29_0) true)
+(expandtypeattribute (hal_input_classifier_hwservice_29_0) true)
+(expandtypeattribute (hal_ir_hwservice_29_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_29_0) true)
+(expandtypeattribute (hal_light_hwservice_29_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_29_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_29_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_29_0) true)
+(expandtypeattribute (hal_nfc_hwservice_29_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_29_0) true)
+(expandtypeattribute (hal_omx_hwservice_29_0) true)
+(expandtypeattribute (hal_power_hwservice_29_0) true)
+(expandtypeattribute (hal_power_stats_hwservice_29_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_29_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_29_0) true)
+(expandtypeattribute (hal_sensors_hwservice_29_0) true)
+(expandtypeattribute (hal_telephony_hwservice_29_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_29_0) true)
+(expandtypeattribute (hal_thermal_hwservice_29_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_29_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_29_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_29_0) true)
+(expandtypeattribute (hal_usb_hwservice_29_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_29_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_29_0) true)
+(expandtypeattribute (hal_vr_hwservice_29_0) true)
+(expandtypeattribute (hal_weaver_hwservice_29_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_29_0) true)
+(expandtypeattribute (hal_wifi_hwservice_29_0) true)
+(expandtypeattribute (hal_wifi_offload_hwservice_29_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_29_0) true)
+(expandtypeattribute (hardware_properties_service_29_0) true)
+(expandtypeattribute (hardware_service_29_0) true)
+(expandtypeattribute (hci_attach_dev_29_0) true)
+(expandtypeattribute (hdmi_control_service_29_0) true)
+(expandtypeattribute (healthd_29_0) true)
+(expandtypeattribute (healthd_exec_29_0) true)
+(expandtypeattribute (heapdump_data_file_29_0) true)
+(expandtypeattribute (heapprofd_29_0) true)
+(expandtypeattribute (heapprofd_enabled_prop_29_0) true)
+(expandtypeattribute (heapprofd_prop_29_0) true)
+(expandtypeattribute (heapprofd_socket_29_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_29_0) true)
+(expandtypeattribute (hidl_base_hwservice_29_0) true)
+(expandtypeattribute (hidl_manager_hwservice_29_0) true)
+(expandtypeattribute (hidl_memory_hwservice_29_0) true)
+(expandtypeattribute (hidl_token_hwservice_29_0) true)
+(expandtypeattribute (hwbinder_device_29_0) true)
+(expandtypeattribute (hw_random_device_29_0) true)
+(expandtypeattribute (hwservice_contexts_file_29_0) true)
+(expandtypeattribute (hwservicemanager_29_0) true)
+(expandtypeattribute (hwservicemanager_exec_29_0) true)
+(expandtypeattribute (hwservicemanager_prop_29_0) true)
+(expandtypeattribute (icon_file_29_0) true)
+(expandtypeattribute (idmap_29_0) true)
+(expandtypeattribute (idmap_exec_29_0) true)
+(expandtypeattribute (idmap_service_29_0) true)
+(expandtypeattribute (iio_device_29_0) true)
+(expandtypeattribute (imms_service_29_0) true)
+(expandtypeattribute (incident_29_0) true)
+(expandtypeattribute (incidentd_29_0) true)
+(expandtypeattribute (incident_data_file_29_0) true)
+(expandtypeattribute (incident_helper_29_0) true)
+(expandtypeattribute (incident_service_29_0) true)
+(expandtypeattribute (init_29_0) true)
+(expandtypeattribute (init_exec_29_0) true)
+(expandtypeattribute (init_tmpfs_29_0) true)
+(expandtypeattribute (inotify_29_0) true)
+(expandtypeattribute (input_device_29_0) true)
+(expandtypeattribute (inputflinger_29_0) true)
+(expandtypeattribute (inputflinger_exec_29_0) true)
+(expandtypeattribute (inputflinger_service_29_0) true)
+(expandtypeattribute (input_method_service_29_0) true)
+(expandtypeattribute (input_service_29_0) true)
+(expandtypeattribute (installd_29_0) true)
+(expandtypeattribute (install_data_file_29_0) true)
+(expandtypeattribute (installd_exec_29_0) true)
+(expandtypeattribute (installd_service_29_0) true)
+(expandtypeattribute (install_recovery_29_0) true)
+(expandtypeattribute (install_recovery_exec_29_0) true)
+(expandtypeattribute (ion_device_29_0) true)
+(expandtypeattribute (iorapd_29_0) true)
+(expandtypeattribute (iorapd_data_file_29_0) true)
+(expandtypeattribute (iorapd_exec_29_0) true)
+(expandtypeattribute (iorapd_service_29_0) true)
+(expandtypeattribute (iorapd_tmpfs_29_0) true)
+(expandtypeattribute (IProxyService_service_29_0) true)
+(expandtypeattribute (ipsec_service_29_0) true)
+(expandtypeattribute (iris_service_29_0) true)
+(expandtypeattribute (iris_vendor_data_file_29_0) true)
+(expandtypeattribute (isolated_app_29_0) true)
+(expandtypeattribute (jobscheduler_service_29_0) true)
+(expandtypeattribute (kernel_29_0) true)
+(expandtypeattribute (keychain_data_file_29_0) true)
+(expandtypeattribute (keychord_device_29_0) true)
+(expandtypeattribute (keystore_29_0) true)
+(expandtypeattribute (keystore_data_file_29_0) true)
+(expandtypeattribute (keystore_exec_29_0) true)
+(expandtypeattribute (keystore_service_29_0) true)
+(expandtypeattribute (kmsg_debug_device_29_0) true)
+(expandtypeattribute (kmsg_device_29_0) true)
+(expandtypeattribute (labeledfs_29_0) true)
+(expandtypeattribute (last_boot_reason_prop_29_0) true)
+(expandtypeattribute (launcherapps_service_29_0) true)
+(expandtypeattribute (llkd_29_0) true)
+(expandtypeattribute (llkd_exec_29_0) true)
+(expandtypeattribute (llkd_prop_29_0) true)
+(expandtypeattribute (lmkd_29_0) true)
+(expandtypeattribute (lmkd_exec_29_0) true)
+(expandtypeattribute (lmkd_socket_29_0) true)
+(expandtypeattribute (location_service_29_0) true)
+(expandtypeattribute (lock_settings_service_29_0) true)
+(expandtypeattribute (logcat_exec_29_0) true)
+(expandtypeattribute (logd_29_0) true)
+(expandtypeattribute (logd_exec_29_0) true)
+(expandtypeattribute (logd_prop_29_0) true)
+(expandtypeattribute (logdr_socket_29_0) true)
+(expandtypeattribute (logd_socket_29_0) true)
+(expandtypeattribute (logdw_socket_29_0) true)
+(expandtypeattribute (logpersist_29_0) true)
+(expandtypeattribute (logpersistd_logging_prop_29_0) true)
+(expandtypeattribute (log_prop_29_0) true)
+(expandtypeattribute (log_tag_prop_29_0) true)
+(expandtypeattribute (loop_control_device_29_0) true)
+(expandtypeattribute (loop_device_29_0) true)
+(expandtypeattribute (looper_stats_service_29_0) true)
+(expandtypeattribute (lowpan_device_29_0) true)
+(expandtypeattribute (lowpan_prop_29_0) true)
+(expandtypeattribute (lowpan_service_29_0) true)
+(expandtypeattribute (lpdumpd_prop_29_0) true)
+(expandtypeattribute (lpdump_service_29_0) true)
+(expandtypeattribute (mac_perms_file_29_0) true)
+(expandtypeattribute (mdnsd_29_0) true)
+(expandtypeattribute (mdnsd_socket_29_0) true)
+(expandtypeattribute (mdns_socket_29_0) true)
+(expandtypeattribute (mediacodec_service_29_0) true)
+(expandtypeattribute (media_data_file_29_0) true)
+(expandtypeattribute (mediadrmserver_29_0) true)
+(expandtypeattribute (mediadrmserver_exec_29_0) true)
+(expandtypeattribute (mediadrmserver_service_29_0) true)
+(expandtypeattribute (mediaextractor_29_0) true)
+(expandtypeattribute (mediaextractor_exec_29_0) true)
+(expandtypeattribute (mediaextractor_service_29_0) true)
+(expandtypeattribute (mediaextractor_tmpfs_29_0) true)
+(expandtypeattribute (mediametrics_29_0) true)
+(expandtypeattribute (mediametrics_exec_29_0) true)
+(expandtypeattribute (mediametrics_service_29_0) true)
+(expandtypeattribute (media_projection_service_29_0) true)
+(expandtypeattribute (mediaprovider_29_0) true)
+(expandtypeattribute (media_router_service_29_0) true)
+(expandtypeattribute (media_rw_data_file_29_0) true)
+(expandtypeattribute (mediaserver_29_0) true)
+(expandtypeattribute (mediaserver_exec_29_0) true)
+(expandtypeattribute (mediaserver_service_29_0) true)
+(expandtypeattribute (mediaserver_tmpfs_29_0) true)
+(expandtypeattribute (media_session_service_29_0) true)
+(expandtypeattribute (mediaswcodec_29_0) true)
+(expandtypeattribute (mediaswcodec_exec_29_0) true)
+(expandtypeattribute (meminfo_service_29_0) true)
+(expandtypeattribute (metadata_block_device_29_0) true)
+(expandtypeattribute (metadata_file_29_0) true)
+(expandtypeattribute (method_trace_data_file_29_0) true)
+(expandtypeattribute (midi_service_29_0) true)
+(expandtypeattribute (misc_block_device_29_0) true)
+(expandtypeattribute (misc_logd_file_29_0) true)
+(expandtypeattribute (misc_user_data_file_29_0) true)
+(expandtypeattribute (mmc_prop_29_0) true)
+(expandtypeattribute (mnt_expand_file_29_0) true)
+(expandtypeattribute (mnt_media_rw_file_29_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_29_0) true)
+(expandtypeattribute (mnt_product_file_29_0) true)
+(expandtypeattribute (mnt_user_file_29_0) true)
+(expandtypeattribute (mnt_vendor_file_29_0) true)
+(expandtypeattribute (modprobe_29_0) true)
+(expandtypeattribute (mount_service_29_0) true)
+(expandtypeattribute (mqueue_29_0) true)
+(expandtypeattribute (mtp_29_0) true)
+(expandtypeattribute (mtp_device_29_0) true)
+(expandtypeattribute (mtpd_socket_29_0) true)
+(expandtypeattribute (mtp_exec_29_0) true)
+(expandtypeattribute (nativetest_data_file_29_0) true)
+(expandtypeattribute (netd_29_0) true)
+(expandtypeattribute (net_data_file_29_0) true)
+(expandtypeattribute (netd_exec_29_0) true)
+(expandtypeattribute (netd_listener_service_29_0) true)
+(expandtypeattribute (net_dns_prop_29_0) true)
+(expandtypeattribute (netd_service_29_0) true)
+(expandtypeattribute (netd_stable_secret_prop_29_0) true)
+(expandtypeattribute (netif_29_0) true)
+(expandtypeattribute (netpolicy_service_29_0) true)
+(expandtypeattribute (net_radio_prop_29_0) true)
+(expandtypeattribute (netstats_service_29_0) true)
+(expandtypeattribute (netutils_wrapper_29_0) true)
+(expandtypeattribute (netutils_wrapper_exec_29_0) true)
+(expandtypeattribute (network_management_service_29_0) true)
+(expandtypeattribute (network_score_service_29_0) true)
+(expandtypeattribute (network_stack_29_0) true)
+(expandtypeattribute (network_stack_service_29_0) true)
+(expandtypeattribute (network_time_update_service_29_0) true)
+(expandtypeattribute (network_watchlist_data_file_29_0) true)
+(expandtypeattribute (network_watchlist_service_29_0) true)
+(expandtypeattribute (nfc_29_0) true)
+(expandtypeattribute (nfc_data_file_29_0) true)
+(expandtypeattribute (nfc_device_29_0) true)
+(expandtypeattribute (nfc_prop_29_0) true)
+(expandtypeattribute (nfc_service_29_0) true)
+(expandtypeattribute (nnapi_ext_deny_product_prop_29_0) true)
+(expandtypeattribute (node_29_0) true)
+(expandtypeattribute (nonplat_service_contexts_file_29_0) true)
+(expandtypeattribute (notification_service_29_0) true)
+(expandtypeattribute (null_device_29_0) true)
+(expandtypeattribute (oemfs_29_0) true)
+(expandtypeattribute (oem_lock_service_29_0) true)
+(expandtypeattribute (ota_data_file_29_0) true)
+(expandtypeattribute (otadexopt_service_29_0) true)
+(expandtypeattribute (ota_package_file_29_0) true)
+(expandtypeattribute (overlayfs_file_29_0) true)
+(expandtypeattribute (overlay_prop_29_0) true)
+(expandtypeattribute (overlay_service_29_0) true)
+(expandtypeattribute (owntty_device_29_0) true)
+(expandtypeattribute (package_native_service_29_0) true)
+(expandtypeattribute (package_service_29_0) true)
+(expandtypeattribute (packages_list_file_29_0) true)
+(expandtypeattribute (pan_result_prop_29_0) true)
+(expandtypeattribute (password_slot_metadata_file_29_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_29_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_29_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_29_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_29_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_29_0) true)
+(expandtypeattribute (pdx_display_dir_29_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_29_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_29_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_29_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_29_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_29_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_29_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_29_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_29_0) true)
+(expandtypeattribute (pdx_performance_dir_29_0) true)
+(expandtypeattribute (perfetto_29_0) true)
+(expandtypeattribute (performanced_29_0) true)
+(expandtypeattribute (performanced_exec_29_0) true)
+(expandtypeattribute (permissionmgr_service_29_0) true)
+(expandtypeattribute (permission_service_29_0) true)
+(expandtypeattribute (persist_debug_prop_29_0) true)
+(expandtypeattribute (persistent_data_block_service_29_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_29_0) true)
+(expandtypeattribute (pinner_service_29_0) true)
+(expandtypeattribute (pipefs_29_0) true)
+(expandtypeattribute (platform_app_29_0) true)
+(expandtypeattribute (pm_prop_29_0) true)
+(expandtypeattribute (pmsg_device_29_0) true)
+(expandtypeattribute (port_29_0) true)
+(expandtypeattribute (port_device_29_0) true)
+(expandtypeattribute (postinstall_29_0) true)
+(expandtypeattribute (postinstall_apex_mnt_dir_29_0) true)
+(expandtypeattribute (postinstall_file_29_0) true)
+(expandtypeattribute (postinstall_mnt_dir_29_0) true)
+(expandtypeattribute (powerctl_prop_29_0) true)
+(expandtypeattribute (power_service_29_0) true)
+(expandtypeattribute (ppp_29_0) true)
+(expandtypeattribute (ppp_device_29_0) true)
+(expandtypeattribute (ppp_exec_29_0) true)
+(expandtypeattribute (preloads_data_file_29_0) true)
+(expandtypeattribute (preloads_media_file_29_0) true)
+(expandtypeattribute (print_service_29_0) true)
+(expandtypeattribute (priv_app_29_0) true)
+(expandtypeattribute (privapp_data_file_29_0) true)
+(expandtypeattribute (proc_29_0) true)
+(expandtypeattribute (proc_abi_29_0) true)
+(expandtypeattribute (proc_asound_29_0) true)
+(expandtypeattribute (proc_bluetooth_writable_29_0) true)
+(expandtypeattribute (proc_buddyinfo_29_0) true)
+(expandtypeattribute (proc_cmdline_29_0) true)
+(expandtypeattribute (proc_cpuinfo_29_0) true)
+(expandtypeattribute (proc_dirty_29_0) true)
+(expandtypeattribute (proc_diskstats_29_0) true)
+(expandtypeattribute (proc_drop_caches_29_0) true)
+(expandtypeattribute (processinfo_service_29_0) true)
+(expandtypeattribute (proc_extra_free_kbytes_29_0) true)
+(expandtypeattribute (proc_filesystems_29_0) true)
+(expandtypeattribute (proc_fs_verity_29_0) true)
+(expandtypeattribute (proc_hostname_29_0) true)
+(expandtypeattribute (proc_hung_task_29_0) true)
+(expandtypeattribute (proc_interrupts_29_0) true)
+(expandtypeattribute (proc_iomem_29_0) true)
+(expandtypeattribute (proc_keys_29_0) true)
+(expandtypeattribute (proc_kmsg_29_0) true)
+(expandtypeattribute (proc_loadavg_29_0) true)
+(expandtypeattribute (proc_max_map_count_29_0) true)
+(expandtypeattribute (proc_meminfo_29_0) true)
+(expandtypeattribute (proc_min_free_order_shift_29_0) true)
+(expandtypeattribute (proc_misc_29_0) true)
+(expandtypeattribute (proc_modules_29_0) true)
+(expandtypeattribute (proc_mounts_29_0) true)
+(expandtypeattribute (proc_net_29_0) true)
+(expandtypeattribute (proc_net_tcp_udp_29_0) true)
+(expandtypeattribute (proc_overcommit_memory_29_0) true)
+(expandtypeattribute (proc_page_cluster_29_0) true)
+(expandtypeattribute (proc_pagetypeinfo_29_0) true)
+(expandtypeattribute (proc_panic_29_0) true)
+(expandtypeattribute (proc_perf_29_0) true)
+(expandtypeattribute (proc_pid_max_29_0) true)
+(expandtypeattribute (proc_pipe_conf_29_0) true)
+(expandtypeattribute (proc_pressure_cpu_29_0) true)
+(expandtypeattribute (proc_pressure_io_29_0) true)
+(expandtypeattribute (proc_pressure_mem_29_0) true)
+(expandtypeattribute (proc_qtaguid_ctrl_29_0) true)
+(expandtypeattribute (proc_qtaguid_stat_29_0) true)
+(expandtypeattribute (proc_random_29_0) true)
+(expandtypeattribute (proc_sched_29_0) true)
+(expandtypeattribute (proc_security_29_0) true)
+(expandtypeattribute (proc_slabinfo_29_0) true)
+(expandtypeattribute (proc_stat_29_0) true)
+(expandtypeattribute (procstats_service_29_0) true)
+(expandtypeattribute (proc_swaps_29_0) true)
+(expandtypeattribute (proc_sysrq_29_0) true)
+(expandtypeattribute (proc_timer_29_0) true)
+(expandtypeattribute (proc_tty_drivers_29_0) true)
+(expandtypeattribute (proc_uid_concurrent_active_time_29_0) true)
+(expandtypeattribute (proc_uid_concurrent_policy_time_29_0) true)
+(expandtypeattribute (proc_uid_cpupower_29_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_29_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_29_0) true)
+(expandtypeattribute (proc_uid_io_stats_29_0) true)
+(expandtypeattribute (proc_uid_procstat_set_29_0) true)
+(expandtypeattribute (proc_uid_time_in_state_29_0) true)
+(expandtypeattribute (proc_uptime_29_0) true)
+(expandtypeattribute (proc_version_29_0) true)
+(expandtypeattribute (proc_vmallocinfo_29_0) true)
+(expandtypeattribute (proc_vmstat_29_0) true)
+(expandtypeattribute (proc_zoneinfo_29_0) true)
+(expandtypeattribute (profman_29_0) true)
+(expandtypeattribute (profman_dump_data_file_29_0) true)
+(expandtypeattribute (profman_exec_29_0) true)
+(expandtypeattribute (properties_device_29_0) true)
+(expandtypeattribute (properties_serial_29_0) true)
+(expandtypeattribute (property_contexts_file_29_0) true)
+(expandtypeattribute (property_data_file_29_0) true)
+(expandtypeattribute (property_info_29_0) true)
+(expandtypeattribute (property_socket_29_0) true)
+(expandtypeattribute (pstorefs_29_0) true)
+(expandtypeattribute (ptmx_device_29_0) true)
+(expandtypeattribute (qtaguid_device_29_0) true)
+(expandtypeattribute (racoon_29_0) true)
+(expandtypeattribute (racoon_exec_29_0) true)
+(expandtypeattribute (racoon_socket_29_0) true)
+(expandtypeattribute (radio_29_0) true)
+(expandtypeattribute (radio_data_file_29_0) true)
+(expandtypeattribute (radio_device_29_0) true)
+(expandtypeattribute (radio_prop_29_0) true)
+(expandtypeattribute (radio_service_29_0) true)
+(expandtypeattribute (ram_device_29_0) true)
+(expandtypeattribute (random_device_29_0) true)
+(expandtypeattribute (recovery_29_0) true)
+(expandtypeattribute (recovery_block_device_29_0) true)
+(expandtypeattribute (recovery_data_file_29_0) true)
+(expandtypeattribute (recovery_persist_29_0) true)
+(expandtypeattribute (recovery_persist_exec_29_0) true)
+(expandtypeattribute (recovery_refresh_29_0) true)
+(expandtypeattribute (recovery_refresh_exec_29_0) true)
+(expandtypeattribute (recovery_service_29_0) true)
+(expandtypeattribute (recovery_socket_29_0) true)
+(expandtypeattribute (registry_service_29_0) true)
+(expandtypeattribute (resourcecache_data_file_29_0) true)
+(expandtypeattribute (restorecon_prop_29_0) true)
+(expandtypeattribute (restrictions_service_29_0) true)
+(expandtypeattribute (rild_debug_socket_29_0) true)
+(expandtypeattribute (rild_socket_29_0) true)
+(expandtypeattribute (ringtone_file_29_0) true)
+(expandtypeattribute (role_service_29_0) true)
+(expandtypeattribute (rollback_service_29_0) true)
+(expandtypeattribute (root_block_device_29_0) true)
+(expandtypeattribute (rootfs_29_0) true)
+(expandtypeattribute (rpmsg_device_29_0) true)
+(expandtypeattribute (rs_29_0) true)
+(expandtypeattribute (rs_exec_29_0) true)
+(expandtypeattribute (rss_hwm_reset_29_0) true)
+(expandtypeattribute (rtc_device_29_0) true)
+(expandtypeattribute (rttmanager_service_29_0) true)
+(expandtypeattribute (runas_29_0) true)
+(expandtypeattribute (runas_app_29_0) true)
+(expandtypeattribute (runas_exec_29_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_29_0) true)
+(expandtypeattribute (runtime_service_29_0) true)
+(expandtypeattribute (safemode_prop_29_0) true)
+(expandtypeattribute (same_process_hal_file_29_0) true)
+(expandtypeattribute (samplingprofiler_service_29_0) true)
+(expandtypeattribute (scheduling_policy_service_29_0) true)
+(expandtypeattribute (sdcard_block_device_29_0) true)
+(expandtypeattribute (sdcardd_29_0) true)
+(expandtypeattribute (sdcardd_exec_29_0) true)
+(expandtypeattribute (sdcardfs_29_0) true)
+(expandtypeattribute (seapp_contexts_file_29_0) true)
+(expandtypeattribute (search_service_29_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_29_0) true)
+(expandtypeattribute (secure_element_29_0) true)
+(expandtypeattribute (secure_element_device_29_0) true)
+(expandtypeattribute (secure_element_service_29_0) true)
+(expandtypeattribute (selinuxfs_29_0) true)
+(expandtypeattribute (sensor_privacy_service_29_0) true)
+(expandtypeattribute (sensors_device_29_0) true)
+(expandtypeattribute (sensorservice_service_29_0) true)
+(expandtypeattribute (sepolicy_file_29_0) true)
+(expandtypeattribute (serial_device_29_0) true)
+(expandtypeattribute (serialno_prop_29_0) true)
+(expandtypeattribute (serial_service_29_0) true)
+(expandtypeattribute (server_configurable_flags_data_file_29_0) true)
+(expandtypeattribute (service_contexts_file_29_0) true)
+(expandtypeattribute (servicediscovery_service_29_0) true)
+(expandtypeattribute (servicemanager_29_0) true)
+(expandtypeattribute (servicemanager_exec_29_0) true)
+(expandtypeattribute (settings_service_29_0) true)
+(expandtypeattribute (sgdisk_29_0) true)
+(expandtypeattribute (sgdisk_exec_29_0) true)
+(expandtypeattribute (shared_relro_29_0) true)
+(expandtypeattribute (shared_relro_file_29_0) true)
+(expandtypeattribute (shell_29_0) true)
+(expandtypeattribute (shell_data_file_29_0) true)
+(expandtypeattribute (shell_exec_29_0) true)
+(expandtypeattribute (shell_prop_29_0) true)
+(expandtypeattribute (shm_29_0) true)
+(expandtypeattribute (shortcut_manager_icons_29_0) true)
+(expandtypeattribute (shortcut_service_29_0) true)
+(expandtypeattribute (simpleperf_app_runner_29_0) true)
+(expandtypeattribute (simpleperf_app_runner_exec_29_0) true)
+(expandtypeattribute (slice_service_29_0) true)
+(expandtypeattribute (slideshow_29_0) true)
+(expandtypeattribute (socket_device_29_0) true)
+(expandtypeattribute (sockfs_29_0) true)
+(expandtypeattribute (staging_data_file_29_0) true)
+(expandtypeattribute (statsd_29_0) true)
+(expandtypeattribute (stats_data_file_29_0) true)
+(expandtypeattribute (statsd_exec_29_0) true)
+(expandtypeattribute (statsdw_socket_29_0) true)
+(expandtypeattribute (statusbar_service_29_0) true)
+(expandtypeattribute (storaged_service_29_0) true)
+(expandtypeattribute (storage_file_29_0) true)
+(expandtypeattribute (storagestats_service_29_0) true)
+(expandtypeattribute (storage_stub_file_29_0) true)
+(expandtypeattribute (su_29_0) true)
+(expandtypeattribute (su_exec_29_0) true)
+(expandtypeattribute (super_block_device_29_0) true)
+(expandtypeattribute (surfaceflinger_29_0) true)
+(expandtypeattribute (surfaceflinger_service_29_0) true)
+(expandtypeattribute (surfaceflinger_tmpfs_29_0) true)
+(expandtypeattribute (swap_block_device_29_0) true)
+(expandtypeattribute (sysfs_29_0) true)
+(expandtypeattribute (sysfs_android_usb_29_0) true)
+(expandtypeattribute (sysfs_batteryinfo_29_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_29_0) true)
+(expandtypeattribute (sysfs_devices_block_29_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_29_0) true)
+(expandtypeattribute (sysfs_dm_29_0) true)
+(expandtypeattribute (sysfs_dt_firmware_android_29_0) true)
+(expandtypeattribute (sysfs_extcon_29_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_29_0) true)
+(expandtypeattribute (sysfs_fs_f2fs_29_0) true)
+(expandtypeattribute (sysfs_hwrandom_29_0) true)
+(expandtypeattribute (sysfs_ipv4_29_0) true)
+(expandtypeattribute (sysfs_kernel_notes_29_0) true)
+(expandtypeattribute (sysfs_leds_29_0) true)
+(expandtypeattribute (sysfs_loop_29_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_29_0) true)
+(expandtypeattribute (sysfs_mac_address_29_0) true)
+(expandtypeattribute (sysfs_net_29_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_29_0) true)
+(expandtypeattribute (sysfs_power_29_0) true)
+(expandtypeattribute (sysfs_rtc_29_0) true)
+(expandtypeattribute (sysfs_switch_29_0) true)
+(expandtypeattribute (sysfs_thermal_29_0) true)
+(expandtypeattribute (sysfs_transparent_hugepage_29_0) true)
+(expandtypeattribute (sysfs_uio_29_0) true)
+(expandtypeattribute (sysfs_usb_29_0) true)
+(expandtypeattribute (sysfs_usermodehelper_29_0) true)
+(expandtypeattribute (sysfs_vibrator_29_0) true)
+(expandtypeattribute (sysfs_wake_lock_29_0) true)
+(expandtypeattribute (sysfs_wakeup_reasons_29_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_29_0) true)
+(expandtypeattribute (sysfs_zram_29_0) true)
+(expandtypeattribute (sysfs_zram_uevent_29_0) true)
+(expandtypeattribute (system_app_29_0) true)
+(expandtypeattribute (system_app_data_file_29_0) true)
+(expandtypeattribute (system_app_service_29_0) true)
+(expandtypeattribute (system_asan_options_file_29_0) true)
+(expandtypeattribute (system_block_device_29_0) true)
+(expandtypeattribute (system_boot_reason_prop_29_0) true)
+(expandtypeattribute (system_bootstrap_lib_file_29_0) true)
+(expandtypeattribute (system_data_file_29_0) true)
+(expandtypeattribute (system_event_log_tags_file_29_0) true)
+(expandtypeattribute (system_file_29_0) true)
+(expandtypeattribute (systemkeys_data_file_29_0) true)
+(expandtypeattribute (system_lib_file_29_0) true)
+(expandtypeattribute (system_linker_config_file_29_0) true)
+(expandtypeattribute (system_linker_exec_29_0) true)
+(expandtypeattribute (system_lmk_prop_29_0) true)
+(expandtypeattribute (system_ndebug_socket_29_0) true)
+(expandtypeattribute (system_net_netd_hwservice_29_0) true)
+(expandtypeattribute (system_prop_29_0) true)
+(expandtypeattribute (system_radio_prop_29_0) true)
+(expandtypeattribute (system_seccomp_policy_file_29_0) true)
+(expandtypeattribute (system_security_cacerts_file_29_0) true)
+(expandtypeattribute (system_server_29_0) true)
+(expandtypeattribute (system_server_tmpfs_29_0) true)
+(expandtypeattribute (system_suspend_control_service_29_0) true)
+(expandtypeattribute (system_suspend_hwservice_29_0) true)
+(expandtypeattribute (system_trace_prop_29_0) true)
+(expandtypeattribute (system_update_service_29_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_29_0) true)
+(expandtypeattribute (system_wpa_socket_29_0) true)
+(expandtypeattribute (system_zoneinfo_file_29_0) true)
+(expandtypeattribute (task_profiles_file_29_0) true)
+(expandtypeattribute (task_service_29_0) true)
+(expandtypeattribute (tcpdump_exec_29_0) true)
+(expandtypeattribute (tee_29_0) true)
+(expandtypeattribute (tee_data_file_29_0) true)
+(expandtypeattribute (tee_device_29_0) true)
+(expandtypeattribute (telecom_service_29_0) true)
+(expandtypeattribute (test_boot_reason_prop_29_0) true)
+(expandtypeattribute (test_harness_prop_29_0) true)
+(expandtypeattribute (testharness_service_29_0) true)
+(expandtypeattribute (textclassification_service_29_0) true)
+(expandtypeattribute (textclassifier_data_file_29_0) true)
+(expandtypeattribute (textservices_service_29_0) true)
+(expandtypeattribute (thermalcallback_hwservice_29_0) true)
+(expandtypeattribute (thermal_service_29_0) true)
+(expandtypeattribute (timedetector_service_29_0) true)
+(expandtypeattribute (time_prop_29_0) true)
+(expandtypeattribute (timezone_service_29_0) true)
+(expandtypeattribute (tmpfs_29_0) true)
+(expandtypeattribute (tombstoned_29_0) true)
+(expandtypeattribute (tombstone_data_file_29_0) true)
+(expandtypeattribute (tombstoned_crash_socket_29_0) true)
+(expandtypeattribute (tombstoned_exec_29_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_29_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_29_0) true)
+(expandtypeattribute (tombstone_wifi_data_file_29_0) true)
+(expandtypeattribute (toolbox_29_0) true)
+(expandtypeattribute (toolbox_exec_29_0) true)
+(expandtypeattribute (traced_29_0) true)
+(expandtypeattribute (trace_data_file_29_0) true)
+(expandtypeattribute (traced_consumer_socket_29_0) true)
+(expandtypeattribute (traced_enabled_prop_29_0) true)
+(expandtypeattribute (traced_lazy_prop_29_0) true)
+(expandtypeattribute (traced_probes_29_0) true)
+(expandtypeattribute (traced_producer_socket_29_0) true)
+(expandtypeattribute (traceur_app_29_0) true)
+(expandtypeattribute (trust_service_29_0) true)
+(expandtypeattribute (tty_device_29_0) true)
+(expandtypeattribute (tun_device_29_0) true)
+(expandtypeattribute (tv_input_service_29_0) true)
+(expandtypeattribute (tzdatacheck_29_0) true)
+(expandtypeattribute (tzdatacheck_exec_29_0) true)
+(expandtypeattribute (ueventd_29_0) true)
+(expandtypeattribute (ueventd_tmpfs_29_0) true)
+(expandtypeattribute (uhid_device_29_0) true)
+(expandtypeattribute (uimode_service_29_0) true)
+(expandtypeattribute (uio_device_29_0) true)
+(expandtypeattribute (uncrypt_29_0) true)
+(expandtypeattribute (uncrypt_exec_29_0) true)
+(expandtypeattribute (uncrypt_socket_29_0) true)
+(expandtypeattribute (unencrypted_data_file_29_0) true)
+(expandtypeattribute (unlabeled_29_0) true)
+(expandtypeattribute (untrusted_app_25_29_0) true)
+(expandtypeattribute (untrusted_app_27_29_0) true)
+(expandtypeattribute (untrusted_app_29_0) true)
+(expandtypeattribute (update_engine_29_0) true)
+(expandtypeattribute (update_engine_data_file_29_0) true)
+(expandtypeattribute (update_engine_exec_29_0) true)
+(expandtypeattribute (update_engine_log_data_file_29_0) true)
+(expandtypeattribute (update_engine_service_29_0) true)
+(expandtypeattribute (updatelock_service_29_0) true)
+(expandtypeattribute (update_verifier_29_0) true)
+(expandtypeattribute (update_verifier_exec_29_0) true)
+(expandtypeattribute (uri_grants_service_29_0) true)
+(expandtypeattribute (usagestats_service_29_0) true)
+(expandtypeattribute (usbaccessory_device_29_0) true)
+(expandtypeattribute (usbd_29_0) true)
+(expandtypeattribute (usb_device_29_0) true)
+(expandtypeattribute (usbd_exec_29_0) true)
+(expandtypeattribute (usbfs_29_0) true)
+(expandtypeattribute (usb_service_29_0) true)
+(expandtypeattribute (use_memfd_prop_29_0) true)
+(expandtypeattribute (userdata_block_device_29_0) true)
+(expandtypeattribute (usermodehelper_29_0) true)
+(expandtypeattribute (user_profile_data_file_29_0) true)
+(expandtypeattribute (user_service_29_0) true)
+(expandtypeattribute (vdc_29_0) true)
+(expandtypeattribute (vdc_exec_29_0) true)
+(expandtypeattribute (vendor_app_file_29_0) true)
+(expandtypeattribute (vendor_cgroup_desc_file_29_0) true)
+(expandtypeattribute (vendor_configs_file_29_0) true)
+(expandtypeattribute (vendor_data_file_29_0) true)
+(expandtypeattribute (vendor_default_prop_29_0) true)
+(expandtypeattribute (vendor_file_29_0) true)
+(expandtypeattribute (vendor_framework_file_29_0) true)
+(expandtypeattribute (vendor_hal_file_29_0) true)
+(expandtypeattribute (vendor_idc_file_29_0) true)
+(expandtypeattribute (vendor_init_29_0) true)
+(expandtypeattribute (vendor_keychars_file_29_0) true)
+(expandtypeattribute (vendor_keylayout_file_29_0) true)
+(expandtypeattribute (vendor_overlay_file_29_0) true)
+(expandtypeattribute (vendor_public_lib_file_29_0) true)
+(expandtypeattribute (vendor_security_patch_level_prop_29_0) true)
+(expandtypeattribute (vendor_shell_29_0) true)
+(expandtypeattribute (vendor_shell_exec_29_0) true)
+(expandtypeattribute (vendor_task_profiles_file_29_0) true)
+(expandtypeattribute (vendor_toolbox_exec_29_0) true)
+(expandtypeattribute (vfat_29_0) true)
+(expandtypeattribute (vibrator_service_29_0) true)
+(expandtypeattribute (video_device_29_0) true)
+(expandtypeattribute (virtual_touchpad_29_0) true)
+(expandtypeattribute (virtual_touchpad_exec_29_0) true)
+(expandtypeattribute (virtual_touchpad_service_29_0) true)
+(expandtypeattribute (vndbinder_device_29_0) true)
+(expandtypeattribute (vndk_sp_file_29_0) true)
+(expandtypeattribute (vndservice_contexts_file_29_0) true)
+(expandtypeattribute (vndservicemanager_29_0) true)
+(expandtypeattribute (voiceinteraction_service_29_0) true)
+(expandtypeattribute (vold_29_0) true)
+(expandtypeattribute (vold_data_file_29_0) true)
+(expandtypeattribute (vold_device_29_0) true)
+(expandtypeattribute (vold_exec_29_0) true)
+(expandtypeattribute (vold_metadata_file_29_0) true)
+(expandtypeattribute (vold_prepare_subdirs_29_0) true)
+(expandtypeattribute (vold_prepare_subdirs_exec_29_0) true)
+(expandtypeattribute (vold_prop_29_0) true)
+(expandtypeattribute (vold_service_29_0) true)
+(expandtypeattribute (vpn_data_file_29_0) true)
+(expandtypeattribute (vrflinger_vsync_service_29_0) true)
+(expandtypeattribute (vr_hwc_29_0) true)
+(expandtypeattribute (vr_hwc_exec_29_0) true)
+(expandtypeattribute (vr_hwc_service_29_0) true)
+(expandtypeattribute (vr_manager_service_29_0) true)
+(expandtypeattribute (wallpaper_file_29_0) true)
+(expandtypeattribute (wallpaper_service_29_0) true)
+(expandtypeattribute (watchdogd_29_0) true)
+(expandtypeattribute (watchdog_device_29_0) true)
+(expandtypeattribute (watchdogd_exec_29_0) true)
+(expandtypeattribute (webviewupdate_service_29_0) true)
+(expandtypeattribute (webview_zygote_29_0) true)
+(expandtypeattribute (webview_zygote_exec_29_0) true)
+(expandtypeattribute (webview_zygote_tmpfs_29_0) true)
+(expandtypeattribute (wifiaware_service_29_0) true)
+(expandtypeattribute (wificond_29_0) true)
+(expandtypeattribute (wificond_exec_29_0) true)
+(expandtypeattribute (wificond_service_29_0) true)
+(expandtypeattribute (wifi_data_file_29_0) true)
+(expandtypeattribute (wifi_log_prop_29_0) true)
+(expandtypeattribute (wifip2p_service_29_0) true)
+(expandtypeattribute (wifi_prop_29_0) true)
+(expandtypeattribute (wifiscanner_service_29_0) true)
+(expandtypeattribute (wifi_service_29_0) true)
+(expandtypeattribute (window_service_29_0) true)
+(expandtypeattribute (wpantund_29_0) true)
+(expandtypeattribute (wpantund_exec_29_0) true)
+(expandtypeattribute (wpantund_service_29_0) true)
+(expandtypeattribute (wpa_socket_29_0) true)
+(expandtypeattribute (zero_device_29_0) true)
+(expandtypeattribute (zoneinfo_data_file_29_0) true)
+(expandtypeattribute (zygote_29_0) true)
+(expandtypeattribute (zygote_exec_29_0) true)
+(expandtypeattribute (zygote_socket_29_0) true)
+(expandtypeattribute (zygote_tmpfs_29_0) true)
+(typeattributeset accessibility_service_29_0 (accessibility_service))
+(typeattributeset account_service_29_0 (account_service))
+(typeattributeset activity_service_29_0 (activity_service))
+(typeattributeset activity_task_service_29_0 (activity_task_service))
+(typeattributeset adbd_29_0 (adbd))
+(typeattributeset adb_data_file_29_0 (adb_data_file))
+(typeattributeset adbd_exec_29_0 (adbd_exec))
+(typeattributeset adbd_socket_29_0 (adbd_socket))
+(typeattributeset adb_keys_file_29_0 (adb_keys_file))
+(typeattributeset adb_service_29_0 (adb_service))
+(typeattributeset alarm_service_29_0 (alarm_service))
+(typeattributeset anr_data_file_29_0 (anr_data_file))
+(typeattributeset apexd_29_0 (apexd))
+(typeattributeset apex_data_file_29_0 (apex_data_file))
+(typeattributeset apexd_exec_29_0 (apexd_exec))
+(typeattributeset apexd_prop_29_0 (apexd_prop))
+(typeattributeset apex_metadata_file_29_0 (apex_metadata_file))
+(typeattributeset apex_mnt_dir_29_0 (apex_mnt_dir))
+(typeattributeset apex_service_29_0 (apex_service))
+(typeattributeset apk_data_file_29_0 (apk_data_file))
+(typeattributeset apk_private_data_file_29_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_29_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_29_0 (apk_tmp_file))
+(typeattributeset app_binding_service_29_0 (app_binding_service))
+(typeattributeset app_data_file_29_0 (app_data_file))
+(typeattributeset appdomain_tmpfs_29_0 (appdomain_tmpfs))
+(typeattributeset app_fuse_file_29_0 (app_fuse_file))
+(typeattributeset app_fusefs_29_0 (app_fusefs))
+(typeattributeset appops_service_29_0 (appops_service))
+(typeattributeset app_prediction_service_29_0 (app_prediction_service))
+(typeattributeset appwidget_service_29_0 (appwidget_service))
+(typeattributeset app_zygote_29_0 (app_zygote))
+(typeattributeset app_zygote_tmpfs_29_0 (app_zygote_tmpfs))
+(typeattributeset asec_apk_file_29_0 (asec_apk_file))
+(typeattributeset asec_image_file_29_0 (asec_image_file))
+(typeattributeset asec_public_file_29_0 (asec_public_file))
+(typeattributeset ashmemd_29_0 (ashmemd))
+(typeattributeset ashmem_device_29_0 (ashmem_device))
+(typeattributeset assetatlas_service_29_0 (assetatlas_service))
+(typeattributeset audio_data_file_29_0 (audio_data_file))
+(typeattributeset audio_device_29_0 (audio_device))
+(typeattributeset audiohal_data_file_29_0 (audiohal_data_file))
+(typeattributeset audio_prop_29_0 (audio_prop))
+(typeattributeset audioserver_29_0 (audioserver))
+(typeattributeset audioserver_data_file_29_0 (audioserver_data_file))
+(typeattributeset audioserver_service_29_0 (audioserver_service))
+(typeattributeset audioserver_tmpfs_29_0 (audioserver_tmpfs))
+(typeattributeset audio_service_29_0 (audio_service))
+(typeattributeset autofill_service_29_0 (autofill_service))
+(typeattributeset backup_data_file_29_0 (backup_data_file))
+(typeattributeset backup_service_29_0 (backup_service))
+(typeattributeset batteryproperties_service_29_0 (batteryproperties_service))
+(typeattributeset battery_service_29_0 (battery_service))
+(typeattributeset batterystats_service_29_0 (batterystats_service))
+(typeattributeset binder_calls_stats_service_29_0 (binder_calls_stats_service))
+(typeattributeset binder_device_29_0 (binder_device))
+(typeattributeset binfmt_miscfs_29_0 (binfmt_miscfs))
+(typeattributeset biometric_service_29_0 (biometric_service))
+(typeattributeset blkid_29_0 (blkid))
+(typeattributeset blkid_untrusted_29_0 (blkid_untrusted))
+(typeattributeset block_device_29_0 (block_device))
+(typeattributeset bluetooth_29_0 (bluetooth))
+(typeattributeset bluetooth_a2dp_offload_prop_29_0 (bluetooth_a2dp_offload_prop))
+(typeattributeset bluetooth_audio_hal_prop_29_0 (bluetooth_audio_hal_prop))
+(typeattributeset bluetooth_data_file_29_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_29_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_29_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_29_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_29_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_29_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_29_0 (bluetooth_socket))
+(typeattributeset bootanim_29_0 (bootanim))
+(typeattributeset bootanim_exec_29_0 (bootanim_exec))
+(typeattributeset boot_block_device_29_0 (boot_block_device))
+(typeattributeset bootchart_data_file_29_0 (bootchart_data_file))
+(typeattributeset bootloader_boot_reason_prop_29_0 (bootloader_boot_reason_prop))
+(typeattributeset bootstat_29_0 (bootstat))
+(typeattributeset bootstat_data_file_29_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_29_0 (bootstat_exec))
+(typeattributeset boottime_prop_29_0 (boottime_prop))
+(typeattributeset boottrace_data_file_29_0 (boottrace_data_file))
+(typeattributeset bpf_progs_loaded_prop_29_0 (bpf_progs_loaded_prop))
+(typeattributeset broadcastradio_service_29_0 (broadcastradio_service))
+(typeattributeset bufferhubd_29_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_29_0 (bufferhubd_exec))
+(typeattributeset bugreport_service_29_0 (bugreport_service))
+(typeattributeset cache_backup_file_29_0 (cache_backup_file))
+(typeattributeset cache_block_device_29_0 (cache_block_device))
+(typeattributeset cache_file_29_0 (cache_file))
+(typeattributeset cache_private_backup_file_29_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_29_0 (cache_recovery_file))
+(typeattributeset camera_data_file_29_0 (camera_data_file))
+(typeattributeset camera_device_29_0 (camera_device))
+(typeattributeset cameraproxy_service_29_0 (cameraproxy_service))
+(typeattributeset cameraserver_29_0 (cameraserver))
+(typeattributeset cameraserver_exec_29_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_29_0 (cameraserver_service))
+(typeattributeset cameraserver_tmpfs_29_0 (cameraserver_tmpfs))
+(typeattributeset cgroup_29_0 (cgroup))
+(typeattributeset cgroup_bpf_29_0 (cgroup_bpf))
+(typeattributeset cgroup_desc_file_29_0 (cgroup_desc_file))
+(typeattributeset cgroup_rc_file_29_0 (cgroup_rc_file))
+(typeattributeset charger_29_0 (charger))
+(typeattributeset charger_exec_29_0 (charger_exec))
+(typeattributeset clatd_29_0 (clatd))
+(typeattributeset clatd_exec_29_0 (clatd_exec))
+(typeattributeset clipboard_service_29_0 (clipboard_service))
+(typeattributeset color_display_service_29_0 (color_display_service))
+(typeattributeset companion_device_service_29_0 (companion_device_service))
+(typeattributeset configfs_29_0 (configfs))
+(typeattributeset config_prop_29_0 (config_prop))
+(typeattributeset connectivity_service_29_0 (connectivity_service))
+(typeattributeset connmetrics_service_29_0 (connmetrics_service))
+(typeattributeset console_device_29_0 (console_device))
+(typeattributeset consumer_ir_service_29_0 (consumer_ir_service))
+(typeattributeset content_capture_service_29_0 (content_capture_service))
+(typeattributeset content_service_29_0 (content_service))
+(typeattributeset content_suggestions_service_29_0 (content_suggestions_service))
+(typeattributeset contexthub_service_29_0 (contexthub_service))
+(typeattributeset coredump_file_29_0 (coredump_file))
+(typeattributeset country_detector_service_29_0 (country_detector_service))
+(typeattributeset coverage_service_29_0 (coverage_service))
+(typeattributeset cppreopt_prop_29_0 (cppreopt_prop))
+(typeattributeset cpuinfo_service_29_0 (cpuinfo_service))
+(typeattributeset cpu_variant_prop_29_0 (cpu_variant_prop))
+(typeattributeset crash_dump_29_0 (crash_dump))
+(typeattributeset crash_dump_exec_29_0 (crash_dump_exec))
+(typeattributeset crossprofileapps_service_29_0 (crossprofileapps_service))
+(typeattributeset ctl_adbd_prop_29_0 (ctl_adbd_prop))
+(typeattributeset ctl_bootanim_prop_29_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_29_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_29_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_29_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_29_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_29_0 (ctl_fuse_prop))
+(typeattributeset ctl_gsid_prop_29_0 (ctl_gsid_prop))
+(typeattributeset ctl_interface_restart_prop_29_0 (ctl_interface_restart_prop))
+(typeattributeset ctl_interface_start_prop_29_0 (ctl_interface_start_prop))
+(typeattributeset ctl_interface_stop_prop_29_0 (ctl_interface_stop_prop))
+(typeattributeset ctl_mdnsd_prop_29_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_restart_prop_29_0 (ctl_restart_prop))
+(typeattributeset ctl_rildaemon_prop_29_0 (ctl_rildaemon_prop))
+(typeattributeset ctl_sigstop_prop_29_0 (ctl_sigstop_prop))
+(typeattributeset ctl_start_prop_29_0 (ctl_start_prop))
+(typeattributeset ctl_stop_prop_29_0 (ctl_stop_prop))
+(typeattributeset dalvikcache_data_file_29_0 (dalvikcache_data_file))
+(typeattributeset dalvik_prop_29_0 (dalvik_prop))
+(typeattributeset dbinfo_service_29_0 (dbinfo_service))
+(typeattributeset debugfs_29_0 (debugfs))
+(typeattributeset debugfs_mmc_29_0 (debugfs_mmc))
+(typeattributeset debugfs_trace_marker_29_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_29_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_29_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_instances_29_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_wakeup_sources_29_0 (debugfs_wakeup_sources))
+(typeattributeset debugfs_wifi_tracing_29_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_29_0 (debuggerd_prop))
+(typeattributeset debug_prop_29_0 (debug_prop))
+(typeattributeset default_android_hwservice_29_0 (default_android_hwservice))
+(typeattributeset default_android_service_29_0 (default_android_service))
+(typeattributeset default_android_vndservice_29_0 (default_android_vndservice))
+(typeattributeset default_prop_29_0 (default_prop apk_verity_prop))
+(typeattributeset dev_cpu_variant_29_0 (dev_cpu_variant))
+(typeattributeset device_29_0 (device))
+(typeattributeset device_config_activity_manager_native_boot_prop_29_0 (device_config_activity_manager_native_boot_prop))
+(typeattributeset device_config_boot_count_prop_29_0 (device_config_boot_count_prop))
+(typeattributeset device_config_input_native_boot_prop_29_0 (device_config_input_native_boot_prop))
+(typeattributeset device_config_media_native_prop_29_0 (device_config_media_native_prop))
+(typeattributeset device_config_netd_native_prop_29_0 (device_config_netd_native_prop))
+(typeattributeset device_config_reset_performed_prop_29_0 (device_config_reset_performed_prop))
+(typeattributeset device_config_runtime_native_boot_prop_29_0 (device_config_runtime_native_boot_prop))
+(typeattributeset device_config_runtime_native_prop_29_0 (device_config_runtime_native_prop))
+(typeattributeset device_config_service_29_0 (device_config_service))
+(typeattributeset device_identifiers_service_29_0 (device_identifiers_service))
+(typeattributeset deviceidle_service_29_0 (deviceidle_service))
+(typeattributeset device_logging_prop_29_0 (device_logging_prop))
+(typeattributeset device_policy_service_29_0 (device_policy_service))
+(typeattributeset devicestoragemonitor_service_29_0 (devicestoragemonitor_service))
+(typeattributeset devpts_29_0 (devpts))
+(typeattributeset dhcp_29_0 (dhcp))
+(typeattributeset dhcp_data_file_29_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_29_0 (dhcp_exec))
+(typeattributeset dhcp_prop_29_0 (dhcp_prop))
+(typeattributeset diskstats_service_29_0 (diskstats_service))
+(typeattributeset display_service_29_0 (display_service))
+(typeattributeset dm_device_29_0 (dm_device))
+(typeattributeset dnsmasq_29_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_29_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_29_0 (dnsproxyd_socket))
+(typeattributeset dnsresolver_service_29_0 (dnsresolver_service))
+(typeattributeset DockObserver_service_29_0 (DockObserver_service))
+(typeattributeset dreams_service_29_0 (dreams_service))
+(typeattributeset drm_data_file_29_0 (drm_data_file))
+(typeattributeset drmserver_29_0 (drmserver))
+(typeattributeset drmserver_exec_29_0 (drmserver_exec))
+(typeattributeset drmserver_service_29_0 (drmserver_service))
+(typeattributeset drmserver_socket_29_0 (drmserver_socket))
+(typeattributeset dropbox_data_file_29_0 (dropbox_data_file))
+(typeattributeset dropbox_service_29_0 (dropbox_service))
+(typeattributeset dumpstate_29_0 (dumpstate))
+(typeattributeset dumpstate_exec_29_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_29_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_29_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_29_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_29_0 (dumpstate_socket))
+(typeattributeset dynamic_system_prop_29_0 (dynamic_system_prop))
+(typeattributeset e2fs_29_0 (e2fs))
+(typeattributeset e2fs_exec_29_0 (e2fs_exec))
+(typeattributeset efs_file_29_0 (efs_file))
+(typeattributeset ephemeral_app_29_0 (ephemeral_app))
+(typeattributeset ethernet_service_29_0 (ethernet_service))
+(typeattributeset exfat_29_0 (exfat))
+(typeattributeset exported2_config_prop_29_0 (exported2_config_prop systemsound_config_prop))
+(typeattributeset exported2_default_prop_29_0 (exported2_default_prop))
+(typeattributeset exported2_radio_prop_29_0 (exported2_radio_prop))
+(typeattributeset exported2_system_prop_29_0
+ ( exported2_system_prop
+ surfaceflinger_color_prop))
+(typeattributeset exported2_vold_prop_29_0
+ ( exported2_vold_prop
+ vold_config_prop
+ vold_post_fs_data_prop))
+(typeattributeset exported3_default_prop_29_0 (exported3_default_prop lmkd_config_prop))
+(typeattributeset exported3_radio_prop_29_0 (exported3_radio_prop))
+(typeattributeset exported3_system_prop_29_0 (exported3_system_prop boot_status_prop))
+(typeattributeset exported_audio_prop_29_0 (exported_audio_prop audio_config_prop))
+(typeattributeset exported_bluetooth_prop_29_0 (exported_bluetooth_prop))
+(typeattributeset exported_config_prop_29_0 (exported_config_prop))
+(typeattributeset exported_dalvik_prop_29_0 (exported_dalvik_prop dalvik_config_prop))
+(typeattributeset exported_default_prop_29_0
+ ( exported_default_prop
+ surfaceflinger_prop
+ vndk_prop))
+(typeattributeset exported_dumpstate_prop_29_0 (exported_dumpstate_prop))
+(typeattributeset exported_ffs_prop_29_0 (exported_ffs_prop))
+(typeattributeset exported_fingerprint_prop_29_0 (exported_fingerprint_prop))
+(typeattributeset exported_overlay_prop_29_0 (exported_overlay_prop))
+(typeattributeset exported_pm_prop_29_0 (exported_pm_prop))
+(typeattributeset exported_radio_prop_29_0 (exported_radio_prop))
+(typeattributeset exported_secure_prop_29_0 (exported_secure_prop))
+(typeattributeset exported_system_prop_29_0 (exported_system_prop))
+(typeattributeset exported_system_radio_prop_29_0 (exported_system_radio_prop))
+(typeattributeset exported_vold_prop_29_0 (exported_vold_prop vold_status_prop))
+(typeattributeset exported_wifi_prop_29_0 (exported_wifi_prop))
+(typeattributeset external_vibrator_service_29_0 (external_vibrator_service))
+(typeattributeset face_service_29_0 (face_service))
+(typeattributeset face_vendor_data_file_29_0 (face_vendor_data_file))
+(typeattributeset fastbootd_29_0 (fastbootd))
+(typeattributeset ffs_prop_29_0 (ffs_prop))
+(typeattributeset file_contexts_file_29_0 (file_contexts_file))
+(typeattributeset fingerprintd_29_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_29_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_29_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_29_0 (fingerprintd_service))
+(typeattributeset fingerprint_prop_29_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_29_0 (fingerprint_service))
+(typeattributeset fingerprint_vendor_data_file_29_0 (fingerprint_vendor_data_file))
+(typeattributeset firstboot_prop_29_0 (firstboot_prop))
+(typeattributeset flags_health_check_29_0 (flags_health_check))
+(typeattributeset flags_health_check_exec_29_0 (flags_health_check_exec))
+(typeattributeset font_service_29_0 (font_service))
+(typeattributeset frp_block_device_29_0 (frp_block_device))
+(typeattributeset fs_bpf_29_0 (fs_bpf))
+(typeattributeset fsck_29_0 (fsck))
+(typeattributeset fsck_exec_29_0 (fsck_exec))
+(typeattributeset fscklogs_29_0 (fscklogs))
+(typeattributeset fsck_untrusted_29_0 (fsck_untrusted))
+(typeattributeset functionfs_29_0 (functionfs))
+(typeattributeset fuse_29_0 (fuse))
+(typeattributeset fuse_device_29_0 (fuse_device))
+(typeattributeset fwk_bufferhub_hwservice_29_0 (fwk_bufferhub_hwservice))
+(typeattributeset fwk_camera_hwservice_29_0 (fwk_camera_hwservice))
+(typeattributeset fwk_display_hwservice_29_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_29_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_29_0 (fwk_sensor_hwservice))
+(typeattributeset fwk_stats_hwservice_29_0 (fwk_stats_hwservice))
+(typeattributeset fwmarkd_socket_29_0 (fwmarkd_socket))
+(typeattributeset gatekeeperd_29_0 (gatekeeperd))
+(typeattributeset gatekeeper_data_file_29_0 (gatekeeper_data_file))
+(typeattributeset gatekeeperd_exec_29_0 (gatekeeperd_exec))
+(typeattributeset gatekeeper_service_29_0 (gatekeeper_service))
+(typeattributeset gfxinfo_service_29_0 (gfxinfo_service))
+(typeattributeset gps_control_29_0 (gps_control))
+(typeattributeset gpu_device_29_0 (gpu_device))
+(typeattributeset gpu_service_29_0 (gpu_service))
+(typeattributeset gpuservice_29_0 (gpuservice))
+(typeattributeset graphics_device_29_0 (graphics_device))
+(typeattributeset graphicsstats_service_29_0 (graphicsstats_service))
+(typeattributeset gsi_data_file_29_0 (gsi_data_file))
+(typeattributeset gsid_prop_29_0 (gsid_prop))
+(typeattributeset gsi_metadata_file_29_0 (gsi_metadata_file))
+(typeattributeset hal_atrace_hwservice_29_0 (hal_atrace_hwservice))
+(typeattributeset hal_audiocontrol_hwservice_29_0 (hal_audiocontrol_hwservice))
+(typeattributeset hal_audio_hwservice_29_0 (hal_audio_hwservice))
+(typeattributeset hal_authsecret_hwservice_29_0 (hal_authsecret_hwservice))
+(typeattributeset hal_bluetooth_hwservice_29_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_29_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_29_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_29_0 (hal_camera_hwservice))
+(typeattributeset hal_cas_hwservice_29_0 (hal_cas_hwservice))
+(typeattributeset hal_codec2_hwservice_29_0 (hal_codec2_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_29_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_confirmationui_hwservice_29_0 (hal_confirmationui_hwservice))
+(typeattributeset hal_contexthub_hwservice_29_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_29_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_hwservice_29_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_evs_hwservice_29_0 (hal_evs_hwservice))
+(typeattributeset hal_face_hwservice_29_0 (hal_face_hwservice))
+(typeattributeset hal_fingerprint_hwservice_29_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_29_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_29_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_29_0 (hal_gnss_hwservice))
+(typeattributeset hal_graphics_allocator_hwservice_29_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_29_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_composer_server_tmpfs_29_0 (hal_graphics_composer_server_tmpfs))
+(typeattributeset hal_graphics_mapper_hwservice_29_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_29_0 (hal_health_hwservice))
+(typeattributeset hal_health_storage_hwservice_29_0 (hal_health_storage_hwservice))
+(typeattributeset hal_input_classifier_hwservice_29_0 (hal_input_classifier_hwservice))
+(typeattributeset hal_ir_hwservice_29_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_29_0 (hal_keymaster_hwservice))
+(typeattributeset hal_light_hwservice_29_0 (hal_light_hwservice))
+(typeattributeset hal_lowpan_hwservice_29_0 (hal_lowpan_hwservice))
+(typeattributeset hal_memtrack_hwservice_29_0 (hal_memtrack_hwservice))
+(typeattributeset hal_neuralnetworks_hwservice_29_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_nfc_hwservice_29_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_29_0 (hal_oemlock_hwservice))
+(typeattributeset hal_omx_hwservice_29_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_29_0 (hal_power_hwservice))
+(typeattributeset hal_power_stats_hwservice_29_0 (hal_power_stats_hwservice))
+(typeattributeset hal_renderscript_hwservice_29_0 (hal_renderscript_hwservice))
+(typeattributeset hal_secure_element_hwservice_29_0 (hal_secure_element_hwservice))
+(typeattributeset hal_sensors_hwservice_29_0 (hal_sensors_hwservice))
+(typeattributeset hal_telephony_hwservice_29_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_29_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_29_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_29_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_29_0 (hal_tv_input_hwservice))
+(typeattributeset hal_usb_gadget_hwservice_29_0 (hal_usb_gadget_hwservice))
+(typeattributeset hal_usb_hwservice_29_0 (hal_usb_hwservice))
+(typeattributeset hal_vehicle_hwservice_29_0 (hal_vehicle_hwservice))
+(typeattributeset hal_vibrator_hwservice_29_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vr_hwservice_29_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_29_0 (hal_weaver_hwservice))
+(typeattributeset hal_wifi_hostapd_hwservice_29_0 (hal_wifi_hostapd_hwservice))
+(typeattributeset hal_wifi_hwservice_29_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_offload_hwservice_29_0 (hal_wifi_offload_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_29_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_29_0 (hardware_properties_service))
+(typeattributeset hardware_service_29_0 (hardware_service))
+(typeattributeset hci_attach_dev_29_0 (hci_attach_dev))
+(typeattributeset hdmi_control_service_29_0 (hdmi_control_service))
+(typeattributeset healthd_29_0 (healthd))
+(typeattributeset healthd_exec_29_0 (healthd_exec))
+(typeattributeset heapdump_data_file_29_0 (heapdump_data_file))
+(typeattributeset heapprofd_29_0 (heapprofd))
+(typeattributeset heapprofd_enabled_prop_29_0 (heapprofd_enabled_prop))
+(typeattributeset heapprofd_prop_29_0 (heapprofd_prop))
+(typeattributeset heapprofd_socket_29_0 (heapprofd_socket))
+(typeattributeset hidl_allocator_hwservice_29_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_29_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_29_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_29_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_29_0 (hidl_token_hwservice))
+(typeattributeset hwbinder_device_29_0 (hwbinder_device))
+(typeattributeset hw_random_device_29_0 (hw_random_device))
+(typeattributeset hwservice_contexts_file_29_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_29_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_29_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_29_0 (hwservicemanager_prop))
+(typeattributeset icon_file_29_0 (icon_file))
+(typeattributeset idmap_29_0 (idmap))
+(typeattributeset idmap_exec_29_0 (idmap_exec))
+(typeattributeset idmap_service_29_0 (idmap_service))
+(typeattributeset iio_device_29_0 (iio_device))
+(typeattributeset imms_service_29_0 (imms_service))
+(typeattributeset incident_29_0 (incident))
+(typeattributeset incidentd_29_0 (incidentd))
+(typeattributeset incident_data_file_29_0 (incident_data_file))
+(typeattributeset incident_helper_29_0 (incident_helper))
+(typeattributeset incident_service_29_0 (incident_service))
+(typeattributeset init_29_0 (init))
+(typeattributeset init_exec_29_0 (init_exec))
+(typeattributeset init_tmpfs_29_0 (init_tmpfs))
+(typeattributeset inotify_29_0 (inotify))
+(typeattributeset input_device_29_0 (input_device))
+(typeattributeset inputflinger_29_0 (inputflinger))
+(typeattributeset inputflinger_exec_29_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_29_0 (inputflinger_service))
+(typeattributeset input_method_service_29_0 (input_method_service))
+(typeattributeset input_service_29_0 (input_service))
+(typeattributeset installd_29_0 (installd))
+(typeattributeset install_data_file_29_0 (install_data_file))
+(typeattributeset installd_exec_29_0 (installd_exec))
+(typeattributeset installd_service_29_0 (installd_service))
+(typeattributeset install_recovery_29_0 (install_recovery))
+(typeattributeset install_recovery_exec_29_0 (install_recovery_exec))
+(typeattributeset ion_device_29_0 (ion_device))
+(typeattributeset iorapd_29_0 (iorapd))
+(typeattributeset iorapd_data_file_29_0 (iorapd_data_file))
+(typeattributeset iorapd_exec_29_0 (iorapd_exec))
+(typeattributeset iorapd_service_29_0 (iorapd_service))
+(typeattributeset iorapd_tmpfs_29_0 (iorapd_tmpfs))
+(typeattributeset IProxyService_service_29_0 (IProxyService_service))
+(typeattributeset ipsec_service_29_0 (ipsec_service))
+(typeattributeset iris_service_29_0 (iris_service))
+(typeattributeset iris_vendor_data_file_29_0 (iris_vendor_data_file))
+(typeattributeset isolated_app_29_0 (isolated_app))
+(typeattributeset jobscheduler_service_29_0 (jobscheduler_service))
+(typeattributeset kernel_29_0 (kernel))
+(typeattributeset keychain_data_file_29_0 (keychain_data_file))
+(typeattributeset keychord_device_29_0 (keychord_device))
+(typeattributeset keystore_29_0 (keystore))
+(typeattributeset keystore_data_file_29_0 (keystore_data_file))
+(typeattributeset keystore_exec_29_0 (keystore_exec))
+(typeattributeset keystore_service_29_0 (keystore_service))
+(typeattributeset kmsg_debug_device_29_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_29_0 (kmsg_device))
+(typeattributeset labeledfs_29_0 (labeledfs))
+(typeattributeset last_boot_reason_prop_29_0 (last_boot_reason_prop))
+(typeattributeset launcherapps_service_29_0 (launcherapps_service))
+(typeattributeset llkd_29_0 (llkd))
+(typeattributeset llkd_exec_29_0 (llkd_exec))
+(typeattributeset llkd_prop_29_0 (llkd_prop))
+(typeattributeset lmkd_29_0 (lmkd))
+(typeattributeset lmkd_exec_29_0 (lmkd_exec))
+(typeattributeset lmkd_socket_29_0 (lmkd_socket))
+(typeattributeset location_service_29_0 (location_service))
+(typeattributeset lock_settings_service_29_0 (lock_settings_service))
+(typeattributeset logcat_exec_29_0 (logcat_exec))
+(typeattributeset logd_29_0 (logd))
+(typeattributeset logd_exec_29_0 (logd_exec))
+(typeattributeset logd_prop_29_0 (logd_prop))
+(typeattributeset logdr_socket_29_0 (logdr_socket))
+(typeattributeset logd_socket_29_0 (logd_socket))
+(typeattributeset logdw_socket_29_0 (logdw_socket))
+(typeattributeset logpersist_29_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_29_0 (logpersistd_logging_prop))
+(typeattributeset log_prop_29_0 (log_prop))
+(typeattributeset log_tag_prop_29_0 (log_tag_prop))
+(typeattributeset loop_control_device_29_0 (loop_control_device))
+(typeattributeset loop_device_29_0 (loop_device))
+(typeattributeset looper_stats_service_29_0 (looper_stats_service))
+(typeattributeset lowpan_device_29_0 (lowpan_device))
+(typeattributeset lowpan_prop_29_0 (lowpan_prop))
+(typeattributeset lowpan_service_29_0 (lowpan_service))
+(typeattributeset lpdumpd_prop_29_0 (lpdumpd_prop))
+(typeattributeset lpdump_service_29_0 (lpdump_service))
+(typeattributeset mac_perms_file_29_0 (mac_perms_file))
+(typeattributeset mdnsd_29_0 (mdnsd))
+(typeattributeset mdnsd_socket_29_0 (mdnsd_socket))
+(typeattributeset mdns_socket_29_0 (mdns_socket))
+(typeattributeset mediacodec_service_29_0 (mediacodec_service))
+(typeattributeset media_data_file_29_0 (media_data_file))
+(typeattributeset mediadrmserver_29_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_29_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_29_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_29_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_29_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_29_0 (mediaextractor_service))
+(typeattributeset mediaextractor_tmpfs_29_0 (mediaextractor_tmpfs))
+(typeattributeset mediametrics_29_0 (mediametrics))
+(typeattributeset mediametrics_exec_29_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_29_0 (mediametrics_service))
+(typeattributeset media_projection_service_29_0 (media_projection_service))
+(typeattributeset mediaprovider_29_0 (mediaprovider))
+(typeattributeset media_router_service_29_0 (media_router_service))
+(typeattributeset media_rw_data_file_29_0 (media_rw_data_file))
+(typeattributeset mediaserver_29_0 (mediaserver))
+(typeattributeset mediaserver_exec_29_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_29_0 (mediaserver_service))
+(typeattributeset mediaserver_tmpfs_29_0 (mediaserver_tmpfs))
+(typeattributeset media_session_service_29_0 (media_session_service))
+(typeattributeset mediaswcodec_29_0 (mediaswcodec))
+(typeattributeset mediaswcodec_exec_29_0 (mediaswcodec_exec))
+(typeattributeset meminfo_service_29_0 (meminfo_service))
+(typeattributeset metadata_block_device_29_0 (metadata_block_device))
+(typeattributeset metadata_file_29_0 (metadata_file))
+(typeattributeset method_trace_data_file_29_0 (method_trace_data_file))
+(typeattributeset midi_service_29_0 (midi_service))
+(typeattributeset misc_block_device_29_0 (misc_block_device))
+(typeattributeset misc_logd_file_29_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_29_0 (misc_user_data_file))
+(typeattributeset mmc_prop_29_0 (mmc_prop))
+(typeattributeset mnt_expand_file_29_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_29_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_29_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_product_file_29_0 (mnt_product_file))
+(typeattributeset mnt_user_file_29_0 (mnt_user_file))
+(typeattributeset mnt_vendor_file_29_0 (mnt_vendor_file))
+(typeattributeset modprobe_29_0 (modprobe))
+(typeattributeset mount_service_29_0 (mount_service))
+(typeattributeset mqueue_29_0 (mqueue))
+(typeattributeset mtp_29_0 (mtp))
+(typeattributeset mtp_device_29_0 (mtp_device))
+(typeattributeset mtpd_socket_29_0 (mtpd_socket))
+(typeattributeset mtp_exec_29_0 (mtp_exec))
+(typeattributeset nativetest_data_file_29_0 (nativetest_data_file))
+(typeattributeset netd_29_0 (netd))
+(typeattributeset net_data_file_29_0 (net_data_file))
+(typeattributeset netd_exec_29_0 (netd_exec))
+(typeattributeset netd_listener_service_29_0 (netd_listener_service))
+(typeattributeset net_dns_prop_29_0 (net_dns_prop))
+(typeattributeset netd_service_29_0 (netd_service))
+(typeattributeset netd_stable_secret_prop_29_0 (netd_stable_secret_prop))
+(typeattributeset netif_29_0 (netif))
+(typeattributeset netpolicy_service_29_0 (netpolicy_service))
+(typeattributeset net_radio_prop_29_0 (net_radio_prop))
+(typeattributeset netstats_service_29_0 (netstats_service))
+(typeattributeset netutils_wrapper_29_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_29_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_29_0 (network_management_service))
+(typeattributeset network_score_service_29_0 (network_score_service))
+(typeattributeset network_stack_29_0 (network_stack))
+(typeattributeset network_stack_service_29_0 (network_stack_service))
+(typeattributeset network_time_update_service_29_0 (network_time_update_service))
+(typeattributeset network_watchlist_data_file_29_0 (network_watchlist_data_file))
+(typeattributeset network_watchlist_service_29_0 (network_watchlist_service))
+(typeattributeset nfc_29_0 (nfc))
+(typeattributeset nfc_data_file_29_0 (nfc_data_file))
+(typeattributeset nfc_device_29_0 (nfc_device))
+(typeattributeset nfc_prop_29_0 (nfc_prop))
+(typeattributeset nfc_service_29_0 (nfc_service))
+(typeattributeset nnapi_ext_deny_product_prop_29_0 (nnapi_ext_deny_product_prop))
+(typeattributeset node_29_0 (node))
+(typeattributeset nonplat_service_contexts_file_29_0 (nonplat_service_contexts_file))
+(typeattributeset notification_service_29_0 (notification_service))
+(typeattributeset null_device_29_0 (null_device))
+(typeattributeset oemfs_29_0 (oemfs))
+(typeattributeset oem_lock_service_29_0 (oem_lock_service))
+(typeattributeset ota_data_file_29_0 (ota_data_file))
+(typeattributeset otadexopt_service_29_0 (otadexopt_service))
+(typeattributeset ota_package_file_29_0 (ota_package_file))
+(typeattributeset overlayfs_file_29_0 (overlayfs_file))
+(typeattributeset overlay_prop_29_0 (overlay_prop))
+(typeattributeset overlay_service_29_0 (overlay_service))
+(typeattributeset owntty_device_29_0 (owntty_device))
+(typeattributeset package_native_service_29_0 (package_native_service))
+(typeattributeset package_service_29_0 (package_service))
+(typeattributeset packages_list_file_29_0 (packages_list_file))
+(typeattributeset pan_result_prop_29_0 (pan_result_prop))
+(typeattributeset password_slot_metadata_file_29_0 (password_slot_metadata_file))
+(typeattributeset pdx_bufferhub_client_channel_socket_29_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_29_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_29_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_29_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_29_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_29_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_29_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_29_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_29_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_29_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_29_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_29_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_29_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_29_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_29_0 (pdx_performance_dir))
+(typeattributeset perfetto_29_0 (perfetto))
+(typeattributeset performanced_29_0 (performanced))
+(typeattributeset performanced_exec_29_0 (performanced_exec))
+(typeattributeset permissionmgr_service_29_0 (permissionmgr_service))
+(typeattributeset permission_service_29_0 (permission_service))
+(typeattributeset persist_debug_prop_29_0 (persist_debug_prop))
+(typeattributeset persistent_data_block_service_29_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_29_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_29_0 (pinner_service))
+(typeattributeset pipefs_29_0 (pipefs))
+(typeattributeset platform_app_29_0 (platform_app))
+(typeattributeset pm_prop_29_0 (pm_prop))
+(typeattributeset pmsg_device_29_0 (pmsg_device))
+(typeattributeset port_29_0 (port))
+(typeattributeset port_device_29_0 (port_device))
+(typeattributeset postinstall_29_0 (postinstall))
+(typeattributeset postinstall_apex_mnt_dir_29_0 (postinstall_apex_mnt_dir))
+(typeattributeset postinstall_file_29_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_29_0 (postinstall_mnt_dir))
+(typeattributeset powerctl_prop_29_0 (powerctl_prop))
+(typeattributeset power_service_29_0 (power_service))
+(typeattributeset ppp_29_0 (ppp))
+(typeattributeset ppp_device_29_0 (ppp_device))
+(typeattributeset ppp_exec_29_0 (ppp_exec))
+(typeattributeset preloads_data_file_29_0 (preloads_data_file))
+(typeattributeset preloads_media_file_29_0 (preloads_media_file))
+(typeattributeset print_service_29_0 (print_service))
+(typeattributeset priv_app_29_0 (priv_app))
+(typeattributeset privapp_data_file_29_0 (privapp_data_file))
+(typeattributeset proc_29_0
+ ( proc
+ proc_kpageflags
+ proc_lowmemorykiller))
+(typeattributeset proc_abi_29_0 (proc_abi))
+(typeattributeset proc_asound_29_0 (proc_asound))
+(typeattributeset proc_bluetooth_writable_29_0 (proc_bluetooth_writable))
+(typeattributeset proc_buddyinfo_29_0 (proc_buddyinfo))
+(typeattributeset proc_cmdline_29_0 (proc_cmdline))
+(typeattributeset proc_cpuinfo_29_0 (proc_cpuinfo))
+(typeattributeset proc_dirty_29_0 (proc_dirty))
+(typeattributeset proc_diskstats_29_0 (proc_diskstats))
+(typeattributeset proc_drop_caches_29_0 (proc_drop_caches))
+(typeattributeset processinfo_service_29_0 (processinfo_service))
+(typeattributeset proc_extra_free_kbytes_29_0 (proc_extra_free_kbytes))
+(typeattributeset proc_filesystems_29_0 (proc_filesystems))
+(typeattributeset proc_fs_verity_29_0 (proc_fs_verity))
+(typeattributeset proc_hostname_29_0 (proc_hostname))
+(typeattributeset proc_hung_task_29_0 (proc_hung_task))
+(typeattributeset proc_interrupts_29_0 (proc_interrupts))
+(typeattributeset proc_iomem_29_0 (proc_iomem))
+(typeattributeset proc_keys_29_0 (proc_keys))
+(typeattributeset proc_kmsg_29_0 (proc_kmsg))
+(typeattributeset proc_loadavg_29_0 (proc_loadavg))
+(typeattributeset proc_max_map_count_29_0 (proc_max_map_count))
+(typeattributeset proc_meminfo_29_0 (proc_meminfo))
+(typeattributeset proc_min_free_order_shift_29_0 (proc_min_free_order_shift))
+(typeattributeset proc_misc_29_0 (proc_misc))
+(typeattributeset proc_modules_29_0 (proc_modules))
+(typeattributeset proc_mounts_29_0 (proc_mounts))
+(typeattributeset proc_net_29_0 (proc_net))
+(typeattributeset proc_net_tcp_udp_29_0 (proc_net_tcp_udp))
+(typeattributeset proc_overcommit_memory_29_0 (proc_overcommit_memory))
+(typeattributeset proc_page_cluster_29_0 (proc_page_cluster))
+(typeattributeset proc_pagetypeinfo_29_0 (proc_pagetypeinfo))
+(typeattributeset proc_panic_29_0 (proc_panic))
+(typeattributeset proc_perf_29_0 (proc_perf))
+(typeattributeset proc_pid_max_29_0 (proc_pid_max))
+(typeattributeset proc_pipe_conf_29_0 (proc_pipe_conf))
+(typeattributeset proc_pressure_cpu_29_0 (proc_pressure_cpu))
+(typeattributeset proc_pressure_io_29_0 (proc_pressure_io))
+(typeattributeset proc_pressure_mem_29_0 (proc_pressure_mem))
+(typeattributeset proc_qtaguid_ctrl_29_0 (proc_qtaguid_ctrl))
+(typeattributeset proc_qtaguid_stat_29_0 (proc_qtaguid_stat))
+(typeattributeset proc_random_29_0 (proc_random))
+(typeattributeset proc_sched_29_0 (proc_sched))
+(typeattributeset proc_security_29_0 (proc_security))
+(typeattributeset proc_slabinfo_29_0 (proc_slabinfo))
+(typeattributeset proc_stat_29_0 (proc_stat))
+(typeattributeset procstats_service_29_0 (procstats_service))
+(typeattributeset proc_swaps_29_0 (proc_swaps))
+(typeattributeset proc_sysrq_29_0 (proc_sysrq))
+(typeattributeset proc_timer_29_0 (proc_timer))
+(typeattributeset proc_tty_drivers_29_0 (proc_tty_drivers))
+(typeattributeset proc_uid_concurrent_active_time_29_0 (proc_uid_concurrent_active_time))
+(typeattributeset proc_uid_concurrent_policy_time_29_0 (proc_uid_concurrent_policy_time))
+(typeattributeset proc_uid_cpupower_29_0 (proc_uid_cpupower))
+(typeattributeset proc_uid_cputime_removeuid_29_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_29_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_29_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_29_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_29_0 (proc_uid_time_in_state))
+(typeattributeset proc_uptime_29_0 (proc_uptime))
+(typeattributeset proc_version_29_0 (proc_version))
+(typeattributeset proc_vmallocinfo_29_0 (proc_vmallocinfo))
+(typeattributeset proc_vmstat_29_0 (proc_vmstat))
+(typeattributeset proc_zoneinfo_29_0 (proc_zoneinfo))
+(typeattributeset profman_29_0 (profman))
+(typeattributeset profman_dump_data_file_29_0 (profman_dump_data_file))
+(typeattributeset profman_exec_29_0 (profman_exec))
+(typeattributeset properties_device_29_0 (properties_device))
+(typeattributeset properties_serial_29_0 (properties_serial))
+(typeattributeset property_contexts_file_29_0 (property_contexts_file))
+(typeattributeset property_data_file_29_0 (property_data_file))
+(typeattributeset property_info_29_0 (property_info))
+(typeattributeset property_socket_29_0 (property_socket))
+(typeattributeset pstorefs_29_0 (pstorefs))
+(typeattributeset ptmx_device_29_0 (ptmx_device))
+(typeattributeset qtaguid_device_29_0 (qtaguid_device))
+(typeattributeset racoon_29_0 (racoon))
+(typeattributeset racoon_exec_29_0 (racoon_exec))
+(typeattributeset racoon_socket_29_0 (racoon_socket))
+(typeattributeset radio_29_0 (radio))
+(typeattributeset radio_data_file_29_0 (radio_data_file))
+(typeattributeset radio_device_29_0 (radio_device))
+(typeattributeset radio_prop_29_0 (radio_prop))
+(typeattributeset radio_service_29_0 (radio_service))
+(typeattributeset ram_device_29_0 (ram_device))
+(typeattributeset random_device_29_0 (random_device))
+(typeattributeset recovery_29_0 (recovery))
+(typeattributeset recovery_block_device_29_0 (recovery_block_device))
+(typeattributeset recovery_data_file_29_0 (recovery_data_file))
+(typeattributeset recovery_persist_29_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_29_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_29_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_29_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_29_0 (recovery_service))
+(typeattributeset recovery_socket_29_0 (recovery_socket))
+(typeattributeset registry_service_29_0 (registry_service))
+(typeattributeset resourcecache_data_file_29_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_29_0 (restorecon_prop))
+(typeattributeset restrictions_service_29_0 (restrictions_service))
+(typeattributeset rild_debug_socket_29_0 (rild_debug_socket))
+(typeattributeset rild_socket_29_0 (rild_socket))
+(typeattributeset ringtone_file_29_0 (ringtone_file))
+(typeattributeset role_service_29_0 (role_service))
+(typeattributeset rollback_service_29_0 (rollback_service))
+(typeattributeset root_block_device_29_0 (root_block_device))
+(typeattributeset rootfs_29_0 (rootfs))
+(typeattributeset rpmsg_device_29_0 (rpmsg_device))
+(typeattributeset rs_29_0 (rs))
+(typeattributeset rs_exec_29_0 (rs_exec))
+(typeattributeset rss_hwm_reset_29_0 (rss_hwm_reset))
+(typeattributeset rtc_device_29_0 (rtc_device))
+(typeattributeset rttmanager_service_29_0 (rttmanager_service))
+(typeattributeset runas_29_0 (runas))
+(typeattributeset runas_app_29_0 (runas_app))
+(typeattributeset runas_exec_29_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_29_0 (runtime_event_log_tags_file))
+(typeattributeset runtime_service_29_0 (runtime_service))
+(typeattributeset safemode_prop_29_0 (safemode_prop))
+(typeattributeset same_process_hal_file_29_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_29_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_29_0 (scheduling_policy_service))
+(typeattributeset sdcard_block_device_29_0 (sdcard_block_device))
+(typeattributeset sdcardd_29_0 (sdcardd))
+(typeattributeset sdcardd_exec_29_0 (sdcardd_exec))
+(typeattributeset sdcardfs_29_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_29_0 (seapp_contexts_file))
+(typeattributeset search_service_29_0 (search_service))
+(typeattributeset sec_key_att_app_id_provider_service_29_0 (sec_key_att_app_id_provider_service))
+(typeattributeset secure_element_29_0 (secure_element))
+(typeattributeset secure_element_device_29_0 (secure_element_device))
+(typeattributeset secure_element_service_29_0 (secure_element_service))
+(typeattributeset selinuxfs_29_0 (selinuxfs))
+(typeattributeset sensor_privacy_service_29_0 (sensor_privacy_service))
+(typeattributeset sensors_device_29_0 (sensors_device))
+(typeattributeset sensorservice_service_29_0 (sensorservice_service))
+(typeattributeset sepolicy_file_29_0 (sepolicy_file))
+(typeattributeset serial_device_29_0 (serial_device))
+(typeattributeset serialno_prop_29_0 (serialno_prop))
+(typeattributeset serial_service_29_0 (serial_service))
+(typeattributeset server_configurable_flags_data_file_29_0 (server_configurable_flags_data_file))
+(typeattributeset service_contexts_file_29_0 (service_contexts_file))
+(typeattributeset servicediscovery_service_29_0 (servicediscovery_service))
+(typeattributeset servicemanager_29_0 (servicemanager))
+(typeattributeset servicemanager_exec_29_0 (servicemanager_exec))
+(typeattributeset settings_service_29_0 (settings_service))
+(typeattributeset sgdisk_29_0 (sgdisk))
+(typeattributeset sgdisk_exec_29_0 (sgdisk_exec))
+(typeattributeset shared_relro_29_0 (shared_relro))
+(typeattributeset shared_relro_file_29_0 (shared_relro_file))
+(typeattributeset shell_29_0 (shell))
+(typeattributeset shell_data_file_29_0 (shell_data_file))
+(typeattributeset shell_exec_29_0 (shell_exec))
+(typeattributeset shell_prop_29_0 (shell_prop))
+(typeattributeset shm_29_0 (shm))
+(typeattributeset shortcut_manager_icons_29_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_29_0 (shortcut_service))
+(typeattributeset simpleperf_app_runner_29_0 (simpleperf_app_runner))
+(typeattributeset simpleperf_app_runner_exec_29_0 (simpleperf_app_runner_exec))
+(typeattributeset slice_service_29_0 (slice_service))
+(typeattributeset slideshow_29_0 (slideshow))
+(typeattributeset socket_device_29_0 (socket_device))
+(typeattributeset sockfs_29_0 (sockfs))
+(typeattributeset staging_data_file_29_0 (staging_data_file))
+(typeattributeset statsd_29_0 (statsd))
+(typeattributeset stats_data_file_29_0 (stats_data_file))
+(typeattributeset statsd_exec_29_0 (statsd_exec))
+(typeattributeset statsdw_socket_29_0 (statsdw_socket))
+(typeattributeset statusbar_service_29_0 (statusbar_service))
+(typeattributeset storaged_service_29_0 (storaged_service))
+(typeattributeset storage_file_29_0 (storage_file))
+(typeattributeset storagestats_service_29_0 (storagestats_service))
+(typeattributeset storage_stub_file_29_0 (storage_stub_file))
+(typeattributeset su_29_0 (su))
+(typeattributeset su_exec_29_0 (su_exec))
+(typeattributeset super_block_device_29_0 (super_block_device))
+(typeattributeset surfaceflinger_29_0 (surfaceflinger))
+(typeattributeset surfaceflinger_service_29_0 (surfaceflinger_service))
+(typeattributeset surfaceflinger_tmpfs_29_0 (surfaceflinger_tmpfs))
+(typeattributeset swap_block_device_29_0 (swap_block_device))
+(typeattributeset sysfs_29_0
+ ( sysfs
+ sysfs_ion
+ sysfs_suspend_stats
+ sysfs_wakeup))
+(typeattributeset sysfs_android_usb_29_0 (sysfs_android_usb))
+(typeattributeset sysfs_batteryinfo_29_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_29_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devices_block_29_0 (sysfs_devices_block))
+(typeattributeset sysfs_devices_system_cpu_29_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_dm_29_0 (sysfs_dm))
+(typeattributeset sysfs_dt_firmware_android_29_0 (sysfs_dt_firmware_android))
+(typeattributeset sysfs_extcon_29_0 (sysfs_extcon))
+(typeattributeset sysfs_fs_ext4_features_29_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_fs_f2fs_29_0 (sysfs_fs_f2fs))
+(typeattributeset sysfs_hwrandom_29_0 (sysfs_hwrandom))
+(typeattributeset sysfs_ipv4_29_0 (sysfs_ipv4))
+(typeattributeset sysfs_kernel_notes_29_0 (sysfs_kernel_notes))
+(typeattributeset sysfs_leds_29_0 (sysfs_leds))
+(typeattributeset sysfs_loop_29_0 (sysfs_loop))
+(typeattributeset sysfs_lowmemorykiller_29_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_mac_address_29_0 (sysfs_mac_address))
+(typeattributeset sysfs_net_29_0 (sysfs_net))
+(typeattributeset sysfs_nfc_power_writable_29_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_power_29_0 (sysfs_power))
+(typeattributeset sysfs_rtc_29_0 (sysfs_rtc))
+(typeattributeset sysfs_switch_29_0 (sysfs_switch))
+(typeattributeset sysfs_thermal_29_0 (sysfs_thermal))
+(typeattributeset sysfs_transparent_hugepage_29_0 (sysfs_transparent_hugepage))
+(typeattributeset sysfs_uio_29_0 (sysfs_uio))
+(typeattributeset sysfs_usb_29_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_29_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vibrator_29_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_29_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wakeup_reasons_29_0 (sysfs_wakeup_reasons))
+(typeattributeset sysfs_wlan_fwpath_29_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_29_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_29_0 (sysfs_zram_uevent))
+(typeattributeset system_app_29_0 (system_app))
+(typeattributeset system_app_data_file_29_0 (system_app_data_file))
+(typeattributeset system_app_service_29_0 (system_app_service))
+(typeattributeset system_asan_options_file_29_0 (system_asan_options_file))
+(typeattributeset system_block_device_29_0 (system_block_device))
+(typeattributeset system_boot_reason_prop_29_0 (system_boot_reason_prop))
+(typeattributeset system_bootstrap_lib_file_29_0 (system_bootstrap_lib_file))
+(typeattributeset system_data_file_29_0 (system_data_file system_data_root_file))
+(typeattributeset system_event_log_tags_file_29_0 (system_event_log_tags_file))
+(typeattributeset system_file_29_0 (system_file))
+(typeattributeset systemkeys_data_file_29_0 (systemkeys_data_file))
+(typeattributeset system_lib_file_29_0 (system_lib_file))
+(typeattributeset system_linker_config_file_29_0 (system_linker_config_file))
+(typeattributeset system_linker_exec_29_0 (system_linker_exec))
+(typeattributeset system_lmk_prop_29_0 (system_lmk_prop))
+(typeattributeset system_ndebug_socket_29_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_29_0 (system_net_netd_hwservice))
+(typeattributeset system_prop_29_0 (system_prop))
+(typeattributeset system_radio_prop_29_0 (system_radio_prop))
+(typeattributeset system_seccomp_policy_file_29_0 (system_seccomp_policy_file))
+(typeattributeset system_security_cacerts_file_29_0 (system_security_cacerts_file))
+(typeattributeset system_server_29_0 (system_server))
+(typeattributeset system_server_tmpfs_29_0 (system_server_tmpfs))
+(typeattributeset system_suspend_control_service_29_0 (system_suspend_control_service))
+(typeattributeset system_suspend_hwservice_29_0 (system_suspend_hwservice))
+(typeattributeset system_trace_prop_29_0 (system_trace_prop))
+(typeattributeset system_update_service_29_0 (system_update_service))
+(typeattributeset system_wifi_keystore_hwservice_29_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_29_0 (system_wpa_socket))
+(typeattributeset system_zoneinfo_file_29_0 (system_zoneinfo_file))
+(typeattributeset task_profiles_file_29_0 (task_profiles_file))
+(typeattributeset task_service_29_0 (task_service))
+(typeattributeset tcpdump_exec_29_0 (tcpdump_exec))
+(typeattributeset tee_29_0 (tee))
+(typeattributeset tee_data_file_29_0 (tee_data_file))
+(typeattributeset tee_device_29_0 (tee_device))
+(typeattributeset telecom_service_29_0 (telecom_service))
+(typeattributeset test_boot_reason_prop_29_0 (test_boot_reason_prop))
+(typeattributeset test_harness_prop_29_0 (test_harness_prop))
+(typeattributeset testharness_service_29_0 (testharness_service))
+(typeattributeset textclassification_service_29_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_29_0 (textclassifier_data_file))
+(typeattributeset textservices_service_29_0 (textservices_service))
+(typeattributeset thermalcallback_hwservice_29_0 (thermalcallback_hwservice))
+(typeattributeset thermal_service_29_0 (thermal_service))
+(typeattributeset timedetector_service_29_0 (timedetector_service))
+(typeattributeset time_prop_29_0 (time_prop))
+(typeattributeset timezone_service_29_0 (timezone_service))
+(typeattributeset tmpfs_29_0
+ ( mnt_sdcard_file
+ tmpfs))
+(typeattributeset tombstoned_29_0 (tombstoned))
+(typeattributeset tombstone_data_file_29_0 (tombstone_data_file))
+(typeattributeset tombstoned_crash_socket_29_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_29_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_29_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_29_0 (tombstoned_java_trace_socket))
+(typeattributeset tombstone_wifi_data_file_29_0 (tombstone_wifi_data_file))
+(typeattributeset toolbox_29_0 (toolbox))
+(typeattributeset toolbox_exec_29_0 (toolbox_exec))
+(typeattributeset traced_29_0 (traced))
+(typeattributeset trace_data_file_29_0 (trace_data_file))
+(typeattributeset traced_consumer_socket_29_0 (traced_consumer_socket))
+(typeattributeset traced_enabled_prop_29_0 (traced_enabled_prop))
+(typeattributeset traced_lazy_prop_29_0 (traced_lazy_prop))
+(typeattributeset traced_probes_29_0 (traced_probes))
+(typeattributeset traced_producer_socket_29_0 (traced_producer_socket))
+(typeattributeset traceur_app_29_0 (traceur_app))
+(typeattributeset trust_service_29_0 (trust_service))
+(typeattributeset tty_device_29_0 (tty_device))
+(typeattributeset tun_device_29_0 (tun_device))
+(typeattributeset tv_input_service_29_0 (tv_input_service))
+(typeattributeset tzdatacheck_29_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_29_0 (tzdatacheck_exec))
+(typeattributeset ueventd_29_0 (ueventd))
+(typeattributeset ueventd_tmpfs_29_0 (ueventd_tmpfs))
+(typeattributeset uhid_device_29_0 (uhid_device))
+(typeattributeset uimode_service_29_0 (uimode_service))
+(typeattributeset uio_device_29_0 (uio_device))
+(typeattributeset uncrypt_29_0 (uncrypt))
+(typeattributeset uncrypt_exec_29_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_29_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_29_0 (unencrypted_data_file))
+(typeattributeset unlabeled_29_0 (unlabeled))
+(typeattributeset untrusted_app_25_29_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_29_0 (untrusted_app_27))
+(typeattributeset untrusted_app_29_0 (untrusted_app))
+(typeattributeset update_engine_29_0 (update_engine))
+(typeattributeset update_engine_data_file_29_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_29_0 (update_engine_exec))
+(typeattributeset update_engine_log_data_file_29_0 (update_engine_log_data_file))
+(typeattributeset update_engine_service_29_0 (update_engine_service))
+(typeattributeset updatelock_service_29_0 (updatelock_service))
+(typeattributeset update_verifier_29_0 (update_verifier))
+(typeattributeset update_verifier_exec_29_0 (update_verifier_exec))
+(typeattributeset uri_grants_service_29_0 (uri_grants_service))
+(typeattributeset usagestats_service_29_0 (usagestats_service))
+(typeattributeset usbaccessory_device_29_0 (usbaccessory_device))
+(typeattributeset usbd_29_0 (usbd))
+(typeattributeset usb_device_29_0 (usb_device))
+(typeattributeset usbd_exec_29_0 (usbd_exec))
+(typeattributeset usbfs_29_0 (usbfs))
+(typeattributeset usb_service_29_0 (usb_service))
+(typeattributeset use_memfd_prop_29_0 (use_memfd_prop))
+(typeattributeset userdata_block_device_29_0 (userdata_block_device))
+(typeattributeset usermodehelper_29_0 (usermodehelper))
+(typeattributeset user_profile_data_file_29_0 (user_profile_data_file))
+(typeattributeset user_service_29_0 (user_service))
+(typeattributeset vdc_29_0 (vdc))
+(typeattributeset vdc_exec_29_0 (vdc_exec))
+(typeattributeset vendor_app_file_29_0 (vendor_app_file))
+(typeattributeset vendor_cgroup_desc_file_29_0 (vendor_cgroup_desc_file))
+(typeattributeset vendor_configs_file_29_0 (vendor_configs_file))
+(typeattributeset vendor_data_file_29_0 (vendor_data_file))
+(typeattributeset vendor_default_prop_29_0 (vendor_default_prop))
+(typeattributeset vendor_file_29_0 (vendor_file))
+(typeattributeset vendor_framework_file_29_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_29_0 (vendor_hal_file))
+(typeattributeset vendor_idc_file_29_0 (vendor_idc_file))
+(typeattributeset vendor_init_29_0 (vendor_init))
+(typeattributeset vendor_keychars_file_29_0 (vendor_keychars_file))
+(typeattributeset vendor_keylayout_file_29_0 (vendor_keylayout_file))
+(typeattributeset vendor_overlay_file_29_0 (vendor_overlay_file))
+(typeattributeset vendor_public_lib_file_29_0
+ ( vendor_public_framework_file
+ vendor_public_lib_file))
+(typeattributeset vendor_security_patch_level_prop_29_0 (vendor_security_patch_level_prop))
+(typeattributeset vendor_shell_29_0 (vendor_shell))
+(typeattributeset vendor_shell_exec_29_0 (vendor_shell_exec))
+(typeattributeset vendor_task_profiles_file_29_0 (vendor_task_profiles_file))
+(typeattributeset vendor_toolbox_exec_29_0 (vendor_toolbox_exec))
+(typeattributeset vfat_29_0 (vfat))
+(typeattributeset vibrator_service_29_0 (vibrator_service))
+(typeattributeset video_device_29_0 (video_device))
+(typeattributeset virtual_touchpad_29_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_29_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_29_0 (virtual_touchpad_service))
+(typeattributeset vndbinder_device_29_0 (vndbinder_device))
+(typeattributeset vndk_sp_file_29_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_29_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_29_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_29_0 (voiceinteraction_service))
+(typeattributeset vold_29_0 (vold))
+(typeattributeset vold_data_file_29_0 (vold_data_file))
+(typeattributeset vold_device_29_0 (vold_device))
+(typeattributeset vold_exec_29_0 (vold_exec))
+(typeattributeset vold_metadata_file_29_0 (vold_metadata_file))
+(typeattributeset vold_prepare_subdirs_29_0 (vold_prepare_subdirs))
+(typeattributeset vold_prepare_subdirs_exec_29_0 (vold_prepare_subdirs_exec))
+(typeattributeset vold_prop_29_0 (vold_prop))
+(typeattributeset vold_service_29_0 (vold_service))
+(typeattributeset vpn_data_file_29_0 (vpn_data_file))
+(typeattributeset vrflinger_vsync_service_29_0 (vrflinger_vsync_service))
+(typeattributeset vr_hwc_29_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_29_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_29_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_29_0 (vr_manager_service))
+(typeattributeset wallpaper_file_29_0 (wallpaper_file))
+(typeattributeset wallpaper_service_29_0 (wallpaper_service))
+(typeattributeset watchdogd_29_0 (watchdogd))
+(typeattributeset watchdog_device_29_0 (watchdog_device))
+(typeattributeset watchdogd_exec_29_0 (watchdogd_exec))
+(typeattributeset webviewupdate_service_29_0 (webviewupdate_service))
+(typeattributeset webview_zygote_29_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_29_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_tmpfs_29_0 (webview_zygote_tmpfs))
+(typeattributeset wifiaware_service_29_0 (wifiaware_service))
+(typeattributeset wificond_29_0 (wificond))
+(typeattributeset wificond_exec_29_0 (wificond_exec))
+(typeattributeset wificond_service_29_0 (wificond_service wifinl80211_service))
+(typeattributeset wifi_data_file_29_0 (wifi_data_file))
+(typeattributeset wifi_log_prop_29_0 (wifi_log_prop))
+(typeattributeset wifip2p_service_29_0 (wifip2p_service))
+(typeattributeset wifi_prop_29_0 (wifi_prop))
+(typeattributeset wifiscanner_service_29_0 (wifiscanner_service))
+(typeattributeset wifi_service_29_0 (wifi_service))
+(typeattributeset window_service_29_0 (window_service))
+(typeattributeset wpantund_29_0 (wpantund))
+(typeattributeset wpantund_exec_29_0 (wpantund_exec))
+(typeattributeset wpantund_service_29_0 (wpantund_service))
+(typeattributeset wpa_socket_29_0 (wpa_socket))
+(typeattributeset zero_device_29_0 (zero_device))
+(typeattributeset zoneinfo_data_file_29_0 (zoneinfo_data_file))
+(typeattributeset zygote_29_0 (zygote))
+(typeattributeset zygote_exec_29_0 (zygote_exec))
+(typeattributeset zygote_socket_29_0 (zygote_socket))
+(typeattributeset zygote_tmpfs_29_0 (zygote_tmpfs))
diff --git a/prebuilts/api/33.0/private/compat/29.0/29.0.compat.cil b/prebuilts/api/33.0/private/compat/29.0/29.0.compat.cil
new file mode 100644
index 0000000..ccd9d1a
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/29.0/29.0.compat.cil
@@ -0,0 +1,9 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/33.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/33.0/private/compat/29.0/29.0.ignore.cil
new file mode 100644
index 0000000..1079046
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/29.0/29.0.ignore.cil
@@ -0,0 +1,130 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ aidl_lazy_test_server
+ aidl_lazy_test_server_exec
+ aidl_lazy_test_service
+ adbd_prop
+ apex_module_data_file
+ apex_permission_data_file
+ apex_rollback_data_file
+ apex_wifi_data_file
+ app_integrity_service
+ app_search_service
+ auth_service
+ automotive_display_service
+ automotive_display_service_exec
+ ashmem_libcutils_device
+ blob_store_service
+ binder_cache_bluetooth_server_prop
+ binder_cache_system_server_prop
+ binder_cache_telephony_server_prop
+ binderfs
+ binderfs_logs
+ binderfs_logs_proc
+ boringssl_self_test
+ bq_config_prop
+ cacheinfo_service
+ charger_prop
+ cold_boot_done_prop
+ credstore
+ credstore_data_file
+ credstore_exec
+ credstore_service
+ platform_compat_service
+ ctl_apexd_prop
+ dataloader_manager_service
+ device_config_storage_native_boot_prop
+ device_config_sys_traced_prop
+ device_config_window_manager_native_boot_prop
+ device_config_configuration_prop
+ emergency_affordance_service
+ exported_camera_prop
+ fastbootd_protocol_prop
+ file_integrity_service
+ fwk_automotive_display_hwservice
+ fusectlfs
+ gmscore_app
+ gnss_device
+ graphics_config_prop
+ hal_can_bus_hwservice
+ hal_can_controller_hwservice
+ hal_identity_service
+ hal_light_service
+ hal_power_service
+ hal_rebootescrow_service
+ hal_tv_tuner_hwservice
+ hal_vibrator_service
+ incremental_control_file
+ incremental_prop
+ incremental_service
+ init_perf_lsm_hooks_prop
+ init_svc_debug_prop
+ iorap_inode2filename
+ iorap_inode2filename_data_file
+ iorap_inode2filename_exec
+ iorap_inode2filename_tmpfs
+ iorap_prefetcherd
+ iorap_prefetcherd_data_file
+ iorap_prefetcherd_exec
+ iorap_prefetcherd_tmpfs
+ mediatranscoding_service
+ mediatranscoding
+ mediatranscoding_exec
+ mediatranscoding_tmpfs
+ mirror_data_file
+ light_service
+ linkerconfig_file
+ lmkd_prop
+ media_variant_prop
+ metadata_bootstat_file
+ mnt_pass_through_file
+ mock_ota_prop
+ module_sdkextensions_prop
+ ota_metadata_file
+ ota_prop
+ prereboot_data_file
+ art_apex_dir
+ rebootescrow_hal_prop
+ securityfs
+ service_manager_service
+ service_manager_vndservice
+ simpleperf
+ snapshotctl_log_data_file
+ socket_hook_prop
+ soundtrigger_middleware_service
+ staged_install_file
+ storage_config_prop
+ surfaceflinger_display_prop
+ sysfs_dm_verity
+ system_adbd_prop
+ system_config_service
+ system_group_file
+ system_jvmti_agent_prop
+ system_passwd_file
+ system_unsolzygote_socket
+ tethering_service
+ traced_perf
+ traced_perf_enabled_prop
+ traced_perf_socket
+ timezonedetector_service
+ untrusted_app_29
+ usb_serial_device
+ userspace_reboot_config_prop
+ userspace_reboot_exported_prop
+ userspace_reboot_log_prop
+ userspace_reboot_test_prop
+ vehicle_hal_prop
+ tv_tuner_resource_mgr_service
+ vendor_apex_file
+ vendor_boringssl_self_test
+ vendor_install_recovery
+ vendor_install_recovery_exec
+ vendor_service_contexts_file
+ vendor_socket_hook_prop
+ vendor_socket_hook_prop
+ virtual_ab_prop))
diff --git a/prebuilts/api/33.0/private/compat/30.0/30.0.cil b/prebuilts/api/33.0/private/compat/30.0/30.0.cil
new file mode 100644
index 0000000..9f40876
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/30.0/30.0.cil
@@ -0,0 +1,2266 @@
+;; types removed from current policy
+(type cgroup_bpf)
+(type exported_audio_prop)
+(type exported_dalvik_prop)
+(type exported_ffs_prop)
+(type exported_fingerprint_prop)
+(type exported_system_radio_prop)
+(type exported_radio_prop)
+(type exported_vold_prop)
+(type exported_wifi_prop)
+(type exported2_config_prop)
+(type exported2_default_prop)
+(type exported2_radio_prop)
+(type exported2_system_prop)
+(type exported2_vold_prop)
+(type exported3_default_prop)
+(type exported3_radio_prop)
+(type ffs_prop)
+(type system_radio_prop)
+(type thermalcallback_hwservice)
+
+(typeattribute binder_in_vendor_violators)
+
+(expandtypeattribute (DockObserver_service_30_0) true)
+(expandtypeattribute (IProxyService_service_30_0) true)
+(expandtypeattribute (accessibility_service_30_0) true)
+(expandtypeattribute (account_service_30_0) true)
+(expandtypeattribute (activity_service_30_0) true)
+(expandtypeattribute (activity_task_service_30_0) true)
+(expandtypeattribute (adb_data_file_30_0) true)
+(expandtypeattribute (adb_keys_file_30_0) true)
+(expandtypeattribute (adb_service_30_0) true)
+(expandtypeattribute (adbd_30_0) true)
+(expandtypeattribute (adbd_exec_30_0) true)
+(expandtypeattribute (adbd_prop_30_0) true)
+(expandtypeattribute (adbd_socket_30_0) true)
+(expandtypeattribute (aidl_lazy_test_server_30_0) true)
+(expandtypeattribute (aidl_lazy_test_server_exec_30_0) true)
+(expandtypeattribute (aidl_lazy_test_service_30_0) true)
+(expandtypeattribute (alarm_service_30_0) true)
+(expandtypeattribute (anr_data_file_30_0) true)
+(expandtypeattribute (apex_data_file_30_0) true)
+(expandtypeattribute (apex_metadata_file_30_0) true)
+(expandtypeattribute (apex_mnt_dir_30_0) true)
+(expandtypeattribute (apex_module_data_file_30_0) true)
+(expandtypeattribute (apex_permission_data_file_30_0) true)
+(expandtypeattribute (apex_rollback_data_file_30_0) true)
+(expandtypeattribute (apex_service_30_0) true)
+(expandtypeattribute (apex_wifi_data_file_30_0) true)
+(expandtypeattribute (apexd_30_0) true)
+(expandtypeattribute (apexd_exec_30_0) true)
+(expandtypeattribute (apexd_prop_30_0) true)
+(expandtypeattribute (apk_data_file_30_0) true)
+(expandtypeattribute (apk_private_data_file_30_0) true)
+(expandtypeattribute (apk_private_tmp_file_30_0) true)
+(expandtypeattribute (apk_tmp_file_30_0) true)
+(expandtypeattribute (apk_verity_prop_30_0) true)
+(expandtypeattribute (app_binding_service_30_0) true)
+(expandtypeattribute (app_data_file_30_0) true)
+(expandtypeattribute (app_fuse_file_30_0) true)
+(expandtypeattribute (app_fusefs_30_0) true)
+(expandtypeattribute (app_integrity_service_30_0) true)
+(expandtypeattribute (app_prediction_service_30_0) true)
+(expandtypeattribute (app_search_service_30_0) true)
+(expandtypeattribute (app_zygote_30_0) true)
+(expandtypeattribute (app_zygote_tmpfs_30_0) true)
+(expandtypeattribute (appdomain_tmpfs_30_0) true)
+(expandtypeattribute (appops_service_30_0) true)
+(expandtypeattribute (appwidget_service_30_0) true)
+(expandtypeattribute (art_apex_dir_30_0) true)
+(expandtypeattribute (asec_apk_file_30_0) true)
+(expandtypeattribute (asec_image_file_30_0) true)
+(expandtypeattribute (asec_public_file_30_0) true)
+(expandtypeattribute (ashmem_device_30_0) true)
+(expandtypeattribute (ashmem_libcutils_device_30_0) true)
+(expandtypeattribute (assetatlas_service_30_0) true)
+(expandtypeattribute (audio_data_file_30_0) true)
+(expandtypeattribute (audio_device_30_0) true)
+(expandtypeattribute (audio_prop_30_0) true)
+(expandtypeattribute (audio_service_30_0) true)
+(expandtypeattribute (audiohal_data_file_30_0) true)
+(expandtypeattribute (audioserver_30_0) true)
+(expandtypeattribute (audioserver_data_file_30_0) true)
+(expandtypeattribute (audioserver_service_30_0) true)
+(expandtypeattribute (audioserver_tmpfs_30_0) true)
+(expandtypeattribute (auth_service_30_0) true)
+(expandtypeattribute (autofill_service_30_0) true)
+(expandtypeattribute (backup_data_file_30_0) true)
+(expandtypeattribute (backup_service_30_0) true)
+(expandtypeattribute (battery_service_30_0) true)
+(expandtypeattribute (batteryproperties_service_30_0) true)
+(expandtypeattribute (batterystats_service_30_0) true)
+(expandtypeattribute (binder_cache_bluetooth_server_prop_30_0) true)
+(expandtypeattribute (binder_cache_system_server_prop_30_0) true)
+(expandtypeattribute (binder_cache_telephony_server_prop_30_0) true)
+(expandtypeattribute (binder_calls_stats_service_30_0) true)
+(expandtypeattribute (binder_device_30_0) true)
+(expandtypeattribute (binderfs_30_0) true)
+(expandtypeattribute (binderfs_logs_30_0) true)
+(expandtypeattribute (binderfs_logs_proc_30_0) true)
+(expandtypeattribute (binfmt_miscfs_30_0) true)
+(expandtypeattribute (biometric_service_30_0) true)
+(expandtypeattribute (blkid_30_0) true)
+(expandtypeattribute (blkid_untrusted_30_0) true)
+(expandtypeattribute (blob_store_service_30_0) true)
+(expandtypeattribute (block_device_30_0) true)
+(expandtypeattribute (bluetooth_30_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_30_0) true)
+(expandtypeattribute (bluetooth_audio_hal_prop_30_0) true)
+(expandtypeattribute (bluetooth_data_file_30_0) true)
+(expandtypeattribute (bluetooth_efs_file_30_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_30_0) true)
+(expandtypeattribute (bluetooth_manager_service_30_0) true)
+(expandtypeattribute (bluetooth_prop_30_0) true)
+(expandtypeattribute (bluetooth_service_30_0) true)
+(expandtypeattribute (bluetooth_socket_30_0) true)
+(expandtypeattribute (boot_block_device_30_0) true)
+(expandtypeattribute (bootanim_30_0) true)
+(expandtypeattribute (bootanim_exec_30_0) true)
+(expandtypeattribute (bootchart_data_file_30_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_30_0) true)
+(expandtypeattribute (bootstat_30_0) true)
+(expandtypeattribute (bootstat_data_file_30_0) true)
+(expandtypeattribute (bootstat_exec_30_0) true)
+(expandtypeattribute (boottime_prop_30_0) true)
+(expandtypeattribute (boottime_public_prop_30_0) true)
+(expandtypeattribute (boottrace_data_file_30_0) true)
+(expandtypeattribute (bpf_progs_loaded_prop_30_0) true)
+(expandtypeattribute (bq_config_prop_30_0) true)
+(expandtypeattribute (broadcastradio_service_30_0) true)
+(expandtypeattribute (bufferhubd_30_0) true)
+(expandtypeattribute (bufferhubd_exec_30_0) true)
+(expandtypeattribute (bugreport_service_30_0) true)
+(expandtypeattribute (cache_backup_file_30_0) true)
+(expandtypeattribute (cache_block_device_30_0) true)
+(expandtypeattribute (cache_file_30_0) true)
+(expandtypeattribute (cache_private_backup_file_30_0) true)
+(expandtypeattribute (cache_recovery_file_30_0) true)
+(expandtypeattribute (camera_data_file_30_0) true)
+(expandtypeattribute (camera_device_30_0) true)
+(expandtypeattribute (cameraproxy_service_30_0) true)
+(expandtypeattribute (cameraserver_30_0) true)
+(expandtypeattribute (cameraserver_exec_30_0) true)
+(expandtypeattribute (cameraserver_service_30_0) true)
+(expandtypeattribute (cameraserver_tmpfs_30_0) true)
+(expandtypeattribute (cgroup_30_0) true)
+(expandtypeattribute (cgroup_bpf_30_0) true)
+(expandtypeattribute (cgroup_desc_file_30_0) true)
+(expandtypeattribute (cgroup_rc_file_30_0) true)
+(expandtypeattribute (charger_30_0) true)
+(expandtypeattribute (charger_exec_30_0) true)
+(expandtypeattribute (charger_prop_30_0) true)
+(expandtypeattribute (clipboard_service_30_0) true)
+(expandtypeattribute (cold_boot_done_prop_30_0) true)
+(expandtypeattribute (color_display_service_30_0) true)
+(expandtypeattribute (companion_device_service_30_0) true)
+(expandtypeattribute (config_prop_30_0) true)
+(expandtypeattribute (configfs_30_0) true)
+(expandtypeattribute (connectivity_service_30_0) true)
+(expandtypeattribute (connmetrics_service_30_0) true)
+(expandtypeattribute (console_device_30_0) true)
+(expandtypeattribute (consumer_ir_service_30_0) true)
+(expandtypeattribute (content_capture_service_30_0) true)
+(expandtypeattribute (content_service_30_0) true)
+(expandtypeattribute (content_suggestions_service_30_0) true)
+(expandtypeattribute (contexthub_service_30_0) true)
+(expandtypeattribute (coredump_file_30_0) true)
+(expandtypeattribute (country_detector_service_30_0) true)
+(expandtypeattribute (coverage_service_30_0) true)
+(expandtypeattribute (cppreopt_prop_30_0) true)
+(expandtypeattribute (cpu_variant_prop_30_0) true)
+(expandtypeattribute (cpuinfo_service_30_0) true)
+(expandtypeattribute (crash_dump_30_0) true)
+(expandtypeattribute (crash_dump_exec_30_0) true)
+(expandtypeattribute (credstore_30_0) true)
+(expandtypeattribute (credstore_data_file_30_0) true)
+(expandtypeattribute (credstore_exec_30_0) true)
+(expandtypeattribute (credstore_service_30_0) true)
+(expandtypeattribute (crossprofileapps_service_30_0) true)
+(expandtypeattribute (ctl_adbd_prop_30_0) true)
+(expandtypeattribute (ctl_apexd_prop_30_0) true)
+(expandtypeattribute (ctl_bootanim_prop_30_0) true)
+(expandtypeattribute (ctl_bugreport_prop_30_0) true)
+(expandtypeattribute (ctl_console_prop_30_0) true)
+(expandtypeattribute (ctl_default_prop_30_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_30_0) true)
+(expandtypeattribute (ctl_fuse_prop_30_0) true)
+(expandtypeattribute (ctl_gsid_prop_30_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_30_0) true)
+(expandtypeattribute (ctl_interface_start_prop_30_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_30_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_30_0) true)
+(expandtypeattribute (ctl_restart_prop_30_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_30_0) true)
+(expandtypeattribute (ctl_sigstop_prop_30_0) true)
+(expandtypeattribute (ctl_start_prop_30_0) true)
+(expandtypeattribute (ctl_stop_prop_30_0) true)
+(expandtypeattribute (dalvik_prop_30_0) true)
+(expandtypeattribute (dalvikcache_data_file_30_0) true)
+(expandtypeattribute (dataloader_manager_service_30_0) true)
+(expandtypeattribute (dbinfo_service_30_0) true)
+(expandtypeattribute (debug_prop_30_0) true)
+(expandtypeattribute (debugfs_30_0) true)
+(expandtypeattribute (debugfs_mmc_30_0) true)
+(expandtypeattribute (debugfs_trace_marker_30_0) true)
+(expandtypeattribute (debugfs_tracing_30_0) true)
+(expandtypeattribute (debugfs_tracing_debug_30_0) true)
+(expandtypeattribute (debugfs_tracing_instances_30_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_30_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_30_0) true)
+(expandtypeattribute (debuggerd_prop_30_0) true)
+(expandtypeattribute (default_android_hwservice_30_0) true)
+(expandtypeattribute (default_android_service_30_0) true)
+(expandtypeattribute (default_android_vndservice_30_0) true)
+(expandtypeattribute (default_prop_30_0) true)
+(expandtypeattribute (dev_cpu_variant_30_0) true)
+(expandtypeattribute (device_30_0) true)
+(expandtypeattribute (device_config_activity_manager_native_boot_prop_30_0) true)
+(expandtypeattribute (device_config_boot_count_prop_30_0) true)
+(expandtypeattribute (device_config_configuration_prop_30_0) true)
+(expandtypeattribute (device_config_input_native_boot_prop_30_0) true)
+(expandtypeattribute (device_config_media_native_prop_30_0) true)
+(expandtypeattribute (device_config_netd_native_prop_30_0) true)
+(expandtypeattribute (device_config_reset_performed_prop_30_0) true)
+(expandtypeattribute (device_config_runtime_native_boot_prop_30_0) true)
+(expandtypeattribute (device_config_runtime_native_prop_30_0) true)
+(expandtypeattribute (device_config_service_30_0) true)
+(expandtypeattribute (device_config_storage_native_boot_prop_30_0) true)
+(expandtypeattribute (device_config_sys_traced_prop_30_0) true)
+(expandtypeattribute (device_config_window_manager_native_boot_prop_30_0) true)
+(expandtypeattribute (device_identifiers_service_30_0) true)
+(expandtypeattribute (device_logging_prop_30_0) true)
+(expandtypeattribute (device_policy_service_30_0) true)
+(expandtypeattribute (deviceidle_service_30_0) true)
+(expandtypeattribute (devicestoragemonitor_service_30_0) true)
+(expandtypeattribute (devpts_30_0) true)
+(expandtypeattribute (dhcp_30_0) true)
+(expandtypeattribute (dhcp_data_file_30_0) true)
+(expandtypeattribute (dhcp_exec_30_0) true)
+(expandtypeattribute (dhcp_prop_30_0) true)
+(expandtypeattribute (diskstats_service_30_0) true)
+(expandtypeattribute (display_service_30_0) true)
+(expandtypeattribute (dm_device_30_0) true)
+(expandtypeattribute (dnsmasq_30_0) true)
+(expandtypeattribute (dnsmasq_exec_30_0) true)
+(expandtypeattribute (dnsproxyd_socket_30_0) true)
+(expandtypeattribute (dnsresolver_service_30_0) true)
+(expandtypeattribute (dreams_service_30_0) true)
+(expandtypeattribute (drm_data_file_30_0) true)
+(expandtypeattribute (drmserver_30_0) true)
+(expandtypeattribute (drmserver_exec_30_0) true)
+(expandtypeattribute (drmserver_service_30_0) true)
+(expandtypeattribute (drmserver_socket_30_0) true)
+(expandtypeattribute (dropbox_data_file_30_0) true)
+(expandtypeattribute (dropbox_service_30_0) true)
+(expandtypeattribute (dumpstate_30_0) true)
+(expandtypeattribute (dumpstate_exec_30_0) true)
+(expandtypeattribute (dumpstate_options_prop_30_0) true)
+(expandtypeattribute (dumpstate_prop_30_0) true)
+(expandtypeattribute (dumpstate_service_30_0) true)
+(expandtypeattribute (dumpstate_socket_30_0) true)
+(expandtypeattribute (dynamic_system_prop_30_0) true)
+(expandtypeattribute (e2fs_30_0) true)
+(expandtypeattribute (e2fs_exec_30_0) true)
+(expandtypeattribute (efs_file_30_0) true)
+(expandtypeattribute (emergency_affordance_service_30_0) true)
+(expandtypeattribute (ephemeral_app_30_0) true)
+(expandtypeattribute (ethernet_service_30_0) true)
+(expandtypeattribute (exfat_30_0) true)
+(expandtypeattribute (exported2_config_prop_30_0) true)
+(expandtypeattribute (exported2_default_prop_30_0) true)
+(expandtypeattribute (exported2_radio_prop_30_0) true)
+(expandtypeattribute (exported2_system_prop_30_0) true)
+(expandtypeattribute (exported2_vold_prop_30_0) true)
+(expandtypeattribute (exported3_default_prop_30_0) true)
+(expandtypeattribute (exported3_radio_prop_30_0) true)
+(expandtypeattribute (exported3_system_prop_30_0) true)
+(expandtypeattribute (exported_audio_prop_30_0) true)
+(expandtypeattribute (exported_bluetooth_prop_30_0) true)
+(expandtypeattribute (exported_camera_prop_30_0) true)
+(expandtypeattribute (exported_config_prop_30_0) true)
+(expandtypeattribute (exported_dalvik_prop_30_0) true)
+(expandtypeattribute (exported_default_prop_30_0) true)
+(expandtypeattribute (exported_dumpstate_prop_30_0) true)
+(expandtypeattribute (exported_ffs_prop_30_0) true)
+(expandtypeattribute (exported_fingerprint_prop_30_0) true)
+(expandtypeattribute (exported_overlay_prop_30_0) true)
+(expandtypeattribute (exported_pm_prop_30_0) true)
+(expandtypeattribute (exported_radio_prop_30_0) true)
+(expandtypeattribute (exported_secure_prop_30_0) true)
+(expandtypeattribute (exported_system_prop_30_0) true)
+(expandtypeattribute (exported_system_radio_prop_30_0) true)
+(expandtypeattribute (exported_vold_prop_30_0) true)
+(expandtypeattribute (exported_wifi_prop_30_0) true)
+(expandtypeattribute (external_vibrator_service_30_0) true)
+(expandtypeattribute (face_service_30_0) true)
+(expandtypeattribute (face_vendor_data_file_30_0) true)
+(expandtypeattribute (fastbootd_30_0) true)
+(expandtypeattribute (ffs_prop_30_0) true)
+(expandtypeattribute (file_contexts_file_30_0) true)
+(expandtypeattribute (file_integrity_service_30_0) true)
+(expandtypeattribute (fingerprint_service_30_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_30_0) true)
+(expandtypeattribute (fingerprintd_30_0) true)
+(expandtypeattribute (fingerprintd_data_file_30_0) true)
+(expandtypeattribute (fingerprintd_exec_30_0) true)
+(expandtypeattribute (fingerprintd_service_30_0) true)
+(expandtypeattribute (firstboot_prop_30_0) true)
+(expandtypeattribute (flags_health_check_30_0) true)
+(expandtypeattribute (flags_health_check_exec_30_0) true)
+(expandtypeattribute (font_service_30_0) true)
+(expandtypeattribute (frp_block_device_30_0) true)
+(expandtypeattribute (fs_bpf_30_0) true)
+(expandtypeattribute (fsck_30_0) true)
+(expandtypeattribute (fsck_exec_30_0) true)
+(expandtypeattribute (fsck_untrusted_30_0) true)
+(expandtypeattribute (fscklogs_30_0) true)
+(expandtypeattribute (functionfs_30_0) true)
+(expandtypeattribute (fuse_30_0) true)
+(expandtypeattribute (fuse_device_30_0) true)
+(expandtypeattribute (fwk_automotive_display_hwservice_30_0) true)
+(expandtypeattribute (fwk_bufferhub_hwservice_30_0) true)
+(expandtypeattribute (fwk_camera_hwservice_30_0) true)
+(expandtypeattribute (fwk_display_hwservice_30_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_30_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_30_0) true)
+(expandtypeattribute (fwk_stats_hwservice_30_0) true)
+(expandtypeattribute (fwmarkd_socket_30_0) true)
+(expandtypeattribute (gatekeeper_data_file_30_0) true)
+(expandtypeattribute (gatekeeper_service_30_0) true)
+(expandtypeattribute (gatekeeperd_30_0) true)
+(expandtypeattribute (gatekeeperd_exec_30_0) true)
+(expandtypeattribute (gfxinfo_service_30_0) true)
+(expandtypeattribute (gmscore_app_30_0) true)
+(expandtypeattribute (gps_control_30_0) true)
+(expandtypeattribute (gpu_device_30_0) true)
+(expandtypeattribute (gpu_service_30_0) true)
+(expandtypeattribute (gpuservice_30_0) true)
+(expandtypeattribute (graphics_device_30_0) true)
+(expandtypeattribute (graphicsstats_service_30_0) true)
+(expandtypeattribute (gsi_data_file_30_0) true)
+(expandtypeattribute (gsi_metadata_file_30_0) true)
+(expandtypeattribute (gsid_prop_30_0) true)
+(expandtypeattribute (hal_atrace_hwservice_30_0) true)
+(expandtypeattribute (hal_audio_hwservice_30_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_30_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_30_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_30_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_30_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_30_0) true)
+(expandtypeattribute (hal_camera_hwservice_30_0) true)
+(expandtypeattribute (hal_can_bus_hwservice_30_0) true)
+(expandtypeattribute (hal_can_controller_hwservice_30_0) true)
+(expandtypeattribute (hal_cas_hwservice_30_0) true)
+(expandtypeattribute (hal_codec2_hwservice_30_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_30_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_30_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_30_0) true)
+(expandtypeattribute (hal_drm_hwservice_30_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_30_0) true)
+(expandtypeattribute (hal_evs_hwservice_30_0) true)
+(expandtypeattribute (hal_face_hwservice_30_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_30_0) true)
+(expandtypeattribute (hal_fingerprint_service_30_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_30_0) true)
+(expandtypeattribute (hal_gnss_hwservice_30_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_30_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_30_0) true)
+(expandtypeattribute (hal_graphics_composer_server_tmpfs_30_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_30_0) true)
+(expandtypeattribute (hal_health_hwservice_30_0) true)
+(expandtypeattribute (hal_health_storage_hwservice_30_0) true)
+(expandtypeattribute (hal_identity_service_30_0) true)
+(expandtypeattribute (hal_input_classifier_hwservice_30_0) true)
+(expandtypeattribute (hal_ir_hwservice_30_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_30_0) true)
+(expandtypeattribute (hal_light_hwservice_30_0) true)
+(expandtypeattribute (hal_light_service_30_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_30_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_30_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_30_0) true)
+(expandtypeattribute (hal_nfc_hwservice_30_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_30_0) true)
+(expandtypeattribute (hal_omx_hwservice_30_0) true)
+(expandtypeattribute (hal_power_hwservice_30_0) true)
+(expandtypeattribute (hal_power_service_30_0) true)
+(expandtypeattribute (hal_power_stats_hwservice_30_0) true)
+(expandtypeattribute (hal_rebootescrow_service_30_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_30_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_30_0) true)
+(expandtypeattribute (hal_sensors_hwservice_30_0) true)
+(expandtypeattribute (hal_telephony_hwservice_30_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_30_0) true)
+(expandtypeattribute (hal_thermal_hwservice_30_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_30_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_30_0) true)
+(expandtypeattribute (hal_tv_tuner_hwservice_30_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_30_0) true)
+(expandtypeattribute (hal_usb_hwservice_30_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_30_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_30_0) true)
+(expandtypeattribute (hal_vibrator_service_30_0) true)
+(expandtypeattribute (hal_vr_hwservice_30_0) true)
+(expandtypeattribute (hal_weaver_hwservice_30_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_30_0) true)
+(expandtypeattribute (hal_wifi_hwservice_30_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_30_0) true)
+(expandtypeattribute (hardware_properties_service_30_0) true)
+(expandtypeattribute (hardware_service_30_0) true)
+(expandtypeattribute (hci_attach_dev_30_0) true)
+(expandtypeattribute (hdmi_control_service_30_0) true)
+(expandtypeattribute (healthd_30_0) true)
+(expandtypeattribute (healthd_exec_30_0) true)
+(expandtypeattribute (heapdump_data_file_30_0) true)
+(expandtypeattribute (heapprofd_30_0) true)
+(expandtypeattribute (heapprofd_enabled_prop_30_0) true)
+(expandtypeattribute (heapprofd_prop_30_0) true)
+(expandtypeattribute (heapprofd_socket_30_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_30_0) true)
+(expandtypeattribute (hidl_base_hwservice_30_0) true)
+(expandtypeattribute (hidl_manager_hwservice_30_0) true)
+(expandtypeattribute (hidl_memory_hwservice_30_0) true)
+(expandtypeattribute (hidl_token_hwservice_30_0) true)
+(expandtypeattribute (hw_random_device_30_0) true)
+(expandtypeattribute (hwbinder_device_30_0) true)
+(expandtypeattribute (hwservice_contexts_file_30_0) true)
+(expandtypeattribute (hwservicemanager_30_0) true)
+(expandtypeattribute (hwservicemanager_exec_30_0) true)
+(expandtypeattribute (hwservicemanager_prop_30_0) true)
+(expandtypeattribute (icon_file_30_0) true)
+(expandtypeattribute (idmap_30_0) true)
+(expandtypeattribute (idmap_exec_30_0) true)
+(expandtypeattribute (idmap_service_30_0) true)
+(expandtypeattribute (iio_device_30_0) true)
+(expandtypeattribute (imms_service_30_0) true)
+(expandtypeattribute (incident_30_0) true)
+(expandtypeattribute (incident_data_file_30_0) true)
+(expandtypeattribute (incident_helper_30_0) true)
+(expandtypeattribute (incident_service_30_0) true)
+(expandtypeattribute (incidentd_30_0) true)
+(expandtypeattribute (incremental_control_file_30_0) true)
+(expandtypeattribute (incremental_prop_30_0) true)
+(expandtypeattribute (incremental_service_30_0) true)
+(expandtypeattribute (init_30_0) true)
+(expandtypeattribute (init_exec_30_0) true)
+(expandtypeattribute (init_perf_lsm_hooks_prop_30_0) true)
+(expandtypeattribute (init_svc_debug_prop_30_0) true)
+(expandtypeattribute (init_tmpfs_30_0) true)
+(expandtypeattribute (inotify_30_0) true)
+(expandtypeattribute (input_device_30_0) true)
+(expandtypeattribute (input_method_service_30_0) true)
+(expandtypeattribute (input_service_30_0) true)
+(expandtypeattribute (inputflinger_30_0) true)
+(expandtypeattribute (inputflinger_exec_30_0) true)
+(expandtypeattribute (inputflinger_service_30_0) true)
+(expandtypeattribute (install_data_file_30_0) true)
+(expandtypeattribute (installd_30_0) true)
+(expandtypeattribute (installd_exec_30_0) true)
+(expandtypeattribute (installd_service_30_0) true)
+(expandtypeattribute (ion_device_30_0) true)
+(expandtypeattribute (iorap_inode2filename_30_0) true)
+(expandtypeattribute (iorap_inode2filename_exec_30_0) true)
+(expandtypeattribute (iorap_inode2filename_tmpfs_30_0) true)
+(expandtypeattribute (iorap_prefetcherd_30_0) true)
+(expandtypeattribute (iorap_prefetcherd_exec_30_0) true)
+(expandtypeattribute (iorap_prefetcherd_tmpfs_30_0) true)
+(expandtypeattribute (iorapd_30_0) true)
+(expandtypeattribute (iorapd_data_file_30_0) true)
+(expandtypeattribute (iorapd_exec_30_0) true)
+(expandtypeattribute (iorapd_service_30_0) true)
+(expandtypeattribute (iorapd_tmpfs_30_0) true)
+(expandtypeattribute (ipsec_service_30_0) true)
+(expandtypeattribute (iris_service_30_0) true)
+(expandtypeattribute (iris_vendor_data_file_30_0) true)
+(expandtypeattribute (isolated_app_30_0) true)
+(expandtypeattribute (jobscheduler_service_30_0) true)
+(expandtypeattribute (kernel_30_0) true)
+(expandtypeattribute (keychain_data_file_30_0) true)
+(expandtypeattribute (keychord_device_30_0) true)
+(expandtypeattribute (keystore_30_0) true)
+(expandtypeattribute (keystore_data_file_30_0) true)
+(expandtypeattribute (keystore_exec_30_0) true)
+(expandtypeattribute (keystore_service_30_0) true)
+(expandtypeattribute (kmsg_debug_device_30_0) true)
+(expandtypeattribute (kmsg_device_30_0) true)
+(expandtypeattribute (labeledfs_30_0) true)
+(expandtypeattribute (last_boot_reason_prop_30_0) true)
+(expandtypeattribute (launcherapps_service_30_0) true)
+(expandtypeattribute (light_service_30_0) true)
+(expandtypeattribute (linkerconfig_file_30_0) true)
+(expandtypeattribute (llkd_30_0) true)
+(expandtypeattribute (llkd_exec_30_0) true)
+(expandtypeattribute (llkd_prop_30_0) true)
+(expandtypeattribute (lmkd_30_0) true)
+(expandtypeattribute (lmkd_exec_30_0) true)
+(expandtypeattribute (lmkd_prop_30_0) true)
+(expandtypeattribute (lmkd_socket_30_0) true)
+(expandtypeattribute (location_service_30_0) true)
+(expandtypeattribute (lock_settings_service_30_0) true)
+(expandtypeattribute (log_prop_30_0) true)
+(expandtypeattribute (log_tag_prop_30_0) true)
+(expandtypeattribute (logcat_exec_30_0) true)
+(expandtypeattribute (logd_30_0) true)
+(expandtypeattribute (logd_exec_30_0) true)
+(expandtypeattribute (logd_prop_30_0) true)
+(expandtypeattribute (logd_socket_30_0) true)
+(expandtypeattribute (logdr_socket_30_0) true)
+(expandtypeattribute (logdw_socket_30_0) true)
+(expandtypeattribute (logpersist_30_0) true)
+(expandtypeattribute (logpersistd_logging_prop_30_0) true)
+(expandtypeattribute (loop_control_device_30_0) true)
+(expandtypeattribute (loop_device_30_0) true)
+(expandtypeattribute (looper_stats_service_30_0) true)
+(expandtypeattribute (lowpan_device_30_0) true)
+(expandtypeattribute (lowpan_prop_30_0) true)
+(expandtypeattribute (lowpan_service_30_0) true)
+(expandtypeattribute (lpdump_service_30_0) true)
+(expandtypeattribute (lpdumpd_prop_30_0) true)
+(expandtypeattribute (mac_perms_file_30_0) true)
+(expandtypeattribute (mdns_socket_30_0) true)
+(expandtypeattribute (mdnsd_30_0) true)
+(expandtypeattribute (mdnsd_socket_30_0) true)
+(expandtypeattribute (media_data_file_30_0) true)
+(expandtypeattribute (media_projection_service_30_0) true)
+(expandtypeattribute (media_router_service_30_0) true)
+(expandtypeattribute (media_rw_data_file_30_0) true)
+(expandtypeattribute (media_session_service_30_0) true)
+(expandtypeattribute (media_variant_prop_30_0) true)
+(expandtypeattribute (mediadrmserver_30_0) true)
+(expandtypeattribute (mediadrmserver_exec_30_0) true)
+(expandtypeattribute (mediadrmserver_service_30_0) true)
+(expandtypeattribute (mediaextractor_30_0) true)
+(expandtypeattribute (mediaextractor_exec_30_0) true)
+(expandtypeattribute (mediaextractor_service_30_0) true)
+(expandtypeattribute (mediaextractor_tmpfs_30_0) true)
+(expandtypeattribute (mediametrics_30_0) true)
+(expandtypeattribute (mediametrics_exec_30_0) true)
+(expandtypeattribute (mediametrics_service_30_0) true)
+(expandtypeattribute (mediaprovider_30_0) true)
+(expandtypeattribute (mediaserver_30_0) true)
+(expandtypeattribute (mediaserver_exec_30_0) true)
+(expandtypeattribute (mediaserver_service_30_0) true)
+(expandtypeattribute (mediaserver_tmpfs_30_0) true)
+(expandtypeattribute (mediaswcodec_30_0) true)
+(expandtypeattribute (mediaswcodec_exec_30_0) true)
+(expandtypeattribute (mediatranscoding_30_0) true)
+(expandtypeattribute (mediatranscoding_exec_30_0) true)
+(expandtypeattribute (mediatranscoding_service_30_0) true)
+(expandtypeattribute (meminfo_service_30_0) true)
+(expandtypeattribute (metadata_block_device_30_0) true)
+(expandtypeattribute (metadata_bootstat_file_30_0) true)
+(expandtypeattribute (metadata_file_30_0) true)
+(expandtypeattribute (method_trace_data_file_30_0) true)
+(expandtypeattribute (midi_service_30_0) true)
+(expandtypeattribute (mirror_data_file_30_0) true)
+(expandtypeattribute (misc_block_device_30_0) true)
+(expandtypeattribute (misc_logd_file_30_0) true)
+(expandtypeattribute (misc_user_data_file_30_0) true)
+(expandtypeattribute (mmc_prop_30_0) true)
+(expandtypeattribute (mnt_expand_file_30_0) true)
+(expandtypeattribute (mnt_media_rw_file_30_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_30_0) true)
+(expandtypeattribute (mnt_pass_through_file_30_0) true)
+(expandtypeattribute (mnt_product_file_30_0) true)
+(expandtypeattribute (mnt_sdcard_file_30_0) true)
+(expandtypeattribute (mnt_user_file_30_0) true)
+(expandtypeattribute (mnt_vendor_file_30_0) true)
+(expandtypeattribute (mock_ota_prop_30_0) true)
+(expandtypeattribute (modprobe_30_0) true)
+(expandtypeattribute (module_sdkextensions_prop_30_0) true)
+(expandtypeattribute (mount_service_30_0) true)
+(expandtypeattribute (mqueue_30_0) true)
+(expandtypeattribute (mtp_30_0) true)
+(expandtypeattribute (mtp_device_30_0) true)
+(expandtypeattribute (mtp_exec_30_0) true)
+(expandtypeattribute (mtpd_socket_30_0) true)
+(expandtypeattribute (nativetest_data_file_30_0) true)
+(expandtypeattribute (net_data_file_30_0) true)
+(expandtypeattribute (net_dns_prop_30_0) true)
+(expandtypeattribute (net_radio_prop_30_0) true)
+(expandtypeattribute (netd_30_0) true)
+(expandtypeattribute (netd_exec_30_0) true)
+(expandtypeattribute (netd_listener_service_30_0) true)
+(expandtypeattribute (netd_service_30_0) true)
+(expandtypeattribute (netd_stable_secret_prop_30_0) true)
+(expandtypeattribute (netif_30_0) true)
+(expandtypeattribute (netpolicy_service_30_0) true)
+(expandtypeattribute (netstats_service_30_0) true)
+(expandtypeattribute (netutils_wrapper_30_0) true)
+(expandtypeattribute (netutils_wrapper_exec_30_0) true)
+(expandtypeattribute (network_management_service_30_0) true)
+(expandtypeattribute (network_score_service_30_0) true)
+(expandtypeattribute (network_stack_30_0) true)
+(expandtypeattribute (network_stack_service_30_0) true)
+(expandtypeattribute (network_time_update_service_30_0) true)
+(expandtypeattribute (network_watchlist_data_file_30_0) true)
+(expandtypeattribute (network_watchlist_service_30_0) true)
+(expandtypeattribute (nfc_30_0) true)
+(expandtypeattribute (nfc_data_file_30_0) true)
+(expandtypeattribute (nfc_device_30_0) true)
+(expandtypeattribute (nfc_prop_30_0) true)
+(expandtypeattribute (nfc_service_30_0) true)
+(expandtypeattribute (nnapi_ext_deny_product_prop_30_0) true)
+(expandtypeattribute (node_30_0) true)
+(expandtypeattribute (nonplat_service_contexts_file_30_0) true)
+(expandtypeattribute (notification_service_30_0) true)
+(expandtypeattribute (null_device_30_0) true)
+(expandtypeattribute (oem_lock_service_30_0) true)
+(expandtypeattribute (oemfs_30_0) true)
+(expandtypeattribute (ota_data_file_30_0) true)
+(expandtypeattribute (ota_metadata_file_30_0) true)
+(expandtypeattribute (ota_package_file_30_0) true)
+(expandtypeattribute (ota_prop_30_0) true)
+(expandtypeattribute (otadexopt_service_30_0) true)
+(expandtypeattribute (overlay_prop_30_0) true)
+(expandtypeattribute (overlay_service_30_0) true)
+(expandtypeattribute (overlayfs_file_30_0) true)
+(expandtypeattribute (owntty_device_30_0) true)
+(expandtypeattribute (package_native_service_30_0) true)
+(expandtypeattribute (package_service_30_0) true)
+(expandtypeattribute (packages_list_file_30_0) true)
+(expandtypeattribute (pan_result_prop_30_0) true)
+(expandtypeattribute (password_slot_metadata_file_30_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_30_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_30_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_30_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_display_dir_30_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_30_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_30_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_30_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_30_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_performance_dir_30_0) true)
+(expandtypeattribute (perfetto_30_0) true)
+(expandtypeattribute (performanced_30_0) true)
+(expandtypeattribute (performanced_exec_30_0) true)
+(expandtypeattribute (permission_service_30_0) true)
+(expandtypeattribute (permissionmgr_service_30_0) true)
+(expandtypeattribute (persist_debug_prop_30_0) true)
+(expandtypeattribute (persistent_data_block_service_30_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_30_0) true)
+(expandtypeattribute (pinner_service_30_0) true)
+(expandtypeattribute (pipefs_30_0) true)
+(expandtypeattribute (platform_app_30_0) true)
+(expandtypeattribute (platform_compat_service_30_0) true)
+(expandtypeattribute (pm_prop_30_0) true)
+(expandtypeattribute (pmsg_device_30_0) true)
+(expandtypeattribute (port_30_0) true)
+(expandtypeattribute (port_device_30_0) true)
+(expandtypeattribute (postinstall_30_0) true)
+(expandtypeattribute (postinstall_apex_mnt_dir_30_0) true)
+(expandtypeattribute (postinstall_file_30_0) true)
+(expandtypeattribute (postinstall_mnt_dir_30_0) true)
+(expandtypeattribute (power_service_30_0) true)
+(expandtypeattribute (powerctl_prop_30_0) true)
+(expandtypeattribute (ppp_30_0) true)
+(expandtypeattribute (ppp_device_30_0) true)
+(expandtypeattribute (ppp_exec_30_0) true)
+(expandtypeattribute (preloads_data_file_30_0) true)
+(expandtypeattribute (preloads_media_file_30_0) true)
+(expandtypeattribute (prereboot_data_file_30_0) true)
+(expandtypeattribute (print_service_30_0) true)
+(expandtypeattribute (priv_app_30_0) true)
+(expandtypeattribute (privapp_data_file_30_0) true)
+(expandtypeattribute (proc_30_0) true)
+(expandtypeattribute (proc_abi_30_0) true)
+(expandtypeattribute (proc_asound_30_0) true)
+(expandtypeattribute (proc_bluetooth_writable_30_0) true)
+(expandtypeattribute (proc_buddyinfo_30_0) true)
+(expandtypeattribute (proc_cmdline_30_0) true)
+(expandtypeattribute (proc_cpuinfo_30_0) true)
+(expandtypeattribute (proc_dirty_30_0) true)
+(expandtypeattribute (proc_diskstats_30_0) true)
+(expandtypeattribute (proc_drop_caches_30_0) true)
+(expandtypeattribute (proc_extra_free_kbytes_30_0) true)
+(expandtypeattribute (proc_filesystems_30_0) true)
+(expandtypeattribute (proc_fs_verity_30_0) true)
+(expandtypeattribute (proc_hostname_30_0) true)
+(expandtypeattribute (proc_hung_task_30_0) true)
+(expandtypeattribute (proc_interrupts_30_0) true)
+(expandtypeattribute (proc_iomem_30_0) true)
+(expandtypeattribute (proc_keys_30_0) true)
+(expandtypeattribute (proc_kmsg_30_0) true)
+(expandtypeattribute (proc_kpageflags_30_0) true)
+(expandtypeattribute (proc_loadavg_30_0) true)
+(expandtypeattribute (proc_lowmemorykiller_30_0) true)
+(expandtypeattribute (proc_max_map_count_30_0) true)
+(expandtypeattribute (proc_meminfo_30_0) true)
+(expandtypeattribute (proc_min_free_order_shift_30_0) true)
+(expandtypeattribute (proc_misc_30_0) true)
+(expandtypeattribute (proc_modules_30_0) true)
+(expandtypeattribute (proc_mounts_30_0) true)
+(expandtypeattribute (proc_net_30_0) true)
+(expandtypeattribute (proc_net_tcp_udp_30_0) true)
+(expandtypeattribute (proc_overcommit_memory_30_0) true)
+(expandtypeattribute (proc_page_cluster_30_0) true)
+(expandtypeattribute (proc_pagetypeinfo_30_0) true)
+(expandtypeattribute (proc_panic_30_0) true)
+(expandtypeattribute (proc_perf_30_0) true)
+(expandtypeattribute (proc_pid_max_30_0) true)
+(expandtypeattribute (proc_pipe_conf_30_0) true)
+(expandtypeattribute (proc_pressure_cpu_30_0) true)
+(expandtypeattribute (proc_pressure_io_30_0) true)
+(expandtypeattribute (proc_pressure_mem_30_0) true)
+(expandtypeattribute (proc_qtaguid_ctrl_30_0) true)
+(expandtypeattribute (proc_qtaguid_stat_30_0) true)
+(expandtypeattribute (proc_random_30_0) true)
+(expandtypeattribute (proc_sched_30_0) true)
+(expandtypeattribute (proc_security_30_0) true)
+(expandtypeattribute (proc_slabinfo_30_0) true)
+(expandtypeattribute (proc_stat_30_0) true)
+(expandtypeattribute (proc_swaps_30_0) true)
+(expandtypeattribute (proc_sysrq_30_0) true)
+(expandtypeattribute (proc_timer_30_0) true)
+(expandtypeattribute (proc_tty_drivers_30_0) true)
+(expandtypeattribute (proc_uid_concurrent_active_time_30_0) true)
+(expandtypeattribute (proc_uid_concurrent_policy_time_30_0) true)
+(expandtypeattribute (proc_uid_cpupower_30_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_30_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_30_0) true)
+(expandtypeattribute (proc_uid_io_stats_30_0) true)
+(expandtypeattribute (proc_uid_procstat_set_30_0) true)
+(expandtypeattribute (proc_uid_time_in_state_30_0) true)
+(expandtypeattribute (proc_uptime_30_0) true)
+(expandtypeattribute (proc_version_30_0) true)
+(expandtypeattribute (proc_vmallocinfo_30_0) true)
+(expandtypeattribute (proc_vmstat_30_0) true)
+(expandtypeattribute (proc_zoneinfo_30_0) true)
+(expandtypeattribute (processinfo_service_30_0) true)
+(expandtypeattribute (procstats_service_30_0) true)
+(expandtypeattribute (profman_30_0) true)
+(expandtypeattribute (profman_dump_data_file_30_0) true)
+(expandtypeattribute (profman_exec_30_0) true)
+(expandtypeattribute (properties_device_30_0) true)
+(expandtypeattribute (properties_serial_30_0) true)
+(expandtypeattribute (property_contexts_file_30_0) true)
+(expandtypeattribute (property_data_file_30_0) true)
+(expandtypeattribute (property_info_30_0) true)
+(expandtypeattribute (property_socket_30_0) true)
+(expandtypeattribute (pstorefs_30_0) true)
+(expandtypeattribute (ptmx_device_30_0) true)
+(expandtypeattribute (qtaguid_device_30_0) true)
+(expandtypeattribute (racoon_30_0) true)
+(expandtypeattribute (racoon_exec_30_0) true)
+(expandtypeattribute (racoon_socket_30_0) true)
+(expandtypeattribute (radio_30_0) true)
+(expandtypeattribute (radio_data_file_30_0) true)
+(expandtypeattribute (radio_device_30_0) true)
+(expandtypeattribute (radio_prop_30_0) true)
+(expandtypeattribute (radio_service_30_0) true)
+(expandtypeattribute (ram_device_30_0) true)
+(expandtypeattribute (random_device_30_0) true)
+(expandtypeattribute (rebootescrow_hal_prop_30_0) true)
+(expandtypeattribute (recovery_30_0) true)
+(expandtypeattribute (recovery_block_device_30_0) true)
+(expandtypeattribute (recovery_data_file_30_0) true)
+(expandtypeattribute (recovery_persist_30_0) true)
+(expandtypeattribute (recovery_persist_exec_30_0) true)
+(expandtypeattribute (recovery_refresh_30_0) true)
+(expandtypeattribute (recovery_refresh_exec_30_0) true)
+(expandtypeattribute (recovery_service_30_0) true)
+(expandtypeattribute (recovery_socket_30_0) true)
+(expandtypeattribute (registry_service_30_0) true)
+(expandtypeattribute (resourcecache_data_file_30_0) true)
+(expandtypeattribute (restorecon_prop_30_0) true)
+(expandtypeattribute (restrictions_service_30_0) true)
+(expandtypeattribute (rild_debug_socket_30_0) true)
+(expandtypeattribute (rild_socket_30_0) true)
+(expandtypeattribute (ringtone_file_30_0) true)
+(expandtypeattribute (role_service_30_0) true)
+(expandtypeattribute (rollback_service_30_0) true)
+(expandtypeattribute (root_block_device_30_0) true)
+(expandtypeattribute (rootfs_30_0) true)
+(expandtypeattribute (rpmsg_device_30_0) true)
+(expandtypeattribute (rs_30_0) true)
+(expandtypeattribute (rs_exec_30_0) true)
+(expandtypeattribute (rss_hwm_reset_30_0) true)
+(expandtypeattribute (rtc_device_30_0) true)
+(expandtypeattribute (rttmanager_service_30_0) true)
+(expandtypeattribute (runas_30_0) true)
+(expandtypeattribute (runas_app_30_0) true)
+(expandtypeattribute (runas_exec_30_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_30_0) true)
+(expandtypeattribute (runtime_service_30_0) true)
+(expandtypeattribute (safemode_prop_30_0) true)
+(expandtypeattribute (same_process_hal_file_30_0) true)
+(expandtypeattribute (samplingprofiler_service_30_0) true)
+(expandtypeattribute (scheduling_policy_service_30_0) true)
+(expandtypeattribute (sdcard_block_device_30_0) true)
+(expandtypeattribute (sdcardd_30_0) true)
+(expandtypeattribute (sdcardd_exec_30_0) true)
+(expandtypeattribute (sdcardfs_30_0) true)
+(expandtypeattribute (seapp_contexts_file_30_0) true)
+(expandtypeattribute (search_service_30_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_30_0) true)
+(expandtypeattribute (secure_element_30_0) true)
+(expandtypeattribute (secure_element_device_30_0) true)
+(expandtypeattribute (secure_element_service_30_0) true)
+(expandtypeattribute (securityfs_30_0) true)
+(expandtypeattribute (selinuxfs_30_0) true)
+(expandtypeattribute (sensor_privacy_service_30_0) true)
+(expandtypeattribute (sensors_device_30_0) true)
+(expandtypeattribute (sensorservice_service_30_0) true)
+(expandtypeattribute (sepolicy_file_30_0) true)
+(expandtypeattribute (serial_device_30_0) true)
+(expandtypeattribute (serial_service_30_0) true)
+(expandtypeattribute (serialno_prop_30_0) true)
+(expandtypeattribute (server_configurable_flags_data_file_30_0) true)
+(expandtypeattribute (service_contexts_file_30_0) true)
+(expandtypeattribute (service_manager_service_30_0) true)
+(expandtypeattribute (service_manager_vndservice_30_0) true)
+(expandtypeattribute (servicediscovery_service_30_0) true)
+(expandtypeattribute (servicemanager_30_0) true)
+(expandtypeattribute (servicemanager_exec_30_0) true)
+(expandtypeattribute (settings_service_30_0) true)
+(expandtypeattribute (sgdisk_30_0) true)
+(expandtypeattribute (sgdisk_exec_30_0) true)
+(expandtypeattribute (shared_relro_30_0) true)
+(expandtypeattribute (shared_relro_file_30_0) true)
+(expandtypeattribute (shell_30_0) true)
+(expandtypeattribute (shell_data_file_30_0) true)
+(expandtypeattribute (shell_exec_30_0) true)
+(expandtypeattribute (shell_prop_30_0) true)
+(expandtypeattribute (shm_30_0) true)
+(expandtypeattribute (shortcut_manager_icons_30_0) true)
+(expandtypeattribute (shortcut_service_30_0) true)
+(expandtypeattribute (simpleperf_30_0) true)
+(expandtypeattribute (simpleperf_app_runner_30_0) true)
+(expandtypeattribute (simpleperf_app_runner_exec_30_0) true)
+(expandtypeattribute (slice_service_30_0) true)
+(expandtypeattribute (slideshow_30_0) true)
+(expandtypeattribute (snapshotctl_log_data_file_30_0) true)
+(expandtypeattribute (socket_device_30_0) true)
+(expandtypeattribute (socket_hook_prop_30_0) true)
+(expandtypeattribute (sockfs_30_0) true)
+(expandtypeattribute (sota_prop_30_0) true)
+(expandtypeattribute (soundtrigger_middleware_service_30_0) true)
+(expandtypeattribute (staging_data_file_30_0) true)
+(expandtypeattribute (stats_data_file_30_0) true)
+(expandtypeattribute (statsd_30_0) true)
+(expandtypeattribute (statsd_exec_30_0) true)
+(expandtypeattribute (statsdw_socket_30_0) true)
+(expandtypeattribute (statusbar_service_30_0) true)
+(expandtypeattribute (storage_config_prop_30_0) true)
+(expandtypeattribute (storage_file_30_0) true)
+(expandtypeattribute (storage_stub_file_30_0) true)
+(expandtypeattribute (storaged_service_30_0) true)
+(expandtypeattribute (storagestats_service_30_0) true)
+(expandtypeattribute (su_30_0) true)
+(expandtypeattribute (su_exec_30_0) true)
+(expandtypeattribute (super_block_device_30_0) true)
+(expandtypeattribute (surfaceflinger_30_0) true)
+(expandtypeattribute (surfaceflinger_service_30_0) true)
+(expandtypeattribute (surfaceflinger_tmpfs_30_0) true)
+(expandtypeattribute (swap_block_device_30_0) true)
+(expandtypeattribute (sysfs_30_0) true)
+(expandtypeattribute (sysfs_android_usb_30_0) true)
+(expandtypeattribute (sysfs_batteryinfo_30_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_30_0) true)
+(expandtypeattribute (sysfs_devices_block_30_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_30_0) true)
+(expandtypeattribute (sysfs_dm_30_0) true)
+(expandtypeattribute (sysfs_dm_verity_30_0) true)
+(expandtypeattribute (sysfs_dt_firmware_android_30_0) true)
+(expandtypeattribute (sysfs_extcon_30_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_30_0) true)
+(expandtypeattribute (sysfs_fs_f2fs_30_0) true)
+(expandtypeattribute (sysfs_hwrandom_30_0) true)
+(expandtypeattribute (sysfs_ion_30_0) true)
+(expandtypeattribute (sysfs_ipv4_30_0) true)
+(expandtypeattribute (sysfs_kernel_notes_30_0) true)
+(expandtypeattribute (sysfs_leds_30_0) true)
+(expandtypeattribute (sysfs_loop_30_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_30_0) true)
+(expandtypeattribute (sysfs_net_30_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_30_0) true)
+(expandtypeattribute (sysfs_power_30_0) true)
+(expandtypeattribute (sysfs_rtc_30_0) true)
+(expandtypeattribute (sysfs_suspend_stats_30_0) true)
+(expandtypeattribute (sysfs_switch_30_0) true)
+(expandtypeattribute (sysfs_thermal_30_0) true)
+(expandtypeattribute (sysfs_transparent_hugepage_30_0) true)
+(expandtypeattribute (sysfs_uio_30_0) true)
+(expandtypeattribute (sysfs_usb_30_0) true)
+(expandtypeattribute (sysfs_usermodehelper_30_0) true)
+(expandtypeattribute (sysfs_vibrator_30_0) true)
+(expandtypeattribute (sysfs_wake_lock_30_0) true)
+(expandtypeattribute (sysfs_wakeup_30_0) true)
+(expandtypeattribute (sysfs_wakeup_reasons_30_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_30_0) true)
+(expandtypeattribute (sysfs_zram_30_0) true)
+(expandtypeattribute (sysfs_zram_uevent_30_0) true)
+(expandtypeattribute (system_adbd_prop_30_0) true)
+(expandtypeattribute (system_app_30_0) true)
+(expandtypeattribute (system_app_data_file_30_0) true)
+(expandtypeattribute (system_app_service_30_0) true)
+(expandtypeattribute (system_asan_options_file_30_0) true)
+(expandtypeattribute (system_block_device_30_0) true)
+(expandtypeattribute (system_boot_reason_prop_30_0) true)
+(expandtypeattribute (system_bootstrap_lib_file_30_0) true)
+(expandtypeattribute (system_config_service_30_0) true)
+(expandtypeattribute (system_data_file_30_0) true)
+(expandtypeattribute (system_data_root_file_30_0) true)
+(expandtypeattribute (system_event_log_tags_file_30_0) true)
+(expandtypeattribute (system_file_30_0) true)
+(expandtypeattribute (system_group_file_30_0) true)
+(expandtypeattribute (system_jvmti_agent_prop_30_0) true)
+(expandtypeattribute (system_lib_file_30_0) true)
+(expandtypeattribute (system_linker_config_file_30_0) true)
+(expandtypeattribute (system_linker_exec_30_0) true)
+(expandtypeattribute (system_lmk_prop_30_0) true)
+(expandtypeattribute (system_ndebug_socket_30_0) true)
+(expandtypeattribute (system_net_netd_hwservice_30_0) true)
+(expandtypeattribute (system_passwd_file_30_0) true)
+(expandtypeattribute (system_prop_30_0) true)
+(expandtypeattribute (system_radio_prop_30_0) true)
+(expandtypeattribute (system_seccomp_policy_file_30_0) true)
+(expandtypeattribute (system_security_cacerts_file_30_0) true)
+(expandtypeattribute (system_server_30_0) true)
+(expandtypeattribute (system_server_tmpfs_30_0) true)
+(expandtypeattribute (system_suspend_control_service_30_0) true)
+(expandtypeattribute (system_suspend_hwservice_30_0) true)
+(expandtypeattribute (system_trace_prop_30_0) true)
+(expandtypeattribute (system_unsolzygote_socket_30_0) true)
+(expandtypeattribute (system_update_service_30_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_30_0) true)
+(expandtypeattribute (system_wpa_socket_30_0) true)
+(expandtypeattribute (system_zoneinfo_file_30_0) true)
+(expandtypeattribute (systemkeys_data_file_30_0) true)
+(expandtypeattribute (task_profiles_file_30_0) true)
+(expandtypeattribute (task_service_30_0) true)
+(expandtypeattribute (tcpdump_exec_30_0) true)
+(expandtypeattribute (tee_30_0) true)
+(expandtypeattribute (tee_data_file_30_0) true)
+(expandtypeattribute (tee_device_30_0) true)
+(expandtypeattribute (telecom_service_30_0) true)
+(expandtypeattribute (test_boot_reason_prop_30_0) true)
+(expandtypeattribute (test_harness_prop_30_0) true)
+(expandtypeattribute (testharness_service_30_0) true)
+(expandtypeattribute (tethering_service_30_0) true)
+(expandtypeattribute (textclassification_service_30_0) true)
+(expandtypeattribute (textclassifier_data_file_30_0) true)
+(expandtypeattribute (textservices_service_30_0) true)
+(expandtypeattribute (theme_prop_30_0) true)
+(expandtypeattribute (thermal_service_30_0) true)
+(expandtypeattribute (thermalcallback_hwservice_30_0) true)
+(expandtypeattribute (time_prop_30_0) true)
+(expandtypeattribute (timedetector_service_30_0) true)
+(expandtypeattribute (timezone_service_30_0) true)
+(expandtypeattribute (timezonedetector_service_30_0) true)
+(expandtypeattribute (tmpfs_30_0) true)
+(expandtypeattribute (tombstone_data_file_30_0) true)
+(expandtypeattribute (tombstone_wifi_data_file_30_0) true)
+(expandtypeattribute (tombstoned_30_0) true)
+(expandtypeattribute (tombstoned_crash_socket_30_0) true)
+(expandtypeattribute (tombstoned_exec_30_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_30_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_30_0) true)
+(expandtypeattribute (toolbox_30_0) true)
+(expandtypeattribute (toolbox_exec_30_0) true)
+(expandtypeattribute (trace_data_file_30_0) true)
+(expandtypeattribute (traced_30_0) true)
+(expandtypeattribute (traced_consumer_socket_30_0) true)
+(expandtypeattribute (traced_enabled_prop_30_0) true)
+(expandtypeattribute (traced_lazy_prop_30_0) true)
+(expandtypeattribute (traced_perf_30_0) true)
+(expandtypeattribute (traced_perf_enabled_prop_30_0) true)
+(expandtypeattribute (traced_perf_socket_30_0) true)
+(expandtypeattribute (traced_probes_30_0) true)
+(expandtypeattribute (traced_producer_socket_30_0) true)
+(expandtypeattribute (traceur_app_30_0) true)
+(expandtypeattribute (trust_service_30_0) true)
+(expandtypeattribute (tty_device_30_0) true)
+(expandtypeattribute (tun_device_30_0) true)
+(expandtypeattribute (tv_input_service_30_0) true)
+(expandtypeattribute (tv_tuner_resource_mgr_service_30_0) true)
+(expandtypeattribute (tzdatacheck_30_0) true)
+(expandtypeattribute (tzdatacheck_exec_30_0) true)
+(expandtypeattribute (ueventd_30_0) true)
+(expandtypeattribute (ueventd_tmpfs_30_0) true)
+(expandtypeattribute (uhid_device_30_0) true)
+(expandtypeattribute (uimode_service_30_0) true)
+(expandtypeattribute (uio_device_30_0) true)
+(expandtypeattribute (uncrypt_30_0) true)
+(expandtypeattribute (uncrypt_exec_30_0) true)
+(expandtypeattribute (uncrypt_socket_30_0) true)
+(expandtypeattribute (unencrypted_data_file_30_0) true)
+(expandtypeattribute (unlabeled_30_0) true)
+(expandtypeattribute (untrusted_app_25_30_0) true)
+(expandtypeattribute (untrusted_app_27_30_0) true)
+(expandtypeattribute (untrusted_app_29_30_0) true)
+(expandtypeattribute (untrusted_app_30_0) true)
+(expandtypeattribute (update_engine_30_0) true)
+(expandtypeattribute (update_engine_data_file_30_0) true)
+(expandtypeattribute (update_engine_exec_30_0) true)
+(expandtypeattribute (update_engine_log_data_file_30_0) true)
+(expandtypeattribute (update_engine_service_30_0) true)
+(expandtypeattribute (update_verifier_30_0) true)
+(expandtypeattribute (update_verifier_exec_30_0) true)
+(expandtypeattribute (updatelock_service_30_0) true)
+(expandtypeattribute (uri_grants_service_30_0) true)
+(expandtypeattribute (usagestats_service_30_0) true)
+(expandtypeattribute (usb_device_30_0) true)
+(expandtypeattribute (usb_serial_device_30_0) true)
+(expandtypeattribute (usb_service_30_0) true)
+(expandtypeattribute (usbaccessory_device_30_0) true)
+(expandtypeattribute (usbd_30_0) true)
+(expandtypeattribute (usbd_exec_30_0) true)
+(expandtypeattribute (usbfs_30_0) true)
+(expandtypeattribute (use_memfd_prop_30_0) true)
+(expandtypeattribute (user_profile_data_file_30_0) true)
+(expandtypeattribute (user_service_30_0) true)
+(expandtypeattribute (userdata_block_device_30_0) true)
+(expandtypeattribute (usermodehelper_30_0) true)
+(expandtypeattribute (userspace_reboot_config_prop_30_0) true)
+(expandtypeattribute (userspace_reboot_exported_prop_30_0) true)
+(expandtypeattribute (userspace_reboot_log_prop_30_0) true)
+(expandtypeattribute (userspace_reboot_test_prop_30_0) true)
+(expandtypeattribute (vdc_30_0) true)
+(expandtypeattribute (vdc_exec_30_0) true)
+(expandtypeattribute (vehicle_hal_prop_30_0) true)
+(expandtypeattribute (vendor_apex_file_30_0) true)
+(expandtypeattribute (vendor_app_file_30_0) true)
+(expandtypeattribute (vendor_cgroup_desc_file_30_0) true)
+(expandtypeattribute (vendor_configs_file_30_0) true)
+(expandtypeattribute (vendor_data_file_30_0) true)
+(expandtypeattribute (vendor_default_prop_30_0) true)
+(expandtypeattribute (vendor_file_30_0) true)
+(expandtypeattribute (vendor_framework_file_30_0) true)
+(expandtypeattribute (vendor_hal_file_30_0) true)
+(expandtypeattribute (vendor_idc_file_30_0) true)
+(expandtypeattribute (vendor_init_30_0) true)
+(expandtypeattribute (vendor_keychars_file_30_0) true)
+(expandtypeattribute (vendor_keylayout_file_30_0) true)
+(expandtypeattribute (vendor_misc_writer_30_0) true)
+(expandtypeattribute (vendor_misc_writer_exec_30_0) true)
+(expandtypeattribute (vendor_overlay_file_30_0) true)
+(expandtypeattribute (vendor_public_lib_file_30_0) true)
+(expandtypeattribute (vendor_security_patch_level_prop_30_0) true)
+(expandtypeattribute (vendor_shell_30_0) true)
+(expandtypeattribute (vendor_shell_exec_30_0) true)
+(expandtypeattribute (vendor_socket_hook_prop_30_0) true)
+(expandtypeattribute (vendor_task_profiles_file_30_0) true)
+(expandtypeattribute (vendor_toolbox_exec_30_0) true)
+(expandtypeattribute (vfat_30_0) true)
+(expandtypeattribute (vibrator_service_30_0) true)
+(expandtypeattribute (video_device_30_0) true)
+(expandtypeattribute (virtual_ab_prop_30_0) true)
+(expandtypeattribute (virtual_touchpad_30_0) true)
+(expandtypeattribute (virtual_touchpad_exec_30_0) true)
+(expandtypeattribute (virtual_touchpad_service_30_0) true)
+(expandtypeattribute (vndbinder_device_30_0) true)
+(expandtypeattribute (vndk_prop_30_0) true)
+(expandtypeattribute (vndk_sp_file_30_0) true)
+(expandtypeattribute (vndservice_contexts_file_30_0) true)
+(expandtypeattribute (vndservicemanager_30_0) true)
+(expandtypeattribute (voiceinteraction_service_30_0) true)
+(expandtypeattribute (vold_30_0) true)
+(expandtypeattribute (vold_data_file_30_0) true)
+(expandtypeattribute (vold_device_30_0) true)
+(expandtypeattribute (vold_exec_30_0) true)
+(expandtypeattribute (vold_metadata_file_30_0) true)
+(expandtypeattribute (vold_prepare_subdirs_30_0) true)
+(expandtypeattribute (vold_prepare_subdirs_exec_30_0) true)
+(expandtypeattribute (vold_prop_30_0) true)
+(expandtypeattribute (vold_service_30_0) true)
+(expandtypeattribute (vpn_data_file_30_0) true)
+(expandtypeattribute (vr_hwc_30_0) true)
+(expandtypeattribute (vr_hwc_exec_30_0) true)
+(expandtypeattribute (vr_hwc_service_30_0) true)
+(expandtypeattribute (vr_manager_service_30_0) true)
+(expandtypeattribute (vrflinger_vsync_service_30_0) true)
+(expandtypeattribute (wallpaper_file_30_0) true)
+(expandtypeattribute (wallpaper_service_30_0) true)
+(expandtypeattribute (watchdog_device_30_0) true)
+(expandtypeattribute (watchdogd_30_0) true)
+(expandtypeattribute (watchdogd_exec_30_0) true)
+(expandtypeattribute (webview_zygote_30_0) true)
+(expandtypeattribute (webview_zygote_exec_30_0) true)
+(expandtypeattribute (webview_zygote_tmpfs_30_0) true)
+(expandtypeattribute (webviewupdate_service_30_0) true)
+(expandtypeattribute (wifi_data_file_30_0) true)
+(expandtypeattribute (wifi_log_prop_30_0) true)
+(expandtypeattribute (wifi_prop_30_0) true)
+(expandtypeattribute (wifi_service_30_0) true)
+(expandtypeattribute (wifiaware_service_30_0) true)
+(expandtypeattribute (wificond_30_0) true)
+(expandtypeattribute (wificond_exec_30_0) true)
+(expandtypeattribute (wifinl80211_service_30_0) true)
+(expandtypeattribute (wifip2p_service_30_0) true)
+(expandtypeattribute (wifiscanner_service_30_0) true)
+(expandtypeattribute (window_service_30_0) true)
+(expandtypeattribute (wpa_socket_30_0) true)
+(expandtypeattribute (wpantund_30_0) true)
+(expandtypeattribute (wpantund_exec_30_0) true)
+(expandtypeattribute (wpantund_service_30_0) true)
+(expandtypeattribute (zero_device_30_0) true)
+(expandtypeattribute (zoneinfo_data_file_30_0) true)
+(expandtypeattribute (zygote_30_0) true)
+(expandtypeattribute (zygote_exec_30_0) true)
+(expandtypeattribute (zygote_socket_30_0) true)
+(expandtypeattribute (zygote_tmpfs_30_0) true)
+(typeattributeset DockObserver_service_30_0 (DockObserver_service))
+(typeattributeset IProxyService_service_30_0 (IProxyService_service))
+(typeattributeset accessibility_service_30_0 (accessibility_service))
+(typeattributeset account_service_30_0 (account_service))
+(typeattributeset activity_service_30_0 (activity_service))
+(typeattributeset activity_task_service_30_0 (activity_task_service))
+(typeattributeset adb_data_file_30_0 (adb_data_file))
+(typeattributeset adb_keys_file_30_0 (adb_keys_file))
+(typeattributeset adb_service_30_0 (adb_service))
+(typeattributeset adbd_30_0 (adbd))
+(typeattributeset adbd_exec_30_0 (adbd_exec))
+(typeattributeset adbd_prop_30_0 (adbd_prop))
+(typeattributeset adbd_socket_30_0 (adbd_socket))
+(typeattributeset aidl_lazy_test_server_30_0 (aidl_lazy_test_server))
+(typeattributeset aidl_lazy_test_server_exec_30_0 (aidl_lazy_test_server_exec))
+(typeattributeset aidl_lazy_test_service_30_0 (aidl_lazy_test_service))
+(typeattributeset alarm_service_30_0 (alarm_service))
+(typeattributeset anr_data_file_30_0 (anr_data_file))
+(typeattributeset apex_data_file_30_0 (apex_data_file))
+(typeattributeset apex_metadata_file_30_0 (apex_metadata_file))
+(typeattributeset apex_mnt_dir_30_0 (apex_mnt_dir))
+(typeattributeset apex_module_data_file_30_0 (apex_module_data_file))
+(typeattributeset apex_permission_data_file_30_0 (apex_permission_data_file))
+(typeattributeset apex_rollback_data_file_30_0 (apex_rollback_data_file))
+(typeattributeset apex_service_30_0 (apex_service))
+(typeattributeset apex_wifi_data_file_30_0 (apex_wifi_data_file))
+(typeattributeset apexd_30_0 (apexd))
+(typeattributeset apexd_exec_30_0 (apexd_exec))
+(typeattributeset apexd_prop_30_0 (apexd_prop))
+(typeattributeset apk_data_file_30_0 (apk_data_file))
+(typeattributeset apk_private_data_file_30_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_30_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_30_0 (apk_tmp_file))
+(typeattributeset apk_verity_prop_30_0 (apk_verity_prop))
+(typeattributeset app_binding_service_30_0 (app_binding_service))
+(typeattributeset app_data_file_30_0 (app_data_file))
+(typeattributeset app_fuse_file_30_0 (app_fuse_file))
+(typeattributeset app_fusefs_30_0 (app_fusefs))
+(typeattributeset app_integrity_service_30_0 (app_integrity_service))
+(typeattributeset app_prediction_service_30_0 (app_prediction_service))
+(typeattributeset app_search_service_30_0 (app_search_service))
+(typeattributeset app_zygote_30_0 (app_zygote))
+(typeattributeset app_zygote_tmpfs_30_0 (app_zygote_tmpfs))
+(typeattributeset appdomain_tmpfs_30_0 (appdomain_tmpfs))
+(typeattributeset appops_service_30_0 (appops_service))
+(typeattributeset appwidget_service_30_0 (appwidget_service))
+(typeattributeset art_apex_dir_30_0 (art_apex_dir))
+(typeattributeset asec_apk_file_30_0 (asec_apk_file))
+(typeattributeset asec_image_file_30_0 (asec_image_file))
+(typeattributeset asec_public_file_30_0 (asec_public_file))
+(typeattributeset ashmem_device_30_0 (ashmem_device))
+(typeattributeset ashmem_libcutils_device_30_0 (ashmem_libcutils_device))
+(typeattributeset assetatlas_service_30_0 (assetatlas_service))
+(typeattributeset audio_data_file_30_0 (audio_data_file))
+(typeattributeset audio_device_30_0 (audio_device))
+(typeattributeset audio_prop_30_0 (audio_prop))
+(typeattributeset audio_service_30_0 (audio_service))
+(typeattributeset audiohal_data_file_30_0 (audiohal_data_file))
+(typeattributeset audioserver_30_0 (audioserver))
+(typeattributeset audioserver_data_file_30_0 (audioserver_data_file))
+(typeattributeset audioserver_service_30_0 (audioserver_service))
+(typeattributeset audioserver_tmpfs_30_0 (audioserver_tmpfs))
+(typeattributeset auth_service_30_0 (auth_service))
+(typeattributeset autofill_service_30_0 (autofill_service))
+(typeattributeset backup_data_file_30_0 (backup_data_file))
+(typeattributeset backup_service_30_0 (backup_service))
+(typeattributeset battery_service_30_0 (battery_service))
+(typeattributeset batteryproperties_service_30_0 (batteryproperties_service))
+(typeattributeset batterystats_service_30_0 (batterystats_service))
+(typeattributeset binder_cache_bluetooth_server_prop_30_0 (binder_cache_bluetooth_server_prop))
+(typeattributeset binder_cache_system_server_prop_30_0 (binder_cache_system_server_prop))
+(typeattributeset binder_cache_telephony_server_prop_30_0 (binder_cache_telephony_server_prop))
+(typeattributeset binder_calls_stats_service_30_0 (binder_calls_stats_service))
+(typeattributeset binder_device_30_0 (binder_device))
+(typeattributeset binderfs_30_0 (binderfs))
+(typeattributeset binderfs_logs_30_0 (binderfs_logs))
+(typeattributeset binderfs_logs_proc_30_0 (binderfs_logs_proc))
+(typeattributeset binfmt_miscfs_30_0 (binfmt_miscfs))
+(typeattributeset biometric_service_30_0 (biometric_service))
+(typeattributeset blkid_30_0 (blkid))
+(typeattributeset blkid_untrusted_30_0 (blkid_untrusted))
+(typeattributeset blob_store_service_30_0 (blob_store_service))
+(typeattributeset block_device_30_0 (block_device))
+(typeattributeset bluetooth_30_0 (bluetooth))
+(typeattributeset bluetooth_a2dp_offload_prop_30_0 (bluetooth_a2dp_offload_prop))
+(typeattributeset bluetooth_audio_hal_prop_30_0 (bluetooth_audio_hal_prop))
+(typeattributeset bluetooth_data_file_30_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_30_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_30_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_30_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_30_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_30_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_30_0 (bluetooth_socket))
+(typeattributeset boot_block_device_30_0 (boot_block_device))
+(typeattributeset bootanim_30_0 (bootanim))
+(typeattributeset bootanim_exec_30_0 (bootanim_exec))
+(typeattributeset bootchart_data_file_30_0 (bootchart_data_file))
+(typeattributeset bootloader_boot_reason_prop_30_0 (bootloader_boot_reason_prop))
+(typeattributeset bootstat_30_0 (bootstat))
+(typeattributeset bootstat_data_file_30_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_30_0 (bootstat_exec))
+(typeattributeset boottime_prop_30_0 (boottime_prop))
+(typeattributeset boottime_public_prop_30_0 (boottime_public_prop))
+(typeattributeset boottrace_data_file_30_0 (boottrace_data_file))
+(typeattributeset bpf_progs_loaded_prop_30_0 (bpf_progs_loaded_prop))
+(typeattributeset bq_config_prop_30_0 (bq_config_prop))
+(typeattributeset broadcastradio_service_30_0 (broadcastradio_service))
+(typeattributeset bufferhubd_30_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_30_0 (bufferhubd_exec))
+(typeattributeset bugreport_service_30_0 (bugreport_service))
+(typeattributeset cache_backup_file_30_0 (cache_backup_file))
+(typeattributeset cache_block_device_30_0 (cache_block_device))
+(typeattributeset cache_file_30_0 (cache_file))
+(typeattributeset cache_private_backup_file_30_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_30_0 (cache_recovery_file))
+(typeattributeset camera_data_file_30_0 (camera_data_file))
+(typeattributeset camera_device_30_0 (camera_device))
+(typeattributeset cameraproxy_service_30_0 (cameraproxy_service))
+(typeattributeset cameraserver_30_0 (cameraserver))
+(typeattributeset cameraserver_exec_30_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_30_0 (cameraserver_service))
+(typeattributeset cameraserver_tmpfs_30_0 (cameraserver_tmpfs))
+(typeattributeset cgroup_30_0 (cgroup))
+(typeattributeset cgroup_bpf_30_0 (cgroup_bpf))
+(typeattributeset cgroup_desc_file_30_0 (cgroup_desc_file))
+(typeattributeset cgroup_rc_file_30_0 (cgroup_rc_file))
+(typeattributeset charger_30_0 (charger))
+(typeattributeset charger_exec_30_0 (charger_exec))
+(typeattributeset charger_prop_30_0 (charger_prop))
+(typeattributeset clipboard_service_30_0 (clipboard_service))
+(typeattributeset cold_boot_done_prop_30_0 (cold_boot_done_prop))
+(typeattributeset color_display_service_30_0 (color_display_service))
+(typeattributeset companion_device_service_30_0 (companion_device_service))
+(typeattributeset config_prop_30_0 (config_prop))
+(typeattributeset configfs_30_0 (configfs))
+(typeattributeset connectivity_service_30_0 (connectivity_service))
+(typeattributeset connmetrics_service_30_0 (connmetrics_service))
+(typeattributeset console_device_30_0 (console_device))
+(typeattributeset consumer_ir_service_30_0 (consumer_ir_service))
+(typeattributeset content_capture_service_30_0 (content_capture_service))
+(typeattributeset content_service_30_0 (content_service))
+(typeattributeset content_suggestions_service_30_0 (content_suggestions_service))
+(typeattributeset contexthub_service_30_0 (contexthub_service))
+(typeattributeset coredump_file_30_0 (coredump_file))
+(typeattributeset country_detector_service_30_0 (country_detector_service))
+(typeattributeset coverage_service_30_0 (coverage_service))
+(typeattributeset cppreopt_prop_30_0 (cppreopt_prop))
+(typeattributeset cpu_variant_prop_30_0 (cpu_variant_prop))
+(typeattributeset cpuinfo_service_30_0 (cpuinfo_service))
+(typeattributeset crash_dump_30_0 (crash_dump))
+(typeattributeset crash_dump_exec_30_0 (crash_dump_exec))
+(typeattributeset credstore_30_0 (credstore))
+(typeattributeset credstore_data_file_30_0 (credstore_data_file))
+(typeattributeset credstore_exec_30_0 (credstore_exec))
+(typeattributeset credstore_service_30_0 (credstore_service))
+(typeattributeset crossprofileapps_service_30_0 (crossprofileapps_service))
+(typeattributeset ctl_adbd_prop_30_0 (ctl_adbd_prop))
+(typeattributeset ctl_apexd_prop_30_0 (ctl_apexd_prop))
+(typeattributeset ctl_bootanim_prop_30_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_30_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_30_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_30_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_30_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_30_0 (ctl_fuse_prop))
+(typeattributeset ctl_gsid_prop_30_0 (ctl_gsid_prop))
+(typeattributeset ctl_interface_restart_prop_30_0 (ctl_interface_restart_prop))
+(typeattributeset ctl_interface_start_prop_30_0 (ctl_interface_start_prop))
+(typeattributeset ctl_interface_stop_prop_30_0 (ctl_interface_stop_prop))
+(typeattributeset ctl_mdnsd_prop_30_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_restart_prop_30_0 (ctl_restart_prop))
+(typeattributeset ctl_rildaemon_prop_30_0 (ctl_rildaemon_prop))
+(typeattributeset ctl_sigstop_prop_30_0 (ctl_sigstop_prop))
+(typeattributeset ctl_start_prop_30_0 (ctl_start_prop))
+(typeattributeset ctl_stop_prop_30_0 (ctl_stop_prop))
+(typeattributeset dalvik_prop_30_0 (dalvik_prop))
+(typeattributeset dalvikcache_data_file_30_0 (dalvikcache_data_file))
+(typeattributeset dataloader_manager_service_30_0 (dataloader_manager_service))
+(typeattributeset dbinfo_service_30_0 (dbinfo_service))
+(typeattributeset debug_prop_30_0 (debug_prop))
+(typeattributeset debugfs_30_0 (debugfs))
+(typeattributeset debugfs_mmc_30_0 (debugfs_mmc))
+(typeattributeset debugfs_trace_marker_30_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_30_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_30_0 (debugfs_tracing_debug
+ debugfs_tracing_printk_formats))
+(typeattributeset debugfs_tracing_instances_30_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_wakeup_sources_30_0 (debugfs_wakeup_sources))
+(typeattributeset debugfs_wifi_tracing_30_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_30_0 (debuggerd_prop))
+(typeattributeset default_android_hwservice_30_0 (default_android_hwservice))
+(typeattributeset default_android_service_30_0 (default_android_service))
+(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
+(typeattributeset default_prop_30_0 (
+ default_prop
+ audio_config_prop
+ build_config_prop
+ suspend_prop
+ init_service_status_private_prop
+ setupwizard_prop
+ sqlite_log_prop
+ verity_status_prop
+ zygote_wrap_prop
+))
+(typeattributeset dev_cpu_variant_30_0 (dev_cpu_variant))
+(typeattributeset device_30_0 (device))
+(typeattributeset device_config_activity_manager_native_boot_prop_30_0 (device_config_activity_manager_native_boot_prop))
+(typeattributeset device_config_boot_count_prop_30_0 (device_config_boot_count_prop))
+(typeattributeset device_config_configuration_prop_30_0 (device_config_configuration_prop))
+(typeattributeset device_config_input_native_boot_prop_30_0 (device_config_input_native_boot_prop))
+(typeattributeset device_config_media_native_prop_30_0 (device_config_media_native_prop))
+(typeattributeset device_config_netd_native_prop_30_0 (device_config_netd_native_prop))
+(typeattributeset device_config_reset_performed_prop_30_0 (device_config_reset_performed_prop))
+(typeattributeset device_config_runtime_native_boot_prop_30_0 (device_config_runtime_native_boot_prop))
+(typeattributeset device_config_runtime_native_prop_30_0 (device_config_runtime_native_prop))
+(typeattributeset device_config_service_30_0 (device_config_service))
+(typeattributeset device_config_storage_native_boot_prop_30_0 (device_config_storage_native_boot_prop))
+(typeattributeset device_config_sys_traced_prop_30_0 (device_config_sys_traced_prop))
+(typeattributeset device_config_window_manager_native_boot_prop_30_0 (device_config_window_manager_native_boot_prop))
+(typeattributeset device_identifiers_service_30_0 (device_identifiers_service))
+(typeattributeset device_logging_prop_30_0 (device_logging_prop))
+(typeattributeset device_policy_service_30_0 (device_policy_service))
+(typeattributeset deviceidle_service_30_0 (deviceidle_service))
+(typeattributeset devicestoragemonitor_service_30_0 (devicestoragemonitor_service))
+(typeattributeset devpts_30_0 (devpts))
+(typeattributeset dhcp_30_0 (dhcp))
+(typeattributeset dhcp_data_file_30_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_30_0 (dhcp_exec))
+(typeattributeset dhcp_prop_30_0 (dhcp_prop))
+(typeattributeset diskstats_service_30_0 (diskstats_service))
+(typeattributeset display_service_30_0 (display_service))
+(typeattributeset dm_device_30_0 (dm_device))
+(typeattributeset dnsmasq_30_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_30_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_30_0 (dnsproxyd_socket))
+(typeattributeset dnsresolver_service_30_0 (dnsresolver_service))
+(typeattributeset dreams_service_30_0 (dreams_service))
+(typeattributeset drm_data_file_30_0 (drm_data_file))
+(typeattributeset drmserver_30_0 (drmserver))
+(typeattributeset drmserver_exec_30_0 (drmserver_exec))
+(typeattributeset drmserver_service_30_0 (drmserver_service))
+(typeattributeset drmserver_socket_30_0 (drmserver_socket))
+(typeattributeset dropbox_data_file_30_0 (dropbox_data_file))
+(typeattributeset dropbox_service_30_0 (dropbox_service))
+(typeattributeset dumpstate_30_0 (dumpstate))
+(typeattributeset dumpstate_exec_30_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_30_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_30_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_30_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_30_0 (dumpstate_socket))
+(typeattributeset dynamic_system_prop_30_0 (dynamic_system_prop))
+(typeattributeset e2fs_30_0 (e2fs))
+(typeattributeset e2fs_exec_30_0 (e2fs_exec))
+(typeattributeset efs_file_30_0 (efs_file))
+(typeattributeset emergency_affordance_service_30_0 (emergency_affordance_service))
+(typeattributeset ephemeral_app_30_0 (ephemeral_app))
+(typeattributeset ethernet_service_30_0 (ethernet_service))
+(typeattributeset exfat_30_0 (exfat))
+(typeattributeset exported2_config_prop_30_0 (exported2_config_prop systemsound_config_prop))
+(typeattributeset exported2_default_prop_30_0
+ ( exported2_default_prop
+ aac_drc_prop
+ bootloader_prop
+ build_prop
+ hal_instrumentation_prop
+ init_service_status_prop
+ libc_debug_prop
+ property_service_version_prop))
+(typeattributeset exported2_radio_prop_30_0 (exported2_radio_prop))
+(typeattributeset exported2_system_prop_30_0
+ ( exported2_system_prop
+ dalvik_runtime_prop
+ surfaceflinger_color_prop
+ zram_control_prop))
+(typeattributeset exported2_vold_prop_30_0
+ ( exported2_vold_prop
+ vold_config_prop
+ vold_post_fs_data_prop))
+(typeattributeset exported3_default_prop_30_0
+ ( exported3_default_prop
+ camera_calibration_prop
+ camera_config_prop
+ charger_config_prop
+ drm_service_config_prop
+ hdmi_config_prop
+ keyguard_config_prop
+ lmkd_config_prop
+ media_config_prop
+ mediadrm_config_prop
+ oem_unlock_prop
+ packagemanager_config_prop
+ recovery_config_prop
+ sendbug_config_prop
+ storagemanager_config_prop
+ telephony_config_prop
+ tombstone_config_prop
+ vts_status_prop
+ wifi_config_prop
+ zram_config_prop))
+(typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop radio_control_prop))
+(typeattributeset exported3_system_prop_30_0
+ ( exported3_system_prop
+ boot_status_prop
+ provisioned_prop
+ retaildemo_prop))
+(typeattributeset exported_audio_prop_30_0 (exported_audio_prop audio_config_prop))
+(typeattributeset exported_bluetooth_prop_30_0 (exported_bluetooth_prop))
+(typeattributeset exported_camera_prop_30_0 (exported_camera_prop))
+(typeattributeset exported_config_prop_30_0 (exported_config_prop))
+(typeattributeset exported_dalvik_prop_30_0 (exported_dalvik_prop dalvik_config_prop))
+(typeattributeset exported_default_prop_30_0
+ ( exported_default_prop
+ aaudio_config_prop
+ build_bootimage_prop
+ build_odm_prop
+ build_vendor_prop
+ surfaceflinger_prop
+ vts_config_prop))
+(typeattributeset exported_dumpstate_prop_30_0 (exported_dumpstate_prop))
+(typeattributeset exported_ffs_prop_30_0
+ ( exported_ffs_prop
+ ffs_config_prop
+ ffs_control_prop))
+(typeattributeset exported_fingerprint_prop_30_0 (exported_fingerprint_prop fingerprint_prop))
+(typeattributeset exported_overlay_prop_30_0 (exported_overlay_prop))
+(typeattributeset exported_pm_prop_30_0 (exported_pm_prop))
+(typeattributeset exported_radio_prop_30_0 (exported_radio_prop telephony_status_prop))
+(typeattributeset exported_secure_prop_30_0 (exported_secure_prop))
+(typeattributeset exported_system_prop_30_0 (exported_system_prop charger_status_prop))
+(typeattributeset exported_system_prop_30_0 (exported_system_prop bootanim_system_prop))
+
+(typeattributeset exported_system_radio_prop_30_0
+ ( exported_system_radio_prop
+ usb_config_prop
+ usb_control_prop))
+(typeattributeset exported_vold_prop_30_0 (exported_vold_prop vold_status_prop))
+(typeattributeset exported_wifi_prop_30_0 (exported_wifi_prop wifi_hal_prop))
+(typeattributeset external_vibrator_service_30_0 (external_vibrator_service))
+(typeattributeset face_service_30_0 (face_service))
+(typeattributeset face_vendor_data_file_30_0 (face_vendor_data_file))
+(typeattributeset fastbootd_30_0 (fastbootd))
+(typeattributeset ffs_prop_30_0 (ffs_prop))
+(typeattributeset file_contexts_file_30_0 (file_contexts_file))
+(typeattributeset file_integrity_service_30_0 (file_integrity_service))
+(typeattributeset fingerprint_service_30_0 (fingerprint_service))
+(typeattributeset fingerprint_vendor_data_file_30_0 (fingerprint_vendor_data_file))
+(typeattributeset fingerprintd_30_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_30_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_30_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_30_0 (fingerprintd_service))
+(typeattributeset firstboot_prop_30_0 (firstboot_prop))
+(typeattributeset flags_health_check_30_0 (flags_health_check))
+(typeattributeset flags_health_check_exec_30_0 (flags_health_check_exec))
+(typeattributeset font_service_30_0 (font_service))
+(typeattributeset frp_block_device_30_0 (frp_block_device))
+(typeattributeset fs_bpf_30_0 (fs_bpf))
+(typeattributeset fsck_30_0 (fsck))
+(typeattributeset fsck_exec_30_0 (fsck_exec))
+(typeattributeset fsck_untrusted_30_0 (fsck_untrusted))
+(typeattributeset fscklogs_30_0 (fscklogs))
+(typeattributeset functionfs_30_0 (functionfs))
+(typeattributeset fuse_30_0 (fuse))
+(typeattributeset fuse_device_30_0 (fuse_device))
+(typeattributeset fwk_automotive_display_hwservice_30_0 (fwk_automotive_display_hwservice))
+(typeattributeset fwk_bufferhub_hwservice_30_0 (fwk_bufferhub_hwservice))
+(typeattributeset fwk_camera_hwservice_30_0 (fwk_camera_hwservice))
+(typeattributeset fwk_display_hwservice_30_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_30_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_30_0 (fwk_sensor_hwservice))
+(typeattributeset fwk_stats_hwservice_30_0 (fwk_stats_hwservice))
+(typeattributeset fwmarkd_socket_30_0 (fwmarkd_socket))
+(typeattributeset gatekeeper_data_file_30_0 (gatekeeper_data_file))
+(typeattributeset gatekeeper_service_30_0 (gatekeeper_service))
+(typeattributeset gatekeeperd_30_0 (gatekeeperd))
+(typeattributeset gatekeeperd_exec_30_0 (gatekeeperd_exec))
+(typeattributeset gfxinfo_service_30_0 (gfxinfo_service))
+(typeattributeset gmscore_app_30_0 (gmscore_app))
+(typeattributeset gps_control_30_0 (gps_control))
+(typeattributeset gpu_device_30_0 (gpu_device))
+(typeattributeset gpu_service_30_0 (gpu_service))
+(typeattributeset gpuservice_30_0 (gpuservice))
+(typeattributeset graphics_device_30_0 (graphics_device))
+(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
+(typeattributeset gsi_data_file_30_0 (gsi_data_file))
+(typeattributeset gsi_metadata_file_30_0
+ ( gsi_metadata_file
+ gsi_public_metadata_file))
+(typeattributeset gsid_prop_30_0 (gsid_prop))
+(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
+(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
+(typeattributeset hal_audiocontrol_hwservice_30_0 (hal_audiocontrol_hwservice))
+(typeattributeset hal_authsecret_hwservice_30_0 (hal_authsecret_hwservice))
+(typeattributeset hal_bluetooth_hwservice_30_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_30_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_30_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_30_0 (hal_camera_hwservice))
+(typeattributeset hal_can_bus_hwservice_30_0 (hal_can_bus_hwservice))
+(typeattributeset hal_can_controller_hwservice_30_0 (hal_can_controller_hwservice))
+(typeattributeset hal_cas_hwservice_30_0 (hal_cas_hwservice))
+(typeattributeset hal_codec2_hwservice_30_0 (hal_codec2_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_30_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_confirmationui_hwservice_30_0 (hal_confirmationui_hwservice))
+(typeattributeset hal_contexthub_hwservice_30_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_30_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_hwservice_30_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_evs_hwservice_30_0 (hal_evs_hwservice))
+(typeattributeset hal_face_hwservice_30_0 (hal_face_hwservice))
+(typeattributeset hal_fingerprint_hwservice_30_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_30_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_30_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_30_0 (hal_gnss_hwservice))
+(typeattributeset hal_graphics_allocator_hwservice_30_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_30_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_composer_server_tmpfs_30_0 (hal_graphics_composer_server_tmpfs))
+(typeattributeset hal_graphics_mapper_hwservice_30_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_30_0 (hal_health_hwservice))
+(typeattributeset hal_health_storage_hwservice_30_0 (hal_health_storage_hwservice))
+(typeattributeset hal_identity_service_30_0 (hal_identity_service))
+(typeattributeset hal_input_classifier_hwservice_30_0 (hal_input_classifier_hwservice))
+(typeattributeset hal_ir_hwservice_30_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_30_0 (hal_keymaster_hwservice))
+(typeattributeset hal_light_hwservice_30_0 (hal_light_hwservice))
+(typeattributeset hal_light_service_30_0 (hal_light_service))
+(typeattributeset hal_lowpan_hwservice_30_0 (hal_lowpan_hwservice))
+(typeattributeset hal_memtrack_hwservice_30_0 (hal_memtrack_hwservice))
+(typeattributeset hal_neuralnetworks_hwservice_30_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_nfc_hwservice_30_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_30_0 (hal_oemlock_hwservice))
+(typeattributeset hal_omx_hwservice_30_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_30_0 (hal_power_hwservice))
+(typeattributeset hal_power_service_30_0 (hal_power_service))
+(typeattributeset hal_power_stats_hwservice_30_0 (hal_power_stats_hwservice))
+(typeattributeset hal_rebootescrow_service_30_0 (hal_rebootescrow_service))
+(typeattributeset hal_renderscript_hwservice_30_0 (hal_renderscript_hwservice))
+(typeattributeset hal_secure_element_hwservice_30_0 (hal_secure_element_hwservice))
+(typeattributeset hal_sensors_hwservice_30_0 (hal_sensors_hwservice))
+(typeattributeset hal_telephony_hwservice_30_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_30_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_30_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_30_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_30_0 (hal_tv_input_hwservice))
+(typeattributeset hal_tv_tuner_hwservice_30_0 (hal_tv_tuner_hwservice))
+(typeattributeset hal_usb_gadget_hwservice_30_0 (hal_usb_gadget_hwservice))
+(typeattributeset hal_usb_hwservice_30_0 (hal_usb_hwservice))
+(typeattributeset hal_vehicle_hwservice_30_0 (hal_vehicle_hwservice))
+(typeattributeset hal_vibrator_hwservice_30_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vibrator_service_30_0 (hal_vibrator_service))
+(typeattributeset hal_vr_hwservice_30_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_30_0 (hal_weaver_hwservice))
+(typeattributeset hal_wifi_hostapd_hwservice_30_0 (hal_wifi_hostapd_hwservice))
+(typeattributeset hal_wifi_hwservice_30_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_30_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_30_0 (hardware_properties_service))
+(typeattributeset hardware_service_30_0 (hardware_service))
+(typeattributeset hci_attach_dev_30_0 (hci_attach_dev))
+(typeattributeset hdmi_control_service_30_0 (hdmi_control_service))
+(typeattributeset healthd_30_0 (healthd))
+(typeattributeset healthd_exec_30_0 (healthd_exec))
+(typeattributeset heapdump_data_file_30_0 (heapdump_data_file))
+(typeattributeset heapprofd_30_0 (heapprofd))
+(typeattributeset heapprofd_enabled_prop_30_0 (heapprofd_enabled_prop))
+(typeattributeset heapprofd_prop_30_0 (heapprofd_prop))
+(typeattributeset heapprofd_socket_30_0 (heapprofd_socket))
+(typeattributeset hidl_allocator_hwservice_30_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_30_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_30_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_30_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_30_0 (hidl_token_hwservice))
+(typeattributeset hw_random_device_30_0 (hw_random_device))
+(typeattributeset hwbinder_device_30_0 (hwbinder_device))
+(typeattributeset hwservice_contexts_file_30_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_30_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_30_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_30_0 (hwservicemanager_prop))
+(typeattributeset icon_file_30_0 (icon_file))
+(typeattributeset idmap_30_0 (idmap))
+(typeattributeset idmap_exec_30_0 (idmap_exec))
+(typeattributeset idmap_service_30_0 (idmap_service))
+(typeattributeset iio_device_30_0 (iio_device))
+(typeattributeset imms_service_30_0 (imms_service))
+(typeattributeset incident_30_0 (incident))
+(typeattributeset incident_data_file_30_0 (incident_data_file))
+(typeattributeset incident_helper_30_0 (incident_helper))
+(typeattributeset incident_service_30_0 (incident_service))
+(typeattributeset incidentd_30_0 (incidentd))
+(typeattributeset incremental_control_file_30_0 (incremental_control_file))
+(typeattributeset incremental_prop_30_0 (incremental_prop))
+(typeattributeset incremental_service_30_0 (incremental_service))
+(typeattributeset init_30_0 (init))
+(typeattributeset init_exec_30_0 (init_exec))
+(typeattributeset init_perf_lsm_hooks_prop_30_0 (init_perf_lsm_hooks_prop))
+(typeattributeset init_svc_debug_prop_30_0 (init_svc_debug_prop))
+(typeattributeset init_tmpfs_30_0 (init_tmpfs))
+(typeattributeset inotify_30_0 (inotify))
+(typeattributeset input_device_30_0 (input_device))
+(typeattributeset input_method_service_30_0 (input_method_service))
+(typeattributeset input_service_30_0 (input_service))
+(typeattributeset inputflinger_30_0 (inputflinger))
+(typeattributeset inputflinger_exec_30_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_30_0 (inputflinger_service))
+(typeattributeset install_data_file_30_0 (install_data_file))
+(typeattributeset installd_30_0 (installd))
+(typeattributeset installd_exec_30_0 (installd_exec))
+(typeattributeset installd_service_30_0 (installd_service))
+(typeattributeset ion_device_30_0 (ion_device))
+(typeattributeset iorap_inode2filename_30_0 (iorap_inode2filename))
+(typeattributeset iorap_inode2filename_exec_30_0 (iorap_inode2filename_exec))
+(typeattributeset iorap_inode2filename_tmpfs_30_0 (iorap_inode2filename_tmpfs))
+(typeattributeset iorap_prefetcherd_30_0 (iorap_prefetcherd))
+(typeattributeset iorap_prefetcherd_exec_30_0 (iorap_prefetcherd_exec))
+(typeattributeset iorap_prefetcherd_tmpfs_30_0 (iorap_prefetcherd_tmpfs))
+(typeattributeset iorapd_30_0 (iorapd))
+(typeattributeset iorapd_data_file_30_0 (iorapd_data_file))
+(typeattributeset iorapd_exec_30_0 (iorapd_exec))
+(typeattributeset iorapd_service_30_0 (iorapd_service))
+(typeattributeset iorapd_tmpfs_30_0 (iorapd_tmpfs))
+(typeattributeset ipsec_service_30_0 (ipsec_service))
+(typeattributeset iris_service_30_0 (iris_service))
+(typeattributeset iris_vendor_data_file_30_0 (iris_vendor_data_file))
+(typeattributeset isolated_app_30_0 (isolated_app))
+(typeattributeset jobscheduler_service_30_0 (jobscheduler_service))
+(typeattributeset kernel_30_0 (kernel))
+(typeattributeset keychain_data_file_30_0 (keychain_data_file))
+(typeattributeset keychord_device_30_0 (keychord_device))
+(typeattributeset keystore_30_0 (keystore))
+(typeattributeset keystore_data_file_30_0 (keystore_data_file))
+(typeattributeset keystore_exec_30_0 (keystore_exec))
+(typeattributeset keystore_service_30_0 (keystore_service))
+(typeattributeset kmsg_debug_device_30_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_30_0 (kmsg_device))
+(typeattributeset labeledfs_30_0 (labeledfs))
+(typeattributeset last_boot_reason_prop_30_0 (last_boot_reason_prop))
+(typeattributeset launcherapps_service_30_0 (launcherapps_service))
+(typeattributeset light_service_30_0 (light_service))
+(typeattributeset linkerconfig_file_30_0 (linkerconfig_file))
+(typeattributeset llkd_30_0 (llkd))
+(typeattributeset llkd_exec_30_0 (llkd_exec))
+(typeattributeset llkd_prop_30_0 (llkd_prop))
+(typeattributeset lmkd_30_0 (lmkd))
+(typeattributeset lmkd_exec_30_0 (lmkd_exec))
+(typeattributeset lmkd_prop_30_0 (lmkd_prop))
+(typeattributeset lmkd_socket_30_0 (lmkd_socket))
+(typeattributeset location_service_30_0 (location_service))
+(typeattributeset lock_settings_service_30_0 (lock_settings_service))
+(typeattributeset log_prop_30_0 (log_prop))
+(typeattributeset log_tag_prop_30_0 (log_tag_prop))
+(typeattributeset logcat_exec_30_0 (logcat_exec))
+(typeattributeset logd_30_0 (logd))
+(typeattributeset logd_exec_30_0 (logd_exec))
+(typeattributeset logd_prop_30_0 (logd_prop))
+(typeattributeset logd_socket_30_0 (logd_socket))
+(typeattributeset logdr_socket_30_0 (logdr_socket))
+(typeattributeset logdw_socket_30_0 (logdw_socket))
+(typeattributeset logpersist_30_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_30_0 (logpersistd_logging_prop))
+(typeattributeset loop_control_device_30_0 (loop_control_device))
+(typeattributeset loop_device_30_0 (loop_device))
+(typeattributeset looper_stats_service_30_0 (looper_stats_service))
+(typeattributeset lowpan_device_30_0 (lowpan_device))
+(typeattributeset lowpan_prop_30_0 (lowpan_prop))
+(typeattributeset lowpan_service_30_0 (lowpan_service))
+(typeattributeset lpdump_service_30_0 (lpdump_service))
+(typeattributeset lpdumpd_prop_30_0 (lpdumpd_prop))
+(typeattributeset mac_perms_file_30_0 (mac_perms_file))
+(typeattributeset mdns_socket_30_0 (mdns_socket))
+(typeattributeset mdnsd_30_0 (mdnsd))
+(typeattributeset mdnsd_socket_30_0 (mdnsd_socket))
+(typeattributeset media_data_file_30_0 (media_data_file))
+(typeattributeset media_projection_service_30_0 (media_projection_service))
+(typeattributeset media_router_service_30_0 (media_router_service))
+(typeattributeset media_rw_data_file_30_0 (media_rw_data_file))
+(typeattributeset media_session_service_30_0 (media_session_service))
+(typeattributeset media_variant_prop_30_0 (media_variant_prop))
+(typeattributeset mediadrmserver_30_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_30_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_30_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_30_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_30_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_30_0 (mediaextractor_service))
+(typeattributeset mediaextractor_tmpfs_30_0 (mediaextractor_tmpfs))
+(typeattributeset mediametrics_30_0 (mediametrics))
+(typeattributeset mediametrics_exec_30_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_30_0 (mediametrics_service))
+(typeattributeset mediaprovider_30_0 (mediaprovider))
+(typeattributeset mediaserver_30_0 (mediaserver))
+(typeattributeset mediaserver_exec_30_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_30_0 (mediaserver_service))
+(typeattributeset mediaserver_tmpfs_30_0 (mediaserver_tmpfs))
+(typeattributeset mediaswcodec_30_0 (mediaswcodec))
+(typeattributeset mediaswcodec_exec_30_0 (mediaswcodec_exec))
+(typeattributeset mediatranscoding_30_0 (mediatranscoding))
+(typeattributeset mediatranscoding_exec_30_0 (mediatranscoding_exec))
+(typeattributeset mediatranscoding_service_30_0 (mediatranscoding_service))
+(typeattributeset meminfo_service_30_0 (meminfo_service))
+(typeattributeset metadata_block_device_30_0 (metadata_block_device))
+(typeattributeset metadata_bootstat_file_30_0 (metadata_bootstat_file))
+(typeattributeset metadata_file_30_0 (metadata_file))
+(typeattributeset method_trace_data_file_30_0 (method_trace_data_file))
+(typeattributeset midi_service_30_0 (midi_service))
+(typeattributeset mirror_data_file_30_0 (mirror_data_file))
+(typeattributeset misc_block_device_30_0 (misc_block_device))
+(typeattributeset misc_logd_file_30_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_30_0 (misc_user_data_file))
+(typeattributeset mmc_prop_30_0 (mmc_prop))
+(typeattributeset mnt_expand_file_30_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_30_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_30_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_pass_through_file_30_0 (mnt_pass_through_file))
+(typeattributeset mnt_product_file_30_0 (mnt_product_file))
+(typeattributeset mnt_sdcard_file_30_0 (mnt_sdcard_file))
+(typeattributeset mnt_user_file_30_0 (mnt_user_file))
+(typeattributeset mnt_vendor_file_30_0 (mnt_vendor_file))
+(typeattributeset mock_ota_prop_30_0 (mock_ota_prop))
+(typeattributeset modprobe_30_0 (modprobe))
+(typeattributeset module_sdkextensions_prop_30_0 (module_sdkextensions_prop))
+(typeattributeset mount_service_30_0 (mount_service))
+(typeattributeset mqueue_30_0 (mqueue))
+(typeattributeset mtp_30_0 (mtp))
+(typeattributeset mtp_device_30_0 (mtp_device))
+(typeattributeset mtp_exec_30_0 (mtp_exec))
+(typeattributeset mtpd_socket_30_0 (mtpd_socket))
+(typeattributeset nativetest_data_file_30_0 (nativetest_data_file))
+(typeattributeset net_data_file_30_0 (net_data_file))
+(typeattributeset net_dns_prop_30_0 (net_dns_prop))
+(typeattributeset net_radio_prop_30_0 (net_radio_prop))
+(typeattributeset netd_30_0 (netd))
+(typeattributeset netd_exec_30_0 (netd_exec))
+(typeattributeset netd_listener_service_30_0 (netd_listener_service))
+(typeattributeset netd_service_30_0 (netd_service))
+(typeattributeset netd_stable_secret_prop_30_0 (netd_stable_secret_prop))
+(typeattributeset netif_30_0 (netif))
+(typeattributeset netpolicy_service_30_0 (netpolicy_service))
+(typeattributeset netstats_service_30_0 (netstats_service))
+(typeattributeset netutils_wrapper_30_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_30_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_30_0 (network_management_service))
+(typeattributeset network_score_service_30_0 (network_score_service))
+(typeattributeset network_stack_30_0 (network_stack))
+(typeattributeset network_stack_service_30_0 (network_stack_service))
+(typeattributeset network_time_update_service_30_0 (network_time_update_service))
+(typeattributeset network_watchlist_data_file_30_0 (network_watchlist_data_file))
+(typeattributeset network_watchlist_service_30_0 (network_watchlist_service))
+(typeattributeset nfc_30_0 (nfc))
+(typeattributeset nfc_data_file_30_0 (nfc_data_file))
+(typeattributeset nfc_device_30_0 (nfc_device))
+(typeattributeset nfc_prop_30_0 (nfc_prop))
+(typeattributeset nfc_service_30_0 (nfc_service))
+(typeattributeset nnapi_ext_deny_product_prop_30_0 (nnapi_ext_deny_product_prop))
+(typeattributeset node_30_0 (node))
+(typeattributeset nonplat_service_contexts_file_30_0 (nonplat_service_contexts_file))
+(typeattributeset notification_service_30_0 (notification_service))
+(typeattributeset null_device_30_0 (null_device))
+(typeattributeset oem_lock_service_30_0 (oem_lock_service))
+(typeattributeset oemfs_30_0 (oemfs))
+(typeattributeset ota_data_file_30_0 (ota_data_file))
+(typeattributeset ota_metadata_file_30_0 (ota_metadata_file))
+(typeattributeset ota_package_file_30_0 (ota_package_file))
+(typeattributeset ota_prop_30_0 (ota_prop))
+(typeattributeset otadexopt_service_30_0 (otadexopt_service))
+(typeattributeset overlay_prop_30_0 (overlay_prop))
+(typeattributeset overlay_service_30_0 (overlay_service))
+(typeattributeset overlayfs_file_30_0 (overlayfs_file))
+(typeattributeset owntty_device_30_0 (owntty_device))
+(typeattributeset package_native_service_30_0 (package_native_service))
+(typeattributeset package_service_30_0 (package_service))
+(typeattributeset packages_list_file_30_0 (packages_list_file))
+(typeattributeset pan_result_prop_30_0 (pan_result_prop))
+(typeattributeset password_slot_metadata_file_30_0 (password_slot_metadata_file))
+(typeattributeset pdx_bufferhub_client_channel_socket_30_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_30_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_30_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_30_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_30_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_30_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_30_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_30_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_30_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_30_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_30_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_30_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_30_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_30_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_30_0 (pdx_performance_dir))
+(typeattributeset perfetto_30_0 (perfetto))
+(typeattributeset performanced_30_0 (performanced))
+(typeattributeset performanced_exec_30_0 (performanced_exec))
+(typeattributeset permission_service_30_0 (permission_service))
+(typeattributeset permissionmgr_service_30_0 (permissionmgr_service))
+(typeattributeset persist_debug_prop_30_0 (persist_debug_prop))
+(typeattributeset persistent_data_block_service_30_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_30_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_30_0 (pinner_service))
+(typeattributeset pipefs_30_0 (pipefs))
+(typeattributeset platform_app_30_0 (platform_app))
+(typeattributeset platform_compat_service_30_0 (platform_compat_service))
+(typeattributeset pm_prop_30_0 (pm_prop))
+(typeattributeset pmsg_device_30_0 (pmsg_device))
+(typeattributeset port_30_0 (port))
+(typeattributeset port_device_30_0 (port_device))
+(typeattributeset postinstall_30_0 (postinstall))
+(typeattributeset postinstall_apex_mnt_dir_30_0 (postinstall_apex_mnt_dir))
+(typeattributeset postinstall_file_30_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_30_0 (postinstall_mnt_dir))
+(typeattributeset power_service_30_0 (power_service))
+(typeattributeset powerctl_prop_30_0 (powerctl_prop))
+(typeattributeset ppp_30_0 (ppp))
+(typeattributeset ppp_device_30_0 (ppp_device))
+(typeattributeset ppp_exec_30_0 (ppp_exec))
+(typeattributeset preloads_data_file_30_0 (preloads_data_file))
+(typeattributeset preloads_media_file_30_0 (preloads_media_file))
+(typeattributeset prereboot_data_file_30_0 (prereboot_data_file))
+(typeattributeset print_service_30_0 (print_service))
+(typeattributeset priv_app_30_0 (priv_app))
+(typeattributeset privapp_data_file_30_0 (privapp_data_file))
+(typeattributeset proc_30_0
+ ( proc
+ proc_bootconfig))
+(typeattributeset proc_abi_30_0 (proc_abi))
+(typeattributeset proc_asound_30_0 (proc_asound))
+(typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
+(typeattributeset proc_buddyinfo_30_0 (proc_buddyinfo))
+(typeattributeset proc_cmdline_30_0 (proc_cmdline))
+(typeattributeset proc_cpuinfo_30_0 (proc_cpuinfo))
+(typeattributeset proc_dirty_30_0 (proc_dirty))
+(typeattributeset proc_diskstats_30_0 (proc_diskstats))
+(typeattributeset proc_drop_caches_30_0 (proc_drop_caches))
+(typeattributeset proc_extra_free_kbytes_30_0 (proc_extra_free_kbytes))
+(typeattributeset proc_filesystems_30_0 (proc_filesystems))
+(typeattributeset proc_fs_verity_30_0 (proc_fs_verity))
+(typeattributeset proc_hostname_30_0 (proc_hostname))
+(typeattributeset proc_hung_task_30_0 (proc_hung_task))
+(typeattributeset proc_interrupts_30_0 (proc_interrupts))
+(typeattributeset proc_iomem_30_0 (proc_iomem))
+(typeattributeset proc_keys_30_0 (proc_keys))
+(typeattributeset proc_kmsg_30_0 (proc_kmsg))
+(typeattributeset proc_kpageflags_30_0 (proc_kpageflags))
+(typeattributeset proc_loadavg_30_0 (proc_loadavg))
+(typeattributeset proc_lowmemorykiller_30_0 (proc_lowmemorykiller))
+(typeattributeset proc_max_map_count_30_0 (proc_max_map_count))
+(typeattributeset proc_meminfo_30_0 (proc_meminfo))
+(typeattributeset proc_min_free_order_shift_30_0 (proc_min_free_order_shift))
+(typeattributeset proc_misc_30_0 (proc_misc))
+(typeattributeset proc_modules_30_0 (proc_modules))
+(typeattributeset proc_mounts_30_0 (proc_mounts))
+(typeattributeset proc_net_30_0 (proc_net))
+(typeattributeset proc_net_tcp_udp_30_0 (proc_net_tcp_udp))
+(typeattributeset proc_overcommit_memory_30_0 (proc_overcommit_memory))
+(typeattributeset proc_page_cluster_30_0 (proc_page_cluster))
+(typeattributeset proc_pagetypeinfo_30_0 (proc_pagetypeinfo))
+(typeattributeset proc_panic_30_0 (proc_panic))
+(typeattributeset proc_perf_30_0 (proc_perf))
+(typeattributeset proc_pid_max_30_0 (proc_pid_max))
+(typeattributeset proc_pipe_conf_30_0 (proc_pipe_conf))
+(typeattributeset proc_pressure_cpu_30_0 (proc_pressure_cpu))
+(typeattributeset proc_pressure_io_30_0 (proc_pressure_io))
+(typeattributeset proc_pressure_mem_30_0 (proc_pressure_mem))
+(typeattributeset proc_qtaguid_ctrl_30_0 (proc_qtaguid_ctrl))
+(typeattributeset proc_qtaguid_stat_30_0 (proc_qtaguid_stat))
+(typeattributeset proc_random_30_0 (proc_random))
+(typeattributeset proc_sched_30_0 (proc_sched))
+(typeattributeset proc_security_30_0 (proc_security))
+(typeattributeset proc_slabinfo_30_0 (proc_slabinfo))
+(typeattributeset proc_stat_30_0 (proc_stat))
+(typeattributeset proc_swaps_30_0 (proc_swaps))
+(typeattributeset proc_sysrq_30_0 (proc_sysrq))
+(typeattributeset proc_timer_30_0 (proc_timer))
+(typeattributeset proc_tty_drivers_30_0 (proc_tty_drivers))
+(typeattributeset proc_uid_concurrent_active_time_30_0 (proc_uid_concurrent_active_time))
+(typeattributeset proc_uid_concurrent_policy_time_30_0 (proc_uid_concurrent_policy_time))
+(typeattributeset proc_uid_cpupower_30_0 (proc_uid_cpupower))
+(typeattributeset proc_uid_cputime_removeuid_30_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_30_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_30_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_30_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_30_0 (proc_uid_time_in_state))
+(typeattributeset proc_uptime_30_0 (proc_uptime))
+(typeattributeset proc_version_30_0 (proc_version))
+(typeattributeset proc_vmallocinfo_30_0 (proc_vmallocinfo))
+(typeattributeset proc_vmstat_30_0 (proc_vmstat))
+(typeattributeset proc_zoneinfo_30_0 (proc_zoneinfo))
+(typeattributeset processinfo_service_30_0 (processinfo_service))
+(typeattributeset procstats_service_30_0 (procstats_service))
+(typeattributeset profman_30_0 (profman))
+(typeattributeset profman_dump_data_file_30_0 (profman_dump_data_file))
+(typeattributeset profman_exec_30_0 (profman_exec))
+(typeattributeset properties_device_30_0 (properties_device))
+(typeattributeset properties_serial_30_0 (properties_serial))
+(typeattributeset property_contexts_file_30_0 (property_contexts_file))
+(typeattributeset property_data_file_30_0 (property_data_file))
+(typeattributeset property_info_30_0 (property_info))
+(typeattributeset property_socket_30_0 (property_socket))
+(typeattributeset pstorefs_30_0 (pstorefs))
+(typeattributeset ptmx_device_30_0 (ptmx_device))
+(typeattributeset qtaguid_device_30_0 (qtaguid_device))
+(typeattributeset racoon_30_0 (racoon))
+(typeattributeset racoon_exec_30_0 (racoon_exec))
+(typeattributeset racoon_socket_30_0 (racoon_socket))
+(typeattributeset radio_30_0 (radio))
+(typeattributeset radio_data_file_30_0 (radio_data_file))
+(typeattributeset radio_device_30_0 (radio_device))
+(typeattributeset radio_prop_30_0 (radio_prop))
+(typeattributeset radio_service_30_0 (radio_service))
+(typeattributeset ram_device_30_0 (ram_device))
+(typeattributeset random_device_30_0 (random_device))
+(typeattributeset rebootescrow_hal_prop_30_0 (rebootescrow_hal_prop))
+(typeattributeset recovery_30_0 (recovery))
+(typeattributeset recovery_block_device_30_0 (recovery_block_device))
+(typeattributeset recovery_data_file_30_0 (recovery_data_file))
+(typeattributeset recovery_persist_30_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_30_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_30_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_30_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_30_0 (recovery_service))
+(typeattributeset recovery_socket_30_0 (recovery_socket))
+(typeattributeset registry_service_30_0 (registry_service))
+(typeattributeset resourcecache_data_file_30_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_30_0 (restorecon_prop))
+(typeattributeset restrictions_service_30_0 (restrictions_service))
+(typeattributeset rild_debug_socket_30_0 (rild_debug_socket))
+(typeattributeset rild_socket_30_0 (rild_socket))
+(typeattributeset ringtone_file_30_0 (ringtone_file))
+(typeattributeset role_service_30_0 (role_service))
+(typeattributeset rollback_service_30_0 (rollback_service))
+(typeattributeset root_block_device_30_0 (root_block_device))
+(typeattributeset rootfs_30_0 (rootfs))
+(typeattributeset rpmsg_device_30_0 (rpmsg_device))
+(typeattributeset rs_30_0 (rs))
+(typeattributeset rs_exec_30_0 (rs_exec))
+(typeattributeset rss_hwm_reset_30_0 (rss_hwm_reset))
+(typeattributeset rtc_device_30_0 (rtc_device))
+(typeattributeset rttmanager_service_30_0 (rttmanager_service))
+(typeattributeset runas_30_0 (runas))
+(typeattributeset runas_app_30_0 (runas_app))
+(typeattributeset runas_exec_30_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_30_0 (runtime_event_log_tags_file))
+(typeattributeset runtime_service_30_0 (runtime_service))
+(typeattributeset safemode_prop_30_0 (safemode_prop))
+(typeattributeset same_process_hal_file_30_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_30_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_30_0 (scheduling_policy_service))
+(typeattributeset sdcard_block_device_30_0 (sdcard_block_device))
+(typeattributeset sdcardd_30_0 (sdcardd))
+(typeattributeset sdcardd_exec_30_0 (sdcardd_exec))
+(typeattributeset sdcardfs_30_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_30_0 (seapp_contexts_file))
+(typeattributeset search_service_30_0 (search_service))
+(typeattributeset sec_key_att_app_id_provider_service_30_0 (sec_key_att_app_id_provider_service))
+(typeattributeset secure_element_30_0 (secure_element))
+(typeattributeset secure_element_device_30_0 (secure_element_device))
+(typeattributeset secure_element_service_30_0 (secure_element_service))
+(typeattributeset securityfs_30_0 (securityfs))
+(typeattributeset selinuxfs_30_0 (selinuxfs))
+(typeattributeset sensor_privacy_service_30_0 (sensor_privacy_service))
+(typeattributeset sensors_device_30_0 (sensors_device))
+(typeattributeset sensorservice_service_30_0 (sensorservice_service))
+(typeattributeset sepolicy_file_30_0 (sepolicy_file))
+(typeattributeset serial_device_30_0 (serial_device))
+(typeattributeset serial_service_30_0 (serial_service))
+(typeattributeset serialno_prop_30_0 (serialno_prop))
+(typeattributeset server_configurable_flags_data_file_30_0 (server_configurable_flags_data_file))
+(typeattributeset service_contexts_file_30_0 (service_contexts_file))
+(typeattributeset service_manager_service_30_0 (service_manager_service))
+(typeattributeset service_manager_vndservice_30_0 (service_manager_vndservice))
+(typeattributeset servicediscovery_service_30_0 (servicediscovery_service))
+(typeattributeset servicemanager_30_0 (servicemanager))
+(typeattributeset servicemanager_exec_30_0 (servicemanager_exec))
+(typeattributeset settings_service_30_0 (settings_service))
+(typeattributeset sgdisk_30_0 (sgdisk))
+(typeattributeset sgdisk_exec_30_0 (sgdisk_exec))
+(typeattributeset shared_relro_30_0 (shared_relro))
+(typeattributeset shared_relro_file_30_0 (shared_relro_file))
+(typeattributeset shell_30_0 (shell))
+(typeattributeset shell_data_file_30_0 (shell_data_file))
+(typeattributeset shell_exec_30_0 (shell_exec))
+(typeattributeset shell_prop_30_0 (shell_prop))
+(typeattributeset shm_30_0 (shm))
+(typeattributeset shortcut_manager_icons_30_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_30_0 (shortcut_service))
+(typeattributeset simpleperf_30_0 (simpleperf))
+(typeattributeset simpleperf_app_runner_30_0 (simpleperf_app_runner))
+(typeattributeset simpleperf_app_runner_exec_30_0 (simpleperf_app_runner_exec))
+(typeattributeset slice_service_30_0 (slice_service))
+(typeattributeset slideshow_30_0 (slideshow))
+(typeattributeset snapshotctl_log_data_file_30_0 (snapshotctl_log_data_file))
+(typeattributeset socket_device_30_0 (socket_device))
+(typeattributeset socket_hook_prop_30_0 (socket_hook_prop))
+(typeattributeset sockfs_30_0 (sockfs))
+(typeattributeset sota_prop_30_0 (sota_prop))
+(typeattributeset soundtrigger_middleware_service_30_0 (soundtrigger_middleware_service))
+(typeattributeset staging_data_file_30_0 (staging_data_file))
+(typeattributeset stats_data_file_30_0 (stats_data_file))
+(typeattributeset statsd_30_0 (statsd))
+(typeattributeset statsd_exec_30_0 (statsd_exec))
+(typeattributeset statsdw_socket_30_0 (statsdw_socket))
+(typeattributeset statusbar_service_30_0 (statusbar_service))
+(typeattributeset storage_config_prop_30_0 (storage_config_prop))
+(typeattributeset storage_file_30_0 (storage_file))
+(typeattributeset storage_stub_file_30_0 (storage_stub_file))
+(typeattributeset storaged_service_30_0 (storaged_service))
+(typeattributeset storagestats_service_30_0 (storagestats_service))
+(typeattributeset su_30_0 (su))
+(typeattributeset su_exec_30_0 (su_exec))
+(typeattributeset super_block_device_30_0 (super_block_device))
+(typeattributeset surfaceflinger_30_0 (surfaceflinger))
+(typeattributeset surfaceflinger_service_30_0 (surfaceflinger_service))
+(typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs))
+(typeattributeset swap_block_device_30_0 (swap_block_device))
+(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features))
+(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_metrics))
+(typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb))
+(typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devices_block_30_0 (sysfs_devices_block))
+(typeattributeset sysfs_devices_system_cpu_30_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_dm_30_0 (sysfs_dm))
+(typeattributeset sysfs_dm_verity_30_0 (sysfs_dm_verity))
+(typeattributeset sysfs_dt_firmware_android_30_0 (sysfs_dt_firmware_android))
+(typeattributeset sysfs_extcon_30_0 (sysfs_extcon))
+(typeattributeset sysfs_fs_ext4_features_30_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_fs_f2fs_30_0 (sysfs_fs_f2fs))
+(typeattributeset sysfs_hwrandom_30_0 (sysfs_hwrandom))
+(typeattributeset sysfs_ion_30_0 (sysfs_ion))
+(typeattributeset sysfs_ipv4_30_0 (sysfs_ipv4))
+(typeattributeset sysfs_kernel_notes_30_0 (sysfs_kernel_notes))
+(typeattributeset sysfs_leds_30_0 (sysfs_leds))
+(typeattributeset sysfs_loop_30_0 (sysfs_loop))
+(typeattributeset sysfs_lowmemorykiller_30_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_net_30_0 (sysfs_net))
+(typeattributeset sysfs_nfc_power_writable_30_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_power_30_0 (sysfs_power))
+(typeattributeset sysfs_rtc_30_0 (sysfs_rtc))
+(typeattributeset sysfs_suspend_stats_30_0 (sysfs_suspend_stats))
+(typeattributeset sysfs_switch_30_0 (sysfs_switch))
+(typeattributeset sysfs_thermal_30_0 (sysfs_thermal))
+(typeattributeset sysfs_transparent_hugepage_30_0 (sysfs_transparent_hugepage))
+(typeattributeset sysfs_uio_30_0 (sysfs_uio))
+(typeattributeset sysfs_usb_30_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_30_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vibrator_30_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_30_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wakeup_30_0 (sysfs_wakeup))
+(typeattributeset sysfs_wakeup_reasons_30_0 (sysfs_wakeup_reasons))
+(typeattributeset sysfs_wlan_fwpath_30_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_30_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_30_0 (sysfs_zram_uevent))
+(typeattributeset system_adbd_prop_30_0 (system_adbd_prop))
+(typeattributeset system_app_30_0 (system_app))
+(typeattributeset system_app_data_file_30_0 (system_app_data_file))
+(typeattributeset system_app_service_30_0 (system_app_service))
+(typeattributeset system_asan_options_file_30_0 (system_asan_options_file))
+(typeattributeset system_block_device_30_0 (system_block_device))
+(typeattributeset system_boot_reason_prop_30_0 (system_boot_reason_prop))
+(typeattributeset system_bootstrap_lib_file_30_0 (system_bootstrap_lib_file))
+(typeattributeset system_config_service_30_0 (system_config_service))
+(typeattributeset system_data_file_30_0 (system_data_file))
+(typeattributeset system_data_root_file_30_0 (system_data_root_file))
+(typeattributeset system_event_log_tags_file_30_0 (system_event_log_tags_file))
+(typeattributeset system_file_30_0 (system_file))
+(typeattributeset system_group_file_30_0 (system_group_file))
+(typeattributeset system_jvmti_agent_prop_30_0 (system_jvmti_agent_prop))
+(typeattributeset system_lib_file_30_0 (system_lib_file))
+(typeattributeset system_linker_config_file_30_0 (system_linker_config_file))
+(typeattributeset system_linker_exec_30_0 (system_linker_exec))
+(typeattributeset system_lmk_prop_30_0 (system_lmk_prop))
+(typeattributeset system_ndebug_socket_30_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_30_0 (system_net_netd_hwservice))
+(typeattributeset system_passwd_file_30_0 (system_passwd_file))
+(typeattributeset system_prop_30_0 (system_prop))
+(typeattributeset system_radio_prop_30_0 (system_radio_prop usb_prop))
+(typeattributeset system_seccomp_policy_file_30_0 (system_seccomp_policy_file))
+(typeattributeset system_security_cacerts_file_30_0 (system_security_cacerts_file))
+(typeattributeset system_server_30_0 (system_server))
+(typeattributeset system_server_tmpfs_30_0 (system_server_tmpfs))
+(typeattributeset system_suspend_control_service_30_0 (system_suspend_control_service))
+(typeattributeset system_suspend_hwservice_30_0 (system_suspend_hwservice))
+(typeattributeset system_trace_prop_30_0 (system_trace_prop))
+(typeattributeset system_unsolzygote_socket_30_0 (system_unsolzygote_socket))
+(typeattributeset system_update_service_30_0 (system_update_service))
+(typeattributeset system_wifi_keystore_hwservice_30_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_30_0 (system_wpa_socket))
+(typeattributeset system_zoneinfo_file_30_0 (system_zoneinfo_file))
+(typeattributeset systemkeys_data_file_30_0 (systemkeys_data_file))
+(typeattributeset task_profiles_file_30_0 (task_profiles_file))
+(typeattributeset task_service_30_0 (task_service))
+(typeattributeset tcpdump_exec_30_0 (tcpdump_exec))
+(typeattributeset tee_30_0 (tee))
+(typeattributeset tee_data_file_30_0 (tee_data_file))
+(typeattributeset tee_device_30_0 (tee_device))
+(typeattributeset telecom_service_30_0 (telecom_service))
+(typeattributeset test_boot_reason_prop_30_0 (test_boot_reason_prop))
+(typeattributeset test_harness_prop_30_0 (test_harness_prop))
+(typeattributeset testharness_service_30_0 (testharness_service))
+(typeattributeset tethering_service_30_0 (tethering_service))
+(typeattributeset textclassification_service_30_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_30_0 (textclassifier_data_file))
+(typeattributeset textservices_service_30_0 (textservices_service))
+(typeattributeset theme_prop_30_0 (theme_prop))
+(typeattributeset thermal_service_30_0 (thermal_service))
+(typeattributeset thermalcallback_hwservice_30_0 (thermalcallback_hwservice))
+(typeattributeset time_prop_30_0 (time_prop))
+(typeattributeset timedetector_service_30_0 (timedetector_service))
+(typeattributeset timezone_service_30_0 (timezone_service))
+(typeattributeset timezonedetector_service_30_0 (timezonedetector_service))
+(typeattributeset tmpfs_30_0 (tmpfs))
+(typeattributeset tombstone_data_file_30_0 (tombstone_data_file))
+(typeattributeset tombstone_wifi_data_file_30_0 (tombstone_wifi_data_file))
+(typeattributeset tombstoned_30_0 (tombstoned))
+(typeattributeset tombstoned_crash_socket_30_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_30_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_30_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_30_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_30_0 (toolbox))
+(typeattributeset toolbox_exec_30_0 (toolbox_exec))
+(typeattributeset trace_data_file_30_0 (trace_data_file))
+(typeattributeset traced_30_0 (traced))
+(typeattributeset traced_consumer_socket_30_0 (traced_consumer_socket))
+(typeattributeset traced_enabled_prop_30_0 (traced_enabled_prop))
+(typeattributeset traced_lazy_prop_30_0 (traced_lazy_prop))
+(typeattributeset traced_perf_30_0 (traced_perf))
+(typeattributeset traced_perf_enabled_prop_30_0 (traced_perf_enabled_prop))
+(typeattributeset traced_perf_socket_30_0 (traced_perf_socket))
+(typeattributeset traced_probes_30_0 (traced_probes))
+(typeattributeset traced_producer_socket_30_0 (traced_producer_socket))
+(typeattributeset traceur_app_30_0 (traceur_app))
+(typeattributeset trust_service_30_0 (trust_service))
+(typeattributeset tty_device_30_0 (tty_device))
+(typeattributeset tun_device_30_0 (tun_device))
+(typeattributeset tv_input_service_30_0 (tv_input_service))
+(typeattributeset tv_tuner_resource_mgr_service_30_0 (tv_tuner_resource_mgr_service))
+(typeattributeset tzdatacheck_30_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_30_0 (tzdatacheck_exec))
+(typeattributeset ueventd_30_0 (ueventd))
+(typeattributeset ueventd_tmpfs_30_0 (ueventd_tmpfs))
+(typeattributeset uhid_device_30_0 (uhid_device))
+(typeattributeset uimode_service_30_0 (uimode_service))
+(typeattributeset uio_device_30_0 (uio_device))
+(typeattributeset uncrypt_30_0 (uncrypt))
+(typeattributeset uncrypt_exec_30_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_30_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_30_0 (unencrypted_data_file))
+(typeattributeset unlabeled_30_0 (unlabeled))
+(typeattributeset untrusted_app_25_30_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_30_0 (untrusted_app_27))
+(typeattributeset untrusted_app_29_30_0 (untrusted_app_29))
+(typeattributeset untrusted_app_30_0 (untrusted_app))
+(typeattributeset update_engine_30_0 (update_engine))
+(typeattributeset update_engine_data_file_30_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_30_0 (update_engine_exec))
+(typeattributeset update_engine_log_data_file_30_0 (update_engine_log_data_file))
+(typeattributeset update_engine_service_30_0 (update_engine_service))
+(typeattributeset update_verifier_30_0 (update_verifier))
+(typeattributeset update_verifier_exec_30_0 (update_verifier_exec))
+(typeattributeset updatelock_service_30_0 (updatelock_service))
+(typeattributeset uri_grants_service_30_0 (uri_grants_service))
+(typeattributeset usagestats_service_30_0 (usagestats_service))
+(typeattributeset usb_device_30_0 (usb_device))
+(typeattributeset usb_serial_device_30_0 (usb_serial_device))
+(typeattributeset usb_service_30_0 (usb_service))
+(typeattributeset usbaccessory_device_30_0 (usbaccessory_device))
+(typeattributeset usbd_30_0 (usbd))
+(typeattributeset usbd_exec_30_0 (usbd_exec))
+(typeattributeset usbfs_30_0 (usbfs))
+(typeattributeset use_memfd_prop_30_0 (use_memfd_prop))
+(typeattributeset user_profile_data_file_30_0
+ ( user_profile_data_file
+ user_profile_root_file
+))
+(typeattributeset user_service_30_0 (user_service))
+(typeattributeset userdata_block_device_30_0 (userdata_block_device))
+(typeattributeset usermodehelper_30_0 (usermodehelper))
+(typeattributeset userspace_reboot_config_prop_30_0 (userspace_reboot_config_prop))
+(typeattributeset userspace_reboot_exported_prop_30_0 (userspace_reboot_exported_prop))
+(typeattributeset userspace_reboot_log_prop_30_0 (userspace_reboot_log_prop))
+(typeattributeset userspace_reboot_test_prop_30_0 (userspace_reboot_test_prop))
+(typeattributeset vdc_30_0 (vdc))
+(typeattributeset vdc_exec_30_0 (vdc_exec))
+(typeattributeset vehicle_hal_prop_30_0 (vehicle_hal_prop))
+(typeattributeset vendor_apex_file_30_0 (vendor_apex_file))
+(typeattributeset vendor_app_file_30_0 (vendor_app_file))
+(typeattributeset vendor_cgroup_desc_file_30_0 (vendor_cgroup_desc_file))
+(typeattributeset vendor_configs_file_30_0 (vendor_configs_file))
+(typeattributeset vendor_data_file_30_0 (vendor_data_file))
+(typeattributeset vendor_default_prop_30_0 (vendor_default_prop))
+(typeattributeset vendor_file_30_0 (vendor_file))
+(typeattributeset vendor_framework_file_30_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_30_0 (vendor_hal_file))
+(typeattributeset vendor_idc_file_30_0 (vendor_idc_file))
+(typeattributeset vendor_init_30_0 (vendor_init))
+(typeattributeset vendor_keychars_file_30_0 (vendor_keychars_file))
+(typeattributeset vendor_keylayout_file_30_0 (vendor_keylayout_file))
+(typeattributeset vendor_misc_writer_30_0 (vendor_misc_writer))
+(typeattributeset vendor_misc_writer_exec_30_0 (vendor_misc_writer_exec))
+(typeattributeset vendor_overlay_file_30_0 (vendor_overlay_file))
+(typeattributeset vendor_public_lib_file_30_0
+ ( vendor_public_framework_file
+ vendor_public_lib_file))
+(typeattributeset vendor_security_patch_level_prop_30_0 (vendor_security_patch_level_prop))
+(typeattributeset vendor_shell_30_0 (vendor_shell))
+(typeattributeset vendor_shell_exec_30_0 (vendor_shell_exec))
+(typeattributeset vendor_socket_hook_prop_30_0 (vendor_socket_hook_prop))
+(typeattributeset vendor_task_profiles_file_30_0 (vendor_task_profiles_file))
+(typeattributeset vendor_toolbox_exec_30_0 (vendor_toolbox_exec))
+(typeattributeset vfat_30_0 (vfat))
+(typeattributeset vibrator_service_30_0 (vibrator_service))
+(typeattributeset video_device_30_0 (video_device))
+(typeattributeset virtual_ab_prop_30_0 (virtual_ab_prop))
+(typeattributeset virtual_touchpad_30_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_30_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_30_0 (virtual_touchpad_service))
+(typeattributeset vndbinder_device_30_0 (vndbinder_device))
+(typeattributeset vndk_prop_30_0 (vndk_prop))
+(typeattributeset vndk_sp_file_30_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_30_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_30_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_30_0 (voiceinteraction_service))
+(typeattributeset vold_30_0 (vold))
+(typeattributeset vold_data_file_30_0 (vold_data_file))
+(typeattributeset vold_device_30_0 (vold_device))
+(typeattributeset vold_exec_30_0 (vold_exec))
+(typeattributeset vold_metadata_file_30_0 (vold_metadata_file))
+(typeattributeset vold_prepare_subdirs_30_0 (vold_prepare_subdirs))
+(typeattributeset vold_prepare_subdirs_exec_30_0 (vold_prepare_subdirs_exec))
+(typeattributeset vold_prop_30_0 (vold_prop))
+(typeattributeset vold_service_30_0 (vold_service))
+(typeattributeset vpn_data_file_30_0 (vpn_data_file))
+(typeattributeset vr_hwc_30_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_30_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_30_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_30_0 (vr_manager_service))
+(typeattributeset vrflinger_vsync_service_30_0 (vrflinger_vsync_service))
+(typeattributeset wallpaper_file_30_0 (wallpaper_file))
+(typeattributeset wallpaper_service_30_0 (wallpaper_service))
+(typeattributeset watchdog_device_30_0 (watchdog_device))
+(typeattributeset watchdogd_30_0 (watchdogd))
+(typeattributeset watchdogd_exec_30_0 (watchdogd_exec))
+(typeattributeset webview_zygote_30_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_30_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_tmpfs_30_0 (webview_zygote_tmpfs))
+(typeattributeset webviewupdate_service_30_0 (webviewupdate_service))
+(typeattributeset wifi_data_file_30_0 (wifi_data_file))
+(typeattributeset wifi_log_prop_30_0 (wifi_log_prop))
+(typeattributeset wifi_prop_30_0 (wifi_prop))
+(typeattributeset wifi_service_30_0 (wifi_service))
+(typeattributeset wifiaware_service_30_0 (wifiaware_service))
+(typeattributeset wificond_30_0 (wificond))
+(typeattributeset wificond_exec_30_0 (wificond_exec))
+(typeattributeset wifinl80211_service_30_0 (wifinl80211_service))
+(typeattributeset wifip2p_service_30_0 (wifip2p_service))
+(typeattributeset wifiscanner_service_30_0 (wifiscanner_service))
+(typeattributeset window_service_30_0 (window_service))
+(typeattributeset wpa_socket_30_0 (wpa_socket))
+(typeattributeset wpantund_30_0 (wpantund))
+(typeattributeset wpantund_exec_30_0 (wpantund_exec))
+(typeattributeset wpantund_service_30_0 (wpantund_service))
+(typeattributeset zero_device_30_0 (zero_device))
+(typeattributeset zoneinfo_data_file_30_0 (zoneinfo_data_file))
+(typeattributeset zygote_30_0 (zygote))
+(typeattributeset zygote_exec_30_0 (zygote_exec))
+(typeattributeset zygote_socket_30_0 (zygote_socket))
+(typeattributeset zygote_tmpfs_30_0 (zygote_tmpfs))
diff --git a/prebuilts/api/33.0/private/compat/30.0/30.0.compat.cil b/prebuilts/api/33.0/private/compat/30.0/30.0.compat.cil
new file mode 100644
index 0000000..97c5874
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/30.0/30.0.compat.cil
@@ -0,0 +1,10 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+
+;; TODO: Once 30.0 is no longer supported for vendor images,
+;; mlsvendorcompat can be completely from the system policy.
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/33.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/33.0/private/compat/30.0/30.0.ignore.cil
new file mode 100644
index 0000000..ba0a494
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/30.0/30.0.ignore.cil
@@ -0,0 +1,156 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ ab_update_gki_prop
+ adbd_config_prop
+ apc_service
+ apex_appsearch_data_file
+ apex_art_data_file
+ apex_art_staging_data_file
+ apex_info_file
+ apex_ota_reserved_file
+ apex_scheduling_data_file
+ apex_system_server_data_file
+ apexd_config_prop
+ app_hibernation_service
+ appcompat_data_file
+ arm64_memtag_prop
+ artd
+ artd_exec
+ artd_service
+ authorization_service
+ bootanim_config_prop
+ camerax_extensions_prop
+ cgroup_desc_api_file
+ cgroup_v2
+ codec2_config_prop
+ ctl_snapuserd_prop
+ dck_prop
+ debugfs_kprobes
+ debugfs_mm_events_tracing
+ debugfs_bootreceiver_tracing
+ debugfs_restriction_prop
+ device_config_profcollect_native_boot_prop
+ device_config_connectivity_prop
+ device_config_swcodec_native_prop
+ device_state_service
+ dm_user_device
+ dmabuf_heap_device
+ dmabuf_system_heap_device
+ dmabuf_system_secure_heap_device
+ domain_verification_service
+ dumpstate_tmpfs
+ framework_watchdog_config_prop
+ fs_bpf_tethering
+ fwk_stats_service
+ game_service
+ font_data_file
+ gki_apex_prepostinstall
+ gki_apex_prepostinstall_exec
+ hal_audio_service
+ hal_authsecret_service
+ hal_audiocontrol_service
+ hal_face_service
+ hal_fingerprint_service
+ hal_health_storage_service
+ hal_memtrack_service
+ hal_oemlock_service
+ hint_service
+ gnss_device
+ gnss_time_update_service
+ hal_dumpstate_config_prop
+ hal_gnss_service
+ hal_keymint_service
+ hal_neuralnetworks_service
+ hal_power_stats_service
+ hal_remotelyprovisionedcomponent_service
+ hal_secureclock_service
+ hal_sharedsecret_service
+ hal_uwb_service
+ hal_weaver_service
+ hw_timeout_multiplier_prop
+ keystore_compat_hal_service
+ keystore_maintenance_service
+ keystore_metrics_service
+ keystore2_key_contexts_file
+ legacy_permission_service
+ legacykeystore_service
+ location_time_zone_manager_service
+ media_communication_service
+ media_metrics_service
+ mediatuner_exec
+ mediatuner_service
+ mediatuner
+ mediatranscoding_tmpfs
+ memtrackproxy_service
+ mm_events_config_prop
+ music_recognition_service
+ nfc_logs_data_file
+ odrefresh
+ odrefresh_exec
+ odsign
+ odsign_data_file
+ odsign_exec
+ pac_proxy_service
+ permission_checker_service
+ people_service
+ persist_vendor_debug_wifi_prop
+ postinstall_dexopt_exec
+ postinstall_device_mnt_dir
+ postinstall_product_mnt_dir
+ postinstall_vendor_mnt_dir
+ power_debug_prop
+ powerstats_service
+ proc_kallsyms
+ proc_locks
+ profcollectd
+ profcollectd_data_file
+ profcollectd_exec
+ profcollectd_node_id_prop
+ profcollectd_service
+ qemu_hw_prop
+ qemu_sf_lcd_density_prop
+ radio_core_data_file
+ reboot_readiness_service
+ remote_prov_app
+ remoteprovisioning_service
+ resolver_service
+ search_ui_service
+ shell_test_data_file
+ smartspace_service
+ snapuserd
+ snapuserd_exec
+ snapuserd_socket
+ soc_prop
+ speech_recognition_service
+ sysfs_block
+ sysfs_devfreq_cur
+ sysfs_devfreq_dir
+ sysfs_devices_cs_etm
+ sysfs_dma_heap
+ sysfs_dmabuf_stats
+ sysfs_uhid
+ system_server_dumper_service
+ system_suspend_control_internal_service
+ task_profiles_api_file
+ texttospeech_service
+ translation_service
+ update_engine_stable_service
+ userdata_sysdev
+ userspace_reboot_metadata_file
+ uwb_service
+ vcn_management_service
+ vd_device
+ vendor_kernel_modules
+ vendor_modprobe
+ vendor_uuid_mapping_config_file
+ vibrator_manager_service
+ virtualization_service
+ vpn_management_service
+ watchdog_metadata_file
+ wifi_key
+ zygote_config_prop))
diff --git a/prebuilts/api/33.0/private/compat/31.0/31.0.cil b/prebuilts/api/33.0/private/compat/31.0/31.0.cil
new file mode 100644
index 0000000..ba6944e
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/31.0/31.0.cil
@@ -0,0 +1,2488 @@
+;; types removed from current policy
+(type apex_appsearch_data_file)
+(type apex_permission_data_file)
+(type apex_scheduling_data_file)
+(type apex_wifi_data_file)
+(type healthd_exec)
+(type nonplat_service_contexts_file)
+(type sysfs_block)
+(type vr_hwc)
+(type vr_hwc_exec)
+
+(expandtypeattribute (DockObserver_service_31_0) true)
+(expandtypeattribute (IProxyService_service_31_0) true)
+(expandtypeattribute (aac_drc_prop_31_0) true)
+(expandtypeattribute (aaudio_config_prop_31_0) true)
+(expandtypeattribute (ab_update_gki_prop_31_0) true)
+(expandtypeattribute (accessibility_service_31_0) true)
+(expandtypeattribute (account_service_31_0) true)
+(expandtypeattribute (activity_service_31_0) true)
+(expandtypeattribute (activity_task_service_31_0) true)
+(expandtypeattribute (adb_data_file_31_0) true)
+(expandtypeattribute (adb_keys_file_31_0) true)
+(expandtypeattribute (adb_service_31_0) true)
+(expandtypeattribute (adbd_31_0) true)
+(expandtypeattribute (adbd_config_prop_31_0) true)
+(expandtypeattribute (adbd_exec_31_0) true)
+(expandtypeattribute (adbd_socket_31_0) true)
+(expandtypeattribute (aidl_lazy_test_server_31_0) true)
+(expandtypeattribute (aidl_lazy_test_server_exec_31_0) true)
+(expandtypeattribute (aidl_lazy_test_service_31_0) true)
+(expandtypeattribute (alarm_service_31_0) true)
+(expandtypeattribute (anr_data_file_31_0) true)
+(expandtypeattribute (apc_service_31_0) true)
+(expandtypeattribute (apex_appsearch_data_file_31_0) true)
+(expandtypeattribute (apex_data_file_31_0) true)
+(expandtypeattribute (apex_info_file_31_0) true)
+(expandtypeattribute (apex_metadata_file_31_0) true)
+(expandtypeattribute (apex_mnt_dir_31_0) true)
+(expandtypeattribute (apex_module_data_file_31_0) true)
+(expandtypeattribute (apex_ota_reserved_file_31_0) true)
+(expandtypeattribute (apex_permission_data_file_31_0) true)
+(expandtypeattribute (apex_rollback_data_file_31_0) true)
+(expandtypeattribute (apex_scheduling_data_file_31_0) true)
+(expandtypeattribute (apex_service_31_0) true)
+(expandtypeattribute (apex_wifi_data_file_31_0) true)
+(expandtypeattribute (apexd_31_0) true)
+(expandtypeattribute (apexd_config_prop_31_0) true)
+(expandtypeattribute (apexd_exec_31_0) true)
+(expandtypeattribute (apexd_prop_31_0) true)
+(expandtypeattribute (apk_data_file_31_0) true)
+(expandtypeattribute (apk_private_data_file_31_0) true)
+(expandtypeattribute (apk_private_tmp_file_31_0) true)
+(expandtypeattribute (apk_tmp_file_31_0) true)
+(expandtypeattribute (apk_verity_prop_31_0) true)
+(expandtypeattribute (app_binding_service_31_0) true)
+(expandtypeattribute (app_data_file_31_0) true)
+(expandtypeattribute (app_fuse_file_31_0) true)
+(expandtypeattribute (app_fusefs_31_0) true)
+(expandtypeattribute (app_hibernation_service_31_0) true)
+(expandtypeattribute (app_integrity_service_31_0) true)
+(expandtypeattribute (app_prediction_service_31_0) true)
+(expandtypeattribute (app_search_service_31_0) true)
+(expandtypeattribute (app_zygote_31_0) true)
+(expandtypeattribute (app_zygote_tmpfs_31_0) true)
+(expandtypeattribute (appcompat_data_file_31_0) true)
+(expandtypeattribute (appdomain_tmpfs_31_0) true)
+(expandtypeattribute (appops_service_31_0) true)
+(expandtypeattribute (appwidget_service_31_0) true)
+(expandtypeattribute (arm64_memtag_prop_31_0) true)
+(expandtypeattribute (art_apex_dir_31_0) true)
+(expandtypeattribute (asec_apk_file_31_0) true)
+(expandtypeattribute (asec_image_file_31_0) true)
+(expandtypeattribute (asec_public_file_31_0) true)
+(expandtypeattribute (ashmem_device_31_0) true)
+(expandtypeattribute (ashmem_libcutils_device_31_0) true)
+(expandtypeattribute (assetatlas_service_31_0) true)
+(expandtypeattribute (atrace_31_0) true)
+(expandtypeattribute (audio_config_prop_31_0) true)
+(expandtypeattribute (audio_data_file_31_0) true)
+(expandtypeattribute (audio_device_31_0) true)
+(expandtypeattribute (audio_prop_31_0) true)
+(expandtypeattribute (audio_service_31_0) true)
+(expandtypeattribute (audiohal_data_file_31_0) true)
+(expandtypeattribute (audioserver_31_0) true)
+(expandtypeattribute (audioserver_data_file_31_0) true)
+(expandtypeattribute (audioserver_service_31_0) true)
+(expandtypeattribute (audioserver_tmpfs_31_0) true)
+(expandtypeattribute (auth_service_31_0) true)
+(expandtypeattribute (authorization_service_31_0) true)
+(expandtypeattribute (autofill_service_31_0) true)
+(expandtypeattribute (backup_data_file_31_0) true)
+(expandtypeattribute (backup_service_31_0) true)
+(expandtypeattribute (battery_service_31_0) true)
+(expandtypeattribute (batteryproperties_service_31_0) true)
+(expandtypeattribute (batterystats_service_31_0) true)
+(expandtypeattribute (binder_cache_bluetooth_server_prop_31_0) true)
+(expandtypeattribute (binder_cache_system_server_prop_31_0) true)
+(expandtypeattribute (binder_cache_telephony_server_prop_31_0) true)
+(expandtypeattribute (binder_calls_stats_service_31_0) true)
+(expandtypeattribute (binder_device_31_0) true)
+(expandtypeattribute (binderfs_31_0) true)
+(expandtypeattribute (binderfs_logs_31_0) true)
+(expandtypeattribute (binderfs_logs_proc_31_0) true)
+(expandtypeattribute (binfmt_miscfs_31_0) true)
+(expandtypeattribute (biometric_service_31_0) true)
+(expandtypeattribute (blkid_31_0) true)
+(expandtypeattribute (blkid_untrusted_31_0) true)
+(expandtypeattribute (blob_store_service_31_0) true)
+(expandtypeattribute (block_device_31_0) true)
+(expandtypeattribute (bluetooth_31_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_31_0) true)
+(expandtypeattribute (bluetooth_audio_hal_prop_31_0) true)
+(expandtypeattribute (bluetooth_data_file_31_0) true)
+(expandtypeattribute (bluetooth_efs_file_31_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_31_0) true)
+(expandtypeattribute (bluetooth_manager_service_31_0) true)
+(expandtypeattribute (bluetooth_prop_31_0) true)
+(expandtypeattribute (bluetooth_service_31_0) true)
+(expandtypeattribute (bluetooth_socket_31_0) true)
+(expandtypeattribute (boot_block_device_31_0) true)
+(expandtypeattribute (boot_status_prop_31_0) true)
+(expandtypeattribute (bootanim_31_0) true)
+(expandtypeattribute (bootanim_config_prop_31_0) true)
+(expandtypeattribute (bootanim_exec_31_0) true)
+(expandtypeattribute (bootanim_system_prop_31_0) true)
+(expandtypeattribute (bootchart_data_file_31_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_31_0) true)
+(expandtypeattribute (bootloader_prop_31_0) true)
+(expandtypeattribute (bootstat_31_0) true)
+(expandtypeattribute (bootstat_data_file_31_0) true)
+(expandtypeattribute (bootstat_exec_31_0) true)
+(expandtypeattribute (boottime_prop_31_0) true)
+(expandtypeattribute (boottime_public_prop_31_0) true)
+(expandtypeattribute (boottrace_data_file_31_0) true)
+(expandtypeattribute (bpf_progs_loaded_prop_31_0) true)
+(expandtypeattribute (bq_config_prop_31_0) true)
+(expandtypeattribute (broadcastradio_service_31_0) true)
+(expandtypeattribute (bufferhubd_31_0) true)
+(expandtypeattribute (bufferhubd_exec_31_0) true)
+(expandtypeattribute (bugreport_service_31_0) true)
+(expandtypeattribute (build_bootimage_prop_31_0) true)
+(expandtypeattribute (build_config_prop_31_0) true)
+(expandtypeattribute (build_odm_prop_31_0) true)
+(expandtypeattribute (build_prop_31_0) true)
+(expandtypeattribute (build_vendor_prop_31_0) true)
+(expandtypeattribute (cache_backup_file_31_0) true)
+(expandtypeattribute (cache_block_device_31_0) true)
+(expandtypeattribute (cache_file_31_0) true)
+(expandtypeattribute (cache_private_backup_file_31_0) true)
+(expandtypeattribute (cache_recovery_file_31_0) true)
+(expandtypeattribute (cacheinfo_service_31_0) true)
+(expandtypeattribute (camera2_extensions_prop_31_0) true)
+(expandtypeattribute (camera_calibration_prop_31_0) true)
+(expandtypeattribute (camera_config_prop_31_0) true)
+(expandtypeattribute (camera_data_file_31_0) true)
+(expandtypeattribute (camera_device_31_0) true)
+(expandtypeattribute (cameraproxy_service_31_0) true)
+(expandtypeattribute (cameraserver_31_0) true)
+(expandtypeattribute (cameraserver_exec_31_0) true)
+(expandtypeattribute (cameraserver_service_31_0) true)
+(expandtypeattribute (cameraserver_tmpfs_31_0) true)
+(expandtypeattribute (camerax_extensions_prop_31_0) true)
+(expandtypeattribute (cgroup_31_0) true)
+(expandtypeattribute (cgroup_desc_api_file_31_0) true)
+(expandtypeattribute (cgroup_desc_file_31_0) true)
+(expandtypeattribute (cgroup_rc_file_31_0) true)
+(expandtypeattribute (cgroup_v2_31_0) true)
+(expandtypeattribute (charger_31_0) true)
+(expandtypeattribute (charger_config_prop_31_0) true)
+(expandtypeattribute (charger_exec_31_0) true)
+(expandtypeattribute (charger_prop_31_0) true)
+(expandtypeattribute (charger_status_prop_31_0) true)
+(expandtypeattribute (clipboard_service_31_0) true)
+(expandtypeattribute (codec2_config_prop_31_0) true)
+(expandtypeattribute (cold_boot_done_prop_31_0) true)
+(expandtypeattribute (color_display_service_31_0) true)
+(expandtypeattribute (companion_device_service_31_0) true)
+(expandtypeattribute (config_prop_31_0) true)
+(expandtypeattribute (configfs_31_0) true)
+(expandtypeattribute (connectivity_service_31_0) true)
+(expandtypeattribute (connmetrics_service_31_0) true)
+(expandtypeattribute (console_device_31_0) true)
+(expandtypeattribute (consumer_ir_service_31_0) true)
+(expandtypeattribute (content_capture_service_31_0) true)
+(expandtypeattribute (content_service_31_0) true)
+(expandtypeattribute (content_suggestions_service_31_0) true)
+(expandtypeattribute (contexthub_service_31_0) true)
+(expandtypeattribute (coredump_file_31_0) true)
+(expandtypeattribute (country_detector_service_31_0) true)
+(expandtypeattribute (coverage_service_31_0) true)
+(expandtypeattribute (cppreopt_prop_31_0) true)
+(expandtypeattribute (cpu_variant_prop_31_0) true)
+(expandtypeattribute (cpuinfo_service_31_0) true)
+(expandtypeattribute (crash_dump_31_0) true)
+(expandtypeattribute (crash_dump_exec_31_0) true)
+(expandtypeattribute (credstore_31_0) true)
+(expandtypeattribute (credstore_data_file_31_0) true)
+(expandtypeattribute (credstore_exec_31_0) true)
+(expandtypeattribute (credstore_service_31_0) true)
+(expandtypeattribute (crossprofileapps_service_31_0) true)
+(expandtypeattribute (ctl_adbd_prop_31_0) true)
+(expandtypeattribute (ctl_apexd_prop_31_0) true)
+(expandtypeattribute (ctl_bootanim_prop_31_0) true)
+(expandtypeattribute (ctl_bugreport_prop_31_0) true)
+(expandtypeattribute (ctl_console_prop_31_0) true)
+(expandtypeattribute (ctl_default_prop_31_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_31_0) true)
+(expandtypeattribute (ctl_fuse_prop_31_0) true)
+(expandtypeattribute (ctl_gsid_prop_31_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_31_0) true)
+(expandtypeattribute (ctl_interface_start_prop_31_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_31_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_31_0) true)
+(expandtypeattribute (ctl_restart_prop_31_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_31_0) true)
+(expandtypeattribute (ctl_sigstop_prop_31_0) true)
+(expandtypeattribute (ctl_start_prop_31_0) true)
+(expandtypeattribute (ctl_stop_prop_31_0) true)
+(expandtypeattribute (dalvik_config_prop_31_0) true)
+(expandtypeattribute (dalvik_prop_31_0) true)
+(expandtypeattribute (dalvik_runtime_prop_31_0) true)
+(expandtypeattribute (dalvikcache_data_file_31_0) true)
+(expandtypeattribute (dataloader_manager_service_31_0) true)
+(expandtypeattribute (dbinfo_service_31_0) true)
+(expandtypeattribute (dck_prop_31_0) true)
+(expandtypeattribute (debug_prop_31_0) true)
+(expandtypeattribute (debugfs_31_0) true)
+(expandtypeattribute (debugfs_bootreceiver_tracing_31_0) true)
+(expandtypeattribute (debugfs_kprobes_31_0) true)
+(expandtypeattribute (debugfs_mm_events_tracing_31_0) true)
+(expandtypeattribute (debugfs_mmc_31_0) true)
+(expandtypeattribute (debugfs_restriction_prop_31_0) true)
+(expandtypeattribute (debugfs_trace_marker_31_0) true)
+(expandtypeattribute (debugfs_tracing_31_0) true)
+(expandtypeattribute (debugfs_tracing_debug_31_0) true)
+(expandtypeattribute (debugfs_tracing_instances_31_0) true)
+(expandtypeattribute (debugfs_tracing_printk_formats_31_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_31_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_31_0) true)
+(expandtypeattribute (debuggerd_prop_31_0) true)
+(expandtypeattribute (default_android_hwservice_31_0) true)
+(expandtypeattribute (default_android_service_31_0) true)
+(expandtypeattribute (default_android_vndservice_31_0) true)
+(expandtypeattribute (default_prop_31_0) true)
+(expandtypeattribute (dev_cpu_variant_31_0) true)
+(expandtypeattribute (device_31_0) true)
+(expandtypeattribute (device_config_activity_manager_native_boot_prop_31_0) true)
+(expandtypeattribute (device_config_boot_count_prop_31_0) true)
+(expandtypeattribute (device_config_input_native_boot_prop_31_0) true)
+(expandtypeattribute (device_config_media_native_prop_31_0) true)
+(expandtypeattribute (device_config_netd_native_prop_31_0) true)
+(expandtypeattribute (device_config_reset_performed_prop_31_0) true)
+(expandtypeattribute (device_config_runtime_native_boot_prop_31_0) true)
+(expandtypeattribute (device_config_runtime_native_prop_31_0) true)
+(expandtypeattribute (device_config_service_31_0) true)
+(expandtypeattribute (device_identifiers_service_31_0) true)
+(expandtypeattribute (device_logging_prop_31_0) true)
+(expandtypeattribute (device_policy_service_31_0) true)
+(expandtypeattribute (device_state_service_31_0) true)
+(expandtypeattribute (deviceidle_service_31_0) true)
+(expandtypeattribute (devicestoragemonitor_service_31_0) true)
+(expandtypeattribute (devpts_31_0) true)
+(expandtypeattribute (dhcp_31_0) true)
+(expandtypeattribute (dhcp_data_file_31_0) true)
+(expandtypeattribute (dhcp_exec_31_0) true)
+(expandtypeattribute (dhcp_prop_31_0) true)
+(expandtypeattribute (diskstats_service_31_0) true)
+(expandtypeattribute (display_service_31_0) true)
+(expandtypeattribute (dm_device_31_0) true)
+(expandtypeattribute (dm_user_device_31_0) true)
+(expandtypeattribute (dmabuf_heap_device_31_0) true)
+(expandtypeattribute (dmabuf_system_heap_device_31_0) true)
+(expandtypeattribute (dmabuf_system_secure_heap_device_31_0) true)
+(expandtypeattribute (dnsmasq_31_0) true)
+(expandtypeattribute (dnsmasq_exec_31_0) true)
+(expandtypeattribute (dnsproxyd_socket_31_0) true)
+(expandtypeattribute (dnsresolver_service_31_0) true)
+(expandtypeattribute (domain_verification_service_31_0) true)
+(expandtypeattribute (dreams_service_31_0) true)
+(expandtypeattribute (drm_data_file_31_0) true)
+(expandtypeattribute (drm_service_config_prop_31_0) true)
+(expandtypeattribute (drmserver_31_0) true)
+(expandtypeattribute (drmserver_exec_31_0) true)
+(expandtypeattribute (drmserver_service_31_0) true)
+(expandtypeattribute (drmserver_socket_31_0) true)
+(expandtypeattribute (dropbox_data_file_31_0) true)
+(expandtypeattribute (dropbox_service_31_0) true)
+(expandtypeattribute (dumpstate_31_0) true)
+(expandtypeattribute (dumpstate_exec_31_0) true)
+(expandtypeattribute (dumpstate_options_prop_31_0) true)
+(expandtypeattribute (dumpstate_prop_31_0) true)
+(expandtypeattribute (dumpstate_service_31_0) true)
+(expandtypeattribute (dumpstate_socket_31_0) true)
+(expandtypeattribute (dynamic_system_prop_31_0) true)
+(expandtypeattribute (e2fs_31_0) true)
+(expandtypeattribute (e2fs_exec_31_0) true)
+(expandtypeattribute (efs_file_31_0) true)
+(expandtypeattribute (emergency_affordance_service_31_0) true)
+(expandtypeattribute (ephemeral_app_31_0) true)
+(expandtypeattribute (ethernet_service_31_0) true)
+(expandtypeattribute (exfat_31_0) true)
+(expandtypeattribute (exported3_system_prop_31_0) true)
+(expandtypeattribute (exported_bluetooth_prop_31_0) true)
+(expandtypeattribute (exported_camera_prop_31_0) true)
+(expandtypeattribute (exported_config_prop_31_0) true)
+(expandtypeattribute (exported_default_prop_31_0) true)
+(expandtypeattribute (exported_dumpstate_prop_31_0) true)
+(expandtypeattribute (exported_overlay_prop_31_0) true)
+(expandtypeattribute (exported_pm_prop_31_0) true)
+(expandtypeattribute (exported_secure_prop_31_0) true)
+(expandtypeattribute (exported_system_prop_31_0) true)
+(expandtypeattribute (external_vibrator_service_31_0) true)
+(expandtypeattribute (face_service_31_0) true)
+(expandtypeattribute (face_vendor_data_file_31_0) true)
+(expandtypeattribute (fastbootd_31_0) true)
+(expandtypeattribute (ffs_config_prop_31_0) true)
+(expandtypeattribute (ffs_control_prop_31_0) true)
+(expandtypeattribute (file_contexts_file_31_0) true)
+(expandtypeattribute (file_integrity_service_31_0) true)
+(expandtypeattribute (fingerprint_prop_31_0) true)
+(expandtypeattribute (fingerprint_service_31_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_31_0) true)
+(expandtypeattribute (fingerprintd_31_0) true)
+(expandtypeattribute (fingerprintd_data_file_31_0) true)
+(expandtypeattribute (fingerprintd_exec_31_0) true)
+(expandtypeattribute (fingerprintd_service_31_0) true)
+(expandtypeattribute (firstboot_prop_31_0) true)
+(expandtypeattribute (flags_health_check_31_0) true)
+(expandtypeattribute (flags_health_check_exec_31_0) true)
+(expandtypeattribute (font_service_31_0) true)
+(expandtypeattribute (framework_watchdog_config_prop_31_0) true)
+(expandtypeattribute (frp_block_device_31_0) true)
+(expandtypeattribute (fs_bpf_31_0) true)
+(expandtypeattribute (fs_bpf_tethering_31_0) true)
+(expandtypeattribute (fsck_31_0) true)
+(expandtypeattribute (fsck_exec_31_0) true)
+(expandtypeattribute (fsck_untrusted_31_0) true)
+(expandtypeattribute (fscklogs_31_0) true)
+(expandtypeattribute (functionfs_31_0) true)
+(expandtypeattribute (fuse_31_0) true)
+(expandtypeattribute (fuse_device_31_0) true)
+(expandtypeattribute (fusectlfs_31_0) true)
+(expandtypeattribute (fwk_automotive_display_hwservice_31_0) true)
+(expandtypeattribute (fwk_bufferhub_hwservice_31_0) true)
+(expandtypeattribute (fwk_camera_hwservice_31_0) true)
+(expandtypeattribute (fwk_display_hwservice_31_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_31_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_31_0) true)
+(expandtypeattribute (fwk_stats_hwservice_31_0) true)
+(expandtypeattribute (fwk_stats_service_31_0) true)
+(expandtypeattribute (fwmarkd_socket_31_0) true)
+(expandtypeattribute (game_service_31_0) true)
+(expandtypeattribute (gatekeeper_data_file_31_0) true)
+(expandtypeattribute (gatekeeper_service_31_0) true)
+(expandtypeattribute (gatekeeperd_31_0) true)
+(expandtypeattribute (gatekeeperd_exec_31_0) true)
+(expandtypeattribute (gfxinfo_service_31_0) true)
+(expandtypeattribute (gmscore_app_31_0) true)
+(expandtypeattribute (gnss_device_31_0) true)
+(expandtypeattribute (gnss_time_update_service_31_0) true)
+(expandtypeattribute (gps_control_31_0) true)
+(expandtypeattribute (gpu_device_31_0) true)
+(expandtypeattribute (gpu_service_31_0) true)
+(expandtypeattribute (gpuservice_31_0) true)
+(expandtypeattribute (graphics_config_prop_31_0) true)
+(expandtypeattribute (graphics_device_31_0) true)
+(expandtypeattribute (graphicsstats_service_31_0) true)
+(expandtypeattribute (gsi_data_file_31_0) true)
+(expandtypeattribute (gsi_metadata_file_31_0) true)
+(expandtypeattribute (gsi_public_metadata_file_31_0) true)
+(expandtypeattribute (hal_atrace_hwservice_31_0) true)
+(expandtypeattribute (hal_audio_hwservice_31_0) true)
+(expandtypeattribute (hal_audio_service_31_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_31_0) true)
+(expandtypeattribute (hal_audiocontrol_service_31_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_31_0) true)
+(expandtypeattribute (hal_authsecret_service_31_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_31_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_31_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_31_0) true)
+(expandtypeattribute (hal_camera_hwservice_31_0) true)
+(expandtypeattribute (hal_can_bus_hwservice_31_0) true)
+(expandtypeattribute (hal_can_controller_hwservice_31_0) true)
+(expandtypeattribute (hal_cas_hwservice_31_0) true)
+(expandtypeattribute (hal_codec2_hwservice_31_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_31_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_31_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_31_0) true)
+(expandtypeattribute (hal_drm_hwservice_31_0) true)
+(expandtypeattribute (hal_dumpstate_config_prop_31_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_31_0) true)
+(expandtypeattribute (hal_evs_hwservice_31_0) true)
+(expandtypeattribute (hal_face_hwservice_31_0) true)
+(expandtypeattribute (hal_face_service_31_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_31_0) true)
+(expandtypeattribute (hal_fingerprint_service_31_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_31_0) true)
+(expandtypeattribute (hal_gnss_hwservice_31_0) true)
+(expandtypeattribute (hal_gnss_service_31_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_31_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_31_0) true)
+(expandtypeattribute (hal_graphics_composer_server_tmpfs_31_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_31_0) true)
+(expandtypeattribute (hal_health_hwservice_31_0) true)
+(expandtypeattribute (hal_health_storage_hwservice_31_0) true)
+(expandtypeattribute (hal_health_storage_service_31_0) true)
+(expandtypeattribute (hal_identity_service_31_0) true)
+(expandtypeattribute (hal_input_classifier_hwservice_31_0) true)
+(expandtypeattribute (hal_instrumentation_prop_31_0) true)
+(expandtypeattribute (hal_ir_hwservice_31_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_31_0) true)
+(expandtypeattribute (hal_keymint_service_31_0) true)
+(expandtypeattribute (hal_light_hwservice_31_0) true)
+(expandtypeattribute (hal_light_service_31_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_31_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_31_0) true)
+(expandtypeattribute (hal_memtrack_service_31_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_31_0) true)
+(expandtypeattribute (hal_neuralnetworks_service_31_0) true)
+(expandtypeattribute (hal_nfc_hwservice_31_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_31_0) true)
+(expandtypeattribute (hal_oemlock_service_31_0) true)
+(expandtypeattribute (hal_omx_hwservice_31_0) true)
+(expandtypeattribute (hal_power_hwservice_31_0) true)
+(expandtypeattribute (hal_power_service_31_0) true)
+(expandtypeattribute (hal_power_stats_hwservice_31_0) true)
+(expandtypeattribute (hal_power_stats_service_31_0) true)
+(expandtypeattribute (hal_rebootescrow_service_31_0) true)
+(expandtypeattribute (hal_remotelyprovisionedcomponent_service_31_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_31_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_31_0) true)
+(expandtypeattribute (hal_secureclock_service_31_0) true)
+(expandtypeattribute (hal_sensors_hwservice_31_0) true)
+(expandtypeattribute (hal_sharedsecret_service_31_0) true)
+(expandtypeattribute (hal_telephony_hwservice_31_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_31_0) true)
+(expandtypeattribute (hal_thermal_hwservice_31_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_31_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_31_0) true)
+(expandtypeattribute (hal_tv_tuner_hwservice_31_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_31_0) true)
+(expandtypeattribute (hal_usb_hwservice_31_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_31_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_31_0) true)
+(expandtypeattribute (hal_vibrator_service_31_0) true)
+(expandtypeattribute (hal_vr_hwservice_31_0) true)
+(expandtypeattribute (hal_weaver_hwservice_31_0) true)
+(expandtypeattribute (hal_weaver_service_31_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_31_0) true)
+(expandtypeattribute (hal_wifi_hwservice_31_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_31_0) true)
+(expandtypeattribute (hardware_properties_service_31_0) true)
+(expandtypeattribute (hardware_service_31_0) true)
+(expandtypeattribute (hci_attach_dev_31_0) true)
+(expandtypeattribute (hdmi_config_prop_31_0) true)
+(expandtypeattribute (hdmi_control_service_31_0) true)
+(expandtypeattribute (healthd_31_0) true)
+(expandtypeattribute (healthd_exec_31_0) true)
+(expandtypeattribute (heapdump_data_file_31_0) true)
+(expandtypeattribute (heapprofd_31_0) true)
+(expandtypeattribute (heapprofd_enabled_prop_31_0) true)
+(expandtypeattribute (heapprofd_prop_31_0) true)
+(expandtypeattribute (heapprofd_socket_31_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_31_0) true)
+(expandtypeattribute (hidl_base_hwservice_31_0) true)
+(expandtypeattribute (hidl_manager_hwservice_31_0) true)
+(expandtypeattribute (hidl_memory_hwservice_31_0) true)
+(expandtypeattribute (hidl_token_hwservice_31_0) true)
+(expandtypeattribute (hint_service_31_0) true)
+(expandtypeattribute (hw_random_device_31_0) true)
+(expandtypeattribute (hw_timeout_multiplier_prop_31_0) true)
+(expandtypeattribute (hwbinder_device_31_0) true)
+(expandtypeattribute (hwservice_contexts_file_31_0) true)
+(expandtypeattribute (hwservicemanager_31_0) true)
+(expandtypeattribute (hwservicemanager_exec_31_0) true)
+(expandtypeattribute (hwservicemanager_prop_31_0) true)
+(expandtypeattribute (icon_file_31_0) true)
+(expandtypeattribute (idmap_31_0) true)
+(expandtypeattribute (idmap_exec_31_0) true)
+(expandtypeattribute (idmap_service_31_0) true)
+(expandtypeattribute (iio_device_31_0) true)
+(expandtypeattribute (imms_service_31_0) true)
+(expandtypeattribute (incident_31_0) true)
+(expandtypeattribute (incident_data_file_31_0) true)
+(expandtypeattribute (incident_helper_31_0) true)
+(expandtypeattribute (incident_service_31_0) true)
+(expandtypeattribute (incidentd_31_0) true)
+(expandtypeattribute (incremental_control_file_31_0) true)
+(expandtypeattribute (incremental_prop_31_0) true)
+(expandtypeattribute (incremental_service_31_0) true)
+(expandtypeattribute (init_31_0) true)
+(expandtypeattribute (init_exec_31_0) true)
+(expandtypeattribute (init_service_status_prop_31_0) true)
+(expandtypeattribute (init_tmpfs_31_0) true)
+(expandtypeattribute (inotify_31_0) true)
+(expandtypeattribute (input_device_31_0) true)
+(expandtypeattribute (input_method_service_31_0) true)
+(expandtypeattribute (input_service_31_0) true)
+(expandtypeattribute (inputflinger_31_0) true)
+(expandtypeattribute (inputflinger_exec_31_0) true)
+(expandtypeattribute (inputflinger_service_31_0) true)
+(expandtypeattribute (install_data_file_31_0) true)
+(expandtypeattribute (installd_31_0) true)
+(expandtypeattribute (installd_exec_31_0) true)
+(expandtypeattribute (installd_service_31_0) true)
+(expandtypeattribute (ion_device_31_0) true)
+(expandtypeattribute (iorap_inode2filename_31_0) true)
+(expandtypeattribute (iorap_inode2filename_exec_31_0) true)
+(expandtypeattribute (iorap_inode2filename_tmpfs_31_0) true)
+(expandtypeattribute (iorap_prefetcherd_31_0) true)
+(expandtypeattribute (iorap_prefetcherd_exec_31_0) true)
+(expandtypeattribute (iorap_prefetcherd_tmpfs_31_0) true)
+(expandtypeattribute (iorapd_31_0) true)
+(expandtypeattribute (iorapd_data_file_31_0) true)
+(expandtypeattribute (iorapd_exec_31_0) true)
+(expandtypeattribute (iorapd_service_31_0) true)
+(expandtypeattribute (iorapd_tmpfs_31_0) true)
+(expandtypeattribute (ipsec_service_31_0) true)
+(expandtypeattribute (iris_service_31_0) true)
+(expandtypeattribute (iris_vendor_data_file_31_0) true)
+(expandtypeattribute (isolated_app_31_0) true)
+(expandtypeattribute (jobscheduler_service_31_0) true)
+(expandtypeattribute (kernel_31_0) true)
+(expandtypeattribute (keychain_data_file_31_0) true)
+(expandtypeattribute (keychord_device_31_0) true)
+(expandtypeattribute (keyguard_config_prop_31_0) true)
+(expandtypeattribute (keystore2_key_contexts_file_31_0) true)
+(expandtypeattribute (keystore_31_0) true)
+(expandtypeattribute (keystore_compat_hal_service_31_0) true)
+(expandtypeattribute (keystore_data_file_31_0) true)
+(expandtypeattribute (keystore_exec_31_0) true)
+(expandtypeattribute (keystore_maintenance_service_31_0) true)
+(expandtypeattribute (keystore_metrics_service_31_0) true)
+(expandtypeattribute (keystore_service_31_0) true)
+(expandtypeattribute (kmsg_debug_device_31_0) true)
+(expandtypeattribute (kmsg_device_31_0) true)
+(expandtypeattribute (labeledfs_31_0) true)
+(expandtypeattribute (launcherapps_service_31_0) true)
+(expandtypeattribute (legacy_permission_service_31_0) true)
+(expandtypeattribute (legacykeystore_service_31_0) true)
+(expandtypeattribute (libc_debug_prop_31_0) true)
+(expandtypeattribute (light_service_31_0) true)
+(expandtypeattribute (linkerconfig_file_31_0) true)
+(expandtypeattribute (llkd_31_0) true)
+(expandtypeattribute (llkd_exec_31_0) true)
+(expandtypeattribute (llkd_prop_31_0) true)
+(expandtypeattribute (lmkd_31_0) true)
+(expandtypeattribute (lmkd_config_prop_31_0) true)
+(expandtypeattribute (lmkd_exec_31_0) true)
+(expandtypeattribute (lmkd_prop_31_0) true)
+(expandtypeattribute (lmkd_socket_31_0) true)
+(expandtypeattribute (location_service_31_0) true)
+(expandtypeattribute (location_time_zone_manager_service_31_0) true)
+(expandtypeattribute (lock_settings_service_31_0) true)
+(expandtypeattribute (log_prop_31_0) true)
+(expandtypeattribute (log_tag_prop_31_0) true)
+(expandtypeattribute (logcat_exec_31_0) true)
+(expandtypeattribute (logd_31_0) true)
+(expandtypeattribute (logd_exec_31_0) true)
+(expandtypeattribute (logd_prop_31_0) true)
+(expandtypeattribute (logd_socket_31_0) true)
+(expandtypeattribute (logdr_socket_31_0) true)
+(expandtypeattribute (logdw_socket_31_0) true)
+(expandtypeattribute (logpersist_31_0) true)
+(expandtypeattribute (logpersistd_logging_prop_31_0) true)
+(expandtypeattribute (loop_control_device_31_0) true)
+(expandtypeattribute (loop_device_31_0) true)
+(expandtypeattribute (looper_stats_service_31_0) true)
+(expandtypeattribute (lowpan_device_31_0) true)
+(expandtypeattribute (lowpan_prop_31_0) true)
+(expandtypeattribute (lowpan_service_31_0) true)
+(expandtypeattribute (lpdump_service_31_0) true)
+(expandtypeattribute (lpdumpd_prop_31_0) true)
+(expandtypeattribute (mac_perms_file_31_0) true)
+(expandtypeattribute (mdns_socket_31_0) true)
+(expandtypeattribute (mdnsd_31_0) true)
+(expandtypeattribute (mdnsd_socket_31_0) true)
+(expandtypeattribute (media_communication_service_31_0) true)
+(expandtypeattribute (media_config_prop_31_0) true)
+(expandtypeattribute (media_data_file_31_0) true)
+(expandtypeattribute (media_metrics_service_31_0) true)
+(expandtypeattribute (media_projection_service_31_0) true)
+(expandtypeattribute (media_router_service_31_0) true)
+(expandtypeattribute (media_rw_data_file_31_0) true)
+(expandtypeattribute (media_session_service_31_0) true)
+(expandtypeattribute (media_variant_prop_31_0) true)
+(expandtypeattribute (mediadrm_config_prop_31_0) true)
+(expandtypeattribute (mediadrmserver_31_0) true)
+(expandtypeattribute (mediadrmserver_exec_31_0) true)
+(expandtypeattribute (mediadrmserver_service_31_0) true)
+(expandtypeattribute (mediaextractor_31_0) true)
+(expandtypeattribute (mediaextractor_exec_31_0) true)
+(expandtypeattribute (mediaextractor_service_31_0) true)
+(expandtypeattribute (mediaextractor_tmpfs_31_0) true)
+(expandtypeattribute (mediametrics_31_0) true)
+(expandtypeattribute (mediametrics_exec_31_0) true)
+(expandtypeattribute (mediametrics_service_31_0) true)
+(expandtypeattribute (mediaprovider_31_0) true)
+(expandtypeattribute (mediaserver_31_0) true)
+(expandtypeattribute (mediaserver_exec_31_0) true)
+(expandtypeattribute (mediaserver_service_31_0) true)
+(expandtypeattribute (mediaserver_tmpfs_31_0) true)
+(expandtypeattribute (mediaswcodec_31_0) true)
+(expandtypeattribute (mediaswcodec_exec_31_0) true)
+(expandtypeattribute (mediatranscoding_service_31_0) true)
+(expandtypeattribute (meminfo_service_31_0) true)
+(expandtypeattribute (memtrackproxy_service_31_0) true)
+(expandtypeattribute (metadata_block_device_31_0) true)
+(expandtypeattribute (metadata_bootstat_file_31_0) true)
+(expandtypeattribute (metadata_file_31_0) true)
+(expandtypeattribute (method_trace_data_file_31_0) true)
+(expandtypeattribute (midi_service_31_0) true)
+(expandtypeattribute (mirror_data_file_31_0) true)
+(expandtypeattribute (misc_block_device_31_0) true)
+(expandtypeattribute (misc_logd_file_31_0) true)
+(expandtypeattribute (misc_user_data_file_31_0) true)
+(expandtypeattribute (mm_events_config_prop_31_0) true)
+(expandtypeattribute (mmc_prop_31_0) true)
+(expandtypeattribute (mnt_expand_file_31_0) true)
+(expandtypeattribute (mnt_media_rw_file_31_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_31_0) true)
+(expandtypeattribute (mnt_pass_through_file_31_0) true)
+(expandtypeattribute (mnt_product_file_31_0) true)
+(expandtypeattribute (mnt_sdcard_file_31_0) true)
+(expandtypeattribute (mnt_user_file_31_0) true)
+(expandtypeattribute (mnt_vendor_file_31_0) true)
+(expandtypeattribute (mock_ota_prop_31_0) true)
+(expandtypeattribute (modprobe_31_0) true)
+(expandtypeattribute (module_sdkextensions_prop_31_0) true)
+(expandtypeattribute (mount_service_31_0) true)
+(expandtypeattribute (mqueue_31_0) true)
+(expandtypeattribute (mtp_31_0) true)
+(expandtypeattribute (mtp_device_31_0) true)
+(expandtypeattribute (mtp_exec_31_0) true)
+(expandtypeattribute (mtpd_socket_31_0) true)
+(expandtypeattribute (music_recognition_service_31_0) true)
+(expandtypeattribute (nativetest_data_file_31_0) true)
+(expandtypeattribute (net_data_file_31_0) true)
+(expandtypeattribute (net_dns_prop_31_0) true)
+(expandtypeattribute (net_radio_prop_31_0) true)
+(expandtypeattribute (netd_31_0) true)
+(expandtypeattribute (netd_exec_31_0) true)
+(expandtypeattribute (netd_listener_service_31_0) true)
+(expandtypeattribute (netd_service_31_0) true)
+(expandtypeattribute (netif_31_0) true)
+(expandtypeattribute (netpolicy_service_31_0) true)
+(expandtypeattribute (netstats_service_31_0) true)
+(expandtypeattribute (netutils_wrapper_31_0) true)
+(expandtypeattribute (netutils_wrapper_exec_31_0) true)
+(expandtypeattribute (network_management_service_31_0) true)
+(expandtypeattribute (network_score_service_31_0) true)
+(expandtypeattribute (network_stack_31_0) true)
+(expandtypeattribute (network_stack_service_31_0) true)
+(expandtypeattribute (network_time_update_service_31_0) true)
+(expandtypeattribute (network_watchlist_data_file_31_0) true)
+(expandtypeattribute (network_watchlist_service_31_0) true)
+(expandtypeattribute (nfc_31_0) true)
+(expandtypeattribute (nfc_data_file_31_0) true)
+(expandtypeattribute (nfc_device_31_0) true)
+(expandtypeattribute (nfc_logs_data_file_31_0) true)
+(expandtypeattribute (nfc_prop_31_0) true)
+(expandtypeattribute (nfc_service_31_0) true)
+(expandtypeattribute (nnapi_ext_deny_product_prop_31_0) true)
+(expandtypeattribute (node_31_0) true)
+(expandtypeattribute (nonplat_service_contexts_file_31_0) true)
+(expandtypeattribute (notification_service_31_0) true)
+(expandtypeattribute (null_device_31_0) true)
+(expandtypeattribute (oem_lock_service_31_0) true)
+(expandtypeattribute (oem_unlock_prop_31_0) true)
+(expandtypeattribute (oemfs_31_0) true)
+(expandtypeattribute (ota_data_file_31_0) true)
+(expandtypeattribute (ota_metadata_file_31_0) true)
+(expandtypeattribute (ota_package_file_31_0) true)
+(expandtypeattribute (ota_prop_31_0) true)
+(expandtypeattribute (otadexopt_service_31_0) true)
+(expandtypeattribute (otapreopt_chroot_31_0) true)
+(expandtypeattribute (overlay_prop_31_0) true)
+(expandtypeattribute (overlay_service_31_0) true)
+(expandtypeattribute (overlayfs_file_31_0) true)
+(expandtypeattribute (owntty_device_31_0) true)
+(expandtypeattribute (pac_proxy_service_31_0) true)
+(expandtypeattribute (package_native_service_31_0) true)
+(expandtypeattribute (package_service_31_0) true)
+(expandtypeattribute (packagemanager_config_prop_31_0) true)
+(expandtypeattribute (packages_list_file_31_0) true)
+(expandtypeattribute (pan_result_prop_31_0) true)
+(expandtypeattribute (password_slot_metadata_file_31_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_31_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_31_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_31_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_31_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_31_0) true)
+(expandtypeattribute (pdx_display_dir_31_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_31_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_31_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_31_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_31_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_31_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_31_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_31_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_31_0) true)
+(expandtypeattribute (pdx_performance_dir_31_0) true)
+(expandtypeattribute (people_service_31_0) true)
+(expandtypeattribute (perfetto_31_0) true)
+(expandtypeattribute (performanced_31_0) true)
+(expandtypeattribute (performanced_exec_31_0) true)
+(expandtypeattribute (permission_checker_service_31_0) true)
+(expandtypeattribute (permission_service_31_0) true)
+(expandtypeattribute (permissionmgr_service_31_0) true)
+(expandtypeattribute (persist_debug_prop_31_0) true)
+(expandtypeattribute (persist_vendor_debug_wifi_prop_31_0) true)
+(expandtypeattribute (persistent_data_block_service_31_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_31_0) true)
+(expandtypeattribute (pinner_service_31_0) true)
+(expandtypeattribute (pipefs_31_0) true)
+(expandtypeattribute (platform_app_31_0) true)
+(expandtypeattribute (platform_compat_service_31_0) true)
+(expandtypeattribute (pmsg_device_31_0) true)
+(expandtypeattribute (port_31_0) true)
+(expandtypeattribute (port_device_31_0) true)
+(expandtypeattribute (postinstall_31_0) true)
+(expandtypeattribute (postinstall_apex_mnt_dir_31_0) true)
+(expandtypeattribute (postinstall_file_31_0) true)
+(expandtypeattribute (postinstall_mnt_dir_31_0) true)
+(expandtypeattribute (power_debug_prop_31_0) true)
+(expandtypeattribute (power_service_31_0) true)
+(expandtypeattribute (powerctl_prop_31_0) true)
+(expandtypeattribute (powerstats_service_31_0) true)
+(expandtypeattribute (ppp_31_0) true)
+(expandtypeattribute (ppp_device_31_0) true)
+(expandtypeattribute (ppp_exec_31_0) true)
+(expandtypeattribute (preloads_data_file_31_0) true)
+(expandtypeattribute (preloads_media_file_31_0) true)
+(expandtypeattribute (prereboot_data_file_31_0) true)
+(expandtypeattribute (print_service_31_0) true)
+(expandtypeattribute (priv_app_31_0) true)
+(expandtypeattribute (privapp_data_file_31_0) true)
+(expandtypeattribute (proc_31_0) true)
+(expandtypeattribute (proc_abi_31_0) true)
+(expandtypeattribute (proc_asound_31_0) true)
+(expandtypeattribute (proc_bluetooth_writable_31_0) true)
+(expandtypeattribute (proc_bootconfig_31_0) true)
+(expandtypeattribute (proc_buddyinfo_31_0) true)
+(expandtypeattribute (proc_cmdline_31_0) true)
+(expandtypeattribute (proc_cpuinfo_31_0) true)
+(expandtypeattribute (proc_dirty_31_0) true)
+(expandtypeattribute (proc_diskstats_31_0) true)
+(expandtypeattribute (proc_drop_caches_31_0) true)
+(expandtypeattribute (proc_extra_free_kbytes_31_0) true)
+(expandtypeattribute (proc_filesystems_31_0) true)
+(expandtypeattribute (proc_fs_verity_31_0) true)
+(expandtypeattribute (proc_hostname_31_0) true)
+(expandtypeattribute (proc_hung_task_31_0) true)
+(expandtypeattribute (proc_interrupts_31_0) true)
+(expandtypeattribute (proc_iomem_31_0) true)
+(expandtypeattribute (proc_kallsyms_31_0) true)
+(expandtypeattribute (proc_keys_31_0) true)
+(expandtypeattribute (proc_kmsg_31_0) true)
+(expandtypeattribute (proc_kpageflags_31_0) true)
+(expandtypeattribute (proc_loadavg_31_0) true)
+(expandtypeattribute (proc_locks_31_0) true)
+(expandtypeattribute (proc_lowmemorykiller_31_0) true)
+(expandtypeattribute (proc_max_map_count_31_0) true)
+(expandtypeattribute (proc_meminfo_31_0) true)
+(expandtypeattribute (proc_min_free_order_shift_31_0) true)
+(expandtypeattribute (proc_misc_31_0) true)
+(expandtypeattribute (proc_modules_31_0) true)
+(expandtypeattribute (proc_mounts_31_0) true)
+(expandtypeattribute (proc_net_31_0) true)
+(expandtypeattribute (proc_net_tcp_udp_31_0) true)
+(expandtypeattribute (proc_overcommit_memory_31_0) true)
+(expandtypeattribute (proc_page_cluster_31_0) true)
+(expandtypeattribute (proc_pagetypeinfo_31_0) true)
+(expandtypeattribute (proc_panic_31_0) true)
+(expandtypeattribute (proc_perf_31_0) true)
+(expandtypeattribute (proc_pid_max_31_0) true)
+(expandtypeattribute (proc_pipe_conf_31_0) true)
+(expandtypeattribute (proc_pressure_cpu_31_0) true)
+(expandtypeattribute (proc_pressure_io_31_0) true)
+(expandtypeattribute (proc_pressure_mem_31_0) true)
+(expandtypeattribute (proc_qtaguid_ctrl_31_0) true)
+(expandtypeattribute (proc_qtaguid_stat_31_0) true)
+(expandtypeattribute (proc_random_31_0) true)
+(expandtypeattribute (proc_sched_31_0) true)
+(expandtypeattribute (proc_security_31_0) true)
+(expandtypeattribute (proc_slabinfo_31_0) true)
+(expandtypeattribute (proc_stat_31_0) true)
+(expandtypeattribute (proc_swaps_31_0) true)
+(expandtypeattribute (proc_sysrq_31_0) true)
+(expandtypeattribute (proc_timer_31_0) true)
+(expandtypeattribute (proc_tty_drivers_31_0) true)
+(expandtypeattribute (proc_uid_concurrent_active_time_31_0) true)
+(expandtypeattribute (proc_uid_concurrent_policy_time_31_0) true)
+(expandtypeattribute (proc_uid_cpupower_31_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_31_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_31_0) true)
+(expandtypeattribute (proc_uid_io_stats_31_0) true)
+(expandtypeattribute (proc_uid_procstat_set_31_0) true)
+(expandtypeattribute (proc_uid_time_in_state_31_0) true)
+(expandtypeattribute (proc_uptime_31_0) true)
+(expandtypeattribute (proc_vendor_sched_31_0) true)
+(expandtypeattribute (proc_version_31_0) true)
+(expandtypeattribute (proc_vmallocinfo_31_0) true)
+(expandtypeattribute (proc_vmstat_31_0) true)
+(expandtypeattribute (proc_zoneinfo_31_0) true)
+(expandtypeattribute (processinfo_service_31_0) true)
+(expandtypeattribute (procstats_service_31_0) true)
+(expandtypeattribute (profman_31_0) true)
+(expandtypeattribute (profman_dump_data_file_31_0) true)
+(expandtypeattribute (profman_exec_31_0) true)
+(expandtypeattribute (properties_device_31_0) true)
+(expandtypeattribute (properties_serial_31_0) true)
+(expandtypeattribute (property_contexts_file_31_0) true)
+(expandtypeattribute (property_data_file_31_0) true)
+(expandtypeattribute (property_info_31_0) true)
+(expandtypeattribute (property_service_version_prop_31_0) true)
+(expandtypeattribute (property_socket_31_0) true)
+(expandtypeattribute (provisioned_prop_31_0) true)
+(expandtypeattribute (pstorefs_31_0) true)
+(expandtypeattribute (ptmx_device_31_0) true)
+(expandtypeattribute (qemu_hw_prop_31_0) true)
+(expandtypeattribute (qemu_sf_lcd_density_prop_31_0) true)
+(expandtypeattribute (qtaguid_device_31_0) true)
+(expandtypeattribute (racoon_31_0) true)
+(expandtypeattribute (racoon_exec_31_0) true)
+(expandtypeattribute (racoon_socket_31_0) true)
+(expandtypeattribute (radio_31_0) true)
+(expandtypeattribute (radio_control_prop_31_0) true)
+(expandtypeattribute (radio_core_data_file_31_0) true)
+(expandtypeattribute (radio_data_file_31_0) true)
+(expandtypeattribute (radio_device_31_0) true)
+(expandtypeattribute (radio_prop_31_0) true)
+(expandtypeattribute (radio_service_31_0) true)
+(expandtypeattribute (ram_device_31_0) true)
+(expandtypeattribute (random_device_31_0) true)
+(expandtypeattribute (reboot_readiness_service_31_0) true)
+(expandtypeattribute (rebootescrow_hal_prop_31_0) true)
+(expandtypeattribute (recovery_31_0) true)
+(expandtypeattribute (recovery_block_device_31_0) true)
+(expandtypeattribute (recovery_config_prop_31_0) true)
+(expandtypeattribute (recovery_data_file_31_0) true)
+(expandtypeattribute (recovery_persist_31_0) true)
+(expandtypeattribute (recovery_persist_exec_31_0) true)
+(expandtypeattribute (recovery_refresh_31_0) true)
+(expandtypeattribute (recovery_refresh_exec_31_0) true)
+(expandtypeattribute (recovery_service_31_0) true)
+(expandtypeattribute (recovery_socket_31_0) true)
+(expandtypeattribute (registry_service_31_0) true)
+(expandtypeattribute (remoteprovisioning_service_31_0) true)
+(expandtypeattribute (resourcecache_data_file_31_0) true)
+(expandtypeattribute (restorecon_prop_31_0) true)
+(expandtypeattribute (restrictions_service_31_0) true)
+(expandtypeattribute (retaildemo_prop_31_0) true)
+(expandtypeattribute (rild_debug_socket_31_0) true)
+(expandtypeattribute (rild_socket_31_0) true)
+(expandtypeattribute (ringtone_file_31_0) true)
+(expandtypeattribute (role_service_31_0) true)
+(expandtypeattribute (rollback_service_31_0) true)
+(expandtypeattribute (root_block_device_31_0) true)
+(expandtypeattribute (rootfs_31_0) true)
+(expandtypeattribute (rpmsg_device_31_0) true)
+(expandtypeattribute (rs_31_0) true)
+(expandtypeattribute (rs_exec_31_0) true)
+(expandtypeattribute (rss_hwm_reset_31_0) true)
+(expandtypeattribute (rtc_device_31_0) true)
+(expandtypeattribute (rttmanager_service_31_0) true)
+(expandtypeattribute (runas_31_0) true)
+(expandtypeattribute (runas_app_31_0) true)
+(expandtypeattribute (runas_exec_31_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_31_0) true)
+(expandtypeattribute (runtime_service_31_0) true)
+(expandtypeattribute (safemode_prop_31_0) true)
+(expandtypeattribute (same_process_hal_file_31_0) true)
+(expandtypeattribute (samplingprofiler_service_31_0) true)
+(expandtypeattribute (scheduling_policy_service_31_0) true)
+(expandtypeattribute (sdcard_block_device_31_0) true)
+(expandtypeattribute (sdcardd_31_0) true)
+(expandtypeattribute (sdcardd_exec_31_0) true)
+(expandtypeattribute (sdcardfs_31_0) true)
+(expandtypeattribute (seapp_contexts_file_31_0) true)
+(expandtypeattribute (search_service_31_0) true)
+(expandtypeattribute (search_ui_service_31_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_31_0) true)
+(expandtypeattribute (secure_element_31_0) true)
+(expandtypeattribute (secure_element_device_31_0) true)
+(expandtypeattribute (secure_element_service_31_0) true)
+(expandtypeattribute (securityfs_31_0) true)
+(expandtypeattribute (selinuxfs_31_0) true)
+(expandtypeattribute (sendbug_config_prop_31_0) true)
+(expandtypeattribute (sensor_privacy_service_31_0) true)
+(expandtypeattribute (sensors_device_31_0) true)
+(expandtypeattribute (sensorservice_service_31_0) true)
+(expandtypeattribute (sepolicy_file_31_0) true)
+(expandtypeattribute (serial_device_31_0) true)
+(expandtypeattribute (serial_service_31_0) true)
+(expandtypeattribute (serialno_prop_31_0) true)
+(expandtypeattribute (server_configurable_flags_data_file_31_0) true)
+(expandtypeattribute (service_contexts_file_31_0) true)
+(expandtypeattribute (service_manager_service_31_0) true)
+(expandtypeattribute (service_manager_vndservice_31_0) true)
+(expandtypeattribute (servicediscovery_service_31_0) true)
+(expandtypeattribute (servicemanager_31_0) true)
+(expandtypeattribute (servicemanager_exec_31_0) true)
+(expandtypeattribute (settings_service_31_0) true)
+(expandtypeattribute (sgdisk_31_0) true)
+(expandtypeattribute (sgdisk_exec_31_0) true)
+(expandtypeattribute (shared_relro_31_0) true)
+(expandtypeattribute (shared_relro_file_31_0) true)
+(expandtypeattribute (shell_31_0) true)
+(expandtypeattribute (shell_data_file_31_0) true)
+(expandtypeattribute (shell_exec_31_0) true)
+(expandtypeattribute (shell_prop_31_0) true)
+(expandtypeattribute (shell_test_data_file_31_0) true)
+(expandtypeattribute (shm_31_0) true)
+(expandtypeattribute (shortcut_manager_icons_31_0) true)
+(expandtypeattribute (shortcut_service_31_0) true)
+(expandtypeattribute (simpleperf_31_0) true)
+(expandtypeattribute (simpleperf_app_runner_31_0) true)
+(expandtypeattribute (simpleperf_app_runner_exec_31_0) true)
+(expandtypeattribute (slice_service_31_0) true)
+(expandtypeattribute (slideshow_31_0) true)
+(expandtypeattribute (smartspace_service_31_0) true)
+(expandtypeattribute (snapshotctl_log_data_file_31_0) true)
+(expandtypeattribute (snapuserd_socket_31_0) true)
+(expandtypeattribute (soc_prop_31_0) true)
+(expandtypeattribute (socket_device_31_0) true)
+(expandtypeattribute (socket_hook_prop_31_0) true)
+(expandtypeattribute (sockfs_31_0) true)
+(expandtypeattribute (sota_prop_31_0) true)
+(expandtypeattribute (soundtrigger_middleware_service_31_0) true)
+(expandtypeattribute (speech_recognition_service_31_0) true)
+(expandtypeattribute (sqlite_log_prop_31_0) true)
+(expandtypeattribute (staged_install_file_31_0) true)
+(expandtypeattribute (staging_data_file_31_0) true)
+(expandtypeattribute (stats_data_file_31_0) true)
+(expandtypeattribute (statsd_31_0) true)
+(expandtypeattribute (statsd_exec_31_0) true)
+(expandtypeattribute (statsdw_socket_31_0) true)
+(expandtypeattribute (statusbar_service_31_0) true)
+(expandtypeattribute (storage_config_prop_31_0) true)
+(expandtypeattribute (storage_file_31_0) true)
+(expandtypeattribute (storage_stub_file_31_0) true)
+(expandtypeattribute (storaged_service_31_0) true)
+(expandtypeattribute (storagemanager_config_prop_31_0) true)
+(expandtypeattribute (storagestats_service_31_0) true)
+(expandtypeattribute (su_31_0) true)
+(expandtypeattribute (su_exec_31_0) true)
+(expandtypeattribute (super_block_device_31_0) true)
+(expandtypeattribute (surfaceflinger_31_0) true)
+(expandtypeattribute (surfaceflinger_color_prop_31_0) true)
+(expandtypeattribute (surfaceflinger_display_prop_31_0) true)
+(expandtypeattribute (surfaceflinger_prop_31_0) true)
+(expandtypeattribute (surfaceflinger_service_31_0) true)
+(expandtypeattribute (surfaceflinger_tmpfs_31_0) true)
+(expandtypeattribute (suspend_prop_31_0) true)
+(expandtypeattribute (swap_block_device_31_0) true)
+(expandtypeattribute (sysfs_31_0) true)
+(expandtypeattribute (sysfs_android_usb_31_0) true)
+(expandtypeattribute (sysfs_batteryinfo_31_0) true)
+(expandtypeattribute (sysfs_block_31_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_31_0) true)
+(expandtypeattribute (sysfs_devfreq_cur_31_0) true)
+(expandtypeattribute (sysfs_devfreq_dir_31_0) true)
+(expandtypeattribute (sysfs_devices_block_31_0) true)
+(expandtypeattribute (sysfs_devices_cs_etm_31_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_31_0) true)
+(expandtypeattribute (sysfs_dm_31_0) true)
+(expandtypeattribute (sysfs_dm_verity_31_0) true)
+(expandtypeattribute (sysfs_dma_heap_31_0) true)
+(expandtypeattribute (sysfs_dmabuf_stats_31_0) true)
+(expandtypeattribute (sysfs_dt_firmware_android_31_0) true)
+(expandtypeattribute (sysfs_extcon_31_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_31_0) true)
+(expandtypeattribute (sysfs_fs_f2fs_31_0) true)
+(expandtypeattribute (sysfs_fs_incfs_features_31_0) true)
+(expandtypeattribute (sysfs_fs_incfs_metrics_31_0) true)
+(expandtypeattribute (sysfs_hwrandom_31_0) true)
+(expandtypeattribute (sysfs_ion_31_0) true)
+(expandtypeattribute (sysfs_ipv4_31_0) true)
+(expandtypeattribute (sysfs_kernel_notes_31_0) true)
+(expandtypeattribute (sysfs_leds_31_0) true)
+(expandtypeattribute (sysfs_loop_31_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_31_0) true)
+(expandtypeattribute (sysfs_net_31_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_31_0) true)
+(expandtypeattribute (sysfs_power_31_0) true)
+(expandtypeattribute (sysfs_rtc_31_0) true)
+(expandtypeattribute (sysfs_suspend_stats_31_0) true)
+(expandtypeattribute (sysfs_switch_31_0) true)
+(expandtypeattribute (sysfs_thermal_31_0) true)
+(expandtypeattribute (sysfs_transparent_hugepage_31_0) true)
+(expandtypeattribute (sysfs_uhid_31_0) true)
+(expandtypeattribute (sysfs_uio_31_0) true)
+(expandtypeattribute (sysfs_usb_31_0) true)
+(expandtypeattribute (sysfs_usermodehelper_31_0) true)
+(expandtypeattribute (sysfs_vendor_sched_31_0) true)
+(expandtypeattribute (sysfs_vibrator_31_0) true)
+(expandtypeattribute (sysfs_wake_lock_31_0) true)
+(expandtypeattribute (sysfs_wakeup_31_0) true)
+(expandtypeattribute (sysfs_wakeup_reasons_31_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_31_0) true)
+(expandtypeattribute (sysfs_zram_31_0) true)
+(expandtypeattribute (sysfs_zram_uevent_31_0) true)
+(expandtypeattribute (system_app_31_0) true)
+(expandtypeattribute (system_app_data_file_31_0) true)
+(expandtypeattribute (system_app_service_31_0) true)
+(expandtypeattribute (system_asan_options_file_31_0) true)
+(expandtypeattribute (system_block_device_31_0) true)
+(expandtypeattribute (system_boot_reason_prop_31_0) true)
+(expandtypeattribute (system_bootstrap_lib_file_31_0) true)
+(expandtypeattribute (system_config_service_31_0) true)
+(expandtypeattribute (system_data_file_31_0) true)
+(expandtypeattribute (system_data_root_file_31_0) true)
+(expandtypeattribute (system_event_log_tags_file_31_0) true)
+(expandtypeattribute (system_file_31_0) true)
+(expandtypeattribute (system_group_file_31_0) true)
+(expandtypeattribute (system_jvmti_agent_prop_31_0) true)
+(expandtypeattribute (system_lib_file_31_0) true)
+(expandtypeattribute (system_linker_config_file_31_0) true)
+(expandtypeattribute (system_linker_exec_31_0) true)
+(expandtypeattribute (system_lmk_prop_31_0) true)
+(expandtypeattribute (system_ndebug_socket_31_0) true)
+(expandtypeattribute (system_net_netd_hwservice_31_0) true)
+(expandtypeattribute (system_passwd_file_31_0) true)
+(expandtypeattribute (system_prop_31_0) true)
+(expandtypeattribute (system_seccomp_policy_file_31_0) true)
+(expandtypeattribute (system_security_cacerts_file_31_0) true)
+(expandtypeattribute (system_server_31_0) true)
+(expandtypeattribute (system_server_dumper_service_31_0) true)
+(expandtypeattribute (system_server_tmpfs_31_0) true)
+(expandtypeattribute (system_suspend_control_internal_service_31_0) true)
+(expandtypeattribute (system_suspend_control_service_31_0) true)
+(expandtypeattribute (system_suspend_hwservice_31_0) true)
+(expandtypeattribute (system_trace_prop_31_0) true)
+(expandtypeattribute (system_unsolzygote_socket_31_0) true)
+(expandtypeattribute (system_update_service_31_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_31_0) true)
+(expandtypeattribute (system_wpa_socket_31_0) true)
+(expandtypeattribute (system_zoneinfo_file_31_0) true)
+(expandtypeattribute (systemkeys_data_file_31_0) true)
+(expandtypeattribute (systemsound_config_prop_31_0) true)
+(expandtypeattribute (task_profiles_api_file_31_0) true)
+(expandtypeattribute (task_profiles_file_31_0) true)
+(expandtypeattribute (task_service_31_0) true)
+(expandtypeattribute (tcpdump_exec_31_0) true)
+(expandtypeattribute (tee_31_0) true)
+(expandtypeattribute (tee_data_file_31_0) true)
+(expandtypeattribute (tee_device_31_0) true)
+(expandtypeattribute (telecom_service_31_0) true)
+(expandtypeattribute (telephony_config_prop_31_0) true)
+(expandtypeattribute (telephony_status_prop_31_0) true)
+(expandtypeattribute (test_boot_reason_prop_31_0) true)
+(expandtypeattribute (test_harness_prop_31_0) true)
+(expandtypeattribute (testharness_service_31_0) true)
+(expandtypeattribute (tethering_service_31_0) true)
+(expandtypeattribute (textclassification_service_31_0) true)
+(expandtypeattribute (textclassifier_data_file_31_0) true)
+(expandtypeattribute (textservices_service_31_0) true)
+(expandtypeattribute (texttospeech_service_31_0) true)
+(expandtypeattribute (theme_prop_31_0) true)
+(expandtypeattribute (thermal_service_31_0) true)
+(expandtypeattribute (time_prop_31_0) true)
+(expandtypeattribute (timedetector_service_31_0) true)
+(expandtypeattribute (timezone_service_31_0) true)
+(expandtypeattribute (timezonedetector_service_31_0) true)
+(expandtypeattribute (tmpfs_31_0) true)
+(expandtypeattribute (tombstone_config_prop_31_0) true)
+(expandtypeattribute (tombstone_data_file_31_0) true)
+(expandtypeattribute (tombstone_wifi_data_file_31_0) true)
+(expandtypeattribute (tombstoned_31_0) true)
+(expandtypeattribute (tombstoned_crash_socket_31_0) true)
+(expandtypeattribute (tombstoned_exec_31_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_31_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_31_0) true)
+(expandtypeattribute (toolbox_31_0) true)
+(expandtypeattribute (toolbox_exec_31_0) true)
+(expandtypeattribute (trace_data_file_31_0) true)
+(expandtypeattribute (traced_31_0) true)
+(expandtypeattribute (traced_consumer_socket_31_0) true)
+(expandtypeattribute (traced_enabled_prop_31_0) true)
+(expandtypeattribute (traced_lazy_prop_31_0) true)
+(expandtypeattribute (traced_perf_31_0) true)
+(expandtypeattribute (traced_perf_socket_31_0) true)
+(expandtypeattribute (traced_probes_31_0) true)
+(expandtypeattribute (traced_producer_socket_31_0) true)
+(expandtypeattribute (traced_tmpfs_31_0) true)
+(expandtypeattribute (traceur_app_31_0) true)
+(expandtypeattribute (translation_service_31_0) true)
+(expandtypeattribute (trust_service_31_0) true)
+(expandtypeattribute (tty_device_31_0) true)
+(expandtypeattribute (tun_device_31_0) true)
+(expandtypeattribute (tv_input_service_31_0) true)
+(expandtypeattribute (tv_tuner_resource_mgr_service_31_0) true)
+(expandtypeattribute (tzdatacheck_31_0) true)
+(expandtypeattribute (tzdatacheck_exec_31_0) true)
+(expandtypeattribute (ueventd_31_0) true)
+(expandtypeattribute (ueventd_tmpfs_31_0) true)
+(expandtypeattribute (uhid_device_31_0) true)
+(expandtypeattribute (uimode_service_31_0) true)
+(expandtypeattribute (uio_device_31_0) true)
+(expandtypeattribute (uncrypt_31_0) true)
+(expandtypeattribute (uncrypt_exec_31_0) true)
+(expandtypeattribute (uncrypt_socket_31_0) true)
+(expandtypeattribute (unencrypted_data_file_31_0) true)
+(expandtypeattribute (unlabeled_31_0) true)
+(expandtypeattribute (untrusted_app_25_31_0) true)
+(expandtypeattribute (untrusted_app_27_31_0) true)
+(expandtypeattribute (untrusted_app_29_31_0) true)
+(expandtypeattribute (untrusted_app_31_0) true)
+(expandtypeattribute (update_engine_31_0) true)
+(expandtypeattribute (update_engine_data_file_31_0) true)
+(expandtypeattribute (update_engine_exec_31_0) true)
+(expandtypeattribute (update_engine_log_data_file_31_0) true)
+(expandtypeattribute (update_engine_service_31_0) true)
+(expandtypeattribute (update_engine_stable_service_31_0) true)
+(expandtypeattribute (update_verifier_31_0) true)
+(expandtypeattribute (update_verifier_exec_31_0) true)
+(expandtypeattribute (updatelock_service_31_0) true)
+(expandtypeattribute (uri_grants_service_31_0) true)
+(expandtypeattribute (usagestats_service_31_0) true)
+(expandtypeattribute (usb_config_prop_31_0) true)
+(expandtypeattribute (usb_control_prop_31_0) true)
+(expandtypeattribute (usb_device_31_0) true)
+(expandtypeattribute (usb_prop_31_0) true)
+(expandtypeattribute (usb_serial_device_31_0) true)
+(expandtypeattribute (usb_service_31_0) true)
+(expandtypeattribute (usbaccessory_device_31_0) true)
+(expandtypeattribute (usbd_31_0) true)
+(expandtypeattribute (usbd_exec_31_0) true)
+(expandtypeattribute (usbfs_31_0) true)
+(expandtypeattribute (use_memfd_prop_31_0) true)
+(expandtypeattribute (user_profile_data_file_31_0) true)
+(expandtypeattribute (user_profile_root_file_31_0) true)
+(expandtypeattribute (user_service_31_0) true)
+(expandtypeattribute (userdata_block_device_31_0) true)
+(expandtypeattribute (userdata_sysdev_31_0) true)
+(expandtypeattribute (usermodehelper_31_0) true)
+(expandtypeattribute (userspace_reboot_config_prop_31_0) true)
+(expandtypeattribute (userspace_reboot_exported_prop_31_0) true)
+(expandtypeattribute (userspace_reboot_metadata_file_31_0) true)
+(expandtypeattribute (uwb_service_31_0) true)
+(expandtypeattribute (vcn_management_service_31_0) true)
+(expandtypeattribute (vd_device_31_0) true)
+(expandtypeattribute (vdc_31_0) true)
+(expandtypeattribute (vdc_exec_31_0) true)
+(expandtypeattribute (vehicle_hal_prop_31_0) true)
+(expandtypeattribute (vendor_apex_file_31_0) true)
+(expandtypeattribute (vendor_app_file_31_0) true)
+(expandtypeattribute (vendor_cgroup_desc_file_31_0) true)
+(expandtypeattribute (vendor_configs_file_31_0) true)
+(expandtypeattribute (vendor_data_file_31_0) true)
+(expandtypeattribute (vendor_default_prop_31_0) true)
+(expandtypeattribute (vendor_file_31_0) true)
+(expandtypeattribute (vendor_framework_file_31_0) true)
+(expandtypeattribute (vendor_hal_file_31_0) true)
+(expandtypeattribute (vendor_idc_file_31_0) true)
+(expandtypeattribute (vendor_init_31_0) true)
+(expandtypeattribute (vendor_kernel_modules_31_0) true)
+(expandtypeattribute (vendor_keychars_file_31_0) true)
+(expandtypeattribute (vendor_keylayout_file_31_0) true)
+(expandtypeattribute (vendor_misc_writer_31_0) true)
+(expandtypeattribute (vendor_misc_writer_exec_31_0) true)
+(expandtypeattribute (vendor_modprobe_31_0) true)
+(expandtypeattribute (vendor_overlay_file_31_0) true)
+(expandtypeattribute (vendor_public_framework_file_31_0) true)
+(expandtypeattribute (vendor_public_lib_file_31_0) true)
+(expandtypeattribute (vendor_security_patch_level_prop_31_0) true)
+(expandtypeattribute (vendor_service_contexts_file_31_0) true)
+(expandtypeattribute (vendor_shell_31_0) true)
+(expandtypeattribute (vendor_shell_exec_31_0) true)
+(expandtypeattribute (vendor_socket_hook_prop_31_0) true)
+(expandtypeattribute (vendor_task_profiles_file_31_0) true)
+(expandtypeattribute (vendor_toolbox_exec_31_0) true)
+(expandtypeattribute (vfat_31_0) true)
+(expandtypeattribute (vibrator_manager_service_31_0) true)
+(expandtypeattribute (vibrator_service_31_0) true)
+(expandtypeattribute (video_device_31_0) true)
+(expandtypeattribute (virtual_ab_prop_31_0) true)
+(expandtypeattribute (virtual_touchpad_31_0) true)
+(expandtypeattribute (virtual_touchpad_exec_31_0) true)
+(expandtypeattribute (virtual_touchpad_service_31_0) true)
+(expandtypeattribute (virtualization_service_31_0) true)
+(expandtypeattribute (vndbinder_device_31_0) true)
+(expandtypeattribute (vndk_prop_31_0) true)
+(expandtypeattribute (vndk_sp_file_31_0) true)
+(expandtypeattribute (vndservice_contexts_file_31_0) true)
+(expandtypeattribute (vndservicemanager_31_0) true)
+(expandtypeattribute (voiceinteraction_service_31_0) true)
+(expandtypeattribute (vold_31_0) true)
+(expandtypeattribute (vold_config_prop_31_0) true)
+(expandtypeattribute (vold_data_file_31_0) true)
+(expandtypeattribute (vold_device_31_0) true)
+(expandtypeattribute (vold_exec_31_0) true)
+(expandtypeattribute (vold_metadata_file_31_0) true)
+(expandtypeattribute (vold_post_fs_data_prop_31_0) true)
+(expandtypeattribute (vold_prepare_subdirs_31_0) true)
+(expandtypeattribute (vold_prepare_subdirs_exec_31_0) true)
+(expandtypeattribute (vold_prop_31_0) true)
+(expandtypeattribute (vold_service_31_0) true)
+(expandtypeattribute (vold_status_prop_31_0) true)
+(expandtypeattribute (vpn_data_file_31_0) true)
+(expandtypeattribute (vpn_management_service_31_0) true)
+(expandtypeattribute (vr_hwc_31_0) true)
+(expandtypeattribute (vr_hwc_exec_31_0) true)
+(expandtypeattribute (vr_hwc_service_31_0) true)
+(expandtypeattribute (vr_manager_service_31_0) true)
+(expandtypeattribute (vrflinger_vsync_service_31_0) true)
+(expandtypeattribute (vts_config_prop_31_0) true)
+(expandtypeattribute (vts_status_prop_31_0) true)
+(expandtypeattribute (wallpaper_file_31_0) true)
+(expandtypeattribute (wallpaper_service_31_0) true)
+(expandtypeattribute (watchdog_device_31_0) true)
+(expandtypeattribute (watchdog_metadata_file_31_0) true)
+(expandtypeattribute (watchdogd_31_0) true)
+(expandtypeattribute (watchdogd_exec_31_0) true)
+(expandtypeattribute (webview_zygote_31_0) true)
+(expandtypeattribute (webview_zygote_exec_31_0) true)
+(expandtypeattribute (webview_zygote_tmpfs_31_0) true)
+(expandtypeattribute (webviewupdate_service_31_0) true)
+(expandtypeattribute (wifi_config_prop_31_0) true)
+(expandtypeattribute (wifi_data_file_31_0) true)
+(expandtypeattribute (wifi_hal_prop_31_0) true)
+(expandtypeattribute (wifi_key_31_0) true)
+(expandtypeattribute (wifi_log_prop_31_0) true)
+(expandtypeattribute (wifi_prop_31_0) true)
+(expandtypeattribute (wifi_service_31_0) true)
+(expandtypeattribute (wifiaware_service_31_0) true)
+(expandtypeattribute (wificond_31_0) true)
+(expandtypeattribute (wificond_exec_31_0) true)
+(expandtypeattribute (wifinl80211_service_31_0) true)
+(expandtypeattribute (wifip2p_service_31_0) true)
+(expandtypeattribute (wifiscanner_service_31_0) true)
+(expandtypeattribute (window_service_31_0) true)
+(expandtypeattribute (wpa_socket_31_0) true)
+(expandtypeattribute (wpantund_31_0) true)
+(expandtypeattribute (wpantund_exec_31_0) true)
+(expandtypeattribute (wpantund_service_31_0) true)
+(expandtypeattribute (zero_device_31_0) true)
+(expandtypeattribute (zoneinfo_data_file_31_0) true)
+(expandtypeattribute (zram_config_prop_31_0) true)
+(expandtypeattribute (zram_control_prop_31_0) true)
+(expandtypeattribute (zygote_31_0) true)
+(expandtypeattribute (zygote_config_prop_31_0) true)
+(expandtypeattribute (zygote_exec_31_0) true)
+(expandtypeattribute (zygote_socket_31_0) true)
+(expandtypeattribute (zygote_tmpfs_31_0) true)
+(typeattributeset DockObserver_service_31_0 (DockObserver_service))
+(typeattributeset IProxyService_service_31_0 (IProxyService_service))
+(typeattributeset aac_drc_prop_31_0 (aac_drc_prop))
+(typeattributeset aaudio_config_prop_31_0 (aaudio_config_prop))
+(typeattributeset ab_update_gki_prop_31_0 (ab_update_gki_prop))
+(typeattributeset accessibility_service_31_0 (accessibility_service))
+(typeattributeset account_service_31_0 (account_service))
+(typeattributeset activity_service_31_0 (activity_service))
+(typeattributeset activity_task_service_31_0 (activity_task_service))
+(typeattributeset adb_data_file_31_0 (adb_data_file))
+(typeattributeset adb_keys_file_31_0 (adb_keys_file))
+(typeattributeset adb_service_31_0 (adb_service))
+(typeattributeset adbd_31_0 (adbd))
+(typeattributeset adbd_config_prop_31_0 (adbd_config_prop))
+(typeattributeset adbd_exec_31_0 (adbd_exec))
+(typeattributeset adbd_socket_31_0 (adbd_socket))
+(typeattributeset aidl_lazy_test_server_31_0 (aidl_lazy_test_server))
+(typeattributeset aidl_lazy_test_server_exec_31_0 (aidl_lazy_test_server_exec))
+(typeattributeset aidl_lazy_test_service_31_0 (aidl_lazy_test_service))
+(typeattributeset alarm_service_31_0 (alarm_service))
+(typeattributeset anr_data_file_31_0 (anr_data_file))
+(typeattributeset apc_service_31_0 (apc_service))
+(typeattributeset apex_appsearch_data_file_31_0 (apex_appsearch_data_file apex_system_server_data_file))
+(typeattributeset apex_data_file_31_0 (apex_data_file))
+(typeattributeset apex_info_file_31_0 (apex_info_file))
+(typeattributeset apex_metadata_file_31_0 (apex_metadata_file))
+(typeattributeset apex_mnt_dir_31_0 (apex_mnt_dir))
+(typeattributeset apex_module_data_file_31_0 (apex_module_data_file))
+(typeattributeset apex_ota_reserved_file_31_0 (apex_ota_reserved_file))
+(typeattributeset apex_permission_data_file_31_0 (apex_permission_data_file apex_system_server_data_file))
+(typeattributeset apex_rollback_data_file_31_0 (apex_rollback_data_file))
+(typeattributeset apex_scheduling_data_file_31_0 (apex_scheduling_data_file apex_system_server_data_file))
+(typeattributeset apex_service_31_0 (apex_service))
+(typeattributeset apex_wifi_data_file_31_0 (apex_wifi_data_file apex_system_server_data_file))
+(typeattributeset apexd_31_0 (apexd))
+(typeattributeset apexd_config_prop_31_0 (apexd_config_prop))
+(typeattributeset apexd_exec_31_0 (apexd_exec))
+(typeattributeset apexd_prop_31_0 (apexd_prop))
+(typeattributeset apk_data_file_31_0 (apk_data_file))
+(typeattributeset apk_private_data_file_31_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_31_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_31_0 (apk_tmp_file))
+(typeattributeset apk_verity_prop_31_0 (apk_verity_prop))
+(typeattributeset app_binding_service_31_0 (app_binding_service))
+(typeattributeset app_data_file_31_0 (app_data_file))
+(typeattributeset app_fuse_file_31_0 (app_fuse_file))
+(typeattributeset app_fusefs_31_0 (app_fusefs))
+(typeattributeset app_hibernation_service_31_0 (app_hibernation_service))
+(typeattributeset app_integrity_service_31_0 (app_integrity_service))
+(typeattributeset app_prediction_service_31_0 (app_prediction_service))
+(typeattributeset app_search_service_31_0 (app_search_service))
+(typeattributeset app_zygote_31_0 (app_zygote))
+(typeattributeset app_zygote_tmpfs_31_0 (app_zygote_tmpfs))
+(typeattributeset appcompat_data_file_31_0 (appcompat_data_file))
+(typeattributeset appdomain_tmpfs_31_0 (appdomain_tmpfs))
+(typeattributeset appops_service_31_0 (appops_service))
+(typeattributeset appwidget_service_31_0 (appwidget_service))
+(typeattributeset arm64_memtag_prop_31_0 (arm64_memtag_prop))
+(typeattributeset art_apex_dir_31_0 (art_apex_dir))
+(typeattributeset asec_apk_file_31_0 (asec_apk_file))
+(typeattributeset asec_image_file_31_0 (asec_image_file))
+(typeattributeset asec_public_file_31_0 (asec_public_file))
+(typeattributeset ashmem_device_31_0 (ashmem_device))
+(typeattributeset ashmem_libcutils_device_31_0 (ashmem_libcutils_device))
+(typeattributeset assetatlas_service_31_0 (assetatlas_service))
+(typeattributeset atrace_31_0 (atrace))
+(typeattributeset audio_config_prop_31_0 (audio_config_prop))
+(typeattributeset audio_data_file_31_0 (audio_data_file))
+(typeattributeset audio_device_31_0 (audio_device))
+(typeattributeset audio_prop_31_0 (audio_prop))
+(typeattributeset audio_service_31_0 (audio_service))
+(typeattributeset audiohal_data_file_31_0 (audiohal_data_file))
+(typeattributeset audioserver_31_0 (audioserver))
+(typeattributeset audioserver_data_file_31_0 (audioserver_data_file))
+(typeattributeset audioserver_service_31_0 (audioserver_service))
+(typeattributeset audioserver_tmpfs_31_0 (audioserver_tmpfs))
+(typeattributeset auth_service_31_0 (auth_service))
+(typeattributeset authorization_service_31_0 (authorization_service))
+(typeattributeset autofill_service_31_0 (autofill_service))
+(typeattributeset backup_data_file_31_0 (backup_data_file))
+(typeattributeset backup_service_31_0 (backup_service))
+(typeattributeset battery_service_31_0 (battery_service))
+(typeattributeset batteryproperties_service_31_0 (batteryproperties_service))
+(typeattributeset batterystats_service_31_0 (batterystats_service))
+(typeattributeset binder_cache_bluetooth_server_prop_31_0 (binder_cache_bluetooth_server_prop))
+(typeattributeset binder_cache_system_server_prop_31_0 (binder_cache_system_server_prop))
+(typeattributeset binder_cache_telephony_server_prop_31_0 (binder_cache_telephony_server_prop))
+(typeattributeset binder_calls_stats_service_31_0 (binder_calls_stats_service))
+(typeattributeset binder_device_31_0 (binder_device))
+(typeattributeset binderfs_31_0 (binderfs))
+(typeattributeset binderfs_logs_31_0 (binderfs_logs))
+(typeattributeset binderfs_logs_proc_31_0 (binderfs_logs_proc))
+(typeattributeset binfmt_miscfs_31_0 (binfmt_miscfs))
+(typeattributeset biometric_service_31_0 (biometric_service))
+(typeattributeset blkid_31_0 (blkid))
+(typeattributeset blkid_untrusted_31_0 (blkid_untrusted))
+(typeattributeset blob_store_service_31_0 (blob_store_service))
+(typeattributeset block_device_31_0 (block_device))
+(typeattributeset bluetooth_31_0 (bluetooth))
+(typeattributeset bluetooth_a2dp_offload_prop_31_0 (bluetooth_a2dp_offload_prop))
+(typeattributeset bluetooth_audio_hal_prop_31_0 (bluetooth_audio_hal_prop))
+(typeattributeset bluetooth_data_file_31_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_31_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_31_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_31_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_31_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_31_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_31_0 (bluetooth_socket))
+(typeattributeset boot_block_device_31_0 (boot_block_device))
+(typeattributeset boot_status_prop_31_0 (boot_status_prop))
+(typeattributeset bootanim_31_0 (bootanim))
+(typeattributeset bootanim_config_prop_31_0 (bootanim_config_prop))
+(typeattributeset bootanim_exec_31_0 (bootanim_exec))
+(typeattributeset bootanim_system_prop_31_0 (bootanim_system_prop))
+(typeattributeset bootchart_data_file_31_0 (bootchart_data_file))
+(typeattributeset bootloader_boot_reason_prop_31_0 (bootloader_boot_reason_prop))
+(typeattributeset bootloader_prop_31_0 (bootloader_prop))
+(typeattributeset bootstat_31_0 (bootstat))
+(typeattributeset bootstat_data_file_31_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_31_0 (bootstat_exec))
+(typeattributeset boottime_prop_31_0 (boottime_prop))
+(typeattributeset boottime_public_prop_31_0 (boottime_public_prop))
+(typeattributeset boottrace_data_file_31_0 (boottrace_data_file))
+(typeattributeset bpf_progs_loaded_prop_31_0 (bpf_progs_loaded_prop))
+(typeattributeset bq_config_prop_31_0 (bq_config_prop))
+(typeattributeset broadcastradio_service_31_0 (broadcastradio_service))
+(typeattributeset bufferhubd_31_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_31_0 (bufferhubd_exec))
+(typeattributeset bugreport_service_31_0 (bugreport_service))
+(typeattributeset build_bootimage_prop_31_0 (build_bootimage_prop))
+(typeattributeset build_config_prop_31_0 (build_config_prop))
+(typeattributeset build_odm_prop_31_0 (build_odm_prop))
+(typeattributeset build_prop_31_0 (build_prop))
+(typeattributeset build_vendor_prop_31_0 (build_vendor_prop))
+(typeattributeset cache_backup_file_31_0 (cache_backup_file))
+(typeattributeset cache_block_device_31_0 (cache_block_device))
+(typeattributeset cache_file_31_0 (cache_file))
+(typeattributeset cache_private_backup_file_31_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_31_0 (cache_recovery_file))
+(typeattributeset cacheinfo_service_31_0 (cacheinfo_service))
+(typeattributeset camera2_extensions_prop_31_0 (camera2_extensions_prop))
+(typeattributeset camera_calibration_prop_31_0 (camera_calibration_prop))
+(typeattributeset camera_config_prop_31_0 (camera_config_prop))
+(typeattributeset camera_data_file_31_0 (camera_data_file))
+(typeattributeset camera_device_31_0 (camera_device))
+(typeattributeset cameraproxy_service_31_0 (cameraproxy_service))
+(typeattributeset cameraserver_31_0 (cameraserver))
+(typeattributeset cameraserver_exec_31_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_31_0 (cameraserver_service))
+(typeattributeset cameraserver_tmpfs_31_0 (cameraserver_tmpfs))
+(typeattributeset camerax_extensions_prop_31_0 (camerax_extensions_prop))
+(typeattributeset cgroup_31_0 (cgroup))
+(typeattributeset cgroup_desc_api_file_31_0 (cgroup_desc_api_file))
+(typeattributeset cgroup_desc_file_31_0 (cgroup_desc_file))
+(typeattributeset cgroup_rc_file_31_0 (cgroup_rc_file))
+(typeattributeset cgroup_v2_31_0 (cgroup_v2))
+(typeattributeset charger_31_0 (charger))
+(typeattributeset charger_config_prop_31_0 (charger_config_prop))
+(typeattributeset charger_exec_31_0 (charger_exec))
+(typeattributeset charger_prop_31_0 (charger_prop))
+(typeattributeset charger_status_prop_31_0 (charger_status_prop))
+(typeattributeset clipboard_service_31_0 (clipboard_service))
+(typeattributeset codec2_config_prop_31_0 (codec2_config_prop))
+(typeattributeset cold_boot_done_prop_31_0 (cold_boot_done_prop))
+(typeattributeset color_display_service_31_0 (color_display_service))
+(typeattributeset companion_device_service_31_0 (companion_device_service))
+(typeattributeset config_prop_31_0 (config_prop))
+(typeattributeset configfs_31_0 (configfs))
+(typeattributeset connectivity_service_31_0 (connectivity_service))
+(typeattributeset connmetrics_service_31_0 (connmetrics_service))
+(typeattributeset console_device_31_0 (console_device))
+(typeattributeset consumer_ir_service_31_0 (consumer_ir_service))
+(typeattributeset content_capture_service_31_0 (content_capture_service))
+(typeattributeset content_service_31_0 (content_service))
+(typeattributeset content_suggestions_service_31_0 (content_suggestions_service))
+(typeattributeset contexthub_service_31_0 (contexthub_service))
+(typeattributeset coredump_file_31_0 (coredump_file))
+(typeattributeset country_detector_service_31_0 (country_detector_service))
+(typeattributeset coverage_service_31_0 (coverage_service))
+(typeattributeset cppreopt_prop_31_0 (cppreopt_prop))
+(typeattributeset cpu_variant_prop_31_0 (cpu_variant_prop))
+(typeattributeset cpuinfo_service_31_0 (cpuinfo_service))
+(typeattributeset crash_dump_31_0 (crash_dump))
+(typeattributeset crash_dump_exec_31_0 (crash_dump_exec))
+(typeattributeset credstore_31_0 (credstore))
+(typeattributeset credstore_data_file_31_0 (credstore_data_file))
+(typeattributeset credstore_exec_31_0 (credstore_exec))
+(typeattributeset credstore_service_31_0 (credstore_service))
+(typeattributeset crossprofileapps_service_31_0 (crossprofileapps_service))
+(typeattributeset ctl_adbd_prop_31_0 (ctl_adbd_prop))
+(typeattributeset ctl_apexd_prop_31_0 (ctl_apexd_prop))
+(typeattributeset ctl_bootanim_prop_31_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_31_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_31_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_31_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_31_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_31_0 (ctl_fuse_prop))
+(typeattributeset ctl_gsid_prop_31_0 (ctl_gsid_prop))
+(typeattributeset ctl_interface_restart_prop_31_0 (ctl_interface_restart_prop))
+(typeattributeset ctl_interface_start_prop_31_0 (ctl_interface_start_prop))
+(typeattributeset ctl_interface_stop_prop_31_0 (ctl_interface_stop_prop))
+(typeattributeset ctl_mdnsd_prop_31_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_restart_prop_31_0 (ctl_restart_prop))
+(typeattributeset ctl_rildaemon_prop_31_0 (ctl_rildaemon_prop))
+(typeattributeset ctl_sigstop_prop_31_0 (ctl_sigstop_prop))
+(typeattributeset ctl_start_prop_31_0 (ctl_start_prop))
+(typeattributeset ctl_stop_prop_31_0 (ctl_stop_prop))
+(typeattributeset dalvik_config_prop_31_0 (dalvik_config_prop))
+(typeattributeset dalvik_prop_31_0 (dalvik_prop))
+(typeattributeset dalvik_runtime_prop_31_0 (dalvik_runtime_prop))
+(typeattributeset dalvikcache_data_file_31_0 (dalvikcache_data_file))
+(typeattributeset dataloader_manager_service_31_0 (dataloader_manager_service))
+(typeattributeset dbinfo_service_31_0 (dbinfo_service))
+(typeattributeset dck_prop_31_0 (dck_prop))
+(typeattributeset debug_prop_31_0 (debug_prop))
+(typeattributeset debugfs_31_0 (debugfs))
+(typeattributeset debugfs_bootreceiver_tracing_31_0 (debugfs_bootreceiver_tracing))
+(typeattributeset debugfs_kprobes_31_0 (debugfs_kprobes))
+(typeattributeset debugfs_mm_events_tracing_31_0 (debugfs_mm_events_tracing))
+(typeattributeset debugfs_mmc_31_0 (debugfs_mmc))
+(typeattributeset debugfs_restriction_prop_31_0 (debugfs_restriction_prop))
+(typeattributeset debugfs_trace_marker_31_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_31_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_31_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_instances_31_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_tracing_printk_formats_31_0 (debugfs_tracing_printk_formats))
+(typeattributeset debugfs_wakeup_sources_31_0 (debugfs_wakeup_sources))
+(typeattributeset debugfs_wifi_tracing_31_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_31_0 (debuggerd_prop))
+(typeattributeset default_android_hwservice_31_0 (default_android_hwservice))
+(typeattributeset default_android_service_31_0 (default_android_service))
+(typeattributeset default_android_vndservice_31_0 (default_android_vndservice))
+(typeattributeset default_prop_31_0 (default_prop))
+(typeattributeset dev_cpu_variant_31_0 (dev_cpu_variant))
+(typeattributeset device_31_0 (device))
+(typeattributeset device_config_activity_manager_native_boot_prop_31_0 (device_config_activity_manager_native_boot_prop))
+(typeattributeset device_config_boot_count_prop_31_0 (device_config_boot_count_prop))
+(typeattributeset device_config_input_native_boot_prop_31_0 (device_config_input_native_boot_prop))
+(typeattributeset device_config_media_native_prop_31_0 (device_config_media_native_prop))
+(typeattributeset device_config_netd_native_prop_31_0 (device_config_netd_native_prop))
+(typeattributeset device_config_reset_performed_prop_31_0 (device_config_reset_performed_prop))
+(typeattributeset device_config_runtime_native_boot_prop_31_0 (device_config_runtime_native_boot_prop))
+(typeattributeset device_config_runtime_native_prop_31_0 (device_config_runtime_native_prop))
+(typeattributeset device_config_service_31_0 (device_config_service))
+(typeattributeset device_identifiers_service_31_0 (device_identifiers_service))
+(typeattributeset device_logging_prop_31_0 (device_logging_prop))
+(typeattributeset device_policy_service_31_0 (device_policy_service))
+(typeattributeset device_state_service_31_0 (device_state_service))
+(typeattributeset deviceidle_service_31_0 (deviceidle_service))
+(typeattributeset devicestoragemonitor_service_31_0 (devicestoragemonitor_service))
+(typeattributeset devpts_31_0 (devpts))
+(typeattributeset dhcp_31_0 (dhcp))
+(typeattributeset dhcp_data_file_31_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_31_0 (dhcp_exec))
+(typeattributeset dhcp_prop_31_0 (dhcp_prop))
+(typeattributeset diskstats_service_31_0 (diskstats_service))
+(typeattributeset display_service_31_0 (display_service))
+(typeattributeset dm_device_31_0 (dm_device))
+(typeattributeset dm_user_device_31_0 (dm_user_device))
+(typeattributeset dmabuf_heap_device_31_0 (dmabuf_heap_device))
+(typeattributeset dmabuf_system_heap_device_31_0 (dmabuf_system_heap_device))
+(typeattributeset dmabuf_system_secure_heap_device_31_0 (dmabuf_system_secure_heap_device))
+(typeattributeset dnsmasq_31_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_31_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_31_0 (dnsproxyd_socket))
+(typeattributeset dnsresolver_service_31_0 (dnsresolver_service))
+(typeattributeset domain_verification_service_31_0 (domain_verification_service))
+(typeattributeset dreams_service_31_0 (dreams_service))
+(typeattributeset drm_data_file_31_0 (drm_data_file))
+(typeattributeset drm_service_config_prop_31_0 (drm_service_config_prop))
+(typeattributeset drmserver_31_0 (drmserver))
+(typeattributeset drmserver_exec_31_0 (drmserver_exec))
+(typeattributeset drmserver_service_31_0 (drmserver_service))
+(typeattributeset drmserver_socket_31_0 (drmserver_socket))
+(typeattributeset dropbox_data_file_31_0 (dropbox_data_file))
+(typeattributeset dropbox_service_31_0 (dropbox_service))
+(typeattributeset dumpstate_31_0 (dumpstate))
+(typeattributeset dumpstate_exec_31_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_31_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_31_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_31_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_31_0 (dumpstate_socket))
+(typeattributeset dynamic_system_prop_31_0 (dynamic_system_prop))
+(typeattributeset e2fs_31_0 (e2fs))
+(typeattributeset e2fs_exec_31_0 (e2fs_exec))
+(typeattributeset efs_file_31_0 (efs_file))
+(typeattributeset emergency_affordance_service_31_0 (emergency_affordance_service))
+(typeattributeset ephemeral_app_31_0 (ephemeral_app))
+(typeattributeset ethernet_service_31_0 (ethernet_service))
+(typeattributeset exfat_31_0 (exfat))
+(typeattributeset exported3_system_prop_31_0 (exported3_system_prop))
+(typeattributeset exported_bluetooth_prop_31_0 (exported_bluetooth_prop))
+(typeattributeset exported_camera_prop_31_0 (exported_camera_prop))
+(typeattributeset exported_config_prop_31_0 (exported_config_prop))
+(typeattributeset exported_default_prop_31_0 (exported_default_prop))
+(typeattributeset exported_dumpstate_prop_31_0 (exported_dumpstate_prop))
+(typeattributeset exported_overlay_prop_31_0 (exported_overlay_prop))
+(typeattributeset exported_pm_prop_31_0 (exported_pm_prop))
+(typeattributeset exported_secure_prop_31_0 (exported_secure_prop))
+(typeattributeset exported_system_prop_31_0 (exported_system_prop))
+(typeattributeset external_vibrator_service_31_0 (external_vibrator_service))
+(typeattributeset face_service_31_0 (face_service))
+(typeattributeset face_vendor_data_file_31_0 (face_vendor_data_file))
+(typeattributeset fastbootd_31_0 (fastbootd))
+(typeattributeset ffs_config_prop_31_0 (ffs_config_prop))
+(typeattributeset ffs_control_prop_31_0 (ffs_control_prop))
+(typeattributeset file_contexts_file_31_0 (file_contexts_file))
+(typeattributeset file_integrity_service_31_0 (file_integrity_service))
+(typeattributeset fingerprint_prop_31_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_31_0 (fingerprint_service))
+(typeattributeset fingerprint_vendor_data_file_31_0 (fingerprint_vendor_data_file))
+(typeattributeset fingerprintd_31_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_31_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_31_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_31_0 (fingerprintd_service))
+(typeattributeset firstboot_prop_31_0 (firstboot_prop))
+(typeattributeset flags_health_check_31_0 (flags_health_check))
+(typeattributeset flags_health_check_exec_31_0 (flags_health_check_exec))
+(typeattributeset font_service_31_0 (font_service))
+(typeattributeset framework_watchdog_config_prop_31_0 (framework_watchdog_config_prop))
+(typeattributeset frp_block_device_31_0 (frp_block_device))
+(typeattributeset fs_bpf_31_0 (fs_bpf))
+(typeattributeset fs_bpf_tethering_31_0 (fs_bpf_tethering))
+(typeattributeset fsck_31_0 (fsck))
+(typeattributeset fsck_exec_31_0 (fsck_exec))
+(typeattributeset fsck_untrusted_31_0 (fsck_untrusted))
+(typeattributeset fscklogs_31_0 (fscklogs))
+(typeattributeset functionfs_31_0 (functionfs))
+(typeattributeset fuse_31_0 (fuse))
+(typeattributeset fuse_device_31_0 (fuse_device))
+(typeattributeset fusectlfs_31_0 (fusectlfs))
+(typeattributeset fwk_automotive_display_hwservice_31_0 (fwk_automotive_display_hwservice))
+(typeattributeset fwk_bufferhub_hwservice_31_0 (fwk_bufferhub_hwservice))
+(typeattributeset fwk_camera_hwservice_31_0 (fwk_camera_hwservice))
+(typeattributeset fwk_display_hwservice_31_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_31_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_31_0 (fwk_sensor_hwservice))
+(typeattributeset fwk_stats_hwservice_31_0 (fwk_stats_hwservice))
+(typeattributeset fwk_stats_service_31_0 (fwk_stats_service))
+(typeattributeset fwmarkd_socket_31_0 (fwmarkd_socket))
+(typeattributeset game_service_31_0 (game_service))
+(typeattributeset gatekeeper_data_file_31_0 (gatekeeper_data_file))
+(typeattributeset gatekeeper_service_31_0 (gatekeeper_service))
+(typeattributeset gatekeeperd_31_0 (gatekeeperd))
+(typeattributeset gatekeeperd_exec_31_0 (gatekeeperd_exec))
+(typeattributeset gfxinfo_service_31_0 (gfxinfo_service))
+(typeattributeset gmscore_app_31_0 (gmscore_app))
+(typeattributeset gnss_device_31_0 (gnss_device))
+(typeattributeset gnss_time_update_service_31_0 (gnss_time_update_service))
+(typeattributeset gps_control_31_0 (gps_control))
+(typeattributeset gpu_device_31_0 (gpu_device))
+(typeattributeset gpu_service_31_0 (gpu_service))
+(typeattributeset gpuservice_31_0 (gpuservice))
+(typeattributeset graphics_config_prop_31_0 (graphics_config_prop))
+(typeattributeset graphics_device_31_0 (graphics_device))
+(typeattributeset graphicsstats_service_31_0 (graphicsstats_service))
+(typeattributeset gsi_data_file_31_0 (gsi_data_file))
+(typeattributeset gsi_metadata_file_31_0 (gsi_metadata_file))
+(typeattributeset gsi_public_metadata_file_31_0 (gsi_public_metadata_file))
+(typeattributeset hal_atrace_hwservice_31_0 (hal_atrace_hwservice))
+(typeattributeset hal_audio_hwservice_31_0 (hal_audio_hwservice))
+(typeattributeset hal_audio_service_31_0 (hal_audio_service))
+(typeattributeset hal_audiocontrol_hwservice_31_0 (hal_audiocontrol_hwservice))
+(typeattributeset hal_audiocontrol_service_31_0 (hal_audiocontrol_service))
+(typeattributeset hal_authsecret_hwservice_31_0 (hal_authsecret_hwservice))
+(typeattributeset hal_authsecret_service_31_0 (hal_authsecret_service))
+(typeattributeset hal_bluetooth_hwservice_31_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_31_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_31_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_31_0 (hal_camera_hwservice))
+(typeattributeset hal_can_bus_hwservice_31_0 (hal_can_bus_hwservice))
+(typeattributeset hal_can_controller_hwservice_31_0 (hal_can_controller_hwservice))
+(typeattributeset hal_cas_hwservice_31_0 (hal_cas_hwservice))
+(typeattributeset hal_codec2_hwservice_31_0 (hal_codec2_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_31_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_confirmationui_hwservice_31_0 (hal_confirmationui_hwservice))
+(typeattributeset hal_contexthub_hwservice_31_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_31_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_config_prop_31_0 (hal_dumpstate_config_prop))
+(typeattributeset hal_dumpstate_hwservice_31_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_evs_hwservice_31_0 (hal_evs_hwservice))
+(typeattributeset hal_face_hwservice_31_0 (hal_face_hwservice))
+(typeattributeset hal_face_service_31_0 (hal_face_service))
+(typeattributeset hal_fingerprint_hwservice_31_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_31_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_31_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_31_0 (hal_gnss_hwservice))
+(typeattributeset hal_gnss_service_31_0 (hal_gnss_service))
+(typeattributeset hal_graphics_allocator_hwservice_31_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_31_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_composer_server_tmpfs_31_0 (hal_graphics_composer_server_tmpfs))
+(typeattributeset hal_graphics_mapper_hwservice_31_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_31_0 (hal_health_hwservice))
+(typeattributeset hal_health_storage_hwservice_31_0 (hal_health_storage_hwservice))
+(typeattributeset hal_health_storage_service_31_0 (hal_health_storage_service))
+(typeattributeset hal_identity_service_31_0 (hal_identity_service))
+(typeattributeset hal_input_classifier_hwservice_31_0 (hal_input_classifier_hwservice))
+(typeattributeset hal_instrumentation_prop_31_0 (hal_instrumentation_prop))
+(typeattributeset hal_ir_hwservice_31_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_31_0 (hal_keymaster_hwservice))
+(typeattributeset hal_keymint_service_31_0 (hal_keymint_service))
+(typeattributeset hal_light_hwservice_31_0 (hal_light_hwservice))
+(typeattributeset hal_light_service_31_0 (hal_light_service))
+(typeattributeset hal_lowpan_hwservice_31_0 (hal_lowpan_hwservice))
+(typeattributeset hal_memtrack_hwservice_31_0 (hal_memtrack_hwservice))
+(typeattributeset hal_memtrack_service_31_0 (hal_memtrack_service))
+(typeattributeset hal_neuralnetworks_hwservice_31_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_neuralnetworks_service_31_0 (hal_neuralnetworks_service))
+(typeattributeset hal_nfc_hwservice_31_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_31_0 (hal_oemlock_hwservice))
+(typeattributeset hal_oemlock_service_31_0 (hal_oemlock_service))
+(typeattributeset hal_omx_hwservice_31_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_31_0 (hal_power_hwservice))
+(typeattributeset hal_power_service_31_0 (hal_power_service))
+(typeattributeset hal_power_stats_hwservice_31_0 (hal_power_stats_hwservice))
+(typeattributeset hal_power_stats_service_31_0 (hal_power_stats_service))
+(typeattributeset hal_rebootescrow_service_31_0 (hal_rebootescrow_service))
+(typeattributeset hal_remotelyprovisionedcomponent_service_31_0 (hal_remotelyprovisionedcomponent_service))
+(typeattributeset hal_renderscript_hwservice_31_0 (hal_renderscript_hwservice))
+(typeattributeset hal_secure_element_hwservice_31_0 (hal_secure_element_hwservice))
+(typeattributeset hal_secureclock_service_31_0 (hal_secureclock_service))
+(typeattributeset hal_sensors_hwservice_31_0 (hal_sensors_hwservice))
+(typeattributeset hal_sharedsecret_service_31_0 (hal_sharedsecret_service))
+(typeattributeset hal_telephony_hwservice_31_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_31_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_31_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_31_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_31_0 (hal_tv_input_hwservice))
+(typeattributeset hal_tv_tuner_hwservice_31_0 (hal_tv_tuner_hwservice))
+(typeattributeset hal_usb_gadget_hwservice_31_0 (hal_usb_gadget_hwservice))
+(typeattributeset hal_usb_hwservice_31_0 (hal_usb_hwservice))
+(typeattributeset hal_vehicle_hwservice_31_0 (hal_vehicle_hwservice))
+(typeattributeset hal_vibrator_hwservice_31_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vibrator_service_31_0 (hal_vibrator_service))
+(typeattributeset hal_vr_hwservice_31_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_31_0 (hal_weaver_hwservice))
+(typeattributeset hal_weaver_service_31_0 (hal_weaver_service))
+(typeattributeset hal_wifi_hostapd_hwservice_31_0 (hal_wifi_hostapd_hwservice))
+(typeattributeset hal_wifi_hwservice_31_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_31_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_31_0 (hardware_properties_service))
+(typeattributeset hardware_service_31_0 (hardware_service))
+(typeattributeset hci_attach_dev_31_0 (hci_attach_dev))
+(typeattributeset hdmi_config_prop_31_0 (hdmi_config_prop))
+(typeattributeset hdmi_control_service_31_0 (hdmi_control_service))
+(typeattributeset healthd_31_0 (healthd))
+(typeattributeset healthd_exec_31_0 (healthd_exec))
+(typeattributeset heapdump_data_file_31_0 (heapdump_data_file))
+(typeattributeset heapprofd_31_0 (heapprofd))
+(typeattributeset heapprofd_enabled_prop_31_0 (heapprofd_enabled_prop))
+(typeattributeset heapprofd_prop_31_0 (heapprofd_prop))
+(typeattributeset heapprofd_socket_31_0 (heapprofd_socket))
+(typeattributeset hidl_allocator_hwservice_31_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_31_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_31_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_31_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_31_0 (hidl_token_hwservice))
+(typeattributeset hint_service_31_0 (hint_service))
+(typeattributeset hw_random_device_31_0 (hw_random_device))
+(typeattributeset hw_timeout_multiplier_prop_31_0 (hw_timeout_multiplier_prop))
+(typeattributeset hwbinder_device_31_0 (hwbinder_device))
+(typeattributeset hwservice_contexts_file_31_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_31_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_31_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_31_0 (hwservicemanager_prop))
+(typeattributeset icon_file_31_0 (icon_file))
+(typeattributeset idmap_31_0 (idmap))
+(typeattributeset idmap_exec_31_0 (idmap_exec))
+(typeattributeset idmap_service_31_0 (idmap_service))
+(typeattributeset iio_device_31_0 (iio_device))
+(typeattributeset imms_service_31_0 (imms_service))
+(typeattributeset incident_31_0 (incident))
+(typeattributeset incident_data_file_31_0 (incident_data_file))
+(typeattributeset incident_helper_31_0 (incident_helper))
+(typeattributeset incident_service_31_0 (incident_service))
+(typeattributeset incidentd_31_0 (incidentd))
+(typeattributeset incremental_control_file_31_0 (incremental_control_file))
+(typeattributeset incremental_prop_31_0 (incremental_prop))
+(typeattributeset incremental_service_31_0 (incremental_service))
+(typeattributeset init_31_0 (init))
+(typeattributeset init_exec_31_0 (init_exec))
+(typeattributeset init_service_status_prop_31_0 (init_service_status_prop))
+(typeattributeset init_tmpfs_31_0 (init_tmpfs))
+(typeattributeset inotify_31_0 (inotify))
+(typeattributeset input_device_31_0 (input_device))
+(typeattributeset input_method_service_31_0 (input_method_service))
+(typeattributeset input_service_31_0 (input_service))
+(typeattributeset inputflinger_31_0 (inputflinger))
+(typeattributeset inputflinger_exec_31_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_31_0 (inputflinger_service))
+(typeattributeset install_data_file_31_0 (install_data_file))
+(typeattributeset installd_31_0 (installd))
+(typeattributeset installd_exec_31_0 (installd_exec))
+(typeattributeset installd_service_31_0 (installd_service))
+(typeattributeset ion_device_31_0 (ion_device))
+(typeattributeset iorap_inode2filename_31_0 (iorap_inode2filename))
+(typeattributeset iorap_inode2filename_exec_31_0 (iorap_inode2filename_exec))
+(typeattributeset iorap_inode2filename_tmpfs_31_0 (iorap_inode2filename_tmpfs))
+(typeattributeset iorap_prefetcherd_31_0 (iorap_prefetcherd))
+(typeattributeset iorap_prefetcherd_exec_31_0 (iorap_prefetcherd_exec))
+(typeattributeset iorap_prefetcherd_tmpfs_31_0 (iorap_prefetcherd_tmpfs))
+(typeattributeset iorapd_31_0 (iorapd))
+(typeattributeset iorapd_data_file_31_0 (iorapd_data_file))
+(typeattributeset iorapd_exec_31_0 (iorapd_exec))
+(typeattributeset iorapd_service_31_0 (iorapd_service))
+(typeattributeset iorapd_tmpfs_31_0 (iorapd_tmpfs))
+(typeattributeset ipsec_service_31_0 (ipsec_service))
+(typeattributeset iris_service_31_0 (iris_service))
+(typeattributeset iris_vendor_data_file_31_0 (iris_vendor_data_file))
+(typeattributeset isolated_app_31_0 (isolated_app))
+(typeattributeset jobscheduler_service_31_0 (jobscheduler_service))
+(typeattributeset kernel_31_0 (kernel))
+(typeattributeset keychain_data_file_31_0 (keychain_data_file))
+(typeattributeset keychord_device_31_0 (keychord_device))
+(typeattributeset keyguard_config_prop_31_0 (keyguard_config_prop))
+(typeattributeset keystore2_key_contexts_file_31_0 (keystore2_key_contexts_file))
+(typeattributeset keystore_31_0 (keystore))
+(typeattributeset keystore_compat_hal_service_31_0 (keystore_compat_hal_service))
+(typeattributeset keystore_data_file_31_0 (keystore_data_file))
+(typeattributeset keystore_exec_31_0 (keystore_exec))
+(typeattributeset keystore_maintenance_service_31_0 (keystore_maintenance_service))
+(typeattributeset keystore_metrics_service_31_0 (keystore_metrics_service))
+(typeattributeset keystore_service_31_0 (keystore_service))
+(typeattributeset kmsg_debug_device_31_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_31_0 (kmsg_device))
+(typeattributeset labeledfs_31_0 (labeledfs))
+(typeattributeset launcherapps_service_31_0 (launcherapps_service))
+(typeattributeset legacy_permission_service_31_0 (legacy_permission_service))
+(typeattributeset legacykeystore_service_31_0 (legacykeystore_service))
+(typeattributeset libc_debug_prop_31_0 (libc_debug_prop))
+(typeattributeset light_service_31_0 (light_service))
+(typeattributeset linkerconfig_file_31_0 (linkerconfig_file))
+(typeattributeset llkd_31_0 (llkd))
+(typeattributeset llkd_exec_31_0 (llkd_exec))
+(typeattributeset llkd_prop_31_0 (llkd_prop))
+(typeattributeset lmkd_31_0 (lmkd))
+(typeattributeset lmkd_config_prop_31_0 (lmkd_config_prop))
+(typeattributeset lmkd_exec_31_0 (lmkd_exec))
+(typeattributeset lmkd_prop_31_0 (lmkd_prop))
+(typeattributeset lmkd_socket_31_0 (lmkd_socket))
+(typeattributeset location_service_31_0 (location_service))
+(typeattributeset location_time_zone_manager_service_31_0 (location_time_zone_manager_service))
+(typeattributeset lock_settings_service_31_0 (lock_settings_service))
+(typeattributeset log_prop_31_0 (log_prop))
+(typeattributeset log_tag_prop_31_0 (log_tag_prop))
+(typeattributeset logcat_exec_31_0 (logcat_exec))
+(typeattributeset logd_31_0 (logd))
+(typeattributeset logd_exec_31_0 (logd_exec))
+(typeattributeset logd_prop_31_0 (logd_prop))
+(typeattributeset logd_socket_31_0 (logd_socket))
+(typeattributeset logdr_socket_31_0 (logdr_socket))
+(typeattributeset logdw_socket_31_0 (logdw_socket))
+(typeattributeset logpersist_31_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_31_0 (logpersistd_logging_prop))
+(typeattributeset loop_control_device_31_0 (loop_control_device))
+(typeattributeset loop_device_31_0 (loop_device))
+(typeattributeset looper_stats_service_31_0 (looper_stats_service))
+(typeattributeset lowpan_device_31_0 (lowpan_device))
+(typeattributeset lowpan_prop_31_0 (lowpan_prop))
+(typeattributeset lowpan_service_31_0 (lowpan_service))
+(typeattributeset lpdump_service_31_0 (lpdump_service))
+(typeattributeset lpdumpd_prop_31_0 (lpdumpd_prop))
+(typeattributeset mac_perms_file_31_0 (mac_perms_file))
+(typeattributeset mdns_socket_31_0 (mdns_socket))
+(typeattributeset mdnsd_31_0 (mdnsd))
+(typeattributeset mdnsd_socket_31_0 (mdnsd_socket))
+(typeattributeset media_communication_service_31_0 (media_communication_service))
+(typeattributeset media_config_prop_31_0 (media_config_prop))
+(typeattributeset media_data_file_31_0 (media_data_file))
+(typeattributeset media_metrics_service_31_0 (media_metrics_service))
+(typeattributeset media_projection_service_31_0 (media_projection_service))
+(typeattributeset media_router_service_31_0 (media_router_service))
+(typeattributeset media_rw_data_file_31_0 (media_rw_data_file))
+(typeattributeset media_session_service_31_0 (media_session_service))
+(typeattributeset media_variant_prop_31_0 (media_variant_prop))
+(typeattributeset mediadrm_config_prop_31_0 (mediadrm_config_prop))
+(typeattributeset mediadrmserver_31_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_31_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_31_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_31_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_31_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_31_0 (mediaextractor_service))
+(typeattributeset mediaextractor_tmpfs_31_0 (mediaextractor_tmpfs))
+(typeattributeset mediametrics_31_0 (mediametrics))
+(typeattributeset mediametrics_exec_31_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_31_0 (mediametrics_service))
+(typeattributeset mediaprovider_31_0 (mediaprovider))
+(typeattributeset mediaserver_31_0 (mediaserver))
+(typeattributeset mediaserver_exec_31_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_31_0 (mediaserver_service))
+(typeattributeset mediaserver_tmpfs_31_0 (mediaserver_tmpfs))
+(typeattributeset mediaswcodec_31_0 (mediaswcodec))
+(typeattributeset mediaswcodec_exec_31_0 (mediaswcodec_exec))
+(typeattributeset mediatranscoding_service_31_0 (mediatranscoding_service))
+(typeattributeset meminfo_service_31_0 (meminfo_service))
+(typeattributeset memtrackproxy_service_31_0 (memtrackproxy_service))
+(typeattributeset metadata_block_device_31_0 (metadata_block_device))
+(typeattributeset metadata_bootstat_file_31_0 (metadata_bootstat_file))
+(typeattributeset metadata_file_31_0 (metadata_file))
+(typeattributeset method_trace_data_file_31_0 (method_trace_data_file))
+(typeattributeset midi_service_31_0 (midi_service))
+(typeattributeset mirror_data_file_31_0 (mirror_data_file))
+(typeattributeset misc_block_device_31_0 (misc_block_device))
+(typeattributeset misc_logd_file_31_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_31_0 (misc_user_data_file))
+(typeattributeset mm_events_config_prop_31_0 (mm_events_config_prop))
+(typeattributeset mmc_prop_31_0 (mmc_prop))
+(typeattributeset mnt_expand_file_31_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_31_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_31_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_pass_through_file_31_0 (mnt_pass_through_file))
+(typeattributeset mnt_product_file_31_0 (mnt_product_file))
+(typeattributeset mnt_sdcard_file_31_0 (mnt_sdcard_file))
+(typeattributeset mnt_user_file_31_0 (mnt_user_file))
+(typeattributeset mnt_vendor_file_31_0 (mnt_vendor_file))
+(typeattributeset mock_ota_prop_31_0 (mock_ota_prop))
+(typeattributeset modprobe_31_0 (modprobe))
+(typeattributeset module_sdkextensions_prop_31_0 (module_sdkextensions_prop))
+(typeattributeset mount_service_31_0 (mount_service))
+(typeattributeset mqueue_31_0 (mqueue))
+(typeattributeset mtp_31_0 (mtp))
+(typeattributeset mtp_device_31_0 (mtp_device))
+(typeattributeset mtp_exec_31_0 (mtp_exec))
+(typeattributeset mtpd_socket_31_0 (mtpd_socket))
+(typeattributeset music_recognition_service_31_0 (music_recognition_service))
+(typeattributeset nativetest_data_file_31_0 (nativetest_data_file))
+(typeattributeset net_data_file_31_0 (net_data_file))
+(typeattributeset net_dns_prop_31_0 (net_dns_prop))
+(typeattributeset net_radio_prop_31_0 (net_radio_prop))
+(typeattributeset netd_31_0 (netd))
+(typeattributeset netd_exec_31_0 (netd_exec))
+(typeattributeset netd_listener_service_31_0 (netd_listener_service))
+(typeattributeset netd_service_31_0 (netd_service))
+(typeattributeset netif_31_0 (netif))
+(typeattributeset netpolicy_service_31_0 (netpolicy_service))
+(typeattributeset netstats_service_31_0 (netstats_service))
+(typeattributeset netutils_wrapper_31_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_31_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_31_0 (network_management_service))
+(typeattributeset network_score_service_31_0 (network_score_service))
+(typeattributeset network_stack_31_0 (network_stack))
+(typeattributeset network_stack_service_31_0 (network_stack_service))
+(typeattributeset network_time_update_service_31_0 (network_time_update_service))
+(typeattributeset network_watchlist_data_file_31_0 (network_watchlist_data_file))
+(typeattributeset network_watchlist_service_31_0 (network_watchlist_service))
+(typeattributeset nfc_31_0 (nfc))
+(typeattributeset nfc_data_file_31_0 (nfc_data_file))
+(typeattributeset nfc_device_31_0 (nfc_device))
+(typeattributeset nfc_logs_data_file_31_0 (nfc_logs_data_file))
+(typeattributeset nfc_prop_31_0 (nfc_prop))
+(typeattributeset nfc_service_31_0 (nfc_service))
+(typeattributeset nnapi_ext_deny_product_prop_31_0 (nnapi_ext_deny_product_prop))
+(typeattributeset node_31_0 (node))
+(typeattributeset nonplat_service_contexts_file_31_0 (nonplat_service_contexts_file))
+(typeattributeset notification_service_31_0 (notification_service))
+(typeattributeset null_device_31_0 (null_device))
+(typeattributeset oem_lock_service_31_0 (oem_lock_service))
+(typeattributeset oem_unlock_prop_31_0 (oem_unlock_prop))
+(typeattributeset oemfs_31_0 (oemfs))
+(typeattributeset ota_data_file_31_0 (ota_data_file))
+(typeattributeset ota_metadata_file_31_0 (ota_metadata_file))
+(typeattributeset ota_package_file_31_0 (ota_package_file))
+(typeattributeset ota_prop_31_0 (ota_prop))
+(typeattributeset otadexopt_service_31_0 (otadexopt_service))
+(typeattributeset otapreopt_chroot_31_0 (otapreopt_chroot))
+(typeattributeset overlay_prop_31_0 (overlay_prop))
+(typeattributeset overlay_service_31_0 (overlay_service))
+(typeattributeset overlayfs_file_31_0 (overlayfs_file))
+(typeattributeset owntty_device_31_0 (owntty_device))
+(typeattributeset pac_proxy_service_31_0 (pac_proxy_service))
+(typeattributeset package_native_service_31_0 (package_native_service))
+(typeattributeset package_service_31_0 (package_service))
+(typeattributeset packagemanager_config_prop_31_0 (packagemanager_config_prop))
+(typeattributeset packages_list_file_31_0 (packages_list_file))
+(typeattributeset pan_result_prop_31_0 (pan_result_prop))
+(typeattributeset password_slot_metadata_file_31_0 (password_slot_metadata_file))
+(typeattributeset pdx_bufferhub_client_channel_socket_31_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_31_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_31_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_31_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_31_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_31_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_31_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_31_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_31_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_31_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_31_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_31_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_31_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_31_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_31_0 (pdx_performance_dir))
+(typeattributeset people_service_31_0 (people_service))
+(typeattributeset perfetto_31_0 (perfetto))
+(typeattributeset performanced_31_0 (performanced))
+(typeattributeset performanced_exec_31_0 (performanced_exec))
+(typeattributeset permission_checker_service_31_0 (permission_checker_service))
+(typeattributeset permission_service_31_0 (permission_service))
+(typeattributeset permissionmgr_service_31_0 (permissionmgr_service))
+(typeattributeset persist_debug_prop_31_0 (persist_debug_prop))
+(typeattributeset persist_vendor_debug_wifi_prop_31_0 (persist_vendor_debug_wifi_prop))
+(typeattributeset persistent_data_block_service_31_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_31_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_31_0 (pinner_service))
+(typeattributeset pipefs_31_0 (pipefs))
+(typeattributeset platform_app_31_0 (platform_app))
+(typeattributeset platform_compat_service_31_0 (platform_compat_service))
+(typeattributeset pmsg_device_31_0 (pmsg_device))
+(typeattributeset port_31_0 (port))
+(typeattributeset port_device_31_0 (port_device))
+(typeattributeset postinstall_31_0 (postinstall))
+(typeattributeset postinstall_apex_mnt_dir_31_0 (postinstall_apex_mnt_dir))
+(typeattributeset postinstall_file_31_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_31_0 (postinstall_mnt_dir))
+(typeattributeset power_debug_prop_31_0 (power_debug_prop))
+(typeattributeset power_service_31_0 (power_service))
+(typeattributeset powerctl_prop_31_0 (powerctl_prop))
+(typeattributeset powerstats_service_31_0 (powerstats_service))
+(typeattributeset ppp_31_0 (ppp))
+(typeattributeset ppp_device_31_0 (ppp_device))
+(typeattributeset ppp_exec_31_0 (ppp_exec))
+(typeattributeset preloads_data_file_31_0 (preloads_data_file))
+(typeattributeset preloads_media_file_31_0 (preloads_media_file))
+(typeattributeset prereboot_data_file_31_0 (prereboot_data_file))
+(typeattributeset print_service_31_0 (print_service))
+(typeattributeset priv_app_31_0 (priv_app))
+(typeattributeset privapp_data_file_31_0 (privapp_data_file))
+(typeattributeset proc_31_0
+ ( proc
+ proc_bpf
+ proc_cpu_alignment
+))
+(typeattributeset proc_abi_31_0 (proc_abi))
+(typeattributeset proc_asound_31_0 (proc_asound))
+(typeattributeset proc_bluetooth_writable_31_0 (proc_bluetooth_writable))
+(typeattributeset proc_bootconfig_31_0 (proc_bootconfig))
+(typeattributeset proc_buddyinfo_31_0 (proc_buddyinfo))
+(typeattributeset proc_cmdline_31_0 (proc_cmdline))
+(typeattributeset proc_cpuinfo_31_0 (proc_cpuinfo))
+(typeattributeset proc_dirty_31_0 (proc_dirty))
+(typeattributeset proc_diskstats_31_0 (proc_diskstats))
+(typeattributeset proc_drop_caches_31_0 (proc_drop_caches))
+(typeattributeset proc_extra_free_kbytes_31_0 (proc_extra_free_kbytes))
+(typeattributeset proc_filesystems_31_0 (proc_filesystems))
+(typeattributeset proc_fs_verity_31_0 (proc_fs_verity))
+(typeattributeset proc_hostname_31_0 (proc_hostname))
+(typeattributeset proc_hung_task_31_0 (proc_hung_task))
+(typeattributeset proc_interrupts_31_0 (proc_interrupts))
+(typeattributeset proc_iomem_31_0 (proc_iomem))
+(typeattributeset proc_kallsyms_31_0 (proc_kallsyms))
+(typeattributeset proc_keys_31_0 (proc_keys))
+(typeattributeset proc_kmsg_31_0 (proc_kmsg))
+(typeattributeset proc_kpageflags_31_0 (proc_kpageflags))
+(typeattributeset proc_loadavg_31_0 (proc_loadavg))
+(typeattributeset proc_locks_31_0 (proc_locks))
+(typeattributeset proc_lowmemorykiller_31_0 (proc_lowmemorykiller))
+(typeattributeset proc_max_map_count_31_0 (proc_max_map_count))
+(typeattributeset proc_meminfo_31_0 (proc_meminfo))
+(typeattributeset proc_min_free_order_shift_31_0 (proc_min_free_order_shift))
+(typeattributeset proc_misc_31_0 (proc_misc))
+(typeattributeset proc_modules_31_0 (proc_modules))
+(typeattributeset proc_mounts_31_0 (proc_mounts))
+(typeattributeset proc_net_31_0
+ ( proc_bpf
+ proc_net
+))
+(typeattributeset proc_net_tcp_udp_31_0 (proc_net_tcp_udp))
+(typeattributeset proc_overcommit_memory_31_0 (proc_overcommit_memory))
+(typeattributeset proc_page_cluster_31_0 (proc_page_cluster))
+(typeattributeset proc_pagetypeinfo_31_0 (proc_pagetypeinfo))
+(typeattributeset proc_panic_31_0 (proc_panic))
+(typeattributeset proc_perf_31_0 (proc_perf))
+(typeattributeset proc_pid_max_31_0 (proc_pid_max))
+(typeattributeset proc_pipe_conf_31_0 (proc_pipe_conf))
+(typeattributeset proc_pressure_cpu_31_0 (proc_pressure_cpu))
+(typeattributeset proc_pressure_io_31_0 (proc_pressure_io))
+(typeattributeset proc_pressure_mem_31_0 (proc_pressure_mem))
+(typeattributeset proc_qtaguid_ctrl_31_0 (proc_qtaguid_ctrl))
+(typeattributeset proc_qtaguid_stat_31_0 (proc_qtaguid_stat))
+(typeattributeset proc_random_31_0 (proc_random))
+(typeattributeset proc_sched_31_0 (proc_sched))
+(typeattributeset proc_security_31_0 (proc_security))
+(typeattributeset proc_slabinfo_31_0 (proc_slabinfo))
+(typeattributeset proc_stat_31_0 (proc_stat))
+(typeattributeset proc_swaps_31_0 (proc_swaps))
+(typeattributeset proc_sysrq_31_0 (proc_sysrq))
+(typeattributeset proc_timer_31_0 (proc_timer))
+(typeattributeset proc_tty_drivers_31_0 (proc_tty_drivers))
+(typeattributeset proc_uid_concurrent_active_time_31_0 (proc_uid_concurrent_active_time))
+(typeattributeset proc_uid_concurrent_policy_time_31_0 (proc_uid_concurrent_policy_time))
+(typeattributeset proc_uid_cpupower_31_0 (proc_uid_cpupower))
+(typeattributeset proc_uid_cputime_removeuid_31_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_31_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_31_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_31_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_31_0 (proc_uid_time_in_state))
+(typeattributeset proc_uptime_31_0 (proc_uptime))
+(typeattributeset proc_vendor_sched_31_0 (proc_vendor_sched))
+(typeattributeset proc_version_31_0 (proc_version))
+(typeattributeset proc_vmallocinfo_31_0 (proc_vmallocinfo))
+(typeattributeset proc_vmstat_31_0 (proc_vmstat))
+(typeattributeset proc_zoneinfo_31_0 (proc_zoneinfo))
+(typeattributeset processinfo_service_31_0 (processinfo_service))
+(typeattributeset procstats_service_31_0 (procstats_service))
+(typeattributeset profman_31_0 (profman))
+(typeattributeset profman_dump_data_file_31_0 (profman_dump_data_file))
+(typeattributeset profman_exec_31_0 (profman_exec))
+(typeattributeset properties_device_31_0 (properties_device))
+(typeattributeset properties_serial_31_0 (properties_serial))
+(typeattributeset property_contexts_file_31_0 (property_contexts_file))
+(typeattributeset property_data_file_31_0 (property_data_file))
+(typeattributeset property_info_31_0 (property_info))
+(typeattributeset property_service_version_prop_31_0 (property_service_version_prop))
+(typeattributeset property_socket_31_0 (property_socket))
+(typeattributeset provisioned_prop_31_0 (provisioned_prop))
+(typeattributeset pstorefs_31_0 (pstorefs))
+(typeattributeset ptmx_device_31_0 (ptmx_device))
+(typeattributeset qemu_hw_prop_31_0 (qemu_hw_prop))
+(typeattributeset qemu_sf_lcd_density_prop_31_0 (qemu_sf_lcd_density_prop))
+(typeattributeset qtaguid_device_31_0 (qtaguid_device))
+(typeattributeset racoon_31_0 (racoon))
+(typeattributeset racoon_exec_31_0 (racoon_exec))
+(typeattributeset racoon_socket_31_0 (racoon_socket))
+(typeattributeset radio_31_0 (radio))
+(typeattributeset radio_control_prop_31_0 (radio_control_prop))
+(typeattributeset radio_core_data_file_31_0 (radio_core_data_file))
+(typeattributeset radio_data_file_31_0 (radio_data_file))
+(typeattributeset radio_device_31_0 (radio_device))
+(typeattributeset radio_prop_31_0 (radio_prop))
+(typeattributeset radio_service_31_0 (radio_service))
+(typeattributeset ram_device_31_0 (ram_device))
+(typeattributeset random_device_31_0 (random_device))
+(typeattributeset reboot_readiness_service_31_0 (reboot_readiness_service))
+(typeattributeset rebootescrow_hal_prop_31_0 (rebootescrow_hal_prop))
+(typeattributeset recovery_31_0 (recovery))
+(typeattributeset recovery_block_device_31_0 (recovery_block_device))
+(typeattributeset recovery_config_prop_31_0 (recovery_config_prop))
+(typeattributeset recovery_data_file_31_0 (recovery_data_file))
+(typeattributeset recovery_persist_31_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_31_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_31_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_31_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_31_0 (recovery_service))
+(typeattributeset recovery_socket_31_0 (recovery_socket))
+(typeattributeset registry_service_31_0 (registry_service))
+(typeattributeset remoteprovisioning_service_31_0 (remoteprovisioning_service))
+(typeattributeset resourcecache_data_file_31_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_31_0 (restorecon_prop))
+(typeattributeset restrictions_service_31_0 (restrictions_service))
+(typeattributeset retaildemo_prop_31_0 (retaildemo_prop))
+(typeattributeset rild_debug_socket_31_0 (rild_debug_socket))
+(typeattributeset rild_socket_31_0 (rild_socket))
+(typeattributeset ringtone_file_31_0 (ringtone_file))
+(typeattributeset role_service_31_0 (role_service))
+(typeattributeset rollback_service_31_0 (rollback_service))
+(typeattributeset root_block_device_31_0 (root_block_device))
+(typeattributeset rootfs_31_0 (rootfs))
+(typeattributeset rpmsg_device_31_0 (rpmsg_device))
+(typeattributeset rs_31_0 (rs))
+(typeattributeset rs_exec_31_0 (rs_exec))
+(typeattributeset rss_hwm_reset_31_0 (rss_hwm_reset))
+(typeattributeset rtc_device_31_0 (rtc_device))
+(typeattributeset rttmanager_service_31_0 (rttmanager_service))
+(typeattributeset runas_31_0 (runas))
+(typeattributeset runas_app_31_0 (runas_app))
+(typeattributeset runas_exec_31_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_31_0 (runtime_event_log_tags_file))
+(typeattributeset runtime_service_31_0 (runtime_service))
+(typeattributeset safemode_prop_31_0 (safemode_prop))
+(typeattributeset same_process_hal_file_31_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_31_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_31_0 (scheduling_policy_service))
+(typeattributeset sdcard_block_device_31_0 (sdcard_block_device))
+(typeattributeset sdcardd_31_0 (sdcardd))
+(typeattributeset sdcardd_exec_31_0 (sdcardd_exec))
+(typeattributeset sdcardfs_31_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_31_0 (seapp_contexts_file))
+(typeattributeset search_service_31_0 (search_service))
+(typeattributeset search_ui_service_31_0 (search_ui_service))
+(typeattributeset sec_key_att_app_id_provider_service_31_0 (sec_key_att_app_id_provider_service))
+(typeattributeset secure_element_31_0 (secure_element))
+(typeattributeset secure_element_device_31_0 (secure_element_device))
+(typeattributeset secure_element_service_31_0 (secure_element_service))
+(typeattributeset securityfs_31_0 (securityfs))
+(typeattributeset selinuxfs_31_0 (selinuxfs))
+(typeattributeset sendbug_config_prop_31_0 (sendbug_config_prop))
+(typeattributeset sensor_privacy_service_31_0 (sensor_privacy_service))
+(typeattributeset sensors_device_31_0 (sensors_device))
+(typeattributeset sensorservice_service_31_0 (sensorservice_service))
+(typeattributeset sepolicy_file_31_0 (sepolicy_file))
+(typeattributeset serial_device_31_0 (serial_device))
+(typeattributeset serial_service_31_0 (serial_service))
+(typeattributeset serialno_prop_31_0 (serialno_prop))
+(typeattributeset server_configurable_flags_data_file_31_0 (server_configurable_flags_data_file))
+(typeattributeset service_contexts_file_31_0 (service_contexts_file))
+(typeattributeset service_manager_service_31_0 (service_manager_service))
+(typeattributeset service_manager_vndservice_31_0 (service_manager_vndservice))
+(typeattributeset servicediscovery_service_31_0 (servicediscovery_service))
+(typeattributeset servicemanager_31_0 (servicemanager))
+(typeattributeset servicemanager_exec_31_0 (servicemanager_exec))
+(typeattributeset settings_service_31_0 (settings_service))
+(typeattributeset sgdisk_31_0 (sgdisk))
+(typeattributeset sgdisk_exec_31_0 (sgdisk_exec))
+(typeattributeset shared_relro_31_0 (shared_relro))
+(typeattributeset shared_relro_file_31_0 (shared_relro_file))
+(typeattributeset shell_31_0 (shell))
+(typeattributeset shell_data_file_31_0 (shell_data_file))
+(typeattributeset shell_exec_31_0 (shell_exec))
+(typeattributeset shell_prop_31_0 (shell_prop))
+(typeattributeset shell_test_data_file_31_0 (shell_test_data_file))
+(typeattributeset shm_31_0 (shm))
+(typeattributeset shortcut_manager_icons_31_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_31_0 (shortcut_service))
+(typeattributeset simpleperf_31_0 (simpleperf))
+(typeattributeset simpleperf_app_runner_31_0 (simpleperf_app_runner))
+(typeattributeset simpleperf_app_runner_exec_31_0 (simpleperf_app_runner_exec))
+(typeattributeset slice_service_31_0 (slice_service))
+(typeattributeset slideshow_31_0 (slideshow))
+(typeattributeset smartspace_service_31_0 (smartspace_service))
+(typeattributeset snapshotctl_log_data_file_31_0 (snapshotctl_log_data_file))
+(typeattributeset snapuserd_socket_31_0 (snapuserd_socket))
+(typeattributeset soc_prop_31_0 (soc_prop))
+(typeattributeset socket_device_31_0 (socket_device))
+(typeattributeset socket_hook_prop_31_0 (socket_hook_prop))
+(typeattributeset sockfs_31_0 (sockfs))
+(typeattributeset sota_prop_31_0 (sota_prop))
+(typeattributeset soundtrigger_middleware_service_31_0 (soundtrigger_middleware_service))
+(typeattributeset speech_recognition_service_31_0 (speech_recognition_service))
+(typeattributeset sqlite_log_prop_31_0 (sqlite_log_prop))
+(typeattributeset staged_install_file_31_0 (staged_install_file))
+(typeattributeset staging_data_file_31_0 (staging_data_file))
+(typeattributeset stats_data_file_31_0 (stats_data_file))
+(typeattributeset statsd_31_0 (statsd))
+(typeattributeset statsd_exec_31_0 (statsd_exec))
+(typeattributeset statsdw_socket_31_0 (statsdw_socket))
+(typeattributeset statusbar_service_31_0 (statusbar_service))
+(typeattributeset storage_config_prop_31_0 (storage_config_prop))
+(typeattributeset storage_file_31_0 (storage_file))
+(typeattributeset storage_stub_file_31_0 (storage_stub_file))
+(typeattributeset storaged_service_31_0 (storaged_service))
+(typeattributeset storagemanager_config_prop_31_0 (storagemanager_config_prop))
+(typeattributeset storagestats_service_31_0 (storagestats_service))
+(typeattributeset su_31_0 (su))
+(typeattributeset su_exec_31_0 (su_exec))
+(typeattributeset super_block_device_31_0 (super_block_device))
+(typeattributeset surfaceflinger_31_0 (surfaceflinger))
+(typeattributeset surfaceflinger_color_prop_31_0 (surfaceflinger_color_prop))
+(typeattributeset surfaceflinger_display_prop_31_0 (surfaceflinger_display_prop))
+(typeattributeset surfaceflinger_prop_31_0 (surfaceflinger_prop))
+(typeattributeset surfaceflinger_service_31_0 (surfaceflinger_service))
+(typeattributeset surfaceflinger_tmpfs_31_0 (surfaceflinger_tmpfs))
+(typeattributeset suspend_prop_31_0 (suspend_prop))
+(typeattributeset swap_block_device_31_0 (swap_block_device))
+(typeattributeset sysfs_31_0 (sysfs))
+(typeattributeset sysfs_android_usb_31_0 (sysfs_android_usb))
+(typeattributeset sysfs_batteryinfo_31_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_block_31_0 (sysfs_block))
+(typeattributeset sysfs_bluetooth_writable_31_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devfreq_cur_31_0 (sysfs_devfreq_cur))
+(typeattributeset sysfs_devfreq_dir_31_0 (sysfs_devfreq_dir))
+(typeattributeset sysfs_devices_block_31_0 (sysfs_devices_block))
+(typeattributeset sysfs_devices_cs_etm_31_0 (sysfs_devices_cs_etm))
+(typeattributeset sysfs_devices_system_cpu_31_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_dm_31_0 (sysfs_dm))
+(typeattributeset sysfs_dm_verity_31_0 (sysfs_dm_verity))
+(typeattributeset sysfs_dma_heap_31_0 (sysfs_dma_heap))
+(typeattributeset sysfs_dmabuf_stats_31_0 (sysfs_dmabuf_stats))
+(typeattributeset sysfs_dt_firmware_android_31_0 (sysfs_dt_firmware_android))
+(typeattributeset sysfs_extcon_31_0 (sysfs_extcon))
+(typeattributeset sysfs_fs_ext4_features_31_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_fs_f2fs_31_0 (sysfs_fs_f2fs))
+(typeattributeset sysfs_fs_incfs_features_31_0 (sysfs_fs_incfs_features))
+(typeattributeset sysfs_fs_incfs_metrics_31_0 (sysfs_fs_incfs_metrics))
+(typeattributeset sysfs_hwrandom_31_0 (sysfs_hwrandom))
+(typeattributeset sysfs_ion_31_0 (sysfs_ion))
+(typeattributeset sysfs_ipv4_31_0 (sysfs_ipv4))
+(typeattributeset sysfs_kernel_notes_31_0 (sysfs_kernel_notes))
+(typeattributeset sysfs_leds_31_0 (sysfs_leds))
+(typeattributeset sysfs_loop_31_0 (sysfs_loop))
+(typeattributeset sysfs_lowmemorykiller_31_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_net_31_0 (sysfs_net))
+(typeattributeset sysfs_nfc_power_writable_31_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_power_31_0 (sysfs_power))
+(typeattributeset sysfs_rtc_31_0 (sysfs_rtc))
+(typeattributeset sysfs_suspend_stats_31_0 (sysfs_suspend_stats))
+(typeattributeset sysfs_switch_31_0 (sysfs_switch))
+(typeattributeset sysfs_thermal_31_0 (sysfs_thermal))
+(typeattributeset sysfs_transparent_hugepage_31_0 (sysfs_transparent_hugepage))
+(typeattributeset sysfs_uhid_31_0 (sysfs_uhid))
+(typeattributeset sysfs_uio_31_0 (sysfs_uio))
+(typeattributeset sysfs_usb_31_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_31_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vendor_sched_31_0 (sysfs_vendor_sched))
+(typeattributeset sysfs_vibrator_31_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_31_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wakeup_31_0 (sysfs_wakeup))
+(typeattributeset sysfs_wakeup_reasons_31_0 (sysfs_wakeup_reasons))
+(typeattributeset sysfs_wlan_fwpath_31_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_31_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_31_0 (sysfs_zram_uevent))
+(typeattributeset system_app_31_0 (system_app))
+(typeattributeset system_app_data_file_31_0 (system_app_data_file))
+(typeattributeset system_app_service_31_0 (system_app_service))
+(typeattributeset system_asan_options_file_31_0 (system_asan_options_file))
+(typeattributeset system_block_device_31_0 (system_block_device))
+(typeattributeset system_boot_reason_prop_31_0 (system_boot_reason_prop))
+(typeattributeset system_bootstrap_lib_file_31_0 (system_bootstrap_lib_file))
+(typeattributeset system_config_service_31_0 (system_config_service))
+(typeattributeset system_data_file_31_0 (system_data_file))
+(typeattributeset system_data_root_file_31_0 (system_data_root_file))
+(typeattributeset system_event_log_tags_file_31_0 (system_event_log_tags_file))
+(typeattributeset system_file_31_0 (system_file))
+(typeattributeset system_group_file_31_0 (system_group_file))
+(typeattributeset system_jvmti_agent_prop_31_0 (system_jvmti_agent_prop))
+(typeattributeset system_lib_file_31_0 (system_lib_file))
+(typeattributeset system_linker_config_file_31_0 (system_linker_config_file))
+(typeattributeset system_linker_exec_31_0 (system_linker_exec))
+(typeattributeset system_lmk_prop_31_0 (system_lmk_prop))
+(typeattributeset system_ndebug_socket_31_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_31_0 (system_net_netd_hwservice))
+(typeattributeset system_passwd_file_31_0 (system_passwd_file))
+(typeattributeset system_prop_31_0 (system_prop))
+(typeattributeset system_seccomp_policy_file_31_0 (system_seccomp_policy_file))
+(typeattributeset system_security_cacerts_file_31_0 (system_security_cacerts_file))
+(typeattributeset system_server_31_0 (system_server))
+(typeattributeset system_server_dumper_service_31_0 (system_server_dumper_service))
+(typeattributeset system_server_tmpfs_31_0 (system_server_tmpfs))
+(typeattributeset system_suspend_control_internal_service_31_0 (system_suspend_control_internal_service))
+(typeattributeset system_suspend_control_service_31_0 (system_suspend_control_service))
+(typeattributeset system_suspend_hwservice_31_0 (system_suspend_hwservice))
+(typeattributeset system_trace_prop_31_0 (system_trace_prop))
+(typeattributeset system_unsolzygote_socket_31_0 (system_unsolzygote_socket))
+(typeattributeset system_update_service_31_0 (system_update_service))
+(typeattributeset system_wifi_keystore_hwservice_31_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_31_0 (system_wpa_socket))
+(typeattributeset system_zoneinfo_file_31_0 (system_zoneinfo_file))
+(typeattributeset systemkeys_data_file_31_0 (systemkeys_data_file))
+(typeattributeset systemsound_config_prop_31_0 (systemsound_config_prop))
+(typeattributeset task_profiles_api_file_31_0 (task_profiles_api_file))
+(typeattributeset task_profiles_file_31_0 (task_profiles_file))
+(typeattributeset task_service_31_0 (task_service))
+(typeattributeset tcpdump_exec_31_0 (tcpdump_exec))
+(typeattributeset tee_31_0 (tee))
+(typeattributeset tee_data_file_31_0 (tee_data_file))
+(typeattributeset tee_device_31_0 (tee_device))
+(typeattributeset telecom_service_31_0 (telecom_service))
+(typeattributeset telephony_config_prop_31_0 (telephony_config_prop))
+(typeattributeset telephony_status_prop_31_0 (telephony_status_prop))
+(typeattributeset test_boot_reason_prop_31_0 (test_boot_reason_prop))
+(typeattributeset test_harness_prop_31_0 (test_harness_prop))
+(typeattributeset testharness_service_31_0 (testharness_service))
+(typeattributeset tethering_service_31_0 (tethering_service))
+(typeattributeset textclassification_service_31_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_31_0 (textclassifier_data_file))
+(typeattributeset textservices_service_31_0 (textservices_service))
+(typeattributeset texttospeech_service_31_0 (texttospeech_service))
+(typeattributeset theme_prop_31_0 (theme_prop))
+(typeattributeset thermal_service_31_0 (thermal_service))
+(typeattributeset time_prop_31_0 (time_prop))
+(typeattributeset timedetector_service_31_0 (timedetector_service))
+(typeattributeset timezone_service_31_0 (timezone_service))
+(typeattributeset timezonedetector_service_31_0 (timezonedetector_service))
+(typeattributeset tmpfs_31_0 (tmpfs))
+(typeattributeset tombstone_config_prop_31_0 (tombstone_config_prop))
+(typeattributeset tombstone_data_file_31_0 (tombstone_data_file))
+(typeattributeset tombstone_wifi_data_file_31_0 (tombstone_wifi_data_file))
+(typeattributeset tombstoned_31_0 (tombstoned))
+(typeattributeset tombstoned_crash_socket_31_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_31_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_31_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_31_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_31_0 (toolbox))
+(typeattributeset toolbox_exec_31_0 (toolbox_exec))
+(typeattributeset trace_data_file_31_0 (trace_data_file))
+(typeattributeset traced_31_0 (traced))
+(typeattributeset traced_consumer_socket_31_0 (traced_consumer_socket))
+(typeattributeset traced_enabled_prop_31_0 (traced_enabled_prop))
+(typeattributeset traced_lazy_prop_31_0 (traced_lazy_prop))
+(typeattributeset traced_perf_31_0 (traced_perf))
+(typeattributeset traced_perf_socket_31_0 (traced_perf_socket))
+(typeattributeset traced_probes_31_0 (traced_probes))
+(typeattributeset traced_producer_socket_31_0 (traced_producer_socket))
+(typeattributeset traced_tmpfs_31_0 (traced_tmpfs))
+(typeattributeset traceur_app_31_0 (traceur_app))
+(typeattributeset translation_service_31_0 (translation_service))
+(typeattributeset trust_service_31_0 (trust_service))
+(typeattributeset tty_device_31_0 (tty_device))
+(typeattributeset tun_device_31_0 (tun_device))
+(typeattributeset tv_input_service_31_0 (tv_input_service))
+(typeattributeset tv_tuner_resource_mgr_service_31_0 (tv_tuner_resource_mgr_service))
+(typeattributeset tzdatacheck_31_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_31_0 (tzdatacheck_exec))
+(typeattributeset ueventd_31_0 (ueventd))
+(typeattributeset ueventd_tmpfs_31_0 (ueventd_tmpfs))
+(typeattributeset uhid_device_31_0 (uhid_device))
+(typeattributeset uimode_service_31_0 (uimode_service))
+(typeattributeset uio_device_31_0 (uio_device))
+(typeattributeset uncrypt_31_0 (uncrypt))
+(typeattributeset uncrypt_exec_31_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_31_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_31_0 (unencrypted_data_file))
+(typeattributeset unlabeled_31_0 (unlabeled))
+(typeattributeset untrusted_app_25_31_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_31_0 (untrusted_app_27))
+(typeattributeset untrusted_app_29_31_0 (untrusted_app_29))
+(typeattributeset untrusted_app_31_0 (untrusted_app))
+(typeattributeset update_engine_31_0 (update_engine))
+(typeattributeset update_engine_data_file_31_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_31_0 (update_engine_exec))
+(typeattributeset update_engine_log_data_file_31_0 (update_engine_log_data_file))
+(typeattributeset update_engine_service_31_0 (update_engine_service))
+(typeattributeset update_engine_stable_service_31_0 (update_engine_stable_service))
+(typeattributeset update_verifier_31_0 (update_verifier))
+(typeattributeset update_verifier_exec_31_0 (update_verifier_exec))
+(typeattributeset updatelock_service_31_0 (updatelock_service))
+(typeattributeset uri_grants_service_31_0 (uri_grants_service))
+(typeattributeset usagestats_service_31_0 (usagestats_service))
+(typeattributeset usb_config_prop_31_0 (usb_config_prop))
+(typeattributeset usb_control_prop_31_0 (usb_control_prop))
+(typeattributeset usb_device_31_0 (usb_device))
+(typeattributeset usb_prop_31_0 (usb_prop))
+(typeattributeset usb_serial_device_31_0 (usb_serial_device))
+(typeattributeset usb_service_31_0 (usb_service))
+(typeattributeset usbaccessory_device_31_0 (usbaccessory_device))
+(typeattributeset usbd_31_0 (usbd))
+(typeattributeset usbd_exec_31_0 (usbd_exec))
+(typeattributeset usbfs_31_0 (usbfs))
+(typeattributeset use_memfd_prop_31_0 (use_memfd_prop))
+(typeattributeset user_profile_data_file_31_0 (user_profile_data_file))
+(typeattributeset user_profile_root_file_31_0 (user_profile_root_file))
+(typeattributeset user_service_31_0 (user_service))
+(typeattributeset userdata_block_device_31_0 (userdata_block_device))
+(typeattributeset userdata_sysdev_31_0 (userdata_sysdev))
+(typeattributeset usermodehelper_31_0 (usermodehelper))
+(typeattributeset userspace_reboot_config_prop_31_0 (userspace_reboot_config_prop))
+(typeattributeset userspace_reboot_exported_prop_31_0 (userspace_reboot_exported_prop))
+(typeattributeset userspace_reboot_metadata_file_31_0 (userspace_reboot_metadata_file))
+(typeattributeset uwb_service_31_0 (uwb_service))
+(typeattributeset vcn_management_service_31_0 (vcn_management_service))
+(typeattributeset vd_device_31_0 (vd_device))
+(typeattributeset vdc_31_0 (vdc))
+(typeattributeset vdc_exec_31_0 (vdc_exec))
+(typeattributeset vehicle_hal_prop_31_0 (vehicle_hal_prop))
+(typeattributeset vendor_apex_file_31_0 (vendor_apex_file))
+(typeattributeset vendor_app_file_31_0 (vendor_app_file))
+(typeattributeset vendor_cgroup_desc_file_31_0 (vendor_cgroup_desc_file))
+(typeattributeset vendor_configs_file_31_0 (vendor_configs_file))
+(typeattributeset vendor_data_file_31_0 (vendor_data_file))
+(typeattributeset vendor_default_prop_31_0 (vendor_default_prop))
+(typeattributeset vendor_file_31_0 (vendor_file))
+(typeattributeset vendor_framework_file_31_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_31_0 (vendor_hal_file))
+(typeattributeset vendor_idc_file_31_0 (vendor_idc_file))
+(typeattributeset vendor_init_31_0 (vendor_init))
+(typeattributeset vendor_kernel_modules_31_0 (vendor_kernel_modules))
+(typeattributeset vendor_keychars_file_31_0 (vendor_keychars_file))
+(typeattributeset vendor_keylayout_file_31_0 (vendor_keylayout_file))
+(typeattributeset vendor_misc_writer_31_0 (vendor_misc_writer))
+(typeattributeset vendor_misc_writer_exec_31_0 (vendor_misc_writer_exec))
+(typeattributeset vendor_modprobe_31_0 (vendor_modprobe))
+(typeattributeset vendor_overlay_file_31_0 (vendor_overlay_file))
+(typeattributeset vendor_public_framework_file_31_0 (vendor_public_framework_file))
+(typeattributeset vendor_public_lib_file_31_0 (vendor_public_lib_file))
+(typeattributeset vendor_security_patch_level_prop_31_0 (vendor_security_patch_level_prop))
+(typeattributeset vendor_service_contexts_file_31_0 (vendor_service_contexts_file))
+(typeattributeset vendor_shell_31_0 (vendor_shell))
+(typeattributeset vendor_shell_exec_31_0 (vendor_shell_exec))
+(typeattributeset vendor_socket_hook_prop_31_0 (vendor_socket_hook_prop))
+(typeattributeset vendor_task_profiles_file_31_0 (vendor_task_profiles_file))
+(typeattributeset vendor_toolbox_exec_31_0 (vendor_toolbox_exec))
+(typeattributeset vfat_31_0 (vfat))
+(typeattributeset vibrator_manager_service_31_0 (vibrator_manager_service))
+(typeattributeset vibrator_service_31_0 (vibrator_service))
+(typeattributeset video_device_31_0 (video_device))
+(typeattributeset virtual_ab_prop_31_0 (virtual_ab_prop))
+(typeattributeset virtual_touchpad_31_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_31_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_31_0 (virtual_touchpad_service))
+(typeattributeset virtualization_service_31_0 (virtualization_service))
+(typeattributeset vndbinder_device_31_0 (vndbinder_device))
+(typeattributeset vndk_prop_31_0 (vndk_prop))
+(typeattributeset vndk_sp_file_31_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_31_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_31_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_31_0 (voiceinteraction_service))
+(typeattributeset vold_31_0 (vold))
+(typeattributeset vold_config_prop_31_0 (vold_config_prop))
+(typeattributeset vold_data_file_31_0 (vold_data_file))
+(typeattributeset vold_device_31_0 (vold_device))
+(typeattributeset vold_exec_31_0 (vold_exec))
+(typeattributeset vold_metadata_file_31_0 (vold_metadata_file))
+(typeattributeset vold_post_fs_data_prop_31_0 (vold_post_fs_data_prop))
+(typeattributeset vold_prepare_subdirs_31_0 (vold_prepare_subdirs))
+(typeattributeset vold_prepare_subdirs_exec_31_0 (vold_prepare_subdirs_exec))
+(typeattributeset vold_prop_31_0 (vold_prop))
+(typeattributeset vold_service_31_0 (vold_service))
+(typeattributeset vold_status_prop_31_0 (vold_status_prop))
+(typeattributeset vpn_data_file_31_0 (vpn_data_file))
+(typeattributeset vpn_management_service_31_0 (vpn_management_service))
+(typeattributeset vr_hwc_31_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_31_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_31_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_31_0 (vr_manager_service))
+(typeattributeset vrflinger_vsync_service_31_0 (vrflinger_vsync_service))
+(typeattributeset vts_config_prop_31_0 (vts_config_prop))
+(typeattributeset vts_status_prop_31_0 (vts_status_prop))
+(typeattributeset wallpaper_file_31_0 (wallpaper_file))
+(typeattributeset wallpaper_service_31_0 (wallpaper_service))
+(typeattributeset watchdog_device_31_0 (watchdog_device))
+(typeattributeset watchdog_metadata_file_31_0 (watchdog_metadata_file))
+(typeattributeset watchdogd_31_0 (watchdogd))
+(typeattributeset watchdogd_exec_31_0 (watchdogd_exec))
+(typeattributeset webview_zygote_31_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_31_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_tmpfs_31_0 (webview_zygote_tmpfs))
+(typeattributeset webviewupdate_service_31_0 (webviewupdate_service))
+(typeattributeset wifi_config_prop_31_0 (wifi_config_prop))
+(typeattributeset wifi_data_file_31_0 (wifi_data_file))
+(typeattributeset wifi_hal_prop_31_0 (wifi_hal_prop))
+(typeattributeset wifi_key_31_0 (wifi_key))
+(typeattributeset wifi_log_prop_31_0 (wifi_log_prop))
+(typeattributeset wifi_prop_31_0 (wifi_prop))
+(typeattributeset wifi_service_31_0 (wifi_service))
+(typeattributeset wifiaware_service_31_0 (wifiaware_service))
+(typeattributeset wificond_31_0 (wificond))
+(typeattributeset wificond_exec_31_0 (wificond_exec))
+(typeattributeset wifinl80211_service_31_0 (wifinl80211_service))
+(typeattributeset wifip2p_service_31_0 (wifip2p_service))
+(typeattributeset wifiscanner_service_31_0 (wifiscanner_service))
+(typeattributeset window_service_31_0 (window_service))
+(typeattributeset wpa_socket_31_0 (wpa_socket))
+(typeattributeset wpantund_31_0 (wpantund))
+(typeattributeset wpantund_exec_31_0 (wpantund_exec))
+(typeattributeset wpantund_service_31_0 (wpantund_service))
+(typeattributeset zero_device_31_0 (zero_device))
+(typeattributeset zoneinfo_data_file_31_0 (zoneinfo_data_file))
+(typeattributeset zram_config_prop_31_0 (zram_config_prop))
+(typeattributeset zram_control_prop_31_0 (zram_control_prop))
+(typeattributeset zygote_31_0 (zygote))
+(typeattributeset zygote_config_prop_31_0 (zygote_config_prop))
+(typeattributeset zygote_exec_31_0 (zygote_exec))
+(typeattributeset zygote_socket_31_0 (zygote_socket))
+(typeattributeset zygote_tmpfs_31_0 (zygote_tmpfs))
diff --git a/prebuilts/api/33.0/private/compat/31.0/31.0.compat.cil b/prebuilts/api/33.0/private/compat/31.0/31.0.compat.cil
new file mode 100644
index 0000000..628abfc
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/31.0/31.0.compat.cil
@@ -0,0 +1 @@
+;; This file can't be empty.
diff --git a/prebuilts/api/33.0/private/compat/31.0/31.0.ignore.cil b/prebuilts/api/33.0/private/compat/31.0/31.0.ignore.cil
new file mode 100644
index 0000000..496832e
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/31.0/31.0.ignore.cil
@@ -0,0 +1,53 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ apexd_select_prop
+ artd_service
+ attestation_verification_service
+ camera2_extensions_prop
+ communal_service
+ device_config_nnapi_native_prop
+ dice_maintenance_service
+ dice_node_service
+ diced
+ diced_exec
+ extra_free_kbytes
+ extra_free_kbytes_exec
+ hal_contexthub_service
+ hal_dice_service
+ hal_dumpstate_service
+ hal_graphics_composer_service
+ hal_health_service
+ hal_radio_service
+ hal_sensors_service
+ hal_system_suspend_service
+ hal_tv_tuner_service
+ hal_uwb_service
+ hal_uwb_vendor_service
+ hal_wifi_hostapd_service
+ hal_wifi_supplicant_service
+ hal_nlinterceptor_service
+ hypervisor_prop
+ locale_service
+ power_stats_service
+ snapuserd_prop
+ snapuserd_proxy_socket
+ tare_service
+ transformer_service
+ proc_watermark_boost_factor
+ proc_watermark_scale_factor
+ untrusted_app_30
+ proc_vendor_sched
+ sdk_sandbox_service
+ sysfs_fs_fuse_bpf
+ sysfs_vendor_sched
+ tv_iapp_service
+ vendor_uuid_mapping_config_file
+ vendor_vm_file
+ vendor_vm_data_file
+ virtual_device_service
+ ))
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.cil
new file mode 100644
index 0000000..a99b628
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.cil
@@ -0,0 +1,2483 @@
+;; types removed from current policy
+(type apex_appsearch_data_file)
+(type apex_permission_data_file)
+(type apex_scheduling_data_file)
+(type apex_wifi_data_file)
+(type healthd_exec)
+(type nonplat_service_contexts_file)
+(type sysfs_block)
+(type vr_hwc)
+(type vr_hwc_exec)
+
+(expandtypeattribute (DockObserver_service_32_0) true)
+(expandtypeattribute (IProxyService_service_32_0) true)
+(expandtypeattribute (aac_drc_prop_32_0) true)
+(expandtypeattribute (aaudio_config_prop_32_0) true)
+(expandtypeattribute (ab_update_gki_prop_32_0) true)
+(expandtypeattribute (accessibility_service_32_0) true)
+(expandtypeattribute (account_service_32_0) true)
+(expandtypeattribute (activity_service_32_0) true)
+(expandtypeattribute (activity_task_service_32_0) true)
+(expandtypeattribute (adb_data_file_32_0) true)
+(expandtypeattribute (adb_keys_file_32_0) true)
+(expandtypeattribute (adb_service_32_0) true)
+(expandtypeattribute (adbd_32_0) true)
+(expandtypeattribute (adbd_config_prop_32_0) true)
+(expandtypeattribute (adbd_exec_32_0) true)
+(expandtypeattribute (adbd_socket_32_0) true)
+(expandtypeattribute (aidl_lazy_test_server_32_0) true)
+(expandtypeattribute (aidl_lazy_test_server_exec_32_0) true)
+(expandtypeattribute (aidl_lazy_test_service_32_0) true)
+(expandtypeattribute (alarm_service_32_0) true)
+(expandtypeattribute (anr_data_file_32_0) true)
+(expandtypeattribute (apc_service_32_0) true)
+(expandtypeattribute (apex_appsearch_data_file_32_0) true)
+(expandtypeattribute (apex_data_file_32_0) true)
+(expandtypeattribute (apex_info_file_32_0) true)
+(expandtypeattribute (apex_metadata_file_32_0) true)
+(expandtypeattribute (apex_mnt_dir_32_0) true)
+(expandtypeattribute (apex_module_data_file_32_0) true)
+(expandtypeattribute (apex_ota_reserved_file_32_0) true)
+(expandtypeattribute (apex_permission_data_file_32_0) true)
+(expandtypeattribute (apex_rollback_data_file_32_0) true)
+(expandtypeattribute (apex_scheduling_data_file_32_0) true)
+(expandtypeattribute (apex_service_32_0) true)
+(expandtypeattribute (apex_wifi_data_file_32_0) true)
+(expandtypeattribute (apexd_32_0) true)
+(expandtypeattribute (apexd_config_prop_32_0) true)
+(expandtypeattribute (apexd_exec_32_0) true)
+(expandtypeattribute (apexd_prop_32_0) true)
+(expandtypeattribute (apk_data_file_32_0) true)
+(expandtypeattribute (apk_private_data_file_32_0) true)
+(expandtypeattribute (apk_private_tmp_file_32_0) true)
+(expandtypeattribute (apk_tmp_file_32_0) true)
+(expandtypeattribute (apk_verity_prop_32_0) true)
+(expandtypeattribute (app_binding_service_32_0) true)
+(expandtypeattribute (app_data_file_32_0) true)
+(expandtypeattribute (app_fuse_file_32_0) true)
+(expandtypeattribute (app_fusefs_32_0) true)
+(expandtypeattribute (app_hibernation_service_32_0) true)
+(expandtypeattribute (app_integrity_service_32_0) true)
+(expandtypeattribute (app_prediction_service_32_0) true)
+(expandtypeattribute (app_search_service_32_0) true)
+(expandtypeattribute (app_zygote_32_0) true)
+(expandtypeattribute (app_zygote_tmpfs_32_0) true)
+(expandtypeattribute (appcompat_data_file_32_0) true)
+(expandtypeattribute (appdomain_tmpfs_32_0) true)
+(expandtypeattribute (appops_service_32_0) true)
+(expandtypeattribute (appwidget_service_32_0) true)
+(expandtypeattribute (arm64_memtag_prop_32_0) true)
+(expandtypeattribute (art_apex_dir_32_0) true)
+(expandtypeattribute (asec_apk_file_32_0) true)
+(expandtypeattribute (asec_image_file_32_0) true)
+(expandtypeattribute (asec_public_file_32_0) true)
+(expandtypeattribute (ashmem_device_32_0) true)
+(expandtypeattribute (ashmem_libcutils_device_32_0) true)
+(expandtypeattribute (assetatlas_service_32_0) true)
+(expandtypeattribute (atrace_32_0) true)
+(expandtypeattribute (audio_config_prop_32_0) true)
+(expandtypeattribute (audio_data_file_32_0) true)
+(expandtypeattribute (audio_device_32_0) true)
+(expandtypeattribute (audio_prop_32_0) true)
+(expandtypeattribute (audio_service_32_0) true)
+(expandtypeattribute (audiohal_data_file_32_0) true)
+(expandtypeattribute (audioserver_32_0) true)
+(expandtypeattribute (audioserver_data_file_32_0) true)
+(expandtypeattribute (audioserver_service_32_0) true)
+(expandtypeattribute (audioserver_tmpfs_32_0) true)
+(expandtypeattribute (auth_service_32_0) true)
+(expandtypeattribute (authorization_service_32_0) true)
+(expandtypeattribute (autofill_service_32_0) true)
+(expandtypeattribute (backup_data_file_32_0) true)
+(expandtypeattribute (backup_service_32_0) true)
+(expandtypeattribute (battery_service_32_0) true)
+(expandtypeattribute (batteryproperties_service_32_0) true)
+(expandtypeattribute (batterystats_service_32_0) true)
+(expandtypeattribute (binder_cache_bluetooth_server_prop_32_0) true)
+(expandtypeattribute (binder_cache_system_server_prop_32_0) true)
+(expandtypeattribute (binder_cache_telephony_server_prop_32_0) true)
+(expandtypeattribute (binder_calls_stats_service_32_0) true)
+(expandtypeattribute (binder_device_32_0) true)
+(expandtypeattribute (binderfs_32_0) true)
+(expandtypeattribute (binderfs_logs_32_0) true)
+(expandtypeattribute (binderfs_logs_proc_32_0) true)
+(expandtypeattribute (binfmt_miscfs_32_0) true)
+(expandtypeattribute (biometric_service_32_0) true)
+(expandtypeattribute (blkid_32_0) true)
+(expandtypeattribute (blkid_untrusted_32_0) true)
+(expandtypeattribute (blob_store_service_32_0) true)
+(expandtypeattribute (block_device_32_0) true)
+(expandtypeattribute (bluetooth_32_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_32_0) true)
+(expandtypeattribute (bluetooth_audio_hal_prop_32_0) true)
+(expandtypeattribute (bluetooth_data_file_32_0) true)
+(expandtypeattribute (bluetooth_efs_file_32_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_32_0) true)
+(expandtypeattribute (bluetooth_manager_service_32_0) true)
+(expandtypeattribute (bluetooth_prop_32_0) true)
+(expandtypeattribute (bluetooth_service_32_0) true)
+(expandtypeattribute (bluetooth_socket_32_0) true)
+(expandtypeattribute (boot_block_device_32_0) true)
+(expandtypeattribute (boot_status_prop_32_0) true)
+(expandtypeattribute (bootanim_32_0) true)
+(expandtypeattribute (bootanim_config_prop_32_0) true)
+(expandtypeattribute (bootanim_exec_32_0) true)
+(expandtypeattribute (bootanim_system_prop_32_0) true)
+(expandtypeattribute (bootchart_data_file_32_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_32_0) true)
+(expandtypeattribute (bootloader_prop_32_0) true)
+(expandtypeattribute (bootstat_32_0) true)
+(expandtypeattribute (bootstat_data_file_32_0) true)
+(expandtypeattribute (bootstat_exec_32_0) true)
+(expandtypeattribute (boottime_prop_32_0) true)
+(expandtypeattribute (boottime_public_prop_32_0) true)
+(expandtypeattribute (boottrace_data_file_32_0) true)
+(expandtypeattribute (bpf_progs_loaded_prop_32_0) true)
+(expandtypeattribute (bq_config_prop_32_0) true)
+(expandtypeattribute (broadcastradio_service_32_0) true)
+(expandtypeattribute (bufferhubd_32_0) true)
+(expandtypeattribute (bufferhubd_exec_32_0) true)
+(expandtypeattribute (bugreport_service_32_0) true)
+(expandtypeattribute (build_bootimage_prop_32_0) true)
+(expandtypeattribute (build_config_prop_32_0) true)
+(expandtypeattribute (build_odm_prop_32_0) true)
+(expandtypeattribute (build_prop_32_0) true)
+(expandtypeattribute (build_vendor_prop_32_0) true)
+(expandtypeattribute (cache_backup_file_32_0) true)
+(expandtypeattribute (cache_block_device_32_0) true)
+(expandtypeattribute (cache_file_32_0) true)
+(expandtypeattribute (cache_private_backup_file_32_0) true)
+(expandtypeattribute (cache_recovery_file_32_0) true)
+(expandtypeattribute (cacheinfo_service_32_0) true)
+(expandtypeattribute (camera2_extensions_prop_32_0) true)
+(expandtypeattribute (camera_calibration_prop_32_0) true)
+(expandtypeattribute (camera_config_prop_32_0) true)
+(expandtypeattribute (camera_data_file_32_0) true)
+(expandtypeattribute (camera_device_32_0) true)
+(expandtypeattribute (cameraproxy_service_32_0) true)
+(expandtypeattribute (cameraserver_32_0) true)
+(expandtypeattribute (cameraserver_exec_32_0) true)
+(expandtypeattribute (cameraserver_service_32_0) true)
+(expandtypeattribute (cameraserver_tmpfs_32_0) true)
+(expandtypeattribute (camerax_extensions_prop_32_0) true)
+(expandtypeattribute (cgroup_32_0) true)
+(expandtypeattribute (cgroup_desc_api_file_32_0) true)
+(expandtypeattribute (cgroup_desc_file_32_0) true)
+(expandtypeattribute (cgroup_rc_file_32_0) true)
+(expandtypeattribute (cgroup_v2_32_0) true)
+(expandtypeattribute (charger_32_0) true)
+(expandtypeattribute (charger_config_prop_32_0) true)
+(expandtypeattribute (charger_exec_32_0) true)
+(expandtypeattribute (charger_prop_32_0) true)
+(expandtypeattribute (charger_status_prop_32_0) true)
+(expandtypeattribute (clipboard_service_32_0) true)
+(expandtypeattribute (codec2_config_prop_32_0) true)
+(expandtypeattribute (cold_boot_done_prop_32_0) true)
+(expandtypeattribute (color_display_service_32_0) true)
+(expandtypeattribute (companion_device_service_32_0) true)
+(expandtypeattribute (config_prop_32_0) true)
+(expandtypeattribute (configfs_32_0) true)
+(expandtypeattribute (connectivity_service_32_0) true)
+(expandtypeattribute (connmetrics_service_32_0) true)
+(expandtypeattribute (console_device_32_0) true)
+(expandtypeattribute (consumer_ir_service_32_0) true)
+(expandtypeattribute (content_capture_service_32_0) true)
+(expandtypeattribute (content_service_32_0) true)
+(expandtypeattribute (content_suggestions_service_32_0) true)
+(expandtypeattribute (contexthub_service_32_0) true)
+(expandtypeattribute (coredump_file_32_0) true)
+(expandtypeattribute (country_detector_service_32_0) true)
+(expandtypeattribute (coverage_service_32_0) true)
+(expandtypeattribute (cppreopt_prop_32_0) true)
+(expandtypeattribute (cpu_variant_prop_32_0) true)
+(expandtypeattribute (cpuinfo_service_32_0) true)
+(expandtypeattribute (crash_dump_32_0) true)
+(expandtypeattribute (crash_dump_exec_32_0) true)
+(expandtypeattribute (credstore_32_0) true)
+(expandtypeattribute (credstore_data_file_32_0) true)
+(expandtypeattribute (credstore_exec_32_0) true)
+(expandtypeattribute (credstore_service_32_0) true)
+(expandtypeattribute (crossprofileapps_service_32_0) true)
+(expandtypeattribute (ctl_adbd_prop_32_0) true)
+(expandtypeattribute (ctl_apexd_prop_32_0) true)
+(expandtypeattribute (ctl_bootanim_prop_32_0) true)
+(expandtypeattribute (ctl_bugreport_prop_32_0) true)
+(expandtypeattribute (ctl_console_prop_32_0) true)
+(expandtypeattribute (ctl_default_prop_32_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_32_0) true)
+(expandtypeattribute (ctl_fuse_prop_32_0) true)
+(expandtypeattribute (ctl_gsid_prop_32_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_32_0) true)
+(expandtypeattribute (ctl_interface_start_prop_32_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_32_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_32_0) true)
+(expandtypeattribute (ctl_restart_prop_32_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_32_0) true)
+(expandtypeattribute (ctl_sigstop_prop_32_0) true)
+(expandtypeattribute (ctl_start_prop_32_0) true)
+(expandtypeattribute (ctl_stop_prop_32_0) true)
+(expandtypeattribute (dalvik_config_prop_32_0) true)
+(expandtypeattribute (dalvik_prop_32_0) true)
+(expandtypeattribute (dalvik_runtime_prop_32_0) true)
+(expandtypeattribute (dalvikcache_data_file_32_0) true)
+(expandtypeattribute (dataloader_manager_service_32_0) true)
+(expandtypeattribute (dbinfo_service_32_0) true)
+(expandtypeattribute (dck_prop_32_0) true)
+(expandtypeattribute (debug_prop_32_0) true)
+(expandtypeattribute (debugfs_32_0) true)
+(expandtypeattribute (debugfs_bootreceiver_tracing_32_0) true)
+(expandtypeattribute (debugfs_kprobes_32_0) true)
+(expandtypeattribute (debugfs_mm_events_tracing_32_0) true)
+(expandtypeattribute (debugfs_mmc_32_0) true)
+(expandtypeattribute (debugfs_restriction_prop_32_0) true)
+(expandtypeattribute (debugfs_trace_marker_32_0) true)
+(expandtypeattribute (debugfs_tracing_32_0) true)
+(expandtypeattribute (debugfs_tracing_debug_32_0) true)
+(expandtypeattribute (debugfs_tracing_instances_32_0) true)
+(expandtypeattribute (debugfs_tracing_printk_formats_32_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_32_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_32_0) true)
+(expandtypeattribute (debuggerd_prop_32_0) true)
+(expandtypeattribute (default_android_hwservice_32_0) true)
+(expandtypeattribute (default_android_service_32_0) true)
+(expandtypeattribute (default_android_vndservice_32_0) true)
+(expandtypeattribute (default_prop_32_0) true)
+(expandtypeattribute (dev_cpu_variant_32_0) true)
+(expandtypeattribute (device_32_0) true)
+(expandtypeattribute (device_config_activity_manager_native_boot_prop_32_0) true)
+(expandtypeattribute (device_config_boot_count_prop_32_0) true)
+(expandtypeattribute (device_config_input_native_boot_prop_32_0) true)
+(expandtypeattribute (device_config_media_native_prop_32_0) true)
+(expandtypeattribute (device_config_netd_native_prop_32_0) true)
+(expandtypeattribute (device_config_reset_performed_prop_32_0) true)
+(expandtypeattribute (device_config_runtime_native_boot_prop_32_0) true)
+(expandtypeattribute (device_config_runtime_native_prop_32_0) true)
+(expandtypeattribute (device_config_service_32_0) true)
+(expandtypeattribute (device_identifiers_service_32_0) true)
+(expandtypeattribute (device_logging_prop_32_0) true)
+(expandtypeattribute (device_policy_service_32_0) true)
+(expandtypeattribute (device_state_service_32_0) true)
+(expandtypeattribute (deviceidle_service_32_0) true)
+(expandtypeattribute (devicestoragemonitor_service_32_0) true)
+(expandtypeattribute (devpts_32_0) true)
+(expandtypeattribute (dhcp_32_0) true)
+(expandtypeattribute (dhcp_data_file_32_0) true)
+(expandtypeattribute (dhcp_exec_32_0) true)
+(expandtypeattribute (dhcp_prop_32_0) true)
+(expandtypeattribute (diskstats_service_32_0) true)
+(expandtypeattribute (display_service_32_0) true)
+(expandtypeattribute (dm_device_32_0) true)
+(expandtypeattribute (dm_user_device_32_0) true)
+(expandtypeattribute (dmabuf_heap_device_32_0) true)
+(expandtypeattribute (dmabuf_system_heap_device_32_0) true)
+(expandtypeattribute (dmabuf_system_secure_heap_device_32_0) true)
+(expandtypeattribute (dnsmasq_32_0) true)
+(expandtypeattribute (dnsmasq_exec_32_0) true)
+(expandtypeattribute (dnsproxyd_socket_32_0) true)
+(expandtypeattribute (dnsresolver_service_32_0) true)
+(expandtypeattribute (domain_verification_service_32_0) true)
+(expandtypeattribute (dreams_service_32_0) true)
+(expandtypeattribute (drm_data_file_32_0) true)
+(expandtypeattribute (drm_service_config_prop_32_0) true)
+(expandtypeattribute (drmserver_32_0) true)
+(expandtypeattribute (drmserver_exec_32_0) true)
+(expandtypeattribute (drmserver_service_32_0) true)
+(expandtypeattribute (drmserver_socket_32_0) true)
+(expandtypeattribute (dropbox_data_file_32_0) true)
+(expandtypeattribute (dropbox_service_32_0) true)
+(expandtypeattribute (dumpstate_32_0) true)
+(expandtypeattribute (dumpstate_exec_32_0) true)
+(expandtypeattribute (dumpstate_options_prop_32_0) true)
+(expandtypeattribute (dumpstate_prop_32_0) true)
+(expandtypeattribute (dumpstate_service_32_0) true)
+(expandtypeattribute (dumpstate_socket_32_0) true)
+(expandtypeattribute (dynamic_system_prop_32_0) true)
+(expandtypeattribute (e2fs_32_0) true)
+(expandtypeattribute (e2fs_exec_32_0) true)
+(expandtypeattribute (efs_file_32_0) true)
+(expandtypeattribute (emergency_affordance_service_32_0) true)
+(expandtypeattribute (ephemeral_app_32_0) true)
+(expandtypeattribute (ethernet_service_32_0) true)
+(expandtypeattribute (exfat_32_0) true)
+(expandtypeattribute (exported3_system_prop_32_0) true)
+(expandtypeattribute (exported_bluetooth_prop_32_0) true)
+(expandtypeattribute (exported_camera_prop_32_0) true)
+(expandtypeattribute (exported_config_prop_32_0) true)
+(expandtypeattribute (exported_default_prop_32_0) true)
+(expandtypeattribute (exported_dumpstate_prop_32_0) true)
+(expandtypeattribute (exported_overlay_prop_32_0) true)
+(expandtypeattribute (exported_pm_prop_32_0) true)
+(expandtypeattribute (exported_secure_prop_32_0) true)
+(expandtypeattribute (exported_system_prop_32_0) true)
+(expandtypeattribute (external_vibrator_service_32_0) true)
+(expandtypeattribute (face_service_32_0) true)
+(expandtypeattribute (face_vendor_data_file_32_0) true)
+(expandtypeattribute (fastbootd_32_0) true)
+(expandtypeattribute (ffs_config_prop_32_0) true)
+(expandtypeattribute (ffs_control_prop_32_0) true)
+(expandtypeattribute (file_contexts_file_32_0) true)
+(expandtypeattribute (file_integrity_service_32_0) true)
+(expandtypeattribute (fingerprint_prop_32_0) true)
+(expandtypeattribute (fingerprint_service_32_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_32_0) true)
+(expandtypeattribute (fingerprintd_32_0) true)
+(expandtypeattribute (fingerprintd_data_file_32_0) true)
+(expandtypeattribute (fingerprintd_exec_32_0) true)
+(expandtypeattribute (fingerprintd_service_32_0) true)
+(expandtypeattribute (firstboot_prop_32_0) true)
+(expandtypeattribute (flags_health_check_32_0) true)
+(expandtypeattribute (flags_health_check_exec_32_0) true)
+(expandtypeattribute (font_service_32_0) true)
+(expandtypeattribute (framework_watchdog_config_prop_32_0) true)
+(expandtypeattribute (frp_block_device_32_0) true)
+(expandtypeattribute (fs_bpf_32_0) true)
+(expandtypeattribute (fs_bpf_tethering_32_0) true)
+(expandtypeattribute (fsck_32_0) true)
+(expandtypeattribute (fsck_exec_32_0) true)
+(expandtypeattribute (fsck_untrusted_32_0) true)
+(expandtypeattribute (fscklogs_32_0) true)
+(expandtypeattribute (functionfs_32_0) true)
+(expandtypeattribute (fuse_32_0) true)
+(expandtypeattribute (fuse_device_32_0) true)
+(expandtypeattribute (fusectlfs_32_0) true)
+(expandtypeattribute (fwk_automotive_display_hwservice_32_0) true)
+(expandtypeattribute (fwk_bufferhub_hwservice_32_0) true)
+(expandtypeattribute (fwk_camera_hwservice_32_0) true)
+(expandtypeattribute (fwk_display_hwservice_32_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_32_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_32_0) true)
+(expandtypeattribute (fwk_stats_hwservice_32_0) true)
+(expandtypeattribute (fwk_stats_service_32_0) true)
+(expandtypeattribute (fwmarkd_socket_32_0) true)
+(expandtypeattribute (game_service_32_0) true)
+(expandtypeattribute (gatekeeper_data_file_32_0) true)
+(expandtypeattribute (gatekeeper_service_32_0) true)
+(expandtypeattribute (gatekeeperd_32_0) true)
+(expandtypeattribute (gatekeeperd_exec_32_0) true)
+(expandtypeattribute (gfxinfo_service_32_0) true)
+(expandtypeattribute (gmscore_app_32_0) true)
+(expandtypeattribute (gnss_device_32_0) true)
+(expandtypeattribute (gnss_time_update_service_32_0) true)
+(expandtypeattribute (gps_control_32_0) true)
+(expandtypeattribute (gpu_device_32_0) true)
+(expandtypeattribute (gpu_service_32_0) true)
+(expandtypeattribute (gpuservice_32_0) true)
+(expandtypeattribute (graphics_config_prop_32_0) true)
+(expandtypeattribute (graphics_device_32_0) true)
+(expandtypeattribute (graphicsstats_service_32_0) true)
+(expandtypeattribute (gsi_data_file_32_0) true)
+(expandtypeattribute (gsi_metadata_file_32_0) true)
+(expandtypeattribute (gsi_public_metadata_file_32_0) true)
+(expandtypeattribute (hal_atrace_hwservice_32_0) true)
+(expandtypeattribute (hal_audio_hwservice_32_0) true)
+(expandtypeattribute (hal_audio_service_32_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_32_0) true)
+(expandtypeattribute (hal_audiocontrol_service_32_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_32_0) true)
+(expandtypeattribute (hal_authsecret_service_32_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_32_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_32_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_32_0) true)
+(expandtypeattribute (hal_camera_hwservice_32_0) true)
+(expandtypeattribute (hal_can_bus_hwservice_32_0) true)
+(expandtypeattribute (hal_can_controller_hwservice_32_0) true)
+(expandtypeattribute (hal_cas_hwservice_32_0) true)
+(expandtypeattribute (hal_codec2_hwservice_32_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_32_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_32_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_32_0) true)
+(expandtypeattribute (hal_drm_hwservice_32_0) true)
+(expandtypeattribute (hal_dumpstate_config_prop_32_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_32_0) true)
+(expandtypeattribute (hal_evs_hwservice_32_0) true)
+(expandtypeattribute (hal_face_hwservice_32_0) true)
+(expandtypeattribute (hal_face_service_32_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_32_0) true)
+(expandtypeattribute (hal_fingerprint_service_32_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_32_0) true)
+(expandtypeattribute (hal_gnss_hwservice_32_0) true)
+(expandtypeattribute (hal_gnss_service_32_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_32_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_32_0) true)
+(expandtypeattribute (hal_graphics_composer_server_tmpfs_32_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_32_0) true)
+(expandtypeattribute (hal_health_hwservice_32_0) true)
+(expandtypeattribute (hal_health_storage_hwservice_32_0) true)
+(expandtypeattribute (hal_health_storage_service_32_0) true)
+(expandtypeattribute (hal_identity_service_32_0) true)
+(expandtypeattribute (hal_input_classifier_hwservice_32_0) true)
+(expandtypeattribute (hal_instrumentation_prop_32_0) true)
+(expandtypeattribute (hal_ir_hwservice_32_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_32_0) true)
+(expandtypeattribute (hal_keymint_service_32_0) true)
+(expandtypeattribute (hal_light_hwservice_32_0) true)
+(expandtypeattribute (hal_light_service_32_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_32_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_32_0) true)
+(expandtypeattribute (hal_memtrack_service_32_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_32_0) true)
+(expandtypeattribute (hal_neuralnetworks_service_32_0) true)
+(expandtypeattribute (hal_nfc_hwservice_32_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_32_0) true)
+(expandtypeattribute (hal_oemlock_service_32_0) true)
+(expandtypeattribute (hal_omx_hwservice_32_0) true)
+(expandtypeattribute (hal_power_hwservice_32_0) true)
+(expandtypeattribute (hal_power_service_32_0) true)
+(expandtypeattribute (hal_power_stats_hwservice_32_0) true)
+(expandtypeattribute (hal_power_stats_service_32_0) true)
+(expandtypeattribute (hal_rebootescrow_service_32_0) true)
+(expandtypeattribute (hal_remotelyprovisionedcomponent_service_32_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_32_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_32_0) true)
+(expandtypeattribute (hal_secureclock_service_32_0) true)
+(expandtypeattribute (hal_sensors_hwservice_32_0) true)
+(expandtypeattribute (hal_sharedsecret_service_32_0) true)
+(expandtypeattribute (hal_telephony_hwservice_32_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_32_0) true)
+(expandtypeattribute (hal_thermal_hwservice_32_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_32_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_32_0) true)
+(expandtypeattribute (hal_tv_tuner_hwservice_32_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_32_0) true)
+(expandtypeattribute (hal_usb_hwservice_32_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_32_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_32_0) true)
+(expandtypeattribute (hal_vibrator_service_32_0) true)
+(expandtypeattribute (hal_vr_hwservice_32_0) true)
+(expandtypeattribute (hal_weaver_hwservice_32_0) true)
+(expandtypeattribute (hal_weaver_service_32_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_32_0) true)
+(expandtypeattribute (hal_wifi_hwservice_32_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_32_0) true)
+(expandtypeattribute (hardware_properties_service_32_0) true)
+(expandtypeattribute (hardware_service_32_0) true)
+(expandtypeattribute (hci_attach_dev_32_0) true)
+(expandtypeattribute (hdmi_config_prop_32_0) true)
+(expandtypeattribute (hdmi_control_service_32_0) true)
+(expandtypeattribute (healthd_32_0) true)
+(expandtypeattribute (healthd_exec_32_0) true)
+(expandtypeattribute (heapdump_data_file_32_0) true)
+(expandtypeattribute (heapprofd_32_0) true)
+(expandtypeattribute (heapprofd_enabled_prop_32_0) true)
+(expandtypeattribute (heapprofd_prop_32_0) true)
+(expandtypeattribute (heapprofd_socket_32_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_32_0) true)
+(expandtypeattribute (hidl_base_hwservice_32_0) true)
+(expandtypeattribute (hidl_manager_hwservice_32_0) true)
+(expandtypeattribute (hidl_memory_hwservice_32_0) true)
+(expandtypeattribute (hidl_token_hwservice_32_0) true)
+(expandtypeattribute (hint_service_32_0) true)
+(expandtypeattribute (hw_random_device_32_0) true)
+(expandtypeattribute (hw_timeout_multiplier_prop_32_0) true)
+(expandtypeattribute (hwbinder_device_32_0) true)
+(expandtypeattribute (hwservice_contexts_file_32_0) true)
+(expandtypeattribute (hwservicemanager_32_0) true)
+(expandtypeattribute (hwservicemanager_exec_32_0) true)
+(expandtypeattribute (hwservicemanager_prop_32_0) true)
+(expandtypeattribute (hypervisor_prop_32_0) true)
+(expandtypeattribute (icon_file_32_0) true)
+(expandtypeattribute (idmap_32_0) true)
+(expandtypeattribute (idmap_exec_32_0) true)
+(expandtypeattribute (idmap_service_32_0) true)
+(expandtypeattribute (iio_device_32_0) true)
+(expandtypeattribute (imms_service_32_0) true)
+(expandtypeattribute (incident_32_0) true)
+(expandtypeattribute (incident_data_file_32_0) true)
+(expandtypeattribute (incident_helper_32_0) true)
+(expandtypeattribute (incident_service_32_0) true)
+(expandtypeattribute (incidentd_32_0) true)
+(expandtypeattribute (incremental_control_file_32_0) true)
+(expandtypeattribute (incremental_prop_32_0) true)
+(expandtypeattribute (incremental_service_32_0) true)
+(expandtypeattribute (init_32_0) true)
+(expandtypeattribute (init_exec_32_0) true)
+(expandtypeattribute (init_service_status_prop_32_0) true)
+(expandtypeattribute (init_tmpfs_32_0) true)
+(expandtypeattribute (inotify_32_0) true)
+(expandtypeattribute (input_device_32_0) true)
+(expandtypeattribute (input_method_service_32_0) true)
+(expandtypeattribute (input_service_32_0) true)
+(expandtypeattribute (inputflinger_32_0) true)
+(expandtypeattribute (inputflinger_exec_32_0) true)
+(expandtypeattribute (inputflinger_service_32_0) true)
+(expandtypeattribute (install_data_file_32_0) true)
+(expandtypeattribute (installd_32_0) true)
+(expandtypeattribute (installd_exec_32_0) true)
+(expandtypeattribute (installd_service_32_0) true)
+(expandtypeattribute (ion_device_32_0) true)
+(expandtypeattribute (iorap_inode2filename_32_0) true)
+(expandtypeattribute (iorap_inode2filename_exec_32_0) true)
+(expandtypeattribute (iorap_inode2filename_tmpfs_32_0) true)
+(expandtypeattribute (iorap_prefetcherd_32_0) true)
+(expandtypeattribute (iorap_prefetcherd_exec_32_0) true)
+(expandtypeattribute (iorap_prefetcherd_tmpfs_32_0) true)
+(expandtypeattribute (iorapd_32_0) true)
+(expandtypeattribute (iorapd_data_file_32_0) true)
+(expandtypeattribute (iorapd_exec_32_0) true)
+(expandtypeattribute (iorapd_service_32_0) true)
+(expandtypeattribute (iorapd_tmpfs_32_0) true)
+(expandtypeattribute (ipsec_service_32_0) true)
+(expandtypeattribute (iris_service_32_0) true)
+(expandtypeattribute (iris_vendor_data_file_32_0) true)
+(expandtypeattribute (isolated_app_32_0) true)
+(expandtypeattribute (jobscheduler_service_32_0) true)
+(expandtypeattribute (kernel_32_0) true)
+(expandtypeattribute (keychain_data_file_32_0) true)
+(expandtypeattribute (keychord_device_32_0) true)
+(expandtypeattribute (keyguard_config_prop_32_0) true)
+(expandtypeattribute (keystore2_key_contexts_file_32_0) true)
+(expandtypeattribute (keystore_32_0) true)
+(expandtypeattribute (keystore_compat_hal_service_32_0) true)
+(expandtypeattribute (keystore_data_file_32_0) true)
+(expandtypeattribute (keystore_exec_32_0) true)
+(expandtypeattribute (keystore_maintenance_service_32_0) true)
+(expandtypeattribute (keystore_metrics_service_32_0) true)
+(expandtypeattribute (keystore_service_32_0) true)
+(expandtypeattribute (kmsg_debug_device_32_0) true)
+(expandtypeattribute (kmsg_device_32_0) true)
+(expandtypeattribute (labeledfs_32_0) true)
+(expandtypeattribute (launcherapps_service_32_0) true)
+(expandtypeattribute (legacy_permission_service_32_0) true)
+(expandtypeattribute (legacykeystore_service_32_0) true)
+(expandtypeattribute (libc_debug_prop_32_0) true)
+(expandtypeattribute (light_service_32_0) true)
+(expandtypeattribute (linkerconfig_file_32_0) true)
+(expandtypeattribute (llkd_32_0) true)
+(expandtypeattribute (llkd_exec_32_0) true)
+(expandtypeattribute (llkd_prop_32_0) true)
+(expandtypeattribute (lmkd_32_0) true)
+(expandtypeattribute (lmkd_config_prop_32_0) true)
+(expandtypeattribute (lmkd_exec_32_0) true)
+(expandtypeattribute (lmkd_prop_32_0) true)
+(expandtypeattribute (lmkd_socket_32_0) true)
+(expandtypeattribute (location_service_32_0) true)
+(expandtypeattribute (location_time_zone_manager_service_32_0) true)
+(expandtypeattribute (lock_settings_service_32_0) true)
+(expandtypeattribute (log_prop_32_0) true)
+(expandtypeattribute (log_tag_prop_32_0) true)
+(expandtypeattribute (logcat_exec_32_0) true)
+(expandtypeattribute (logd_32_0) true)
+(expandtypeattribute (logd_exec_32_0) true)
+(expandtypeattribute (logd_prop_32_0) true)
+(expandtypeattribute (logd_socket_32_0) true)
+(expandtypeattribute (logdr_socket_32_0) true)
+(expandtypeattribute (logdw_socket_32_0) true)
+(expandtypeattribute (logpersist_32_0) true)
+(expandtypeattribute (logpersistd_logging_prop_32_0) true)
+(expandtypeattribute (loop_control_device_32_0) true)
+(expandtypeattribute (loop_device_32_0) true)
+(expandtypeattribute (looper_stats_service_32_0) true)
+(expandtypeattribute (lowpan_device_32_0) true)
+(expandtypeattribute (lowpan_prop_32_0) true)
+(expandtypeattribute (lowpan_service_32_0) true)
+(expandtypeattribute (lpdump_service_32_0) true)
+(expandtypeattribute (lpdumpd_prop_32_0) true)
+(expandtypeattribute (mac_perms_file_32_0) true)
+(expandtypeattribute (mdns_socket_32_0) true)
+(expandtypeattribute (mdnsd_32_0) true)
+(expandtypeattribute (mdnsd_socket_32_0) true)
+(expandtypeattribute (media_communication_service_32_0) true)
+(expandtypeattribute (media_config_prop_32_0) true)
+(expandtypeattribute (media_data_file_32_0) true)
+(expandtypeattribute (media_metrics_service_32_0) true)
+(expandtypeattribute (media_projection_service_32_0) true)
+(expandtypeattribute (media_router_service_32_0) true)
+(expandtypeattribute (media_rw_data_file_32_0) true)
+(expandtypeattribute (media_session_service_32_0) true)
+(expandtypeattribute (media_variant_prop_32_0) true)
+(expandtypeattribute (mediadrm_config_prop_32_0) true)
+(expandtypeattribute (mediadrmserver_32_0) true)
+(expandtypeattribute (mediadrmserver_exec_32_0) true)
+(expandtypeattribute (mediadrmserver_service_32_0) true)
+(expandtypeattribute (mediaextractor_32_0) true)
+(expandtypeattribute (mediaextractor_exec_32_0) true)
+(expandtypeattribute (mediaextractor_service_32_0) true)
+(expandtypeattribute (mediaextractor_tmpfs_32_0) true)
+(expandtypeattribute (mediametrics_32_0) true)
+(expandtypeattribute (mediametrics_exec_32_0) true)
+(expandtypeattribute (mediametrics_service_32_0) true)
+(expandtypeattribute (mediaprovider_32_0) true)
+(expandtypeattribute (mediaserver_32_0) true)
+(expandtypeattribute (mediaserver_exec_32_0) true)
+(expandtypeattribute (mediaserver_service_32_0) true)
+(expandtypeattribute (mediaserver_tmpfs_32_0) true)
+(expandtypeattribute (mediaswcodec_32_0) true)
+(expandtypeattribute (mediaswcodec_exec_32_0) true)
+(expandtypeattribute (mediatranscoding_service_32_0) true)
+(expandtypeattribute (meminfo_service_32_0) true)
+(expandtypeattribute (memtrackproxy_service_32_0) true)
+(expandtypeattribute (metadata_block_device_32_0) true)
+(expandtypeattribute (metadata_bootstat_file_32_0) true)
+(expandtypeattribute (metadata_file_32_0) true)
+(expandtypeattribute (method_trace_data_file_32_0) true)
+(expandtypeattribute (midi_service_32_0) true)
+(expandtypeattribute (mirror_data_file_32_0) true)
+(expandtypeattribute (misc_block_device_32_0) true)
+(expandtypeattribute (misc_logd_file_32_0) true)
+(expandtypeattribute (misc_user_data_file_32_0) true)
+(expandtypeattribute (mm_events_config_prop_32_0) true)
+(expandtypeattribute (mmc_prop_32_0) true)
+(expandtypeattribute (mnt_expand_file_32_0) true)
+(expandtypeattribute (mnt_media_rw_file_32_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_32_0) true)
+(expandtypeattribute (mnt_pass_through_file_32_0) true)
+(expandtypeattribute (mnt_product_file_32_0) true)
+(expandtypeattribute (mnt_sdcard_file_32_0) true)
+(expandtypeattribute (mnt_user_file_32_0) true)
+(expandtypeattribute (mnt_vendor_file_32_0) true)
+(expandtypeattribute (mock_ota_prop_32_0) true)
+(expandtypeattribute (modprobe_32_0) true)
+(expandtypeattribute (module_sdkextensions_prop_32_0) true)
+(expandtypeattribute (mount_service_32_0) true)
+(expandtypeattribute (mqueue_32_0) true)
+(expandtypeattribute (mtp_32_0) true)
+(expandtypeattribute (mtp_device_32_0) true)
+(expandtypeattribute (mtp_exec_32_0) true)
+(expandtypeattribute (mtpd_socket_32_0) true)
+(expandtypeattribute (music_recognition_service_32_0) true)
+(expandtypeattribute (nativetest_data_file_32_0) true)
+(expandtypeattribute (net_data_file_32_0) true)
+(expandtypeattribute (net_dns_prop_32_0) true)
+(expandtypeattribute (net_radio_prop_32_0) true)
+(expandtypeattribute (netd_32_0) true)
+(expandtypeattribute (netd_exec_32_0) true)
+(expandtypeattribute (netd_listener_service_32_0) true)
+(expandtypeattribute (netd_service_32_0) true)
+(expandtypeattribute (netif_32_0) true)
+(expandtypeattribute (netpolicy_service_32_0) true)
+(expandtypeattribute (netstats_service_32_0) true)
+(expandtypeattribute (netutils_wrapper_32_0) true)
+(expandtypeattribute (netutils_wrapper_exec_32_0) true)
+(expandtypeattribute (network_management_service_32_0) true)
+(expandtypeattribute (network_score_service_32_0) true)
+(expandtypeattribute (network_stack_32_0) true)
+(expandtypeattribute (network_stack_service_32_0) true)
+(expandtypeattribute (network_time_update_service_32_0) true)
+(expandtypeattribute (network_watchlist_data_file_32_0) true)
+(expandtypeattribute (network_watchlist_service_32_0) true)
+(expandtypeattribute (nfc_32_0) true)
+(expandtypeattribute (nfc_data_file_32_0) true)
+(expandtypeattribute (nfc_device_32_0) true)
+(expandtypeattribute (nfc_logs_data_file_32_0) true)
+(expandtypeattribute (nfc_prop_32_0) true)
+(expandtypeattribute (nfc_service_32_0) true)
+(expandtypeattribute (nnapi_ext_deny_product_prop_32_0) true)
+(expandtypeattribute (node_32_0) true)
+(expandtypeattribute (nonplat_service_contexts_file_32_0) true)
+(expandtypeattribute (notification_service_32_0) true)
+(expandtypeattribute (null_device_32_0) true)
+(expandtypeattribute (oem_lock_service_32_0) true)
+(expandtypeattribute (oem_unlock_prop_32_0) true)
+(expandtypeattribute (oemfs_32_0) true)
+(expandtypeattribute (ota_data_file_32_0) true)
+(expandtypeattribute (ota_metadata_file_32_0) true)
+(expandtypeattribute (ota_package_file_32_0) true)
+(expandtypeattribute (ota_prop_32_0) true)
+(expandtypeattribute (otadexopt_service_32_0) true)
+(expandtypeattribute (otapreopt_chroot_32_0) true)
+(expandtypeattribute (overlay_prop_32_0) true)
+(expandtypeattribute (overlay_service_32_0) true)
+(expandtypeattribute (overlayfs_file_32_0) true)
+(expandtypeattribute (owntty_device_32_0) true)
+(expandtypeattribute (pac_proxy_service_32_0) true)
+(expandtypeattribute (package_native_service_32_0) true)
+(expandtypeattribute (package_service_32_0) true)
+(expandtypeattribute (packagemanager_config_prop_32_0) true)
+(expandtypeattribute (packages_list_file_32_0) true)
+(expandtypeattribute (pan_result_prop_32_0) true)
+(expandtypeattribute (password_slot_metadata_file_32_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_32_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_32_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_32_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_display_dir_32_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_32_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_32_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_32_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_32_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_performance_dir_32_0) true)
+(expandtypeattribute (people_service_32_0) true)
+(expandtypeattribute (perfetto_32_0) true)
+(expandtypeattribute (performanced_32_0) true)
+(expandtypeattribute (performanced_exec_32_0) true)
+(expandtypeattribute (permission_checker_service_32_0) true)
+(expandtypeattribute (permission_service_32_0) true)
+(expandtypeattribute (permissionmgr_service_32_0) true)
+(expandtypeattribute (persist_debug_prop_32_0) true)
+(expandtypeattribute (persist_vendor_debug_wifi_prop_32_0) true)
+(expandtypeattribute (persistent_data_block_service_32_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_32_0) true)
+(expandtypeattribute (pinner_service_32_0) true)
+(expandtypeattribute (pipefs_32_0) true)
+(expandtypeattribute (platform_app_32_0) true)
+(expandtypeattribute (platform_compat_service_32_0) true)
+(expandtypeattribute (pmsg_device_32_0) true)
+(expandtypeattribute (port_32_0) true)
+(expandtypeattribute (port_device_32_0) true)
+(expandtypeattribute (postinstall_32_0) true)
+(expandtypeattribute (postinstall_apex_mnt_dir_32_0) true)
+(expandtypeattribute (postinstall_file_32_0) true)
+(expandtypeattribute (postinstall_mnt_dir_32_0) true)
+(expandtypeattribute (power_debug_prop_32_0) true)
+(expandtypeattribute (power_service_32_0) true)
+(expandtypeattribute (powerctl_prop_32_0) true)
+(expandtypeattribute (powerstats_service_32_0) true)
+(expandtypeattribute (ppp_32_0) true)
+(expandtypeattribute (ppp_device_32_0) true)
+(expandtypeattribute (ppp_exec_32_0) true)
+(expandtypeattribute (preloads_data_file_32_0) true)
+(expandtypeattribute (preloads_media_file_32_0) true)
+(expandtypeattribute (prereboot_data_file_32_0) true)
+(expandtypeattribute (print_service_32_0) true)
+(expandtypeattribute (priv_app_32_0) true)
+(expandtypeattribute (privapp_data_file_32_0) true)
+(expandtypeattribute (proc_32_0) true)
+(expandtypeattribute (proc_abi_32_0) true)
+(expandtypeattribute (proc_asound_32_0) true)
+(expandtypeattribute (proc_bluetooth_writable_32_0) true)
+(expandtypeattribute (proc_bootconfig_32_0) true)
+(expandtypeattribute (proc_buddyinfo_32_0) true)
+(expandtypeattribute (proc_cmdline_32_0) true)
+(expandtypeattribute (proc_cpuinfo_32_0) true)
+(expandtypeattribute (proc_dirty_32_0) true)
+(expandtypeattribute (proc_diskstats_32_0) true)
+(expandtypeattribute (proc_drop_caches_32_0) true)
+(expandtypeattribute (proc_extra_free_kbytes_32_0) true)
+(expandtypeattribute (proc_filesystems_32_0) true)
+(expandtypeattribute (proc_fs_verity_32_0) true)
+(expandtypeattribute (proc_hostname_32_0) true)
+(expandtypeattribute (proc_hung_task_32_0) true)
+(expandtypeattribute (proc_interrupts_32_0) true)
+(expandtypeattribute (proc_iomem_32_0) true)
+(expandtypeattribute (proc_kallsyms_32_0) true)
+(expandtypeattribute (proc_keys_32_0) true)
+(expandtypeattribute (proc_kmsg_32_0) true)
+(expandtypeattribute (proc_kpageflags_32_0) true)
+(expandtypeattribute (proc_loadavg_32_0) true)
+(expandtypeattribute (proc_locks_32_0) true)
+(expandtypeattribute (proc_lowmemorykiller_32_0) true)
+(expandtypeattribute (proc_max_map_count_32_0) true)
+(expandtypeattribute (proc_meminfo_32_0) true)
+(expandtypeattribute (proc_min_free_order_shift_32_0) true)
+(expandtypeattribute (proc_misc_32_0) true)
+(expandtypeattribute (proc_modules_32_0) true)
+(expandtypeattribute (proc_mounts_32_0) true)
+(expandtypeattribute (proc_net_32_0) true)
+(expandtypeattribute (proc_net_tcp_udp_32_0) true)
+(expandtypeattribute (proc_overcommit_memory_32_0) true)
+(expandtypeattribute (proc_page_cluster_32_0) true)
+(expandtypeattribute (proc_pagetypeinfo_32_0) true)
+(expandtypeattribute (proc_panic_32_0) true)
+(expandtypeattribute (proc_perf_32_0) true)
+(expandtypeattribute (proc_pid_max_32_0) true)
+(expandtypeattribute (proc_pipe_conf_32_0) true)
+(expandtypeattribute (proc_pressure_cpu_32_0) true)
+(expandtypeattribute (proc_pressure_io_32_0) true)
+(expandtypeattribute (proc_pressure_mem_32_0) true)
+(expandtypeattribute (proc_qtaguid_ctrl_32_0) true)
+(expandtypeattribute (proc_qtaguid_stat_32_0) true)
+(expandtypeattribute (proc_random_32_0) true)
+(expandtypeattribute (proc_sched_32_0) true)
+(expandtypeattribute (proc_security_32_0) true)
+(expandtypeattribute (proc_slabinfo_32_0) true)
+(expandtypeattribute (proc_stat_32_0) true)
+(expandtypeattribute (proc_swaps_32_0) true)
+(expandtypeattribute (proc_sysrq_32_0) true)
+(expandtypeattribute (proc_timer_32_0) true)
+(expandtypeattribute (proc_tty_drivers_32_0) true)
+(expandtypeattribute (proc_uid_concurrent_active_time_32_0) true)
+(expandtypeattribute (proc_uid_concurrent_policy_time_32_0) true)
+(expandtypeattribute (proc_uid_cpupower_32_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_32_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_32_0) true)
+(expandtypeattribute (proc_uid_io_stats_32_0) true)
+(expandtypeattribute (proc_uid_procstat_set_32_0) true)
+(expandtypeattribute (proc_uid_time_in_state_32_0) true)
+(expandtypeattribute (proc_uptime_32_0) true)
+(expandtypeattribute (proc_vendor_sched_32_0) true)
+(expandtypeattribute (proc_version_32_0) true)
+(expandtypeattribute (proc_vmallocinfo_32_0) true)
+(expandtypeattribute (proc_vmstat_32_0) true)
+(expandtypeattribute (proc_zoneinfo_32_0) true)
+(expandtypeattribute (processinfo_service_32_0) true)
+(expandtypeattribute (procstats_service_32_0) true)
+(expandtypeattribute (profman_32_0) true)
+(expandtypeattribute (profman_dump_data_file_32_0) true)
+(expandtypeattribute (profman_exec_32_0) true)
+(expandtypeattribute (properties_device_32_0) true)
+(expandtypeattribute (properties_serial_32_0) true)
+(expandtypeattribute (property_contexts_file_32_0) true)
+(expandtypeattribute (property_data_file_32_0) true)
+(expandtypeattribute (property_info_32_0) true)
+(expandtypeattribute (property_service_version_prop_32_0) true)
+(expandtypeattribute (property_socket_32_0) true)
+(expandtypeattribute (provisioned_prop_32_0) true)
+(expandtypeattribute (pstorefs_32_0) true)
+(expandtypeattribute (ptmx_device_32_0) true)
+(expandtypeattribute (qemu_hw_prop_32_0) true)
+(expandtypeattribute (qemu_sf_lcd_density_prop_32_0) true)
+(expandtypeattribute (qtaguid_device_32_0) true)
+(expandtypeattribute (racoon_32_0) true)
+(expandtypeattribute (racoon_exec_32_0) true)
+(expandtypeattribute (racoon_socket_32_0) true)
+(expandtypeattribute (radio_32_0) true)
+(expandtypeattribute (radio_control_prop_32_0) true)
+(expandtypeattribute (radio_core_data_file_32_0) true)
+(expandtypeattribute (radio_data_file_32_0) true)
+(expandtypeattribute (radio_device_32_0) true)
+(expandtypeattribute (radio_prop_32_0) true)
+(expandtypeattribute (radio_service_32_0) true)
+(expandtypeattribute (ram_device_32_0) true)
+(expandtypeattribute (random_device_32_0) true)
+(expandtypeattribute (reboot_readiness_service_32_0) true)
+(expandtypeattribute (rebootescrow_hal_prop_32_0) true)
+(expandtypeattribute (recovery_32_0) true)
+(expandtypeattribute (recovery_block_device_32_0) true)
+(expandtypeattribute (recovery_config_prop_32_0) true)
+(expandtypeattribute (recovery_data_file_32_0) true)
+(expandtypeattribute (recovery_persist_32_0) true)
+(expandtypeattribute (recovery_persist_exec_32_0) true)
+(expandtypeattribute (recovery_refresh_32_0) true)
+(expandtypeattribute (recovery_refresh_exec_32_0) true)
+(expandtypeattribute (recovery_service_32_0) true)
+(expandtypeattribute (recovery_socket_32_0) true)
+(expandtypeattribute (registry_service_32_0) true)
+(expandtypeattribute (remoteprovisioning_service_32_0) true)
+(expandtypeattribute (resourcecache_data_file_32_0) true)
+(expandtypeattribute (restorecon_prop_32_0) true)
+(expandtypeattribute (restrictions_service_32_0) true)
+(expandtypeattribute (retaildemo_prop_32_0) true)
+(expandtypeattribute (rild_debug_socket_32_0) true)
+(expandtypeattribute (rild_socket_32_0) true)
+(expandtypeattribute (ringtone_file_32_0) true)
+(expandtypeattribute (role_service_32_0) true)
+(expandtypeattribute (rollback_service_32_0) true)
+(expandtypeattribute (root_block_device_32_0) true)
+(expandtypeattribute (rootfs_32_0) true)
+(expandtypeattribute (rpmsg_device_32_0) true)
+(expandtypeattribute (rs_32_0) true)
+(expandtypeattribute (rs_exec_32_0) true)
+(expandtypeattribute (rss_hwm_reset_32_0) true)
+(expandtypeattribute (rtc_device_32_0) true)
+(expandtypeattribute (rttmanager_service_32_0) true)
+(expandtypeattribute (runas_32_0) true)
+(expandtypeattribute (runas_app_32_0) true)
+(expandtypeattribute (runas_exec_32_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_32_0) true)
+(expandtypeattribute (runtime_service_32_0) true)
+(expandtypeattribute (safemode_prop_32_0) true)
+(expandtypeattribute (same_process_hal_file_32_0) true)
+(expandtypeattribute (samplingprofiler_service_32_0) true)
+(expandtypeattribute (scheduling_policy_service_32_0) true)
+(expandtypeattribute (sdcard_block_device_32_0) true)
+(expandtypeattribute (sdcardd_32_0) true)
+(expandtypeattribute (sdcardd_exec_32_0) true)
+(expandtypeattribute (sdcardfs_32_0) true)
+(expandtypeattribute (seapp_contexts_file_32_0) true)
+(expandtypeattribute (search_service_32_0) true)
+(expandtypeattribute (search_ui_service_32_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_32_0) true)
+(expandtypeattribute (secure_element_32_0) true)
+(expandtypeattribute (secure_element_device_32_0) true)
+(expandtypeattribute (secure_element_service_32_0) true)
+(expandtypeattribute (securityfs_32_0) true)
+(expandtypeattribute (selinuxfs_32_0) true)
+(expandtypeattribute (sendbug_config_prop_32_0) true)
+(expandtypeattribute (sensor_privacy_service_32_0) true)
+(expandtypeattribute (sensors_device_32_0) true)
+(expandtypeattribute (sensorservice_service_32_0) true)
+(expandtypeattribute (sepolicy_file_32_0) true)
+(expandtypeattribute (serial_device_32_0) true)
+(expandtypeattribute (serial_service_32_0) true)
+(expandtypeattribute (serialno_prop_32_0) true)
+(expandtypeattribute (server_configurable_flags_data_file_32_0) true)
+(expandtypeattribute (service_contexts_file_32_0) true)
+(expandtypeattribute (service_manager_service_32_0) true)
+(expandtypeattribute (service_manager_vndservice_32_0) true)
+(expandtypeattribute (servicediscovery_service_32_0) true)
+(expandtypeattribute (servicemanager_32_0) true)
+(expandtypeattribute (servicemanager_exec_32_0) true)
+(expandtypeattribute (settings_service_32_0) true)
+(expandtypeattribute (sgdisk_32_0) true)
+(expandtypeattribute (sgdisk_exec_32_0) true)
+(expandtypeattribute (shared_relro_32_0) true)
+(expandtypeattribute (shared_relro_file_32_0) true)
+(expandtypeattribute (shell_32_0) true)
+(expandtypeattribute (shell_data_file_32_0) true)
+(expandtypeattribute (shell_exec_32_0) true)
+(expandtypeattribute (shell_prop_32_0) true)
+(expandtypeattribute (shell_test_data_file_32_0) true)
+(expandtypeattribute (shm_32_0) true)
+(expandtypeattribute (shortcut_manager_icons_32_0) true)
+(expandtypeattribute (shortcut_service_32_0) true)
+(expandtypeattribute (simpleperf_32_0) true)
+(expandtypeattribute (simpleperf_app_runner_32_0) true)
+(expandtypeattribute (simpleperf_app_runner_exec_32_0) true)
+(expandtypeattribute (slice_service_32_0) true)
+(expandtypeattribute (slideshow_32_0) true)
+(expandtypeattribute (smartspace_service_32_0) true)
+(expandtypeattribute (snapshotctl_log_data_file_32_0) true)
+(expandtypeattribute (snapuserd_socket_32_0) true)
+(expandtypeattribute (soc_prop_32_0) true)
+(expandtypeattribute (socket_device_32_0) true)
+(expandtypeattribute (socket_hook_prop_32_0) true)
+(expandtypeattribute (sockfs_32_0) true)
+(expandtypeattribute (sota_prop_32_0) true)
+(expandtypeattribute (soundtrigger_middleware_service_32_0) true)
+(expandtypeattribute (speech_recognition_service_32_0) true)
+(expandtypeattribute (sqlite_log_prop_32_0) true)
+(expandtypeattribute (staged_install_file_32_0) true)
+(expandtypeattribute (staging_data_file_32_0) true)
+(expandtypeattribute (stats_data_file_32_0) true)
+(expandtypeattribute (statsd_32_0) true)
+(expandtypeattribute (statsd_exec_32_0) true)
+(expandtypeattribute (statsdw_socket_32_0) true)
+(expandtypeattribute (statusbar_service_32_0) true)
+(expandtypeattribute (storage_config_prop_32_0) true)
+(expandtypeattribute (storage_file_32_0) true)
+(expandtypeattribute (storage_stub_file_32_0) true)
+(expandtypeattribute (storaged_service_32_0) true)
+(expandtypeattribute (storagemanager_config_prop_32_0) true)
+(expandtypeattribute (storagestats_service_32_0) true)
+(expandtypeattribute (su_32_0) true)
+(expandtypeattribute (su_exec_32_0) true)
+(expandtypeattribute (super_block_device_32_0) true)
+(expandtypeattribute (surfaceflinger_32_0) true)
+(expandtypeattribute (surfaceflinger_color_prop_32_0) true)
+(expandtypeattribute (surfaceflinger_display_prop_32_0) true)
+(expandtypeattribute (surfaceflinger_prop_32_0) true)
+(expandtypeattribute (surfaceflinger_service_32_0) true)
+(expandtypeattribute (surfaceflinger_tmpfs_32_0) true)
+(expandtypeattribute (suspend_prop_32_0) true)
+(expandtypeattribute (swap_block_device_32_0) true)
+(expandtypeattribute (sysfs_32_0) true)
+(expandtypeattribute (sysfs_android_usb_32_0) true)
+(expandtypeattribute (sysfs_batteryinfo_32_0) true)
+(expandtypeattribute (sysfs_block_32_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_32_0) true)
+(expandtypeattribute (sysfs_devfreq_cur_32_0) true)
+(expandtypeattribute (sysfs_devfreq_dir_32_0) true)
+(expandtypeattribute (sysfs_devices_block_32_0) true)
+(expandtypeattribute (sysfs_devices_cs_etm_32_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_32_0) true)
+(expandtypeattribute (sysfs_dm_32_0) true)
+(expandtypeattribute (sysfs_dm_verity_32_0) true)
+(expandtypeattribute (sysfs_dma_heap_32_0) true)
+(expandtypeattribute (sysfs_dmabuf_stats_32_0) true)
+(expandtypeattribute (sysfs_dt_firmware_android_32_0) true)
+(expandtypeattribute (sysfs_extcon_32_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_32_0) true)
+(expandtypeattribute (sysfs_fs_f2fs_32_0) true)
+(expandtypeattribute (sysfs_fs_incfs_features_32_0) true)
+(expandtypeattribute (sysfs_fs_incfs_metrics_32_0) true)
+(expandtypeattribute (sysfs_hwrandom_32_0) true)
+(expandtypeattribute (sysfs_ion_32_0) true)
+(expandtypeattribute (sysfs_ipv4_32_0) true)
+(expandtypeattribute (sysfs_kernel_notes_32_0) true)
+(expandtypeattribute (sysfs_leds_32_0) true)
+(expandtypeattribute (sysfs_loop_32_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_32_0) true)
+(expandtypeattribute (sysfs_net_32_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_32_0) true)
+(expandtypeattribute (sysfs_power_32_0) true)
+(expandtypeattribute (sysfs_rtc_32_0) true)
+(expandtypeattribute (sysfs_suspend_stats_32_0) true)
+(expandtypeattribute (sysfs_switch_32_0) true)
+(expandtypeattribute (sysfs_thermal_32_0) true)
+(expandtypeattribute (sysfs_transparent_hugepage_32_0) true)
+(expandtypeattribute (sysfs_uhid_32_0) true)
+(expandtypeattribute (sysfs_uio_32_0) true)
+(expandtypeattribute (sysfs_usb_32_0) true)
+(expandtypeattribute (sysfs_usermodehelper_32_0) true)
+(expandtypeattribute (sysfs_vendor_sched_32_0) true)
+(expandtypeattribute (sysfs_vibrator_32_0) true)
+(expandtypeattribute (sysfs_wake_lock_32_0) true)
+(expandtypeattribute (sysfs_wakeup_32_0) true)
+(expandtypeattribute (sysfs_wakeup_reasons_32_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_32_0) true)
+(expandtypeattribute (sysfs_zram_32_0) true)
+(expandtypeattribute (sysfs_zram_uevent_32_0) true)
+(expandtypeattribute (system_app_32_0) true)
+(expandtypeattribute (system_app_data_file_32_0) true)
+(expandtypeattribute (system_app_service_32_0) true)
+(expandtypeattribute (system_asan_options_file_32_0) true)
+(expandtypeattribute (system_block_device_32_0) true)
+(expandtypeattribute (system_boot_reason_prop_32_0) true)
+(expandtypeattribute (system_bootstrap_lib_file_32_0) true)
+(expandtypeattribute (system_config_service_32_0) true)
+(expandtypeattribute (system_data_file_32_0) true)
+(expandtypeattribute (system_data_root_file_32_0) true)
+(expandtypeattribute (system_event_log_tags_file_32_0) true)
+(expandtypeattribute (system_file_32_0) true)
+(expandtypeattribute (system_group_file_32_0) true)
+(expandtypeattribute (system_jvmti_agent_prop_32_0) true)
+(expandtypeattribute (system_lib_file_32_0) true)
+(expandtypeattribute (system_linker_config_file_32_0) true)
+(expandtypeattribute (system_linker_exec_32_0) true)
+(expandtypeattribute (system_lmk_prop_32_0) true)
+(expandtypeattribute (system_ndebug_socket_32_0) true)
+(expandtypeattribute (system_net_netd_hwservice_32_0) true)
+(expandtypeattribute (system_passwd_file_32_0) true)
+(expandtypeattribute (system_prop_32_0) true)
+(expandtypeattribute (system_seccomp_policy_file_32_0) true)
+(expandtypeattribute (system_security_cacerts_file_32_0) true)
+(expandtypeattribute (system_server_32_0) true)
+(expandtypeattribute (system_server_dumper_service_32_0) true)
+(expandtypeattribute (system_server_tmpfs_32_0) true)
+(expandtypeattribute (system_suspend_control_internal_service_32_0) true)
+(expandtypeattribute (system_suspend_control_service_32_0) true)
+(expandtypeattribute (system_suspend_hwservice_32_0) true)
+(expandtypeattribute (system_trace_prop_32_0) true)
+(expandtypeattribute (system_unsolzygote_socket_32_0) true)
+(expandtypeattribute (system_update_service_32_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_32_0) true)
+(expandtypeattribute (system_wpa_socket_32_0) true)
+(expandtypeattribute (system_zoneinfo_file_32_0) true)
+(expandtypeattribute (systemkeys_data_file_32_0) true)
+(expandtypeattribute (systemsound_config_prop_32_0) true)
+(expandtypeattribute (task_profiles_api_file_32_0) true)
+(expandtypeattribute (task_profiles_file_32_0) true)
+(expandtypeattribute (task_service_32_0) true)
+(expandtypeattribute (tcpdump_exec_32_0) true)
+(expandtypeattribute (tee_32_0) true)
+(expandtypeattribute (tee_data_file_32_0) true)
+(expandtypeattribute (tee_device_32_0) true)
+(expandtypeattribute (telecom_service_32_0) true)
+(expandtypeattribute (telephony_config_prop_32_0) true)
+(expandtypeattribute (telephony_status_prop_32_0) true)
+(expandtypeattribute (test_boot_reason_prop_32_0) true)
+(expandtypeattribute (test_harness_prop_32_0) true)
+(expandtypeattribute (testharness_service_32_0) true)
+(expandtypeattribute (tethering_service_32_0) true)
+(expandtypeattribute (textclassification_service_32_0) true)
+(expandtypeattribute (textclassifier_data_file_32_0) true)
+(expandtypeattribute (textservices_service_32_0) true)
+(expandtypeattribute (texttospeech_service_32_0) true)
+(expandtypeattribute (theme_prop_32_0) true)
+(expandtypeattribute (thermal_service_32_0) true)
+(expandtypeattribute (time_prop_32_0) true)
+(expandtypeattribute (timedetector_service_32_0) true)
+(expandtypeattribute (timezone_service_32_0) true)
+(expandtypeattribute (timezonedetector_service_32_0) true)
+(expandtypeattribute (tmpfs_32_0) true)
+(expandtypeattribute (tombstone_config_prop_32_0) true)
+(expandtypeattribute (tombstone_data_file_32_0) true)
+(expandtypeattribute (tombstone_wifi_data_file_32_0) true)
+(expandtypeattribute (tombstoned_32_0) true)
+(expandtypeattribute (tombstoned_crash_socket_32_0) true)
+(expandtypeattribute (tombstoned_exec_32_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_32_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_32_0) true)
+(expandtypeattribute (toolbox_32_0) true)
+(expandtypeattribute (toolbox_exec_32_0) true)
+(expandtypeattribute (trace_data_file_32_0) true)
+(expandtypeattribute (traced_32_0) true)
+(expandtypeattribute (traced_consumer_socket_32_0) true)
+(expandtypeattribute (traced_enabled_prop_32_0) true)
+(expandtypeattribute (traced_lazy_prop_32_0) true)
+(expandtypeattribute (traced_perf_32_0) true)
+(expandtypeattribute (traced_perf_socket_32_0) true)
+(expandtypeattribute (traced_probes_32_0) true)
+(expandtypeattribute (traced_producer_socket_32_0) true)
+(expandtypeattribute (traced_tmpfs_32_0) true)
+(expandtypeattribute (traceur_app_32_0) true)
+(expandtypeattribute (translation_service_32_0) true)
+(expandtypeattribute (trust_service_32_0) true)
+(expandtypeattribute (tty_device_32_0) true)
+(expandtypeattribute (tun_device_32_0) true)
+(expandtypeattribute (tv_input_service_32_0) true)
+(expandtypeattribute (tv_tuner_resource_mgr_service_32_0) true)
+(expandtypeattribute (tzdatacheck_32_0) true)
+(expandtypeattribute (tzdatacheck_exec_32_0) true)
+(expandtypeattribute (ueventd_32_0) true)
+(expandtypeattribute (ueventd_tmpfs_32_0) true)
+(expandtypeattribute (uhid_device_32_0) true)
+(expandtypeattribute (uimode_service_32_0) true)
+(expandtypeattribute (uio_device_32_0) true)
+(expandtypeattribute (uncrypt_32_0) true)
+(expandtypeattribute (uncrypt_exec_32_0) true)
+(expandtypeattribute (uncrypt_socket_32_0) true)
+(expandtypeattribute (unencrypted_data_file_32_0) true)
+(expandtypeattribute (unlabeled_32_0) true)
+(expandtypeattribute (untrusted_app_25_32_0) true)
+(expandtypeattribute (untrusted_app_27_32_0) true)
+(expandtypeattribute (untrusted_app_29_32_0) true)
+(expandtypeattribute (untrusted_app_32_0) true)
+(expandtypeattribute (update_engine_32_0) true)
+(expandtypeattribute (update_engine_data_file_32_0) true)
+(expandtypeattribute (update_engine_exec_32_0) true)
+(expandtypeattribute (update_engine_log_data_file_32_0) true)
+(expandtypeattribute (update_engine_service_32_0) true)
+(expandtypeattribute (update_engine_stable_service_32_0) true)
+(expandtypeattribute (update_verifier_32_0) true)
+(expandtypeattribute (update_verifier_exec_32_0) true)
+(expandtypeattribute (updatelock_service_32_0) true)
+(expandtypeattribute (uri_grants_service_32_0) true)
+(expandtypeattribute (usagestats_service_32_0) true)
+(expandtypeattribute (usb_config_prop_32_0) true)
+(expandtypeattribute (usb_control_prop_32_0) true)
+(expandtypeattribute (usb_device_32_0) true)
+(expandtypeattribute (usb_prop_32_0) true)
+(expandtypeattribute (usb_serial_device_32_0) true)
+(expandtypeattribute (usb_service_32_0) true)
+(expandtypeattribute (usbaccessory_device_32_0) true)
+(expandtypeattribute (usbd_32_0) true)
+(expandtypeattribute (usbd_exec_32_0) true)
+(expandtypeattribute (usbfs_32_0) true)
+(expandtypeattribute (use_memfd_prop_32_0) true)
+(expandtypeattribute (user_profile_data_file_32_0) true)
+(expandtypeattribute (user_profile_root_file_32_0) true)
+(expandtypeattribute (user_service_32_0) true)
+(expandtypeattribute (userdata_block_device_32_0) true)
+(expandtypeattribute (userdata_sysdev_32_0) true)
+(expandtypeattribute (usermodehelper_32_0) true)
+(expandtypeattribute (userspace_reboot_config_prop_32_0) true)
+(expandtypeattribute (userspace_reboot_exported_prop_32_0) true)
+(expandtypeattribute (userspace_reboot_metadata_file_32_0) true)
+(expandtypeattribute (uwb_service_32_0) true)
+(expandtypeattribute (vcn_management_service_32_0) true)
+(expandtypeattribute (vd_device_32_0) true)
+(expandtypeattribute (vdc_32_0) true)
+(expandtypeattribute (vdc_exec_32_0) true)
+(expandtypeattribute (vehicle_hal_prop_32_0) true)
+(expandtypeattribute (vendor_apex_file_32_0) true)
+(expandtypeattribute (vendor_app_file_32_0) true)
+(expandtypeattribute (vendor_cgroup_desc_file_32_0) true)
+(expandtypeattribute (vendor_configs_file_32_0) true)
+(expandtypeattribute (vendor_data_file_32_0) true)
+(expandtypeattribute (vendor_default_prop_32_0) true)
+(expandtypeattribute (vendor_file_32_0) true)
+(expandtypeattribute (vendor_framework_file_32_0) true)
+(expandtypeattribute (vendor_hal_file_32_0) true)
+(expandtypeattribute (vendor_idc_file_32_0) true)
+(expandtypeattribute (vendor_init_32_0) true)
+(expandtypeattribute (vendor_kernel_modules_32_0) true)
+(expandtypeattribute (vendor_keychars_file_32_0) true)
+(expandtypeattribute (vendor_keylayout_file_32_0) true)
+(expandtypeattribute (vendor_misc_writer_32_0) true)
+(expandtypeattribute (vendor_misc_writer_exec_32_0) true)
+(expandtypeattribute (vendor_modprobe_32_0) true)
+(expandtypeattribute (vendor_overlay_file_32_0) true)
+(expandtypeattribute (vendor_public_framework_file_32_0) true)
+(expandtypeattribute (vendor_public_lib_file_32_0) true)
+(expandtypeattribute (vendor_security_patch_level_prop_32_0) true)
+(expandtypeattribute (vendor_service_contexts_file_32_0) true)
+(expandtypeattribute (vendor_shell_32_0) true)
+(expandtypeattribute (vendor_shell_exec_32_0) true)
+(expandtypeattribute (vendor_socket_hook_prop_32_0) true)
+(expandtypeattribute (vendor_task_profiles_file_32_0) true)
+(expandtypeattribute (vendor_toolbox_exec_32_0) true)
+(expandtypeattribute (vfat_32_0) true)
+(expandtypeattribute (vibrator_manager_service_32_0) true)
+(expandtypeattribute (vibrator_service_32_0) true)
+(expandtypeattribute (video_device_32_0) true)
+(expandtypeattribute (virtual_ab_prop_32_0) true)
+(expandtypeattribute (virtual_touchpad_32_0) true)
+(expandtypeattribute (virtual_touchpad_exec_32_0) true)
+(expandtypeattribute (virtual_touchpad_service_32_0) true)
+(expandtypeattribute (virtualization_service_32_0) true)
+(expandtypeattribute (vndbinder_device_32_0) true)
+(expandtypeattribute (vndk_prop_32_0) true)
+(expandtypeattribute (vndk_sp_file_32_0) true)
+(expandtypeattribute (vndservice_contexts_file_32_0) true)
+(expandtypeattribute (vndservicemanager_32_0) true)
+(expandtypeattribute (voiceinteraction_service_32_0) true)
+(expandtypeattribute (vold_32_0) true)
+(expandtypeattribute (vold_config_prop_32_0) true)
+(expandtypeattribute (vold_data_file_32_0) true)
+(expandtypeattribute (vold_device_32_0) true)
+(expandtypeattribute (vold_exec_32_0) true)
+(expandtypeattribute (vold_metadata_file_32_0) true)
+(expandtypeattribute (vold_post_fs_data_prop_32_0) true)
+(expandtypeattribute (vold_prepare_subdirs_32_0) true)
+(expandtypeattribute (vold_prepare_subdirs_exec_32_0) true)
+(expandtypeattribute (vold_prop_32_0) true)
+(expandtypeattribute (vold_service_32_0) true)
+(expandtypeattribute (vold_status_prop_32_0) true)
+(expandtypeattribute (vpn_data_file_32_0) true)
+(expandtypeattribute (vpn_management_service_32_0) true)
+(expandtypeattribute (vr_hwc_32_0) true)
+(expandtypeattribute (vr_hwc_exec_32_0) true)
+(expandtypeattribute (vr_hwc_service_32_0) true)
+(expandtypeattribute (vr_manager_service_32_0) true)
+(expandtypeattribute (vrflinger_vsync_service_32_0) true)
+(expandtypeattribute (vts_config_prop_32_0) true)
+(expandtypeattribute (vts_status_prop_32_0) true)
+(expandtypeattribute (wallpaper_file_32_0) true)
+(expandtypeattribute (wallpaper_service_32_0) true)
+(expandtypeattribute (watchdog_device_32_0) true)
+(expandtypeattribute (watchdog_metadata_file_32_0) true)
+(expandtypeattribute (watchdogd_32_0) true)
+(expandtypeattribute (watchdogd_exec_32_0) true)
+(expandtypeattribute (webview_zygote_32_0) true)
+(expandtypeattribute (webview_zygote_exec_32_0) true)
+(expandtypeattribute (webview_zygote_tmpfs_32_0) true)
+(expandtypeattribute (webviewupdate_service_32_0) true)
+(expandtypeattribute (wifi_config_prop_32_0) true)
+(expandtypeattribute (wifi_data_file_32_0) true)
+(expandtypeattribute (wifi_hal_prop_32_0) true)
+(expandtypeattribute (wifi_key_32_0) true)
+(expandtypeattribute (wifi_log_prop_32_0) true)
+(expandtypeattribute (wifi_prop_32_0) true)
+(expandtypeattribute (wifi_service_32_0) true)
+(expandtypeattribute (wifiaware_service_32_0) true)
+(expandtypeattribute (wificond_32_0) true)
+(expandtypeattribute (wificond_exec_32_0) true)
+(expandtypeattribute (wifinl80211_service_32_0) true)
+(expandtypeattribute (wifip2p_service_32_0) true)
+(expandtypeattribute (wifiscanner_service_32_0) true)
+(expandtypeattribute (window_service_32_0) true)
+(expandtypeattribute (wpa_socket_32_0) true)
+(expandtypeattribute (wpantund_32_0) true)
+(expandtypeattribute (wpantund_exec_32_0) true)
+(expandtypeattribute (wpantund_service_32_0) true)
+(expandtypeattribute (zero_device_32_0) true)
+(expandtypeattribute (zoneinfo_data_file_32_0) true)
+(expandtypeattribute (zram_config_prop_32_0) true)
+(expandtypeattribute (zram_control_prop_32_0) true)
+(expandtypeattribute (zygote_32_0) true)
+(expandtypeattribute (zygote_config_prop_32_0) true)
+(expandtypeattribute (zygote_exec_32_0) true)
+(expandtypeattribute (zygote_socket_32_0) true)
+(expandtypeattribute (zygote_tmpfs_32_0) true)
+(typeattributeset DockObserver_service_32_0 (DockObserver_service))
+(typeattributeset IProxyService_service_32_0 (IProxyService_service))
+(typeattributeset aac_drc_prop_32_0 (aac_drc_prop))
+(typeattributeset aaudio_config_prop_32_0 (aaudio_config_prop))
+(typeattributeset ab_update_gki_prop_32_0 (ab_update_gki_prop))
+(typeattributeset accessibility_service_32_0 (accessibility_service))
+(typeattributeset account_service_32_0 (account_service))
+(typeattributeset activity_service_32_0 (activity_service))
+(typeattributeset activity_task_service_32_0 (activity_task_service))
+(typeattributeset adb_data_file_32_0 (adb_data_file))
+(typeattributeset adb_keys_file_32_0 (adb_keys_file))
+(typeattributeset adb_service_32_0 (adb_service))
+(typeattributeset adbd_32_0 (adbd))
+(typeattributeset adbd_config_prop_32_0 (adbd_config_prop))
+(typeattributeset adbd_exec_32_0 (adbd_exec))
+(typeattributeset adbd_socket_32_0 (adbd_socket))
+(typeattributeset aidl_lazy_test_server_32_0 (aidl_lazy_test_server))
+(typeattributeset aidl_lazy_test_server_exec_32_0 (aidl_lazy_test_server_exec))
+(typeattributeset aidl_lazy_test_service_32_0 (aidl_lazy_test_service))
+(typeattributeset alarm_service_32_0 (alarm_service))
+(typeattributeset anr_data_file_32_0 (anr_data_file))
+(typeattributeset apc_service_32_0 (apc_service))
+(typeattributeset apex_appsearch_data_file_32_0 (apex_appsearch_data_file apex_system_server_data_file))
+(typeattributeset apex_data_file_32_0 (apex_data_file))
+(typeattributeset apex_info_file_32_0 (apex_info_file))
+(typeattributeset apex_metadata_file_32_0 (apex_metadata_file))
+(typeattributeset apex_mnt_dir_32_0 (apex_mnt_dir))
+(typeattributeset apex_module_data_file_32_0 (apex_module_data_file))
+(typeattributeset apex_ota_reserved_file_32_0 (apex_ota_reserved_file))
+(typeattributeset apex_permission_data_file_32_0 (apex_permission_data_file apex_system_server_data_file))
+(typeattributeset apex_rollback_data_file_32_0 (apex_rollback_data_file))
+(typeattributeset apex_scheduling_data_file_32_0 (apex_scheduling_data_file apex_system_server_data_file))
+(typeattributeset apex_service_32_0 (apex_service))
+(typeattributeset apex_wifi_data_file_32_0 (apex_wifi_data_file apex_system_server_data_file))
+(typeattributeset apexd_32_0 (apexd))
+(typeattributeset apexd_config_prop_32_0 (apexd_config_prop))
+(typeattributeset apexd_exec_32_0 (apexd_exec))
+(typeattributeset apexd_prop_32_0 (apexd_prop))
+(typeattributeset apk_data_file_32_0 (apk_data_file))
+(typeattributeset apk_private_data_file_32_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_32_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_32_0 (apk_tmp_file))
+(typeattributeset apk_verity_prop_32_0 (apk_verity_prop))
+(typeattributeset app_binding_service_32_0 (app_binding_service))
+(typeattributeset app_data_file_32_0 (app_data_file))
+(typeattributeset app_fuse_file_32_0 (app_fuse_file))
+(typeattributeset app_fusefs_32_0 (app_fusefs))
+(typeattributeset app_hibernation_service_32_0 (app_hibernation_service))
+(typeattributeset app_integrity_service_32_0 (app_integrity_service))
+(typeattributeset app_prediction_service_32_0 (app_prediction_service))
+(typeattributeset app_search_service_32_0 (app_search_service))
+(typeattributeset app_zygote_32_0 (app_zygote))
+(typeattributeset app_zygote_tmpfs_32_0 (app_zygote_tmpfs))
+(typeattributeset appcompat_data_file_32_0 (appcompat_data_file))
+(typeattributeset appdomain_tmpfs_32_0 (appdomain_tmpfs))
+(typeattributeset appops_service_32_0 (appops_service))
+(typeattributeset appwidget_service_32_0 (appwidget_service))
+(typeattributeset arm64_memtag_prop_32_0 (arm64_memtag_prop))
+(typeattributeset art_apex_dir_32_0 (art_apex_dir))
+(typeattributeset asec_apk_file_32_0 (asec_apk_file))
+(typeattributeset asec_image_file_32_0 (asec_image_file))
+(typeattributeset asec_public_file_32_0 (asec_public_file))
+(typeattributeset ashmem_device_32_0 (ashmem_device))
+(typeattributeset ashmem_libcutils_device_32_0 (ashmem_libcutils_device))
+(typeattributeset assetatlas_service_32_0 (assetatlas_service))
+(typeattributeset atrace_32_0 (atrace))
+(typeattributeset audio_config_prop_32_0 (audio_config_prop))
+(typeattributeset audio_data_file_32_0 (audio_data_file))
+(typeattributeset audio_device_32_0 (audio_device))
+(typeattributeset audio_prop_32_0 (audio_prop))
+(typeattributeset audio_service_32_0 (audio_service))
+(typeattributeset audiohal_data_file_32_0 (audiohal_data_file))
+(typeattributeset audioserver_32_0 (audioserver))
+(typeattributeset audioserver_data_file_32_0 (audioserver_data_file))
+(typeattributeset audioserver_service_32_0 (audioserver_service))
+(typeattributeset audioserver_tmpfs_32_0 (audioserver_tmpfs))
+(typeattributeset auth_service_32_0 (auth_service))
+(typeattributeset authorization_service_32_0 (authorization_service))
+(typeattributeset autofill_service_32_0 (autofill_service))
+(typeattributeset backup_data_file_32_0 (backup_data_file))
+(typeattributeset backup_service_32_0 (backup_service))
+(typeattributeset battery_service_32_0 (battery_service))
+(typeattributeset batteryproperties_service_32_0 (batteryproperties_service))
+(typeattributeset batterystats_service_32_0 (batterystats_service))
+(typeattributeset binder_cache_bluetooth_server_prop_32_0 (binder_cache_bluetooth_server_prop))
+(typeattributeset binder_cache_system_server_prop_32_0 (binder_cache_system_server_prop))
+(typeattributeset binder_cache_telephony_server_prop_32_0 (binder_cache_telephony_server_prop))
+(typeattributeset binder_calls_stats_service_32_0 (binder_calls_stats_service))
+(typeattributeset binder_device_32_0 (binder_device))
+(typeattributeset binderfs_32_0 (binderfs))
+(typeattributeset binderfs_logs_32_0 (binderfs_logs))
+(typeattributeset binderfs_logs_proc_32_0 (binderfs_logs_proc))
+(typeattributeset binfmt_miscfs_32_0 (binfmt_miscfs))
+(typeattributeset biometric_service_32_0 (biometric_service))
+(typeattributeset blkid_32_0 (blkid))
+(typeattributeset blkid_untrusted_32_0 (blkid_untrusted))
+(typeattributeset blob_store_service_32_0 (blob_store_service))
+(typeattributeset block_device_32_0 (block_device))
+(typeattributeset bluetooth_32_0 (bluetooth))
+(typeattributeset bluetooth_a2dp_offload_prop_32_0 (bluetooth_a2dp_offload_prop))
+(typeattributeset bluetooth_audio_hal_prop_32_0 (bluetooth_audio_hal_prop))
+(typeattributeset bluetooth_data_file_32_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_32_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_32_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_32_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_32_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_32_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_32_0 (bluetooth_socket))
+(typeattributeset boot_block_device_32_0 (boot_block_device))
+(typeattributeset boot_status_prop_32_0 (boot_status_prop))
+(typeattributeset bootanim_32_0 (bootanim))
+(typeattributeset bootanim_config_prop_32_0 (bootanim_config_prop))
+(typeattributeset bootanim_exec_32_0 (bootanim_exec))
+(typeattributeset bootanim_system_prop_32_0 (bootanim_system_prop))
+(typeattributeset bootchart_data_file_32_0 (bootchart_data_file))
+(typeattributeset bootloader_boot_reason_prop_32_0 (bootloader_boot_reason_prop))
+(typeattributeset bootloader_prop_32_0 (bootloader_prop))
+(typeattributeset bootstat_32_0 (bootstat))
+(typeattributeset bootstat_data_file_32_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_32_0 (bootstat_exec))
+(typeattributeset boottime_prop_32_0 (boottime_prop))
+(typeattributeset boottime_public_prop_32_0 (boottime_public_prop))
+(typeattributeset boottrace_data_file_32_0 (boottrace_data_file))
+(typeattributeset bpf_progs_loaded_prop_32_0 (bpf_progs_loaded_prop))
+(typeattributeset bq_config_prop_32_0 (bq_config_prop))
+(typeattributeset broadcastradio_service_32_0 (broadcastradio_service))
+(typeattributeset bufferhubd_32_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_32_0 (bufferhubd_exec))
+(typeattributeset bugreport_service_32_0 (bugreport_service))
+(typeattributeset build_bootimage_prop_32_0 (build_bootimage_prop))
+(typeattributeset build_config_prop_32_0 (build_config_prop))
+(typeattributeset build_odm_prop_32_0 (build_odm_prop))
+(typeattributeset build_prop_32_0 (build_prop))
+(typeattributeset build_vendor_prop_32_0 (build_vendor_prop))
+(typeattributeset cache_backup_file_32_0 (cache_backup_file))
+(typeattributeset cache_block_device_32_0 (cache_block_device))
+(typeattributeset cache_file_32_0 (cache_file))
+(typeattributeset cache_private_backup_file_32_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_32_0 (cache_recovery_file))
+(typeattributeset cacheinfo_service_32_0 (cacheinfo_service))
+(typeattributeset camera2_extensions_prop_32_0 (camera2_extensions_prop))
+(typeattributeset camera_calibration_prop_32_0 (camera_calibration_prop))
+(typeattributeset camera_config_prop_32_0 (camera_config_prop))
+(typeattributeset camera_data_file_32_0 (camera_data_file))
+(typeattributeset camera_device_32_0 (camera_device))
+(typeattributeset cameraproxy_service_32_0 (cameraproxy_service))
+(typeattributeset cameraserver_32_0 (cameraserver))
+(typeattributeset cameraserver_exec_32_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_32_0 (cameraserver_service))
+(typeattributeset cameraserver_tmpfs_32_0 (cameraserver_tmpfs))
+(typeattributeset camerax_extensions_prop_32_0 (camerax_extensions_prop))
+(typeattributeset cgroup_32_0 (cgroup))
+(typeattributeset cgroup_desc_api_file_32_0 (cgroup_desc_api_file))
+(typeattributeset cgroup_desc_file_32_0 (cgroup_desc_file))
+(typeattributeset cgroup_rc_file_32_0 (cgroup_rc_file))
+(typeattributeset cgroup_v2_32_0 (cgroup_v2))
+(typeattributeset charger_32_0 (charger))
+(typeattributeset charger_config_prop_32_0 (charger_config_prop))
+(typeattributeset charger_exec_32_0 (charger_exec))
+(typeattributeset charger_prop_32_0 (charger_prop))
+(typeattributeset charger_status_prop_32_0 (charger_status_prop))
+(typeattributeset clipboard_service_32_0 (clipboard_service))
+(typeattributeset codec2_config_prop_32_0 (codec2_config_prop))
+(typeattributeset cold_boot_done_prop_32_0 (cold_boot_done_prop))
+(typeattributeset color_display_service_32_0 (color_display_service))
+(typeattributeset companion_device_service_32_0 (companion_device_service))
+(typeattributeset config_prop_32_0 (config_prop))
+(typeattributeset configfs_32_0 (configfs))
+(typeattributeset connectivity_service_32_0 (connectivity_service))
+(typeattributeset connmetrics_service_32_0 (connmetrics_service))
+(typeattributeset console_device_32_0 (console_device))
+(typeattributeset consumer_ir_service_32_0 (consumer_ir_service))
+(typeattributeset content_capture_service_32_0 (content_capture_service))
+(typeattributeset content_service_32_0 (content_service))
+(typeattributeset content_suggestions_service_32_0 (content_suggestions_service))
+(typeattributeset contexthub_service_32_0 (contexthub_service))
+(typeattributeset coredump_file_32_0 (coredump_file))
+(typeattributeset country_detector_service_32_0 (country_detector_service))
+(typeattributeset coverage_service_32_0 (coverage_service))
+(typeattributeset cppreopt_prop_32_0 (cppreopt_prop))
+(typeattributeset cpu_variant_prop_32_0 (cpu_variant_prop))
+(typeattributeset cpuinfo_service_32_0 (cpuinfo_service))
+(typeattributeset crash_dump_32_0 (crash_dump))
+(typeattributeset crash_dump_exec_32_0 (crash_dump_exec))
+(typeattributeset credstore_32_0 (credstore))
+(typeattributeset credstore_data_file_32_0 (credstore_data_file))
+(typeattributeset credstore_exec_32_0 (credstore_exec))
+(typeattributeset credstore_service_32_0 (credstore_service))
+(typeattributeset crossprofileapps_service_32_0 (crossprofileapps_service))
+(typeattributeset ctl_adbd_prop_32_0 (ctl_adbd_prop))
+(typeattributeset ctl_apexd_prop_32_0 (ctl_apexd_prop))
+(typeattributeset ctl_bootanim_prop_32_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_32_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_32_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_32_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_32_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_32_0 (ctl_fuse_prop))
+(typeattributeset ctl_gsid_prop_32_0 (ctl_gsid_prop))
+(typeattributeset ctl_interface_restart_prop_32_0 (ctl_interface_restart_prop))
+(typeattributeset ctl_interface_start_prop_32_0 (ctl_interface_start_prop))
+(typeattributeset ctl_interface_stop_prop_32_0 (ctl_interface_stop_prop))
+(typeattributeset ctl_mdnsd_prop_32_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_restart_prop_32_0 (ctl_restart_prop))
+(typeattributeset ctl_rildaemon_prop_32_0 (ctl_rildaemon_prop))
+(typeattributeset ctl_sigstop_prop_32_0 (ctl_sigstop_prop))
+(typeattributeset ctl_start_prop_32_0 (ctl_start_prop))
+(typeattributeset ctl_stop_prop_32_0 (ctl_stop_prop))
+(typeattributeset dalvik_config_prop_32_0 (dalvik_config_prop))
+(typeattributeset dalvik_prop_32_0 (dalvik_prop))
+(typeattributeset dalvik_runtime_prop_32_0 (dalvik_runtime_prop))
+(typeattributeset dalvikcache_data_file_32_0 (dalvikcache_data_file))
+(typeattributeset dataloader_manager_service_32_0 (dataloader_manager_service))
+(typeattributeset dbinfo_service_32_0 (dbinfo_service))
+(typeattributeset dck_prop_32_0 (dck_prop))
+(typeattributeset debug_prop_32_0 (debug_prop))
+(typeattributeset debugfs_32_0 (debugfs))
+(typeattributeset debugfs_bootreceiver_tracing_32_0 (debugfs_bootreceiver_tracing))
+(typeattributeset debugfs_kprobes_32_0 (debugfs_kprobes))
+(typeattributeset debugfs_mm_events_tracing_32_0 (debugfs_mm_events_tracing))
+(typeattributeset debugfs_mmc_32_0 (debugfs_mmc))
+(typeattributeset debugfs_restriction_prop_32_0 (debugfs_restriction_prop))
+(typeattributeset debugfs_trace_marker_32_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_32_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_32_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_instances_32_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_tracing_printk_formats_32_0 (debugfs_tracing_printk_formats))
+(typeattributeset debugfs_wakeup_sources_32_0 (debugfs_wakeup_sources))
+(typeattributeset debugfs_wifi_tracing_32_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_32_0 (debuggerd_prop))
+(typeattributeset default_android_hwservice_32_0 (default_android_hwservice))
+(typeattributeset default_android_service_32_0 (default_android_service))
+(typeattributeset default_android_vndservice_32_0 (default_android_vndservice))
+(typeattributeset default_prop_32_0 (default_prop))
+(typeattributeset dev_cpu_variant_32_0 (dev_cpu_variant))
+(typeattributeset device_32_0 (device))
+(typeattributeset device_config_activity_manager_native_boot_prop_32_0 (device_config_activity_manager_native_boot_prop))
+(typeattributeset device_config_boot_count_prop_32_0 (device_config_boot_count_prop))
+(typeattributeset device_config_input_native_boot_prop_32_0 (device_config_input_native_boot_prop))
+(typeattributeset device_config_media_native_prop_32_0 (device_config_media_native_prop))
+(typeattributeset device_config_netd_native_prop_32_0 (device_config_netd_native_prop))
+(typeattributeset device_config_reset_performed_prop_32_0 (device_config_reset_performed_prop))
+(typeattributeset device_config_runtime_native_boot_prop_32_0 (device_config_runtime_native_boot_prop))
+(typeattributeset device_config_runtime_native_prop_32_0 (device_config_runtime_native_prop))
+(typeattributeset device_config_service_32_0 (device_config_service))
+(typeattributeset device_identifiers_service_32_0 (device_identifiers_service))
+(typeattributeset device_logging_prop_32_0 (device_logging_prop))
+(typeattributeset device_policy_service_32_0 (device_policy_service))
+(typeattributeset device_state_service_32_0 (device_state_service))
+(typeattributeset deviceidle_service_32_0 (deviceidle_service))
+(typeattributeset devicestoragemonitor_service_32_0 (devicestoragemonitor_service))
+(typeattributeset devpts_32_0 (devpts))
+(typeattributeset dhcp_32_0 (dhcp))
+(typeattributeset dhcp_data_file_32_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_32_0 (dhcp_exec))
+(typeattributeset dhcp_prop_32_0 (dhcp_prop))
+(typeattributeset diskstats_service_32_0 (diskstats_service))
+(typeattributeset display_service_32_0 (display_service))
+(typeattributeset dm_device_32_0 (dm_device))
+(typeattributeset dm_user_device_32_0 (dm_user_device))
+(typeattributeset dmabuf_heap_device_32_0 (dmabuf_heap_device))
+(typeattributeset dmabuf_system_heap_device_32_0 (dmabuf_system_heap_device))
+(typeattributeset dmabuf_system_secure_heap_device_32_0 (dmabuf_system_secure_heap_device))
+(typeattributeset dnsmasq_32_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_32_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_32_0 (dnsproxyd_socket))
+(typeattributeset dnsresolver_service_32_0 (dnsresolver_service))
+(typeattributeset domain_verification_service_32_0 (domain_verification_service))
+(typeattributeset dreams_service_32_0 (dreams_service))
+(typeattributeset drm_data_file_32_0 (drm_data_file))
+(typeattributeset drm_service_config_prop_32_0 (drm_service_config_prop))
+(typeattributeset drmserver_32_0 (drmserver))
+(typeattributeset drmserver_exec_32_0 (drmserver_exec))
+(typeattributeset drmserver_service_32_0 (drmserver_service))
+(typeattributeset drmserver_socket_32_0 (drmserver_socket))
+(typeattributeset dropbox_data_file_32_0 (dropbox_data_file))
+(typeattributeset dropbox_service_32_0 (dropbox_service))
+(typeattributeset dumpstate_32_0 (dumpstate))
+(typeattributeset dumpstate_exec_32_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_32_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_32_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_32_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_32_0 (dumpstate_socket))
+(typeattributeset dynamic_system_prop_32_0 (dynamic_system_prop))
+(typeattributeset e2fs_32_0 (e2fs))
+(typeattributeset e2fs_exec_32_0 (e2fs_exec))
+(typeattributeset efs_file_32_0 (efs_file))
+(typeattributeset emergency_affordance_service_32_0 (emergency_affordance_service))
+(typeattributeset ephemeral_app_32_0 (ephemeral_app))
+(typeattributeset ethernet_service_32_0 (ethernet_service))
+(typeattributeset exfat_32_0 (exfat))
+(typeattributeset exported3_system_prop_32_0 (exported3_system_prop))
+(typeattributeset exported_bluetooth_prop_32_0 (exported_bluetooth_prop))
+(typeattributeset exported_camera_prop_32_0 (exported_camera_prop))
+(typeattributeset exported_config_prop_32_0 (exported_config_prop))
+(typeattributeset exported_default_prop_32_0 (exported_default_prop))
+(typeattributeset exported_dumpstate_prop_32_0 (exported_dumpstate_prop))
+(typeattributeset exported_overlay_prop_32_0 (exported_overlay_prop))
+(typeattributeset exported_pm_prop_32_0 (exported_pm_prop))
+(typeattributeset exported_secure_prop_32_0 (exported_secure_prop))
+(typeattributeset exported_system_prop_32_0 (exported_system_prop))
+(typeattributeset external_vibrator_service_32_0 (external_vibrator_service))
+(typeattributeset face_service_32_0 (face_service))
+(typeattributeset face_vendor_data_file_32_0 (face_vendor_data_file))
+(typeattributeset fastbootd_32_0 (fastbootd))
+(typeattributeset ffs_config_prop_32_0 (ffs_config_prop))
+(typeattributeset ffs_control_prop_32_0 (ffs_control_prop))
+(typeattributeset file_contexts_file_32_0 (file_contexts_file))
+(typeattributeset file_integrity_service_32_0 (file_integrity_service))
+(typeattributeset fingerprint_prop_32_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_32_0 (fingerprint_service))
+(typeattributeset fingerprint_vendor_data_file_32_0 (fingerprint_vendor_data_file))
+(typeattributeset fingerprintd_32_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_32_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_32_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_32_0 (fingerprintd_service))
+(typeattributeset firstboot_prop_32_0 (firstboot_prop))
+(typeattributeset flags_health_check_32_0 (flags_health_check))
+(typeattributeset flags_health_check_exec_32_0 (flags_health_check_exec))
+(typeattributeset font_service_32_0 (font_service))
+(typeattributeset framework_watchdog_config_prop_32_0 (framework_watchdog_config_prop))
+(typeattributeset frp_block_device_32_0 (frp_block_device))
+(typeattributeset fs_bpf_32_0 (fs_bpf))
+(typeattributeset fs_bpf_tethering_32_0 (fs_bpf_tethering))
+(typeattributeset fsck_32_0 (fsck))
+(typeattributeset fsck_exec_32_0 (fsck_exec))
+(typeattributeset fsck_untrusted_32_0 (fsck_untrusted))
+(typeattributeset fscklogs_32_0 (fscklogs))
+(typeattributeset functionfs_32_0 (functionfs))
+(typeattributeset fuse_32_0 (fuse))
+(typeattributeset fuse_device_32_0 (fuse_device))
+(typeattributeset fusectlfs_32_0 (fusectlfs))
+(typeattributeset fwk_automotive_display_hwservice_32_0 (fwk_automotive_display_hwservice))
+(typeattributeset fwk_bufferhub_hwservice_32_0 (fwk_bufferhub_hwservice))
+(typeattributeset fwk_camera_hwservice_32_0 (fwk_camera_hwservice))
+(typeattributeset fwk_display_hwservice_32_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_32_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_32_0 (fwk_sensor_hwservice))
+(typeattributeset fwk_stats_hwservice_32_0 (fwk_stats_hwservice))
+(typeattributeset fwk_stats_service_32_0 (fwk_stats_service))
+(typeattributeset fwmarkd_socket_32_0 (fwmarkd_socket))
+(typeattributeset game_service_32_0 (game_service))
+(typeattributeset gatekeeper_data_file_32_0 (gatekeeper_data_file))
+(typeattributeset gatekeeper_service_32_0 (gatekeeper_service))
+(typeattributeset gatekeeperd_32_0 (gatekeeperd))
+(typeattributeset gatekeeperd_exec_32_0 (gatekeeperd_exec))
+(typeattributeset gfxinfo_service_32_0 (gfxinfo_service))
+(typeattributeset gmscore_app_32_0 (gmscore_app))
+(typeattributeset gnss_device_32_0 (gnss_device))
+(typeattributeset gnss_time_update_service_32_0 (gnss_time_update_service))
+(typeattributeset gps_control_32_0 (gps_control))
+(typeattributeset gpu_device_32_0 (gpu_device))
+(typeattributeset gpu_service_32_0 (gpu_service))
+(typeattributeset gpuservice_32_0 (gpuservice))
+(typeattributeset graphics_config_prop_32_0 (graphics_config_prop))
+(typeattributeset graphics_device_32_0 (graphics_device))
+(typeattributeset graphicsstats_service_32_0 (graphicsstats_service))
+(typeattributeset gsi_data_file_32_0 (gsi_data_file))
+(typeattributeset gsi_metadata_file_32_0 (gsi_metadata_file))
+(typeattributeset gsi_public_metadata_file_32_0 (gsi_public_metadata_file))
+(typeattributeset hal_atrace_hwservice_32_0 (hal_atrace_hwservice))
+(typeattributeset hal_audio_hwservice_32_0 (hal_audio_hwservice))
+(typeattributeset hal_audio_service_32_0 (hal_audio_service))
+(typeattributeset hal_audiocontrol_hwservice_32_0 (hal_audiocontrol_hwservice))
+(typeattributeset hal_audiocontrol_service_32_0 (hal_audiocontrol_service))
+(typeattributeset hal_authsecret_hwservice_32_0 (hal_authsecret_hwservice))
+(typeattributeset hal_authsecret_service_32_0 (hal_authsecret_service))
+(typeattributeset hal_bluetooth_hwservice_32_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_32_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_32_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_32_0 (hal_camera_hwservice))
+(typeattributeset hal_can_bus_hwservice_32_0 (hal_can_bus_hwservice))
+(typeattributeset hal_can_controller_hwservice_32_0 (hal_can_controller_hwservice))
+(typeattributeset hal_cas_hwservice_32_0 (hal_cas_hwservice))
+(typeattributeset hal_codec2_hwservice_32_0 (hal_codec2_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_32_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_confirmationui_hwservice_32_0 (hal_confirmationui_hwservice))
+(typeattributeset hal_contexthub_hwservice_32_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_32_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_config_prop_32_0 (hal_dumpstate_config_prop))
+(typeattributeset hal_dumpstate_hwservice_32_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_evs_hwservice_32_0 (hal_evs_hwservice))
+(typeattributeset hal_face_hwservice_32_0 (hal_face_hwservice))
+(typeattributeset hal_face_service_32_0 (hal_face_service))
+(typeattributeset hal_fingerprint_hwservice_32_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_32_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_32_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_32_0 (hal_gnss_hwservice))
+(typeattributeset hal_gnss_service_32_0 (hal_gnss_service))
+(typeattributeset hal_graphics_allocator_hwservice_32_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_32_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_composer_server_tmpfs_32_0 (hal_graphics_composer_server_tmpfs))
+(typeattributeset hal_graphics_mapper_hwservice_32_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_32_0 (hal_health_hwservice))
+(typeattributeset hal_health_storage_hwservice_32_0 (hal_health_storage_hwservice))
+(typeattributeset hal_health_storage_service_32_0 (hal_health_storage_service))
+(typeattributeset hal_identity_service_32_0 (hal_identity_service))
+(typeattributeset hal_input_classifier_hwservice_32_0 (hal_input_classifier_hwservice))
+(typeattributeset hal_instrumentation_prop_32_0 (hal_instrumentation_prop))
+(typeattributeset hal_ir_hwservice_32_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_32_0 (hal_keymaster_hwservice))
+(typeattributeset hal_keymint_service_32_0 (hal_keymint_service))
+(typeattributeset hal_light_hwservice_32_0 (hal_light_hwservice))
+(typeattributeset hal_light_service_32_0 (hal_light_service))
+(typeattributeset hal_lowpan_hwservice_32_0 (hal_lowpan_hwservice))
+(typeattributeset hal_memtrack_hwservice_32_0 (hal_memtrack_hwservice))
+(typeattributeset hal_memtrack_service_32_0 (hal_memtrack_service))
+(typeattributeset hal_neuralnetworks_hwservice_32_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_neuralnetworks_service_32_0 (hal_neuralnetworks_service))
+(typeattributeset hal_nfc_hwservice_32_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_32_0 (hal_oemlock_hwservice))
+(typeattributeset hal_oemlock_service_32_0 (hal_oemlock_service))
+(typeattributeset hal_omx_hwservice_32_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_32_0 (hal_power_hwservice))
+(typeattributeset hal_power_service_32_0 (hal_power_service))
+(typeattributeset hal_power_stats_hwservice_32_0 (hal_power_stats_hwservice))
+(typeattributeset hal_power_stats_service_32_0 (hal_power_stats_service))
+(typeattributeset hal_rebootescrow_service_32_0 (hal_rebootescrow_service))
+(typeattributeset hal_remotelyprovisionedcomponent_service_32_0 (hal_remotelyprovisionedcomponent_service))
+(typeattributeset hal_renderscript_hwservice_32_0 (hal_renderscript_hwservice))
+(typeattributeset hal_secure_element_hwservice_32_0 (hal_secure_element_hwservice))
+(typeattributeset hal_secureclock_service_32_0 (hal_secureclock_service))
+(typeattributeset hal_sensors_hwservice_32_0 (hal_sensors_hwservice))
+(typeattributeset hal_sharedsecret_service_32_0 (hal_sharedsecret_service))
+(typeattributeset hal_telephony_hwservice_32_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_32_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_32_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_32_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_32_0 (hal_tv_input_hwservice))
+(typeattributeset hal_tv_tuner_hwservice_32_0 (hal_tv_tuner_hwservice))
+(typeattributeset hal_usb_gadget_hwservice_32_0 (hal_usb_gadget_hwservice))
+(typeattributeset hal_usb_hwservice_32_0 (hal_usb_hwservice))
+(typeattributeset hal_vehicle_hwservice_32_0 (hal_vehicle_hwservice))
+(typeattributeset hal_vibrator_hwservice_32_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vibrator_service_32_0 (hal_vibrator_service))
+(typeattributeset hal_vr_hwservice_32_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_32_0 (hal_weaver_hwservice))
+(typeattributeset hal_weaver_service_32_0 (hal_weaver_service))
+(typeattributeset hal_wifi_hostapd_hwservice_32_0 (hal_wifi_hostapd_hwservice))
+(typeattributeset hal_wifi_hwservice_32_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_32_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_32_0 (hardware_properties_service))
+(typeattributeset hardware_service_32_0 (hardware_service))
+(typeattributeset hci_attach_dev_32_0 (hci_attach_dev))
+(typeattributeset hdmi_config_prop_32_0 (hdmi_config_prop))
+(typeattributeset hdmi_control_service_32_0 (hdmi_control_service))
+(typeattributeset healthd_32_0 (healthd))
+(typeattributeset healthd_exec_32_0 (healthd_exec))
+(typeattributeset heapdump_data_file_32_0 (heapdump_data_file))
+(typeattributeset heapprofd_32_0 (heapprofd))
+(typeattributeset heapprofd_enabled_prop_32_0 (heapprofd_enabled_prop))
+(typeattributeset heapprofd_prop_32_0 (heapprofd_prop))
+(typeattributeset heapprofd_socket_32_0 (heapprofd_socket))
+(typeattributeset hidl_allocator_hwservice_32_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_32_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_32_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_32_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_32_0 (hidl_token_hwservice))
+(typeattributeset hint_service_32_0 (hint_service))
+(typeattributeset hw_random_device_32_0 (hw_random_device))
+(typeattributeset hw_timeout_multiplier_prop_32_0 (hw_timeout_multiplier_prop))
+(typeattributeset hwbinder_device_32_0 (hwbinder_device))
+(typeattributeset hwservice_contexts_file_32_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_32_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_32_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_32_0 (hwservicemanager_prop))
+(typeattributeset hypervisor_prop_32_0 (hypervisor_prop))
+(typeattributeset icon_file_32_0 (icon_file))
+(typeattributeset idmap_32_0 (idmap))
+(typeattributeset idmap_exec_32_0 (idmap_exec))
+(typeattributeset idmap_service_32_0 (idmap_service))
+(typeattributeset iio_device_32_0 (iio_device))
+(typeattributeset imms_service_32_0 (imms_service))
+(typeattributeset incident_32_0 (incident))
+(typeattributeset incident_data_file_32_0 (incident_data_file))
+(typeattributeset incident_helper_32_0 (incident_helper))
+(typeattributeset incident_service_32_0 (incident_service))
+(typeattributeset incidentd_32_0 (incidentd))
+(typeattributeset incremental_control_file_32_0 (incremental_control_file))
+(typeattributeset incremental_prop_32_0 (incremental_prop))
+(typeattributeset incremental_service_32_0 (incremental_service))
+(typeattributeset init_32_0 (init))
+(typeattributeset init_exec_32_0 (init_exec))
+(typeattributeset init_service_status_prop_32_0 (init_service_status_prop))
+(typeattributeset init_tmpfs_32_0 (init_tmpfs))
+(typeattributeset inotify_32_0 (inotify))
+(typeattributeset input_device_32_0 (input_device))
+(typeattributeset input_method_service_32_0 (input_method_service))
+(typeattributeset input_service_32_0 (input_service))
+(typeattributeset inputflinger_32_0 (inputflinger))
+(typeattributeset inputflinger_exec_32_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_32_0 (inputflinger_service))
+(typeattributeset install_data_file_32_0 (install_data_file))
+(typeattributeset installd_32_0 (installd))
+(typeattributeset installd_exec_32_0 (installd_exec))
+(typeattributeset installd_service_32_0 (installd_service))
+(typeattributeset ion_device_32_0 (ion_device))
+(typeattributeset iorap_inode2filename_32_0 (iorap_inode2filename))
+(typeattributeset iorap_inode2filename_exec_32_0 (iorap_inode2filename_exec))
+(typeattributeset iorap_inode2filename_tmpfs_32_0 (iorap_inode2filename_tmpfs))
+(typeattributeset iorap_prefetcherd_32_0 (iorap_prefetcherd))
+(typeattributeset iorap_prefetcherd_exec_32_0 (iorap_prefetcherd_exec))
+(typeattributeset iorap_prefetcherd_tmpfs_32_0 (iorap_prefetcherd_tmpfs))
+(typeattributeset iorapd_32_0 (iorapd))
+(typeattributeset iorapd_data_file_32_0 (iorapd_data_file))
+(typeattributeset iorapd_exec_32_0 (iorapd_exec))
+(typeattributeset iorapd_service_32_0 (iorapd_service))
+(typeattributeset iorapd_tmpfs_32_0 (iorapd_tmpfs))
+(typeattributeset ipsec_service_32_0 (ipsec_service))
+(typeattributeset iris_service_32_0 (iris_service))
+(typeattributeset iris_vendor_data_file_32_0 (iris_vendor_data_file))
+(typeattributeset isolated_app_32_0 (isolated_app))
+(typeattributeset jobscheduler_service_32_0 (jobscheduler_service))
+(typeattributeset kernel_32_0 (kernel))
+(typeattributeset keychain_data_file_32_0 (keychain_data_file))
+(typeattributeset keychord_device_32_0 (keychord_device))
+(typeattributeset keyguard_config_prop_32_0 (keyguard_config_prop))
+(typeattributeset keystore2_key_contexts_file_32_0 (keystore2_key_contexts_file))
+(typeattributeset keystore_32_0 (keystore))
+(typeattributeset keystore_compat_hal_service_32_0 (keystore_compat_hal_service))
+(typeattributeset keystore_data_file_32_0 (keystore_data_file))
+(typeattributeset keystore_exec_32_0 (keystore_exec))
+(typeattributeset keystore_maintenance_service_32_0 (keystore_maintenance_service))
+(typeattributeset keystore_metrics_service_32_0 (keystore_metrics_service))
+(typeattributeset keystore_service_32_0 (keystore_service))
+(typeattributeset kmsg_debug_device_32_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_32_0 (kmsg_device))
+(typeattributeset labeledfs_32_0 (labeledfs))
+(typeattributeset launcherapps_service_32_0 (launcherapps_service))
+(typeattributeset legacy_permission_service_32_0 (legacy_permission_service))
+(typeattributeset legacykeystore_service_32_0 (legacykeystore_service))
+(typeattributeset libc_debug_prop_32_0 (libc_debug_prop))
+(typeattributeset light_service_32_0 (light_service))
+(typeattributeset linkerconfig_file_32_0 (linkerconfig_file))
+(typeattributeset llkd_32_0 (llkd))
+(typeattributeset llkd_exec_32_0 (llkd_exec))
+(typeattributeset llkd_prop_32_0 (llkd_prop))
+(typeattributeset lmkd_32_0 (lmkd))
+(typeattributeset lmkd_config_prop_32_0 (lmkd_config_prop))
+(typeattributeset lmkd_exec_32_0 (lmkd_exec))
+(typeattributeset lmkd_prop_32_0 (lmkd_prop))
+(typeattributeset lmkd_socket_32_0 (lmkd_socket))
+(typeattributeset location_service_32_0 (location_service))
+(typeattributeset location_time_zone_manager_service_32_0 (location_time_zone_manager_service))
+(typeattributeset lock_settings_service_32_0 (lock_settings_service))
+(typeattributeset log_prop_32_0 (log_prop))
+(typeattributeset log_tag_prop_32_0 (log_tag_prop))
+(typeattributeset logcat_exec_32_0 (logcat_exec))
+(typeattributeset logd_32_0 (logd))
+(typeattributeset logd_exec_32_0 (logd_exec))
+(typeattributeset logd_prop_32_0 (logd_prop))
+(typeattributeset logd_socket_32_0 (logd_socket))
+(typeattributeset logdr_socket_32_0 (logdr_socket))
+(typeattributeset logdw_socket_32_0 (logdw_socket))
+(typeattributeset logpersist_32_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_32_0 (logpersistd_logging_prop))
+(typeattributeset loop_control_device_32_0 (loop_control_device))
+(typeattributeset loop_device_32_0 (loop_device))
+(typeattributeset looper_stats_service_32_0 (looper_stats_service))
+(typeattributeset lowpan_device_32_0 (lowpan_device))
+(typeattributeset lowpan_prop_32_0 (lowpan_prop))
+(typeattributeset lowpan_service_32_0 (lowpan_service))
+(typeattributeset lpdump_service_32_0 (lpdump_service))
+(typeattributeset lpdumpd_prop_32_0 (lpdumpd_prop))
+(typeattributeset mac_perms_file_32_0 (mac_perms_file))
+(typeattributeset mdns_socket_32_0 (mdns_socket))
+(typeattributeset mdnsd_32_0 (mdnsd))
+(typeattributeset mdnsd_socket_32_0 (mdnsd_socket))
+(typeattributeset media_communication_service_32_0 (media_communication_service))
+(typeattributeset media_config_prop_32_0 (media_config_prop))
+(typeattributeset media_data_file_32_0 (media_data_file))
+(typeattributeset media_metrics_service_32_0 (media_metrics_service))
+(typeattributeset media_projection_service_32_0 (media_projection_service))
+(typeattributeset media_router_service_32_0 (media_router_service))
+(typeattributeset media_rw_data_file_32_0 (media_rw_data_file))
+(typeattributeset media_session_service_32_0 (media_session_service))
+(typeattributeset media_variant_prop_32_0 (media_variant_prop))
+(typeattributeset mediadrm_config_prop_32_0 (mediadrm_config_prop))
+(typeattributeset mediadrmserver_32_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_32_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_32_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_32_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_32_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_32_0 (mediaextractor_service))
+(typeattributeset mediaextractor_tmpfs_32_0 (mediaextractor_tmpfs))
+(typeattributeset mediametrics_32_0 (mediametrics))
+(typeattributeset mediametrics_exec_32_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_32_0 (mediametrics_service))
+(typeattributeset mediaprovider_32_0 (mediaprovider))
+(typeattributeset mediaserver_32_0 (mediaserver))
+(typeattributeset mediaserver_exec_32_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_32_0 (mediaserver_service))
+(typeattributeset mediaserver_tmpfs_32_0 (mediaserver_tmpfs))
+(typeattributeset mediaswcodec_32_0 (mediaswcodec))
+(typeattributeset mediaswcodec_exec_32_0 (mediaswcodec_exec))
+(typeattributeset mediatranscoding_service_32_0 (mediatranscoding_service))
+(typeattributeset meminfo_service_32_0 (meminfo_service))
+(typeattributeset memtrackproxy_service_32_0 (memtrackproxy_service))
+(typeattributeset metadata_block_device_32_0 (metadata_block_device))
+(typeattributeset metadata_bootstat_file_32_0 (metadata_bootstat_file))
+(typeattributeset metadata_file_32_0 (metadata_file))
+(typeattributeset method_trace_data_file_32_0 (method_trace_data_file))
+(typeattributeset midi_service_32_0 (midi_service))
+(typeattributeset mirror_data_file_32_0 (mirror_data_file))
+(typeattributeset misc_block_device_32_0 (misc_block_device))
+(typeattributeset misc_logd_file_32_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_32_0 (misc_user_data_file))
+(typeattributeset mm_events_config_prop_32_0 (mm_events_config_prop))
+(typeattributeset mmc_prop_32_0 (mmc_prop))
+(typeattributeset mnt_expand_file_32_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_32_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_32_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_pass_through_file_32_0 (mnt_pass_through_file))
+(typeattributeset mnt_product_file_32_0 (mnt_product_file))
+(typeattributeset mnt_sdcard_file_32_0 (mnt_sdcard_file))
+(typeattributeset mnt_user_file_32_0 (mnt_user_file))
+(typeattributeset mnt_vendor_file_32_0 (mnt_vendor_file))
+(typeattributeset mock_ota_prop_32_0 (mock_ota_prop))
+(typeattributeset modprobe_32_0 (modprobe))
+(typeattributeset module_sdkextensions_prop_32_0 (module_sdkextensions_prop))
+(typeattributeset mount_service_32_0 (mount_service))
+(typeattributeset mqueue_32_0 (mqueue))
+(typeattributeset mtp_32_0 (mtp))
+(typeattributeset mtp_device_32_0 (mtp_device))
+(typeattributeset mtp_exec_32_0 (mtp_exec))
+(typeattributeset mtpd_socket_32_0 (mtpd_socket))
+(typeattributeset music_recognition_service_32_0 (music_recognition_service))
+(typeattributeset nativetest_data_file_32_0 (nativetest_data_file))
+(typeattributeset net_data_file_32_0 (net_data_file))
+(typeattributeset net_dns_prop_32_0 (net_dns_prop))
+(typeattributeset net_radio_prop_32_0 (net_radio_prop))
+(typeattributeset netd_32_0 (netd))
+(typeattributeset netd_exec_32_0 (netd_exec))
+(typeattributeset netd_listener_service_32_0 (netd_listener_service))
+(typeattributeset netd_service_32_0 (netd_service))
+(typeattributeset netif_32_0 (netif))
+(typeattributeset netpolicy_service_32_0 (netpolicy_service))
+(typeattributeset netstats_service_32_0 (netstats_service))
+(typeattributeset netutils_wrapper_32_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_32_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_32_0 (network_management_service))
+(typeattributeset network_score_service_32_0 (network_score_service))
+(typeattributeset network_stack_32_0 (network_stack))
+(typeattributeset network_stack_service_32_0 (network_stack_service))
+(typeattributeset network_time_update_service_32_0 (network_time_update_service))
+(typeattributeset network_watchlist_data_file_32_0 (network_watchlist_data_file))
+(typeattributeset network_watchlist_service_32_0 (network_watchlist_service))
+(typeattributeset nfc_32_0 (nfc))
+(typeattributeset nfc_data_file_32_0 (nfc_data_file))
+(typeattributeset nfc_device_32_0 (nfc_device))
+(typeattributeset nfc_logs_data_file_32_0 (nfc_logs_data_file))
+(typeattributeset nfc_prop_32_0 (nfc_prop))
+(typeattributeset nfc_service_32_0 (nfc_service))
+(typeattributeset nnapi_ext_deny_product_prop_32_0 (nnapi_ext_deny_product_prop))
+(typeattributeset node_32_0 (node))
+(typeattributeset nonplat_service_contexts_file_32_0 (nonplat_service_contexts_file))
+(typeattributeset notification_service_32_0 (notification_service))
+(typeattributeset null_device_32_0 (null_device))
+(typeattributeset oem_lock_service_32_0 (oem_lock_service))
+(typeattributeset oem_unlock_prop_32_0 (oem_unlock_prop))
+(typeattributeset oemfs_32_0 (oemfs))
+(typeattributeset ota_data_file_32_0 (ota_data_file))
+(typeattributeset ota_metadata_file_32_0 (ota_metadata_file))
+(typeattributeset ota_package_file_32_0 (ota_package_file))
+(typeattributeset ota_prop_32_0 (ota_prop))
+(typeattributeset otadexopt_service_32_0 (otadexopt_service))
+(typeattributeset otapreopt_chroot_32_0 (otapreopt_chroot))
+(typeattributeset overlay_prop_32_0 (overlay_prop))
+(typeattributeset overlay_service_32_0 (overlay_service))
+(typeattributeset overlayfs_file_32_0 (overlayfs_file))
+(typeattributeset owntty_device_32_0 (owntty_device))
+(typeattributeset pac_proxy_service_32_0 (pac_proxy_service))
+(typeattributeset package_native_service_32_0 (package_native_service))
+(typeattributeset package_service_32_0 (package_service))
+(typeattributeset packagemanager_config_prop_32_0 (packagemanager_config_prop))
+(typeattributeset packages_list_file_32_0 (packages_list_file))
+(typeattributeset pan_result_prop_32_0 (pan_result_prop))
+(typeattributeset password_slot_metadata_file_32_0 (password_slot_metadata_file))
+(typeattributeset pdx_bufferhub_client_channel_socket_32_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_32_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_32_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_32_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_32_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_32_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_32_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_32_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_32_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_32_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_32_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_32_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_32_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_32_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_32_0 (pdx_performance_dir))
+(typeattributeset people_service_32_0 (people_service))
+(typeattributeset perfetto_32_0 (perfetto))
+(typeattributeset performanced_32_0 (performanced))
+(typeattributeset performanced_exec_32_0 (performanced_exec))
+(typeattributeset permission_checker_service_32_0 (permission_checker_service))
+(typeattributeset permission_service_32_0 (permission_service))
+(typeattributeset permissionmgr_service_32_0 (permissionmgr_service))
+(typeattributeset persist_debug_prop_32_0 (persist_debug_prop))
+(typeattributeset persist_vendor_debug_wifi_prop_32_0 (persist_vendor_debug_wifi_prop))
+(typeattributeset persistent_data_block_service_32_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_32_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_32_0 (pinner_service))
+(typeattributeset pipefs_32_0 (pipefs))
+(typeattributeset platform_app_32_0 (platform_app))
+(typeattributeset platform_compat_service_32_0 (platform_compat_service))
+(typeattributeset pmsg_device_32_0 (pmsg_device))
+(typeattributeset port_32_0 (port))
+(typeattributeset port_device_32_0 (port_device))
+(typeattributeset postinstall_32_0 (postinstall))
+(typeattributeset postinstall_apex_mnt_dir_32_0 (postinstall_apex_mnt_dir))
+(typeattributeset postinstall_file_32_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_32_0 (postinstall_mnt_dir))
+(typeattributeset power_debug_prop_32_0 (power_debug_prop))
+(typeattributeset power_service_32_0 (power_service))
+(typeattributeset powerctl_prop_32_0 (powerctl_prop))
+(typeattributeset powerstats_service_32_0 (powerstats_service))
+(typeattributeset ppp_32_0 (ppp))
+(typeattributeset ppp_device_32_0 (ppp_device))
+(typeattributeset ppp_exec_32_0 (ppp_exec))
+(typeattributeset preloads_data_file_32_0 (preloads_data_file))
+(typeattributeset preloads_media_file_32_0 (preloads_media_file))
+(typeattributeset prereboot_data_file_32_0 (prereboot_data_file))
+(typeattributeset print_service_32_0 (print_service))
+(typeattributeset priv_app_32_0 (priv_app))
+(typeattributeset privapp_data_file_32_0 (privapp_data_file))
+(typeattributeset proc_32_0 (proc proc_bpf proc_cpu_alignment))
+(typeattributeset proc_abi_32_0 (proc_abi))
+(typeattributeset proc_asound_32_0 (proc_asound))
+(typeattributeset proc_bluetooth_writable_32_0 (proc_bluetooth_writable))
+(typeattributeset proc_bootconfig_32_0 (proc_bootconfig))
+(typeattributeset proc_buddyinfo_32_0 (proc_buddyinfo))
+(typeattributeset proc_cmdline_32_0 (proc_cmdline))
+(typeattributeset proc_cpuinfo_32_0 (proc_cpuinfo))
+(typeattributeset proc_dirty_32_0 (proc_dirty))
+(typeattributeset proc_diskstats_32_0 (proc_diskstats))
+(typeattributeset proc_drop_caches_32_0 (proc_drop_caches))
+(typeattributeset proc_extra_free_kbytes_32_0 (proc_extra_free_kbytes))
+(typeattributeset proc_filesystems_32_0 (proc_filesystems))
+(typeattributeset proc_fs_verity_32_0 (proc_fs_verity))
+(typeattributeset proc_hostname_32_0 (proc_hostname))
+(typeattributeset proc_hung_task_32_0 (proc_hung_task))
+(typeattributeset proc_interrupts_32_0 (proc_interrupts))
+(typeattributeset proc_iomem_32_0 (proc_iomem))
+(typeattributeset proc_kallsyms_32_0 (proc_kallsyms))
+(typeattributeset proc_keys_32_0 (proc_keys))
+(typeattributeset proc_kmsg_32_0 (proc_kmsg))
+(typeattributeset proc_kpageflags_32_0 (proc_kpageflags))
+(typeattributeset proc_loadavg_32_0 (proc_loadavg))
+(typeattributeset proc_locks_32_0 (proc_locks))
+(typeattributeset proc_lowmemorykiller_32_0 (proc_lowmemorykiller))
+(typeattributeset proc_max_map_count_32_0 (proc_max_map_count))
+(typeattributeset proc_meminfo_32_0 (proc_meminfo))
+(typeattributeset proc_min_free_order_shift_32_0 (proc_min_free_order_shift))
+(typeattributeset proc_misc_32_0 (proc_misc))
+(typeattributeset proc_modules_32_0 (proc_modules))
+(typeattributeset proc_mounts_32_0 (proc_mounts))
+(typeattributeset proc_net_32_0 (proc_net proc_bpf))
+(typeattributeset proc_net_tcp_udp_32_0 (proc_net_tcp_udp))
+(typeattributeset proc_overcommit_memory_32_0 (proc_overcommit_memory))
+(typeattributeset proc_page_cluster_32_0 (proc_page_cluster))
+(typeattributeset proc_pagetypeinfo_32_0 (proc_pagetypeinfo))
+(typeattributeset proc_panic_32_0 (proc_panic))
+(typeattributeset proc_perf_32_0 (proc_perf))
+(typeattributeset proc_pid_max_32_0 (proc_pid_max))
+(typeattributeset proc_pipe_conf_32_0 (proc_pipe_conf))
+(typeattributeset proc_pressure_cpu_32_0 (proc_pressure_cpu))
+(typeattributeset proc_pressure_io_32_0 (proc_pressure_io))
+(typeattributeset proc_pressure_mem_32_0 (proc_pressure_mem))
+(typeattributeset proc_qtaguid_ctrl_32_0 (proc_qtaguid_ctrl))
+(typeattributeset proc_qtaguid_stat_32_0 (proc_qtaguid_stat))
+(typeattributeset proc_random_32_0 (proc_random))
+(typeattributeset proc_sched_32_0 (proc_sched))
+(typeattributeset proc_security_32_0 (proc_security))
+(typeattributeset proc_slabinfo_32_0 (proc_slabinfo))
+(typeattributeset proc_stat_32_0 (proc_stat))
+(typeattributeset proc_swaps_32_0 (proc_swaps))
+(typeattributeset proc_sysrq_32_0 (proc_sysrq))
+(typeattributeset proc_timer_32_0 (proc_timer))
+(typeattributeset proc_tty_drivers_32_0 (proc_tty_drivers))
+(typeattributeset proc_uid_concurrent_active_time_32_0 (proc_uid_concurrent_active_time))
+(typeattributeset proc_uid_concurrent_policy_time_32_0 (proc_uid_concurrent_policy_time))
+(typeattributeset proc_uid_cpupower_32_0 (proc_uid_cpupower))
+(typeattributeset proc_uid_cputime_removeuid_32_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_32_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_32_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_32_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_32_0 (proc_uid_time_in_state))
+(typeattributeset proc_uptime_32_0 (proc_uptime))
+(typeattributeset proc_vendor_sched_32_0 (proc_vendor_sched))
+(typeattributeset proc_version_32_0 (proc_version))
+(typeattributeset proc_vmallocinfo_32_0 (proc_vmallocinfo))
+(typeattributeset proc_vmstat_32_0 (proc_vmstat))
+(typeattributeset proc_zoneinfo_32_0 (proc_zoneinfo))
+(typeattributeset processinfo_service_32_0 (processinfo_service))
+(typeattributeset procstats_service_32_0 (procstats_service))
+(typeattributeset profman_32_0 (profman))
+(typeattributeset profman_dump_data_file_32_0 (profman_dump_data_file))
+(typeattributeset profman_exec_32_0 (profman_exec))
+(typeattributeset properties_device_32_0 (properties_device))
+(typeattributeset properties_serial_32_0 (properties_serial))
+(typeattributeset property_contexts_file_32_0 (property_contexts_file))
+(typeattributeset property_data_file_32_0 (property_data_file))
+(typeattributeset property_info_32_0 (property_info))
+(typeattributeset property_service_version_prop_32_0 (property_service_version_prop))
+(typeattributeset property_socket_32_0 (property_socket))
+(typeattributeset provisioned_prop_32_0 (provisioned_prop))
+(typeattributeset pstorefs_32_0 (pstorefs))
+(typeattributeset ptmx_device_32_0 (ptmx_device))
+(typeattributeset qemu_hw_prop_32_0 (qemu_hw_prop))
+(typeattributeset qemu_sf_lcd_density_prop_32_0 (qemu_sf_lcd_density_prop))
+(typeattributeset qtaguid_device_32_0 (qtaguid_device))
+(typeattributeset racoon_32_0 (racoon))
+(typeattributeset racoon_exec_32_0 (racoon_exec))
+(typeattributeset racoon_socket_32_0 (racoon_socket))
+(typeattributeset radio_32_0 (radio))
+(typeattributeset radio_control_prop_32_0 (radio_control_prop))
+(typeattributeset radio_core_data_file_32_0 (radio_core_data_file))
+(typeattributeset radio_data_file_32_0 (radio_data_file))
+(typeattributeset radio_device_32_0 (radio_device))
+(typeattributeset radio_prop_32_0 (radio_prop))
+(typeattributeset radio_service_32_0 (radio_service))
+(typeattributeset ram_device_32_0 (ram_device))
+(typeattributeset random_device_32_0 (random_device))
+(typeattributeset reboot_readiness_service_32_0 (reboot_readiness_service))
+(typeattributeset rebootescrow_hal_prop_32_0 (rebootescrow_hal_prop))
+(typeattributeset recovery_32_0 (recovery))
+(typeattributeset recovery_block_device_32_0 (recovery_block_device))
+(typeattributeset recovery_config_prop_32_0 (recovery_config_prop))
+(typeattributeset recovery_data_file_32_0 (recovery_data_file))
+(typeattributeset recovery_persist_32_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_32_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_32_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_32_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_32_0 (recovery_service))
+(typeattributeset recovery_socket_32_0 (recovery_socket))
+(typeattributeset registry_service_32_0 (registry_service))
+(typeattributeset remoteprovisioning_service_32_0 (remoteprovisioning_service))
+(typeattributeset resourcecache_data_file_32_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_32_0 (restorecon_prop))
+(typeattributeset restrictions_service_32_0 (restrictions_service))
+(typeattributeset retaildemo_prop_32_0 (retaildemo_prop))
+(typeattributeset rild_debug_socket_32_0 (rild_debug_socket))
+(typeattributeset rild_socket_32_0 (rild_socket))
+(typeattributeset ringtone_file_32_0 (ringtone_file))
+(typeattributeset role_service_32_0 (role_service))
+(typeattributeset rollback_service_32_0 (rollback_service))
+(typeattributeset root_block_device_32_0 (root_block_device))
+(typeattributeset rootfs_32_0 (rootfs))
+(typeattributeset rpmsg_device_32_0 (rpmsg_device))
+(typeattributeset rs_32_0 (rs))
+(typeattributeset rs_exec_32_0 (rs_exec))
+(typeattributeset rss_hwm_reset_32_0 (rss_hwm_reset))
+(typeattributeset rtc_device_32_0 (rtc_device))
+(typeattributeset rttmanager_service_32_0 (rttmanager_service))
+(typeattributeset runas_32_0 (runas))
+(typeattributeset runas_app_32_0 (runas_app))
+(typeattributeset runas_exec_32_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_32_0 (runtime_event_log_tags_file))
+(typeattributeset runtime_service_32_0 (runtime_service))
+(typeattributeset safemode_prop_32_0 (safemode_prop))
+(typeattributeset same_process_hal_file_32_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_32_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_32_0 (scheduling_policy_service))
+(typeattributeset sdcard_block_device_32_0 (sdcard_block_device))
+(typeattributeset sdcardd_32_0 (sdcardd))
+(typeattributeset sdcardd_exec_32_0 (sdcardd_exec))
+(typeattributeset sdcardfs_32_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_32_0 (seapp_contexts_file))
+(typeattributeset search_service_32_0 (search_service))
+(typeattributeset search_ui_service_32_0 (search_ui_service))
+(typeattributeset sec_key_att_app_id_provider_service_32_0 (sec_key_att_app_id_provider_service))
+(typeattributeset secure_element_32_0 (secure_element))
+(typeattributeset secure_element_device_32_0 (secure_element_device))
+(typeattributeset secure_element_service_32_0 (secure_element_service))
+(typeattributeset securityfs_32_0 (securityfs))
+(typeattributeset selinuxfs_32_0 (selinuxfs))
+(typeattributeset sendbug_config_prop_32_0 (sendbug_config_prop))
+(typeattributeset sensor_privacy_service_32_0 (sensor_privacy_service))
+(typeattributeset sensors_device_32_0 (sensors_device))
+(typeattributeset sensorservice_service_32_0 (sensorservice_service))
+(typeattributeset sepolicy_file_32_0 (sepolicy_file))
+(typeattributeset serial_device_32_0 (serial_device))
+(typeattributeset serial_service_32_0 (serial_service))
+(typeattributeset serialno_prop_32_0 (serialno_prop))
+(typeattributeset server_configurable_flags_data_file_32_0 (server_configurable_flags_data_file))
+(typeattributeset service_contexts_file_32_0 (service_contexts_file))
+(typeattributeset service_manager_service_32_0 (service_manager_service))
+(typeattributeset service_manager_vndservice_32_0 (service_manager_vndservice))
+(typeattributeset servicediscovery_service_32_0 (servicediscovery_service))
+(typeattributeset servicemanager_32_0 (servicemanager))
+(typeattributeset servicemanager_exec_32_0 (servicemanager_exec))
+(typeattributeset settings_service_32_0 (settings_service))
+(typeattributeset sgdisk_32_0 (sgdisk))
+(typeattributeset sgdisk_exec_32_0 (sgdisk_exec))
+(typeattributeset shared_relro_32_0 (shared_relro))
+(typeattributeset shared_relro_file_32_0 (shared_relro_file))
+(typeattributeset shell_32_0 (shell))
+(typeattributeset shell_data_file_32_0 (shell_data_file))
+(typeattributeset shell_exec_32_0 (shell_exec))
+(typeattributeset shell_prop_32_0 (shell_prop))
+(typeattributeset shell_test_data_file_32_0 (shell_test_data_file))
+(typeattributeset shm_32_0 (shm))
+(typeattributeset shortcut_manager_icons_32_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_32_0 (shortcut_service))
+(typeattributeset simpleperf_32_0 (simpleperf))
+(typeattributeset simpleperf_app_runner_32_0 (simpleperf_app_runner))
+(typeattributeset simpleperf_app_runner_exec_32_0 (simpleperf_app_runner_exec))
+(typeattributeset slice_service_32_0 (slice_service))
+(typeattributeset slideshow_32_0 (slideshow))
+(typeattributeset smartspace_service_32_0 (smartspace_service))
+(typeattributeset snapshotctl_log_data_file_32_0 (snapshotctl_log_data_file))
+(typeattributeset snapuserd_socket_32_0 (snapuserd_socket))
+(typeattributeset soc_prop_32_0 (soc_prop))
+(typeattributeset socket_device_32_0 (socket_device))
+(typeattributeset socket_hook_prop_32_0 (socket_hook_prop))
+(typeattributeset sockfs_32_0 (sockfs))
+(typeattributeset sota_prop_32_0 (sota_prop))
+(typeattributeset soundtrigger_middleware_service_32_0 (soundtrigger_middleware_service))
+(typeattributeset speech_recognition_service_32_0 (speech_recognition_service))
+(typeattributeset sqlite_log_prop_32_0 (sqlite_log_prop))
+(typeattributeset staged_install_file_32_0 (staged_install_file))
+(typeattributeset staging_data_file_32_0 (staging_data_file))
+(typeattributeset stats_data_file_32_0 (stats_data_file))
+(typeattributeset statsd_32_0 (statsd))
+(typeattributeset statsd_exec_32_0 (statsd_exec))
+(typeattributeset statsdw_socket_32_0 (statsdw_socket))
+(typeattributeset statusbar_service_32_0 (statusbar_service))
+(typeattributeset storage_config_prop_32_0 (storage_config_prop))
+(typeattributeset storage_file_32_0 (storage_file))
+(typeattributeset storage_stub_file_32_0 (storage_stub_file))
+(typeattributeset storaged_service_32_0 (storaged_service))
+(typeattributeset storagemanager_config_prop_32_0 (storagemanager_config_prop))
+(typeattributeset storagestats_service_32_0 (storagestats_service))
+(typeattributeset su_32_0 (su))
+(typeattributeset su_exec_32_0 (su_exec))
+(typeattributeset super_block_device_32_0 (super_block_device))
+(typeattributeset surfaceflinger_32_0 (surfaceflinger))
+(typeattributeset surfaceflinger_color_prop_32_0 (surfaceflinger_color_prop))
+(typeattributeset surfaceflinger_display_prop_32_0 (surfaceflinger_display_prop))
+(typeattributeset surfaceflinger_prop_32_0 (surfaceflinger_prop))
+(typeattributeset surfaceflinger_service_32_0 (surfaceflinger_service))
+(typeattributeset surfaceflinger_tmpfs_32_0 (surfaceflinger_tmpfs))
+(typeattributeset suspend_prop_32_0 (suspend_prop))
+(typeattributeset swap_block_device_32_0 (swap_block_device))
+(typeattributeset sysfs_32_0 (sysfs))
+(typeattributeset sysfs_android_usb_32_0 (sysfs_android_usb))
+(typeattributeset sysfs_batteryinfo_32_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_block_32_0 (sysfs_block))
+(typeattributeset sysfs_bluetooth_writable_32_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devfreq_cur_32_0 (sysfs_devfreq_cur))
+(typeattributeset sysfs_devfreq_dir_32_0 (sysfs_devfreq_dir))
+(typeattributeset sysfs_devices_block_32_0 (sysfs_devices_block))
+(typeattributeset sysfs_devices_cs_etm_32_0 (sysfs_devices_cs_etm))
+(typeattributeset sysfs_devices_system_cpu_32_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_dm_32_0 (sysfs_dm))
+(typeattributeset sysfs_dm_verity_32_0 (sysfs_dm_verity))
+(typeattributeset sysfs_dma_heap_32_0 (sysfs_dma_heap))
+(typeattributeset sysfs_dmabuf_stats_32_0 (sysfs_dmabuf_stats))
+(typeattributeset sysfs_dt_firmware_android_32_0 (sysfs_dt_firmware_android))
+(typeattributeset sysfs_extcon_32_0 (sysfs_extcon))
+(typeattributeset sysfs_fs_ext4_features_32_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_fs_f2fs_32_0 (sysfs_fs_f2fs))
+(typeattributeset sysfs_fs_incfs_features_32_0 (sysfs_fs_incfs_features))
+(typeattributeset sysfs_fs_incfs_metrics_32_0 (sysfs_fs_incfs_metrics))
+(typeattributeset sysfs_hwrandom_32_0 (sysfs_hwrandom))
+(typeattributeset sysfs_ion_32_0 (sysfs_ion))
+(typeattributeset sysfs_ipv4_32_0 (sysfs_ipv4))
+(typeattributeset sysfs_kernel_notes_32_0 (sysfs_kernel_notes))
+(typeattributeset sysfs_leds_32_0 (sysfs_leds))
+(typeattributeset sysfs_loop_32_0 (sysfs_loop))
+(typeattributeset sysfs_lowmemorykiller_32_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_net_32_0 (sysfs_net))
+(typeattributeset sysfs_nfc_power_writable_32_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_power_32_0 (sysfs_power))
+(typeattributeset sysfs_rtc_32_0 (sysfs_rtc))
+(typeattributeset sysfs_suspend_stats_32_0 (sysfs_suspend_stats))
+(typeattributeset sysfs_switch_32_0 (sysfs_switch))
+(typeattributeset sysfs_thermal_32_0 (sysfs_thermal))
+(typeattributeset sysfs_transparent_hugepage_32_0 (sysfs_transparent_hugepage))
+(typeattributeset sysfs_uhid_32_0 (sysfs_uhid))
+(typeattributeset sysfs_uio_32_0 (sysfs_uio))
+(typeattributeset sysfs_usb_32_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_32_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vendor_sched_32_0 (sysfs_vendor_sched))
+(typeattributeset sysfs_vibrator_32_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_32_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wakeup_32_0 (sysfs_wakeup))
+(typeattributeset sysfs_wakeup_reasons_32_0 (sysfs_wakeup_reasons))
+(typeattributeset sysfs_wlan_fwpath_32_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_32_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_32_0 (sysfs_zram_uevent))
+(typeattributeset system_app_32_0 (system_app))
+(typeattributeset system_app_data_file_32_0 (system_app_data_file))
+(typeattributeset system_app_service_32_0 (system_app_service))
+(typeattributeset system_asan_options_file_32_0 (system_asan_options_file))
+(typeattributeset system_block_device_32_0 (system_block_device))
+(typeattributeset system_boot_reason_prop_32_0 (system_boot_reason_prop))
+(typeattributeset system_bootstrap_lib_file_32_0 (system_bootstrap_lib_file))
+(typeattributeset system_config_service_32_0 (system_config_service))
+(typeattributeset system_data_file_32_0 (system_data_file))
+(typeattributeset system_data_root_file_32_0 (system_data_root_file))
+(typeattributeset system_event_log_tags_file_32_0 (system_event_log_tags_file))
+(typeattributeset system_file_32_0 (system_file))
+(typeattributeset system_group_file_32_0 (system_group_file))
+(typeattributeset system_jvmti_agent_prop_32_0 (system_jvmti_agent_prop))
+(typeattributeset system_lib_file_32_0 (system_lib_file))
+(typeattributeset system_linker_config_file_32_0 (system_linker_config_file))
+(typeattributeset system_linker_exec_32_0 (system_linker_exec))
+(typeattributeset system_lmk_prop_32_0 (system_lmk_prop))
+(typeattributeset system_ndebug_socket_32_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_32_0 (system_net_netd_hwservice))
+(typeattributeset system_passwd_file_32_0 (system_passwd_file))
+(typeattributeset system_prop_32_0 (system_prop))
+(typeattributeset system_seccomp_policy_file_32_0 (system_seccomp_policy_file))
+(typeattributeset system_security_cacerts_file_32_0 (system_security_cacerts_file))
+(typeattributeset system_server_32_0 (system_server))
+(typeattributeset system_server_dumper_service_32_0 (system_server_dumper_service))
+(typeattributeset system_server_tmpfs_32_0 (system_server_tmpfs))
+(typeattributeset system_suspend_control_internal_service_32_0 (system_suspend_control_internal_service))
+(typeattributeset system_suspend_control_service_32_0 (system_suspend_control_service))
+(typeattributeset system_suspend_hwservice_32_0 (system_suspend_hwservice))
+(typeattributeset system_trace_prop_32_0 (system_trace_prop))
+(typeattributeset system_unsolzygote_socket_32_0 (system_unsolzygote_socket))
+(typeattributeset system_update_service_32_0 (system_update_service))
+(typeattributeset system_wifi_keystore_hwservice_32_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_32_0 (system_wpa_socket))
+(typeattributeset system_zoneinfo_file_32_0 (system_zoneinfo_file))
+(typeattributeset systemkeys_data_file_32_0 (systemkeys_data_file))
+(typeattributeset systemsound_config_prop_32_0 (systemsound_config_prop))
+(typeattributeset task_profiles_api_file_32_0 (task_profiles_api_file))
+(typeattributeset task_profiles_file_32_0 (task_profiles_file))
+(typeattributeset task_service_32_0 (task_service))
+(typeattributeset tcpdump_exec_32_0 (tcpdump_exec))
+(typeattributeset tee_32_0 (tee))
+(typeattributeset tee_data_file_32_0 (tee_data_file))
+(typeattributeset tee_device_32_0 (tee_device))
+(typeattributeset telecom_service_32_0 (telecom_service))
+(typeattributeset telephony_config_prop_32_0 (telephony_config_prop))
+(typeattributeset telephony_status_prop_32_0 (telephony_status_prop))
+(typeattributeset test_boot_reason_prop_32_0 (test_boot_reason_prop))
+(typeattributeset test_harness_prop_32_0 (test_harness_prop))
+(typeattributeset testharness_service_32_0 (testharness_service))
+(typeattributeset tethering_service_32_0 (tethering_service))
+(typeattributeset textclassification_service_32_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_32_0 (textclassifier_data_file))
+(typeattributeset textservices_service_32_0 (textservices_service))
+(typeattributeset texttospeech_service_32_0 (texttospeech_service))
+(typeattributeset theme_prop_32_0 (theme_prop))
+(typeattributeset thermal_service_32_0 (thermal_service))
+(typeattributeset time_prop_32_0 (time_prop))
+(typeattributeset timedetector_service_32_0 (timedetector_service))
+(typeattributeset timezone_service_32_0 (timezone_service))
+(typeattributeset timezonedetector_service_32_0 (timezonedetector_service))
+(typeattributeset tmpfs_32_0 (tmpfs))
+(typeattributeset tombstone_config_prop_32_0 (tombstone_config_prop))
+(typeattributeset tombstone_data_file_32_0 (tombstone_data_file))
+(typeattributeset tombstone_wifi_data_file_32_0 (tombstone_wifi_data_file))
+(typeattributeset tombstoned_32_0 (tombstoned))
+(typeattributeset tombstoned_crash_socket_32_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_32_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_32_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_32_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_32_0 (toolbox))
+(typeattributeset toolbox_exec_32_0 (toolbox_exec))
+(typeattributeset trace_data_file_32_0 (trace_data_file))
+(typeattributeset traced_32_0 (traced))
+(typeattributeset traced_consumer_socket_32_0 (traced_consumer_socket))
+(typeattributeset traced_enabled_prop_32_0 (traced_enabled_prop))
+(typeattributeset traced_lazy_prop_32_0 (traced_lazy_prop))
+(typeattributeset traced_perf_32_0 (traced_perf))
+(typeattributeset traced_perf_socket_32_0 (traced_perf_socket))
+(typeattributeset traced_probes_32_0 (traced_probes))
+(typeattributeset traced_producer_socket_32_0 (traced_producer_socket))
+(typeattributeset traced_tmpfs_32_0 (traced_tmpfs))
+(typeattributeset traceur_app_32_0 (traceur_app))
+(typeattributeset translation_service_32_0 (translation_service))
+(typeattributeset trust_service_32_0 (trust_service))
+(typeattributeset tty_device_32_0 (tty_device))
+(typeattributeset tun_device_32_0 (tun_device))
+(typeattributeset tv_input_service_32_0 (tv_input_service))
+(typeattributeset tv_tuner_resource_mgr_service_32_0 (tv_tuner_resource_mgr_service))
+(typeattributeset tzdatacheck_32_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_32_0 (tzdatacheck_exec))
+(typeattributeset ueventd_32_0 (ueventd))
+(typeattributeset ueventd_tmpfs_32_0 (ueventd_tmpfs))
+(typeattributeset uhid_device_32_0 (uhid_device))
+(typeattributeset uimode_service_32_0 (uimode_service))
+(typeattributeset uio_device_32_0 (uio_device))
+(typeattributeset uncrypt_32_0 (uncrypt))
+(typeattributeset uncrypt_exec_32_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_32_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_32_0 (unencrypted_data_file))
+(typeattributeset unlabeled_32_0 (unlabeled))
+(typeattributeset untrusted_app_25_32_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_32_0 (untrusted_app_27))
+(typeattributeset untrusted_app_29_32_0 (untrusted_app_29))
+(typeattributeset untrusted_app_32_0 (untrusted_app))
+(typeattributeset update_engine_32_0 (update_engine))
+(typeattributeset update_engine_data_file_32_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_32_0 (update_engine_exec))
+(typeattributeset update_engine_log_data_file_32_0 (update_engine_log_data_file))
+(typeattributeset update_engine_service_32_0 (update_engine_service))
+(typeattributeset update_engine_stable_service_32_0 (update_engine_stable_service))
+(typeattributeset update_verifier_32_0 (update_verifier))
+(typeattributeset update_verifier_exec_32_0 (update_verifier_exec))
+(typeattributeset updatelock_service_32_0 (updatelock_service))
+(typeattributeset uri_grants_service_32_0 (uri_grants_service))
+(typeattributeset usagestats_service_32_0 (usagestats_service))
+(typeattributeset usb_config_prop_32_0 (usb_config_prop))
+(typeattributeset usb_control_prop_32_0 (usb_control_prop))
+(typeattributeset usb_device_32_0 (usb_device))
+(typeattributeset usb_prop_32_0 (usb_prop))
+(typeattributeset usb_serial_device_32_0 (usb_serial_device))
+(typeattributeset usb_service_32_0 (usb_service))
+(typeattributeset usbaccessory_device_32_0 (usbaccessory_device))
+(typeattributeset usbd_32_0 (usbd))
+(typeattributeset usbd_exec_32_0 (usbd_exec))
+(typeattributeset usbfs_32_0 (usbfs))
+(typeattributeset use_memfd_prop_32_0 (use_memfd_prop))
+(typeattributeset user_profile_data_file_32_0 (user_profile_data_file))
+(typeattributeset user_profile_root_file_32_0 (user_profile_root_file))
+(typeattributeset user_service_32_0 (user_service))
+(typeattributeset userdata_block_device_32_0 (userdata_block_device))
+(typeattributeset userdata_sysdev_32_0 (userdata_sysdev))
+(typeattributeset usermodehelper_32_0 (usermodehelper))
+(typeattributeset userspace_reboot_config_prop_32_0 (userspace_reboot_config_prop))
+(typeattributeset userspace_reboot_exported_prop_32_0 (userspace_reboot_exported_prop))
+(typeattributeset userspace_reboot_metadata_file_32_0 (userspace_reboot_metadata_file))
+(typeattributeset uwb_service_32_0 (uwb_service))
+(typeattributeset vcn_management_service_32_0 (vcn_management_service))
+(typeattributeset vd_device_32_0 (vd_device))
+(typeattributeset vdc_32_0 (vdc))
+(typeattributeset vdc_exec_32_0 (vdc_exec))
+(typeattributeset vehicle_hal_prop_32_0 (vehicle_hal_prop))
+(typeattributeset vendor_apex_file_32_0 (vendor_apex_file))
+(typeattributeset vendor_app_file_32_0 (vendor_app_file))
+(typeattributeset vendor_cgroup_desc_file_32_0 (vendor_cgroup_desc_file))
+(typeattributeset vendor_configs_file_32_0 (vendor_configs_file))
+(typeattributeset vendor_data_file_32_0 (vendor_data_file))
+(typeattributeset vendor_default_prop_32_0 (vendor_default_prop))
+(typeattributeset vendor_file_32_0 (vendor_file))
+(typeattributeset vendor_framework_file_32_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_32_0 (vendor_hal_file))
+(typeattributeset vendor_idc_file_32_0 (vendor_idc_file))
+(typeattributeset vendor_init_32_0 (vendor_init))
+(typeattributeset vendor_kernel_modules_32_0 (vendor_kernel_modules))
+(typeattributeset vendor_keychars_file_32_0 (vendor_keychars_file))
+(typeattributeset vendor_keylayout_file_32_0 (vendor_keylayout_file))
+(typeattributeset vendor_misc_writer_32_0 (vendor_misc_writer))
+(typeattributeset vendor_misc_writer_exec_32_0 (vendor_misc_writer_exec))
+(typeattributeset vendor_modprobe_32_0 (vendor_modprobe))
+(typeattributeset vendor_overlay_file_32_0 (vendor_overlay_file))
+(typeattributeset vendor_public_framework_file_32_0 (vendor_public_framework_file))
+(typeattributeset vendor_public_lib_file_32_0 (vendor_public_lib_file))
+(typeattributeset vendor_security_patch_level_prop_32_0 (vendor_security_patch_level_prop))
+(typeattributeset vendor_service_contexts_file_32_0 (vendor_service_contexts_file))
+(typeattributeset vendor_shell_32_0 (vendor_shell))
+(typeattributeset vendor_shell_exec_32_0 (vendor_shell_exec))
+(typeattributeset vendor_socket_hook_prop_32_0 (vendor_socket_hook_prop))
+(typeattributeset vendor_task_profiles_file_32_0 (vendor_task_profiles_file))
+(typeattributeset vendor_toolbox_exec_32_0 (vendor_toolbox_exec))
+(typeattributeset vfat_32_0 (vfat))
+(typeattributeset vibrator_manager_service_32_0 (vibrator_manager_service))
+(typeattributeset vibrator_service_32_0 (vibrator_service))
+(typeattributeset video_device_32_0 (video_device))
+(typeattributeset virtual_ab_prop_32_0 (virtual_ab_prop))
+(typeattributeset virtual_touchpad_32_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_32_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_32_0 (virtual_touchpad_service))
+(typeattributeset virtualization_service_32_0 (virtualization_service))
+(typeattributeset vndbinder_device_32_0 (vndbinder_device))
+(typeattributeset vndk_prop_32_0 (vndk_prop))
+(typeattributeset vndk_sp_file_32_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_32_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_32_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_32_0 (voiceinteraction_service))
+(typeattributeset vold_32_0 (vold))
+(typeattributeset vold_config_prop_32_0 (vold_config_prop))
+(typeattributeset vold_data_file_32_0 (vold_data_file))
+(typeattributeset vold_device_32_0 (vold_device))
+(typeattributeset vold_exec_32_0 (vold_exec))
+(typeattributeset vold_metadata_file_32_0 (vold_metadata_file))
+(typeattributeset vold_post_fs_data_prop_32_0 (vold_post_fs_data_prop))
+(typeattributeset vold_prepare_subdirs_32_0 (vold_prepare_subdirs))
+(typeattributeset vold_prepare_subdirs_exec_32_0 (vold_prepare_subdirs_exec))
+(typeattributeset vold_prop_32_0 (vold_prop))
+(typeattributeset vold_service_32_0 (vold_service))
+(typeattributeset vold_status_prop_32_0 (vold_status_prop))
+(typeattributeset vpn_data_file_32_0 (vpn_data_file))
+(typeattributeset vpn_management_service_32_0 (vpn_management_service))
+(typeattributeset vr_hwc_32_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_32_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_32_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_32_0 (vr_manager_service))
+(typeattributeset vrflinger_vsync_service_32_0 (vrflinger_vsync_service))
+(typeattributeset vts_config_prop_32_0 (vts_config_prop))
+(typeattributeset vts_status_prop_32_0 (vts_status_prop))
+(typeattributeset wallpaper_file_32_0 (wallpaper_file))
+(typeattributeset wallpaper_service_32_0 (wallpaper_service))
+(typeattributeset watchdog_device_32_0 (watchdog_device))
+(typeattributeset watchdog_metadata_file_32_0 (watchdog_metadata_file))
+(typeattributeset watchdogd_32_0 (watchdogd))
+(typeattributeset watchdogd_exec_32_0 (watchdogd_exec))
+(typeattributeset webview_zygote_32_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_32_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_tmpfs_32_0 (webview_zygote_tmpfs))
+(typeattributeset webviewupdate_service_32_0 (webviewupdate_service))
+(typeattributeset wifi_config_prop_32_0 (wifi_config_prop))
+(typeattributeset wifi_data_file_32_0 (wifi_data_file))
+(typeattributeset wifi_hal_prop_32_0 (wifi_hal_prop))
+(typeattributeset wifi_key_32_0 (wifi_key))
+(typeattributeset wifi_log_prop_32_0 (wifi_log_prop))
+(typeattributeset wifi_prop_32_0 (wifi_prop))
+(typeattributeset wifi_service_32_0 (wifi_service))
+(typeattributeset wifiaware_service_32_0 (wifiaware_service))
+(typeattributeset wificond_32_0 (wificond))
+(typeattributeset wificond_exec_32_0 (wificond_exec))
+(typeattributeset wifinl80211_service_32_0 (wifinl80211_service))
+(typeattributeset wifip2p_service_32_0 (wifip2p_service))
+(typeattributeset wifiscanner_service_32_0 (wifiscanner_service))
+(typeattributeset window_service_32_0 (window_service))
+(typeattributeset wpa_socket_32_0 (wpa_socket))
+(typeattributeset wpantund_32_0 (wpantund))
+(typeattributeset wpantund_exec_32_0 (wpantund_exec))
+(typeattributeset wpantund_service_32_0 (wpantund_service))
+(typeattributeset zero_device_32_0 (zero_device))
+(typeattributeset zoneinfo_data_file_32_0 (zoneinfo_data_file))
+(typeattributeset zram_config_prop_32_0 (zram_config_prop))
+(typeattributeset zram_control_prop_32_0 (zram_control_prop))
+(typeattributeset zygote_32_0 (zygote))
+(typeattributeset zygote_config_prop_32_0 (zygote_config_prop))
+(typeattributeset zygote_exec_32_0 (zygote_exec))
+(typeattributeset zygote_socket_32_0 (zygote_socket))
+(typeattributeset zygote_tmpfs_32_0 (zygote_tmpfs))
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.compat.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.compat.cil
new file mode 100644
index 0000000..628abfc
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.compat.cil
@@ -0,0 +1 @@
+;; This file can't be empty.
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
new file mode 100644
index 0000000..d29a3d3
--- /dev/null
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -0,0 +1,80 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ adservices_manager_service
+ apexd_select_prop
+ artd_service
+ attestation_verification_service
+ bluetooth_config_prop
+ binderfs_features
+ charger_vendor
+ cloudsearch
+ cloudsearch_service
+ connectivity_native_service
+ device_config_nnapi_native_prop
+ device_config_surface_flinger_native_boot_prop
+ dice_maintenance_service
+ dice_node_service
+ diced
+ diced_exec
+ fwk_automotive_display_service
+ evsmanagerd
+ evsmanagerd_service
+ extra_free_kbytes
+ extra_free_kbytes_exec
+ fs_bpf_vendor
+ game_mode_intervention_list_file
+ gesture_prop
+ gwp_asan_prop
+ hal_contexthub_service
+ hal_camera_service
+ hal_evs_service
+ hal_dice_service
+ hal_drm_service
+ hal_dumpstate_service
+ hal_graphics_allocator_service
+ hal_graphics_composer_service
+ hal_health_service
+ hal_input_processor_service
+ hal_ir_service
+ hal_nfc_service
+ hal_nlinterceptor_service
+ hal_radio_service
+ hal_sensors_service
+ hal_system_suspend_service
+ hal_tv_tuner_service
+ hal_usb_service
+ hal_uwb_service
+ hal_vehicle_service
+ hal_wifi_hostapd_service
+ hal_wifi_supplicant_service
+ locale_service
+ mdns_service
+ nearby_service
+ persist_wm_debug_prop
+ proc_watermark_boost_factor
+ proc_watermark_scale_factor
+ remotelyprovisionedkeypool_service
+ resources_manager_service
+ rootdisk_sysdev
+ sdk_sandbox_service
+ selection_toolbar_service
+ smart_idle_maint_enabled_prop
+ snapuserd_proxy_socket
+ sysfs_fs_fuse_bpf
+ sysfs_gpu
+ sysfs_lru_gen_enabled
+ system_dlkm_file
+ tare_service
+ tv_iapp_service
+ untrusted_app_30
+ vendor_uuid_mapping_config_file
+ vendor_vm_data_file
+ vendor_vm_file
+ virtual_device_service
+ wallpaper_effects_generation_service
+))
diff --git a/prebuilts/api/33.0/private/compos_fd_server.te b/prebuilts/api/33.0/private/compos_fd_server.te
new file mode 100644
index 0000000..01504ee
--- /dev/null
+++ b/prebuilts/api/33.0/private/compos_fd_server.te
@@ -0,0 +1,26 @@
+# Make ART inputs and outputs available to the CompOS VM
+type compos_fd_server, domain, coredomain;
+
+# Allow access to open fds inherited from composd
+allow compos_fd_server composd:fd use;
+
+# Allow creating new files and directories in the staging directory.
+allow compos_fd_server apex_art_staging_data_file:dir create_dir_perms;
+allow compos_fd_server apex_art_staging_data_file:file create_file_perms;
+
+# Allow creating new files and directories in the artifacts directory.
+allow compos_fd_server apex_art_data_file:dir create_dir_perms;
+allow compos_fd_server apex_art_data_file:file create_file_perms;
+
+# Use a pipe to signal readiness
+allow compos_fd_server composd:fifo_file write;
+
+# TODO(b/196109647) - remove this when no longer needed by minijail
+allow compos_fd_server composd:fifo_file read;
+
+# Create a listening vsock for the VM to connect back to
+allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Only composd can enter the domain via exec
+neverallow { domain -composd } compos_fd_server:process transition;
+neverallow * compos_fd_server:process dyntransition;
diff --git a/prebuilts/api/33.0/private/compos_verify.te b/prebuilts/api/33.0/private/compos_verify.te
new file mode 100644
index 0000000..0a281f8
--- /dev/null
+++ b/prebuilts/api/33.0/private/compos_verify.te
@@ -0,0 +1,23 @@
+# Run by odsign to verify a CompOS signature
+type compos_verify, domain, coredomain;
+type compos_verify_exec, exec_type, file_type, system_file_type;
+
+# Start a VM
+binder_use(compos_verify);
+virtualizationservice_use(compos_verify);
+
+# Access instance image files
+allow compos_verify apex_module_data_file:dir search;
+r_dir_file(compos_verify, apex_compos_data_file)
+
+# Read CompOS info & signature files
+allow compos_verify apex_art_data_file:dir search;
+allow compos_verify apex_art_data_file:file r_file_perms;
+
+# Allow odsign to redirect our stdout/stderr to log
+allow compos_verify odsign:fd use;
+allow compos_verify odsign_devpts:chr_file { read write };
+
+# Only odsign can enter the domain via exec
+neverallow { domain -odsign } compos_verify:process transition;
+neverallow * compos_verify:process dyntransition;
diff --git a/prebuilts/api/33.0/private/composd.te b/prebuilts/api/33.0/private/composd.te
new file mode 100644
index 0000000..5f99a92
--- /dev/null
+++ b/prebuilts/api/33.0/private/composd.te
@@ -0,0 +1,36 @@
+type composd, domain, coredomain;
+type composd_exec, system_file_type, exec_type, file_type;
+
+# Host dynamic AIDL services
+init_daemon_domain(composd)
+binder_use(composd)
+add_service(composd, compos_service)
+
+# Call back into system server
+binder_call(composd, system_server)
+
+# Start a VM
+virtualizationservice_use(composd)
+
+# Prepare staging directory for odrefresh
+allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
+allow composd apex_art_staging_data_file:file { getattr unlink };
+
+# Delete files in the odrefresh target directory
+allow composd apex_art_data_file:file unlink;
+
+# Access our APEX data files
+allow composd apex_module_data_file:dir search;
+allow composd apex_compos_data_file:dir create_dir_perms;
+allow composd apex_compos_data_file:file create_file_perms;
+
+# Run fd_server in its own domain, and send SIGTERM when finished.
+domain_auto_trans(composd, fd_server_exec, compos_fd_server)
+allow composd compos_fd_server:process signal;
+
+# Read ART's properties
+get_prop(composd, dalvik_config_prop)
+
+# We never create any artifact files directly
+neverallow composd apex_art_data_file:file ~unlink;
diff --git a/prebuilts/api/33.0/private/coredomain.te b/prebuilts/api/33.0/private/coredomain.te
new file mode 100644
index 0000000..e4c9a52
--- /dev/null
+++ b/prebuilts/api/33.0/private/coredomain.te
@@ -0,0 +1,251 @@
+get_prop(coredomain, boot_status_prop)
+get_prop(coredomain, camera_config_prop)
+get_prop(coredomain, dalvik_config_prop)
+get_prop(coredomain, dalvik_runtime_prop)
+get_prop(coredomain, exported_pm_prop)
+get_prop(coredomain, ffs_config_prop)
+get_prop(coredomain, graphics_config_prop)
+get_prop(coredomain, hdmi_config_prop)
+get_prop(coredomain, init_service_status_private_prop)
+get_prop(coredomain, lmkd_config_prop)
+get_prop(coredomain, localization_prop)
+get_prop(coredomain, pm_prop)
+get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, rollback_test_prop)
+get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, sqlite_log_prop)
+get_prop(coredomain, storagemanager_config_prop)
+get_prop(coredomain, surfaceflinger_color_prop)
+get_prop(coredomain, systemsound_config_prop)
+get_prop(coredomain, telephony_config_prop)
+get_prop(coredomain, usb_config_prop)
+get_prop(coredomain, usb_control_prop)
+get_prop(coredomain, userspace_reboot_config_prop)
+get_prop(coredomain, vold_config_prop)
+get_prop(coredomain, vts_status_prop)
+get_prop(coredomain, zygote_config_prop)
+get_prop(coredomain, zygote_wrap_prop)
+
+# TODO(b/170590987): remove this after cleaning up default_prop
+get_prop(coredomain, default_prop)
+
+full_treble_only(`
+neverallow {
+ coredomain
+
+ # for chowning
+ -init
+
+ # generic access to sysfs_type
+ -apexd
+ -ueventd
+ -vold
+} sysfs_leds:file *;
+')
+
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few allowlisted coredomains to keep system/vendor separation.
+full_treble_only(`
+ # Limit access to /vendor/app
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -dexoptanalyzer
+ -idmap
+ -init
+ -installd
+ -heapprofd
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ -system_server
+ -traced_perf
+ } vendor_app_file:dir { open read getattr search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -dexoptanalyzer
+ -idmap
+ -init
+ -installd
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ userdebug_or_eng(`-simpleperf_boot')
+ -system_server
+ -traced_perf
+ -mediaserver
+ } vendor_app_file:file r_file_perms;
+')
+
+full_treble_only(`
+ # Limit access to /vendor/overlay
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ -system_server
+ -traced_perf
+ -app_zygote
+ -webview_zygote
+ -zygote
+ -heapprofd
+ } vendor_overlay_file:dir { getattr open read search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ -system_server
+ -traced_perf
+ -app_zygote
+ -webview_zygote
+ -zygote
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
+ } vendor_overlay_file:file open;
+')
+
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+ # /proc
+ neverallow {
+ coredomain
+ -init
+ -vold
+ } proc:file no_rw_file_perms;
+
+ # /sys
+ neverallow {
+ coredomain
+ -apexd
+ -init
+ -ueventd
+ -vold
+ } sysfs:file no_rw_file_perms;
+
+ # /dev
+ neverallow {
+ coredomain
+ -apexd
+ -fsck
+ -init
+ -ueventd
+ } device:{ blk_file file } no_rw_file_perms;
+
+ # debugfs
+ neverallow {
+ coredomain
+ no_debugfs_restriction(`
+ -dumpstate
+ -init
+ -system_server
+ ')
+ } debugfs:file no_rw_file_perms;
+
+ # tracefs
+ neverallow {
+ coredomain
+ -atrace
+ -dumpstate
+ -gpuservice
+ -init
+ -traced_perf
+ -traced_probes
+ -shell
+ -system_server
+ -traceur_app
+ userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
+ } debugfs_tracing:file no_rw_file_perms;
+
+ # inotifyfs
+ neverallow {
+ coredomain
+ -init
+ } inotify:file no_rw_file_perms;
+
+ # pstorefs
+ neverallow {
+ coredomain
+ -bootstat
+ -charger
+ -dumpstate
+ userdebug_or_eng(`-incidentd')
+ -init
+ -logd
+ -logpersist
+ -recovery_persist
+ -recovery_refresh
+ -shell
+ -system_server
+ } pstorefs:file no_rw_file_perms;
+
+ # configfs
+ neverallow {
+ coredomain
+ -init
+ -system_server
+ } configfs:file no_rw_file_perms;
+
+ # functionfs
+ neverallow {
+ coredomain
+ -adbd
+ -init
+ -mediaprovider
+ -system_server
+ } functionfs:file no_rw_file_perms;
+
+ # usbfs and binfmt_miscfs
+ neverallow {
+ coredomain
+ -init
+ }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+
+ # dmabuf heaps
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ }{
+ dmabuf_heap_device_type
+ -dmabuf_system_heap_device
+ -dmabuf_system_secure_heap_device
+ }:chr_file no_rw_file_perms;
+')
+
+# Following /dev nodes must not be directly accessed by coredomain, but should
+# instead be wrapped by HALs.
+neverallow coredomain {
+ iio_device
+ radio_device
+}:chr_file { open read append write ioctl };
+
+# TODO(b/120243891): HAL permission to tee_device is included into coredomain
+# on non-Treble devices.
+full_treble_only(`
+ neverallow coredomain tee_device:chr_file { open read append write ioctl };
+')
diff --git a/prebuilts/api/33.0/private/cppreopts.te b/prebuilts/api/33.0/private/cppreopts.te
new file mode 100644
index 0000000..1192ba6
--- /dev/null
+++ b/prebuilts/api/33.0/private/cppreopts.te
@@ -0,0 +1,31 @@
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject, coredomain;
+type cppreopts_exec, system_file_type, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
+
+# Silence the denial when /postinstall cannot be mounted, e.g., system_other
+# is wiped, but cppreopts.sh still runs.
+dontaudit cppreopts postinstall_mnt_dir:dir search;
diff --git a/prebuilts/api/33.0/private/crash_dump.te b/prebuilts/api/33.0/private/crash_dump.te
new file mode 100644
index 0000000..90ffeb5
--- /dev/null
+++ b/prebuilts/api/33.0/private/crash_dump.te
@@ -0,0 +1,64 @@
+typeattribute crash_dump coredomain;
+
+# Crash dump does not need to access devices passed across exec().
+dontaudit crash_dump { devpts dev_type }:chr_file { read write };
+
+allow crash_dump {
+ domain
+ -apexd
+ -bpfloader
+ -crash_dump
+ -diced
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -ueventd
+ -vendor_init
+ -vold
+}:process { ptrace signal sigchld sigstop sigkill };
+
+# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
+userdebug_or_eng(`
+ allow crash_dump {
+ apexd
+ keystore
+ llkd
+ logd
+ vold
+ }:process { ptrace signal sigchld sigstop sigkill };
+')
+
+###
+### neverallow assertions
+###
+
+# ptrace neverallow assertions are spread throughout the other policy
+# files, so we avoid adding redundant assertions here
+
+neverallow crash_dump {
+ apexd
+ userdebug_or_eng(`-apexd')
+ bpfloader
+ diced
+ init
+ kernel
+ keystore
+ userdebug_or_eng(`-keystore')
+ llkd
+ userdebug_or_eng(`-llkd')
+ logd
+ userdebug_or_eng(`-logd')
+ ueventd
+ vendor_init
+ vold
+ userdebug_or_eng(`-vold')
+}:process { signal sigstop sigkill };
+
+neverallow crash_dump self:process ptrace;
+neverallow crash_dump gpu_device:chr_file *;
+
+# Read ART APEX data directory
+allow crash_dump apex_art_data_file:dir { getattr search };
+allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/prebuilts/api/33.0/private/credstore.te b/prebuilts/api/33.0/private/credstore.te
new file mode 100644
index 0000000..c410d76
--- /dev/null
+++ b/prebuilts/api/33.0/private/credstore.te
@@ -0,0 +1,12 @@
+typeattribute credstore coredomain;
+
+init_daemon_domain(credstore)
+
+# talk to Identity Credential
+hal_client_domain(credstore, hal_identity)
+
+# talk to keymint, specifically for IRemotelyProvisionedComponent/default
+hal_client_domain(credstore, hal_keymint)
+
+# credstore needs to get keys from the remotely provisioned pool
+allow credstore remotelyprovisionedkeypool_service:service_manager find;
diff --git a/prebuilts/api/33.0/private/crosvm.te b/prebuilts/api/33.0/private/crosvm.te
new file mode 100644
index 0000000..167ad2f
--- /dev/null
+++ b/prebuilts/api/33.0/private/crosvm.te
@@ -0,0 +1,102 @@
+type crosvm, domain, coredomain;
+type crosvm_exec, system_file_type, exec_type, file_type;
+type crosvm_tmpfs, file_type;
+
+# Let crosvm open /dev/kvm.
+allow crosvm kvm_device:chr_file rw_file_perms;
+
+# Most other domains shouldn't access /dev/kvm.
+neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
+neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
+
+# Let crosvm mlock VM memory and page tables.
+allow crosvm self:capability ipc_lock;
+
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from VirtualizationService.
+allow crosvm virtualizationservice:fd use;
+
+# Allow sending VirtualizationService the failure reason from the VM via pipe.
+allow crosvm virtualizationservice:fifo_file write;
+
+# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
+# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
+# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
+# the files are passed as file descriptors.
+allow crosvm {
+ virtualizationservice_data_file
+ staging_data_file
+ apk_data_file
+ app_data_file
+ apex_compos_data_file
+ shell_data_file
+}:file { getattr read ioctl lock };
+
+# Allow searching the directory where the composite disk images are.
+allow crosvm virtualizationservice_data_file:dir search;
+
+# Don't allow crosvm to open files that it doesn't own.
+# This is important because a malicious application could try to start a VM with a composite disk
+# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
+# open them on its behalf. By preventing crosvm from opening any other files we prevent this
+# potential privilege escalation. See http://b/192453819 for more discussion.
+neverallow crosvm {
+ virtualizationservice_data_file
+ staging_data_file
+ apk_data_file
+ app_data_file
+ userdebug_or_eng(`-shell_data_file')
+}:file open;
+
+# The instance image and the composite image should be writable as well because they could represent
+# mutable disks.
+allow crosvm {
+ virtualizationservice_data_file
+ app_data_file
+ apex_compos_data_file
+}:file write;
+
+# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
+allow crosvm adbd:fd use;
+allow crosvm adbd:unix_stream_socket { read write };
+
+# For ACPI
+allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
+# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
+userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
+
+# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
+full_treble_only(`
+ neverallow crosvm {
+ vendor_file_type
+ -vendor_vm_file
+ -vendor_vm_data_file
+ # These types are not required for crosvm, but the access is granted to globally in domain.te
+ # thus should be exempted here.
+ -vendor_configs_file
+ -vndk_sp_file
+ -vendor_task_profiles_file
+ }:file *;
+')
+
+# app_data_file and shell_data_file is the only app_data_file_type that is
+# allowed for crosvm to read. Note that the use of app_data_file is allowed
+# only for the instance disk image. This is enforced inside the
+# virtualizationservice by checking the file context of all disk image files.
+neverallow crosvm {
+ app_data_file_type
+ -app_data_file
+ -shell_data_file
+}:file read;
+
+# Only virtualizationservice can run crosvm
+neverallow {
+ domain
+ -crosvm
+ -virtualizationservice
+} crosvm_exec:file no_x_file_perms;
diff --git a/prebuilts/api/33.0/private/derive_classpath.te b/prebuilts/api/33.0/private/derive_classpath.te
new file mode 100644
index 0000000..2299ba0
--- /dev/null
+++ b/prebuilts/api/33.0/private/derive_classpath.te
@@ -0,0 +1,25 @@
+
+# Domain for derive_classpath
+type derive_classpath, domain, coredomain;
+type derive_classpath_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_classpath)
+
+# Read /apex
+allow derive_classpath apex_mnt_dir:dir r_dir_perms;
+
+# Create /data/system/environ/classpath file
+allow derive_classpath environ_system_data_file:dir rw_dir_perms;
+allow derive_classpath environ_system_data_file:file create_file_perms;
+
+# b/183079517 fails on gphone targets otherwise
+allow derive_classpath unlabeled:dir search;
+
+# Allow derive_classpath to write the classpath into ota dexopt
+# - Read the ota's apex dir
+allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
+# - Report the BCP to the ota's dexopt
+allow derive_classpath postinstall_dexopt:dir search;
+allow derive_classpath postinstall_dexopt:fd use;
+allow derive_classpath postinstall_dexopt:file read;
+allow derive_classpath postinstall_dexopt:lnk_file read;
+allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;
diff --git a/prebuilts/api/33.0/private/derive_sdk.te b/prebuilts/api/33.0/private/derive_sdk.te
new file mode 100644
index 0000000..1f60e34
--- /dev/null
+++ b/prebuilts/api/33.0/private/derive_sdk.te
@@ -0,0 +1,12 @@
+
+# Domain for derive_sdk
+type derive_sdk, domain, coredomain;
+type derive_sdk_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_sdk)
+
+# Read /apex
+allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+
+# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
+set_prop(derive_sdk, module_sdkextensions_prop)
+neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
diff --git a/prebuilts/api/33.0/private/dex2oat.te b/prebuilts/api/33.0/private/dex2oat.te
new file mode 100644
index 0000000..e7cdd5f
--- /dev/null
+++ b/prebuilts/api/33.0/private/dex2oat.te
@@ -0,0 +1,110 @@
+# dex2oat
+type dex2oat, domain, coredomain;
+type dex2oat_exec, system_file_type, exec_type, file_type;
+
+userfaultfd_use(dex2oat)
+
+r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read map };
+
+allow dex2oat tmpfs:file { read getattr map };
+
+r_dir_file(dex2oat, dalvikcache_data_file)
+allow dex2oat dalvikcache_data_file:file write;
+allow dex2oat installd:fd use;
+
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+allow dex2oat postinstall_file:file lock;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+# Also allow reading unlabeled files, to allow for upgrading forward
+# locked APKs.
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
+allow dex2oat user_profile_data_file:file { getattr read lock map };
+
+# Allow dex2oat to compile app's secondary dex files which were reported back to
+# the framework.
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
+
+# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
+allow dex2oat apex_module_data_file:dir search;
+
+# Allow dex2oat to use file descriptors passed from odrefresh.
+allow dex2oat odrefresh:fd use;
+
+# Allow dex2oat to use devpts and file descriptors passed from odsign
+allow dex2oat odsign_devpts:chr_file { read write };
+allow dex2oat odsign:fd use;
+
+# Allow dex2oat to write to file descriptors from odrefresh for files
+# in the staging area.
+allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
+allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
+
+# Allow dex2oat to read artifacts from odrefresh.
+allow dex2oat apex_art_data_file:dir r_dir_perms;
+allow dex2oat apex_art_data_file:file r_file_perms;
+
+# Allow dex2oat to read runtime native flag properties.
+get_prop(dex2oat, device_config_runtime_native_prop)
+get_prop(dex2oat, device_config_runtime_native_boot_prop)
+
+# Allow dex2oat to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;
+
+##################
+# A/B OTA Dexopt #
+##################
+
+# Allow dex2oat to use file descriptors from otapreopt.
+allow dex2oat postinstall_dexopt:fd use;
+
+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:dir r_dir_perms;
+allow dex2oat postinstall_file:filesystem getattr;
+allow dex2oat postinstall_file:lnk_file { getattr read };
+allow dex2oat postinstall_file:file read;
+# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
+# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
+allow dex2oat postinstall_file:file { execute getattr open };
+
+# Allow dex2oat access to /postinstall/apex.
+allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
+allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
+
+# Allow dex2oat access to files in /data/ota.
+allow dex2oat ota_data_file:dir ra_dir_perms;
+allow dex2oat ota_data_file:file r_file_perms;
+
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
+
+# It would be nice to tie this down, but currently, because of how images are written, we can't
+# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
+# create them itself (and make them world-readable).
+allow dex2oat ota_data_file:file { create w_file_perms setattr };
+
+###############
+# APEX Update #
+###############
+
+# /dev/zero is inherited.
+allow dex2oat apexd:fd use;
+
+# Allow dex2oat to use file descriptors from preinstall.
+
+##############
+# Neverallow #
+##############
+
+neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/prebuilts/api/33.0/private/dexoptanalyzer.te b/prebuilts/api/33.0/private/dexoptanalyzer.te
new file mode 100644
index 0000000..8eb1d29
--- /dev/null
+++ b/prebuilts/api/33.0/private/dexoptanalyzer.te
@@ -0,0 +1,56 @@
+# dexoptanalyzer
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
+type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
+type dexoptanalyzer_tmpfs, file_type;
+
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexoptanalyzer vs other
+# processes.
+tmpfs_domain(dexoptanalyzer)
+
+userfaultfd_use(dexoptanalyzer)
+
+# Allow dexoptanalyzer to read files in the dalvik cache.
+allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
+allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
+allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+
+# Allow dexoptanalyzer to read files in the ART APEX data directory.
+allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
+allow dexoptanalyzer apex_art_data_file:file r_file_perms;
+
+# Allow dexoptanalyzer to use file descriptors from odrefresh.
+allow dexoptanalyzer odrefresh:fd use;
+
+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow dexoptanalyzer odsign:fd use;
+allow dexoptanalyzer odsign_devpts:chr_file { read write };
+
+allow dexoptanalyzer installd:fd use;
+allow dexoptanalyzer installd:fifo_file { getattr write };
+
+# Acquire advisory lock on /system/framework/arm/*
+allow dexoptanalyzer system_file:file lock;
+
+# Allow reading secondary dex files that were reported by the app to the
+# package manager.
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
+
+# Allow testing /data/user/0 which symlinks to /data/data
+allow dexoptanalyzer system_data_file:lnk_file { getattr };
+
+# Allow query ART device config properties
+get_prop(dexoptanalyzer, device_config_runtime_native_prop)
+get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
+
+# Allow dexoptanalyzer to read /apex/apex-info-list.xml
+allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/prebuilts/api/33.0/private/dhcp.te b/prebuilts/api/33.0/private/dhcp.te
new file mode 100644
index 0000000..8ec9111
--- /dev/null
+++ b/prebuilts/api/33.0/private/dhcp.te
@@ -0,0 +1,7 @@
+typeattribute dhcp coredomain;
+
+init_daemon_domain(dhcp)
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
diff --git a/prebuilts/api/33.0/private/diced.te b/prebuilts/api/33.0/private/diced.te
new file mode 100644
index 0000000..b37809c
--- /dev/null
+++ b/prebuilts/api/33.0/private/diced.te
@@ -0,0 +1,6 @@
+typeattribute diced coredomain;
+
+init_daemon_domain(diced)
+
+# Talk to dice HAL.
+hal_client_domain(diced, hal_dice)
diff --git a/prebuilts/api/33.0/private/dmesgd.te b/prebuilts/api/33.0/private/dmesgd.te
new file mode 100644
index 0000000..7a12882
--- /dev/null
+++ b/prebuilts/api/33.0/private/dmesgd.te
@@ -0,0 +1,15 @@
+type dmesgd, domain, coredomain;
+type dmesgd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(dmesgd)
+
+allow dmesgd dmesgd_data_file:dir create_dir_perms;
+allow dmesgd dmesgd_data_file:file create_file_perms;
+
+allow dmesgd kernel:system syslog_read;
+allow dmesgd shell_exec:file rx_file_perms;
+allow dmesgd toolbox_exec:file rx_file_perms;
+binder_use(dmesgd)
+binder_call(dmesgd, system_server)
+allow dmesgd dropbox_service:service_manager find;
+allow dmesgd proc_version:file r_file_perms;
diff --git a/prebuilts/api/26.0/private/dnsmasq.te b/prebuilts/api/33.0/private/dnsmasq.te
similarity index 100%
rename from prebuilts/api/26.0/private/dnsmasq.te
rename to prebuilts/api/33.0/private/dnsmasq.te
diff --git a/prebuilts/api/33.0/private/domain.te b/prebuilts/api/33.0/private/domain.te
new file mode 100644
index 0000000..2ef688c
--- /dev/null
+++ b/prebuilts/api/33.0/private/domain.te
@@ -0,0 +1,633 @@
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+# We do not apply this to the su domain to avoid interfering with
+# tests (b/114136122)
+domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
+
+# Allow every process to check the heapprofd.enable properties to determine
+# whether to load the heap profiling library. This does not necessarily enable
+# heap profiling, as initialization will fail if it does not have the
+# necessary SELinux permissions.
+get_prop(domain, heapprofd_prop);
+# Allow heap profiling on debug builds.
+userdebug_or_eng(`can_profile_heap({
+ domain
+ -bpfloader
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
+ -ueventd
+ -vendor_init
+ -vold
+})')
+
+# As above, allow perf profiling most processes on debug builds.
+# zygote is excluded as system-wide profiling could end up with it
+# (unexpectedly) holding an open fd across a fork.
+userdebug_or_eng(`can_profile_perf({
+ domain
+ -bpfloader
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
+ -ueventd
+ -vendor_init
+ -vold
+ -zygote
+})')
+
+# Everyone can access the IncFS list of features.
+r_dir_file(domain, sysfs_fs_incfs_features);
+
+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup:file w_file_perms;
+
+allow domain cgroup_v2:dir search;
+allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+
+allow domain cgroup_rc_file:dir search;
+allow domain cgroup_rc_file:file r_file_perms;
+allow domain task_profiles_file:file r_file_perms;
+allow domain task_profiles_api_file:file r_file_perms;
+allow domain vendor_task_profiles_file:file r_file_perms;
+
+# Allow all domains to read sys.use_memfd to determine
+# if memfd support can be used if device supports it
+get_prop(domain, use_memfd_prop);
+
+# Read access to sdkextensions props
+get_prop(domain, module_sdkextensions_prop)
+
+# Read access to bq configuration values
+get_prop(domain, bq_config_prop);
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+not_compatible_property(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ get_prop(domain, core_property_type)
+ get_prop(domain, exported3_system_prop)
+ get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ get_prop({coredomain appdomain shell}, core_property_type)
+ get_prop({coredomain appdomain shell}, exported3_system_prop)
+ get_prop({coredomain appdomain shell}, exported_camera_prop)
+ get_prop({coredomain shell}, userspace_reboot_exported_prop)
+ get_prop({coredomain shell}, userspace_reboot_log_prop)
+ get_prop({coredomain shell}, userspace_reboot_test_prop)
+ get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
+
+# Allow access to fsverity keyring.
+allow domain kernel:key search;
+# Allow access to keys in the fsverity keyring that were installed at boot.
+allow domain fsverity_init:key search;
+# For testing purposes, allow access to keys installed with su.
+userdebug_or_eng(`
+ allow domain su:key search;
+')
+
+# Allow access to linkerconfig file
+allow domain linkerconfig_file:dir search;
+allow domain linkerconfig_file:file r_file_perms;
+
+# Allow all processes to check for the existence of the boringssl_self_test_marker files.
+allow domain boringssl_self_test_marker:dir search;
+
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -fastbootd
+ -hal_bootctl_server
+ -init
+ -uncrypt
+ -update_engine
+ -vendor_init
+ -vendor_misc_writer
+ -vold
+ -recovery
+ -ueventd
+ -mtectrl
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these allowlisted domains.
+neverallow {
+ domain
+ -vold
+ userdebug_or_eng(`-llkd')
+ -dumpstate
+ userdebug_or_eng(`-incidentd')
+ userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
+ -storaged
+ -system_server
+} self:global_capability_class_set sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
+neverallow { domain -system_server } *:keystore2_key use_dev_id;
+neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ userdebug_or_eng(`-domain')
+} debugfs_tracing_debug:file no_rw_file_perms;
+
+# System_server owns dropbox data, and init creates/restorecons the directory
+# Disallow direct access by other processes.
+neverallow { domain -init -system_server } dropbox_data_file:dir *;
+neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
+
+###
+# Services should respect app sandboxes
+neverallow {
+ domain
+ -appdomain
+ -installd # creation of sandbox
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
+
+# Only the following processes should be directly accessing private app
+# directories.
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -app_zygote
+ -dexoptanalyzer
+ -installd
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -profman
+ -rs # spawned by appdomain, so carryover the exception above
+ -runas
+ -system_server
+ -viewcompiler
+ -zygote
+} { privapp_data_file app_data_file }:dir *;
+
+# Only apps should be modifying app data. installd is exempted for
+# restorecon and package install/uninstall.
+neverallow {
+ domain
+ -appdomain
+ -installd
+ -rs # spawned by appdomain, so carryover the exception above
+} { privapp_data_file app_data_file }:dir ~r_dir_perms;
+
+neverallow {
+ domain
+ -appdomain
+ -app_zygote
+ -installd
+ -iorap_prefetcherd
+ -rs # spawned by appdomain, so carryover the exception above
+} { privapp_data_file app_data_file }:file_class_set open;
+
+neverallow {
+ domain
+ -appdomain
+ -installd # creation of sandbox
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
+
+neverallow {
+ domain
+ -installd
+} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
+
+# The staging directory contains APEX and APK files. It is important to ensure
+# that these files cannot be accessed by other domains to ensure that the files
+# do not change between system_server staging the files and apexd processing
+# the files.
+neverallow {
+ domain
+ -init
+ -system_server
+ -apexd
+ -installd
+ -iorap_inode2filename
+ -priv_app
+ -virtualizationservice
+} staging_data_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_app
+ -system_server
+ -apexd
+ -adbd
+ -kernel
+ -installd
+ -iorap_inode2filename
+ -priv_app
+ -shell
+ -virtualizationservice
+ -crosvm
+} staging_data_file:file *;
+neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
+# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
+# except for `link` and `unlink`.
+neverallow { domain -init -system_server } staging_data_file:file
+ { append create relabelfrom rename setattr write no_x_file_perms };
+
+neverallow {
+ domain
+ -appdomain # for oemfs
+ -bootanim # for oemfs
+ -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
+
+#
+# Assert that, to the extent possible, we're not loading executable content from
+# outside the rootfs or /system partition except for a few allowlisted domains.
+# Executable files loaded from /data is a persistence vector
+# we want to avoid. See
+# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
+#
+neverallow {
+ domain
+ -appdomain
+ with_asan(`-asan_extract')
+ -iorap_prefetcherd
+ -shell
+ userdebug_or_eng(`-su')
+ -system_server_startup # for memfd backed executable regions
+ -app_zygote
+ -webview_zygote
+ -zygote
+ userdebug_or_eng(`-mediaextractor')
+ userdebug_or_eng(`-mediaswcodec')
+} {
+ file_type
+ -system_file_type
+ -system_lib_file
+ -system_linker_exec
+ -vendor_file_type
+ -exec_type
+ -postinstall_file
+}:file execute;
+
+# Only init is allowed to write cgroup.rc file
+neverallow {
+ domain
+ -init
+ -vendor_init
+} cgroup_rc_file:file no_w_file_perms;
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+neverallow {
+ domain
+ -init # TODO: limit init to relabelfrom for files
+ -zygote
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -otapreopt_slot
+} dalvikcache_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ -init
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -zygote
+ -otapreopt_slot
+} dalvikcache_data_file:dir no_w_dir_perms;
+
+# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
+# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
+neverallow {
+ domain
+ # art-related processes
+ -composd
+ -compos_fd_server
+ -odrefresh
+ -odsign
+ # others
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_art_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ # art-related processes
+ -composd
+ -compos_fd_server
+ -odrefresh
+ -odsign
+ # others
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_art_data_file:dir no_w_dir_perms;
+
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+ domain
+ -appdomain
+} {
+ data_file_type
+ -apex_art_data_file
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+define(`dac_override_allowed', `{
+ apexd
+ dnsmasq
+ dumpstate
+ init
+ installd
+ userdebug_or_eng(`llkd')
+ lmkd
+ migrate_legacy_obb_data
+ netd
+ postinstall_dexopt
+ recovery
+ rss_hwm_reset
+ sdcardd
+ tee
+ ueventd
+ uncrypt
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials. Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+ dac_override_allowed
+ iorap_inode2filename
+ iorap_prefetcherd
+ traced_perf
+ traced_probes
+ heapprofd
+} self:global_capability_class_set dac_read_search;
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
+# set of domains need this capability, including device-specific domains.
+neverallow {
+ domain
+ -apexd
+ recovery_only(`-fastbootd')
+ -init
+ -kernel
+ -otapreopt_chroot
+ -recovery
+ -update_engine
+ -vold
+ -zygote
+} { fs_type
+ -sdcard_type
+ -fusefs_type
+}:filesystem { mount remount relabelfrom relabelto };
+
+enforce_debugfs_restriction(`
+ neverallow {
+ domain userdebug_or_eng(`-init')
+ } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
+')
+
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain')
+ -kernel
+ -gsid
+ -init
+ -recovery
+ -ueventd
+ -uncrypt
+ -tee
+ -hal_bootctl_server
+ -fastbootd
+} self:global_capability_class_set sys_rawio;
+
+# Limit directory operations that doesn't need to do app data isolation.
+neverallow {
+ domain
+ -fsck
+ -init
+ -installd
+ -zygote
+} mirror_data_file:dir *;
+
+# This property is being removed. Remove remaining access.
+neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
+neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Only core domains are allowed to access package_manager properties
+neverallow { domain -init -system_server } pm_prop:property_service set;
+neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
+
+# Do not allow reading the last boot timestamp from system properties
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+
+# Kprobes should only be used by adb root
+neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
+
+# On TREBLE devices, most coredomains should not access vendor_files.
+# TODO(b/71553434): Remove exceptions here.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -bootanim
+ -crash_dump
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ -init
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel
+ userdebug_or_eng(`-simpleperf_boot')
+ -traced_perf
+ -ueventd
+ } vendor_file:file { no_w_file_perms no_x_file_perms open };
+')
+
+# Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -tombstoned # linker to tombstoned
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced')
+ userdebug_or_eng(`-traced_perf')
+ });
+')
+
+full_treble_only(`
+ # Do not allow system components access to /vendor files except for the
+ # ones allowed here.
+ neverallow {
+ coredomain
+ # TODO(b/37168747): clean up fwk access to /vendor
+ -crash_dump
+ -crosvm # loads vendor-specific disk images
+ -init # starts vendor executables
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel # loads /vendor/firmware
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ -shell
+ userdebug_or_eng(`-simpleperf_boot')
+ -system_executes_vendor_violators
+ -traced_perf # library/binary access for symbolization
+ -ueventd # reads /vendor/ueventd.rc
+ -vold # loads incremental fs driver
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vendor_app_file
+ -vendor_apex_file
+ -vendor_configs_file
+ -vendor_service_contexts_file
+ -vendor_framework_file
+ -vendor_idc_file
+ -vendor_keychars_file
+ -vendor_keylayout_file
+ -vendor_overlay_file
+ -vendor_public_framework_file
+ -vendor_public_lib_file
+ -vendor_task_profiles_file
+ -vendor_uuid_mapping_config_file
+ -vndk_sp_file
+ }:file *;
+')
+
+# mlsvendorcompat is only for compatibility support for older vendor
+# images, and should not be granted to any domain in current policy.
+# (Every domain is allowed self:fork, so this will trigger if the
+# intsersection of domain & mlsvendorcompat is not empty.)
+neverallow domain mlsvendorcompat:process fork;
+
+# Only init and otapreopt_chroot should be mounting filesystems on locations
+# labeled system or vendor (/product and /vendor respectively).
+neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
+
+# Only allow init and vendor_init to read/write mm_events properties
+# NOTE: dumpstate is allowed to read any system property
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+} mm_events_config_prop:file no_rw_file_perms;
+
+# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
+# kernel traces. Addresses are not disclosed, they are repalced with symbol
+# names (if available). Traces don't disclose KASLR.
+neverallow {
+ domain
+ -init
+ userdebug_or_eng(`-profcollectd')
+ -vendor_init
+ userdebug_or_eng(`-simpleperf_boot')
+ -traced_probes
+ -traced_perf
+} proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+# vendor_modprobe is also exempted since the kernel modules it loads may create
+# debugfs files in its context.
+enforce_debugfs_restriction(`
+ neverallow {
+ domain
+ -vendor_modprobe
+ userdebug_or_eng(`
+ -init
+ -hal_dumpstate
+ ')
+ } { debugfs_type
+ userdebug_or_eng(`-debugfs_kcov')
+ -tracefs_type
+ }:file no_rw_file_perms;
+')
+
+# Restrict write access to etm sysfs interface.
+neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
+
+# Restrict write access to shell owned files. The /data/local/tmp directory is
+# untrustworthy, and non-allowed domains should not be trusting any content in
+# those directories. We allow shell files to be passed around by file
+# descriptor, but not directly opened.
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -installd
+ userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-virtualizationservice')
+ userdebug_or_eng(`-crosvm')
+} shell_data_file:file open;
+
+# respect system_app sandboxes
+neverallow {
+ domain
+ -appdomain
+ -system_server #populate com.android.providers.settings/databases/settings.db.
+ -installd # creation of app sandbox
+ -iorap_inode2filename
+ -traced_probes # resolve inodes for i/o tracing.
+ # only needs open and read, the rest is neverallow in
+ # traced_probes.te.
+} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ ephemeral_app
+ priv_app
+ sdk_sandbox
+ untrusted_app_all
+} system_app_data_file:dir_file_class_set { create unlink open };
diff --git a/prebuilts/api/33.0/private/drmserver.te b/prebuilts/api/33.0/private/drmserver.te
new file mode 100644
index 0000000..8449c3e
--- /dev/null
+++ b/prebuilts/api/33.0/private/drmserver.te
@@ -0,0 +1,9 @@
+typeattribute drmserver coredomain;
+
+init_daemon_domain(drmserver)
+
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
+
+get_prop(drmserver, drm_service_config_prop)
diff --git a/prebuilts/api/33.0/private/dumpstate.te b/prebuilts/api/33.0/private/dumpstate.te
new file mode 100644
index 0000000..149d389
--- /dev/null
+++ b/prebuilts/api/33.0/private/dumpstate.te
@@ -0,0 +1,125 @@
+typeattribute dumpstate coredomain;
+type dumpstate_tmpfs, file_type;
+
+init_daemon_domain(dumpstate)
+
+# Execute and transition to the vdc domain
+domain_auto_trans(dumpstate, vdc_exec, vdc)
+
+# Create tmpfs files for using memfd descriptors to get output from child
+# processes.
+tmpfs_domain(dumpstate)
+
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
+allow dumpstate storaged_exec:file rx_file_perms;
+
+# /data/misc/a11ytrace for accessibility traces
+userdebug_or_eng(`
+ allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
+ allow dumpstate accessibility_trace_data_file:file r_file_perms;
+')
+
+# /data/misc/wmtrace for wm traces
+userdebug_or_eng(`
+ allow dumpstate wm_trace_data_file:dir r_dir_perms;
+ allow dumpstate wm_trace_data_file:file r_file_perms;
+')
+
+# Allow dumpstate to make binder calls to incidentd
+binder_call(dumpstate, incidentd)
+
+# Allow dumpstate to make binder calls to storaged service
+binder_call(dumpstate, storaged)
+
+# Allow dumpstate to make binder calls to statsd
+binder_call(dumpstate, statsd)
+
+# Allow dumpstate to talk to gpuservice over binder
+binder_call(dumpstate, gpuservice);
+
+# Allow dumpstate to talk to idmap over binder
+binder_call(dumpstate, idmap);
+
+# Allow dumpstate to talk to profcollectd over binder
+userdebug_or_eng(`
+ binder_call(dumpstate, profcollectd)
+')
+
+# Collect metrics on boot time created by init
+get_prop(dumpstate, boottime_prop)
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ mediatranscoding
+ statsd
+ netd
+}:process signal;
+
+userdebug_or_eng(`
+ allow dumpstate keystore:process signal;
+')
+
+# For collecting bugreports.
+no_debugfs_restriction(`
+ allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+')
+
+allow dumpstate dev_type:blk_file getattr;
+allow dumpstate webview_zygote:process signal;
+allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
+dontaudit dumpstate update_engine:binder call;
+
+# Read files in /proc
+allow dumpstate {
+ proc_net_tcp_udp
+ proc_pid_max
+}:file r_file_perms;
+
+# For comminucating with the system process to do confirmation ui.
+binder_call(dumpstate, incidentcompanion_service)
+
+# Set properties.
+# dumpstate_prop is used to share state with the Shell app.
+set_prop(dumpstate, dumpstate_prop)
+set_prop(dumpstate, exported_dumpstate_prop)
+
+# dumpstate_options_prop is used to pass extra command-line args.
+set_prop(dumpstate, dumpstate_options_prop)
+
+# Allow dumpstate to kill vendor dumpstate service by init
+set_prop(dumpstate, ctl_dumpstate_prop)
+
+# For dumping dynamic partition information.
+set_prop(dumpstate, lpdumpd_prop)
+binder_call(dumpstate, lpdumpd)
+
+# For dumping hypervisor information.
+get_prop(dumpstate, hypervisor_prop)
+
+# For dumping device-mapper and snapshot information.
+allow dumpstate gsid_exec:file rx_file_perms;
+set_prop(dumpstate, ctl_gsid_prop)
+binder_call(dumpstate, gsid)
+
+r_dir_file(dumpstate, ota_metadata_file)
+
+# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
+# is being recorded, the command above will serialize it into
+# /data/misc/perfetto-traces/bugreport/*.pftrace .
+domain_auto_trans(dumpstate, perfetto_exec, perfetto)
+allow dumpstate perfetto:process signal;
+allow dumpstate perfetto_traces_data_file:dir { search };
+allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
+
+# When exec-ing /system/bin/perfetto, dumpstates redirects stdio to /dev/null
+# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
+# zip file. These rules are to allow perfetto.te to inherit dumpstate's
+# /dev/null.
+allow perfetto dumpstate_tmpfs:file rw_file_perms;
+allow perfetto dumpstate:fd use;
+
+# system_dlkm_file for /system_dlkm partition
+allow dumpstate system_dlkm_file:dir getattr;
diff --git a/prebuilts/api/33.0/private/ephemeral_app.te b/prebuilts/api/33.0/private/ephemeral_app.te
new file mode 100644
index 0000000..3b916e2
--- /dev/null
+++ b/prebuilts/api/33.0/private/ephemeral_app.te
@@ -0,0 +1,95 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+typeattribute ephemeral_app coredomain;
+
+net_domain(ephemeral_app)
+app_domain(ephemeral_app)
+
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app privapp_data_file:file { r_file_perms execute };
+allow ephemeral_app app_data_file:file { r_file_perms execute };
+
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
+
+# Allow the renderscript compiler to be run.
+domain_auto_trans(ephemeral_app, rs_exec, rs)
+
+# Allow loading and deleting shared libraries created by trusted system
+# components within an application home directory.
+allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
+
+# services
+allow ephemeral_app audioserver_service:service_manager find;
+allow ephemeral_app cameraserver_service:service_manager find;
+allow ephemeral_app mediaserver_service:service_manager find;
+allow ephemeral_app mediaextractor_service:service_manager find;
+allow ephemeral_app mediametrics_service:service_manager find;
+allow ephemeral_app mediadrmserver_service:service_manager find;
+allow ephemeral_app drmserver_service:service_manager find;
+allow ephemeral_app radio_service:service_manager find;
+allow ephemeral_app ephemeral_app_api_service:service_manager find;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(ephemeral_app)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(ephemeral_app)
+can_profile_perf(ephemeral_app)
+
+# allow ephemeral apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow ephemeral_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+allow ephemeral_app ashmem_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
+
+# Receive or send uevent messages.
+neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow ephemeral_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow ephemeral_app debugfs:file read;
+
+# execute gpu_device
+neverallow ephemeral_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/prebuilts/api/33.0/private/evsmanagerd.te b/prebuilts/api/33.0/private/evsmanagerd.te
new file mode 100644
index 0000000..3772628
--- /dev/null
+++ b/prebuilts/api/33.0/private/evsmanagerd.te
@@ -0,0 +1,39 @@
+# evsmanager
+typeattribute evsmanagerd coredomain;
+typeattribute evsmanagerd evsmanager_service_server;
+
+type evsmanagerd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(evsmanagerd);
+
+# Declares as a binder service
+binder_service(evsmanagerd)
+
+# Allows to add a service to service_manager
+add_service(evsmanagerd, evsmanagerd_service)
+
+# Allows to use the binder IPC
+binder_use(evsmanagerd)
+
+# Allows binder IPCs to the various system services
+binder_call(evsmanagerd, system_server)
+
+# Allows to use EVS HAL implementations
+hal_client_domain(evsmanagerd, hal_evs)
+
+# Allows to write messages to the shell
+allow evsmanagerd shell:fd use;
+allow evsmanagerd shell:fifo_file write;
+
+# Allows to use the graphics allocator
+allow evsmanagerd hal_graphics_allocator:fd use;
+
+# Allows to use a bootstrap statsd
+allow evsmanagerd statsbootstrap_service:service_manager find;
+
+# Allows binder IPCs to the CarService
+binder_call(evsmanagerd, appdomain)
+
+# For HIDL evs manager implementation
+allow evsmanagerd hal_evs_hwservice:hwservice_manager add;
+allow evsmanagerd hidl_base_hwservice:hwservice_manager add;
diff --git a/prebuilts/api/33.0/private/extra_free_kbytes.te b/prebuilts/api/33.0/private/extra_free_kbytes.te
new file mode 100644
index 0000000..af3088b
--- /dev/null
+++ b/prebuilts/api/33.0/private/extra_free_kbytes.te
@@ -0,0 +1,3 @@
+typeattribute extra_free_kbytes coredomain;
+
+init_daemon_domain(extra_free_kbytes)
diff --git a/prebuilts/api/33.0/private/fastbootd.te b/prebuilts/api/33.0/private/fastbootd.te
new file mode 100644
index 0000000..2c65281
--- /dev/null
+++ b/prebuilts/api/33.0/private/fastbootd.te
@@ -0,0 +1,48 @@
+typeattribute fastbootd coredomain;
+
+# The allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+ # Reboot the device
+ set_prop(fastbootd, powerctl_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(fastbootd, serialno_prop)
+
+ # Set sys.usb.ffs.ready.
+ get_prop(fastbootd, ffs_config_prop)
+ set_prop(fastbootd, ffs_control_prop)
+
+ userdebug_or_eng(`
+ get_prop(fastbootd, persistent_properties_ready_prop)
+ ')
+
+ set_prop(fastbootd, gsid_prop)
+
+ # Determine allocation scheme (whether B partitions needs to be
+ # at the second half of super.
+ get_prop(fastbootd, virtual_ab_prop)
+ get_prop(fastbootd, snapuserd_prop)
+
+ # Needed for TCP protocol
+ allow fastbootd node:tcp_socket node_bind;
+ allow fastbootd port:tcp_socket name_bind;
+ allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+
+ # Start snapuserd for merging VABC updates
+ set_prop(fastbootd, ctl_snapuserd_prop)
+
+ # Needed to communicate with snapuserd to complete merges.
+ allow fastbootd snapuserd_socket:sock_file write;
+ allow fastbootd snapuserd:unix_stream_socket connectto;
+ allow fastbootd dm_user_device:dir r_dir_perms;
+
+ # Get fastbootd protocol property
+ get_prop(fastbootd, fastbootd_protocol_prop)
+
+ # Mount /metadata to interact with Virtual A/B snapshots.
+ allow fastbootd labeledfs:filesystem { mount unmount };
+
+ # Needed for reading boot properties.
+ allow fastbootd proc_bootconfig:file r_file_perms;
+')
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
new file mode 100644
index 0000000..1afa50f
--- /dev/null
+++ b/prebuilts/api/33.0/private/file.te
@@ -0,0 +1,108 @@
+# /proc/config.gz
+type config_gz, fs_type, proc_type;
+
+# /data/misc/storaged
+type storaged_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/wmtrace for wm traces
+type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/a11ytrace for accessibility traces
+type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
+type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-configs for perfetto configs
+type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
+type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+
+# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
+type debugfs_kcov, fs_type, debugfs_type;
+
+# App executable files in /data/data directories
+type app_exec_data_file, file_type, data_file_type, core_data_file_type;
+typealias app_exec_data_file alias rs_data_file;
+
+# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
+# of application data.
+type rollback_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc_ce/checkin for checkin apps.
+type checkin_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/gsi/ota
+type ota_image_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/gsi_persistent_data
+type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/emergencynumberdb
+type emergency_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/profcollectd
+type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/apexdata/com.android.art
+type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
+# /data/misc/apexdata/com.android.art/staging
+type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/apexdata/com.android.compos
+type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
+# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
+# for backward compatibility b/217581286
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
+# /data/font/files
+type font_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/dmesgd
+type dmesgd_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/odrefresh
+type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/odsign
+type odsign_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/odsign_metrics
+type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/virtualizationservice
+type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/system/environ
+type environ_system_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/bootanim
+type bootanim_data_file, file_type, data_file_type, core_data_file_type;
+
+# /dev/kvm
+type kvm_device, dev_type;
+
+# /apex/com.android.virt/bin/fd_server
+type fd_server_exec, system_file_type, exec_type, file_type;
+
+# /apex/com.android.compos/bin/compsvc
+type compos_exec, exec_type, file_type, system_file_type;
+# /apex/com.android.compos/bin/compos_key_helper
+type compos_key_helper_exec, exec_type, file_type, system_file_type;
+
+# /metadata/sepolicy
+type sepolicy_metadata_file, file_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
diff --git a/prebuilts/api/33.0/private/file_contexts b/prebuilts/api/33.0/private/file_contexts
new file mode 100644
index 0000000..af51799
--- /dev/null
+++ b/prebuilts/api/33.0/private/file_contexts
@@ -0,0 +1,843 @@
+###########################################
+# Root
+/ u:object_r:rootfs:s0
+
+# Data files
+/adb_keys u:object_r:adb_keys_file:s0
+/build\.prop u:object_r:rootfs:s0
+/default\.prop u:object_r:rootfs:s0
+/fstab\..* u:object_r:rootfs:s0
+/init\..* u:object_r:rootfs:s0
+/res(/.*)? u:object_r:rootfs:s0
+/selinux_version u:object_r:rootfs:s0
+/ueventd\..* u:object_r:rootfs:s0
+/verity_key u:object_r:rootfs:s0
+
+# Executables
+/init u:object_r:init_exec:s0
+/sbin(/.*)? u:object_r:rootfs:s0
+
+# For kernel modules
+/lib(/.*)? u:object_r:rootfs:s0
+/system_dlkm(/.*)? u:object_r:system_dlkm_file:s0
+
+# Empty directories
+/lost\+found u:object_r:rootfs:s0
+/acct u:object_r:cgroup:s0
+/config u:object_r:rootfs:s0
+/data_mirror u:object_r:mirror_data_file:s0
+/debug_ramdisk u:object_r:tmpfs:s0
+/mnt u:object_r:tmpfs:s0
+/proc u:object_r:rootfs:s0
+/second_stage_resources u:object_r:tmpfs:s0
+/sys u:object_r:sysfs:s0
+/apex u:object_r:apex_mnt_dir:s0
+
+# Postinstall directories
+/postinstall u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
+
+/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
+
+# Symlinks
+/bin u:object_r:rootfs:s0
+/bugreports u:object_r:rootfs:s0
+/charger u:object_r:rootfs:s0
+/d u:object_r:rootfs:s0
+/etc u:object_r:rootfs:s0
+/sdcard u:object_r:rootfs:s0
+
+# SELinux policy files
+/vendor_file_contexts u:object_r:file_contexts_file:s0
+/plat_file_contexts u:object_r:file_contexts_file:s0
+/product_file_contexts u:object_r:file_contexts_file:s0
+/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_property_contexts u:object_r:property_contexts_file:s0
+/product_property_contexts u:object_r:property_contexts_file:s0
+/vendor_property_contexts u:object_r:property_contexts_file:s0
+/seapp_contexts u:object_r:seapp_contexts_file:s0
+/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/sepolicy u:object_r:sepolicy_file:s0
+/plat_service_contexts u:object_r:service_contexts_file:s0
+/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
+/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
+/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vndservice_contexts u:object_r:vndservice_contexts_file:s0
+
+##########################
+# Devices
+#
+/dev(/.*)? u:object_r:device:s0
+/dev/adf[0-9]* u:object_r:graphics_device:s0
+/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
+/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
+/dev/ashmem u:object_r:ashmem_device:s0
+/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
+/dev/audio.* u:object_r:audio_device:s0
+/dev/binder u:object_r:binder_device:s0
+/dev/block(/.*)? u:object_r:block_device:s0
+/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
+/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
+/dev/block/vold/.+ u:object_r:vold_device:s0
+/dev/block/ram[0-9]* u:object_r:ram_device:s0
+/dev/block/zram[0-9]* u:object_r:ram_device:s0
+/dev/boringssl/selftest(/.*)? u:object_r:boringssl_self_test_marker:s0
+/dev/bus/usb(.*)? u:object_r:usb_device:s0
+/dev/console u:object_r:console_device:s0
+/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
+/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
+/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
+/dev/device-mapper u:object_r:dm_device:s0
+/dev/eac u:object_r:audio_device:s0
+/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
+/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
+/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
+/dev/fuse u:object_r:fuse_device:s0
+/dev/gnss[0-9]+ u:object_r:gnss_device:s0
+/dev/graphics(/.*)? u:object_r:graphics_device:s0
+/dev/hw_random u:object_r:hw_random_device:s0
+/dev/hwbinder u:object_r:hwbinder_device:s0
+/dev/input(/.*)? u:object_r:input_device:s0
+/dev/iio:device[0-9]+ u:object_r:iio_device:s0
+/dev/ion u:object_r:ion_device:s0
+/dev/keychord u:object_r:keychord_device:s0
+/dev/loop-control u:object_r:loop_control_device:s0
+/dev/modem.* u:object_r:radio_device:s0
+/dev/mtp_usb u:object_r:mtp_device:s0
+/dev/pmsg0 u:object_r:pmsg_device:s0
+/dev/pn544 u:object_r:nfc_device:s0
+/dev/port u:object_r:port_device:s0
+/dev/ppp u:object_r:ppp_device:s0
+/dev/ptmx u:object_r:ptmx_device:s0
+/dev/pvrsrvkm u:object_r:gpu_device:s0
+/dev/kmsg u:object_r:kmsg_device:s0
+/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
+/dev/kvm u:object_r:kvm_device:s0
+/dev/null u:object_r:null_device:s0
+/dev/nvhdcp1 u:object_r:video_device:s0
+/dev/random u:object_r:random_device:s0
+/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
+/dev/rproc_user u:object_r:rpmsg_device:s0
+/dev/rtc[0-9] u:object_r:rtc_device:s0
+/dev/snd(/.*)? u:object_r:audio_device:s0
+/dev/socket(/.*)? u:object_r:socket_device:s0
+/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
+/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
+/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
+/dev/socket/lmkd u:object_r:lmkd_socket:s0
+/dev/socket/logd u:object_r:logd_socket:s0
+/dev/socket/logdr u:object_r:logdr_socket:s0
+/dev/socket/logdw u:object_r:logdw_socket:s0
+/dev/socket/statsdw u:object_r:statsdw_socket:s0
+/dev/socket/mdns u:object_r:mdns_socket:s0
+/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
+/dev/socket/mtpd u:object_r:mtpd_socket:s0
+/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
+/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
+/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
+/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
+/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/racoon u:object_r:racoon_socket:s0
+/dev/socket/recovery u:object_r:recovery_socket:s0
+/dev/socket/rild u:object_r:rild_socket:s0
+/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/snapuserd u:object_r:snapuserd_socket:s0
+/dev/socket/snapuserd_proxy u:object_r:snapuserd_proxy_socket:s0
+/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
+/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
+/dev/socket/traced_perf u:object_r:traced_perf_socket:s0
+/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
+/dev/socket/heapprofd u:object_r:heapprofd_socket:s0
+/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
+/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
+/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
+/dev/socket/zygote u:object_r:zygote_socket:s0
+/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
+/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/sys/block/by-name/rootdisk(/.*)? u:object_r:rootdisk_sysdev:s0
+/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
+/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
+/dev/tty u:object_r:owntty_device:s0
+/dev/tty[0-9]* u:object_r:tty_device:s0
+/dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/ttyUSB[0-9]* u:object_r:usb_serial_device:s0
+/dev/ttyACM[0-9]* u:object_r:usb_serial_device:s0
+/dev/tun u:object_r:tun_device:s0
+/dev/uhid u:object_r:uhid_device:s0
+/dev/uinput u:object_r:uhid_device:s0
+/dev/uio[0-9]* u:object_r:uio_device:s0
+/dev/urandom u:object_r:random_device:s0
+/dev/usb_accessory u:object_r:usbaccessory_device:s0
+/dev/v4l-touch[0-9]* u:object_r:input_device:s0
+/dev/vhost-vsock u:object_r:kvm_device:s0
+/dev/video[0-9]* u:object_r:video_device:s0
+/dev/vndbinder u:object_r:vndbinder_device:s0
+/dev/watchdog u:object_r:watchdog_device:s0
+/dev/xt_qtaguid u:object_r:qtaguid_device:s0
+/dev/zero u:object_r:zero_device:s0
+/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/property_info u:object_r:property_info:s0
+#############################
+# Linker configuration
+#
+/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
+
+# Apex sepoolicy files.
+/dev/selinux/apex_file_contexts u:object_r:file_contexts_file:s0
+/dev/selinux/apex_seapp_contexts u:object_r:seapp_contexts_file:s0
+/dev/selinux/apex_service_contexts u:object_r:service_contexts_file:s0
+/dev/selinux/apex_property_contexts u:object_r:property_contexts_file:s0
+/dev/selinux/apex_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/dev/selinux/apex_mac_permissions\.xml u:object_r:mac_perms_file:s0
+
+#############################
+# System files
+#
+/system(/.*)? u:object_r:system_file:s0
+/system/apex/com.android.art u:object_r:art_apex_dir:s0
+/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
+/system/bin/mm_events u:object_r:mm_events_exec:s0
+/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/auditctl u:object_r:auditctl_exec:s0
+/system/bin/bcc u:object_r:rs_exec:s0
+/system/bin/blank_screen u:object_r:blank_screen_exec:s0
+/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/system/bin/charger u:object_r:charger_exec:s0
+/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
+/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
+/system/bin/mke2fs u:object_r:e2fs_exec:s0
+/system/bin/e2fsck -- u:object_r:fsck_exec:s0
+/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
+/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
+/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/init u:object_r:init_exec:s0
+# TODO(/123600489): merge mini-keyctl into toybox
+/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
+/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
+/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
+/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
+/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
+/system/bin/tcpdump -- u:object_r:tcpdump_exec:s0
+/system/bin/tune2fs -- u:object_r:fsck_exec:s0
+/system/bin/resize2fs -- u:object_r:fsck_exec:s0
+/system/bin/toolbox -- u:object_r:toolbox_exec:s0
+/system/bin/toybox -- u:object_r:toolbox_exec:s0
+/system/bin/ld\.mc u:object_r:rs_exec:s0
+/system/bin/logcat -- u:object_r:logcat_exec:s0
+/system/bin/logcatd -- u:object_r:logcat_exec:s0
+/system/bin/sh -- u:object_r:shell_exec:s0
+/system/bin/run-as -- u:object_r:runas_exec:s0
+/system/bin/bootanimation u:object_r:bootanim_exec:s0
+/system/bin/bootstat u:object_r:bootstat_exec:s0
+/system/bin/app_process32 u:object_r:zygote_exec:s0
+/system/bin/app_process64 u:object_r:zygote_exec:s0
+/system/bin/servicemanager u:object_r:servicemanager_exec:s0
+/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/system/bin/gpuservice u:object_r:gpuservice_exec:s0
+/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
+/system/bin/performanced u:object_r:performanced_exec:s0
+/system/bin/drmserver u:object_r:drmserver_exec:s0
+/system/bin/dumpstate u:object_r:dumpstate_exec:s0
+/system/bin/incident u:object_r:incident_exec:s0
+/system/bin/incidentd u:object_r:incidentd_exec:s0
+/system/bin/incident_helper u:object_r:incident_helper_exec:s0
+/system/bin/iw u:object_r:iw_exec:s0
+/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
+/system/bin/vold u:object_r:vold_exec:s0
+/system/bin/netd u:object_r:netd_exec:s0
+/system/bin/wificond u:object_r:wificond_exec:s0
+/system/bin/audioserver u:object_r:audioserver_exec:s0
+/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
+/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/mediametrics u:object_r:mediametrics_exec:s0
+/system/bin/cameraserver u:object_r:cameraserver_exec:s0
+/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
+/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
+/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
+/system/bin/mediatuner u:object_r:mediatuner_exec:s0
+/system/bin/mdnsd u:object_r:mdnsd_exec:s0
+/system/bin/installd u:object_r:installd_exec:s0
+/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
+/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
+/system/bin/credstore u:object_r:credstore_exec:s0
+/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/keystore2 u:object_r:keystore_exec:s0
+/system/bin/diced u:object_r:diced_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
+/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
+/system/bin/tombstoned u:object_r:tombstoned_exec:s0
+/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
+/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
+/system/bin/sdcard u:object_r:sdcardd_exec:s0
+/system/bin/snapshotctl u:object_r:snapshotctl_exec:s0
+/system/bin/remount u:object_r:remount_exec:s0
+/system/bin/dhcpcd u:object_r:dhcp_exec:s0
+/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
+/system/bin/dmesgd u:object_r:dmesgd_exec:s0
+/system/bin/mtpd u:object_r:mtp_exec:s0
+/system/bin/pppd u:object_r:ppp_exec:s0
+/system/bin/racoon u:object_r:racoon_exec:s0
+/system/xbin/su u:object_r:su_exec:s0
+/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
+/system/bin/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
+/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
+/system/bin/llkd u:object_r:llkd_exec:s0
+/system/bin/lmkd u:object_r:lmkd_exec:s0
+/system/bin/usbd u:object_r:usbd_exec:s0
+/system/bin/inputflinger u:object_r:inputflinger_exec:s0
+/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/lpdumpd u:object_r:lpdumpd_exec:s0
+/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
+/system/bin/perfetto u:object_r:perfetto_exec:s0
+/system/bin/mtectrl u:object_r:mtectrl_exec:s0
+/system/bin/traced u:object_r:traced_exec:s0
+/system/bin/traced_perf u:object_r:traced_perf_exec:s0
+/system/bin/traced_probes u:object_r:traced_probes_exec:s0
+/system/bin/heapprofd u:object_r:heapprofd_exec:s0
+/system/bin/uncrypt u:object_r:uncrypt_exec:s0
+/system/bin/update_verifier u:object_r:update_verifier_exec:s0
+/system/bin/logwrapper u:object_r:system_file:s0
+/system/bin/vdc u:object_r:vdc_exec:s0
+/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
+/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
+/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
+/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
+/system/bin/iorapd u:object_r:iorapd_exec:s0
+/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
+/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
+/system/bin/sgdisk u:object_r:sgdisk_exec:s0
+/system/bin/blkid u:object_r:blkid_exec:s0
+/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
+/system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
+/system/bin/update_engine u:object_r:update_engine_exec:s0
+/system/bin/profcollectd u:object_r:profcollectd_exec:s0
+/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
+/system/bin/storaged u:object_r:storaged_exec:s0
+/system/bin/wpantund u:object_r:wpantund_exec:s0
+/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
+/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
+/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
+/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
+/system/etc/group u:object_r:system_group_file:s0
+/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
+/system/etc/passwd u:object_r:system_passwd_file:s0
+/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
+/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
+/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
+/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
+/system/bin/adbd u:object_r:adbd_exec:s0
+/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
+/system/bin/stats u:object_r:stats_exec:s0
+/system/bin/statsd u:object_r:statsd_exec:s0
+/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+/system/bin/btfloader u:object_r:bpfloader_exec:s0
+/system/bin/watchdogd u:object_r:watchdogd_exec:s0
+/system/bin/apexd u:object_r:apexd_exec:s0
+/system/bin/gsid u:object_r:gsid_exec:s0
+/system/bin/simpleperf u:object_r:simpleperf_exec:s0
+/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
+/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
+/system/bin/snapuserd u:object_r:snapuserd_exec:s0
+/system/bin/odsign u:object_r:odsign_exec:s0
+/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
+/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
+/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
+/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
+
+#############################
+# Vendor files
+#
+/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
+/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
+/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
+/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
+/(vendor|system/vendor)/manifest\.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/priv-app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+
+/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
+/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
+/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+
+/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
+
+#############################
+# OEM and ODM files
+#
+/(odm|vendor/odm)(/.*)? u:object_r:vendor_file:s0
+/(odm|vendor/odm)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+/(odm|vendor/odm)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+/(odm|vendor/odm)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+/(odm|vendor/odm)/bin/sh u:object_r:vendor_shell_exec:s0
+/(odm|vendor/odm)/etc(/.*)? u:object_r:vendor_configs_file:s0
+/(odm|vendor/odm)/app(/.*)? u:object_r:vendor_app_file:s0
+/(odm|vendor/odm)/priv-app(/.*)? u:object_r:vendor_app_file:s0
+/(odm|vendor/odm)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
+
+# secure-element service: vendor uuid mapping config file
+/(odm|vendor/odm|vendor|system/vendor)/etc/hal_uuid_map_(.*)?\.xml u:object_r:vendor_uuid_mapping_config_file:s0
+
+
+# Input configuration
+/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
+
+/oem(/.*)? u:object_r:oemfs:s0
+/oem/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+
+# The precompiled monolithic sepolicy will be under /odm only when
+# BOARD_USES_ODMIMAGE is true: a separate odm.img is built.
+/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
+/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
+
+/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
+
+#############################
+# Product files
+#
+/(product|system/product)(/.*)? u:object_r:system_file:s0
+/(product|system/product)/etc/group u:object_r:system_group_file:s0
+/(product|system/product)/etc/passwd u:object_r:system_passwd_file:s0
+/(product|system/product)/overlay(/.*)? u:object_r:system_file:s0
+
+/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
+/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(product|system/product)/etc/selinux/product_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
+/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
+/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
+/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
+/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
+
+/(product|system/product)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+
+#############################
+# SystemExt files
+#
+/(system_ext|system/system_ext)(/.*)? u:object_r:system_file:s0
+/(system_ext|system/system_ext)/etc/group u:object_r:system_group_file:s0
+/(system_ext|system/system_ext)/etc/passwd u:object_r:system_passwd_file:s0
+/(system_ext|system/system_ext)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+
+/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts u:object_r:file_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts u:object_r:property_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(system_ext|system/system_ext)/etc/selinux/userdebug_plat_sepolicy\.cil u:object_r:sepolicy_file:s0
+
+/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
+
+/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+
+#############################
+# VendorDlkm files
+# This includes VENDOR Dynamically Loadable Kernel Modules and other misc files.
+#
+/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)(/.*)? u:object_r:vendor_file:s0
+/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)/etc(/.*)? u:object_r:vendor_configs_file:s0
+
+#############################
+# OdmDlkm files
+# This includes ODM Dynamically Loadable Kernel Modules and other misc files.
+#
+/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)(/.*)? u:object_r:vendor_file:s0
+/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)/etc(/.*)? u:object_r:vendor_configs_file:s0
+
+#############################
+# Vendor files from /(product|system/product)/vendor_overlay
+#
+# NOTE: For additional vendor file contexts for vendor overlay files,
+# use device specific file_contexts.
+#
+/(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0
+
+#############################
+# Data files
+#
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
+/data u:object_r:system_data_root_file:s0
+/data/(.*)? u:object_r:system_data_file:s0
+/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
+/data/system/packages\.list u:object_r:packages_list_file:s0
+/data/system/game_mode_intervention\.list u:object_r:game_mode_intervention_list_file:s0
+/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
+/data/backup(/.*)? u:object_r:backup_data_file:s0
+/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
+/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
+/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
+/data/drm(/.*)? u:object_r:drm_data_file:s0
+/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
+/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/ota(/.*)? u:object_r:ota_data_file:s0
+/data/ota_package(/.*)? u:object_r:ota_package_file:s0
+/data/adb(/.*)? u:object_r:adb_data_file:s0
+/data/anr(/.*)? u:object_r:anr_data_file:s0
+/data/apex(/.*)? u:object_r:apex_data_file:s0
+/data/apex/active/(.*)? u:object_r:staging_data_file:s0
+/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
+/data/apex/decompressed/(.*)? u:object_r:staging_data_file:s0
+/data/apex/ota_reserved(/.*)? u:object_r:apex_ota_reserved_file:s0
+/data/app(/.*)? u:object_r:apk_data_file:s0
+# Traditional /data/app/[packageName]-[randomString]/base.apk location
+/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+# /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
+/data/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
+/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
+/data/gsi(/.*)? u:object_r:gsi_data_file:s0
+/data/gsi_persistent_data u:object_r:gsi_persistent_data_file:s0
+/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
+/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
+/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
+/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
+/data/local/traces(/.*)? u:object_r:trace_data_file:s0
+/data/media(/.*)? u:object_r:media_rw_data_file:s0
+/data/mediadrm(/.*)? u:object_r:media_data_file:s0
+/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
+/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
+# This directory was removed after Q Beta 2, but we need to preserve labels for upgrading devices.
+/data/pkg_staging(/.*)? u:object_r:staging_data_file:s0
+/data/property(/.*)? u:object_r:property_data_file:s0
+/data/preloads(/.*)? u:object_r:preloads_data_file:s0
+/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
+/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
+/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
+/data/app-staging(/.*)? u:object_r:staging_data_file:s0
+# Ensure we have the same labels as /data/app or /data/apex/active
+# to avoid restorecon conflicts
+/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
+/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
+/data/fonts/files(/.*)? u:object_r:font_data_file:s0
+
+# Misc data
+/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
+/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
+/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
+/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
+/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0
+/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
+/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
+/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
+/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
+/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
+/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
+/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
+/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
+/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
+/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
+/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
+/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/dhcp-6\.8\.2(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/dmesgd(/.*)? u:object_r:dmesgd_data_file:s0
+/data/misc/emergencynumberdb(/.*)? u:object_r:emergency_data_file:s0
+/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
+/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
+/data/misc/installd(/.*)? u:object_r:install_data_file:s0
+/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
+/data/misc/credstore(/.*)? u:object_r:credstore_data_file:s0
+/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
+/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
+/data/misc/media(/.*)? u:object_r:media_data_file:s0
+/data/misc/net(/.*)? u:object_r:net_data_file:s0
+/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
+/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
+/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
+/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
+/data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
+/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
+/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
+/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
+/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0
+/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
+/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
+/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/snapshotctl_log(/.*)? u:object_r:snapshotctl_log_data_file:s0
+/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
+/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
+/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
+/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
+/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
+/data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
+/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
+/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
+/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
+/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
+/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
+/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
+/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
+/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
+/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
+/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
+/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
+/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/[0-9]+)? u:object_r:user_profile_root_file:s0
+/data/misc/profiles/cur/[0-9]+/.* u:object_r:user_profile_data_file:s0
+/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
+/data/vendor(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0
+
+# storaged proto files
+/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
+/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
+
+# checkin data files
+/data/misc_ce/[0-9]+/checkin(/.*)? u:object_r:checkin_data_file:s0
+
+# Fingerprint data
+/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+
+# Fingerprint vendor data file
+/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+
+# Face vendor data file
+/data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+
+# Iris vendor data file
+/data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
+
+# Bootchart data
+/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+
+# App data snapshots (managed by installd).
+/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
+/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
+
+# Apex data directories
+/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
+
+# Apex rollback directories
+/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+
+# Incremental directories
+/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
+
+# Boot animation data
+/data/bootanim(/.*)? u:object_r:bootanim_data_file:s0
+#############################
+# Expanded data files
+#
+/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
+/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
+/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
+/mnt/expand/[^/]+/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
+
+# coredump directory for userdebug/eng devices
+/cores(/.*)? u:object_r:coredump_file:s0
+
+# Wallpaper files
+/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
+
+# Ringtone files
+/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
+
+# ShortcutManager icons, e.g.
+# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
+/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
+
+# User icon files
+/data/system/users/[0-9]+/photo\.png u:object_r:icon_file:s0
+
+# vold per-user data
+/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
+/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
+
+# iorapd per-user data
+/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
+
+# Backup service persistent per-user bookkeeping
+/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
+# Backup service temporary per-user data for inter-change with apps
+/data/system_ce/[0-9]+/backup_stage(/.*)? u:object_r:backup_data_file:s0
+
+#############################
+# efs files
+#
+/efs(/.*)? u:object_r:efs_file:s0
+
+#############################
+# Cache files
+#
+/cache(/.*)? u:object_r:cache_file:s0
+/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+
+#############################
+# Overlayfs support directories
+#
+/cache/overlay(/.*)? u:object_r:overlayfs_file:s0
+/mnt/scratch(/.*)? u:object_r:overlayfs_file:s0
+
+/data/cache(/.*)? u:object_r:cache_file:s0
+/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+
+#############################
+# Metadata files
+#
+/metadata(/.*)? u:object_r:metadata_file:s0
+/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
+/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
+/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
+/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
+/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
+/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
+/metadata/sepolicy(/.*)? u:object_r:sepolicy_metadata_file:s0
+/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
+/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
+/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
+
+#############################
+# asec containers
+/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
+/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
+/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
+/data/app-asec(/.*)? u:object_r:asec_image_file:s0
+
+#############################
+# external storage
+/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
+/mnt/user(/.*)? u:object_r:mnt_user_file:s0
+/mnt/pass_through(/.*)? u:object_r:mnt_pass_through_file:s0
+/mnt/sdcard u:object_r:mnt_sdcard_file:s0
+/mnt/runtime(/.*)? u:object_r:storage_file:s0
+/storage(/.*)? u:object_r:storage_file:s0
+
+#############################
+# mount point for read-write vendor partitions
+/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
+
+#############################
+# mount point for read-write product partitions
+/mnt/product(/.*)? u:object_r:mnt_product_file:s0
+
+#############################
+# /postinstall file contexts
+/(system|product)/bin/check_dynamic_partitions u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt_script u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt u:object_r:postinstall_dexopt_exec:s0
diff --git a/prebuilts/api/33.0/private/file_contexts_asan b/prebuilts/api/33.0/private/file_contexts_asan
new file mode 100644
index 0000000..fd083c2
--- /dev/null
+++ b/prebuilts/api/33.0/private/file_contexts_asan
@@ -0,0 +1,16 @@
+/data/asan/system/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/system/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/vendor/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/vendor/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/odm/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/product/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/product/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/system/system_ext/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/system/system_ext/lib64(/.*)? u:object_r:system_lib_file:s0
+/system/asan.options u:object_r:system_asan_options_file:s0
+/system/bin/asan_extract u:object_r:asan_extract_exec:s0
+/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
+/system/bin/asan/app_process u:object_r:zygote_exec:s0
+/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
+/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
diff --git a/prebuilts/api/33.0/private/file_contexts_overlayfs b/prebuilts/api/33.0/private/file_contexts_overlayfs
new file mode 100644
index 0000000..e472fad
--- /dev/null
+++ b/prebuilts/api/33.0/private/file_contexts_overlayfs
@@ -0,0 +1,9 @@
+#############################
+# Overlayfs support directories for userdebug/eng devices
+#
+/cache/overlay/(system|product)/upper u:object_r:system_file:s0
+/cache/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
+/cache/overlay/oem/upper u:object_r:vendor_file:s0
+/mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0
+/mnt/scratch/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
+/mnt/scratch/overlay/oem/upper u:object_r:vendor_file:s0
diff --git a/prebuilts/api/33.0/private/fingerprintd.te b/prebuilts/api/33.0/private/fingerprintd.te
new file mode 100644
index 0000000..eb73ef8
--- /dev/null
+++ b/prebuilts/api/33.0/private/fingerprintd.te
@@ -0,0 +1,3 @@
+typeattribute fingerprintd coredomain;
+
+init_daemon_domain(fingerprintd)
diff --git a/prebuilts/api/33.0/private/flags_health_check.te b/prebuilts/api/33.0/private/flags_health_check.te
new file mode 100644
index 0000000..54ecd45
--- /dev/null
+++ b/prebuilts/api/33.0/private/flags_health_check.te
@@ -0,0 +1,38 @@
+typeattribute flags_health_check coredomain;
+
+init_daemon_domain(flags_health_check)
+
+set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_reset_performed_prop)
+set_prop(flags_health_check, device_config_runtime_native_boot_prop)
+set_prop(flags_health_check, device_config_runtime_native_prop)
+set_prop(flags_health_check, device_config_input_native_boot_prop)
+set_prop(flags_health_check, device_config_lmkd_native_prop)
+set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_nnapi_native_prop)
+set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_mglru_native_prop)
+set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
+set_prop(flags_health_check, device_config_statsd_native_prop)
+set_prop(flags_health_check, device_config_statsd_native_boot_prop)
+set_prop(flags_health_check, device_config_storage_native_boot_prop)
+set_prop(flags_health_check, device_config_swcodec_native_prop)
+set_prop(flags_health_check, device_config_sys_traced_prop)
+set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_configuration_prop)
+set_prop(flags_health_check, device_config_connectivity_prop)
+set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
+
+# system property device_config_boot_count_prop is used for deciding when to perform server
+# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
+# wrong timing, trigger server configurable flag related disaster recovery, which will override
+# server configured values of all flags with default values.
+neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
+
+# system property device_config_reset_performed_prop is used for indicating whether server
+# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
diff --git a/prebuilts/api/33.0/private/fs_use b/prebuilts/api/33.0/private/fs_use
new file mode 100644
index 0000000..93d7f1b
--- /dev/null
+++ b/prebuilts/api/33.0/private/fs_use
@@ -0,0 +1,27 @@
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
+fs_use_xattr overlay u:object_r:labeledfs:s0;
+fs_use_xattr erofs u:object_r:labeledfs:s0;
+fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
+fs_use_xattr virtiofs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
diff --git a/prebuilts/api/33.0/private/fsck.te b/prebuilts/api/33.0/private/fsck.te
new file mode 100644
index 0000000..f8e09b6
--- /dev/null
+++ b/prebuilts/api/33.0/private/fsck.te
@@ -0,0 +1,5 @@
+typeattribute fsck coredomain;
+
+init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
diff --git a/prebuilts/api/33.0/private/fsck_untrusted.te b/prebuilts/api/33.0/private/fsck_untrusted.te
new file mode 100644
index 0000000..9a57bf0
--- /dev/null
+++ b/prebuilts/api/33.0/private/fsck_untrusted.te
@@ -0,0 +1 @@
+typeattribute fsck_untrusted coredomain;
diff --git a/prebuilts/api/33.0/private/fsverity_init.te b/prebuilts/api/33.0/private/fsverity_init.te
new file mode 100644
index 0000000..e069233
--- /dev/null
+++ b/prebuilts/api/33.0/private/fsverity_init.te
@@ -0,0 +1,24 @@
+type fsverity_init, domain, coredomain;
+type fsverity_init_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(fsverity_init)
+
+# Allow to read /proc/keys for searching key id.
+allow fsverity_init proc_keys:file r_file_perms;
+
+# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
+dontaudit fsverity_init domain:key view;
+allow fsverity_init kernel:key { view search write setattr };
+allow fsverity_init fsverity_init:key { view search write };
+
+# Allow init to write to /proc/sys/fs/verity/require_signatures
+allow fsverity_init proc_fs_verity:file w_file_perms;
+
+# Read the on-device signing certificate, to be able to add it to the keyring
+allow fsverity_init odsign:fd use;
+allow fsverity_init odsign_data_file:file { getattr read };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit fsverity_init kernel:system module_request;
diff --git a/prebuilts/api/33.0/private/fwk_bufferhub.te b/prebuilts/api/33.0/private/fwk_bufferhub.te
new file mode 100644
index 0000000..5286f3e
--- /dev/null
+++ b/prebuilts/api/33.0/private/fwk_bufferhub.te
@@ -0,0 +1,7 @@
+type fwk_bufferhub, domain, coredomain;
+type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
+
+hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
+allow fwk_bufferhub ion_device:chr_file r_file_perms;
+
+init_daemon_domain(fwk_bufferhub)
diff --git a/prebuilts/api/33.0/private/gatekeeperd.te b/prebuilts/api/33.0/private/gatekeeperd.te
new file mode 100644
index 0000000..2fb88a3
--- /dev/null
+++ b/prebuilts/api/33.0/private/gatekeeperd.te
@@ -0,0 +1,6 @@
+typeattribute gatekeeperd coredomain;
+
+init_daemon_domain(gatekeeperd)
+
+# For checking whether GSI is running
+get_prop(gatekeeperd, gsid_prop)
diff --git a/prebuilts/api/33.0/private/genfs_contexts b/prebuilts/api/33.0/private/genfs_contexts
new file mode 100644
index 0000000..1c604fc
--- /dev/null
+++ b/prebuilts/api/33.0/private/genfs_contexts
@@ -0,0 +1,399 @@
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
+genfscon proc /cmdline u:object_r:proc_cmdline:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
+genfscon proc /diskstats u:object_r:proc_diskstats:s0
+genfscon proc /filesystems u:object_r:proc_filesystems:s0
+genfscon proc /interrupts u:object_r:proc_interrupts:s0
+genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
+genfscon proc /keys u:object_r:proc_keys:s0
+genfscon proc /kmsg u:object_r:proc_kmsg:s0
+genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /locks u:object_r:proc_locks:s0
+genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
+genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
+genfscon proc /mounts u:object_r:proc_mounts:s0
+genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
+genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
+genfscon proc /pressure/io u:object_r:proc_pressure_io:s0
+genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0
+genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
+genfscon proc /softirqs u:object_r:proc_timer:s0
+genfscon proc /stat u:object_r:proc_stat:s0
+genfscon proc /swaps u:object_r:proc_swaps:s0
+genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
+genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
+genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
+genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/random u:object_r:proc_random:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
+genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
+genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
+genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
+genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
+genfscon proc /timer_list u:object_r:proc_timer:s0
+genfscon proc /timer_stats u:object_r:proc_timer:s0
+genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
+genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
+genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
+genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
+genfscon proc /uptime u:object_r:proc_uptime:s0
+genfscon proc /version u:object_r:proc_version:s0
+genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0
+
+genfscon fusectl / u:object_r:fusectlfs:s0
+
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_v2:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/gpu u:object_r:sysfs_gpu:s0
+genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /class/net u:object_r:sysfs_net:s0
+genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
+genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
+genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
+genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
+genfscon sysfs /fs/fuse/bpf_prog_type_fuse u:object_r:sysfs_fs_fuse_bpf:s0
+genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
+genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
+genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
+genfscon sysfs /power/state u:object_r:sysfs_power:s0
+genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
+genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
+genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
+genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
+genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
+genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
+genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
+genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0
+genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
+genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
+genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
+genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
+genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
+genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
+
+genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
+genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
+genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
+genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
+genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
+genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
+genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
+genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+
+genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /synthetic_events u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/synthetic_events u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
+
+genfscon securityfs / u:object_r:securityfs:s0
+
+genfscon binder /binder u:object_r:binder_device:s0
+genfscon binder /hwbinder u:object_r:hwbinder_device:s0
+genfscon binder /vndbinder u:object_r:vndbinder_device:s0
+genfscon binder /binder_logs u:object_r:binderfs_logs:s0
+genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+genfscon binder /features u:object_r:binderfs_features:s0
+
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:vfat:s0
+genfscon binder / u:object_r:binderfs:s0
+genfscon exfat / u:object_r:exfat:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon esdfs / u:object_r:sdcardfs:s0
+genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0
+genfscon usbfs / u:object_r:usbfs:s0
+genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
+genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
diff --git a/prebuilts/api/33.0/private/gki_apex_prepostinstall.te b/prebuilts/api/33.0/private/gki_apex_prepostinstall.te
new file mode 100644
index 0000000..1155389
--- /dev/null
+++ b/prebuilts/api/33.0/private/gki_apex_prepostinstall.te
@@ -0,0 +1,23 @@
+# GKI pre- & post-install hooks.
+#
+# Allow to run pre- and post-install hooks for GKI APEXes
+
+type gki_apex_prepostinstall, domain, coredomain;
+type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+# Execute /system/bin/sh.
+allow gki_apex_prepostinstall shell_exec:file rx_file_perms;
+
+# Execute various toolsbox utilities.
+allow gki_apex_prepostinstall toolbox_exec:file rx_file_perms;
+
+# Allow preinstall.sh to execute update_engine_stable_client binary.
+allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
+
+# Allow preinstall hook to communicate with update_engine to execute update.
+binder_use(gki_apex_prepostinstall)
+allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
+binder_call(gki_apex_prepostinstall, update_engine)
+
+# /dev/zero is inherited although it is not used. See b/126787589.
+allow gki_apex_prepostinstall apexd:fd use;
diff --git a/prebuilts/api/33.0/private/gmscore_app.te b/prebuilts/api/33.0/private/gmscore_app.te
new file mode 100644
index 0000000..2198c15
--- /dev/null
+++ b/prebuilts/api/33.0/private/gmscore_app.te
@@ -0,0 +1,176 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+typeattribute gmscore_app coredomain;
+
+app_domain(gmscore_app)
+
+# TODO(b/217368496): remove this.
+perfetto_producer(gmscore_app)
+can_profile_heap(gmscore_app)
+can_profile_perf(gmscore_app)
+
+allow gmscore_app sysfs_type:dir search;
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(gmscore_app, sysfs_zram)
+
+r_dir_file(gmscore_app, rootfs)
+
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow gmscore_app config_gz:file { open read getattr };
+
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(gmscore_app, update_engine)
+allow gmscore_app update_engine_service:service_manager find;
+
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(gmscore_app, storaged)
+allow gmscore_app storaged_service:service_manager find;
+
+# Allow GMS core to access system_update_service (e.g. to publish pending
+# system update info).
+allow gmscore_app system_update_service:service_manager find;
+
+# Allow GMS core to communicate with statsd.
+binder_call(gmscore_app, statsd)
+
+# Allow GMS core to receive Perfetto traces through the framework
+# (i.e. TracingServiceProxy) and sendfile them into its private directory
+# for reporting when network and battery conditions are appropriate.
+allow gmscore_app perfetto:fd use;
+allow gmscore_app perfetto_traces_data_file:file { read getattr };
+
+# Allow GMS core to generate unique hardware IDs
+allow gmscore_app keystore:keystore_key gen_unique_id;
+allow gmscore_app keystore:keystore2_key gen_unique_id;
+
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow gmscore_app selinuxfs:file r_file_perms;
+
+# suppress denials for non-API accesses.
+dontaudit gmscore_app exec_type:file r_file_perms;
+dontaudit gmscore_app device:dir r_dir_perms;
+dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app net_dns_prop:file r_file_perms;
+dontaudit gmscore_app proc:file r_file_perms;
+dontaudit gmscore_app proc_interrupts:file r_file_perms;
+dontaudit gmscore_app proc_modules:file r_file_perms;
+dontaudit gmscore_app proc_net:file r_file_perms;
+dontaudit gmscore_app proc_stat:file r_file_perms;
+dontaudit gmscore_app proc_version:file r_file_perms;
+dontaudit gmscore_app sysfs:dir r_dir_perms;
+dontaudit gmscore_app sysfs:file r_file_perms;
+dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
+dontaudit gmscore_app sysfs_dm:file r_file_perms;
+dontaudit gmscore_app sysfs_loop:file r_file_perms;
+dontaudit gmscore_app sysfs_net:file r_file_perms;
+dontaudit gmscore_app sysfs_net:dir r_dir_perms;
+dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
+dontaudit gmscore_app mirror_data_file:dir search;
+dontaudit gmscore_app mnt_vendor_file:dir search;
+
+# Access the network
+net_domain(gmscore_app)
+
+# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
+allow gmscore_app self:process ptrace;
+
+# Allow loading executable code from writable priv-app home
+# directories. This is a W^X violation, however, it needs
+# to be supported for now for the following reasons.
+# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
+# 1) com.android.opengl.shaders_cache
+# 2) com.android.skia.shaders_cache
+# 3) com.android.renderscript.cache
+# * /data/user_de/0/com.google.android.gms/app_chimera
+# TODO: Tighten (b/112357170)
+allow gmscore_app privapp_data_file:file execute;
+
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
+allow gmscore_app privapp_data_file:lnk_file create_file_perms;
+
+# /proc access
+allow gmscore_app proc_vmstat:file r_file_perms;
+
+# Allow interaction with gpuservice
+binder_call(gmscore_app, gpuservice)
+allow gmscore_app gpu_service:service_manager find;
+
+# find services that expose both @SystemAPI and normal APIs.
+allow gmscore_app app_api_service:service_manager find;
+allow gmscore_app system_api_service:service_manager find;
+allow gmscore_app audioserver_service:service_manager find;
+allow gmscore_app cameraserver_service:service_manager find;
+allow gmscore_app drmserver_service:service_manager find;
+allow gmscore_app mediadrmserver_service:service_manager find;
+allow gmscore_app mediaextractor_service:service_manager find;
+allow gmscore_app mediametrics_service:service_manager find;
+allow gmscore_app mediaserver_service:service_manager find;
+allow gmscore_app network_watchlist_service:service_manager find;
+allow gmscore_app nfc_service:service_manager find;
+allow gmscore_app oem_lock_service:service_manager find;
+allow gmscore_app persistent_data_block_service:service_manager find;
+allow gmscore_app radio_service:service_manager find;
+allow gmscore_app recovery_service:service_manager find;
+allow gmscore_app stats_service:service_manager find;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow gmscore_app shell_data_file:file r_file_perms;
+allow gmscore_app shell_data_file:dir r_dir_perms;
+
+# Write to /cache.
+allow gmscore_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow gmscore_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow gmscore_app cache_file:lnk_file r_file_perms;
+
+# Write to /data/ota_package for OTA packages.
+allow gmscore_app ota_package_file:dir create_dir_perms;
+allow gmscore_app ota_package_file:file create_file_perms;
+
+# Write the checkin metadata to /data/misc_ce/<userid>/checkin
+allow gmscore_app checkin_data_file:dir rw_dir_perms;
+allow gmscore_app checkin_data_file:file create_file_perms;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow gmscore_app shell_data_file:file r_file_perms;
+allow gmscore_app shell_data_file:dir r_dir_perms;
+
+# b/18504118: Allow reads from /data/anr/traces.txt
+allow gmscore_app anr_data_file:file r_file_perms;
+
+# b/148974132: com.android.vending needs this
+allow gmscore_app priv_app:tcp_socket { read write };
+
+# b/168059475 Allow GMSCore to read Virtual AB properties to determine
+# if device supports VAB.
+get_prop(gmscore_app, virtual_ab_prop)
+
+# b/186488185: Allow GMSCore to read dck properties
+get_prop(gmscore_app, dck_prop)
+
+# Do not allow getting permission-protected network information from sysfs.
+neverallow gmscore_app sysfs_net:file *;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm gmscore_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow gmscore_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow gmscore_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
diff --git a/prebuilts/api/33.0/private/gpuservice.te b/prebuilts/api/33.0/private/gpuservice.te
new file mode 100644
index 0000000..76a2370
--- /dev/null
+++ b/prebuilts/api/33.0/private/gpuservice.te
@@ -0,0 +1,68 @@
+# gpuservice - server for gpu stats and other gpu related services
+typeattribute gpuservice coredomain;
+typeattribute gpuservice bpfdomain;
+
+type gpuservice_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(gpuservice)
+
+binder_call(gpuservice, adbd)
+binder_call(gpuservice, shell)
+binder_call(gpuservice, system_server)
+binder_use(gpuservice)
+
+# Access the GPU.
+allow gpuservice gpu_device:chr_file rw_file_perms;
+
+# GPU service will need to load GPU driver, for example Vulkan driver in order
+# to get the capability of the driver.
+allow gpuservice same_process_hal_file:file { open read getattr execute map };
+allow gpuservice ion_device:chr_file r_file_perms;
+get_prop(gpuservice, hwservicemanager_prop)
+hwbinder_use(gpuservice)
+
+# Access /dev/graphics/fb0.
+allow gpuservice graphics_device:dir search;
+allow gpuservice graphics_device:chr_file rw_file_perms;
+
+# Needed for dumpsys pipes.
+allow gpuservice shell:fifo_file write;
+
+# Needed for perfetto producer.
+perfetto_producer(gpuservice)
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow gpuservice adbd:unix_stream_socket { read write getattr };
+
+# Needed for interactive shell
+allow gpuservice devpts:chr_file { read write getattr };
+
+# Needed for dumpstate to dumpsys gpu.
+allow gpuservice dumpstate:fd use;
+allow gpuservice dumpstate:fifo_file write;
+
+# Needed for stats callback registration to statsd.
+allow gpuservice stats_service:service_manager find;
+allow gpuservice statsmanager_service:service_manager find;
+# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
+binder_call(gpuservice, statsd);
+
+# Needed for reading tracepoint ids in order to attach bpf programs.
+allow gpuservice debugfs_tracing:file r_file_perms;
+allow gpuservice self:perf_event { cpu kernel open write };
+neverallow gpuservice self:perf_event ~{ cpu kernel open write };
+
+# Needed for interact with bpf fs.
+# Write is needed to open read/write bpf maps.
+allow gpuservice fs_bpf:file { read write };
+
+# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
+allow gpuservice bpfloader:bpf { map_read map_write prog_run };
+
+# Needed for getting a prop to ensure bpf programs loaded.
+get_prop(gpuservice, bpf_progs_loaded_prop)
+
+add_service(gpuservice, gpu_service)
+
+# Only uncomment below line when in development
+# userdebug_or_eng(`permissive gpuservice;')
diff --git a/prebuilts/api/33.0/private/gsid.te b/prebuilts/api/33.0/private/gsid.te
new file mode 100644
index 0000000..e795cea
--- /dev/null
+++ b/prebuilts/api/33.0/private/gsid.te
@@ -0,0 +1,207 @@
+# gsid - Manager for GSI Installation
+
+type gsid, domain;
+type gsid_exec, exec_type, file_type, system_file_type;
+typeattribute gsid coredomain;
+
+init_daemon_domain(gsid)
+
+binder_use(gsid)
+binder_service(gsid)
+add_service(gsid, gsi_service)
+
+# Manage DSU metadata encryption key through vold.
+allow gsid vold_service:service_manager find;
+binder_call(gsid, vold)
+
+set_prop(gsid, gsid_prop)
+
+# Needed to create/delete device-mapper nodes, and read/write to them.
+allow gsid dm_device:chr_file rw_file_perms;
+allow gsid dm_device:blk_file rw_file_perms;
+allow gsid self:global_capability_class_set sys_admin;
+dontaudit gsid self:global_capability_class_set dac_override;
+
+# On FBE devices (not using dm-default-key), gsid will use loop devices to map
+# images rather than device-mapper.
+allow gsid loop_control_device:chr_file rw_file_perms;
+allow gsid loop_device:blk_file rw_file_perms;
+allowxperm gsid loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
+# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
+# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
+# file names.
+r_dir_file(gsid, sysfs_dm)
+
+# libfiemap_writer needs to read /sys/fs/f2fs/<dev>/features to determine
+# whether pin_file support is enabled.
+r_dir_file(gsid, sysfs_fs_f2fs)
+
+# Needed to read fstab, which is used to validate that system verity does not
+# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
+# to get the A/B slot suffix).
+read_fstab(gsid)
+allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
+allow gsid sysfs_dt_firmware_android:file r_file_perms;
+
+# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
+allow gsid block_device:dir r_dir_perms;
+
+# Allow querying the size of super_block_device_type.
+allow gsid super_block_device_type:blk_file r_file_perms;
+
+# liblp queries these block alignment properties.
+allowxperm gsid {
+ userdata_block_device
+ sdcard_block_device
+ super_block_device_type
+}:blk_file ioctl {
+ BLKIOMIN
+ BLKALIGNOFF
+};
+
+# When installing images to an sdcard, gsid needs to be able to stat() the
+# block device. gsid also calls realpath() to remove symlinks.
+allow gsid mnt_media_rw_file:dir r_dir_perms;
+allow gsid mnt_media_rw_stub_file:dir r_dir_perms;
+
+# When installing images to an sdcard, gsid must bypass sdcardfs and install
+# directly to vfat, which supports the FIBMAP ioctl.
+allow gsid vfat:dir create_dir_perms;
+allow gsid vfat:file create_file_perms;
+allow gsid sdcard_block_device:blk_file r_file_perms;
+# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
+# requirement, but the kernel does not implement FIEMAP support for VFAT.
+allow gsid self:global_capability_class_set sys_rawio;
+
+# Allow rules for gsi_tool.
+userdebug_or_eng(`
+ # gsi_tool passes the system image over the adb connection, via stdin.
+ allow gsid adbd:fd use;
+ # Needed when running gsi_tool through "su root" rather than adb root.
+ allow gsid adbd:unix_stream_socket rw_socket_perms;
+ # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
+ allow gsid { shell su }:fifo_file r_file_perms;
+ # Allow installing images from /storage/emulated/...
+ allow gsid { sdcard_type fuse }:file r_file_perms;
+')
+
+neverallow {
+ domain
+ -gsid
+ -init
+ -update_engine_common
+ -recovery
+ -fastbootd
+} gsid_prop:property_service set;
+
+# gsid needs to store images on /data, but cannot use file I/O. If it did, the
+# underlying blocks would be encrypted, and we couldn't mount the GSI image in
+# first-stage init. So instead of directly writing to /data, we:
+#
+# 1. fallocate a file large enough to hold the signed GSI
+# 2. extract its block layout with FIEMAP
+# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
+# 4. write system_gsi into that dm device
+#
+# To make this process work, we need to unwrap the device-mapper stacking for
+# userdata to reach the underlying block device. To verify the result we use
+# stat(), which requires read access.
+allow gsid userdata_block_device:blk_file r_file_perms;
+
+# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
+# init. It cannot use userdata since data cannot be decrypted during this
+# stage.
+#
+# gsid uses /metadata/gsi to store three files:
+# install_status - A short string indicating whether a GSI image is bootable.
+# lp_metadata - LpMetadata blob describing the block ranges on userdata
+# where system_gsi resides.
+# booted - An empty file that, if exists, indicates that a GSI is
+# currently running.
+#
+allow gsid metadata_file:dir { search getattr };
+allow gsid {
+ gsi_metadata_file_type
+}:dir create_dir_perms;
+
+allow gsid {
+ ota_metadata_file
+}:dir rw_dir_perms;
+
+allow gsid {
+ gsi_metadata_file_type
+ ota_metadata_file
+}:file create_file_perms;
+
+# Allow restorecon to fix context of gsi_public_metadata_file.
+allow gsid file_contexts_file:file r_file_perms;
+allow gsid gsi_metadata_file:file relabelfrom;
+allow gsid gsi_public_metadata_file:file relabelto;
+
+allow gsid {
+ gsi_data_file
+ ota_image_data_file
+}:dir rw_dir_perms;
+allow gsid {
+ gsi_data_file
+ ota_image_data_file
+}:file create_file_perms;
+allowxperm gsid {
+ gsi_data_file
+ ota_image_data_file
+}:file ioctl {
+ FS_IOC_FIEMAP
+ FS_IOC_GETFLAGS
+};
+
+allow gsid system_server:binder call;
+
+# Prevent most processes from writing to gsi_metadata_file_type, but allow
+# adding rules for path resolution of gsi_public_metadata_file and reading
+# gsi_public_metadata_file.
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+} gsi_metadata_file_type:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
+
+# Prevent apps from accessing gsi_metadata_file_type.
+neverallow {
+ appdomain
+ -shell
+} gsi_metadata_file_type:dir_file_class_set *;
+
+neverallow {
+ domain
+ -init
+ -gsid
+} gsi_data_file:dir_file_class_set *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:file_class_set ~{ relabelto getattr };
diff --git a/prebuilts/api/33.0/private/hal_allocator_default.te b/prebuilts/api/33.0/private/hal_allocator_default.te
new file mode 100644
index 0000000..7aa28aa
--- /dev/null
+++ b/prebuilts/api/33.0/private/hal_allocator_default.te
@@ -0,0 +1,5 @@
+type hal_allocator_default, domain, coredomain;
+hal_server_domain(hal_allocator_default, hal_allocator)
+
+type hal_allocator_default_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(hal_allocator_default)
diff --git a/prebuilts/api/33.0/private/hal_lazy_test.te b/prebuilts/api/33.0/private/hal_lazy_test.te
new file mode 100644
index 0000000..93cf235
--- /dev/null
+++ b/prebuilts/api/33.0/private/hal_lazy_test.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
+')
diff --git a/prebuilts/api/26.0/private/halclientdomain.te b/prebuilts/api/33.0/private/halclientdomain.te
similarity index 100%
rename from prebuilts/api/26.0/private/halclientdomain.te
rename to prebuilts/api/33.0/private/halclientdomain.te
diff --git a/prebuilts/api/26.0/private/halserverdomain.te b/prebuilts/api/33.0/private/halserverdomain.te
similarity index 100%
rename from prebuilts/api/26.0/private/halserverdomain.te
rename to prebuilts/api/33.0/private/halserverdomain.te
diff --git a/prebuilts/api/33.0/private/healthd.te b/prebuilts/api/33.0/private/healthd.te
new file mode 100644
index 0000000..cf422ed
--- /dev/null
+++ b/prebuilts/api/33.0/private/healthd.te
@@ -0,0 +1 @@
+typeattribute healthd coredomain;
diff --git a/prebuilts/api/33.0/private/heapprofd.te b/prebuilts/api/33.0/private/heapprofd.te
new file mode 100644
index 0000000..246f936
--- /dev/null
+++ b/prebuilts/api/33.0/private/heapprofd.te
@@ -0,0 +1,77 @@
+# Android heap profiling daemon. go/heapprofd.
+#
+# On user builds, this daemon is responsible for receiving the initial
+# profiling configuration, finding matching target processes (if profiling by
+# process name), and sending the activation signal to them (+ setting system
+# properties for new processes to start profiling from startup). When profiling
+# is triggered in a process, it spawns a private heapprofd subprocess (in its
+# own SELinux domain), which will exclusively handle profiling of its parent.
+#
+# On debug builds, this central daemon performs profiling for all target
+# processes (which talk directly to this daemon).
+type heapprofd_exec, exec_type, file_type, system_file_type;
+type heapprofd_tmpfs, file_type;
+
+init_daemon_domain(heapprofd)
+tmpfs_domain(heapprofd)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# shared memory buffers created by heapprofd.
+typeattribute heapprofd_tmpfs mlstrustedobject;
+
+set_prop(heapprofd, heapprofd_prop);
+
+# Necessary for /proc/[pid]/cmdline access & sending signals.
+typeattribute heapprofd mlstrustedsubject;
+
+# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
+# SIGCHLD, which are controlled by separate permissions.
+allow heapprofd self:capability kill;
+
+# When scanning /proc/[pid]/cmdline to find matching processes for by-name
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
+# spamming logs with denials for entries that we can not access.
+dontaudit heapprofd domain:dir { search open };
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(heapprofd)
+
+# When handling profiling for all processes, heapprofd needs to read
+# executables/libraries/etc to do stack unwinding.
+r_dir_file(heapprofd, nativetest_data_file)
+r_dir_file(heapprofd, system_file_type)
+r_dir_file(heapprofd, apex_art_data_file)
+r_dir_file(heapprofd, apk_data_file)
+r_dir_file(heapprofd, dalvikcache_data_file)
+r_dir_file(heapprofd, vendor_file_type)
+r_dir_file(heapprofd, shell_test_data_file)
+# Some dex files are not world-readable.
+# We are still constrained by the SELinux rules above.
+allow heapprofd self:global_capability_class_set dac_read_search;
+
+# For checking profileability.
+allow heapprofd packages_list_file:file r_file_perms;
+
+# This is going to happen on user but is benign because central heapprofd
+# does not actually need these permission.
+# If the dac_read_search capability check is rejected, the kernel then tries
+# to perform a dac_override capability check, so we need to dontaudit that
+# as well.
+dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
+
+never_profile_heap(`{
+ bpfloader
+ init
+ kernel
+ keystore
+ llkd
+ logd
+ ueventd
+ vendor_init
+ vold
+}')
+
+full_treble_only(`
+ neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
+')
diff --git a/prebuilts/api/33.0/private/hidl_lazy_test_server.te b/prebuilts/api/33.0/private/hidl_lazy_test_server.te
new file mode 100644
index 0000000..04e8c9f
--- /dev/null
+++ b/prebuilts/api/33.0/private/hidl_lazy_test_server.te
@@ -0,0 +1,8 @@
+type hidl_lazy_test_server, domain;
+type hidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+ typeattribute hidl_lazy_test_server coredomain;
+ init_daemon_domain(hidl_lazy_test_server)
+ hal_server_domain(hidl_lazy_test_server, hal_lazy_test)
+')
diff --git a/prebuilts/api/33.0/private/hwservice.te b/prebuilts/api/33.0/private/hwservice.te
new file mode 100644
index 0000000..b7ba4d7
--- /dev/null
+++ b/prebuilts/api/33.0/private/hwservice.te
@@ -0,0 +1 @@
+type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/prebuilts/api/33.0/private/hwservice_contexts b/prebuilts/api/33.0/private/hwservice_contexts
new file mode 100644
index 0000000..4a44dc5
--- /dev/null
+++ b/prebuilts/api/33.0/private/hwservice_contexts
@@ -0,0 +1,86 @@
+android.frameworks.automotive.display::IAutomotiveDisplayProxyService u:object_r:fwk_automotive_display_hwservice:s0
+android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
+android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0
+android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
+android.frameworks.stats::IStats u:object_r:fwk_stats_hwservice:s0
+android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
+android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
+android.hardware.automotive.can::ICanController u:object_r:hal_can_controller_hwservice:s0
+android.hardware.automotive.can::ICanBus u:object_r:hal_can_bus_hwservice:s0
+android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
+android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
+android.hardware.biometrics.face::IBiometricsFace u:object_r:hal_face_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
+android.hardware.bluetooth.audio::IBluetoothAudioProvidersFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadio u:object_r:hal_broadcastradio_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
+android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
+android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
+android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
+android.hardware.health.storage::IStorage u:object_r:hal_health_storage_hwservice:s0
+android.hardware.input.classifier::IInputClassifier u:object_r:hal_input_classifier_hwservice:s0
+android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
+android.hardware.tests.lazy::ILazy u:object_r:hal_lazy_test_hwservice:s0
+android.hardware.tests.lazy_cb::ILazyCb u:object_r:hal_lazy_test_hwservice:s0
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
+android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
+android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
+android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
+android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
+android.hardware.neuralnetworks::IDevice u:object_r:hal_neuralnetworks_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
+android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.power.stats::IPowerStats u:object_r:hal_power_stats_hwservice:s0
+android.hardware.radio.config::IRadioConfig u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
+android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
+android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
+android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
+android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
+android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
+android.hardware.tv.tuner::ITuner u:object_r:hal_tv_tuner_hwservice:s0
+android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.usb.gadget::IUsbGadget u:object_r:hal_usb_gadget_hwservice:s0
+android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
+android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
+android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
+android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
+android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
+* u:object_r:default_android_hwservice:s0
diff --git a/prebuilts/api/33.0/private/hwservicemanager.te b/prebuilts/api/33.0/private/hwservicemanager.te
new file mode 100644
index 0000000..e1fde43
--- /dev/null
+++ b/prebuilts/api/33.0/private/hwservicemanager.te
@@ -0,0 +1,9 @@
+typeattribute hwservicemanager coredomain;
+
+init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
+
+set_prop(hwservicemanager, ctl_interface_start_prop)
+set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/prebuilts/api/33.0/private/idmap.te b/prebuilts/api/33.0/private/idmap.te
new file mode 100644
index 0000000..c982783
--- /dev/null
+++ b/prebuilts/api/33.0/private/idmap.te
@@ -0,0 +1,3 @@
+typeattribute idmap coredomain;
+
+init_daemon_domain(idmap)
diff --git a/prebuilts/api/33.0/private/incident.te b/prebuilts/api/33.0/private/incident.te
new file mode 100644
index 0000000..db9ae86
--- /dev/null
+++ b/prebuilts/api/33.0/private/incident.te
@@ -0,0 +1,37 @@
+typeattribute incident coredomain;
+
+type incident_exec, system_file_type, exec_type, file_type;
+
+# switch to incident domain for incident command
+domain_auto_trans(shell, incident_exec, incident)
+domain_auto_trans(dumpstate, incident_exec, incident)
+
+# allow incident access to stdout from its parent shell.
+allow incident shell:fd use;
+
+# allow incident to communicate with dumpstate, and write incident report to
+# /data/data/com.android.shell/files/bugreports/tmp_incident_report
+allow incident dumpstate:fd use;
+allow incident dumpstate:unix_stream_socket { read write };
+allow incident shell_data_file:file write;
+
+# allow incident be able to output data for CTS to fetch.
+allow incident devpts:chr_file { read write };
+
+# allow incident to communicate use, read and write over the adb
+# connection.
+allow incident adbd:fd use;
+allow incident adbd:unix_stream_socket { read write };
+
+# allow adbd to reap incident
+allow incident adbd:process { sigchld };
+
+# Allow the incident command to talk to the incidentd over the binder, and get
+# back the incident report data from a ParcelFileDescriptor.
+binder_use(incident)
+allow incident incident_service:service_manager find;
+binder_call(incident, incidentd)
+allow incident incidentd:fifo_file write;
+
+# only allow incident being called by shell or dumpstate
+neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
diff --git a/prebuilts/api/33.0/private/incident_helper.te b/prebuilts/api/33.0/private/incident_helper.te
new file mode 100644
index 0000000..b453855
--- /dev/null
+++ b/prebuilts/api/33.0/private/incident_helper.te
@@ -0,0 +1,14 @@
+typeattribute incident_helper coredomain;
+
+type incident_helper_exec, system_file_type, exec_type, file_type;
+
+# switch to incident_helper domain for incident_helper command
+domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
+
+# use pipe to transmit data from/to incidentd/incident_helper for parsing
+allow incident_helper { shell incident incidentd dumpstate }:fd use;
+allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write };
+allow incident_helper incidentd:unix_stream_socket { read write };
+
+# only allow incidentd and shell to call incident_helper
+neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
diff --git a/prebuilts/api/33.0/private/incidentd.te b/prebuilts/api/33.0/private/incidentd.te
new file mode 100644
index 0000000..c1314a8
--- /dev/null
+++ b/prebuilts/api/33.0/private/incidentd.te
@@ -0,0 +1,216 @@
+typeattribute incidentd coredomain;
+typeattribute incidentd mlstrustedsubject;
+
+init_daemon_domain(incidentd)
+type incidentd_exec, system_file_type, exec_type, file_type;
+binder_use(incidentd)
+wakelock_use(incidentd)
+
+# Allow incidentd to scan through /proc/pid for all processes
+r_dir_file(incidentd, domain)
+
+# Allow incidentd to kill incident_helper when timeout
+allow incidentd incident_helper:process sigkill;
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow incidentd system_file:file execute_no_trans;
+allow incidentd toolbox_exec:file rx_file_perms;
+
+# section id 1002, allow reading kernel version /proc/version
+allow incidentd proc_version:file r_file_perms;
+
+# section id 1116, allow accessing statsd socket
+unix_socket_send(incidentd, statsdw, statsd)
+
+# section id 2001, allow reading /proc/pagetypeinfo
+allow incidentd proc_pagetypeinfo:file r_file_perms;
+
+# section id 2002, allow reading /d/wakeup_sources
+no_debugfs_restriction(`
+ allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')
+
+# section id 2003, allow executing top
+allow incidentd proc_meminfo:file { open read };
+
+# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
+allow incidentd sysfs_devices_system_cpu:file r_file_perms;
+
+# section id 2005, allow reading ps dump in full
+allow incidentd domain:process getattr;
+
+# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
+allow incidentd sysfs_batteryinfo:dir { search };
+allow incidentd sysfs_batteryinfo:file r_file_perms;
+
+# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
+userdebug_or_eng(`allow incidentd pstorefs:dir search');
+userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
+
+# section id 3023, allow obtaining stats report
+allow incidentd stats_service:service_manager find;
+binder_call(incidentd, statsd)
+
+# section id 3026, allow reading /data/misc/perfetto-traces.
+allow incidentd perfetto_traces_data_file:dir r_dir_perms;
+allow incidentd perfetto_traces_data_file:file r_file_perms;
+
+# section id 3052, allow accessing nfc_service
+allow incidentd nfc_service:service_manager find;
+
+# Create and write into /data/misc/incidents
+allow incidentd incident_data_file:dir rw_dir_perms;
+allow incidentd incident_data_file:file create_file_perms;
+
+# Enable incidentd to get stack traces.
+binder_use(incidentd)
+hwbinder_use(incidentd)
+allow incidentd hwservicemanager:hwservice_manager { list };
+get_prop(incidentd, hwservicemanager_prop)
+allow incidentd hidl_manager_hwservice:hwservice_manager { find };
+
+# Read files in /proc
+allow incidentd {
+ proc_cmdline
+ proc_pid_max
+ proc_pipe_conf
+ proc_stat
+}:file r_file_perms;
+
+# Signal java processes to dump their stack and get the results
+allow incidentd { appdomain ephemeral_app system_server }:process signal;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in incidentd/utils.c
+allow incidentd {
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediametrics
+ mediaserver
+ sdcardd
+ statsd
+ surfaceflinger
+
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_codec2_server
+ hal_face_server
+ hal_graphics_allocator_server
+ hal_graphics_composer_server
+ hal_health_server
+ hal_omx_server
+ hal_sensors_server
+ hal_vr_server
+}:process signal;
+
+# Allow incidentd to make binder calls to any binder service
+binder_call(incidentd, system_server)
+binder_call(incidentd, appdomain)
+
+# Reading /proc/PID/maps of other processes
+userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
+# incidentd has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow incidentd *:process ptrace;
+
+allow incidentd self:global_capability_class_set {
+ # Send signals to processes
+ kill
+};
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
+
+# Run a shell.
+allow incidentd shell_exec:file rx_file_perms;
+
+# For running am, incident-helper-cmd and similar framework commands.
+# Run /system/bin/app_process.
+allow incidentd zygote_exec:file { rx_file_perms };
+# Access the runtime feature flag properties.
+get_prop(incidentd, device_config_runtime_native_prop)
+get_prop(incidentd, device_config_runtime_native_boot_prop)
+# Access odsign verification status.
+get_prop(incidentd, odsign_prop)
+# ART locks profile files.
+allow incidentd system_file:file lock;
+# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
+dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd apex_module_data_file:dir r_dir_perms;
+dontaudit incidentd apex_art_data_file:dir r_dir_perms;
+dontaudit incidentd tmpfs:file rwx_file_perms;
+
+# Allow incidentd to read /apex/apex-info-list.xml
+allow incidentd apex_info_file:file r_file_perms;
+
+# logd access - work to be done is a PII safe log (possibly an event log?)
+userdebug_or_eng(`read_logd(incidentd)')
+# TODO control_logd(incidentd)
+
+# Access /data/misc/logd
+r_dir_file(incidentd, misc_logd_file)
+
+# Allow incidentd to find these standard groups of services.
+# Others can be allowlisted individually.
+allow incidentd {
+ system_server_service
+ app_api_service
+ system_api_service
+ -tracingproxy_service
+}:service_manager find;
+
+# Only incidentd can publish the binder service
+add_service(incidentd, incident_service)
+
+# Allow pipes only from dumpstate and incident
+allow incidentd { dumpstate incident }:fd use;
+allow incidentd { dumpstate incident }:fifo_file write;
+
+# Allow incident to call back to incident with status updates.
+binder_call(incidentd, incident)
+
+# Read device serial number from system properties
+# This is used to track reports from lab testing devices
+userdebug_or_eng(`
+ get_prop(incidentd, serialno_prop)
+')
+
+# Read ro.boot.bootreason, persist.sys.boot.bootreason
+# This is used to track reports from lab testing devices
+userdebug_or_eng(`
+ get_prop(incidentd, bootloader_boot_reason_prop);
+ get_prop(incidentd, system_boot_reason_prop);
+ get_prop(incidentd, last_boot_reason_prop);
+')
+
+###
+### neverallow rules
+###
+# only incidentd and the other root services in limited circumstances
+# can get to the files in /data/misc/incidents
+#
+# write, execute, append are forbidden almost everywhere
+neverallow { domain -incidentd -init -vold } incident_data_file:file {
+ w_file_perms
+ x_file_perms
+ create
+ rename
+ setattr
+ unlink
+ append
+};
+# read is also allowed by system_server, for when the file is handed to dropbox
+neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
+# limited access to the directory itself
+neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
+
diff --git a/prebuilts/api/33.0/private/init.te b/prebuilts/api/33.0/private/init.te
new file mode 100644
index 0000000..997a184
--- /dev/null
+++ b/prebuilts/api/33.0/private/init.te
@@ -0,0 +1,123 @@
+typeattribute init coredomain;
+
+tmpfs_domain(init)
+
+# Transitions to seclabel processes in init.rc
+domain_trans(init, rootfs, slideshow)
+domain_auto_trans(init, charger_exec, charger)
+domain_auto_trans(init, e2fs_exec, e2fs)
+domain_auto_trans(init, bpfloader_exec, bpfloader)
+
+recovery_only(`
+ # Files in recovery image are labeled as rootfs.
+ domain_trans(init, rootfs, adbd)
+ domain_trans(init, rootfs, charger)
+ domain_trans(init, rootfs, fastbootd)
+ domain_trans(init, rootfs, hal_health_server)
+ domain_trans(init, rootfs, recovery)
+ domain_trans(init, rootfs, linkerconfig)
+ domain_trans(init, rootfs, servicemanager)
+ domain_trans(init, rootfs, snapuserd)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, vendor_init)
+domain_trans(init, { rootfs toolbox_exec }, modprobe)
+userdebug_or_eng(`
+ # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+ domain_auto_trans(init, logcat_exec, logpersist)
+
+ # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
+ allow init su:process transition;
+ dontaudit init su:process noatsecure;
+ allow init su:process { siginh rlimitinh };
+')
+
+# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
+# This is useful in case of remounting ext4 userdata into checkpointing mode,
+# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
+# that userdata is mounted onto.
+allow init sysfs_dm:file read;
+
+# Allow init to modify the properties of loop devices.
+allow init sysfs_loop:dir r_dir_perms;
+allow init sysfs_loop:file rw_file_perms;
+
+# Allow init to examine the properties of block devices.
+allow init sysfs_type:file { getattr read };
+# Allow init get the attributes of block devices in /dev/block.
+allow init dev_type:dir r_dir_perms;
+allow init dev_type:blk_file getattr;
+
+# Allow init to write to the drop_caches file.
+allow init proc_drop_caches:file rw_file_perms;
+
+# Allow the BoringSSL self test to request a reboot upon failure
+set_prop(init, powerctl_prop)
+
+# Only init is allowed to set userspace reboot related properties.
+set_prop(init, userspace_reboot_exported_prop)
+neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
+
+# Second-stage init performs a test for whether the kernel has SELinux hooks
+# for the perf_event_open() syscall. This is done by testing for the syscall
+# outcomes corresponding to this policy.
+# TODO(b/137092007): this can be removed once the platform stops supporting
+# kernels that precede the perf_event_open hooks (Android common kernels 4.4
+# and 4.9).
+allow init self:perf_event { open cpu };
+allow init self:global_capability2_class_set perfmon;
+neverallow init self:perf_event { kernel tracepoint read write };
+dontaudit init self:perf_event { kernel tracepoint read write };
+
+# Allow init to communicate with snapuserd to transition Virtual A/B devices
+# from the first-stage daemon to the second-stage.
+allow init snapuserd_socket:sock_file write;
+allow init snapuserd:unix_stream_socket connectto;
+# Allow for libsnapshot's use of flock() on /metadata/ota.
+allow init ota_metadata_file:dir lock;
+
+# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
+# /dev/block.
+allow init vd_device:blk_file relabelto;
+
+# Only init is allowed to set the sysprop indicating whether perf_event_open()
+# SELinux hooks were detected.
+set_prop(init, init_perf_lsm_hooks_prop)
+neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
+
+# Only init can write vts.native_server.on
+set_prop(init, vts_status_prop)
+neverallow { domain -init } vts_status_prop:property_service set;
+
+# Only init can write normal ro.boot. properties
+neverallow { domain -init } bootloader_prop:property_service set;
+
+# Only init can write ro.boot.hypervisor properties
+neverallow { domain -init } hypervisor_prop:property_service set;
+
+# Only init can write hal.instrumentation.enable
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
+
+# Only init can write ro.property_service.version
+neverallow { domain -init } property_service_version_prop:property_service set;
+
+# Only init can set keystore.boot_level
+neverallow { domain -init } keystore_listen_prop:property_service set;
+
+# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
+allow init debugfs_bootreceiver_tracing:file w_file_perms;
+
+# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
+# attempt to write a non exisiting 'synthetic_events' file, when setting
+# up synthetic events. This is a no-op in tracefs.
+dontaudit init debugfs_tracing_debug:dir { write add_name };
+
+# chown/chmod on devices.
+allow init {
+ dev_type
+ -hw_random_device
+ -keychord_device
+ -kvm_device
+ -port_device
+}:chr_file setattr;
diff --git a/prebuilts/api/26.0/private/initial_sid_contexts b/prebuilts/api/33.0/private/initial_sid_contexts
similarity index 100%
rename from prebuilts/api/26.0/private/initial_sid_contexts
rename to prebuilts/api/33.0/private/initial_sid_contexts
diff --git a/prebuilts/api/26.0/private/initial_sids b/prebuilts/api/33.0/private/initial_sids
similarity index 100%
rename from prebuilts/api/26.0/private/initial_sids
rename to prebuilts/api/33.0/private/initial_sids
diff --git a/prebuilts/api/26.0/private/inputflinger.te b/prebuilts/api/33.0/private/inputflinger.te
similarity index 100%
rename from prebuilts/api/26.0/private/inputflinger.te
rename to prebuilts/api/33.0/private/inputflinger.te
diff --git a/prebuilts/api/33.0/private/installd.te b/prebuilts/api/33.0/private/installd.te
new file mode 100644
index 0000000..251a14f
--- /dev/null
+++ b/prebuilts/api/33.0/private/installd.te
@@ -0,0 +1,50 @@
+typeattribute installd coredomain;
+
+init_daemon_domain(installd)
+
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Run viewcompiler in its own sandbox.
+domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
+
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
+
+# For collecting bugreports.
+allow installd dumpstate:fd use;
+allow installd dumpstate:fifo_file r_file_perms;
+
+# Delete /system/bin/bcc generated artifacts
+allow installd app_exec_data_file:file unlink;
+
+# Capture userdata snapshots to /data/misc_[ce|de]/rollback and
+# subsequently restore them.
+allow installd rollback_data_file:dir create_dir_perms;
+allow installd rollback_data_file:file create_file_perms;
+
+# Allow installd to access the runtime feature flag properties.
+get_prop(installd, device_config_runtime_native_prop)
+get_prop(installd, device_config_runtime_native_boot_prop)
+
+# Allow installd to access apk verity feature flag (for legacy case).
+get_prop(installd, apk_verity_prop)
+
+# Allow installd to access odsign verification status
+get_prop(installd, odsign_prop)
+
+# Allow installd to delete files in /data/staging
+allow installd staging_data_file:file unlink;
+allow installd staging_data_file:dir { open read remove_name rmdir search write };
+
+allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
diff --git a/prebuilts/api/33.0/private/iorap_inode2filename.te b/prebuilts/api/33.0/private/iorap_inode2filename.te
new file mode 100644
index 0000000..5acb262
--- /dev/null
+++ b/prebuilts/api/33.0/private/iorap_inode2filename.te
@@ -0,0 +1,11 @@
+typeattribute iorap_inode2filename coredomain;
+
+# Grant access to open most of the files under /
+allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
+allow iorap_inode2filename apex_data_file:file { getattr };
+allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
+allow iorap_inode2filename dalvikcache_data_file:file { getattr };
+allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
+allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
+allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
+allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/prebuilts/api/33.0/private/iorap_prefecherd.te b/prebuilts/api/33.0/private/iorap_prefecherd.te
new file mode 100644
index 0000000..9ddb512
--- /dev/null
+++ b/prebuilts/api/33.0/private/iorap_prefecherd.te
@@ -0,0 +1,4 @@
+typeattribute iorap_prefetcherd coredomain;
+
+init_daemon_domain(iorap_prefetcherd)
+tmpfs_domain(iorap_prefetcherd)
diff --git a/prebuilts/api/33.0/private/iorapd.te b/prebuilts/api/33.0/private/iorapd.te
new file mode 100644
index 0000000..73acec9
--- /dev/null
+++ b/prebuilts/api/33.0/private/iorapd.te
@@ -0,0 +1,10 @@
+typeattribute iorapd coredomain;
+
+init_daemon_domain(iorapd)
+tmpfs_domain(iorapd)
+
+domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
+domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
+
+# Allow iorapd to access the runtime native boot feature flag properties.
+get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/prebuilts/api/33.0/private/isolated_app.te b/prebuilts/api/33.0/private/isolated_app.te
new file mode 100644
index 0000000..828ffb1
--- /dev/null
+++ b/prebuilts/api/33.0/private/isolated_app.te
@@ -0,0 +1,153 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+typeattribute isolated_app coredomain;
+
+app_domain(isolated_app)
+
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
+
+# Allow access to network sockets received over IPC. New socket creation is not
+# permitted.
+allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+
+allow isolated_app activity_service:service_manager find;
+allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;
+
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_app self:process ptrace;
+
+# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
+# by other processes. Open should never be allowed, and is blocked by
+# neverallow rules below.
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
+
+# For webviews, isolated_app processes can be forked from the webview_zygote
+# in addition to the zygote. Allow access to resources inherited from the
+# webview_zygote process. These rules are specialized copies of the ones in app.te.
+# Inherit FDs from the webview_zygote.
+allow isolated_app webview_zygote:fd use;
+# Notify webview_zygote of child death.
+allow isolated_app webview_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app webview_zygote:unix_dgram_socket write;
+# Read system properties managed by webview_zygote.
+allow isolated_app webview_zygote_tmpfs:file read;
+
+# Inherit FDs from the app_zygote.
+allow isolated_app app_zygote:fd use;
+# Notify app_zygote of child death.
+allow isolated_app app_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app app_zygote:unix_dgram_socket write;
+
+# TODO (b/63631799) fix this access
+# suppress denials to /data/local/tmp
+dontaudit isolated_app shell_data_file:dir search;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(isolated_app)
+
+# Allow profiling if the main app has been marked as profileable or
+# debuggable.
+can_profile_heap(isolated_app)
+can_profile_perf(isolated_app)
+
+#####
+##### Neverallow
+#####
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app anr_data_file:file ~{ open append };
+neverallow isolated_app anr_data_file:dir ~search;
+
+# Isolated apps must not be permitted to use HwBinder
+neverallow isolated_app hwbinder_device:chr_file *;
+neverallow isolated_app *:hwservice_manager *;
+
+# Isolated apps must not be permitted to use VndBinder
+neverallow isolated_app vndbinder_device:chr_file *;
+
+# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
+# except the find actions for services allowlisted below.
+neverallow isolated_app *:service_manager ~find;
+
+# b/17487348
+# Isolated apps can only access three services,
+# activity_service, display_service, webviewupdate_service.
+neverallow isolated_app {
+ service_manager_type
+ -activity_service
+ -display_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_app access to /cache
+neverallow isolated_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app cache_file:file ~{ read getattr };
+
+# Do not allow isolated_app to access external storage, except for files passed
+# via file descriptors (b/32896414).
+neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
+neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
+
+# Do not allow USB access
+neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_app webview_zygote:sock_file write;
+
+# Limit the /sys files which isolated_app can access. This is important
+# for controlling isolated_app attack surface.
+neverallow isolated_app {
+ sysfs_type
+ -sysfs_devices_system_cpu
+ -sysfs_transparent_hugepage
+ -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+ -sysfs_fs_incfs_features
+}:file no_rw_file_perms;
+
+# No creation of sockets families other than AF_UNIX sockets.
+# List taken from system/sepolicy/public/global_macros - socket_class_set
+# excluding unix_stream_socket and unix_dgram_socket.
+# Many of these are socket families which have never and will never
+# be compiled into the Android kernel.
+neverallow isolated_app { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
+ key_socket appletalk_socket netlink_route_socket
+ netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
+ netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
+ netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
+ netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
+ netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
+ rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
+ ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
+ qipcrtr_socket smc_socket xdp_socket
+} create;
diff --git a/prebuilts/api/33.0/private/iw.te b/prebuilts/api/33.0/private/iw.te
new file mode 100644
index 0000000..adc8c96
--- /dev/null
+++ b/prebuilts/api/33.0/private/iw.te
@@ -0,0 +1,4 @@
+type iw, domain, coredomain;
+type iw_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(iw)
diff --git a/prebuilts/api/33.0/private/kernel.te b/prebuilts/api/33.0/private/kernel.te
new file mode 100644
index 0000000..6775b3b
--- /dev/null
+++ b/prebuilts/api/33.0/private/kernel.te
@@ -0,0 +1,49 @@
+typeattribute kernel coredomain;
+
+domain_auto_trans(kernel, init_exec, init)
+domain_auto_trans(kernel, snapuserd_exec, snapuserd)
+
+# Allow the kernel to read otapreopt_chroot's file descriptors and files under
+# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
+
+# The following sections are for the transition period during a Virtual A/B
+# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
+# context, and with properly labelled devices. This must be done before
+# enabling enforcement, eg, in permissive mode while still in the kernel
+# context.
+allow kernel tmpfs:blk_file { getattr relabelfrom };
+allow kernel tmpfs:chr_file { getattr relabelfrom };
+allow kernel tmpfs:lnk_file { getattr relabelfrom };
+allow kernel tmpfs:dir { open read relabelfrom };
+
+allow kernel block_device:blk_file relabelto;
+allow kernel block_device:lnk_file relabelto;
+allow kernel dm_device:chr_file relabelto;
+allow kernel dm_device:blk_file relabelto;
+allow kernel dm_user_device:dir { read open search relabelto };
+allow kernel dm_user_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file relabelto;
+allow kernel null_device:chr_file relabelto;
+allow kernel random_device:chr_file relabelto;
+allow kernel snapuserd_exec:file relabelto;
+
+allow kernel kmsg_device:chr_file write;
+allow kernel gsid:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+ file_contexts_file
+ hwservice_contexts_file
+ mac_perms_file
+ property_contexts_file
+ seapp_contexts_file
+ sepolicy_test_file
+ service_contexts_file
+}:file relabelto;
diff --git a/prebuilts/api/33.0/private/keys.conf b/prebuilts/api/33.0/private/keys.conf
new file mode 100644
index 0000000..18c1a8c
--- /dev/null
+++ b/prebuilts/api/33.0/private/keys.conf
@@ -0,0 +1,34 @@
+#
+# Maps an arbitrary tag [TAGNAME] with the string contents found in
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
+# name it after the base file name of the pem file.
+#
+# Each tag (section) then allows one to specify any string found in
+# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
+#
+
+[@PLATFORM]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
+
+[@SDK_SANDBOX]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/sdk_sandbox.x509.pem
+
+[@BLUETOOTH]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/bluetooth.x509.pem
+
+[@MEDIA]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
+
+[@NETWORK_STACK]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
+
+[@SHARED]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
+
+# Example of ALL TARGET_BUILD_VARIANTS
+[@RELEASE]
+ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+
diff --git a/prebuilts/api/33.0/private/keystore.te b/prebuilts/api/33.0/private/keystore.te
new file mode 100644
index 0000000..78c0198
--- /dev/null
+++ b/prebuilts/api/33.0/private/keystore.te
@@ -0,0 +1,38 @@
+typeattribute keystore coredomain;
+
+init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# talk to confirmationui
+hal_client_domain(keystore, hal_confirmationui)
+
+# talk to keymint
+hal_client_domain(keystore, hal_keymint)
+
+# This is used for the ConfirmationUI async callback.
+allow keystore platform_app:binder call;
+
+# Allow to check whether security logging is enabled.
+get_prop(keystore, device_logging_prop)
+
+# Allow keystore to check if the system is rkp only.
+get_prop(keystore, remote_prov_prop)
+
+# Allow keystore to write to statsd.
+unix_socket_send(keystore, statsdw, statsd)
+
+# Keystore need access to the keystore_key context files to load the keystore key backend.
+allow keystore keystore2_key_contexts_file:file r_file_perms;
+
+get_prop(keystore, keystore_listen_prop)
+
+# Keystore needs to transfer binder references to vold so that it
+# can call keystore methods on those references.
+allow keystore vold:binder transfer;
+
+# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
+# system property, an exception is added for init as well.
+set_prop(keystore, keystore_crash_prop)
+neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
diff --git a/prebuilts/api/33.0/private/keystore2_key_contexts b/prebuilts/api/33.0/private/keystore2_key_contexts
new file mode 100644
index 0000000..3833971
--- /dev/null
+++ b/prebuilts/api/33.0/private/keystore2_key_contexts
@@ -0,0 +1,28 @@
+# Keystore 2.0 key contexts.
+# This file defines Keystore 2.0 namespaces and maps them to labels.
+# Format:
+# <namespace> <label>
+#
+# <namespace> must be an integer in the interval [0 ... 2^31)
+# su_key is a keystore_key namespace for the su domain intended for native tests.
+0 u:object_r:su_key:s0
+
+# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+1 u:object_r:shell_key:s0
+
+# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
+100 u:object_r:vold_key:s0
+
+# odsign_key is a keystore2_key namespace for the on-device signing daemon.
+101 u:object_r:odsign_key:s0
+
+# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID
+# namespace in keystore.
+102 u:object_r:wifi_key:s0
+
+# locksettings_key is a keystore2_key namespace for the LockSettingsService.
+103 u:object_r:locksettings_key:s0
+
+# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
+120 u:object_r:resume_on_reboot_key:s0
+
diff --git a/prebuilts/api/33.0/private/keystore_keys.te b/prebuilts/api/33.0/private/keystore_keys.te
new file mode 100644
index 0000000..2f97608
--- /dev/null
+++ b/prebuilts/api/33.0/private/keystore_keys.te
@@ -0,0 +1,22 @@
+# Specify keystore2_key namespaces in this file.
+# Please keep the names in alphabetical order and comment each new entry.
+
+# A keystore2_key namespace for the shell domain. Mainly used for native tests.
+type shell_key, keystore2_key_type;
+
+# A keystore2 namespace for the su domain. Mainly used for native tests.
+type su_key, keystore2_key_type;
+
+# A keystore2 namespace for vold. Vold need special permission to handle
+# its own Keymint blobs.
+type vold_key, keystore2_key_type;
+
+# A keystore2 namespace for the on-device signing daemon.
+type odsign_key, keystore2_key_type;
+
+# A keystore2 namespace for LockSettingsService.
+type locksettings_key, keystore2_key_type;
+
+# A keystore2 namespace for resume on reboot.
+type resume_on_reboot_key, keystore2_key_type;
+
diff --git a/prebuilts/api/33.0/private/linkerconfig.te b/prebuilts/api/33.0/private/linkerconfig.te
new file mode 100644
index 0000000..2688102
--- /dev/null
+++ b/prebuilts/api/33.0/private/linkerconfig.te
@@ -0,0 +1,27 @@
+type linkerconfig, domain, coredomain;
+type linkerconfig_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(linkerconfig)
+
+## Read and write linkerconfig subdirectory.
+allow linkerconfig linkerconfig_file:dir create_dir_perms;
+allow linkerconfig linkerconfig_file:file create_file_perms;
+
+# Allow linkerconfig to log to the kernel.
+allow linkerconfig kmsg_device:chr_file w_file_perms;
+
+# Allow linkerconfig to be invoked with logwrapper from init.
+allow linkerconfig devpts:chr_file { read write };
+
+# Allow linkerconfig to scan for apex modules
+allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+
+# Allow linkerconfig to read apex-info-list.xml
+allow linkerconfig apex_info_file:file r_file_perms;
+
+# Allow linkerconfig to be called in the otapreopt_chroot
+allow linkerconfig otapreopt_chroot:fd use;
+allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
+allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
+
+neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
diff --git a/prebuilts/api/33.0/private/llkd.te b/prebuilts/api/33.0/private/llkd.te
new file mode 100644
index 0000000..8512e85
--- /dev/null
+++ b/prebuilts/api/33.0/private/llkd.te
@@ -0,0 +1,54 @@
+# llkd Live LocK Daemon
+typeattribute llkd coredomain;
+
+init_daemon_domain(llkd)
+
+get_prop(llkd, llkd_prop)
+
+allow llkd self:global_capability_class_set kill;
+userdebug_or_eng(`
+ allow llkd self:global_capability_class_set { sys_ptrace sys_admin };
+ allow llkd self:global_capability_class_set { dac_override dac_read_search };
+')
+
+# llkd optionally locks itself in memory, to prevent it from being
+# swapped out and unable to discover a kernel in live-lock state.
+allow llkd self:global_capability_class_set ipc_lock;
+
+# Send kill signals to _anyone_ suffering from Live Lock
+allow llkd domain:process sigkill;
+
+# read stack to check for Live Lock
+userdebug_or_eng(`
+ allow llkd {
+ domain
+ -apexd
+ -diced
+ -kernel
+ -keystore
+ -init
+ -llkd
+ -ueventd
+ -vendor_init
+ }:process ptrace;
+')
+
+# live lock watchdog process allowed to look through /proc/
+allow llkd domain:dir r_dir_perms;
+allow llkd domain:file r_file_perms;
+allow llkd domain:lnk_file read;
+# Set /proc/sys/kernel/hung_task_*
+allow llkd proc_hung_task:file rw_file_perms;
+
+# live lock watchdog process allowed to dump process trace and
+# reboot because orderly shutdown may not be possible.
+allow llkd proc_sysrq:file rw_file_perms;
+allow llkd kmsg_device:chr_file w_file_perms;
+
+### neverallow rules
+
+neverallow { domain -init } llkd:process { dyntransition transition };
+neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
+
+# never honor LD_PRELOAD
+neverallow * llkd:process noatsecure;
diff --git a/prebuilts/api/33.0/private/lmkd.te b/prebuilts/api/33.0/private/lmkd.te
new file mode 100644
index 0000000..51d6204
--- /dev/null
+++ b/prebuilts/api/33.0/private/lmkd.te
@@ -0,0 +1,18 @@
+typeattribute lmkd coredomain;
+typeattribute lmkd bpfdomain;
+
+init_daemon_domain(lmkd)
+
+# Set sys.lmk.* properties.
+set_prop(lmkd, system_lmk_prop)
+
+# Set lmkd.* properties.
+set_prop(lmkd, lmkd_prop)
+
+# Get persist.device_config.lmk_native.* properties.
+get_prop(lmkd, device_config_lmkd_native_prop)
+
+allow lmkd fs_bpf:file read;
+allow lmkd bpfloader:bpf map_read;
+
+neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/prebuilts/api/33.0/private/logd.te b/prebuilts/api/33.0/private/logd.te
new file mode 100644
index 0000000..62d4196
--- /dev/null
+++ b/prebuilts/api/33.0/private/logd.te
@@ -0,0 +1,51 @@
+typeattribute logd coredomain;
+
+init_daemon_domain(logd)
+
+# Access device logging gating property
+get_prop(logd, device_logging_prop)
+
+# logd is not allowed to write anywhere other than /data/misc/logd, and then
+# only on userdebug or eng builds
+neverallow logd {
+ file_type
+ -runtime_event_log_tags_file
+ # shell_data_file access is needed to dump bugreports
+ -shell_data_file
+ userdebug_or_eng(`-coredump_file -misc_logd_file')
+ with_native_coverage(`-method_trace_data_file')
+}:file { create write append };
+
+# protect the event-log-tags file
+neverallow {
+ domain
+ -appdomain # covered below
+ -bootstat
+ -dumpstate
+ -init
+ -logd
+ userdebug_or_eng(`-logpersist')
+ -servicemanager
+ -system_server
+ -surfaceflinger
+ -zygote
+} runtime_event_log_tags_file:file no_rw_file_perms;
+
+neverallow {
+ appdomain
+ -bluetooth
+ -platform_app
+ -priv_app
+ -radio
+ -shell
+ userdebug_or_eng(`-su')
+ -system_app
+} runtime_event_log_tags_file:file no_rw_file_perms;
+
+# Only binder communication between logd and system_server is allowed
+binder_use(logd)
+binder_service(logd)
+binder_call(logd, system_server)
+
+add_service(logd, logd_service)
+allow logd logcat_service:service_manager find;
diff --git a/prebuilts/api/33.0/private/logpersist.te b/prebuilts/api/33.0/private/logpersist.te
new file mode 100644
index 0000000..e151810
--- /dev/null
+++ b/prebuilts/api/33.0/private/logpersist.te
@@ -0,0 +1,31 @@
+typeattribute logpersist coredomain;
+
+# android debug log storage in logpersist domains (eng and userdebug only)
+userdebug_or_eng(`
+
+ r_dir_file(logpersist, cgroup)
+ r_dir_file(logpersist, cgroup_v2)
+
+ allow logpersist misc_logd_file:file create_file_perms;
+ allow logpersist misc_logd_file:dir rw_dir_perms;
+
+ allow logpersist self:global_capability_class_set sys_nice;
+ allow logpersist pstorefs:dir search;
+ allow logpersist pstorefs:file r_file_perms;
+
+ control_logd(logpersist)
+ unix_socket_connect(logpersist, logdr, logd)
+ get_prop(logpersist, logd_prop)
+ read_runtime_log_tags(logpersist)
+
+')
+
+# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
+neverallow logpersist {
+ file_type
+ userdebug_or_eng(`-misc_logd_file -coredump_file')
+ with_native_coverage(`-method_trace_data_file')
+}:file { create write append };
+neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/33.0/private/lpdumpd.te b/prebuilts/api/33.0/private/lpdumpd.te
new file mode 100644
index 0000000..9f5f87e
--- /dev/null
+++ b/prebuilts/api/33.0/private/lpdumpd.te
@@ -0,0 +1,37 @@
+type lpdumpd, domain, coredomain;
+type lpdumpd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(lpdumpd)
+
+# Allow lpdumpd to register itself as a service.
+binder_use(lpdumpd)
+add_service(lpdumpd, lpdump_service)
+
+# Allow lpdumpd to find the super partition block device.
+allow lpdumpd block_device:dir r_dir_perms;
+
+# Allow lpdumpd to read super partition metadata.
+allow lpdumpd super_block_device_type:blk_file r_file_perms;
+
+# Allow lpdumpd to read fstab.
+allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
+allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
+read_fstab(lpdumpd)
+
+### Neverallow rules
+
+# Disallow other domains to get lpdump_service and call lpdumpd.
+neverallow {
+ domain
+ -dumpstate
+ -lpdumpd
+ -shell
+} lpdump_service:service_manager find;
+
+neverallow {
+ domain
+ -dumpstate
+ -lpdumpd
+ -shell
+ -servicemanager
+} lpdumpd:binder call;
diff --git a/prebuilts/api/33.0/private/mac_permissions.xml b/prebuilts/api/33.0/private/mac_permissions.xml
new file mode 100644
index 0000000..c9a9aca
--- /dev/null
+++ b/prebuilts/api/33.0/private/mac_permissions.xml
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag. The signature can
+ either appear as a set of attached cert child tags or as an attribute.
+ * A signer tag must contain a seinfo tag XOR multiple package stanzas.
+ * Each signer/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process as well as the apps data directory.
+ * seinfo assignments are made according to the following rules:
+ - Stanzas with package name refinements will be checked first.
+ - Stanzas w/o package name refinements will be checked second.
+ - The "default" seinfo label is automatically applied.
+
+ * valid stanzas can take one of the following forms:
+
+ // single cert protecting seinfo
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ // multiple certs protecting seinfo (all contained certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <seinfo value="platform" />
+ </signer>
+
+ // single cert protecting explicitly named app
+ <signer signature="@PLATFORM" >
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+
+ // multiple certs protecting explicitly named app (all certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+-->
+
+ <!-- Platform dev key in AOSP -->
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ <!-- Sdk Sandbox key -->
+ <signer signature="@SDK_SANDBOX" >
+ <seinfo value="sdk_sandbox" />
+ </signer>
+
+ <!-- Bluetooth key in AOSP -->
+ <signer signature="@BLUETOOTH" >
+ <seinfo value="bluetooth" />
+ </signer>
+
+ <!-- Media key in AOSP -->
+ <signer signature="@MEDIA" >
+ <seinfo value="media" />
+ </signer>
+
+ <signer signature="@NETWORK_STACK" >
+ <seinfo value="network_stack" />
+ </signer>
+</policy>
diff --git a/prebuilts/api/33.0/private/mdnsd.te b/prebuilts/api/33.0/private/mdnsd.te
new file mode 100644
index 0000000..98e95da
--- /dev/null
+++ b/prebuilts/api/33.0/private/mdnsd.te
@@ -0,0 +1,12 @@
+# mdns daemon
+
+typeattribute mdnsd coredomain;
+typeattribute mdnsd mlstrustedsubject;
+
+type mdnsd_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(mdnsd)
+
+net_domain(mdnsd)
+
+# Read from /proc/net
+r_dir_file(mdnsd, proc_net_type)
diff --git a/prebuilts/api/26.0/private/mediadrmserver.te b/prebuilts/api/33.0/private/mediadrmserver.te
similarity index 100%
rename from prebuilts/api/26.0/private/mediadrmserver.te
rename to prebuilts/api/33.0/private/mediadrmserver.te
diff --git a/prebuilts/api/33.0/private/mediaextractor.te b/prebuilts/api/33.0/private/mediaextractor.te
new file mode 100644
index 0000000..7bcf5c8
--- /dev/null
+++ b/prebuilts/api/33.0/private/mediaextractor.te
@@ -0,0 +1,10 @@
+typeattribute mediaextractor coredomain;
+
+init_daemon_domain(mediaextractor)
+tmpfs_domain(mediaextractor)
+allow mediaextractor appdomain_tmpfs:file { getattr map read write };
+allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
+allow mediaextractor system_server_tmpfs:file { getattr map read write };
+
+get_prop(mediaextractor, device_config_media_native_prop)
+get_prop(mediaextractor, device_config_swcodec_native_prop)
diff --git a/prebuilts/api/33.0/private/mediametrics.te b/prebuilts/api/33.0/private/mediametrics.te
new file mode 100644
index 0000000..5a6f2e1
--- /dev/null
+++ b/prebuilts/api/33.0/private/mediametrics.te
@@ -0,0 +1,8 @@
+typeattribute mediametrics coredomain;
+
+init_daemon_domain(mediametrics)
+
+# Needed for stats callback registration to statsd.
+allow mediametrics stats_service:service_manager find;
+allow mediametrics statsmanager_service:service_manager find;
+binder_call(mediametrics, statsd)
diff --git a/prebuilts/api/33.0/private/mediaprovider.te b/prebuilts/api/33.0/private/mediaprovider.te
new file mode 100644
index 0000000..545d9ea
--- /dev/null
+++ b/prebuilts/api/33.0/private/mediaprovider.te
@@ -0,0 +1,49 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+typeattribute mediaprovider coredomain;
+app_domain(mediaprovider)
+
+# DownloadProvider accesses the network.
+net_domain(mediaprovider)
+
+# DownloadProvider uses /cache.
+allow mediaprovider cache_file:dir create_dir_perms;
+allow mediaprovider cache_file:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow mediaprovider cache_file:lnk_file r_file_perms;
+# mediaprovider searches through /cache looking for orphans
+# Ignore denials to /cache/recovery and /cache/backup.
+dontaudit mediaprovider cache_private_backup_file:dir getattr;
+dontaudit mediaprovider cache_recovery_file:dir getattr;
+
+# Access external sdcards through /mnt/media_rw
+allow mediaprovider { mnt_media_rw_file }:dir search;
+
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider cameraserver_service:service_manager find;
+allow mediaprovider drmserver_service:service_manager find;
+allow mediaprovider mediaextractor_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+
+# Allow MediaProvider to read/write cached ringtones (opened by system).
+allow mediaprovider ringtone_file:file { getattr read write };
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
+allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_ALLOC;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+get_prop(mediaprovider, ffs_config_prop)
+set_prop(mediaprovider, ffs_control_prop)
+
+# DownloadManager may retrieve DRM status
+get_prop(mediaprovider, drm_service_config_prop)
diff --git a/prebuilts/api/33.0/private/mediaprovider_app.te b/prebuilts/api/33.0/private/mediaprovider_app.te
new file mode 100644
index 0000000..a9a52bb
--- /dev/null
+++ b/prebuilts/api/33.0/private/mediaprovider_app.te
@@ -0,0 +1,70 @@
+###
+### A domain for further sandboxing the MediaProvider mainline module.
+###
+type mediaprovider_app, domain, coredomain, bpfdomain;
+
+app_domain(mediaprovider_app)
+
+# Access to /mnt/pass_through.
+r_dir_file(mediaprovider_app, mnt_pass_through_file)
+
+# Allow MediaProvider to host a FUSE daemon for external storage
+allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
+
+# Allow MediaProvider to read/write media_rw_data_file files and dirs
+allow mediaprovider_app media_rw_data_file:file create_file_perms;
+allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
+
+# Talk to the DRM service
+allow mediaprovider_app drmserver_service:service_manager find;
+
+# Talk to the MediaServer service
+allow mediaprovider_app mediaserver_service:service_manager find;
+
+# Talk to the AudioServer service
+allow mediaprovider_app audioserver_service:service_manager find;
+
+# Talk to the MediaCodec APIs that log media metrics
+allow mediaprovider_app mediametrics_service:service_manager find;
+
+# Talk to regular app services
+allow mediaprovider_app app_api_service:service_manager find;
+
+# Talk to the GPU service
+binder_call(mediaprovider_app, gpuservice)
+
+# Talk to statsd
+allow mediaprovider_app statsmanager_service:service_manager find;
+binder_call(mediaprovider_app, statsd)
+
+# read pipe-max-size configuration
+allow mediaprovider_app proc_pipe_conf:file r_file_perms;
+
+# Allow MediaProvider to set extended attributes (such as quota project ID)
+# on media files.
+allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
+
+# Access external sdcards through /mnt/media_rw
+allow mediaprovider_app { mnt_media_rw_file }:dir search;
+
+allow mediaprovider_app proc_filesystems:file r_file_perms;
+
+#Allow MediaProvider to see if sdcardfs is in use
+get_prop(mediaprovider_app, storage_config_prop)
+
+get_prop(mediaprovider_app, drm_service_config_prop)
+
+allow mediaprovider_app gpu_device:chr_file rw_file_perms;
+allow mediaprovider_app gpu_device:dir r_dir_perms;
+
+dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
+dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
+
+# bpfprog access for FUSE BPF
+allow mediaprovider_app fs_bpf:file read;
+allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
diff --git a/prebuilts/api/33.0/private/mediaserver.te b/prebuilts/api/33.0/private/mediaserver.te
new file mode 100644
index 0000000..6fe460c
--- /dev/null
+++ b/prebuilts/api/33.0/private/mediaserver.te
@@ -0,0 +1,20 @@
+typeattribute mediaserver coredomain;
+
+init_daemon_domain(mediaserver)
+tmpfs_domain(mediaserver)
+allow mediaserver appdomain_tmpfs:file { getattr map read write };
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
+hal_client_domain(mediaserver, hal_configstore)
+hal_client_domain(mediaserver, hal_drm)
+hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
+set_prop(mediaserver, audio_prop)
+
+get_prop(mediaserver, drm_service_config_prop)
+get_prop(mediaserver, media_config_prop)
+
+# Allow mediaserver to start media.transcoding service via ctl.start.
+set_prop(mediaserver, ctl_mediatranscoding_prop);
diff --git a/prebuilts/api/33.0/private/mediaswcodec.te b/prebuilts/api/33.0/private/mediaswcodec.te
new file mode 100644
index 0000000..02079c1
--- /dev/null
+++ b/prebuilts/api/33.0/private/mediaswcodec.te
@@ -0,0 +1,6 @@
+typeattribute mediaswcodec coredomain;
+
+init_daemon_domain(mediaswcodec)
+
+get_prop(mediaswcodec, device_config_media_native_prop)
+get_prop(mediaswcodec, device_config_swcodec_native_prop)
diff --git a/prebuilts/api/33.0/private/mediatranscoding.te b/prebuilts/api/33.0/private/mediatranscoding.te
new file mode 100644
index 0000000..829d948
--- /dev/null
+++ b/prebuilts/api/33.0/private/mediatranscoding.te
@@ -0,0 +1,66 @@
+# mediatranscoding - daemon for transcoding video and image.
+type mediatranscoding_exec, system_file_type, exec_type, file_type;
+type mediatranscoding_tmpfs, file_type;
+typeattribute mediatranscoding coredomain;
+
+init_daemon_domain(mediatranscoding)
+tmpfs_domain(mediatranscoding)
+allow mediatranscoding appdomain_tmpfs:file { getattr map read write };
+
+binder_use(mediatranscoding)
+binder_call(mediatranscoding, binderservicedomain)
+binder_call(mediatranscoding, appdomain)
+binder_service(mediatranscoding)
+
+add_service(mediatranscoding, mediatranscoding_service)
+
+hal_client_domain(mediatranscoding, hal_graphics_allocator)
+hal_client_domain(mediatranscoding, hal_configstore)
+hal_client_domain(mediatranscoding, hal_omx)
+hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)
+
+allow mediatranscoding mediaserver_service:service_manager find;
+allow mediatranscoding mediametrics_service:service_manager find;
+allow mediatranscoding mediaextractor_service:service_manager find;
+allow mediatranscoding package_native_service:service_manager find;
+allow mediatranscoding thermal_service:service_manager find;
+
+allow mediatranscoding system_server:fd use;
+allow mediatranscoding activity_service:service_manager find;
+
+# allow mediatranscoding service read/write permissions for file sources
+allow mediatranscoding sdcardfs:file { getattr read write };
+allow mediatranscoding media_rw_data_file:file { getattr read write };
+allow mediatranscoding apk_data_file:file { getattr read };
+allow mediatranscoding app_data_file:file { getattr read write };
+allow mediatranscoding shell_data_file:file { getattr read write };
+
+# allow mediatranscoding service write permission to statsd socket
+unix_socket_send(mediatranscoding, statsdw, statsd)
+
+# Allow mediatranscoding to access the DMA-BUF system heap
+allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow mediatranscoding gpu_device:chr_file rw_file_perms;
+allow mediatranscoding gpu_device:dir r_dir_perms;
+
+# Allow mediatranscoding service to access media-related system properties
+get_prop(mediatranscoding, media_config_prop)
+
+# mediatranscoding should never execute any executable without a
+# domain transition
+neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
+neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/prebuilts/api/33.0/private/mediatuner.te b/prebuilts/api/33.0/private/mediatuner.te
new file mode 100644
index 0000000..413d2e5
--- /dev/null
+++ b/prebuilts/api/33.0/private/mediatuner.te
@@ -0,0 +1,30 @@
+# mediatuner - mediatuner daemon
+type mediatuner, domain;
+type mediatuner_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediatuner coredomain;
+
+init_daemon_domain(mediatuner)
+hal_client_domain(mediatuner, hal_tv_tuner)
+
+binder_use(mediatuner)
+binder_call(mediatuner, appdomain)
+binder_service(mediatuner)
+
+add_service(mediatuner, mediatuner_service)
+allow mediatuner system_server:fd use;
+allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
+allow mediatuner package_native_service:service_manager find;
+binder_call(mediatuner, system_server)
+
+###
+### neverallow rules
+###
+
+# mediatuner should never execute any executable without a
+# domain transition
+neverallow mediatuner { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
diff --git a/prebuilts/api/33.0/private/migrate_legacy_obb_data.te b/prebuilts/api/33.0/private/migrate_legacy_obb_data.te
new file mode 100644
index 0000000..b2a1fb1
--- /dev/null
+++ b/prebuilts/api/33.0/private/migrate_legacy_obb_data.te
@@ -0,0 +1,28 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+allow migrate_legacy_obb_data mnt_user_file:dir search;
+allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
+allow migrate_legacy_obb_data storage_file:dir search;
+allow migrate_legacy_obb_data storage_file:lnk_file read;
+
+allow migrate_legacy_obb_data sdcard_type:dir create_dir_perms;
+allow migrate_legacy_obb_data sdcard_type:file create_file_perms;
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
diff --git a/prebuilts/api/33.0/private/mls b/prebuilts/api/33.0/private/mls
new file mode 100644
index 0000000..955c27b
--- /dev/null
+++ b/prebuilts/api/33.0/private/mls
@@ -0,0 +1,116 @@
+#################################################
+# MLS policy constraints
+#
+
+#
+# Process constraints
+#
+
+# Process transition: Require equivalence unless the subject is trusted.
+mlsconstrain process { transition dyntransition }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Process read operations: No read up unless trusted.
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+ (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Process write operations: Require equivalence unless trusted.
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
+ (l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Socket constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Sockets inherit the range of their creator.
+mlsconstrain socket_class_set { create relabelfrom relabelto }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Datagram send: Sender must be equivalent to the receiver unless one of them
+# is trusted.
+mlsconstrain unix_dgram_socket { sendto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Stream connect: Client must be equivalent to server unless one of them
+# is trusted.
+mlsconstrain unix_stream_socket { connectto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+#
+# Directory/file constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Also, files should always be single-level.
+# Do NOT exempt mlstrustedobject types from this constraint.
+mlsconstrain dir_file_class_set { create relabelfrom relabelto }
+ (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+#
+# Userfaultfd constraints
+#
+# To enforce that anonymous inodes are self contained in the application's process.
+mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
+ (l1 eq l2);
+
+#
+# Constraints for app data files only.
+#
+
+# Only constrain open, not read/write, so already open fds can be used.
+# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
+# Subject must dominate object unless the subject is trusted.
+mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
+ (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
+mlsconstrain { file sock_file } { open setattr unlink link rename }
+ ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+
+# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
+mlsconstrain { lnk_file } { open setattr unlink link rename read }
+ ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
+# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
+# TODO: Migrate to equivalence when it's no longer needed.
+mlsconstrain { lnk_file } { open setattr unlink link rename read }
+ ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+
+#
+# Constraints for file types other than app data files.
+#
+
+# Read operations: Subject must dominate object unless the subject
+# or the object is trusted.
+mlsconstrain dir { read getattr search }
+ (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
+ or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+ (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Write operations: Subject must be equivalent to the object unless the
+# subject or the object is trusted.
+mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
+ (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
+ (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Special case for FIFOs.
+# These can be unnamed pipes, in which case they will be labeled with the
+# creating process' label. Thus we also have an exemption when the "object"
+# is a domain type, so that processes can communicate via unnamed pipes
+# passed by binder or local socket IPC.
+mlsconstrain fifo_file { read getattr }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+mlsconstrain fifo_file { write setattr append unlink link rename }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+#
+# Binder IPC constraints
+#
+# Presently commented out, as apps are expected to call one another.
+# This would only make sense if apps were assigned categories
+# based on allowable communications rather than per-app categories.
+#mlsconstrain binder call
+# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/prebuilts/api/26.0/private/mls_decl b/prebuilts/api/33.0/private/mls_decl
similarity index 100%
rename from prebuilts/api/26.0/private/mls_decl
rename to prebuilts/api/33.0/private/mls_decl
diff --git a/prebuilts/api/26.0/private/mls_macros b/prebuilts/api/33.0/private/mls_macros
similarity index 100%
rename from prebuilts/api/26.0/private/mls_macros
rename to prebuilts/api/33.0/private/mls_macros
diff --git a/prebuilts/api/33.0/private/mlstrustedsubject.te b/prebuilts/api/33.0/private/mlstrustedsubject.te
new file mode 100644
index 0000000..22482d9
--- /dev/null
+++ b/prebuilts/api/33.0/private/mlstrustedsubject.te
@@ -0,0 +1,30 @@
+# MLS override can't be used to access private app data.
+
+# Apps should not normally be mlstrustedsubject, but if they must be
+# they cannot use this to access app private data files; their own app
+# data files must use a different label.
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:dir ~{ read getattr search };
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+ -system_server
+ -adbd
+ -runas
+ -zygote
+} { app_data_file privapp_data_file }:dir { read getattr search };
diff --git a/prebuilts/api/33.0/private/mm_events.te b/prebuilts/api/33.0/private/mm_events.te
new file mode 100644
index 0000000..4875d40
--- /dev/null
+++ b/prebuilts/api/33.0/private/mm_events.te
@@ -0,0 +1,14 @@
+type mm_events, domain, coredomain;
+type mm_events_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mm_events)
+
+allow mm_events shell_exec:file rx_file_perms;
+
+# Allow running the sleep command to rate limit attempts
+# to arm mm_events on failure.
+allow mm_events toolbox_exec:file rx_file_perms;
+
+allow mm_events perfetto_exec:file rx_file_perms;
+
+domain_auto_trans(mm_events, perfetto_exec, perfetto)
diff --git a/prebuilts/api/26.0/private/modprobe.te b/prebuilts/api/33.0/private/modprobe.te
similarity index 100%
rename from prebuilts/api/26.0/private/modprobe.te
rename to prebuilts/api/33.0/private/modprobe.te
diff --git a/prebuilts/api/33.0/private/mtectrl.te b/prebuilts/api/33.0/private/mtectrl.te
new file mode 100644
index 0000000..436dcae
--- /dev/null
+++ b/prebuilts/api/33.0/private/mtectrl.te
@@ -0,0 +1,10 @@
+# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
+type mtectrl, domain, coredomain;
+type mtectrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mtectrl)
+
+# mtectrl communicates the request to the bootloader via the misc partition.
+allow mtectrl misc_block_device:blk_file w_file_perms;
+allow mtectrl block_device:dir r_dir_perms;
+read_fstab(mtectrl)
diff --git a/prebuilts/api/33.0/private/mtp.te b/prebuilts/api/33.0/private/mtp.te
new file mode 100644
index 0000000..732e111
--- /dev/null
+++ b/prebuilts/api/33.0/private/mtp.te
@@ -0,0 +1,3 @@
+typeattribute mtp coredomain;
+
+init_daemon_domain(mtp)
diff --git a/prebuilts/api/33.0/private/net.te b/prebuilts/api/33.0/private/net.te
new file mode 100644
index 0000000..9e15f41
--- /dev/null
+++ b/prebuilts/api/33.0/private/net.te
@@ -0,0 +1,18 @@
+# Bind to ports.
+allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
+
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+ netdomain
+ -ephemeral_app
+ -mediaprovider
+ -sdk_sandbox
+ -untrusted_app_all
+} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
+
diff --git a/prebuilts/api/33.0/private/netd.te b/prebuilts/api/33.0/private/netd.te
new file mode 100644
index 0000000..30dcd08
--- /dev/null
+++ b/prebuilts/api/33.0/private/netd.te
@@ -0,0 +1,42 @@
+typeattribute netd coredomain;
+typeattribute netd bpfdomain;
+
+init_daemon_domain(netd)
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+
+# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
+# the map created by bpfloader
+allow netd bpfloader:bpf { prog_run map_read map_write };
+
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+# TODO: Remove this after we remove all bpf interactions from netd.
+allow netd self:key_socket create;
+
+set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
+
+get_prop(netd, adbd_config_prop)
+get_prop(netd, bpf_progs_loaded_prop)
+get_prop(netd, hwservicemanager_prop)
+get_prop(netd, device_config_netd_native_prop)
+
+# Allow netd to write to statsd.
+unix_socket_send(netd, statsdw, statsd)
+
+# Allow netd to send callbacks to network_stack
+binder_call(netd, network_stack)
+
+# Allow netd to send dump info to dumpstate
+allow netd dumpstate:fd use;
+allow netd dumpstate:fifo_file { getattr write };
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/prebuilts/api/33.0/private/netutils_wrapper.te b/prebuilts/api/33.0/private/netutils_wrapper.te
new file mode 100644
index 0000000..af0360f
--- /dev/null
+++ b/prebuilts/api/33.0/private/netutils_wrapper.te
@@ -0,0 +1,45 @@
+typeattribute netutils_wrapper coredomain;
+typeattribute netutils_wrapper bpfdomain;
+
+r_dir_file(netutils_wrapper, system_file);
+
+# For netutils (ip, iptables, tc)
+allow netutils_wrapper self:global_capability_class_set net_raw;
+
+allow netutils_wrapper system_file:file { execute execute_no_trans };
+allow netutils_wrapper proc_net_type:file { open read getattr };
+allow netutils_wrapper self:rawip_socket create_socket_perms;
+allow netutils_wrapper self:udp_socket create_socket_perms;
+allow netutils_wrapper self:global_capability_class_set net_admin;
+# ip utils need everything but ioctl
+allow netutils_wrapper self:netlink_route_socket ~ioctl;
+allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
+
+# For netutils (ndc) to be able to talk to netd
+allow netutils_wrapper netd_service:service_manager find;
+allow netutils_wrapper dnsresolver_service:service_manager find;
+allow netutils_wrapper mdns_service:service_manager find;
+binder_use(netutils_wrapper);
+binder_call(netutils_wrapper, netd);
+
+# For vendor code that update the iptables rules at runtime. They need to reload
+# the whole chain including the xt_bpf rules. They need to access to the pinned
+# program when reloading the rule.
+allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper bpfloader:bpf prog_run;
+
+# For /data/misc/net access to ndc and ip
+r_dir_file(netutils_wrapper, net_data_file)
+
+domain_auto_trans({
+ domain
+ -coredomain
+ -appdomain
+}, netutils_wrapper_exec, netutils_wrapper)
+
+# suppress spurious denials
+dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+dontaudit netutils_wrapper sysfs_type:file read;
+
+# netutils wrapper may only use the following capabilities.
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
diff --git a/prebuilts/api/33.0/private/network_stack.te b/prebuilts/api/33.0/private/network_stack.te
new file mode 100644
index 0000000..b105938
--- /dev/null
+++ b/prebuilts/api/33.0/private/network_stack.te
@@ -0,0 +1,65 @@
+# Networking service app
+typeattribute network_stack coredomain;
+typeattribute network_stack mlstrustedsubject;
+typeattribute network_stack bpfdomain;
+
+app_domain(network_stack);
+net_domain(network_stack);
+
+allow network_stack self:global_capability_class_set {
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+};
+
+# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
+allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# The DhcpClient uses packet_sockets
+allow network_stack self:packet_socket create_socket_perms_no_ioctl;
+
+# Monitor neighbors via netlink.
+allow network_stack self:netlink_route_socket nlmsg_write;
+
+allow network_stack app_api_service:service_manager find;
+allow network_stack dnsresolver_service:service_manager find;
+allow network_stack mdns_service:service_manager find;
+allow network_stack netd_service:service_manager find;
+allow network_stack network_watchlist_service:service_manager find;
+allow network_stack radio_service:service_manager find;
+allow network_stack system_config_service:service_manager find;
+allow network_stack radio_data_file:dir create_dir_perms;
+allow network_stack radio_data_file:file create_file_perms;
+
+binder_call(network_stack, netd);
+
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow network_stack self:key_socket create;
+# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
+# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
+dontaudit network_stack self:key_socket getopt;
+
+# Grant read permission of connectivity namespace system property prefix.
+get_prop(network_stack, device_config_connectivity_prop)
+
+# Create/use netlink_tcpdiag_socket to get tcp info
+allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+############### Tethering Service app - Tethering.apk ##############
+hal_client_domain(network_stack, hal_tetheroffload)
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow network_stack network_stack_service:service_manager find;
+# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
+allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
+allow network_stack bpfloader:bpf { map_read map_write prog_run };
+
+# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# Unfortunately init/vendor_init have all sorts of extra privs
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
+
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/prebuilts/api/33.0/private/nfc.te b/prebuilts/api/33.0/private/nfc.te
new file mode 100644
index 0000000..f1a08f7
--- /dev/null
+++ b/prebuilts/api/33.0/private/nfc.te
@@ -0,0 +1,35 @@
+# nfc subsystem
+typeattribute nfc coredomain, mlstrustedsubject;
+app_domain(nfc)
+net_domain(nfc)
+
+binder_service(nfc)
+add_service(nfc, nfc_service)
+
+hal_client_domain(nfc, hal_nfc)
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+allow nfc nfc_logs_data_file:dir rw_dir_perms;
+allow nfc nfc_logs_data_file:file create_file_perms;
+
+# SoundPool loading and playback
+allow nfc audioserver_service:service_manager find;
+allow nfc drmserver_service:service_manager find;
+allow nfc mediametrics_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
+allow nfc mediaserver_service:service_manager find;
+
+allow nfc radio_service:service_manager find;
+allow nfc app_api_service:service_manager find;
+allow nfc system_api_service:service_manager find;
+allow nfc vr_manager_service:service_manager find;
+allow nfc secure_element_service:service_manager find;
+
+set_prop(nfc, nfc_prop);
+
+# already open bugreport file descriptors may be shared with
+# the nfc process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow nfc shell_data_file:file read;
diff --git a/prebuilts/api/33.0/private/odrefresh.te b/prebuilts/api/33.0/private/odrefresh.te
new file mode 100644
index 0000000..d716309
--- /dev/null
+++ b/prebuilts/api/33.0/private/odrefresh.te
@@ -0,0 +1,60 @@
+# odrefresh
+type odrefresh, domain, coredomain;
+type odrefresh_exec, system_file_type, exec_type, file_type;
+
+# Allow odrefresh to create files and directories for on device signing.
+allow odrefresh apex_module_data_file:dir { getattr search };
+allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow odrefresh apex_art_data_file:file create_file_perms;
+
+# Allow odrefresh to create data files (typically for metrics before statsd starts).
+allow odrefresh odrefresh_data_file:dir create_dir_perms;
+allow odrefresh odrefresh_data_file:file create_file_perms;
+
+userfaultfd_use(odrefresh)
+
+# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
+# sets up files here and passes file descriptors for dex2oat to write to.
+allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
+allow odrefresh apex_art_staging_data_file:file create_file_perms;
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow odrefresh odsign_devpts:chr_file { read write };
+allow odrefresh odsign:fd use;
+
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# Allow updating boot animation status.
+set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
+
+# Do not audit unused resources from parent processes (adb, shell, su).
+# These appear to be unnecessary for odrefresh.
+dontaudit odrefresh { adbd shell }:fd use;
+dontaudit odrefresh devpts:chr_file rw_file_perms;
+dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
+
+# No other processes should be creating files in the staging area.
+neverallow { domain -init -odrefresh -compos_fd_server } apex_art_staging_data_file:file open;
+
+# No processes other than init, odrefresh and system_server access
+# odrefresh_data_files.
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
diff --git a/prebuilts/api/33.0/private/odsign.te b/prebuilts/api/33.0/private/odsign.te
new file mode 100644
index 0000000..f06795c
--- /dev/null
+++ b/prebuilts/api/33.0/private/odsign.te
@@ -0,0 +1,69 @@
+# odsign - on-device signing.
+type odsign, domain;
+
+# odsign - Binary for signing ART artifacts.
+typeattribute odsign coredomain;
+
+type odsign_exec, exec_type, file_type, system_file_type;
+
+# Allow init to start odsign
+init_daemon_domain(odsign)
+
+# Allow using persistent storage in /data/odsign
+allow odsign odsign_data_file:dir create_dir_perms;
+allow odsign odsign_data_file:file create_file_perms;
+
+# Allow using persistent storage in /data/odsign/metrics - to add metrics related files
+allow odsign odsign_metrics_file:dir rw_dir_perms;
+allow odsign odsign_metrics_file:file create_file_perms;
+
+# Create and use pty created by android_fork_execvp().
+create_pty(odsign)
+
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
+allowxperm odsign apex_art_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
+};
+
+# talk to binder services (for keystore)
+binder_use(odsign);
+
+# talk to keystore specifically
+use_keystore(odsign);
+
+# Use our dedicated keystore key
+allow odsign odsign_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ use
+};
+
+# talk to keymaster
+hal_client_domain(odsign, hal_keymaster)
+
+# For ART apex data dir access
+allow odsign apex_module_data_file:dir { getattr search };
+
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
+allow odsign apex_art_data_file:file { rw_file_perms unlink };
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(odsign, odrefresh_exec, odrefresh)
+
+# Run fsverity_init to add key to fsverity keyring
+domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+
+# Run compos_verify to verify CompOs signatures
+domain_auto_trans(odsign, compos_verify_exec, compos_verify)
+
+# only odsign can set odsign sysprop
+set_prop(odsign, odsign_prop)
+neverallow { domain -odsign -init } odsign_prop:property_service set;
+
+# Allow odsign to stop itself
+set_prop(odsign, ctl_odsign_prop)
+
+# Neverallows
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
diff --git a/prebuilts/api/33.0/private/otapreopt_chroot.te b/prebuilts/api/33.0/private/otapreopt_chroot.te
new file mode 100644
index 0000000..ea9d4ee
--- /dev/null
+++ b/prebuilts/api/33.0/private/otapreopt_chroot.te
@@ -0,0 +1,98 @@
+# otapreopt_chroot executable
+typeattribute otapreopt_chroot coredomain;
+type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot apex_mnt_dir:dir mounton;
+allow otapreopt_chroot device:dir mounton;
+allow otapreopt_chroot linkerconfig_file:dir mounton;
+allow otapreopt_chroot rootfs:dir mounton;
+allow otapreopt_chroot sysfs:dir mounton;
+allow otapreopt_chroot system_data_root_file:dir mounton;
+allow otapreopt_chroot system_file:dir mounton;
+allow otapreopt_chroot vendor_file:dir mounton;
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# This is required for dynamic partitions.
+allow otapreopt_chroot dm_device:chr_file rw_file_perms;
+
+# This is required to unmount flattened APEX packages under
+# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
+allow otapreopt_chroot postinstall_file:filesystem unmount;
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
+
+# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
+domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
+domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
+
+# Allow otapreopt_chroot to control linkerconfig
+allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
+allow otapreopt_chroot linkerconfig_file:file create_file_perms;
+
+# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
+allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
+# Allow otapreopt_chroot to access loop devices.
+allow otapreopt_chroot loop_device:blk_file rw_file_perms;
+allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+ LOOP_CONFIGURE
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
+# Allow otapreopt_chroot to configure read-ahead of loop devices.
+allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
+allow otapreopt_chroot sysfs_loop:file rw_file_perms;
+
+# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
+allow otapreopt_chroot tmpfs:filesystem mount;
+# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir relabelfrom;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
+
+# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
+allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
+# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
+
+# Allow otapreopt_chroot to access /dev/block (needed to detach loop
+# devices used by ext4 images from APEX packages).
+allow otapreopt_chroot block_device:dir r_dir_perms;
+
+# Allow to access the linker through the symlink.
+allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
+
+# Allow otapreopt_chroot to read ro.cold_boot_done prop.
+# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
+# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
+get_prop(otapreopt_chroot, cold_boot_done_prop)
+
+# allow otapreopt_chroot to run the linkerconfig from the new image.
+allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
diff --git a/prebuilts/api/33.0/private/otapreopt_slot.te b/prebuilts/api/33.0/private/otapreopt_slot.te
new file mode 100644
index 0000000..27a3b0e
--- /dev/null
+++ b/prebuilts/api/33.0/private/otapreopt_slot.te
@@ -0,0 +1,28 @@
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type otapreopt_slot, domain, mlstrustedsubject, coredomain;
+type otapreopt_slot_exec, system_file_type, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
+
+# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
+# the directory afterwards. For logging of aggregate size, we need getattr.
+allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
+allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
+
+# Delete old content of the dalvik-cache.
+allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
+allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
+allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow otapreopt_slot shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
+# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
+allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/33.0/private/perfetto.te b/prebuilts/api/33.0/private/perfetto.te
new file mode 100644
index 0000000..5897aed
--- /dev/null
+++ b/prebuilts/api/33.0/private/perfetto.te
@@ -0,0 +1,130 @@
+# Perfetto command-line client. Can be used only from the domains that are
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# This command line client accesses the privileged socket of the traced
+# daemon.
+
+type perfetto_exec, system_file_type, exec_type, file_type;
+type perfetto_tmpfs, file_type;
+
+tmpfs_domain(perfetto);
+
+# Allow init to start a trace (for perfetto_boottrace).
+init_daemon_domain(perfetto)
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Connect to the Perfetto traced daemon as a producer. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(perfetto)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow perfetto to access the proxy service for reporting traces.
+allow perfetto tracingproxy_service:service_manager find;
+binder_use(perfetto)
+binder_call(perfetto, system_server)
+
+# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
+# shell and adb can write files into that directory.
+allow perfetto perfetto_configs_data_file:dir r_dir_perms;
+allow perfetto perfetto_configs_data_file:file r_file_perms;
+
+# Allow perfetto to read the trace config from statsd, mm_events and shell
+# (both root and non-root) on stdin and also to write the resulting trace to
+# stdout.
+allow perfetto { statsd mm_events shell su }:fd use;
+allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
+
+# Allow to communicate use, read and write over the adb connection.
+allow perfetto adbd:fd use;
+allow perfetto adbd:unix_stream_socket { read write };
+
+# Allow adbd to reap perfetto.
+allow perfetto adbd:process { sigchld };
+
+# Allow perfetto to write to statsd.
+unix_socket_send(perfetto, statsdw, statsd)
+
+# Allow to access /dev/pts when launched in an adb shell.
+allow perfetto devpts:chr_file rw_file_perms;
+
+# Allow perfetto to ask incidentd to start a report.
+# TODO(lalitm): remove all incidentd rules when proxy service is stable.
+allow perfetto incident_service:service_manager find;
+binder_call(perfetto, incidentd)
+
+# perfetto log formatter calls isatty() on its stderr. Denial when running
+# under adbd is harmless. Avoid generating denial logs.
+dontaudit perfetto adbd:unix_stream_socket getattr;
+dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
+# As above, when adbd is running in "su" domain (only the ioctl is denied in
+# practice).
+dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
+# Similarly, CTS tests end up hitting a denial on shell pipes.
+dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
+
+###
+### Neverallow rules
+###
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -dumpstate # For attaching traces to bugreports.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+ -priv_app # For stating traces for bug-report UI.
+} perfetto_traces_data_file:dir *;
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow perfetto self:process execmem;
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto {
+ data_file_type
+ -system_data_file
+ -system_data_root_file
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+ -perfetto_configs_data_file
+ with_native_coverage(`-method_trace_data_file')
+}:dir *;
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
+neverallow perfetto {
+ data_file_type
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+ -perfetto_configs_data_file
+ with_native_coverage(`-method_trace_data_file')
+}:file ~write;
diff --git a/prebuilts/api/26.0/private/performanced.te b/prebuilts/api/33.0/private/performanced.te
similarity index 100%
rename from prebuilts/api/26.0/private/performanced.te
rename to prebuilts/api/33.0/private/performanced.te
diff --git a/prebuilts/api/33.0/private/permissioncontroller_app.te b/prebuilts/api/33.0/private/permissioncontroller_app.te
new file mode 100644
index 0000000..5f81875
--- /dev/null
+++ b/prebuilts/api/33.0/private/permissioncontroller_app.te
@@ -0,0 +1,22 @@
+###
+### A domain for further sandboxing the GooglePermissionController app.
+###
+type permissioncontroller_app, domain, coredomain;
+
+app_domain(permissioncontroller_app)
+
+allow permissioncontroller_app app_api_service:service_manager find;
+allow permissioncontroller_app system_api_service:service_manager find;
+
+# Allow interaction with gpuservice
+binder_call(permissioncontroller_app, gpuservice)
+
+allow permissioncontroller_app radio_service:service_manager find;
+
+# Allow the app to request and collect incident reports.
+# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
+allow permissioncontroller_app incident_service:service_manager find;
+binder_call(permissioncontroller_app, incidentd)
+allow permissioncontroller_app incidentd:fifo_file { read write };
+
+allow permissioncontroller_app gpu_device:dir search;
diff --git a/prebuilts/api/33.0/private/platform_app.te b/prebuilts/api/33.0/private/platform_app.te
new file mode 100644
index 0000000..b723633
--- /dev/null
+++ b/prebuilts/api/33.0/private/platform_app.te
@@ -0,0 +1,128 @@
+###
+### Apps signed with the platform key.
+###
+
+typeattribute platform_app coredomain;
+
+app_domain(platform_app)
+
+# Access the network.
+net_domain(platform_app)
+# Access bluetooth.
+bluetooth_domain(platform_app)
+# Read from /data/local/tmp or /data/data/com.android.shell.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app icon_file:file { open getattr read };
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
+
+# Access to /data/media.
+allow platform_app media_rw_data_file:dir create_dir_perms;
+allow platform_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow platform_app cache_file:dir create_dir_perms;
+allow platform_app cache_file:file create_file_perms;
+
+# Direct access to vold-mounted storage under /mnt/media_rw
+# This is a performance optimization that allows platform apps to bypass the FUSE layer
+allow platform_app mnt_media_rw_file:dir r_dir_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+allow platform_app sdcard_type:file create_file_perms;
+
+# com.android.systemui
+allow platform_app rootfs:dir getattr;
+get_prop(platform_app, radio_cdma_ecm_prop)
+userdebug_or_eng(`
+ set_prop(platform_app, persist_wm_debug_prop)
+')
+neverallow { domain -init -dumpstate userdebug_or_eng(`-domain') } persist_wm_debug_prop:property_service set;
+
+# com.android.captiveportallogin reads /proc/vmstat
+allow platform_app {
+ proc_vmstat
+}:file r_file_perms;
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(platform_app, proc_net_type)
+userdebug_or_eng(`
+ auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+allow platform_app audioserver_service:service_manager find;
+allow platform_app cameraserver_service:service_manager find;
+allow platform_app drmserver_service:service_manager find;
+allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediametrics_service:service_manager find;
+allow platform_app mediaextractor_service:service_manager find;
+allow platform_app mediadrmserver_service:service_manager find;
+allow platform_app persistent_data_block_service:service_manager find;
+allow platform_app radio_service:service_manager find;
+allow platform_app thermal_service:service_manager find;
+allow platform_app timezone_service:service_manager find;
+allow platform_app app_api_service:service_manager find;
+allow platform_app system_api_service:service_manager find;
+allow platform_app vr_manager_service:service_manager find;
+allow platform_app stats_service:service_manager find;
+
+# Allow platform apps to log via statsd.
+binder_call(platform_app, statsd)
+
+# Allow platform applications to find and call artd for testing
+userdebug_or_eng(`
+ allow platform_app artd_service:service_manager find;
+ binder_call(platform_app, artd)
+')
+
+# Access to /data/preloads
+allow platform_app preloads_data_file:file r_file_perms;
+allow platform_app preloads_data_file:dir r_dir_perms;
+allow platform_app preloads_media_file:file r_file_perms;
+allow platform_app preloads_media_file:dir r_dir_perms;
+
+read_runtime_log_tags(platform_app)
+
+# allow platform apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow platform_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow platform apps to connect to the property service
+set_prop(platform_app, test_boot_reason_prop)
+
+# allow platform apps to read keyguard.no_require_sim
+get_prop(platform_app, keyguard_config_prop)
+
+# allow platform apps to read qemu.hw.mainkeys
+get_prop(platform_app, qemu_hw_prop)
+
+# allow platform apps to create symbolic link
+allow platform_app app_data_file:lnk_file create_file_perms;
+
+# suppress denials caused by debugfs_tracing
+dontaudit platform_app debugfs_tracing:file rw_file_perms;
+
+# Allow platform apps to act as Perfetto producers.
+perfetto_producer(platform_app)
+
+# TODO(b/217368496): remove this.
+can_profile_heap(platform_app)
+can_profile_perf(platform_app)
+
+# Allow platform apps to create VMs
+virtualizationservice_use(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/prebuilts/api/33.0/private/policy_capabilities b/prebuilts/api/33.0/private/policy_capabilities
new file mode 100644
index 0000000..9290e3a
--- /dev/null
+++ b/prebuilts/api/33.0/private/policy_capabilities
@@ -0,0 +1,20 @@
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
+
+# Enable separate security classes for
+# all network address families previously
+# mapped to the socket class and for
+# ICMP and SCTP sockets previously mapped
+# to the rawip_socket class.
+policycap extended_socket_class;
+
+# Enable NoNewPrivileges support. Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;
diff --git a/prebuilts/api/26.0/private/port_contexts b/prebuilts/api/33.0/private/port_contexts
similarity index 100%
rename from prebuilts/api/26.0/private/port_contexts
rename to prebuilts/api/33.0/private/port_contexts
diff --git a/prebuilts/api/33.0/private/postinstall.te b/prebuilts/api/33.0/private/postinstall.te
new file mode 100644
index 0000000..7060c59
--- /dev/null
+++ b/prebuilts/api/33.0/private/postinstall.te
@@ -0,0 +1,5 @@
+typeattribute postinstall coredomain;
+type postinstall_exec, system_file_type, exec_type, file_type;
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
+
+allow postinstall rootfs:dir r_dir_perms;
diff --git a/prebuilts/api/33.0/private/postinstall_dexopt.te b/prebuilts/api/33.0/private/postinstall_dexopt.te
new file mode 100644
index 0000000..2fdc941
--- /dev/null
+++ b/prebuilts/api/33.0/private/postinstall_dexopt.te
@@ -0,0 +1,88 @@
+# Domain for the otapreopt executable, running under postinstall_dexopt
+#
+# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
+# this is derived and adapted from installd.te.
+
+type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
+type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
+type postinstall_dexopt_tmpfs, file_type;
+
+# Run dex2oat/patchoat in its own sandbox.
+# We have to manually transition, as we don't have an entrypoint.
+# - Case where dex2oat is in a non-flattened APEX, which has retained
+# the correct type (`dex2oat_exec`).
+domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
+# - Case where dex2oat is in a flattened APEX, which has been tagged
+# with the `postinstall_file` type by update_engine.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+
+# Run derive_classpath to get the current BCP.
+domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
+# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
+tmpfs_domain(postinstall_dexopt);
+allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
+
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
+
+allow postinstall_dexopt postinstall_file:filesystem getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr read search };
+allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
+allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt rootfs:file r_file_perms;
+
+allow postinstall_dexopt tmpfs:file read;
+
+# Allow access odsign verification status
+get_prop(postinstall_dexopt, odsign_prop)
+
+# Allow access to /postinstall/apex.
+allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
+
+# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
+# here and having to relabel the directory.
+
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
+# Read vendor overlay files (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_overlay_file)
+# Access to app oat directory.
+r_dir_file(postinstall_dexopt, dalvikcache_data_file)
+
+# Read profile data.
+allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
+allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
+
+# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
+allow postinstall_dexopt ota_data_file:dir create_dir_perms;
+allow postinstall_dexopt ota_data_file:file create_file_perms;
+allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
+
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
+allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
+
+# Allow labeling of files under /data/app/com.example/oat/
+# TODO: Restrict to .b suffix?
+allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
+allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
+
+# Check validity of SELinux context before use.
+selinux_check_context(postinstall_dexopt)
+selinux_check_access(postinstall_dexopt)
+
+
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
+
+# Allow otapreopt to use file descriptors from otapreopt_chroot.
+# TODO: Probably we can actually close file descriptors...
+allow postinstall_dexopt otapreopt_chroot:fd use;
+
+# Allow postinstall_dexopt to access the runtime feature flag properties.
+get_prop(postinstall_dexopt, device_config_runtime_native_prop)
+get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)
diff --git a/prebuilts/api/33.0/private/ppp.te b/prebuilts/api/33.0/private/ppp.te
new file mode 100644
index 0000000..968b221
--- /dev/null
+++ b/prebuilts/api/33.0/private/ppp.te
@@ -0,0 +1,3 @@
+typeattribute ppp coredomain;
+
+domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/prebuilts/api/33.0/private/preloads_copy.te b/prebuilts/api/33.0/private/preloads_copy.te
new file mode 100644
index 0000000..ba54b70
--- /dev/null
+++ b/prebuilts/api/33.0/private/preloads_copy.te
@@ -0,0 +1,18 @@
+type preloads_copy, domain, coredomain;
+type preloads_copy_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(preloads_copy)
+
+allow preloads_copy shell_exec:file rx_file_perms;
+allow preloads_copy toolbox_exec:file rx_file_perms;
+allow preloads_copy preloads_data_file:dir create_dir_perms;
+allow preloads_copy preloads_data_file:file create_file_perms;
+allow preloads_copy preloads_media_file:dir create_dir_perms;
+allow preloads_copy preloads_media_file:file create_file_perms;
+
+# Allow to copy from /postinstall
+allow preloads_copy system_file:dir r_dir_perms;
+
+# Silence the denial when /postinstall cannot be mounted, e.g., system_other
+# is wiped, but preloads_copy.sh still runs.
+dontaudit preloads_copy postinstall_mnt_dir:dir search;
diff --git a/prebuilts/api/33.0/private/preopt2cachename.te b/prebuilts/api/33.0/private/preopt2cachename.te
new file mode 100644
index 0000000..dcfba14
--- /dev/null
+++ b/prebuilts/api/33.0/private/preopt2cachename.te
@@ -0,0 +1,17 @@
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+
+type preopt2cachename, domain, coredomain;
+type preopt2cachename_exec, system_file_type, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net_type:file r_file_perms;
+userdebug_or_eng(`
+ auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
+')
diff --git a/prebuilts/api/33.0/private/priv_app.te b/prebuilts/api/33.0/private/priv_app.te
new file mode 100644
index 0000000..9d7a0f6
--- /dev/null
+++ b/prebuilts/api/33.0/private/priv_app.te
@@ -0,0 +1,290 @@
+###
+### A domain for further sandboxing privileged apps.
+###
+
+typeattribute priv_app coredomain;
+app_domain(priv_app)
+
+# Access the network.
+net_domain(priv_app)
+# Access bluetooth.
+bluetooth_domain(priv_app)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
+create_pty(priv_app)
+
+# Allow loading executable code from writable priv-app home
+# directories. This is a W^X violation, however, it needs
+# to be supported for now for the following reasons.
+# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
+# 1) com.android.opengl.shaders_cache
+# 2) com.android.skia.shaders_cache
+# 3) com.android.renderscript.cache
+# * /data/user_de/0/com.google.android.gms/app_chimera
+# TODO: Tighten (b/112357170)
+allow priv_app privapp_data_file:file execute;
+
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
+allow priv_app privapp_data_file:lnk_file create_file_perms;
+
+# Priv apps can find services that expose both @SystemAPI and normal APIs.
+allow priv_app app_api_service:service_manager find;
+allow priv_app system_api_service:service_manager find;
+
+allow priv_app audioserver_service:service_manager find;
+allow priv_app cameraserver_service:service_manager find;
+allow priv_app drmserver_service:service_manager find;
+allow priv_app mediadrmserver_service:service_manager find;
+allow priv_app mediaextractor_service:service_manager find;
+allow priv_app mediametrics_service:service_manager find;
+allow priv_app mediaserver_service:service_manager find;
+allow priv_app music_recognition_service:service_manager find;
+allow priv_app network_watchlist_service:service_manager find;
+allow priv_app nfc_service:service_manager find;
+allow priv_app oem_lock_service:service_manager find;
+allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app radio_service:service_manager find;
+allow priv_app recovery_service:service_manager find;
+allow priv_app stats_service:service_manager find;
+
+# Write to /cache.
+allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow priv_app cache_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+allow priv_app media_rw_data_file:dir create_dir_perms;
+allow priv_app media_rw_data_file:file create_file_perms;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow priv_app shell_data_file:file r_file_perms;
+allow priv_app shell_data_file:dir r_dir_perms;
+
+# Allow traceur to pass file descriptors through a content provider to betterbug
+allow priv_app trace_data_file:file { getattr read };
+
+# Allow betterbug to read profile reports generated by profcollect.
+userdebug_or_eng(`
+ allow priv_app profcollectd_data_file:file r_file_perms;
+')
+
+# Allow the bug reporting frontend to read the presence and timestamp of the
+# trace attached to the bugreport (but not its contents, which will go in the
+# usual bugreport .zip file). This is used by the bug reporting UI to tell if
+# the bugreport will contain a system trace or not while the bugreport is still
+# in progress.
+allow priv_app wm_trace_data_file:dir r_dir_perms;
+allow priv_app wm_trace_data_file:file getattr;
+allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
+allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
+# Required to traverse the parent dir (/data/misc/perfetto-traces).
+allow priv_app perfetto_traces_data_file:dir { search };
+
+# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
+# the framework (i.e. TracingServiceProxy) and sendfile them into their private
+# directories for reporting when network and battery conditions are
+# appropriate.
+allow priv_app perfetto:fd use;
+allow priv_app perfetto_traces_data_file:file { read getattr };
+
+# Allow verifier to access staged apks.
+allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
+# For AppFuse.
+allow priv_app vold:fd use;
+allow priv_app fuse_device:chr_file { read write };
+
+# /proc access
+allow priv_app {
+ proc_vmstat
+}:file r_file_perms;
+
+allow priv_app sysfs_type:dir search;
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(priv_app, sysfs_zram)
+
+r_dir_file(priv_app, rootfs)
+
+# Allow com.android.vending to communicate with statsd.
+binder_call(priv_app, statsd)
+
+# Allow Phone to read/write cached ringtones (opened by system).
+allow priv_app ringtone_file:file { getattr read write };
+
+# Access to /data/preloads
+allow priv_app preloads_data_file:file r_file_perms;
+allow priv_app preloads_data_file:dir r_dir_perms;
+allow priv_app preloads_media_file:file r_file_perms;
+allow priv_app preloads_media_file:dir r_dir_perms;
+
+read_runtime_log_tags(priv_app)
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(priv_app)
+
+# Allow priv_apps to request and collect incident reports.
+# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
+allow priv_app incident_service:service_manager find;
+binder_call(priv_app, incidentd)
+allow priv_app incidentd:fifo_file { read write };
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(priv_app)
+can_profile_perf(priv_app)
+
+# Allow priv_apps to check whether Dynamic System Update is enabled
+get_prop(priv_app, dynamic_system_prop)
+
+# suppress denials for non-API accesses.
+dontaudit priv_app exec_type:file getattr;
+dontaudit priv_app device:dir read;
+dontaudit priv_app fs_bpf:dir search;
+dontaudit priv_app net_dns_prop:file read;
+dontaudit priv_app proc:file read;
+dontaudit priv_app proc_interrupts:file read;
+dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_net:file read;
+dontaudit priv_app proc_stat:file read;
+dontaudit priv_app proc_version:file read;
+dontaudit priv_app sysfs:dir read;
+dontaudit priv_app sysfs:file read;
+dontaudit priv_app sysfs_android_usb:file read;
+dontaudit priv_app sysfs_dm:file r_file_perms;
+dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
+
+# allow privileged apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow priv_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow apps like Phonesky to check the file signature of an apk installed on
+# the Incremental File System, fill missing blocks and get the app status and loading progress
+allowxperm priv_app apk_data_file:file ioctl {
+ INCFS_IOCTL_READ_SIGNATURE
+ INCFS_IOCTL_FILL_BLOCKS
+ INCFS_IOCTL_GET_BLOCK_COUNT
+ INCFS_IOCTL_GET_FILLED_BLOCKS
+};
+
+# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
+allow priv_app incremental_control_file:file { read getattr ioctl };
+
+# allow apps like Phonesky to request permission to fill blocks of an apk file
+# on the Incremental File System.
+allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
+
+# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
+get_prop(priv_app, incremental_prop)
+
+# Required for Phonesky to be able to read APEX files under /data/apex/active/.
+allow priv_app apex_data_file:dir search;
+allow priv_app staging_data_file:file r_file_perms;
+# Required for Phonesky to be able to read staged files under /data/app-staging.
+allow priv_app staging_data_file:dir r_dir_perms;
+
+# allow priv app to access the system app data files for ContentProvider case.
+allow priv_app system_app_data_file:file { read getattr };
+
+# Allow the renderscript compiler to be run.
+domain_auto_trans(priv_app, rs_exec, rs)
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
+
+###
+### neverallow rules
+###
+
+# Receive or send uevent messages.
+neverallow priv_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow priv_app domain:netlink_socket *;
+
+# Read or write kernel printk buffer
+neverallow priv_app kmsg_device:chr_file no_rw_file_perms;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow priv_app debugfs:file read;
+
+# Do not allow privileged apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow priv_app service_manager_type:service_manager add;
+
+# Do not allow privileged apps to connect to the property service
+# or set properties. b/10243159
+neverallow priv_app property_socket:sock_file write;
+neverallow priv_app init:unix_stream_socket connectto;
+neverallow priv_app property_type:property_service set;
+
+# Do not allow priv_app to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and priv_app is allowed fork permission to itself.
+neverallow priv_app mlstrustedsubject:process fork;
+
+# Do not allow priv_app to hard link to any files.
+# In particular, if priv_app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure priv_app never has this
+# capability.
+neverallow priv_app file_type:file link;
+
+# priv apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor which they can then read
+neverallow priv_app trace_data_file:dir *;
+neverallow priv_app trace_data_file:file { no_w_file_perms open };
+
+# Do not allow priv_app access to cgroups.
+neverallow priv_app cgroup:file *;
+neverallow priv_app cgroup_v2:file *;
+
+# Do not allow loading executable code from non-privileged
+# application home directories. Code loading across a security boundary
+# is dangerous and allows a full compromise of a privileged process
+# by an unprivileged process. b/112357170
+neverallow priv_app app_data_file:file no_x_file_perms;
+
+# Do not follow untrusted app provided symlinks
+neverallow priv_app app_data_file:lnk_file { open read getattr };
+
+# Do not allow getting permission-protected network information from sysfs.
+neverallow priv_app sysfs_net:file *;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm priv_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow priv_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow priv_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
+
+# Allow priv apps to report off body events to keystore2.
+allow priv_app keystore:keystore2 report_off_body;
diff --git a/prebuilts/api/33.0/private/profcollectd.te b/prebuilts/api/33.0/private/profcollectd.te
new file mode 100644
index 0000000..f83d4a8
--- /dev/null
+++ b/prebuilts/api/33.0/private/profcollectd.te
@@ -0,0 +1,66 @@
+# profcollectd - hardware profile collection daemon
+type profcollectd, domain, coredomain, mlstrustedsubject;
+type profcollectd_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(profcollectd)
+
+ # profcollectd opens a file for writing in /data/misc/profcollectd.
+ allow profcollectd profcollectd_data_file:file create_file_perms;
+ allow profcollectd profcollectd_data_file:dir create_dir_perms;
+
+ # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
+ allow profcollectd self:perf_event { cpu kernel open read write };
+
+ # Allow profcollectd to scan through /proc/pid for all processes.
+ r_dir_file(profcollectd, domain)
+
+ # Allow profcollectd to read executable binaries.
+ allow profcollectd system_file_type:file r_file_perms;
+ allow profcollectd vendor_file_type:file r_file_perms;
+
+ # Allow profcollectd to search for and read kernel modules.
+ allow profcollectd vendor_file:dir r_dir_perms;
+ allow profcollectd vendor_kernel_modules:file r_file_perms;
+
+ # Allow profcollectd to read (but not execute) system bootstrap libs.
+ allow profcollectd system_bootstrap_lib_file:dir search;
+ allow profcollectd system_bootstrap_lib_file:file r_file_perms;
+
+ # Allow profcollectd to access tracefs.
+ allow profcollectd debugfs_tracing:dir r_dir_perms;
+ allow profcollectd debugfs_tracing:file rw_file_perms;
+ allow profcollectd debugfs_tracing_debug:dir r_dir_perms;
+ allow profcollectd debugfs_tracing_debug:file rw_file_perms;
+
+ # Allow profcollectd to write to perf_event_paranoid under /proc.
+ allow profcollectd proc_perf:file write;
+
+ # Allow profcollectd to access cs_etm sysfs.
+ r_dir_file(profcollectd, sysfs_devices_cs_etm)
+
+ # Allow profcollectd to ptrace.
+ allow profcollectd self:global_capability_class_set sys_ptrace;
+
+ # Allow profcollectd to read its system properties.
+ get_prop(profcollectd, device_config_profcollect_native_boot_prop)
+ set_prop(profcollectd, profcollectd_node_id_prop)
+
+ # Allow profcollectd to publish a binder service and make binder calls.
+ binder_use(profcollectd)
+ # Allow profcollectd to call callbacks registered by system_server when ETM is ready.
+ binder_call(profcollectd, system_server)
+ add_service(profcollectd, profcollectd_service)
+
+ # Allow profcollectd to request wakelock from system-suspend.
+ wakelock_use(profcollectd)
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(profcollectd, lower_kptr_restrict_prop)
+ allow profcollectd proc_kallsyms:file r_file_perms;
+ allow profcollectd proc_modules:file r_file_perms;
+
+ # Allow profcollectd to read kernel build id.
+ allow profcollectd sysfs_kernel_notes:file r_file_perms;
+')
diff --git a/prebuilts/api/26.0/private/profman.te b/prebuilts/api/33.0/private/profman.te
similarity index 100%
rename from prebuilts/api/26.0/private/profman.te
rename to prebuilts/api/33.0/private/profman.te
diff --git a/prebuilts/api/33.0/private/property.te b/prebuilts/api/33.0/private/property.te
new file mode 100644
index 0000000..63081bf
--- /dev/null
+++ b/prebuilts/api/33.0/private/property.te
@@ -0,0 +1,640 @@
+# Properties used only in /system
+system_internal_prop(adbd_prop)
+system_internal_prop(apexd_payload_metadata_prop)
+system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(device_config_lmkd_native_prop)
+system_internal_prop(device_config_mglru_native_prop)
+system_internal_prop(device_config_profcollect_native_boot_prop)
+system_internal_prop(device_config_statsd_native_prop)
+system_internal_prop(device_config_statsd_native_boot_prop)
+system_internal_prop(device_config_storage_native_boot_prop)
+system_internal_prop(device_config_sys_traced_prop)
+system_internal_prop(device_config_window_manager_native_boot_prop)
+system_internal_prop(device_config_configuration_prop)
+system_internal_prop(device_config_connectivity_prop)
+system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(dmesgd_start_prop)
+system_internal_prop(fastbootd_protocol_prop)
+system_internal_prop(gsid_prop)
+system_internal_prop(init_perf_lsm_hooks_prop)
+system_internal_prop(init_service_status_private_prop)
+system_internal_prop(init_svc_debug_prop)
+system_internal_prop(keystore_crash_prop)
+system_internal_prop(keystore_listen_prop)
+system_internal_prop(last_boot_reason_prop)
+system_internal_prop(localization_prop)
+system_internal_prop(lower_kptr_restrict_prop)
+system_internal_prop(net_464xlat_fromvendor_prop)
+system_internal_prop(net_connectivity_prop)
+system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(odsign_prop)
+system_internal_prop(perf_drop_caches_prop)
+system_internal_prop(pm_prop)
+system_internal_prop(profcollectd_node_id_prop)
+system_internal_prop(radio_cdma_ecm_prop)
+system_internal_prop(remote_prov_prop)
+system_internal_prop(rollback_test_prop)
+system_internal_prop(setupwizard_prop)
+system_internal_prop(snapuserd_prop)
+system_internal_prop(system_adbd_prop)
+system_internal_prop(traced_perf_enabled_prop)
+system_internal_prop(userspace_reboot_log_prop)
+system_internal_prop(userspace_reboot_test_prop)
+system_internal_prop(verity_status_prop)
+system_internal_prop(zygote_wrap_prop)
+system_internal_prop(ctl_mediatranscoding_prop)
+system_internal_prop(ctl_odsign_prop)
+system_internal_prop(virtualizationservice_prop)
+
+# Properties which can't be written outside system
+system_restricted_prop(device_config_vendor_system_native_prop)
+system_restricted_prop(device_config_virtualization_framework_native_prop)
+system_restricted_prop(system_user_mode_emulation_prop)
+
+###
+### Neverallow rules
+###
+
+treble_sysprop_neverallow(`
+
+enforce_sysprop_owner(`
+ neverallow domain {
+ property_type
+ -system_property_type
+ -product_property_type
+ -vendor_property_type
+ }:file no_rw_file_perms;
+')
+
+neverallow { domain -coredomain } {
+ system_property_type
+ system_internal_property_type
+ -system_restricted_property_type
+ -system_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+ system_property_type
+ -system_public_property_type
+}:property_service set;
+
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
+ vendor_property_type
+ vendor_internal_property_type
+ -vendor_restricted_property_type
+ -vendor_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { coredomain -init } {
+ vendor_property_type
+ -vendor_public_property_type
+}:property_service set;
+
+')
+
+# There is no need to perform ioctl or advisory locking operations on
+# property files. If this neverallow is being triggered, it is
+# likely that the policy is using r_file_perms directly instead of
+# the get_prop() macro.
+neverallow domain property_type:file { ioctl lock };
+
+neverallow * {
+ core_property_type
+ -audio_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_prop
+ -debuggerd_prop
+ -debug_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -fingerprint_prop
+ -logd_prop
+ -net_radio_prop
+ -nfc_prop
+ -ota_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -shell_prop
+ -system_prop
+ -system_user_mode_emulation_prop
+ -usb_prop
+ -vold_prop
+}:file no_rw_file_perms;
+
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+ domain
+ -init
+ -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_bootanim_prop
+ ctl_bugreport_prop
+ ctl_console_prop
+ ctl_default_prop
+ ctl_dumpstate_prop
+ ctl_fuse_prop
+ ctl_mdnsd_prop
+ ctl_rildaemon_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+} init_svc_debug_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-su')
+} init_svc_debug_prop:file no_rw_file_perms;
+
+compatible_property_only(`
+# Prevent properties from being set
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ extended_core_property_type
+ exported_config_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_system_prop
+ exported3_system_prop
+ usb_control_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ -vendor_init
+ } {
+ radio_control_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ -vendor_init
+ } {
+ exported_bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_camera_server
+ -cameraserver
+ -vendor_init
+ } {
+ exported_camera_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -init
+ -dumpstate
+ -hal_wifi_server
+ -wificond
+ -vendor_init
+ } {
+ wifi_hal_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ dalvik_config_prop
+ extended_core_property_type
+ exported3_system_prop
+ systemsound_config_prop
+ -debug_prop
+ -logd_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -vendor_init
+ } {
+ suspend_prop
+ }:property_service set;
+')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -system_property_type
+ -extended_core_property_type
+ }:property_service set;
+')
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} {
+ ffs_config_prop
+ ffs_control_prop
+}:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -system_server
+} {
+ userspace_reboot_log_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and system_server to set system_adbd_prop
+ domain
+ -init
+ -system_server
+} {
+ system_adbd_prop
+}:property_service set;
+
+# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -adbd
+ -system_server
+} {
+ adbd_config_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and adbd to set adbd_prop
+ domain
+ -init
+ -adbd
+} {
+ adbd_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init to set apexd_payload_metadata_prop
+ domain
+ -init
+} {
+ apexd_payload_metadata_prop
+}:property_service set;
+
+
+neverallow {
+ # Only allow init and shell to set userspace_reboot_test_prop
+ domain
+ -init
+ -shell
+} {
+ userspace_reboot_test_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+ -vendor_init
+} {
+ surfaceflinger_color_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+} {
+ libc_debug_prop
+}:property_service set;
+
+# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
+# shell access can control the settings on their device. Allow system apps to
+# set MTE props, so Developer Options can set them.
+neverallow {
+ domain
+ -init
+ -shell
+ -system_app
+} {
+ arm64_memtag_prop
+ gwp_asan_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+ -vendor_init
+} zram_control_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+ -vendor_init
+} dalvik_runtime_prop:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} {
+ usb_config_prop
+ usb_control_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+} {
+ provisioned_prop
+ retaildemo_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} {
+ provisioned_prop
+ retaildemo_prop
+}:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+} {
+ init_service_status_private_prop
+ init_service_status_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -radio
+ -appdomain
+ -hal_telephony_server
+ not_compatible_property(`-vendor_init')
+} telephony_status_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+} {
+ graphics_config_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -surfaceflinger
+} {
+ surfaceflinger_display_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+} packagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} keyguard_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+} {
+ localization_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -system_app
+} oem_unlock_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} storagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} sendbug_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} camera_calibration_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -dumpstate
+ -hal_dumpstate_server
+ not_compatible_property(`-vendor_init')
+} hal_dumpstate_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
+ userdebug_or_eng(`-traced_probes')
+ userdebug_or_eng(`-traced_perf')
+} {
+ lower_kptr_restrict_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+} zygote_wrap_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+} verity_status_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+} setupwizard_prop:property_service set;
+
+# ro.product.property_source_order is useless after initialization of ro.product.* props.
+# So making it accessible only from init and vendor_init.
+neverallow {
+ domain
+ -init
+ -dumpstate
+ -vendor_init
+} build_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -shell
+} sqlite_log_prop:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -appdomain
+} sqlite_log_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+} default_prop:property_service set;
+
+# Only one of system_property_type and vendor_property_type can be assigned.
+# Property types having both attributes won't be accessible from anywhere.
+neverallow domain system_and_vendor_property_type:{file property_service} *;
+
+neverallow {
+ # Only init and the remote provisioner can set the ro.remote_provisioning.* props
+ domain
+ -init
+ -remote_prov_app
+} remote_prov_prop:property_service set;
+
+neverallow {
+ # Only allow init and shell to set rollback_test_prop
+ domain
+ -init
+ -shell
+} rollback_test_prop:property_service set;
+
+neverallow {
+ # Only allow init and profcollectd to access profcollectd_node_id_prop
+ domain
+ -init
+ -dumpstate
+ -profcollectd
+} profcollectd_node_id_prop:file r_file_perms;
+
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
new file mode 100644
index 0000000..f19a60a
--- /dev/null
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -0,0 +1,1338 @@
+##########################
+# property service keys
+#
+#
+net.rmnet u:object_r:net_radio_prop:s0
+net.gprs u:object_r:net_radio_prop:s0
+net.ppp u:object_r:net_radio_prop:s0
+net.qmi u:object_r:net_radio_prop:s0
+net.lte u:object_r:net_radio_prop:s0
+net.cdma u:object_r:net_radio_prop:s0
+net.dns u:object_r:net_dns_prop:s0
+ril. u:object_r:radio_prop:s0
+ro.ril. u:object_r:radio_prop:s0
+gsm. u:object_r:radio_prop:s0
+persist.radio u:object_r:radio_prop:s0
+
+net. u:object_r:system_prop:s0
+dev. u:object_r:system_prop:s0
+ro.runtime. u:object_r:system_prop:s0
+ro.runtime.firstboot u:object_r:firstboot_prop:s0
+hw. u:object_r:system_prop:s0
+ro.hw. u:object_r:system_prop:s0
+sys. u:object_r:system_prop:s0
+sys.audio. u:object_r:audio_prop:s0
+sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
+sys.cppreopt u:object_r:cppreopt_prop:s0
+sys.lpdumpd u:object_r:lpdumpd_prop:s0
+sys.powerctl u:object_r:powerctl_prop:s0
+service. u:object_r:system_prop:s0
+dhcp. u:object_r:dhcp_prop:s0
+dhcp.bt-pan.result u:object_r:pan_result_prop:s0
+bluetooth. u:object_r:bluetooth_prop:s0
+
+debug. u:object_r:debug_prop:s0
+debug.db. u:object_r:debuggerd_prop:s0
+dumpstate. u:object_r:dumpstate_prop:s0
+dumpstate.options u:object_r:dumpstate_options_prop:s0
+init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0
+llk. u:object_r:llkd_prop:s0
+khungtask. u:object_r:llkd_prop:s0
+ro.llk. u:object_r:llkd_prop:s0
+ro.khungtask. u:object_r:llkd_prop:s0
+log. u:object_r:log_prop:s0
+log.tag u:object_r:log_tag_prop:s0
+log.tag.WifiHAL u:object_r:wifi_log_prop:s0
+security.perf_harden u:object_r:shell_prop:s0
+persist.simpleperf.profile_app_uid u:object_r:shell_prop:s0
+persist.simpleperf.profile_app_expiration_time u:object_r:shell_prop:s0
+security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
+service.adb.root u:object_r:shell_prop:s0
+service.adb.tls.port u:object_r:adbd_prop:s0
+persist.adb.wifi. u:object_r:adbd_prop:s0
+persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
+
+persist.audio. u:object_r:audio_prop:s0
+persist.bluetooth. u:object_r:bluetooth_prop:s0
+persist.nfc. u:object_r:nfc_prop:s0
+persist.nfc_cfg. u:object_r:nfc_prop:s0
+persist.debug. u:object_r:persist_debug_prop:s0
+persist.debug.user_mode_emulation u:object_r:system_user_mode_emulation_prop:s0
+logd. u:object_r:logd_prop:s0
+persist.logd. u:object_r:logd_prop:s0
+ro.logd. u:object_r:logd_prop:s0
+persist.logd.security u:object_r:device_logging_prop:s0
+persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
+logd.logpersistd u:object_r:logpersistd_logging_prop:s0
+persist.log.tag u:object_r:log_tag_prop:s0
+persist.mmc. u:object_r:mmc_prop:s0
+persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
+persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
+persist.profcollectd.node_id u:object_r:profcollectd_node_id_prop:s0 exact string
+persist.sys. u:object_r:system_prop:s0
+persist.sys.safemode u:object_r:safemode_prop:s0
+persist.sys.tap_gesture u:object_r:gesture_prop:s0
+persist.sys.theme u:object_r:theme_prop:s0
+persist.sys.fflag.override.settings_dynamic_system u:object_r:dynamic_system_prop:s0
+dynamic_system.data_transfer.shared_memory.size u:object_r:dynamic_system_prop:s0 exact uint
+ro.sys.safemode u:object_r:safemode_prop:s0
+persist.sys.audit_safemode u:object_r:safemode_prop:s0
+persist.sys.dalvik.jvmtiagent u:object_r:system_jvmti_agent_prop:s0
+persist.service. u:object_r:system_prop:s0
+persist.service.bdroid. u:object_r:bluetooth_prop:s0
+persist.security. u:object_r:system_prop:s0
+persist.traced.enable u:object_r:traced_enabled_prop:s0
+traced.lazy. u:object_r:traced_lazy_prop:s0
+persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
+persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
+persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
+persist.vendor.overlay. u:object_r:overlay_prop:s0
+ril.cdma.inecmmode u:object_r:radio_cdma_ecm_prop:s0 exact bool
+ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
+ro.boottime. u:object_r:boottime_prop:s0
+ro.serialno u:object_r:serialno_prop:s0
+ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
+ro.boot.serialno u:object_r:serialno_prop:s0
+ro.bt. u:object_r:bluetooth_prop:s0
+ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0
+persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
+sys.boot.reason u:object_r:system_boot_reason_prop:s0
+sys.boot.reason.last u:object_r:last_boot_reason_prop:s0
+pm. u:object_r:pm_prop:s0
+test.sys.boot.reason u:object_r:test_boot_reason_prop:s0
+test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
+sys.lmk. u:object_r:system_lmk_prop:s0
+sys.trace. u:object_r:system_trace_prop:s0
+wrap. u:object_r:zygote_wrap_prop:s0 prefix string
+persist.wm.debug. u:object_r:persist_wm_debug_prop:s0
+
+# Suspend service properties
+suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
+suspend.base_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
+suspend.backoff_threshold_count u:object_r:suspend_prop:s0 exact uint
+suspend.short_suspend_threshold_millis u:object_r:suspend_prop:s0 exact uint
+suspend.sleep_time_scale_factor u:object_r:suspend_prop:s0 exact double
+suspend.failed_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
+suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
+
+# Fastbootd protocol control property
+fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+
+# adbd protoctl configuration property
+service.adb.tcp.port u:object_r:adbd_config_prop:s0 exact int
+service.adb.transport u:object_r:adbd_config_prop:s0 exact string
+
+# Boolean property set by system server upon boot indicating
+# if device is fully owned by organization instead of being
+# a personal device.
+ro.organization_owned u:object_r:device_logging_prop:s0
+
+# selinux non-persistent properties
+selinux.restorecon_recursive u:object_r:restorecon_prop:s0
+
+# default property context
+* u:object_r:default_prop:s0
+
+# data partition encryption properties
+vold. u:object_r:vold_prop:s0
+ro.crypto. u:object_r:vold_prop:s0
+
+# ro.build.fingerprint is either set in /system/build.prop, or is
+# set at runtime by system_server.
+ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
+
+ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
+
+# ctl properties
+ctl.bootanim u:object_r:ctl_bootanim_prop:s0
+ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
+ctl.fuse_ u:object_r:ctl_fuse_prop:s0
+ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
+ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
+ctl.bugreport u:object_r:ctl_bugreport_prop:s0
+ctl.console u:object_r:ctl_console_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
+
+# Don't allow uncontrolled access to all services
+ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
+ctl.start$ u:object_r:ctl_start_prop:s0
+ctl.stop$ u:object_r:ctl_stop_prop:s0
+ctl.restart$ u:object_r:ctl_restart_prop:s0
+ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
+
+ # Restrict access to starting/stopping adbd
+ctl.start$adbd u:object_r:ctl_adbd_prop:s0
+ctl.stop$adbd u:object_r:ctl_adbd_prop:s0
+ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
+
+# Restrict access to starting/stopping gsid.
+ctl.start$gsid u:object_r:ctl_gsid_prop:s0
+ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
+ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
+
+# Restrict access to stopping apexd.
+ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+
+# Restrict access to stopping odsign
+ctl.stop$odsign u:object_r:ctl_odsign_prop:s0
+
+# Restrict access to starting media.transcoding.
+ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
+
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
+# Restrict access to control snapuserd
+ctl.start$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
+
+# NFC properties
+nfc. u:object_r:nfc_prop:s0
+
+# These properties are not normally set by processes other than init.
+# They are only distinguished here for setting by qemu-props on the
+# emulator/goldfish.
+config. u:object_r:config_prop:s0
+ro.config. u:object_r:config_prop:s0
+dalvik. u:object_r:dalvik_prop:s0
+ro.dalvik. u:object_r:dalvik_prop:s0
+
+# qemu_hw_prop is read/written by both system and vendor.
+qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0 exact string
+
+# qemu_sf_lcd_density_prop is read/written by both system and vendor.
+qemu.sf.lcd_density u:object_r:qemu_sf_lcd_density_prop:s0 exact int
+
+# Shared between system server and wificond
+wifi. u:object_r:wifi_prop:s0
+wlan. u:object_r:wifi_prop:s0
+
+# Lowpan properties
+lowpan. u:object_r:lowpan_prop:s0
+ro.lowpan. u:object_r:lowpan_prop:s0
+
+# heapprofd properties
+heapprofd. u:object_r:heapprofd_prop:s0
+
+# hwservicemanager properties
+hwservicemanager. u:object_r:hwservicemanager_prop:s0
+
+# Common default properties for vendor, odm, vendor_dlkm, and odm_dlkm.
+init.svc.odm. u:object_r:vendor_default_prop:s0
+init.svc.vendor. u:object_r:vendor_default_prop:s0
+ro.hardware. u:object_r:vendor_default_prop:s0
+ro.odm. u:object_r:vendor_default_prop:s0
+ro.vendor. u:object_r:vendor_default_prop:s0
+ro.vendor_dlkm. u:object_r:vendor_default_prop:s0
+ro.odm_dlkm. u:object_r:vendor_default_prop:s0
+odm. u:object_r:vendor_default_prop:s0
+persist.odm. u:object_r:vendor_default_prop:s0
+persist.vendor. u:object_r:vendor_default_prop:s0
+vendor. u:object_r:vendor_default_prop:s0
+
+# Properties that relate to time / time zone detection behavior.
+persist.time. u:object_r:time_prop:s0
+
+# Properties that relate to server configurable flags
+device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
+persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
+persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
+persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
+persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
+persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
+persist.device_config.lmkd_native. u:object_r:device_config_lmkd_native_prop:s0
+persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
+persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
+persist.device_config.nnapi_native. u:object_r:device_config_nnapi_native_prop:s0
+persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
+persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
+persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
+persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
+persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
+persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
+persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
+persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
+persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+
+# F2FS smart idle maint prop
+persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
+
+# MGLRU experiment prop
+persist.device_config.mglru_native.lru_gen_config u:object_r:device_config_mglru_native_prop:s0 exact enum none core core_and_mm_walk core_and_nonleaf_young all
+
+# MM Events config props
+persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
+
+# Properties that relate to legacy server configurable flags
+persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
+
+apexd. u:object_r:apexd_prop:s0
+apexd.config.dm_delete.timeout u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint
+persist.apexd. u:object_r:apexd_prop:s0
+persist.vendor.apex. u:object_r:apexd_select_prop:s0
+ro.boot.vendor.apex. u:object_r:apexd_select_prop:s0
+
+bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0 exact bool
+
+gsid. u:object_r:gsid_prop:s0
+ro.gsid. u:object_r:gsid_prop:s0
+
+# Property for disabling NNAPI vendor extensions on product image (used on GSI /product image,
+# which can't use NNAPI vendor extensions).
+ro.nnapi.extensions.deny_on_product u:object_r:nnapi_ext_deny_product_prop:s0
+
+# Property that is set once ueventd finishes cold boot.
+ro.cold_boot_done u:object_r:cold_boot_done_prop:s0
+
+# Properties that control performance operations.
+# Leave space to later set drop_caches to 1, 2, and 4.
+perf.drop_caches u:object_r:perf_drop_caches_prop:s0 exact enum 0 3
+
+# Charger properties
+ro.charger. u:object_r:charger_prop:s0
+sys.boot_from_charger_mode u:object_r:charger_status_prop:s0 exact int
+ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
+
+# Virtual A/B and snapuserd properties
+ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.xor.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
+snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.test.io_uring.force_disable u:object_r:snapuserd_prop:s0 exact bool
+
+ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
+# Property to set/clear the warm reset flag after an OTA update.
+ota.warm_reset u:object_r:ota_prop:s0
+# The vbmeta digest for the inactive slot. It can be set after installing
+# ota updates to the b partition of a/b devices.
+ota.other.vbmeta_digest u:object_r:ota_prop:s0 exact string
+
+# Module properties
+com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+
+# Connectivity module
+net.464xlat.cellular.enabled u:object_r:net_464xlat_fromvendor_prop:s0 exact bool
+net.tcp_def_init_rwnd u:object_r:net_connectivity_prop:s0 exact int
+
+# Userspace reboot properties
+sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
+persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
+
+# Integer property which is used in libgui to configure the number of frames
+# tracked by buffer queue's frame event timing history. The property is set
+# by devices with video decoding pipelines long enough to overflow the default
+# history size.
+ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
+
+af.fast_track_multiplier u:object_r:audio_config_prop:s0 exact int
+ro.af.client_heap_size_kbyte u:object_r:audio_config_prop:s0 exact int
+ro.audio.flinger_standbytime_ms u:object_r:audio_config_prop:s0 exact int
+
+audio.camerasound.force u:object_r:audio_config_prop:s0 exact bool
+audio.deep_buffer.media u:object_r:audio_config_prop:s0 exact bool
+audio.offload.video u:object_r:audio_config_prop:s0 exact bool
+audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
+
+ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
+ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioService to configure whether
+# spatializer functionality should be initialized
+ro.audio.spatializer_enabled u:object_r:audio_config_prop:s0 exact bool
+
+persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
+
+config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
+
+camera.disable_preview_scheduler u:object_r:camera_config_prop:s0 exact bool
+camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
+camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
+ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
+
+ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
+
+ro.vendor.camera.extensions.package u:object_r:camera2_extensions_prop:s0 exact string
+ro.vendor.camera.extensions.service u:object_r:camera2_extensions_prop:s0 exact string
+
+# ART properties
+dalvik.vm. u:object_r:dalvik_config_prop:s0
+ro.dalvik.vm. u:object_r:dalvik_config_prop:s0
+ro.zygote u:object_r:dalvik_config_prop:s0 exact string
+
+# A set of ART properties listed explicitly for compatibility purposes.
+ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.backgroundgctype u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.boot-image u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.bgdexopt.new-classes-percent u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.bgdexopt.new-methods-percent u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.checkjni u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.dex2oat-max-image-block-size u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.dex2oat-minidebuginfo u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dex2oat-resolve-startup-strings u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.dex2oat-very-large u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dex2oat64.enabled u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dexopt.secondary u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dexopt.thermal-cutoff u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.execution-mode u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.extra-opts u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.foreground-heap-growth-multiplier u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.gctype u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heapgrowthlimit u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heapmaxfree u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heapminfree u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heapsize u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heapstartsize u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heaptargetutilization u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.hot-startup-method-samples u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.image-dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.isa.arm.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.arm.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.arm64.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.arm64.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.mips.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.mips.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.mips64.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.mips64.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.unknown.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.unknown.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.x86.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.x86.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.x86_64.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.x86_64.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.jitinitialsize u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.jitmaxsize u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.jitprithreadweight u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.jitthreshold u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.jittransitionweight u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.jniopts u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.lockprof.threshold u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.method-trace u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.method-trace-file u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.method-trace-file-siz u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.method-trace-stream u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.profilesystemserver u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.profilebootclasspath u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.ps-min-save-period-ms u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.ps-resolved-classes-delay-ms u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
+
+persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
+
+keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
+
+media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
+
+media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
+media.resolution.limit.32bit u:object_r:media_config_prop:s0 exact int
+media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
+media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-fma2dp u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-http u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-player u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-qcp u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-scan u:object_r:media_config_prop:s0 exact bool
+media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool
+persist.sys.media.avsync u:object_r:media_config_prop:s0 exact bool
+
+persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
+persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
+persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
+persist.bluetooth.btsnoopdefaultmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
+persist.bluetooth.btsnooplogmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
+persist.bluetooth.factoryreset u:object_r:bluetooth_prop:s0 exact bool
+
+bluetooth.hardware.power.operating_voltage_mv u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+
+bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
+
+bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+
+bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
+
+bluetooth.profile.a2dp.sink.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.a2dp.source.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.asha.central.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.avrcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.avrcp.target.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.broadcast.assist.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.broadcast.source.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.unicast.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bas.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bass.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.ccp.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.csip.set_coordinator.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.gatt.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hfp.ag.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hfp.hf.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hid.device.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hid.host.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.map.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.map.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.mcp.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.opp.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pan.nap.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pan.panu.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.vcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+
+persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
+
+persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
+persist.radio.allow_mock_modem u:object_r:radio_control_prop:s0 exact bool
+
+persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.set_menu_language u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec.source.set_menu_language.enabled u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.property_sytem_audio_device_arc_port u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.cec_audio_device_forward_volume_keys_system_audio_mode_off u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.property_is_device_hdmi_cec_switch u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
+ro.hdmi.cec.source.playback_device_action_on_routing_control u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
+
+pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.cmdline u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
+pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-fast u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-downgraded u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
+
+ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
+
+ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+
+ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
+
+ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
+
+ro.config.alarm_alert u:object_r:systemsound_config_prop:s0 exact string
+ro.config.alarm_vol_default u:object_r:systemsound_config_prop:s0 exact int
+ro.config.alarm_vol_steps u:object_r:systemsound_config_prop:s0 exact int
+ro.config.media_vol_default u:object_r:systemsound_config_prop:s0 exact int
+ro.config.media_vol_steps u:object_r:systemsound_config_prop:s0 exact int
+ro.config.notification_sound u:object_r:systemsound_config_prop:s0 exact string
+ro.config.ringtone u:object_r:systemsound_config_prop:s0 exact string
+ro.config.system_vol_default u:object_r:systemsound_config_prop:s0 exact int
+ro.config.system_vol_steps u:object_r:systemsound_config_prop:s0 exact int
+ro.config.vc_call_vol_default u:object_r:systemsound_config_prop:s0 exact int
+
+ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
+ro.cp_system_other_odex u:object_r:packagemanager_config_prop:s0 exact bool
+
+ro.crypto.allow_encrypt_override u:object_r:vold_config_prop:s0 exact bool
+ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
+ro.crypto.fde_algorithm u:object_r:vold_config_prop:s0 exact string
+ro.crypto.fde_sector_size u:object_r:vold_config_prop:s0 exact int
+ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
+ro.crypto.scrypt_params u:object_r:vold_config_prop:s0 exact string
+ro.crypto.set_dun u:object_r:vold_config_prop:s0 exact bool
+ro.crypto.volume.contents_mode u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.filenames_mode u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.metadata.encryption u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.metadata.method u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.options u:object_r:vold_config_prop:s0 exact string
+
+external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
+
+ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.downgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.filecache_min_kb u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.kill_heaviest_task u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.kill_timeout_ms u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.log_stats u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.low u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.psi_complete_stall_ms u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.stall_limit_critical u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.swap_util_max u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.thrashing_limit_decay u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.use_minfree_levels u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.use_new_strategy u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.upgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
+lmkd.reinit u:object_r:lmkd_prop:s0 exact int
+
+ro.media.xml_variant.codecs u:object_r:media_variant_prop:s0 exact string
+ro.media.xml_variant.codecs_performance u:object_r:media_variant_prop:s0 exact string
+ro.media.xml_variant.profiles u:object_r:media_variant_prop:s0 exact string
+
+ro.minui.default_rotation u:object_r:recovery_config_prop:s0 exact string
+ro.minui.overscan_percent u:object_r:recovery_config_prop:s0 exact int
+ro.minui.pixel_format u:object_r:recovery_config_prop:s0 exact string
+
+ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int
+
+ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
+
+ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
+ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool
+
+ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
+
+ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+
+ro.zram.mark_idle_delay_mins u:object_r:zram_config_prop:s0 exact int
+ro.zram.first_wb_delay_mins u:object_r:zram_config_prop:s0 exact int
+ro.zram.periodic_wb_delay_hours u:object_r:zram_config_prop:s0 exact int
+zram.force_writeback u:object_r:zram_config_prop:s0 exact bool
+persist.sys.zram_enabled u:object_r:zram_control_prop:s0 exact bool
+
+sendbug.preferred.domain u:object_r:sendbug_config_prop:s0 exact string
+
+persist.sys.usb.usbradio.config u:object_r:usb_control_prop:s0 exact string
+
+sys.usb.config u:object_r:usb_control_prop:s0 exact string
+sys.usb.configfs u:object_r:usb_control_prop:s0 exact int
+sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+sys.usb.state u:object_r:usb_control_prop:s0 exact string
+
+sys.usb.mtp.batchcancel u:object_r:usb_config_prop:s0 exact bool
+sys.usb.mtp.device_type u:object_r:usb_config_prop:s0 exact int
+
+sys.usb.config. u:object_r:usb_prop:s0
+
+sys.usb.ffs.aio_compat u:object_r:ffs_config_prop:s0 exact bool
+sys.usb.ffs.max_read u:object_r:ffs_config_prop:s0 exact int
+sys.usb.ffs.max_write u:object_r:ffs_config_prop:s0 exact int
+
+sys.usb.ffs.ready u:object_r:ffs_control_prop:s0 exact bool
+sys.usb.ffs.mtp.ready u:object_r:ffs_control_prop:s0 exact bool
+
+tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
+
+vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
+
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
+apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+
+dmesgd.start u:object_r:dmesgd_start_prop:s0 exact bool
+
+odsign.key.done u:object_r:odsign_prop:s0 exact bool
+odsign.verification.done u:object_r:odsign_prop:s0 exact bool
+odsign.verification.success u:object_r:odsign_prop:s0 exact bool
+
+dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
+sys.boot_completed u:object_r:boot_status_prop:s0 exact bool
+
+persist.sys.device_provisioned u:object_r:provisioned_prop:s0 exact string
+
+persist.sys.theme u:object_r:theme_prop:s0 exact string
+
+sys.retaildemo.enabled u:object_r:retaildemo_prop:s0 exact int
+
+sys.user.0.ce_available u:object_r:exported3_system_prop:s0 exact bool
+
+aac_drc_boost u:object_r:aac_drc_prop:s0 exact int
+aac_drc_cut u:object_r:aac_drc_prop:s0 exact int
+aac_drc_enc_target_level u:object_r:aac_drc_prop:s0 exact int
+aac_drc_heavy u:object_r:aac_drc_prop:s0 exact int
+aac_drc_reference_level u:object_r:aac_drc_prop:s0 exact int
+ro.aac_drc_effect_type u:object_r:aac_drc_prop:s0 exact int
+
+build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
+
+drm.64bit.enabled u:object_r:mediadrm_config_prop:s0 exact bool
+media.mediadrmservice.enable u:object_r:mediadrm_config_prop:s0 exact bool
+
+drm.service.enabled u:object_r:drm_service_config_prop:s0 exact bool
+
+dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
+dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
+persist.dumpstate.verbose_logging.enabled u:object_r:hal_dumpstate_config_prop:s0 exact bool
+
+hal.instrumentation.enable u:object_r:hal_instrumentation_prop:s0 exact bool
+
+# default contexts only accessible by coredomain
+init.svc. u:object_r:init_service_status_private_prop:s0 prefix string
+
+# Globally-readable init service props
+init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
+init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string
+init.svc.bugreportd u:object_r:init_service_status_prop:s0 exact string
+init.svc.console u:object_r:init_service_status_prop:s0 exact string
+init.svc.dumpstatez u:object_r:init_service_status_prop:s0 exact string
+init.svc.mediadrm u:object_r:init_service_status_prop:s0 exact string
+init.svc.statsd u:object_r:init_service_status_prop:s0 exact string
+init.svc.surfaceflinger u:object_r:init_service_status_prop:s0 exact string
+init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
+init.svc.zygote u:object_r:init_service_status_prop:s0 exact string
+
+libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
+libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
+
+# GWP-ASan props. Separate from other libc.debug.* props, because we want users
+# to be able to set them from `adb shell` even on release devices.
+libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+
+# shell-only props for ARM memory tagging (MTE).
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
+persist.arm64.memtag.app_default u:object_r:arm64_memtag_prop:s0 exact string
+
+net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
+
+persist.sys.locale u:object_r:exported_system_prop:s0 exact string
+persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
+
+ro.arch u:object_r:build_prop:s0 exact string
+
+# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned.
+ro.boot. u:object_r:bootloader_prop:s0
+ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.baseband u:object_r:bootloader_prop:s0 exact string
+ro.boot.bootdevice u:object_r:bootloader_prop:s0 exact string
+ro.boot.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.boot.boottime u:object_r:bootloader_prop:s0 exact string
+ro.boot.console u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware.color u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware.sku u:object_r:bootloader_prop:s0 exact string
+ro.boot.keymaster u:object_r:bootloader_prop:s0 exact string
+ro.boot.mode u:object_r:bootloader_prop:s0 exact string
+# Populated on Android Studio Emulator (for emulator specific workarounds)
+ro.boot.qemu u:object_r:bootloader_prop:s0 exact bool
+ro.boot.revision u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
+ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
+# Properties specific to virtualized deployments of Android
+ro.boot.hypervisor.protected_vm.supported u:object_r:hypervisor_prop:s0 exact bool
+ro.boot.hypervisor.version u:object_r:hypervisor_prop:s0 exact string
+ro.boot.hypervisor.vm.supported u:object_r:hypervisor_prop:s0 exact bool
+
+# These ro.X properties are set to values of ro.boot.X by property_service.
+ro.baseband u:object_r:bootloader_prop:s0 exact string
+ro.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.bootmode u:object_r:bootloader_prop:s0 exact string
+ro.hardware u:object_r:bootloader_prop:s0 exact string
+ro.revision u:object_r:bootloader_prop:s0 exact string
+
+ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
+ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
+
+ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
+ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
+
+ro.build.characteristics u:object_r:build_prop:s0 exact string
+ro.build.date u:object_r:build_prop:s0 exact string
+ro.build.date.utc u:object_r:build_prop:s0 exact int
+ro.build.description u:object_r:build_prop:s0 exact string
+ro.build.display.id u:object_r:build_prop:s0 exact string
+ro.build.flavor u:object_r:build_prop:s0 exact string
+ro.build.host u:object_r:build_prop:s0 exact string
+ro.build.id u:object_r:build_prop:s0 exact string
+ro.build.product u:object_r:build_prop:s0 exact string
+ro.build.system_root_image u:object_r:build_prop:s0 exact bool
+ro.build.tags u:object_r:build_prop:s0 exact string
+ro.build.type u:object_r:build_prop:s0 exact string
+ro.build.user u:object_r:build_prop:s0 exact string
+ro.build.version.all_codenames u:object_r:build_prop:s0 exact string
+ro.build.version.base_os u:object_r:build_prop:s0 exact string
+ro.build.version.codename u:object_r:build_prop:s0 exact string
+ro.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.build.version.min_supported_target_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk_fingerprint u:object_r:build_prop:s0 exact string
+ro.build.version.release u:object_r:build_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.build.version.sdk u:object_r:build_prop:s0 exact int
+ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+
+ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
+
+ro.debuggable u:object_r:build_prop:s0 exact bool
+
+ro.treble.enabled u:object_r:build_prop:s0 exact bool
+
+ro.product.cpu.abi u:object_r:build_prop:s0 exact string
+ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
+ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
+ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+
+ro.product.system.brand u:object_r:build_prop:s0 exact string
+ro.product.system.device u:object_r:build_prop:s0 exact string
+ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system.model u:object_r:build_prop:s0 exact string
+ro.product.system.name u:object_r:build_prop:s0 exact string
+
+ro.system.build.date u:object_r:build_prop:s0 exact string
+ro.system.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system.build.id u:object_r:build_prop:s0 exact string
+ro.system.build.tags u:object_r:build_prop:s0 exact string
+ro.system.build.type u:object_r:build_prop:s0 exact string
+ro.system.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system.build.version.release u:object_r:build_prop:s0 exact string
+ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
+
+ro.adb.secure u:object_r:build_prop:s0 exact bool
+ro.secure u:object_r:build_prop:s0 exact int
+
+ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
+ro.product.system_ext.device u:object_r:build_prop:s0 exact string
+ro.product.system_ext.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system_ext.model u:object_r:build_prop:s0 exact string
+ro.product.system_ext.name u:object_r:build_prop:s0 exact string
+
+ro.system_ext.build.date u:object_r:build_prop:s0 exact string
+ro.system_ext.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system_ext.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system_ext.build.id u:object_r:build_prop:s0 exact string
+ro.system_ext.build.tags u:object_r:build_prop:s0 exact string
+ro.system_ext.build.type u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.sdk u:object_r:build_prop:s0 exact int
+
+# These ro.product.product.* and ro.product.build.* are set by /product/etc/build.prop
+ro.product.product.brand u:object_r:build_prop:s0 exact string
+ro.product.product.device u:object_r:build_prop:s0 exact string
+ro.product.product.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.product.model u:object_r:build_prop:s0 exact string
+ro.product.product.name u:object_r:build_prop:s0 exact string
+
+ro.product.build.date u:object_r:build_prop:s0 exact string
+ro.product.build.date.utc u:object_r:build_prop:s0 exact int
+ro.product.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.product.build.id u:object_r:build_prop:s0 exact string
+ro.product.build.tags u:object_r:build_prop:s0 exact string
+ro.product.build.type u:object_r:build_prop:s0 exact string
+ro.product.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.product.build.version.release u:object_r:build_prop:s0 exact string
+ro.product.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.product.build.version.sdk u:object_r:build_prop:s0 exact int
+
+# These 5 properties are set by property_service
+ro.product.brand u:object_r:build_prop:s0 exact string
+ro.product.device u:object_r:build_prop:s0 exact string
+ro.product.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.model u:object_r:build_prop:s0 exact string
+ro.product.name u:object_r:build_prop:s0 exact string
+
+# Sanitizer properties
+ro.sanitize.address u:object_r:build_prop:s0 exact bool
+ro.sanitize.cfi u:object_r:build_prop:s0 exact bool
+ro.sanitize.default-ub u:object_r:build_prop:s0 exact bool
+ro.sanitize.fuzzer u:object_r:build_prop:s0 exact bool
+ro.sanitize.hwaddress u:object_r:build_prop:s0 exact bool
+ro.sanitize.integer_overflow u:object_r:build_prop:s0 exact bool
+ro.sanitize.safe-stack u:object_r:build_prop:s0 exact bool
+ro.sanitize.scudo u:object_r:build_prop:s0 exact bool
+ro.sanitize.thread u:object_r:build_prop:s0 exact bool
+ro.sanitize.undefined u:object_r:build_prop:s0 exact bool
+
+# All odm build props are set by /odm/build.prop
+ro.odm.build.date u:object_r:build_odm_prop:s0 exact string
+ro.odm.build.date.utc u:object_r:build_odm_prop:s0 exact int
+ro.odm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
+ro.odm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
+ro.odm.build.media_performance_class u:object_r:build_odm_prop:s0 exact int
+
+ro.product.odm.brand u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.device u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.manufacturer u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.model u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.name u:object_r:build_odm_prop:s0 exact string
+
+# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop
+ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+
+# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
+ro.product.odm_dlkm.brand u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.device u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.manufacturer u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.model u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.name u:object_r:build_odm_prop:s0 exact string
+
+ro.odm_dlkm.build.date u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.date.utc u:object_r:build_odm_prop:s0 exact int
+ro.odm_dlkm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.id u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.tags u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.type u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.release u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.release_or_codename u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.sdk u:object_r:build_odm_prop:s0 exact int
+
+# enforces debugfs restrictions in non-user builds, set by /vendor/build.prop
+ro.product.debugfs_restrictions.enabled u:object_r:debugfs_restriction_prop:s0 exact bool
+
+# All vendor build props are set by /vendor/build.prop
+ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.fingerprint_has_digest u:object_r:build_vendor_prop:s0 exact bool
+ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.dont_use_vabc u:object_r:build_vendor_prop:s0 exact bool
+
+# All vendor CPU abilist props are set by /vendor/build.prop
+ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.product.cpu.abilist32 u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.product.cpu.abilist64 u:object_r:build_vendor_prop:s0 exact string
+
+ro.product.board u:object_r:build_vendor_prop:s0 exact string
+ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
+ro.product.vendor.brand u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.device u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.manufacturer u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.brand u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.device u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.manufacturer u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.model u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.name u:object_r:build_vendor_prop:s0 exact string
+
+# GRF property for the first api level of the vendor partition
+ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
+ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.api_level u:object_r:build_vendor_prop:s0 exact int
+
+# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
+ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.id u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.tags u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.type u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release_or_codename u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+
+ro.product.bootimage.brand u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.device u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.manufacturer u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.model u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.name u:object_r:build_bootimage_prop:s0 exact string
+
+# ro.product.property_source_order is settable from any build.prop
+ro.product.property_source_order u:object_r:build_config_prop:s0 exact string
+
+ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
+ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file managed none
+
+ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
+
+ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
+
+service.bootanim.exit u:object_r:bootanim_system_prop:s0 exact int
+service.bootanim.progress u:object_r:bootanim_system_prop:s0 exact int
+
+sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
+sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
+
+vold.decrypt u:object_r:vold_status_prop:s0 exact string
+
+aaudio.hw_burst_min_usec u:object_r:aaudio_config_prop:s0 exact int
+aaudio.minimum_sleep_usec u:object_r:aaudio_config_prop:s0 exact int
+aaudio.mixer_bursts u:object_r:aaudio_config_prop:s0 exact int
+aaudio.mmap_exclusive_policy u:object_r:aaudio_config_prop:s0 exact int
+aaudio.mmap_policy u:object_r:aaudio_config_prop:s0 exact int
+aaudio.wakeup_delay_usec u:object_r:aaudio_config_prop:s0 exact int
+
+persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
+
+ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+
+ro.board.platform u:object_r:exported_default_prop:s0 exact string
+
+ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
+ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
+ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
+ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+
+ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
+
+# Update related props
+ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
+ro.build.ab_update.gki.prevent_downgrade_version u:object_r:ab_update_gki_prop:s0 exact bool
+ro.build.ab_update.gki.prevent_downgrade_spl u:object_r:ab_update_gki_prop:s0 exact bool
+
+ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
+ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
+
+ro.carrier u:object_r:exported_default_prop:s0 exact string
+
+ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
+ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
+
+ro.frp.pst u:object_r:exported_default_prop:s0 exact string
+
+ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.hearing_aid u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
+ro.hardware.bootctrl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.camera u:object_r:exported_default_prop:s0 exact string
+ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
+ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
+ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gps u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gralloc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hdmi_cec u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
+ro.hardware.input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore_desede u:object_r:exported_default_prop:s0 exact string
+ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
+ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
+ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_nci u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_tag u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nvram u:object_r:exported_default_prop:s0 exact string
+ro.hardware.power u:object_r:exported_default_prop:s0 exact string
+ro.hardware.radio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sensors u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sound_trigger u:object_r:exported_default_prop:s0 exact string
+ro.hardware.thermal u:object_r:exported_default_prop:s0 exact string
+ro.hardware.tv_input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.type u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vehicle u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
+ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
+
+ro.hw_timeout_multiplier u:object_r:hw_timeout_multiplier_prop:s0 exact int
+
+ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
+
+# ro.kernel.* properties are emulator specific and deprecated. Do not use.
+# Should be retired once presubmit allows.
+ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
+ro.kernel.qemu. u:object_r:exported_default_prop:s0
+ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
+
+ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
+
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
+
+ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
+ro.vndk.version u:object_r:vndk_prop:s0 exact string
+
+ro.vts.coverage u:object_r:vts_config_prop:s0 exact int
+
+vts.native_server.on u:object_r:vts_status_prop:s0 exact bool
+
+wifi.active.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.aware.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.concurrent.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.direct.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.interface u:object_r:wifi_hal_prop:s0 exact string
+wlan.driver.status u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
+
+ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
+
+ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
+
+# Property to enable incremental feature
+ro.incremental.enable u:object_r:incremental_prop:s0
+
+# Properties to configure userspace reboot.
+init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
+init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.sigterm.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+
+sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
+
+# surfaceflinger properties
+ro.surface_flinger.default_composition_dataspace u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.default_composition_pixel_format u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.has_HDR_display u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.has_wide_color_display u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_graphics_height u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_graphics_width u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_virtual_display_dimension u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.primary_display_orientation u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
+ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.running_without_sync_framework u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.start_graphics_allocator_service u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_color_management u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_context_priority u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_vr_flinger u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.wcg_composition_dataspace u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.wcg_composition_pixel_format u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.display_primary_red u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_green u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_blue u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_white u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.protected_contents u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.supports_background_blur u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.ignore_hdr_camera_layers u:object_r:surfaceflinger_prop:s0 exact bool
+
+ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
+
+persist.sys.sf.color_mode u:object_r:surfaceflinger_color_prop:s0 exact int
+persist.sys.sf.color_saturation u:object_r:surfaceflinger_color_prop:s0 exact string
+persist.sys.sf.native_mode u:object_r:surfaceflinger_color_prop:s0 exact int
+
+# Binder cache properties. These are world-readable
+cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_compat_change_enabled u:object_r:binder_cache_system_server_prop:s0
+cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
+cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
+cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
+cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
+cache_key.location_enabled u:object_r:binder_cache_system_server_prop:s0
+cache_key.package_info u:object_r:binder_cache_system_server_prop:s0
+
+cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
+cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
+cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
+
+# Framework watchdog configuration properties.
+framework_watchdog.fatal_count u:object_r:framework_watchdog_config_prop:s0 exact int
+framework_watchdog.fatal_window.second u:object_r:framework_watchdog_config_prop:s0 exact int
+
+gsm.operator.iso-country u:object_r:telephony_status_prop:s0 exact string
+gsm.sim.operator.iso-country u:object_r:telephony_status_prop:s0 exact string
+gsm.sim.operator.numeric u:object_r:telephony_status_prop:s0 exact string
+persist.radio.airplane_mode_on u:object_r:telephony_status_prop:s0 exact bool
+
+ro.cdma.home.operator.alpha u:object_r:telephony_config_prop:s0 exact string
+ro.cdma.home.operator.numeric u:object_r:telephony_config_prop:s0 exact string
+ro.com.android.dataroaming u:object_r:telephony_config_prop:s0 exact bool
+ro.com.android.prov_mobiledata u:object_r:telephony_config_prop:s0 exact bool
+ro.radio.noril u:object_r:telephony_config_prop:s0 exact string
+ro.telephony.call_ring.multiple u:object_r:telephony_config_prop:s0 exact bool
+ro.telephony.default_cdma_sub u:object_r:telephony_config_prop:s0 exact int
+ro.telephony.default_network u:object_r:telephony_config_prop:s0 exact string
+ro.telephony.iwlan_operation_mode u:object_r:telephony_config_prop:s0 exact enum default legacy AP-assisted
+telephony.active_modems.max_count u:object_r:telephony_config_prop:s0 exact int
+telephony.lteOnCdmaDevice u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
+
+# System locale list filter configuration
+ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
+
+# Graphics related properties
+ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
+
+ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
+ro.gfx.driver_build_time u:object_r:graphics_config_prop:s0 exact int
+
+graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
+graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
+
+ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
+
+# surfaceflinger-settable
+graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
+
+# Disable/enable charger input
+power.battery_input.suspended u:object_r:power_debug_prop:s0 exact bool
+
+# zygote config property
+zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
+
+ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
+
+# Allows a device to run without batch attestation keys
+remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+
+# Broadcast boot stages, which keystore listens to
+keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
+
+# Property that tracks keystore crash counts during a boot cycle.
+keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+
+partition.system.verified u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
+partition.product.verified u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified u:object_r:verity_status_prop:s0 exact string
+
+# Properties that holds the hashtree information for verity partitions.
+partition.system.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.product.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.system.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.product.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+
+ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
+ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+
+setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.day_night_mode_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_low_ram_filter u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_suggestion u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.device_default_dark_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.esim_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.google_services_deferred_setup_pretend_not_suw u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data.carrier-1 u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.portal_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.predeferred_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.return_partner_customization_bundle u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.show_pixel_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.use_biometric_lock u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.wallpaper_suggestion_after_restore u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.logging u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
+
+db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
+db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
+db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
+
+# SOC related props
+ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
+ro.soc.model u:object_r:soc_prop:s0 exact string
+
+# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
+# to detect failures where hard linking should work otherwise
+persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
+
+# bootanimation properties
+ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
+
+# dck properties
+ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+
+# virtualization service properties
+virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
diff --git a/prebuilts/api/26.0/private/racoon.te b/prebuilts/api/33.0/private/racoon.te
similarity index 100%
rename from prebuilts/api/26.0/private/racoon.te
rename to prebuilts/api/33.0/private/racoon.te
diff --git a/prebuilts/api/33.0/private/radio.te b/prebuilts/api/33.0/private/radio.te
new file mode 100644
index 0000000..08365f0
--- /dev/null
+++ b/prebuilts/api/33.0/private/radio.te
@@ -0,0 +1,36 @@
+typeattribute radio coredomain, mlstrustedsubject;
+
+app_domain(radio)
+
+read_runtime_log_tags(radio)
+
+# Property service
+set_prop(radio, radio_control_prop)
+set_prop(radio, radio_prop)
+set_prop(radio, net_radio_prop)
+set_prop(radio, telephony_status_prop)
+set_prop(radio, radio_cdma_ecm_prop)
+
+# ctl interface
+set_prop(radio, ctl_rildaemon_prop)
+
+# Telephony code contains time / time zone detection logic so it reads the associated properties.
+get_prop(radio, time_prop)
+
+# allow telephony to access platform compat to log permission denials
+allow radio platform_compat_service:service_manager find;
+
+allow radio uce_service:service_manager find;
+
+# Manage /data/misc/emergencynumberdb
+allow radio emergency_data_file:dir r_dir_perms;
+allow radio emergency_data_file:file r_file_perms;
+
+# allow telephony to access related cache properties
+set_prop(radio, binder_cache_telephony_server_prop);
+neverallow { domain -radio -init }
+ binder_cache_telephony_server_prop:property_service set;
+
+# allow sending pulled atoms to statsd
+binder_call(radio, statsd)
+
diff --git a/prebuilts/api/33.0/private/recovery.te b/prebuilts/api/33.0/private/recovery.te
new file mode 100644
index 0000000..2dba93b
--- /dev/null
+++ b/prebuilts/api/33.0/private/recovery.te
@@ -0,0 +1,50 @@
+typeattribute recovery coredomain;
+
+# The allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+ # Reboot the device
+ set_prop(recovery, powerctl_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(recovery, serialno_prop)
+
+ # Set sys.usb.ffs.ready when starting minadbd for sideload.
+ get_prop(recovery, ffs_config_prop)
+ set_prop(recovery, ffs_control_prop)
+
+ # Set sys.usb.config when switching into fastboot.
+ set_prop(recovery, usb_control_prop)
+ set_prop(recovery, usb_prop)
+
+ # Read ro.boot.bootreason
+ get_prop(recovery, bootloader_boot_reason_prop)
+
+ # Read storage properties (for correctly formatting filesystems)
+ get_prop(recovery, storage_config_prop)
+
+ set_prop(recovery, gsid_prop)
+
+ # These are needed to allow recovery to manage network
+ allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
+ allow recovery self:global_capability_class_set net_admin;
+ allow recovery self:tcp_socket { create ioctl };
+ allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+
+ # Start snapuserd for merging VABC updates
+ set_prop(recovery, ctl_snapuserd_prop)
+
+ # Needed to communicate with snapuserd to complete merges.
+ allow recovery snapuserd_socket:sock_file write;
+ allow recovery snapuserd:unix_stream_socket connectto;
+ allow recovery dm_user_device:dir r_dir_perms;
+ get_prop(recovery, snapuserd_prop)
+
+ # Set fastbootd protocol property
+ set_prop(recovery, fastbootd_protocol_prop)
+
+ get_prop(recovery, recovery_config_prop)
+
+ # Needed to read bootconfig parameters through libfs_mgr
+ allow recovery proc_bootconfig:file r_file_perms;
+')
diff --git a/prebuilts/api/33.0/private/recovery_persist.te b/prebuilts/api/33.0/private/recovery_persist.te
new file mode 100644
index 0000000..7cb2e67
--- /dev/null
+++ b/prebuilts/api/33.0/private/recovery_persist.te
@@ -0,0 +1,11 @@
+typeattribute recovery_persist coredomain;
+
+init_daemon_domain(recovery_persist)
+
+# recovery_persist is not allowed to write anywhere other than recovery_data_file
+neverallow recovery_persist {
+ file_type
+ -recovery_data_file
+ userdebug_or_eng(`-coredump_file')
+ with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/prebuilts/api/33.0/private/recovery_refresh.te b/prebuilts/api/33.0/private/recovery_refresh.te
new file mode 100644
index 0000000..3c095cc
--- /dev/null
+++ b/prebuilts/api/33.0/private/recovery_refresh.te
@@ -0,0 +1,10 @@
+typeattribute recovery_refresh coredomain;
+
+init_daemon_domain(recovery_refresh)
+
+# recovery_refresh is not allowed to write anywhere
+neverallow recovery_refresh {
+ file_type
+ userdebug_or_eng(`-coredump_file')
+ with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/prebuilts/api/33.0/private/remote_prov_app.te b/prebuilts/api/33.0/private/remote_prov_app.te
new file mode 100644
index 0000000..43b69d2
--- /dev/null
+++ b/prebuilts/api/33.0/private/remote_prov_app.te
@@ -0,0 +1,14 @@
+type remote_prov_app, domain;
+typeattribute remote_prov_app coredomain;
+
+app_domain(remote_prov_app)
+net_domain(remote_prov_app)
+
+set_prop(remote_prov_app, remote_prov_prop)
+# The app needs access to properly build a DeviceInfo package for the verifying server
+get_prop(remote_prov_app, vendor_security_patch_level_prop)
+
+allow remote_prov_app {
+ app_api_service
+ remoteprovisioning_service
+}:service_manager find;
diff --git a/prebuilts/api/33.0/private/remount.te b/prebuilts/api/33.0/private/remount.te
new file mode 100644
index 0000000..4dd94a5
--- /dev/null
+++ b/prebuilts/api/33.0/private/remount.te
@@ -0,0 +1,15 @@
+type remount, domain, coredomain;
+type remount_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ # Allow init to run clean_scratch_files and do auto domain transfer.
+ init_daemon_domain(remount)
+
+ # Allow talking to gsid.
+ binder_use(remount)
+ allow remount gsi_service:service_manager find;
+ binder_call(remount, gsid)
+
+ # Allow searching for /metadata/gsi/remount/lp_metadata.
+ allow remount { metadata_file gsi_metadata_file_type }:dir search;
+')
diff --git a/prebuilts/api/26.0/private/roles_decl b/prebuilts/api/33.0/private/roles_decl
similarity index 100%
rename from prebuilts/api/26.0/private/roles_decl
rename to prebuilts/api/33.0/private/roles_decl
diff --git a/prebuilts/api/33.0/private/rs.te b/prebuilts/api/33.0/private/rs.te
new file mode 100644
index 0000000..268f040
--- /dev/null
+++ b/prebuilts/api/33.0/private/rs.te
@@ -0,0 +1,40 @@
+# Any files which would have been created as app_data_file and
+# privapp_data_file will be created as app_exec_data_file instead.
+allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
+allow rs app_exec_data_file:file create_file_perms;
+type_transition rs app_data_file:file app_exec_data_file;
+type_transition rs privapp_data_file:file app_exec_data_file;
+
+# Follow /data/user/0 symlink
+allow rs system_data_file:lnk_file read;
+
+# Read files from the app home directory.
+allow rs { app_data_file privapp_data_file }:file r_file_perms;
+allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
+
+# Cleanup app_exec_data_file files in the app home directory.
+allow rs { app_data_file privapp_data_file }:dir remove_name;
+
+# Use vendor resources
+allow rs vendor_file:dir r_dir_perms;
+r_dir_file(rs, vendor_overlay_file)
+r_dir_file(rs, vendor_app_file)
+
+# Read contents of app apks
+r_dir_file(rs, apk_data_file)
+
+allow rs gpu_device:chr_file rw_file_perms;
+allow rs ion_device:chr_file r_file_perms;
+allow rs same_process_hal_file:file { r_file_perms execute };
+
+# File descriptors passed from app to renderscript
+allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
+
+# rs can access app data, so ensure it can only be entered via an app domain and cannot have
+# CAP_DAC_OVERRIDE.
+neverallow rs rs:capability_class_set *;
+neverallow { domain -appdomain } rs:process { dyntransition transition };
+neverallow rs { domain -crash_dump }:process { dyntransition transition };
+neverallow rs app_data_file:file_class_set ~r_file_perms;
+# rs should never use network sockets
+neverallow rs *:network_socket_class_set *;
diff --git a/prebuilts/api/33.0/private/rss_hwm_reset.te b/prebuilts/api/33.0/private/rss_hwm_reset.te
new file mode 100644
index 0000000..30818c2
--- /dev/null
+++ b/prebuilts/api/33.0/private/rss_hwm_reset.te
@@ -0,0 +1,14 @@
+type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
+
+# Start rss_hwm_reset from init.
+init_daemon_domain(rss_hwm_reset)
+
+# Search /proc/pid directories.
+allow rss_hwm_reset domain:dir search;
+
+# Write to /proc/pid/clear_refs of other processes.
+# /proc/pid/clear_refs is S_IWUSER, see: fs/proc/base.c
+allow rss_hwm_reset self:global_capability_class_set { dac_override };
+
+# Write to /prc/pid/clear_refs.
+allow rss_hwm_reset domain:file w_file_perms;
diff --git a/prebuilts/api/33.0/private/runas.te b/prebuilts/api/33.0/private/runas.te
new file mode 100644
index 0000000..ef31aac
--- /dev/null
+++ b/prebuilts/api/33.0/private/runas.te
@@ -0,0 +1,4 @@
+typeattribute runas coredomain;
+
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
diff --git a/prebuilts/api/33.0/private/runas_app.te b/prebuilts/api/33.0/private/runas_app.te
new file mode 100644
index 0000000..c1b354a
--- /dev/null
+++ b/prebuilts/api/33.0/private/runas_app.te
@@ -0,0 +1,32 @@
+typeattribute runas_app coredomain;
+
+app_domain(runas_app)
+untrusted_app_domain(runas_app)
+net_domain(runas_app)
+bluetooth_domain(runas_app)
+
+# The ability to call exec() on files in the apps home directories
+# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
+# which are copied to the apps home directories.
+allow runas_app app_data_file:file execute_no_trans;
+
+# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
+r_dir_file(runas_app, untrusted_app_all)
+
+# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
+allow runas_app untrusted_app_all:process { ptrace signal sigstop };
+allow runas_app untrusted_app_all:unix_stream_socket connectto;
+
+# Allow executing system image simpleperf without a domain transition.
+allow runas_app simpleperf_exec:file rx_file_perms;
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective process, most of which this domain is not
+# allowed to see.
+dontaudit runas_app domain:dir search;
+
+# Allow runas_app to call perf_event_open for profiling debuggable app
+# processes, but not the whole system.
+allow runas_app self:perf_event { open read write kernel };
+neverallow runas_app self:perf_event ~{ open read write kernel };
diff --git a/prebuilts/api/33.0/private/sdcardd.te b/prebuilts/api/33.0/private/sdcardd.te
new file mode 100644
index 0000000..126d643
--- /dev/null
+++ b/prebuilts/api/33.0/private/sdcardd.te
@@ -0,0 +1,3 @@
+typeattribute sdcardd coredomain;
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/prebuilts/api/33.0/private/sdk_sandbox.te b/prebuilts/api/33.0/private/sdk_sandbox.te
new file mode 100644
index 0000000..b18b7dd
--- /dev/null
+++ b/prebuilts/api/33.0/private/sdk_sandbox.te
@@ -0,0 +1,90 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes.
+
+type sdk_sandbox, domain;
+
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+# Audit the access to signal that we are still investigating whether sdk_sandbox
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox trust_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(sdk_sandbox)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(sdk_sandbox)
+can_profile_perf(sdk_sandbox)
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow access to sdksandbox data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox proc_net:file no_rw_file_perms;
+
+# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
+neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
+
+# SDK sandbox processes don't have any access to external storage
+neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
+
+neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox hal_drm_service:service_manager find;
diff --git a/prebuilts/api/33.0/private/seapp_contexts b/prebuilts/api/33.0/private/seapp_contexts
new file mode 100644
index 0000000..b26d977
--- /dev/null
+++ b/prebuilts/api/33.0/private/seapp_contexts
@@ -0,0 +1,179 @@
+# The entries in this file define how security contexts for apps are determined.
+# Each entry lists input selectors, used to match the app, and outputs which are
+# used to determine the security contexts for matching apps.
+#
+# Input selectors:
+# isSystemServer (boolean)
+# isEphemeralApp (boolean)
+# user (string)
+# seinfo (string)
+# name (string)
+# isPrivApp (boolean)
+# minTargetSdkVersion (unsigned integer)
+# fromRunAs (boolean)
+#
+# All specified input selectors in an entry must match (i.e. logical AND).
+# An unspecified string or boolean selector with no default will match any
+# value.
+# A user, or name string selector that ends in * will perform a prefix
+# match.
+# String matching is case-insensitive.
+# See external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_lookup().
+#
+# isSystemServer=true only matches the system server.
+# An unspecified isSystemServer defaults to false.
+# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
+# user=_app will match any regular app process.
+# user=_isolated will match any isolated service process.
+# user=_sdksandbox will match sdk sandbox process for an app.
+# Other values of user are matched against the name associated with the process
+# UID.
+# seinfo= matches aginst the seinfo tag for the app, determined from
+# mac_permissions.xml files.
+# The ':' character is reserved and may not be used in seinfo.
+# name= matches against the package name of the app.
+# isPrivApp=true will only match for applications preinstalled in
+# /system/priv-app.
+# minTargetSdkVersion will match applications with a targetSdkVersion
+# greater than or equal to the specified value. If unspecified,
+# it has a default value of 0.
+# fromRunAs=true means the process being labeled is started by run-as. Default
+# is false.
+#
+# Precedence: entries are compared using the following rules, in the order shown
+# (see external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_cmp()).
+# (1) isSystemServer=true before isSystemServer=false.
+# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
+# boolean.
+# (3) Specified user= string before unspecified user= string;
+# more specific user= string before less specific user= string.
+# (4) Specified seinfo= string before unspecified seinfo= string.
+# (5) Specified name= string before unspecified name= string;
+# more specific name= string before less specific name= string.
+# (6) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# (7) Higher value of minTargetSdkVersion= before lower value of
+# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
+# defaults to 0 if unspecified.
+# (8) fromRunAs=true before fromRunAs=false.
+# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
+# longer prefix is more specific than a shorter prefix.)
+# Apps are checked against entries in precedence order until the first match,
+# regardless of their order in this file.
+#
+# Duplicate entries, i.e. with identical input selectors, are not allowed.
+#
+# Outputs:
+# domain (string)
+# type (string)
+# levelFrom (string; one of none, all, app, or user)
+# level (string)
+#
+# domain= determines the label to be used for the app process; entries
+# without domain= are ignored for this purpose.
+# type= specifies the label to be used for the app data directory; entries
+# without type= are ignored for this purpose. The label specified must
+# have the app_data_file_type attribute.
+# levelFrom and level are used to determine the level (sensitivity + categories)
+# for MLS/MCS.
+# levelFrom=none omits the level.
+# levelFrom=app determines the level from the process UID.
+# levelFrom=user determines the level from the user ID.
+# levelFrom=all determines the level from both UID and user ID.
+#
+# levelFrom=user is only supported for _app or _isolated UIDs.
+# levelFrom=app or levelFrom=all is only supported for _app UIDs.
+# level may be used to specify a fixed level for any UID.
+#
+# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
+# and levelFromUid=false is equivalent to levelFrom=none.
+#
+#
+# Neverallow Assertions
+# Additional compile time assertion checks for the rules in this file can be
+# added as well. The assertion
+# rules are lines beginning with the keyword neverallow. Full support for PCRE
+# regular expressions exists on all input and output selectors. Neverallow
+# rules are never output to the built seapp_contexts file. Like all keywords,
+# neverallows are case-insensitive. A neverallow is asserted when all key value
+# inputs are matched on a key value rule line.
+#
+
+# only the system server can be assigned the system_server domains
+neverallow isSystemServer=false domain=system_server
+neverallow isSystemServer=false domain=system_server_startup
+neverallow isSystemServer="" domain=system_server
+neverallow isSystemServer="" domain=system_server_startup
+
+# system domains should never be assigned outside of system uid
+neverallow user=((?!system).)* domain=system_app
+neverallow user=((?!system).)* type=system_app_data_file
+
+# any non priv-app with a non-known uid with a specified name should have a specified
+# seinfo
+neverallow user=_app isPrivApp=false name=.* seinfo=""
+neverallow user=_app isPrivApp=false name=.* seinfo=default
+
+# neverallow shared relro to any other domain
+# and neverallow any other uid into shared_relro
+neverallow user=shared_relro domain=((?!shared_relro).)*
+neverallow user=((?!shared_relro).)* domain=shared_relro
+
+# neverallow non-isolated uids into isolated_app domain
+# and vice versa
+neverallow user=_isolated domain=((?!isolated_app).)*
+neverallow user=((?!_isolated).)* domain=isolated_app
+
+# uid shell should always be in shell domain, however non-shell
+# uid's can be in shell domain
+neverallow user=shell domain=((?!shell).)*
+
+# only the package named com.android.shell can run in the shell domain
+neverallow domain=shell name=((?!com\.android\.shell).)*
+neverallow user=shell name=((?!com\.android\.shell).)*
+
+# Ephemeral Apps must run in the ephemeral_app domain
+neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
+
+isSystemServer=true domain=system_server_startup
+
+# sdksandbox must run in the sdksandbox domain
+neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
+
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
+user=system seinfo=platform domain=system_app type=system_app_data_file
+user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
+user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=secure_element seinfo=platform domain=secure_element levelFrom=all
+user=radio seinfo=platform domain=radio type=radio_data_file
+user=shared_relro domain=shared_relro levelFrom=all
+user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
+user=webview_zygote seinfo=webview_zygote domain=webview_zygote
+user=_isolated domain=isolated_app levelFrom=user
+user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
+user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
+user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
+user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
+user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
+user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
+user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
+user=_app fromRunAs=true domain=runas_app levelFrom=user
+
diff --git a/prebuilts/api/33.0/private/secure_element.te b/prebuilts/api/33.0/private/secure_element.te
new file mode 100644
index 0000000..fd3b688
--- /dev/null
+++ b/prebuilts/api/33.0/private/secure_element.te
@@ -0,0 +1,16 @@
+# secure element subsystem
+typeattribute secure_element coredomain;
+app_domain(secure_element)
+
+binder_service(secure_element)
+add_service(secure_element, secure_element_service)
+
+allow secure_element app_api_service:service_manager find;
+hal_client_domain(secure_element, hal_secure_element)
+
+# already open bugreport file descriptors may be shared with
+# the secure element process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow secure_element shell_data_file:file read;
+
+allow secure_element vendor_uuid_mapping_config_file:file r_file_perms;
diff --git a/prebuilts/api/33.0/private/security_classes b/prebuilts/api/33.0/private/security_classes
new file mode 100644
index 0000000..0d3cc80
--- /dev/null
+++ b/prebuilts/api/33.0/private/security_classes
@@ -0,0 +1,170 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class anon_inode
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class dccp_socket
+
+class memprotect
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+class smc_socket
+
+class process2
+
+class bpf
+
+class xdp_socket
+
+class perf_event
+
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
+# Property service
+class property_service # userspace
+
+# Service manager
+class service_manager # userspace
+
+# hardware service manager # userspace
+class hwservice_manager
+
+# Legacy Keystore key permissions
+class keystore_key # userspace
+
+# Keystore 2.0 permissions
+class keystore2 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key # userspace
+
+# Diced permissions
+class diced # userspace
+
+class drmservice # userspace
+# FLASK
diff --git a/prebuilts/api/33.0/private/service.te b/prebuilts/api/33.0/private/service.te
new file mode 100644
index 0000000..1f407a6
--- /dev/null
+++ b/prebuilts/api/33.0/private/service.te
@@ -0,0 +1,20 @@
+type ambient_context_service, app_api_service, system_server_service, service_manager_type;
+type attention_service, system_server_service, service_manager_type;
+type compos_service, service_manager_type;
+type communal_service, app_api_service, system_server_service, service_manager_type;
+type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
+type gsi_service, service_manager_type;
+type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type logcat_service, system_server_service, service_manager_type;
+type logd_service, service_manager_type;
+type mediatuner_service, app_api_service, service_manager_type;
+type profcollectd_service, service_manager_type;
+type resolver_service, system_server_service, service_manager_type;
+type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type stats_service, service_manager_type;
+type statsbootstrap_service, system_server_service, service_manager_type;
+type statscompanion_service, system_server_service, service_manager_type;
+type statsmanager_service, system_api_service, system_server_service, service_manager_type;
+type tracingproxy_service, system_server_service, service_manager_type;
+type transparency_service, system_server_service, service_manager_type;
+type uce_service, service_manager_type;
diff --git a/prebuilts/api/33.0/private/service_contexts b/prebuilts/api/33.0/private/service_contexts
new file mode 100644
index 0000000..72fa166
--- /dev/null
+++ b/prebuilts/api/33.0/private/service_contexts
@@ -0,0 +1,387 @@
+android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
+android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
+android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
+android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
+android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
+android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+# The instance here is internal/0 following naming convention for ICameraProvider.
+# It advertises internal camera devices.
+android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
+android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
+android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
+android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
+android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0
+android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.graphics.allocator.IAllocator/default u:object_r:hal_graphics_allocator_service:s0
+android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
+android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
+android.hardware.health.IHealth/default u:object_r:hal_health_service:s0
+android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
+android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
+android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
+android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
+android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
+android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
+android.hardware.power.IPower/default u:object_r:hal_power_service:s0
+android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
+android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
+android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
+android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
+android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
+android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
+android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
+android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
+android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
+android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
+android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
+android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
+android.hardware.wifi.hostapd.IHostapd/default u:object_r:hal_wifi_hostapd_service:s0
+android.hardware.wifi.supplicant.ISupplicant/default u:object_r:hal_wifi_supplicant_service:s0
+android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
+android.se.omapi.ISecureElementService/default u:object_r:secure_element_service:s0
+android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
+android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
+
+accessibility u:object_r:accessibility_service:s0
+account u:object_r:account_service:s0
+activity u:object_r:activity_service:s0
+activity_task u:object_r:activity_task_service:s0
+adb u:object_r:adb_service:s0
+adservices_manager u:object_r:adservices_manager_service:s0
+aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
+aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
+aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0
+alarm u:object_r:alarm_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/default u:object_r:evsmanagerd_service:s0
+android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
+android.frameworks.automotive.display.ICarDisplayProxy/default u:object_r:fwk_automotive_display_service:s0
+android.security.apc u:object_r:apc_service:s0
+android.security.authorization u:object_r:authorization_service:s0
+android.security.compat u:object_r:keystore_compat_hal_service:s0
+android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode u:object_r:dice_node_service:s0
+android.security.identity u:object_r:credstore_service:s0
+android.security.keystore u:object_r:keystore_service:s0
+android.security.legacykeystore u:object_r:legacykeystore_service:s0
+android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.metrics u:object_r:keystore_metrics_service:s0
+android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+android.security.remoteprovisioning.IRemotelyProvisionedKeyPool u:object_r:remotelyprovisionedkeypool_service:s0
+android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+android.system.composd u:object_r:compos_service:s0
+android.system.virtualizationservice u:object_r:virtualization_service:s0
+ambient_context u:object_r:ambient_context_service:s0
+app_binding u:object_r:app_binding_service:s0
+app_hibernation u:object_r:app_hibernation_service:s0
+app_integrity u:object_r:app_integrity_service:s0
+app_prediction u:object_r:app_prediction_service:s0
+app_search u:object_r:app_search_service:s0
+apexservice u:object_r:apex_service:s0
+attestation_verification u:object_r:attestation_verification_service:s0
+blob_store u:object_r:blob_store_service:s0
+gsiservice u:object_r:gsi_service:s0
+appops u:object_r:appops_service:s0
+appwidget u:object_r:appwidget_service:s0
+artd u:object_r:artd_service:s0
+assetatlas u:object_r:assetatlas_service:s0
+attention u:object_r:attention_service:s0
+audio u:object_r:audio_service:s0
+auth u:object_r:auth_service:s0
+autofill u:object_r:autofill_service:s0
+backup u:object_r:backup_service:s0
+batteryproperties u:object_r:batteryproperties_service:s0
+batterystats u:object_r:batterystats_service:s0
+battery u:object_r:battery_service:s0
+binder_calls_stats u:object_r:binder_calls_stats_service:s0
+biometric u:object_r:biometric_service:s0
+bluetooth_manager u:object_r:bluetooth_manager_service:s0
+bluetooth u:object_r:bluetooth_service:s0
+broadcastradio u:object_r:broadcastradio_service:s0
+bugreport u:object_r:bugreport_service:s0
+cacheinfo u:object_r:cacheinfo_service:s0
+carrier_config u:object_r:radio_service:s0
+clipboard u:object_r:clipboard_service:s0
+cloudsearch u:object_r:cloudsearch_service:s0
+cloudsearch_service u:object_r:cloudsearch_service:s0
+com.android.net.IProxyService u:object_r:IProxyService_service:s0
+companiondevice u:object_r:companion_device_service:s0
+communal u:object_r:communal_service:s0
+platform_compat u:object_r:platform_compat_service:s0
+platform_compat_native u:object_r:platform_compat_service:s0
+connectivity u:object_r:connectivity_service:s0
+connectivity_native u:object_r:connectivity_native_service:s0
+connmetrics u:object_r:connmetrics_service:s0
+consumer_ir u:object_r:consumer_ir_service:s0
+content u:object_r:content_service:s0
+content_capture u:object_r:content_capture_service:s0
+content_suggestions u:object_r:content_suggestions_service:s0
+contexthub u:object_r:contexthub_service:s0
+country_detector u:object_r:country_detector_service:s0
+coverage u:object_r:coverage_service:s0
+cpuinfo u:object_r:cpuinfo_service:s0
+crossprofileapps u:object_r:crossprofileapps_service:s0
+dataloader_manager u:object_r:dataloader_manager_service:s0
+dbinfo u:object_r:dbinfo_service:s0
+device_config u:object_r:device_config_service:s0
+device_policy u:object_r:device_policy_service:s0
+device_identifiers u:object_r:device_identifiers_service:s0
+deviceidle u:object_r:deviceidle_service:s0
+device_state u:object_r:device_state_service:s0
+devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
+diskstats u:object_r:diskstats_service:s0
+display u:object_r:display_service:s0
+dnsresolver u:object_r:dnsresolver_service:s0
+domain_verification u:object_r:domain_verification_service:s0
+color_display u:object_r:color_display_service:s0
+netd_listener u:object_r:netd_listener_service:s0
+network_watchlist u:object_r:network_watchlist_service:s0
+DockObserver u:object_r:DockObserver_service:s0
+dreams u:object_r:dreams_service:s0
+drm.drmManager u:object_r:drmserver_service:s0
+dropbox u:object_r:dropbox_service:s0
+dumpstate u:object_r:dumpstate_service:s0
+dynamic_system u:object_r:dynamic_system_service:s0
+econtroller u:object_r:radio_service:s0
+emergency_affordance u:object_r:emergency_affordance_service:s0
+euicc_card_controller u:object_r:radio_service:s0
+external_vibrator_service u:object_r:external_vibrator_service:s0
+lowpan u:object_r:lowpan_service:s0
+ethernet u:object_r:ethernet_service:s0
+face u:object_r:face_service:s0
+file_integrity u:object_r:file_integrity_service:s0
+fingerprint u:object_r:fingerprint_service:s0
+font u:object_r:font_service:s0
+android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
+game u:object_r:game_service:s0
+gfxinfo u:object_r:gfxinfo_service:s0
+gnss_time_update_service u:object_r:gnss_time_update_service:s0
+graphicsstats u:object_r:graphicsstats_service:s0
+gpu u:object_r:gpu_service:s0
+hardware u:object_r:hardware_service:s0
+hardware_properties u:object_r:hardware_properties_service:s0
+hdmi_control u:object_r:hdmi_control_service:s0
+ions u:object_r:radio_service:s0
+idmap u:object_r:idmap_service:s0
+incident u:object_r:incident_service:s0
+incidentcompanion u:object_r:incidentcompanion_service:s0
+inputflinger u:object_r:inputflinger_service:s0
+input_method u:object_r:input_method_service:s0
+input u:object_r:input_service:s0
+installd u:object_r:installd_service:s0
+iorapd u:object_r:iorapd_service:s0
+iphonesubinfo_msim u:object_r:radio_service:s0
+iphonesubinfo2 u:object_r:radio_service:s0
+iphonesubinfo u:object_r:radio_service:s0
+ims u:object_r:radio_service:s0
+imms u:object_r:imms_service:s0
+incremental u:object_r:incremental_service:s0
+ipsec u:object_r:ipsec_service:s0
+ircsmessage u:object_r:radio_service:s0
+iris u:object_r:iris_service:s0
+isms_msim u:object_r:radio_service:s0
+isms2 u:object_r:radio_service:s0
+isms u:object_r:radio_service:s0
+isub u:object_r:radio_service:s0
+jobscheduler u:object_r:jobscheduler_service:s0
+launcherapps u:object_r:launcherapps_service:s0
+legacy_permission u:object_r:legacy_permission_service:s0
+lights u:object_r:light_service:s0
+locale u:object_r:locale_service:s0
+location u:object_r:location_service:s0
+location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
+lock_settings u:object_r:lock_settings_service:s0
+logcat u:object_r:logcat_service:s0
+logd u:object_r:logd_service:s0
+looper_stats u:object_r:looper_stats_service:s0
+lpdump_service u:object_r:lpdump_service:s0
+mdns u:object_r:mdns_service:s0
+media.aaudio u:object_r:audioserver_service:s0
+media.audio_flinger u:object_r:audioserver_service:s0
+media.audio_policy u:object_r:audioserver_service:s0
+media.camera u:object_r:cameraserver_service:s0
+media.camera.proxy u:object_r:cameraproxy_service:s0
+media.log u:object_r:audioserver_service:s0
+media.player u:object_r:mediaserver_service:s0
+media.metrics u:object_r:mediametrics_service:s0
+media.extractor u:object_r:mediaextractor_service:s0
+media.transcoding u:object_r:mediatranscoding_service:s0
+media.resource_manager u:object_r:mediaserver_service:s0
+media.resource_observer u:object_r:mediaserver_service:s0
+media.sound_trigger_hw u:object_r:audioserver_service:s0
+media.drm u:object_r:mediadrmserver_service:s0
+media.tuner u:object_r:mediatuner_service:s0
+media_communication u:object_r:media_communication_service:s0
+media_metrics u:object_r:media_metrics_service:s0
+media_projection u:object_r:media_projection_service:s0
+media_resource_monitor u:object_r:media_session_service:s0
+media_router u:object_r:media_router_service:s0
+media_session u:object_r:media_session_service:s0
+meminfo u:object_r:meminfo_service:s0
+memtrack.proxy u:object_r:memtrackproxy_service:s0
+midi u:object_r:midi_service:s0
+mount u:object_r:mount_service:s0
+music_recognition u:object_r:music_recognition_service:s0
+nearby u:object_r:nearby_service:s0
+netd u:object_r:netd_service:s0
+netpolicy u:object_r:netpolicy_service:s0
+netstats u:object_r:netstats_service:s0
+network_stack u:object_r:network_stack_service:s0
+network_management u:object_r:network_management_service:s0
+network_score u:object_r:network_score_service:s0
+network_time_update_service u:object_r:network_time_update_service:s0
+nfc u:object_r:nfc_service:s0
+notification u:object_r:notification_service:s0
+oem_lock u:object_r:oem_lock_service:s0
+otadexopt u:object_r:otadexopt_service:s0
+overlay u:object_r:overlay_service:s0
+pac_proxy u:object_r:pac_proxy_service:s0
+package u:object_r:package_service:s0
+package_native u:object_r:package_native_service:s0
+people u:object_r:people_service:s0
+performance_hint u:object_r:hint_service:s0
+permission u:object_r:permission_service:s0
+permissionmgr u:object_r:permissionmgr_service:s0
+permission_checker u:object_r:permission_checker_service:s0
+persistent_data_block u:object_r:persistent_data_block_service:s0
+phone_msim u:object_r:radio_service:s0
+phone1 u:object_r:radio_service:s0
+phone2 u:object_r:radio_service:s0
+phone u:object_r:radio_service:s0
+pinner u:object_r:pinner_service:s0
+powerstats u:object_r:powerstats_service:s0
+power u:object_r:power_service:s0
+print u:object_r:print_service:s0
+processinfo u:object_r:processinfo_service:s0
+procstats u:object_r:procstats_service:s0
+profcollectd u:object_r:profcollectd_service:s0
+radio.phonesubinfo u:object_r:radio_service:s0
+radio.phone u:object_r:radio_service:s0
+radio.sms u:object_r:radio_service:s0
+rcs u:object_r:radio_service:s0
+reboot_readiness u:object_r:reboot_readiness_service:s0
+recovery u:object_r:recovery_service:s0
+resolver u:object_r:resolver_service:s0
+resources u:object_r:resources_manager_service:s0
+restrictions u:object_r:restrictions_service:s0
+role u:object_r:role_service:s0
+rollback u:object_r:rollback_service:s0
+rttmanager u:object_r:rttmanager_service:s0
+runtime u:object_r:runtime_service:s0
+safety_center u:object_r:safety_center_service:s0
+samplingprofiler u:object_r:samplingprofiler_service:s0
+scheduling_policy u:object_r:scheduling_policy_service:s0
+search u:object_r:search_service:s0
+search_ui u:object_r:search_ui_service:s0
+secure_element u:object_r:secure_element_service:s0
+sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
+selection_toolbar u:object_r:selection_toolbar_service:s0
+sensorservice u:object_r:sensorservice_service:s0
+sensor_privacy u:object_r:sensor_privacy_service:s0
+serial u:object_r:serial_service:s0
+servicediscovery u:object_r:servicediscovery_service:s0
+manager u:object_r:service_manager_service:s0
+settings u:object_r:settings_service:s0
+shortcut u:object_r:shortcut_service:s0
+simphonebook_msim u:object_r:radio_service:s0
+simphonebook2 u:object_r:radio_service:s0
+simphonebook u:object_r:radio_service:s0
+sip u:object_r:radio_service:s0
+slice u:object_r:slice_service:s0
+smartspace u:object_r:smartspace_service:s0
+speech_recognition u:object_r:speech_recognition_service:s0
+stats u:object_r:stats_service:s0
+statsbootstrap u:object_r:statsbootstrap_service:s0
+statscompanion u:object_r:statscompanion_service:s0
+statsmanager u:object_r:statsmanager_service:s0
+soundtrigger u:object_r:voiceinteraction_service:s0
+soundtrigger_middleware u:object_r:soundtrigger_middleware_service:s0
+statusbar u:object_r:statusbar_service:s0
+storaged u:object_r:storaged_service:s0
+storaged_pri u:object_r:storaged_service:s0
+storagestats u:object_r:storagestats_service:s0
+sdk_sandbox u:object_r:sdk_sandbox_service:s0
+SurfaceFlinger u:object_r:surfaceflinger_service:s0
+SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
+suspend_control u:object_r:system_suspend_control_service:s0
+suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
+system_config u:object_r:system_config_service:s0
+system_server_dumper u:object_r:system_server_dumper_service:s0
+system_update u:object_r:system_update_service:s0
+tare u:object_r:tare_service:s0
+task u:object_r:task_service:s0
+telecom u:object_r:telecom_service:s0
+telephony.registry u:object_r:registry_service:s0
+telephony_ims u:object_r:radio_service:s0
+testharness u:object_r:testharness_service:s0
+tethering u:object_r:tethering_service:s0
+textclassification u:object_r:textclassification_service:s0
+textservices u:object_r:textservices_service:s0
+texttospeech u:object_r:texttospeech_service:s0
+time_detector u:object_r:timedetector_service:s0
+time_zone_detector u:object_r:timezonedetector_service:s0
+timezone u:object_r:timezone_service:s0
+thermalservice u:object_r:thermal_service:s0
+tracing.proxy u:object_r:tracingproxy_service:s0
+translation u:object_r:translation_service:s0
+transparency u:object_r:transparency_service:s0
+trust u:object_r:trust_service:s0
+tv_interactive_app u:object_r:tv_iapp_service:s0
+tv_input u:object_r:tv_input_service:s0
+tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
+uce u:object_r:uce_service:s0
+uimode u:object_r:uimode_service:s0
+updatelock u:object_r:updatelock_service:s0
+uri_grants u:object_r:uri_grants_service:s0
+usagestats u:object_r:usagestats_service:s0
+usb u:object_r:usb_service:s0
+user u:object_r:user_service:s0
+uwb u:object_r:uwb_service:s0
+vcn_management u:object_r:vcn_management_service:s0
+vibrator u:object_r:vibrator_service:s0
+vibrator_manager u:object_r:vibrator_manager_service:s0
+virtualdevice u:object_r:virtual_device_service:s0
+virtual_touchpad u:object_r:virtual_touchpad_service:s0
+voiceinteraction u:object_r:voiceinteraction_service:s0
+vold u:object_r:vold_service:s0
+vpn_management u:object_r:vpn_management_service:s0
+vrmanager u:object_r:vr_manager_service:s0
+wallpaper u:object_r:wallpaper_service:s0
+wallpaper_effects_generation u:object_r:wallpaper_effects_generation_service:s0
+webviewupdate u:object_r:webviewupdate_service:s0
+wifip2p u:object_r:wifip2p_service:s0
+wifiscanner u:object_r:wifiscanner_service:s0
+wifi u:object_r:wifi_service:s0
+wifinl80211 u:object_r:wifinl80211_service:s0
+wifiaware u:object_r:wifiaware_service:s0
+wifirtt u:object_r:rttmanager_service:s0
+window u:object_r:window_service:s0
+* u:object_r:default_android_service:s0
diff --git a/prebuilts/api/33.0/private/servicemanager.te b/prebuilts/api/33.0/private/servicemanager.te
new file mode 100644
index 0000000..6294452
--- /dev/null
+++ b/prebuilts/api/33.0/private/servicemanager.te
@@ -0,0 +1,7 @@
+typeattribute servicemanager coredomain;
+
+init_daemon_domain(servicemanager)
+
+read_runtime_log_tags(servicemanager)
+
+set_prop(servicemanager, ctl_interface_start_prop)
diff --git a/prebuilts/api/26.0/private/sgdisk.te b/prebuilts/api/33.0/private/sgdisk.te
similarity index 100%
rename from prebuilts/api/26.0/private/sgdisk.te
rename to prebuilts/api/33.0/private/sgdisk.te
diff --git a/prebuilts/api/33.0/private/shared_relro.te b/prebuilts/api/33.0/private/shared_relro.te
new file mode 100644
index 0000000..31fdb8c
--- /dev/null
+++ b/prebuilts/api/33.0/private/shared_relro.te
@@ -0,0 +1,15 @@
+typeattribute shared_relro coredomain;
+
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
+
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+allow shared_relro activity_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
+allow shared_relro package_service:service_manager find;
+
+# StrictMode may attempt to find this service, failure is harmless.
+dontaudit shared_relro network_management_service:service_manager find;
diff --git a/prebuilts/api/33.0/private/shell.te b/prebuilts/api/33.0/private/shell.te
new file mode 100644
index 0000000..c20e612
--- /dev/null
+++ b/prebuilts/api/33.0/private/shell.te
@@ -0,0 +1,236 @@
+typeattribute shell coredomain, mlstrustedsubject;
+
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
+# systrace support - allow atrace to run
+allow shell debugfs_tracing_debug:dir r_dir_perms;
+allow shell debugfs_tracing:dir r_dir_perms;
+allow shell debugfs_tracing:file rw_file_perms;
+allow shell debugfs_trace_marker:file getattr;
+allow shell atrace_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow shell debugfs_tracing_debug:file rw_file_perms;
+')
+
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
+# Run app_process.
+# XXX Transition into its own domain?
+app_domain(shell)
+
+# allow shell to call dumpsys storaged
+binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
+
+# Control Perfetto traced and obtain traces from it.
+# Needed for Studio and debugging.
+unix_socket_connect(shell, traced_consumer, traced)
+
+# Allow shell binaries to write trace data to Perfetto. Used for testing and
+# cmdline utils.
+perfetto_producer(shell)
+
+domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
+
+# Allow shell binaries to exec the perfetto cmdline util and have that
+# transition into its own domain, so that it behaves consistently to
+# when exec()-d by statsd.
+domain_auto_trans(shell, perfetto_exec, perfetto)
+# Allow to send SIGINT to perfetto when daemonized.
+allow shell perfetto:process signal;
+
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
+# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
+userdebug_or_eng(`
+ allow shell accessibility_trace_data_file:dir rw_dir_perms;
+ allow shell accessibility_trace_data_file:file { r_file_perms unlink };
+')
+
+# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
+allow shell perfetto_traces_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_data_file:file { r_file_perms unlink };
+# ... and /data/misc/perfetto-traces/bugreport/ .
+allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
+
+# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
+allow shell perfetto_configs_data_file:dir rw_dir_perms;
+allow shell perfetto_configs_data_file:file create_file_perms;
+
+# Allow shell to run adb shell cmd gpu commands.
+binder_call(shell, gpuservice);
+
+# Allow shell to use atrace HAL
+hal_client_domain(shell, hal_atrace)
+
+# For hostside tests such as CTS listening ports test.
+allow shell proc_net_tcp_udp:file r_file_perms;
+
+# The dl.exec_linker* tests need to execute /system/bin/linker
+# b/124789393
+allow shell system_linker_exec:file rx_file_perms;
+
+# Renderscript host side tests depend on being able to execute
+# /system/bin/bcc (b/126388046)
+allow shell rs_exec:file rx_file_perms;
+
+# Allow (host-driven) ART run-tests to execute dex2oat, in order to
+# check ART's compiler.
+allow shell dex2oat_exec:file rx_file_perms;
+allow shell dex2oat_exec:lnk_file read;
+
+# Allow shell to start and comminicate with lpdumpd.
+set_prop(shell, lpdumpd_prop);
+binder_call(shell, lpdumpd)
+
+# Allow shell to set and read value of properties used for CTS tests of
+# userspace reboot
+set_prop(shell, userspace_reboot_test_prop)
+
+# Allow shell to set this property to disable charging.
+set_prop(shell, power_debug_prop)
+
+# Allow shell to set this property used for rollback tests
+set_prop(shell, rollback_test_prop)
+
+# Allow shell to get encryption policy of /data/local/tmp/, for CTS
+allowxperm shell shell_data_file:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_GET_ENCRYPTION_POLICY_EX
+};
+
+# Allow shell to execute simpleperf without a domain transition.
+allow shell simpleperf_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ # Allow shell to execute profcollectctl without a domain transition.
+ allow shell profcollectd_exec:file rx_file_perms;
+
+ # Allow shell to read profcollectd data files.
+ r_dir_file(shell, profcollectd_data_file)
+
+ # Allow to issue control commands to profcollectd binder service.
+ allow shell profcollectd:binder call;
+')
+
+# Allow shell to call perf_event_open for profiling other shell processes, but
+# not the whole system.
+allow shell self:perf_event { open read write kernel };
+neverallow shell self:perf_event ~{ open read write kernel };
+
+# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
+allow shell apex_info_file:file r_file_perms;
+allow shell vendor_apex_file:file r_file_perms;
+allow shell vendor_apex_file:dir r_dir_perms;
+
+# Allow shell to read updated APEXes under /data/apex
+allow shell apex_data_file:dir search;
+allow shell staging_data_file:file r_file_perms;
+
+# Set properties.
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_bugreport_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, dumpstate_prop)
+set_prop(shell, exported_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, perf_drop_caches_prop)
+set_prop(shell, powerctl_prop)
+set_prop(shell, log_tag_prop)
+set_prop(shell, wifi_log_prop)
+# Allow shell to start/stop traced via the persist.traced.enable
+# property (which also takes care of /data/misc initialization).
+set_prop(shell, traced_enabled_prop)
+# adjust is_loggable properties
+userdebug_or_eng(`set_prop(shell, log_prop)')
+# logpersist script
+userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
+# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
+# property.
+set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
+# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
+set_prop(shell, ctl_gsid_prop)
+set_prop(shell, ctl_snapuserd_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
+
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
+# Read state of boot reason properties
+get_prop(shell, bootloader_boot_reason_prop)
+get_prop(shell, last_boot_reason_prop)
+get_prop(shell, system_boot_reason_prop)
+
+# Allow reading the outcome of perf_event_open LSM support test for CTS.
+get_prop(shell, init_perf_lsm_hooks_prop)
+
+# Allow shell to read boot image timestamps and fingerprints.
+get_prop(shell, build_bootimage_prop)
+
+# Allow shell to read odsign verification properties
+get_prop(shell, odsign_prop)
+
+userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
+
+# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
+allow shell keystore2_key_contexts_file:file r_file_perms;
+
+# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
+allow shell shell_key:keystore2_key { delete rebind use get_info update };
+
+# Allow shell to open and execute memfd files for minijail unit tests.
+userdebug_or_eng(`
+ allow shell appdomain_tmpfs:file { open execute_no_trans };
+')
+
+# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
+set_prop(shell, sqlite_log_prop)
+
+# Allow shell to write MTE properties even on user builds.
+set_prop(shell, arm64_memtag_prop)
+
+# Allow shell to read the dm-verity props on user builds.
+get_prop(shell, verity_status_prop)
+
+# Allow shell to read Virtual A/B related properties
+get_prop(shell, virtual_ab_prop)
+
+# Never allow others to set or get the perf.drop_caches property.
+neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
+neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
+
+# Allow ReadDefaultFstab() for CTS.
+read_fstab(shell)
+
+# Allow shell read access to /apex/apex-info-list.xml for CTS.
+allow shell apex_info_file:file r_file_perms;
+
+# Let the shell user call virtualizationservice (and
+# virtualizationservice call back to shell) for debugging.
+virtualizationservice_use(shell)
+
+# Allow shell to set persist.wm.debug properties
+userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
+
+# Allow shell to write GWP-ASan properties even on user builds.
+set_prop(shell, gwp_asan_prop)
diff --git a/prebuilts/api/33.0/private/simpleperf.te b/prebuilts/api/33.0/private/simpleperf.te
new file mode 100644
index 0000000..9c70060
--- /dev/null
+++ b/prebuilts/api/33.0/private/simpleperf.te
@@ -0,0 +1,51 @@
+# Domain used when running /system/bin/simpleperf to profile a specific app.
+# Entered either by the app itself exec-ing the binary, or through
+# simpleperf_app_runner (with shell as its origin). Certain other domains
+# (runas_app, shell) can also exec this binary without a domain transition.
+typeattribute simpleperf coredomain;
+type simpleperf_exec, system_file_type, exec_type, file_type;
+
+# Define apps that can be marked debuggable/profileable and be profiled by simpleperf.
+define(`simpleperf_profileable_apps', `{
+ ephemeral_app
+ isolated_app
+ platform_app
+ priv_app
+ untrusted_app_all
+}')
+
+domain_auto_trans({ simpleperf_profileable_apps -runas_app }, simpleperf_exec, simpleperf)
+
+# When running in this domain, simpleperf is scoped to profiling an individual
+# app. The necessary MAC permissions for profiling are more maintainable and
+# consistent if simpleperf is marked as an app domain as well (as, for example,
+# it will then see the same set of system libraries as the app).
+app_domain(simpleperf)
+untrusted_app_domain(simpleperf)
+
+# Allow ptrace attach to the target app, for reading JIT debug info (using
+# process_vm_readv) during unwinding and symbolization.
+allow simpleperf simpleperf_profileable_apps:process ptrace;
+
+# Allow using perf_event_open syscall for profiling the target app.
+allow simpleperf self:perf_event { open read write kernel };
+
+# Allow /proc/<pid> access for the target app (for example, when trying to
+# discover it by cmdline).
+r_dir_file(simpleperf, simpleperf_profileable_apps)
+
+# Allow apps signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow simpleperf_profileable_apps simpleperf:process signal;
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective processes, most of which this domain is
+# not allowed to see.
+dontaudit simpleperf domain:dir search;
+
+# Neverallows:
+
+# Profiling must be confined to the scope of an individual app.
+neverallow simpleperf self:perf_event ~{ open read write kernel };
diff --git a/prebuilts/api/33.0/private/simpleperf_app_runner.te b/prebuilts/api/33.0/private/simpleperf_app_runner.te
new file mode 100644
index 0000000..184a80a
--- /dev/null
+++ b/prebuilts/api/33.0/private/simpleperf_app_runner.te
@@ -0,0 +1,45 @@
+typeattribute simpleperf_app_runner coredomain;
+
+domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
+
+# run simpleperf_app_runner in adb shell.
+allow simpleperf_app_runner adbd:fd use;
+allow simpleperf_app_runner shell:fd use;
+allow simpleperf_app_runner devpts:chr_file { read write ioctl };
+
+# simpleperf_app_runner reads package information.
+allow simpleperf_app_runner system_data_file:file r_file_perms;
+allow simpleperf_app_runner system_data_file:lnk_file getattr;
+allow simpleperf_app_runner packages_list_file:file r_file_perms;
+
+# The app's data dir may be accessed through a symlink.
+allow simpleperf_app_runner system_data_file:lnk_file read;
+
+# simpleperf_app_runner switches to the app UID/GID.
+allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
+
+# simpleperf_app_runner switches to the app security context.
+selinux_check_context(simpleperf_app_runner) # validate context
+allow simpleperf_app_runner self:process setcurrent;
+allow simpleperf_app_runner { ephemeral_app isolated_app platform_app priv_app untrusted_app_all }:process dyntransition; # setcon
+
+# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
+
+# simpleperf_app_runner passes pipe fds.
+# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
+allow simpleperf_app_runner shell:fifo_file { read write };
+
+# simpleperf_app_runner checks shell data paths.
+# simpleperf_app_runner passes shell data fds.
+allow simpleperf_app_runner shell_data_file:dir { getattr search };
+allow simpleperf_app_runner shell_data_file:file { getattr write };
+
+###
+### neverallow rules
+###
+
+# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
+neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/prebuilts/api/33.0/private/simpleperf_boot.te b/prebuilts/api/33.0/private/simpleperf_boot.te
new file mode 100644
index 0000000..e71c492
--- /dev/null
+++ b/prebuilts/api/33.0/private/simpleperf_boot.te
@@ -0,0 +1,59 @@
+# Domain used when running /system/bin/simpleperf to record boot-time profiles.
+# It is started by init process. It's only available on userdebug/eng build.
+
+type simpleperf_boot, domain, coredomain, mlstrustedsubject;
+
+# /data/simpleperf_boot_data, used to store boot-time profiles.
+type simpleperf_boot_data_file, file_type;
+
+userdebug_or_eng(`
+ domain_auto_trans(init, simpleperf_exec, simpleperf_boot)
+
+ # simpleperf_boot writes profile data to /data/simpleperf_boot_data.
+ allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms;
+ allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms;
+
+ # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling.
+ allow simpleperf_boot self:perf_event { cpu kernel open read write };
+ allow simpleperf_boot self:global_capability2_class_set perfmon;
+
+ # Allow simpleperf_boot to scan through /proc/pid for all processes.
+ r_dir_file(simpleperf_boot, domain)
+
+ # Allow simpleperf_boot to read executable binaries.
+ allow simpleperf_boot system_file_type:file r_file_perms;
+ allow simpleperf_boot vendor_file_type:file r_file_perms;
+
+ # Allow simpleperf_boot to search for and read kernel modules.
+ allow simpleperf_boot vendor_file:dir r_dir_perms;
+ allow simpleperf_boot vendor_kernel_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read system bootstrap libs.
+ allow simpleperf_boot system_bootstrap_lib_file:dir search;
+ allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms;
+
+ # Allow simpleperf_boot to access tracefs.
+ allow simpleperf_boot debugfs_tracing:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing:file rw_file_perms;
+ allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms;
+
+ # Allow simpleperf_boot to write to perf_event_paranoid under /proc.
+ allow simpleperf_boot proc_perf:file write;
+
+ # Allow simpleperf_boot to read process maps.
+ allow simpleperf_boot self:global_capability_class_set sys_ptrace;
+ # Allow simpleperf_boot to read JIT debug info from system_server and zygote.
+ allow simpleperf_boot { system_server zygote }:process ptrace;
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(simpleperf_boot, lower_kptr_restrict_prop)
+ allow simpleperf_boot proc_kallsyms:file r_file_perms;
+ allow simpleperf_boot proc_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read kernel build id.
+ allow simpleperf_boot sysfs_kernel_notes:file r_file_perms;
+
+ dontaudit simpleperf_boot shell_data_file:dir search;
+')
diff --git a/prebuilts/api/26.0/private/slideshow.te b/prebuilts/api/33.0/private/slideshow.te
similarity index 100%
rename from prebuilts/api/26.0/private/slideshow.te
rename to prebuilts/api/33.0/private/slideshow.te
diff --git a/prebuilts/api/33.0/private/snapshotctl.te b/prebuilts/api/33.0/private/snapshotctl.te
new file mode 100644
index 0000000..fb2bbca
--- /dev/null
+++ b/prebuilts/api/33.0/private/snapshotctl.te
@@ -0,0 +1,45 @@
+type snapshotctl, domain, coredomain;
+type snapshotctl_exec, system_file_type, exec_type, file_type;
+
+# Allow init to run snapshotctl and do auto domain transfer.
+init_daemon_domain(snapshotctl);
+
+# Allow to start gsid service.
+set_prop(snapshotctl, ctl_gsid_prop)
+
+# Allow to talk to gsid.
+binder_use(snapshotctl)
+allow snapshotctl gsi_service:service_manager find;
+binder_call(snapshotctl, gsid)
+
+# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status.
+allow snapshotctl metadata_file:dir search;
+allow snapshotctl ota_metadata_file:dir rw_dir_perms;
+allow snapshotctl ota_metadata_file:file create_file_perms;
+
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(snapshotctl, sysfs_dt_firmware_android);
+allow snapshotctl proc_cmdline:file r_file_perms;
+
+# Needed to (re-)map logical partitions.
+allow snapshotctl block_device:dir r_dir_perms;
+allow snapshotctl super_block_device:blk_file r_file_perms;
+
+# Interact with device-mapper to collapse snapshots.
+allow snapshotctl dm_device:chr_file rw_file_perms;
+
+# Needed to mutate device-mapper nodes.
+allow snapshotctl self:global_capability_class_set sys_admin;
+
+# Snapshotctl talk to boot control HAL to set merge status.
+hwbinder_use(snapshotctl)
+hal_client_domain(snapshotctl, hal_bootctl)
+
+# Allow snapshotctl to write to statsd socket.
+unix_socket_send(snapshotctl, statsdw, statsd)
+
+# Logging
+userdebug_or_eng(`
+ allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
+ allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/prebuilts/api/33.0/private/snapuserd.te b/prebuilts/api/33.0/private/snapuserd.te
new file mode 100644
index 0000000..2e2c473
--- /dev/null
+++ b/prebuilts/api/33.0/private/snapuserd.te
@@ -0,0 +1,55 @@
+# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
+type snapuserd, domain;
+type snapuserd_exec, exec_type, file_type, system_file_type;
+
+typeattribute snapuserd coredomain;
+
+init_daemon_domain(snapuserd)
+
+allow snapuserd kmsg_device:chr_file rw_file_perms;
+
+allow snapuserd self:capability ipc_lock;
+
+# Allow snapuserd to reach block devices in /dev/block.
+allow snapuserd block_device:dir search;
+
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow snapuserd sysfs:dir { open read };
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and dynamic partitions.
+allow snapuserd sysfs_dm:dir { open read search };
+allow snapuserd sysfs_dm:file r_file_perms;
+
+# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
+allow snapuserd block_device:dir r_dir_perms;
+allow snapuserd dm_device:chr_file rw_file_perms;
+allow snapuserd dm_device:blk_file rw_file_perms;
+
+# Reading and writing to dm-user control nodes.
+allow snapuserd dm_user_device:dir r_dir_perms;
+allow snapuserd dm_user_device:chr_file rw_file_perms;
+
+# Reading and writing to /dev/socket/snapuserd and snapuserd_proxy.
+allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+allow snapuserd snapuserd_proxy_socket:sock_file write;
+
+# This arises due to first-stage init opening /dev/null without F_CLOEXEC
+# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
+# again, the descriptor leaks into the new process.
+allow snapuserd kernel:fd use;
+
+# snapuserd.* properties
+set_prop(snapuserd, snapuserd_prop)
+get_prop(snapuserd, virtual_ab_prop)
+
+# For inotify watching for /dev/socket/snapuserd_proxy to appear.
+allow snapuserd tmpfs:dir { read watch };
+
+# Forbid anything other than snapuserd and init setting snapuserd properties.
+neverallow {
+ domain
+ -snapuserd
+ -init
+} snapuserd_prop:property_service set;
diff --git a/prebuilts/api/33.0/private/stats.te b/prebuilts/api/33.0/private/stats.te
new file mode 100644
index 0000000..db29072
--- /dev/null
+++ b/prebuilts/api/33.0/private/stats.te
@@ -0,0 +1,57 @@
+type stats, domain;
+typeattribute stats coredomain;
+type stats_exec, system_file_type, exec_type, file_type;
+
+# switch to stats domain for stats command
+domain_auto_trans(shell, stats_exec, stats)
+
+# allow stats access to stdout from its parent shell.
+allow stats shell:fd use;
+
+# allow stats to communicate use, read and write over the adb
+# connection.
+allow stats adbd:fd use;
+allow stats adbd:unix_stream_socket { read write };
+
+# allow adbd to reap stats
+allow stats adbd:process { sigchld };
+
+# Allow the stats command to talk to the statsd over the binder, and get
+# back the stats report data from a ParcelFileDescriptor.
+binder_use(stats)
+allow stats stats_service:service_manager find;
+binder_call(stats, statsd)
+allow stats statsd:fifo_file write;
+
+# Only statsd can publish the binder service.
+add_service(statsd, stats_service)
+
+# Allow pipes from (and only from) stats.
+allow statsd stats:fd use;
+allow statsd stats:fifo_file write;
+
+# Allow statsd to call back to stats with status updates.
+binder_call(statsd, stats)
+
+###
+### neverallow rules
+###
+
+neverallow {
+ domain
+ -dumpstate
+ -gmscore_app
+ -gpuservice
+ -incidentd
+ -keystore
+ -mediametrics
+ -platform_app
+ -priv_app
+ -shell
+ -stats
+ -statsd
+ -surfaceflinger
+ -system_app
+ -system_server
+ -traceur_app
+} stats_service:service_manager find;
diff --git a/prebuilts/api/33.0/private/statsd.te b/prebuilts/api/33.0/private/statsd.te
new file mode 100644
index 0000000..59948ff
--- /dev/null
+++ b/prebuilts/api/33.0/private/statsd.te
@@ -0,0 +1,30 @@
+typeattribute statsd coredomain;
+
+init_daemon_domain(statsd)
+
+# Allow to exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe. It allows statsd to capture traces and hand them
+# to Android dropbox.
+allow statsd perfetto_exec:file rx_file_perms;
+domain_auto_trans(statsd, perfetto_exec, perfetto)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ statscompanion_service
+}:service_manager find;
+
+# Allow incidentd to obtain the statsd incident section.
+allow statsd incidentd:fifo_file write;
+
+# Allow StatsCompanionService to pipe data to statsd.
+allow statsd system_server:fifo_file { read write getattr };
+
+# Allow Statsd to pipe data to privileged apps.
+allow statsd priv_app:fifo_file { read write getattr };
+
+# Allow statsd to retrieve SF statistics over binder
+binder_call(statsd, surfaceflinger);
+
+# Allow statsd to read its system properties
+get_prop(statsd, device_config_statsd_native_prop)
+get_prop(statsd, device_config_statsd_native_boot_prop)
diff --git a/prebuilts/api/33.0/private/storaged.te b/prebuilts/api/33.0/private/storaged.te
new file mode 100644
index 0000000..bb39e5b
--- /dev/null
+++ b/prebuilts/api/33.0/private/storaged.te
@@ -0,0 +1,69 @@
+# storaged daemon
+type storaged, domain, coredomain, mlstrustedsubject;
+type storaged_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(storaged)
+
+# Read access to pseudo filesystems
+r_dir_file(storaged, domain)
+
+# Read /proc/uid_io/stats
+allow storaged proc_uid_io_stats:file r_file_perms;
+
+# Read /data/system/packages.list
+allow storaged system_data_file:file r_file_perms;
+allow storaged packages_list_file:file r_file_perms;
+
+# Store storaged proto file
+allow storaged storaged_data_file:dir rw_dir_perms;
+allow storaged storaged_data_file:file create_file_perms;
+
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+ ')
+')
+
+# Needed to provide debug dump output via dumpsys pipes.
+allow storaged shell:fd use;
+allow storaged shell:fifo_file write;
+
+# Needed for GMScore to call dumpsys storaged
+allow storaged priv_app:fd use;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+# Remove after no logs are seen for this rule.
+userdebug_or_eng(`
+ auditallow storaged priv_app:fd use;
+')
+allow storaged gmscore_app:fd use;
+allow storaged { privapp_data_file app_data_file }:file write;
+allow storaged permission_service:service_manager find;
+
+# Binder permissions
+add_service(storaged, storaged_service)
+
+binder_use(storaged)
+binder_call(storaged, system_server)
+
+hal_client_domain(storaged, hal_health)
+
+# Implements a dumpsys interface.
+allow storaged dumpstate:fd use;
+
+# use a subset of the package manager service
+allow storaged package_native_service:service_manager find;
+
+# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
+# running as root. See b/35323867 #3.
+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
+
+# For collecting bugreports.
+allow storaged dumpstate:fifo_file write;
+
+###
+### neverallow
+###
+neverallow storaged domain:process ptrace;
+neverallow storaged self:capability_class_set *;
diff --git a/prebuilts/api/33.0/private/su.te b/prebuilts/api/33.0/private/su.te
new file mode 100644
index 0000000..587f449
--- /dev/null
+++ b/prebuilts/api/33.0/private/su.te
@@ -0,0 +1,30 @@
+userdebug_or_eng(`
+ typeattribute su coredomain;
+
+ domain_auto_trans(shell, su_exec, su)
+ # Allow dumpstate to call su on userdebug / eng builds to collect
+ # additional information.
+ domain_auto_trans(dumpstate, su_exec, su)
+
+ # Make sure that dumpstate runs the same from the "su" domain as
+ # from the "init" domain.
+ domain_auto_trans(su, dumpstate_exec, dumpstate)
+
+ # Put the incident command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, incident_exec, incident)
+
+ # Put the odrefresh command into its domain.
+ domain_auto_trans(su, odrefresh_exec, odrefresh)
+
+ # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, perfetto_exec, perfetto)
+
+ # su is also permissive to permit setenforce.
+ permissive su;
+
+ app_domain(su)
+
+ # Do not audit accesses to keystore2 namespace for the su domain.
+ dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+
+')
diff --git a/prebuilts/api/33.0/private/surfaceflinger.te b/prebuilts/api/33.0/private/surfaceflinger.te
new file mode 100644
index 0000000..123fc69
--- /dev/null
+++ b/prebuilts/api/33.0/private/surfaceflinger.te
@@ -0,0 +1,155 @@
+# surfaceflinger - display compositor service
+
+typeattribute surfaceflinger coredomain;
+
+type surfaceflinger_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(surfaceflinger)
+tmpfs_domain(surfaceflinger)
+
+typeattribute surfaceflinger mlstrustedsubject;
+typeattribute surfaceflinger display_service_server;
+
+read_runtime_log_tags(surfaceflinger)
+
+# Perform HwBinder IPC.
+hal_client_domain(surfaceflinger, hal_graphics_allocator)
+hal_client_domain(surfaceflinger, hal_graphics_composer)
+typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
+hal_client_domain(surfaceflinger, hal_omx)
+hal_client_domain(surfaceflinger, hal_configstore)
+hal_client_domain(surfaceflinger, hal_power)
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
+
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, system_server);
+binder_service(surfaceflinger)
+
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+allow surfaceflinger gpu_device:dir r_dir_perms;
+allow surfaceflinger sysfs_gpu:file r_file_perms;
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
+
+# Access /dev/video1.
+allow surfaceflinger video_device:dir r_dir_perms;
+allow surfaceflinger video_device:chr_file rw_file_perms;
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Set properties.
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, bootanim_system_prop)
+set_prop(surfaceflinger, exported_system_prop)
+set_prop(surfaceflinger, exported3_system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
+set_prop(surfaceflinger, surfaceflinger_display_prop)
+
+# Get properties.
+get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
+get_prop(surfaceflinger, device_config_surface_flinger_native_boot_prop)
+
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
+
+# Allow writing surface traces to /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
+ allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
+')
+
+# Allow userspace tracing via perfetto.
+perfetto_producer(surfaceflinger)
+
+# Allow to be profiled by performance tools.
+can_profile_heap(surfaceflinger)
+can_profile_perf(surfaceflinger)
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+
+# Allow a dumpstate triggered screenshot
+binder_call(surfaceflinger, dumpstate)
+binder_call(surfaceflinger, shell)
+r_dir_file(surfaceflinger, dumpstate)
+
+# media.player service
+
+# do not use add_service() as hal_graphics_composer_default may be the
+# provider as well
+#add_service(surfaceflinger, surfaceflinger_service)
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
+allow surfaceflinger vr_manager_service:service_manager find;
+allow surfaceflinger window_service:service_manager find;
+allow surfaceflinger inputflinger_service:service_manager find;
+
+
+# allow self to set SCHED_FIFO
+allow surfaceflinger self:global_capability_class_set sys_nice;
+allow surfaceflinger proc_meminfo:file r_file_perms;
+r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, cgroup_v2)
+r_dir_file(surfaceflinger, system_file)
+allow surfaceflinger tmpfs:dir r_dir_perms;
+allow surfaceflinger system_server:fd use;
+allow surfaceflinger system_server:unix_stream_socket { read write };
+allow surfaceflinger ion_device:chr_file r_file_perms;
+allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
+
+# pdx IPC
+pdx_server(surfaceflinger, display_client)
+pdx_server(surfaceflinger, display_manager)
+pdx_server(surfaceflinger, display_screenshot)
+pdx_server(surfaceflinger, display_vsync)
+
+pdx_client(surfaceflinger, bufferhub_client)
+pdx_client(surfaceflinger, performance_client)
+
+# Allow supplying timestats statistics to statsd
+allow surfaceflinger stats_service:service_manager find;
+allow surfaceflinger statsmanager_service:service_manager find;
+# TODO(146461633): remove this once native pullers talk to StatsManagerService
+binder_call(surfaceflinger, statsd);
+
+# Allow to use files supplied by hal_evs
+allow surfaceflinger hal_evs:fd use;
+
+# Allow pushing jank event atoms to statsd
+userdebug_or_eng(`
+ unix_socket_send(surfaceflinger, statsdw, statsd)
+')
+
+# Surfaceflinger should not be reading default vendor-defined properties.
+dontaudit surfaceflinger vendor_default_prop:file read;
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+neverallow surfaceflinger { sdcard_type fuse }:file rw_file_perms;
+
+# b/68864350
+dontaudit surfaceflinger unlabeled:dir search;
diff --git a/prebuilts/api/33.0/private/system_app.te b/prebuilts/api/33.0/private/system_app.te
new file mode 100644
index 0000000..01956f4
--- /dev/null
+++ b/prebuilts/api/33.0/private/system_app.te
@@ -0,0 +1,195 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+typeattribute system_app coredomain, mlstrustedsubject;
+
+app_domain(system_app)
+net_domain(system_app)
+binder_service(system_app)
+
+# android.ui and system.ui
+allow system_app rootfs:dir getattr;
+
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+# Read and write to /data/misc/user.
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
+
+# Access to apex files stored on /data (b/136063500)
+# Needed so that Settings can access NOTICE files inside apex
+# files located in the assets/ directory.
+allow system_app apex_data_file:dir search;
+allow system_app staging_data_file:file r_file_perms;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Read icon file.
+allow system_app icon_file:file r_file_perms;
+
+# Write to properties
+set_prop(system_app, arm64_memtag_prop)
+set_prop(system_app, bluetooth_a2dp_offload_prop)
+set_prop(system_app, bluetooth_audio_hal_prop)
+set_prop(system_app, bluetooth_prop)
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, exported_bluetooth_prop)
+set_prop(system_app, exported_system_prop)
+set_prop(system_app, exported3_system_prop)
+set_prop(system_app, gesture_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, usb_control_prop)
+set_prop(system_app, usb_prop)
+set_prop(system_app, log_tag_prop)
+userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app usb_control_prop:property_service set;
+auditallow system_app usb_prop:property_service set;
+# Allow Settings to enable Dynamic System Update
+set_prop(system_app, dynamic_system_prop)
+
+# ctl interface
+set_prop(system_app, ctl_default_prop)
+set_prop(system_app, ctl_bugreport_prop)
+
+# Allow developer settings to query gsid status
+get_prop(system_app, gsid_prop)
+
+# Create /data/anr/traces.txt.
+allow system_app anr_data_file:dir ra_dir_perms;
+allow system_app anr_data_file:file create_file_perms;
+
+# Settings need to access app name and icon from asec
+allow system_app asec_apk_file:file r_file_perms;
+
+# Allow system apps (like Settings) to interact with statsd
+binder_call(system_app, statsd)
+
+# Allow system apps to interact with incidentd
+binder_call(system_app, incidentd)
+
+# Allow system app to interact with Dumpstate HAL
+hal_client_domain(system_app, hal_dumpstate)
+
+allow system_app servicemanager:service_manager list;
+# TODO: scope this down? Too broad?
+allow system_app {
+ service_manager_type
+ -apex_service
+ -dnsresolver_service
+ -dumpstate_service
+ -installd_service
+ -iorapd_service
+ -lpdump_service
+ -mdns_service
+ -netd_service
+ -system_suspend_control_internal_service
+ -system_suspend_control_service
+ -tracingproxy_service
+ -virtual_touchpad_service
+ -vold_service
+ -default_android_service
+}:service_manager find;
+# suppress denials for services system_app should not be accessing.
+dontaudit system_app {
+ dnsresolver_service
+ dumpstate_service
+ installd_service
+ iorapd_service
+ mdns_service
+ netd_service
+ virtual_touchpad_service
+ vold_service
+}:service_manager find;
+
+# suppress denials caused by debugfs_tracing
+dontaudit system_app debugfs_tracing:file rw_file_perms;
+
+allow system_app keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ user_changed
+};
+
+allow system_app keystore:keystore2_key {
+ delete
+ get_info
+ grant
+ rebind
+ update
+ use
+};
+
+# Allow Settings to manage WI-FI keys.
+allow system_app wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
+# settings app reads /proc/version
+allow system_app {
+ proc_version
+}:file r_file_perms;
+
+# Settings app writes to /dev/stune/foreground/tasks.
+allow system_app cgroup:file w_file_perms;
+allow system_app cgroup_v2:file w_file_perms;
+allow system_app cgroup_v2:dir w_dir_perms;
+
+control_logd(system_app)
+read_runtime_log_tags(system_app)
+get_prop(system_app, device_logging_prop)
+
+# allow system apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow system_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# Settings app reads ro.oem_unlock_supported
+get_prop(system_app, oem_unlock_prop)
+
+# Allow system apps to act as Perfetto producers.
+perfetto_producer(system_app)
+
+# TODO(b/217368496): remove this.
+can_profile_heap(system_app)
+can_profile_perf(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
+
+# Apps which run as UID=system should not rely on any attacker controlled
+# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
+# allow writes to files passed by file descriptor to support dumpstate and
+# bug reports, but not reads.
+neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
+neverallow system_app shell_data_file:file { open read ioctl lock };
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
new file mode 100644
index 0000000..6d9d960
--- /dev/null
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -0,0 +1,1483 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+
+typeattribute system_server coredomain;
+typeattribute system_server mlstrustedsubject;
+typeattribute system_server scheduler_service_server;
+typeattribute system_server sensor_service_server;
+typeattribute system_server stats_service_server;
+typeattribute system_server bpfdomain;
+
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+
+userfaultfd_use(system_server)
+
+# TODO(b/217368496): remove this.
+perfetto_producer(system_server)
+can_profile_heap(system_server)
+can_profile_perf(system_server)
+
+# Create a socket for connections from crash_dump.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+
+# Create a socket for connections from zygotes.
+type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
+
+allow system_server zygote_tmpfs:file { map read };
+allow system_server appdomain_tmpfs:file { getattr map read write };
+
+# For Incremental Service to check if incfs is available
+allow system_server proc_filesystems:file r_file_perms;
+
+# To create files, get permission to fill blocks, and configure Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl {
+ INCFS_IOCTL_CREATE_FILE
+ INCFS_IOCTL_CREATE_MAPPED_FILE
+ INCFS_IOCTL_PERMIT_FILL
+ INCFS_IOCTL_GET_READ_TIMEOUTS
+ INCFS_IOCTL_SET_READ_TIMEOUTS
+ INCFS_IOCTL_GET_LAST_READ_ERROR
+};
+
+# To get signature of an APK installed on Incremental File System, and fill in data
+# blocks and get the filesystem state
+allowxperm system_server apk_data_file:file ioctl {
+ INCFS_IOCTL_READ_SIGNATURE
+ INCFS_IOCTL_FILL_BLOCKS
+ INCFS_IOCTL_GET_FILLED_BLOCKS
+ INCFS_IOCTL_GET_BLOCK_COUNT
+ F2FS_IOC_GET_FEATURES
+ F2FS_IOC_GET_COMPRESS_BLOCKS
+ F2FS_IOC_COMPRESS_FILE
+ F2FS_IOC_DECOMPRESS_FILE
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ F2FS_IOC_RESERVE_COMPRESS_BLOCKS
+ FS_IOC_SETFLAGS
+ FS_IOC_GETFLAGS
+};
+
+allowxperm system_server apk_tmp_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_GETFLAGS
+};
+
+# For Incremental Service to check incfs metrics
+allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
+
+# For f2fs-compression support
+allow system_server sysfs_fs_f2fs:dir r_dir_perms;
+allow system_server sysfs_fs_f2fs:file r_file_perms;
+
+# For art.
+allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
+allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
+
+# Ignore the denial on `system@framework@com.android.location.provider.jar@classes.odex`.
+# `com.android.location.provider.jar` happens to be both a jar on system server classpath and a
+# shared library used by a system server app. The odex file is loaded fine by Zygote when it forks
+# system_server. It fails to be loaded when the jar is used as a shared library, which is expected.
+dontaudit system_server apex_art_data_file:file execute;
+
+# For release odex/vdex compress blocks
+allowxperm system_server dalvikcache_data_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_GETFLAGS
+};
+
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
+
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
+
+# ptrace to processes in the same domain for debugging crashes.
+allow system_server self:process ptrace;
+
+# Child of the zygote.
+allow system_server zygote:fd use;
+allow system_server zygote:process sigchld;
+
+# May kill zygote on crashes.
+allow system_server {
+ app_zygote
+ crash_dump
+ webview_zygote
+ zygote
+}:process { getpgid sigkill signull };
+
+# Read /system/bin/app_process.
+allow system_server zygote_exec:file r_file_perms;
+
+# Needed to close the zygote socket, which involves getopt / getattr
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# system server gets network and bluetooth permissions.
+net_domain(system_server)
+# in addition to ioctls allowlisted for all domains, also allow system_server
+# to use privileged ioctls commands. Needed to set up VPNs.
+allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
+bluetooth_domain(system_server)
+
+# Allow setup of tcp keepalive offload. This gives system_server the permission to
+# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
+# be granted individually, except for a small set of safe values allowlisted in
+# public/domain.te.
+allow system_server appdomain:tcp_socket ioctl;
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system_server self:global_capability_class_set {
+ ipc_lock
+ kill
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ sys_boot
+ sys_nice
+ sys_ptrace
+ sys_time
+ sys_tty_config
+};
+
+# Trigger module auto-load.
+allow system_server kernel:system module_request;
+
+# Allow alarmtimers to be set
+allow system_server self:global_capability2_class_set wake_alarm;
+
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+
+# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
+allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Use netlink uevent sockets.
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Use generic netlink sockets.
+allow system_server self:netlink_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
+# Use generic "sockets" where the address family is not known
+# to the kernel. The ioctl permission is specifically omitted here, but may
+# be added to device specific policy along with the ioctl commands to be
+# allowlisted.
+allow system_server self:socket create_socket_perms_no_ioctl;
+
+# Set and get routes directly via netlink.
+allow system_server self:netlink_route_socket nlmsg_write;
+
+# Kill apps.
+allow system_server appdomain:process { getpgid sigkill signal };
+# signull allowed for kill(pid, 0) existence test.
+allow system_server appdomain:process { signull };
+
+# Set scheduling info for apps.
+allow system_server appdomain:process { getsched setsched };
+allow system_server audioserver:process { getsched setsched };
+allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
+allow system_server hal_omx_server:process { getsched setsched };
+allow system_server mediaswcodec:process { getsched setsched };
+allow system_server cameraserver:process { getsched setsched };
+allow system_server hal_camera:process { getsched setsched };
+allow system_server mediaserver:process { getsched setsched };
+allow system_server bootanim:process { getsched setsched };
+
+# Set scheduling info for psi monitor thread.
+# TODO: delete this line b/131761776
+allow system_server kernel:process { getsched setsched };
+
+# Allow system_server to write to /proc/<pid>/*
+allow system_server domain:file w_file_perms;
+
+# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
+# within system_server to keep track of memory and CPU usage for
+# all processes on the device. In addition, /proc/pid files access is needed
+# for dumping stack traces of native processes.
+r_dir_file(system_server, domain)
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
+# Write /proc/uid_procstat/set.
+allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+
+# Write to /proc/sysrq-trigger.
+allow system_server proc_sysrq:file rw_file_perms;
+
+# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
+allow system_server stats_data_file:dir { open read remove_name search write };
+allow system_server stats_data_file:file unlink;
+
+# Read metric file & upload to statsd
+allow system_server odsign_data_file:dir search;
+allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
+allow system_server odsign_metrics_file:file { r_file_perms unlink };
+
+# Read /sys/kernel/debug/wakeup_sources.
+no_debugfs_restriction(`
+ allow system_server debugfs_wakeup_sources:file r_file_perms;
+')
+
+# Read /sys/kernel/ion/*.
+allow system_server sysfs_ion:file r_file_perms;
+
+# Read /sys/kernel/dma_heap/*.
+allow system_server sysfs_dma_heap:file r_file_perms;
+
+# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
+allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
+allow system_server sysfs_dmabuf_stats:file r_file_perms;
+
+# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
+# for dumpsys meminfo
+allow system_server dmabuf_heap_device:dir r_dir_perms;
+
+# Allow reading /proc/vmstat for the oom kill count
+allow system_server proc_vmstat:file r_file_perms;
+
+# The DhcpClient and WifiWatchdog use packet_sockets
+allow system_server self:packet_socket create_socket_perms_no_ioctl;
+
+# 3rd party VPN clients require a tun_socket to be created
+allow system_server self:tun_socket create_socket_perms_no_ioctl;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system_server, lmkd, lmkd)
+unix_socket_connect(system_server, mtpd, mtp)
+unix_socket_connect(system_server, zygote, zygote)
+unix_socket_connect(system_server, racoon, racoon)
+unix_socket_connect(system_server, uncrypt, uncrypt)
+
+# Allow system_server to write to statsd.
+unix_socket_send(system_server, statsdw, statsd)
+
+# Communicate over a socket created by surfaceflinger.
+allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+
+allow system_server gpuservice:unix_stream_socket { read write setopt };
+
+# Communicate over a socket created by webview_zygote.
+allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
+
+# Communicate over a socket created by app_zygote.
+allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
+
+# Perform Binder IPC.
+binder_use(system_server)
+binder_call(system_server, appdomain)
+binder_call(system_server, binderservicedomain)
+binder_call(system_server, composd)
+binder_call(system_server, dumpstate)
+binder_call(system_server, fingerprintd)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, gpuservice)
+binder_call(system_server, idmap)
+binder_call(system_server, installd)
+binder_call(system_server, incidentd)
+binder_call(system_server, iorapd)
+binder_call(system_server, netd)
+userdebug_or_eng(`binder_call(system_server, profcollectd)')
+binder_call(system_server, statsd)
+binder_call(system_server, storaged)
+binder_call(system_server, update_engine)
+binder_call(system_server, vold)
+binder_call(system_server, logd)
+binder_call(system_server, wificond)
+binder_call(system_server, wpantund)
+binder_service(system_server)
+
+# Use HALs
+hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_audio)
+hal_client_domain(system_server, hal_authsecret)
+hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
+hal_client_domain(system_server, hal_configstore)
+hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_face)
+hal_client_domain(system_server, hal_fingerprint)
+hal_client_domain(system_server, hal_gnss)
+hal_client_domain(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_health)
+hal_client_domain(system_server, hal_input_classifier)
+hal_client_domain(system_server, hal_input_processor)
+hal_client_domain(system_server, hal_ir)
+hal_client_domain(system_server, hal_light)
+hal_client_domain(system_server, hal_memtrack)
+hal_client_domain(system_server, hal_neuralnetworks)
+hal_client_domain(system_server, hal_oemlock)
+hal_client_domain(system_server, hal_omx)
+hal_client_domain(system_server, hal_power)
+hal_client_domain(system_server, hal_power_stats)
+hal_client_domain(system_server, hal_rebootescrow)
+hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_tetheroffload)
+hal_client_domain(system_server, hal_thermal)
+hal_client_domain(system_server, hal_tv_cec)
+hal_client_domain(system_server, hal_tv_input)
+hal_client_domain(system_server, hal_usb)
+hal_client_domain(system_server, hal_usb_gadget)
+hal_client_domain(system_server, hal_uwb)
+hal_client_domain(system_server, hal_vibrator)
+hal_client_domain(system_server, hal_vr)
+hal_client_domain(system_server, hal_weaver)
+hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_hostapd)
+hal_client_domain(system_server, hal_wifi_supplicant)
+# The bootctl is a pass through HAL mode under recovery mode. So we skip the
+# permission for recovery in order not to give system server the access to
+# the low level block devices.
+not_recovery(`hal_client_domain(system_server, hal_bootctl)')
+
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+allow system_server same_process_hal_file:file { execute read open getattr map };
+
+# Talk to tombstoned to get ANR traces.
+unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+
+# List HAL interfaces to get ANR traces.
+allow system_server hwservicemanager:hwservice_manager list;
+allow system_server servicemanager:service_manager list;
+
+# Send signals to trigger ANR traces.
+allow system_server {
+ # This is derived from the list that system server defines as interesting native processes
+ # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ audioserver
+ cameraserver
+ drmserver
+ gpuservice
+ inputflinger
+ keystore
+ mediadrmserver
+ mediaextractor
+ mediametrics
+ mediaserver
+ mediaswcodec
+ mediatranscoding
+ mediatuner
+ netd
+ sdcardd
+ statsd
+ surfaceflinger
+ vold
+
+ # This list comes from HAL_INTERFACES_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_codec2_server
+ hal_face_server
+ hal_fingerprint_server
+ hal_gnss_server
+ hal_graphics_allocator_server
+ hal_graphics_composer_server
+ hal_health_server
+ hal_light_server
+ hal_neuralnetworks_server
+ hal_omx_server
+ hal_power_server
+ hal_power_stats_server
+ hal_sensors_server
+ hal_vibrator_server
+ hal_vr_server
+ system_suspend_server
+}:process { signal };
+
+# Use sockets received over binder from various services.
+allow system_server audioserver:tcp_socket rw_socket_perms;
+allow system_server audioserver:udp_socket rw_socket_perms;
+allow system_server mediaserver:tcp_socket rw_socket_perms;
+allow system_server mediaserver:udp_socket rw_socket_perms;
+
+# Use sockets received over binder from various services.
+allow system_server mediadrmserver:tcp_socket rw_socket_perms;
+allow system_server mediadrmserver:udp_socket rw_socket_perms;
+
+userdebug_or_eng(`perfetto_producer({ system_server })')
+
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
+# Check SELinux permissions.
+selinux_check_access(system_server)
+
+allow system_server sysfs_type:dir r_dir_perms;
+
+r_dir_file(system_server, sysfs_android_usb)
+allow system_server sysfs_android_usb:file w_file_perms;
+
+r_dir_file(system_server, sysfs_extcon)
+
+r_dir_file(system_server, sysfs_ipv4)
+allow system_server sysfs_ipv4:file w_file_perms;
+
+r_dir_file(system_server, sysfs_rtc)
+r_dir_file(system_server, sysfs_switch)
+
+allow system_server sysfs_nfc_power_writable:file rw_file_perms;
+allow system_server sysfs_power:dir search;
+allow system_server sysfs_power:file rw_file_perms;
+allow system_server sysfs_thermal:dir search;
+allow system_server sysfs_thermal:file r_file_perms;
+allow system_server sysfs_uhid:dir r_dir_perms;
+allow system_server sysfs_uhid:file rw_file_perms;
+
+# TODO: Remove when HALs are forced into separate processes
+allow system_server sysfs_vibrator:file { write append };
+
+# TODO: added to match above sysfs rule. Remove me?
+allow system_server sysfs_usb:file w_file_perms;
+
+# Access devices.
+allow system_server device:dir r_dir_perms;
+allow system_server mdns_socket:sock_file rw_file_perms;
+allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server gpu_device:dir r_dir_perms;
+allow system_server sysfs_gpu:file r_file_perms;
+allow system_server input_device:dir r_dir_perms;
+allow system_server input_device:chr_file rw_file_perms;
+allow system_server tty_device:chr_file rw_file_perms;
+allow system_server usbaccessory_device:chr_file rw_file_perms;
+allow system_server video_device:dir r_dir_perms;
+allow system_server video_device:chr_file rw_file_perms;
+allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
+allow system_server audio_device:dir r_dir_perms;
+allow system_server uhid_device:chr_file rw_file_perms;
+
+# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
+
+# tun device used for 3rd party vpn apps
+allow system_server tun_device:chr_file rw_file_perms;
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+
+# Manage data/ota_package
+allow system_server ota_package_file:dir rw_dir_perms;
+allow system_server ota_package_file:file create_file_perms;
+
+# Manage system data files.
+allow system_server system_data_file:dir create_dir_perms;
+allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server packages_list_file:file create_file_perms;
+allow system_server game_mode_intervention_list_file:file create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
+allow system_server keychain_data_file:lnk_file create_file_perms;
+
+# Manage /data/app.
+allow system_server apk_data_file:dir create_dir_perms;
+allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
+allow system_server apk_tmp_file:dir create_dir_perms;
+allow system_server apk_tmp_file:file create_file_perms;
+
+# Access input configuration files in the /vendor directory
+r_dir_file(system_server, vendor_keylayout_file)
+r_dir_file(system_server, vendor_keychars_file)
+r_dir_file(system_server, vendor_idc_file)
+
+# Access /vendor/{app,framework,overlay}
+r_dir_file(system_server, vendor_app_file)
+r_dir_file(system_server, vendor_framework_file)
+r_dir_file(system_server, vendor_overlay_file)
+
+# Manage /data/app-private.
+allow system_server apk_private_data_file:dir create_dir_perms;
+allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:dir create_dir_perms;
+allow system_server apk_private_tmp_file:file create_file_perms;
+
+# Manage files within asec containers.
+allow system_server asec_apk_file:dir create_dir_perms;
+allow system_server asec_apk_file:file create_file_perms;
+allow system_server asec_public_file:file create_file_perms;
+
+# Manage /data/anr.
+#
+# TODO: Some of these permissions can be withdrawn once we've switched to the
+# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
+# the system_server should never need to create a new anr_data_file:file or write
+# to one, but it will still need to read and append to existing files.
+allow system_server anr_data_file:dir create_dir_perms;
+allow system_server anr_data_file:file create_file_perms;
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow system_server to connect and write to the tombstoned java trace socket in
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture and incidentd during incident collection.
+unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
+allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
+allow system_server incidentd:fifo_file append;
+# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
+userdebug_or_eng(`
+ allow system_server su:fifo_file append;
+')
+
+# Allow system_server to read pipes from incidentd (used to deliver incident reports
+# to dropbox)
+allow system_server incidentd:fifo_file read;
+
+# Read /data/misc/incidents - only read. The fd will be sent over binder,
+# with no DAC access to it, for dropbox to read.
+allow system_server incident_data_file:file read;
+
+# Manage /data/misc/prereboot.
+allow system_server prereboot_data_file:dir rw_dir_perms;
+allow system_server prereboot_data_file:file create_file_perms;
+
+# Allow tracing proxy service to read traces. Only the fd is sent over
+# binder.
+allow system_server perfetto_traces_data_file:file { read getattr };
+allow system_server perfetto:fd use;
+
+# Manage /data/backup.
+allow system_server backup_data_file:dir create_dir_perms;
+allow system_server backup_data_file:file create_file_perms;
+
+# Write to /data/system/dropbox
+allow system_server dropbox_data_file:dir create_dir_perms;
+allow system_server dropbox_data_file:file create_file_perms;
+
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
+# Manage /data/misc/adb.
+allow system_server adb_keys_file:dir create_dir_perms;
+allow system_server adb_keys_file:file create_file_perms;
+
+# Manage /data/misc/appcompat.
+allow system_server appcompat_data_file:dir rw_dir_perms;
+allow system_server appcompat_data_file:file create_file_perms;
+
+# Manage /data/misc/emergencynumberdb
+allow system_server emergency_data_file:dir create_dir_perms;
+allow system_server emergency_data_file:file create_file_perms;
+
+# Manage /data/misc/network_watchlist
+allow system_server network_watchlist_data_file:dir create_dir_perms;
+allow system_server network_watchlist_data_file:file create_file_perms;
+
+# Manage /data/misc/sms.
+# TODO: Split into a separate type?
+allow system_server radio_data_file:dir create_dir_perms;
+allow system_server radio_data_file:file create_file_perms;
+
+# Manage /data/misc/systemkeys.
+allow system_server systemkeys_data_file:dir create_dir_perms;
+allow system_server systemkeys_data_file:file create_file_perms;
+
+# Manage /data/misc/textclassifier.
+allow system_server textclassifier_data_file:dir create_dir_perms;
+allow system_server textclassifier_data_file:file create_file_perms;
+
+# Access /data/tombstones.
+allow system_server tombstone_data_file:dir r_dir_perms;
+allow system_server tombstone_data_file:file r_file_perms;
+
+# Allow write access to be able to truncate tombstones.
+allow system_server tombstone_data_file:file write;
+
+# Manage /data/misc/vpn.
+allow system_server vpn_data_file:dir create_dir_perms;
+allow system_server vpn_data_file:file create_file_perms;
+
+# Manage /data/misc/wifi.
+allow system_server wifi_data_file:dir create_dir_perms;
+allow system_server wifi_data_file:file create_file_perms;
+
+# Manage /data/misc/zoneinfo.
+allow system_server zoneinfo_data_file:dir create_dir_perms;
+allow system_server zoneinfo_data_file:file create_file_perms;
+
+# Manage /data/app-staging.
+allow system_server staging_data_file:dir create_dir_perms;
+allow system_server staging_data_file:file create_file_perms;
+
+# Manage /data/rollback.
+allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
+
+# Walk /data/data subdirectories.
+allow system_server app_data_file_type:dir { getattr read search };
+
+# Also permit for unlabeled /data/data subdirectories and
+# for unlabeled asec containers on upgrades from 4.2.
+allow system_server unlabeled:dir r_dir_perms;
+# Read pkg.apk file before it has been relabeled by vold.
+allow system_server unlabeled:file r_file_perms;
+
+# Populate com.android.providers.settings/databases/settings.db.
+allow system_server system_app_data_file:dir create_dir_perms;
+allow system_server system_app_data_file:file create_file_perms;
+
+# Receive and use open app data files passed over binder IPC.
+allow system_server app_data_file_type:file { getattr read write append map };
+
+# Access to /data/media for measuring disk usage.
+allow system_server media_rw_data_file:dir { search getattr open read };
+
+# Receive and use open /data/media files passed over binder IPC.
+# Also used for measuring disk usage.
+allow system_server media_rw_data_file:file { getattr read write append };
+
+# System server needs to setfscreate to packages_list_file when writing
+# /data/system/packages.list
+allow system_server system_server:process setfscreate;
+
+# Relabel apk files.
+allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+# Allow PackageManager to:
+# 1. rename file from /data/app-staging folder to /data/app
+# 2. relabel files (linked to /data/rollback) under /data/app-staging
+# during staged apk/apex install.
+allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
+
+# Relabel wallpaper.
+allow system_server system_data_file:file relabelfrom;
+allow system_server wallpaper_file:file relabelto;
+allow system_server wallpaper_file:file { rw_file_perms rename unlink };
+
+# Backup of wallpaper imagery uses temporary hard links to avoid data churn
+allow system_server { system_data_file wallpaper_file }:file link;
+
+# ShortcutManager icons
+allow system_server system_data_file:dir relabelfrom;
+allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
+allow system_server shortcut_manager_icons:file create_file_perms;
+
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
+# Relabel icon file.
+allow system_server icon_file:file relabelto;
+allow system_server icon_file:file { rw_file_perms unlink };
+
+# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
+allow system_server system_data_file:dir relabelfrom;
+
+# server_configurable_flags_data_file is used for storing server configurable flags which
+# have been reset during current booting. system_server needs to read the data to perform related
+# disaster recovery actions.
+allow system_server server_configurable_flags_data_file:dir r_dir_perms;
+allow system_server server_configurable_flags_data_file:file r_file_perms;
+
+# Property Service write
+set_prop(system_server, system_prop)
+set_prop(system_server, bootanim_system_prop)
+set_prop(system_server, exported_system_prop)
+set_prop(system_server, exported3_system_prop)
+set_prop(system_server, safemode_prop)
+set_prop(system_server, theme_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_connectivity_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, net_dns_prop)
+set_prop(system_server, usb_control_prop)
+set_prop(system_server, usb_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
+set_prop(system_server, device_logging_prop)
+set_prop(system_server, dumpstate_options_prop)
+set_prop(system_server, overlay_prop)
+set_prop(system_server, exported_overlay_prop)
+set_prop(system_server, pm_prop)
+set_prop(system_server, exported_pm_prop)
+set_prop(system_server, socket_hook_prop)
+set_prop(system_server, audio_prop)
+set_prop(system_server, boot_status_prop)
+set_prop(system_server, surfaceflinger_color_prop)
+set_prop(system_server, provisioned_prop)
+set_prop(system_server, retaildemo_prop)
+set_prop(system_server, dmesgd_start_prop)
+userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
+userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
+
+# ctl interface
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_bugreport_prop)
+set_prop(system_server, ctl_gsid_prop)
+
+# cppreopt property
+set_prop(system_server, cppreopt_prop)
+
+# server configurable flags properties
+set_prop(system_server, device_config_input_native_boot_prop)
+set_prop(system_server, device_config_netd_native_prop)
+set_prop(system_server, device_config_nnapi_native_prop)
+set_prop(system_server, device_config_activity_manager_native_boot_prop)
+set_prop(system_server, device_config_runtime_native_boot_prop)
+set_prop(system_server, device_config_runtime_native_prop)
+set_prop(system_server, device_config_lmkd_native_prop)
+set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_mglru_native_prop)
+set_prop(system_server, device_config_profcollect_native_boot_prop)
+set_prop(system_server, device_config_statsd_native_prop)
+set_prop(system_server, device_config_statsd_native_boot_prop)
+set_prop(system_server, device_config_storage_native_boot_prop)
+set_prop(system_server, device_config_swcodec_native_prop)
+set_prop(system_server, device_config_sys_traced_prop)
+set_prop(system_server, device_config_window_manager_native_boot_prop)
+set_prop(system_server, device_config_configuration_prop)
+set_prop(system_server, device_config_connectivity_prop)
+set_prop(system_server, device_config_surface_flinger_native_boot_prop)
+set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_virtualization_framework_native_prop)
+set_prop(system_server, smart_idle_maint_enabled_prop)
+
+# Allow query ART device config properties
+get_prop(system_server, device_config_runtime_native_boot_prop)
+get_prop(system_server, device_config_runtime_native_prop)
+
+# BootReceiver to read ro.boot.bootreason
+get_prop(system_server, bootloader_boot_reason_prop)
+# PowerManager to read sys.boot.reason
+get_prop(system_server, system_boot_reason_prop)
+
+# Collect metrics on boot time created by init
+get_prop(system_server, boottime_prop)
+
+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
+# Read/write the property which keeps track of whether this is the first start of system_server
+set_prop(system_server, firstboot_prop)
+
+# Audio service in system server can read audio config properties,
+# such as camera shutter enforcement
+get_prop(system_server, audio_config_prop)
+
+# system server reads this property to keep track of whether server configurable flags have been
+# reset during current boot.
+get_prop(system_server, device_config_reset_performed_prop)
+
+# Read/write the property that enables Test Harness Mode
+set_prop(system_server, test_harness_prop)
+
+# Read gsid.image_running.
+get_prop(system_server, gsid_prop)
+
+# Read the property that mocks an OTA
+get_prop(system_server, mock_ota_prop)
+
+# Read the property as feature flag for protecting apks with fs-verity.
+get_prop(system_server, apk_verity_prop)
+
+# Read wifi.interface
+get_prop(system_server, wifi_prop)
+
+# Read the vendor property that indicates if Incremental features is enabled
+get_prop(system_server, incremental_prop)
+
+# Read ro.zram. properties
+get_prop(system_server, zram_config_prop)
+
+# Read/write persist.sys.zram_enabled
+set_prop(system_server, zram_control_prop)
+
+# Read/write persist.sys.dalvik.vm.lib.2
+set_prop(system_server, dalvik_runtime_prop)
+
+# Read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(system_server, packagemanager_config_prop)
+
+# Read the net.464xlat.cellular.enabled property (written by init).
+get_prop(system_server, net_464xlat_fromvendor_prop)
+
+# Read hypervisor capabilities ro.boot.hypervisor.*
+get_prop(system_server, hypervisor_prop)
+
+# Read persist.wm.debug. properties
+get_prop(system_server, persist_wm_debug_prop)
+
+# Create a socket for connections from debuggerd.
+allow system_server system_ndebug_socket:sock_file create_file_perms;
+
+# Create a socket for connections from zygotes.
+allow system_server system_unsolzygote_socket:sock_file create_file_perms;
+
+# Manage cache files.
+allow system_server cache_file:lnk_file r_file_perms;
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
+
+allow system_server system_file:dir r_dir_perms;
+allow system_server system_file:lnk_file r_file_perms;
+
+# ART locks profile files.
+allow system_server system_file:file lock;
+
+# LocationManager(e.g, GPS) needs to read and write
+# to uart driver and ctrl proc entry
+allow system_server gps_control:file rw_file_perms;
+
+# Allow system_server to use app-created sockets and pipes.
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
+
+# BackupManagerService needs to manipulate backup data files
+allow system_server cache_backup_file:dir rw_dir_perms;
+allow system_server cache_backup_file:file create_file_perms;
+# LocalTransport works inside /cache/backup
+allow system_server cache_private_backup_file:dir create_dir_perms;
+allow system_server cache_private_backup_file:file create_file_perms;
+
+# Allow system to talk to usb device
+allow system_server usb_device:chr_file rw_file_perms;
+allow system_server usb_device:dir r_dir_perms;
+
+# Read and delete files under /dev/fscklogs.
+r_dir_file(system_server, fscklogs)
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
+
+# Read from log daemon.
+read_logd(system_server)
+read_runtime_log_tags(system_server)
+
+# Be consistent with DAC permissions. Allow system_server to write to
+# /sys/module/lowmemorykiller/parameters/adj
+# /sys/module/lowmemorykiller/parameters/minfree
+allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow system_server pstorefs:dir r_dir_perms;
+allow system_server pstorefs:file r_file_perms;
+
+# /sys access
+allow system_server sysfs_zram:dir search;
+allow system_server sysfs_zram:file rw_file_perms;
+
+add_service(system_server, system_server_service);
+allow system_server audioserver_service:service_manager find;
+allow system_server authorization_service:service_manager find;
+allow system_server batteryproperties_service:service_manager find;
+allow system_server cameraserver_service:service_manager find;
+allow system_server compos_service:service_manager find;
+allow system_server dataloader_manager_service:service_manager find;
+allow system_server dnsresolver_service:service_manager find;
+allow system_server drmserver_service:service_manager find;
+allow system_server dumpstate_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server gpu_service:service_manager find;
+allow system_server gsi_service:service_manager find;
+allow system_server idmap_service:service_manager find;
+allow system_server incident_service:service_manager find;
+allow system_server incremental_service:service_manager find;
+allow system_server installd_service:service_manager find;
+allow system_server iorapd_service:service_manager find;
+allow system_server keystore_maintenance_service:service_manager find;
+allow system_server keystore_metrics_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mdns_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server mediametrics_service:service_manager find;
+allow system_server mediaextractor_service:service_manager find;
+allow system_server mediadrmserver_service:service_manager find;
+allow system_server mediatuner_service:service_manager find;
+allow system_server netd_service:service_manager find;
+allow system_server nfc_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server stats_service:service_manager find;
+allow system_server storaged_service:service_manager find;
+allow system_server surfaceflinger_service:service_manager find;
+allow system_server update_engine_service:service_manager find;
+allow system_server vold_service:service_manager find;
+allow system_server wifinl80211_service:service_manager find;
+allow system_server logd_service:service_manager find;
+userdebug_or_eng(`
+ allow system_server profcollectd_service:service_manager find;
+')
+
+add_service(system_server, batteryproperties_service)
+
+allow system_server keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+};
+
+allow system_server keystore:keystore2 {
+ add_auth
+ change_password
+ change_user
+ clear_ns
+ clear_uid
+ get_state
+ lock
+ pull_metrics
+ reset
+ unlock
+};
+
+allow system_server keystore:keystore2_key {
+ delete
+ use_dev_id
+ grant
+ get_info
+ rebind
+ update
+ use
+};
+
+# Allow Wifi module to manage Wi-Fi keys.
+allow system_server wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
+# Allow lock_settings service to manage RoR keys.
+allow system_server resume_on_reboot_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
+# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
+allow system_server locksettings_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
+
+# Allow system server to search and write to the persistent factory reset
+# protection partition. This block device does not get wiped in a factory reset.
+allow system_server block_device:dir search;
+allow system_server frp_block_device:blk_file rw_file_perms;
+allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
+
+# Create new process groups and clean up old cgroups
+allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir create_dir_perms;
+allow system_server cgroup_v2:file { r_file_perms setattr };
+
+# /oem access
+r_dir_file(system_server, oemfs)
+
+# Allow resolving per-user storage symlinks
+allow system_server { mnt_user_file storage_file }:dir { getattr search };
+allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
+
+# Allow statfs() on storage devices, which happens fast enough that
+# we shouldn't be killed during unsafe removal
+allow system_server { sdcard_type fuse }:dir { getattr search };
+
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
+# Allow system process to relabel the fingerprint directory after mkdir
+# and delete the directory and files when no longer needed
+allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
+allow system_server fingerprintd_data_file:file { getattr unlink };
+
+userdebug_or_eng(`
+ # Allow system server to create and write method traces in /data/misc/trace.
+ allow system_server method_trace_data_file:dir w_dir_perms;
+ allow system_server method_trace_data_file:file { create w_file_perms };
+
+ # Allow system server to read dmesg
+ allow system_server kernel:system syslog_read;
+
+ # Allow writing and removing window traces in /data/misc/wmtrace.
+ allow system_server wm_trace_data_file:dir rw_dir_perms;
+ allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+
+ # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
+ allow system_server accessibility_trace_data_file:dir rw_dir_perms;
+ allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
+')
+
+# For AppFuse.
+allow system_server vold:fd use;
+allow system_server fuse_device:chr_file { read write ioctl getattr };
+allow system_server app_fuse_file:file { read write getattr };
+
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open create unlink write };
+
+# Connect to adbd and use a socket transferred from it.
+# Used for e.g. jdwp.
+allow system_server adbd:unix_stream_socket connectto;
+allow system_server adbd:fd use;
+allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# Read service.adb.tls.port, persist.adb.wifi. properties
+get_prop(system_server, adbd_prop)
+
+# Set persist.adb.tls_server.enable property
+set_prop(system_server, system_adbd_prop)
+
+# Allow invoking tools like "timeout"
+allow system_server toolbox_exec:file rx_file_perms;
+
+# Allow system process to setup and measure fs-verity
+allowxperm system_server apk_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+# Postinstall
+#
+# For OTA dexopt, allow calls coming from postinstall.
+binder_call(system_server, postinstall)
+
+allow system_server postinstall:fifo_file write;
+allow system_server update_engine:fd use;
+allow system_server update_engine:fifo_file write;
+
+# Access to /data/preloads
+allow system_server preloads_data_file:file { r_file_perms unlink };
+allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow system_server preloads_media_file:file { r_file_perms unlink };
+allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
+allow system_server ion_device:chr_file r_file_perms;
+
+# Access to /dev/dma_heap/system
+allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
+# Access to /dev/dma_heap/system-secure
+allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+r_dir_file(system_server, proc_asound)
+r_dir_file(system_server, proc_net_type)
+r_dir_file(system_server, proc_qtaguid_stat)
+allow system_server {
+ proc_cmdline
+ proc_loadavg
+ proc_locks
+ proc_meminfo
+ proc_pagetypeinfo
+ proc_pipe_conf
+ proc_stat
+ proc_uid_cputime_showstat
+ proc_uid_io_stats
+ proc_uid_time_in_state
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
+ proc_version
+ proc_vmallocinfo
+}:file r_file_perms;
+
+allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
+
+r_dir_file(system_server, rootfs)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow system_server debugfs_tracing_instances:dir search;
+allow system_server debugfs_wifi_tracing:dir search;
+allow system_server debugfs_wifi_tracing:file rw_file_perms;
+
+# Allow BootReceiver to watch trace error_report events.
+allow system_server debugfs_bootreceiver_tracing:dir search;
+allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
+
+# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
+allow system_server debugfs_tracing:file r_file_perms;
+
+# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
+# asanwrapper.
+with_asan(`
+ allow system_server shell_exec:file rx_file_perms;
+ allow system_server asanwrapper_exec:file rx_file_perms;
+ allow system_server zygote_exec:file rx_file_perms;
+')
+
+# allow system_server to read the eBPF maps that stores the traffic stats information and update
+# the map after snapshot is recorded, and to read, update and run the maps and programs used for
+# time in state accounting
+allow system_server fs_bpf:file { read write };
+allow system_server bpfloader:bpf { map_read map_write prog_run };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+allow system_server self:key_socket create;
+
+# Allow system_server to start clatd in its own domain and kill it.
+domain_auto_trans(system_server, clatd_exec, clatd)
+allow system_server clatd:process signal;
+
+# ART Profiles.
+# Allow system_server to open profile snapshots for read.
+# System server never reads the actual content. It passes the descriptor to
+# to privileged apps which acquire the permissions to inspect the profiles.
+allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
+allow system_server user_profile_data_file:file { getattr open read };
+
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
+# On userdebug build we may profile system server. Allow it to write and create its own profile.
+userdebug_or_eng(`
+ allow system_server user_profile_data_file:file create_file_perms;
+')
+# Allow system server to load JVMTI agents under control of a property.
+get_prop(system_server,system_jvmti_agent_prop)
+
+# UsbDeviceManager uses /dev/usb-ffs
+allow system_server functionfs:dir search;
+allow system_server functionfs:file rw_file_perms;
+
+# system_server contains time / time zone detection logic so reads the associated properties.
+get_prop(system_server, time_prop)
+
+# system_server reads this property to know it should expect the lmkd sends notification to it
+# on low memory kills.
+get_prop(system_server, system_lmk_prop)
+
+get_prop(system_server, wifi_config_prop)
+
+# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
+# Watchdog prints debugging log to /dev/kmsg_debug.
+userdebug_or_eng(`
+ allow system_server kmsg_debug_device:chr_file { open append getattr };
+')
+# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
+get_prop(system_server, framework_watchdog_config_prop)
+
+
+# Font files are written by system server
+allow system_server font_data_file:file create_file_perms;
+allow system_server font_data_file:dir create_dir_perms;
+# Allow system process to setup fs-verity for font files
+allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+
+# Read qemu.hw.mainkeys property
+get_prop(system_server, qemu_hw_prop)
+
+# Allow system server to read profcollectd reports for upload.
+userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
+
+###
+### Neverallow rules
+###
+### system_server should NEVER do any of this
+
+# Do not allow opening files from external storage as unsafe ejection
+# could cause the kernel to kill the system_server.
+neverallow system_server { sdcard_type fuse }:dir { open read write };
+neverallow system_server { sdcard_type fuse }:file rw_file_perms;
+
+# system server should never be operating on zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Exclude those types that system_server needs to open directly.
+neverallow system_server {
+ app_data_file_type
+ -system_app_data_file
+ -radio_data_file
+}:file { open create unlink link };
+
+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server {
+ file_type
+ -toolbox_exec
+ -logcat_exec
+ with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
+}:file execute_no_trans;
+
+# Ensure that system_server doesn't perform any domain transitions other than
+# transitioning to the crash_dump domain when a crash occurs or fork clatd.
+neverallow system_server { domain -clatd -crash_dump }:process transition;
+neverallow system_server *:process dyntransition;
+
+# Only allow crash_dump to connect to system_ndebug_socket.
+neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+
+# Only allow zygotes to connect to system_unsolzygote_socket.
+neverallow {
+ domain
+ -init
+ -system_server
+ -zygote
+ -app_zygote
+ -webview_zygote
+} system_unsolzygote_socket:sock_file { open write };
+
+# Only allow init, system_server, flags_health_check to set properties for server configurable flags
+neverallow {
+ domain
+ -init
+ -system_server
+ -flags_health_check
+} {
+ device_config_activity_manager_native_boot_prop
+ device_config_connectivity_prop
+ device_config_input_native_boot_prop
+ device_config_lmkd_native_prop
+ device_config_netd_native_prop
+ device_config_nnapi_native_prop
+ device_config_runtime_native_boot_prop
+ device_config_runtime_native_prop
+ device_config_media_native_prop
+ device_config_mglru_native_prop
+ device_config_storage_native_boot_prop
+ device_config_surface_flinger_native_boot_prop
+ device_config_sys_traced_prop
+ device_config_swcodec_native_prop
+ device_config_window_manager_native_boot_prop
+}:property_service set;
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;
+
+# system_server should never execute or load executable shared libraries
+# in /data. Executable files in /data are a persistence vector.
+# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
+neverallow system_server data_file_type:file no_x_file_perms;
+
+# The only block device system_server should be writing to is
+# the frp_block_device. This helps avoid a system_server to root
+# escalation by writing to raw block devices.
+# The system_server may need to read from vd_device if it uses
+# block apexes.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
+neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;
+
+# system_server should never use JIT functionality
+# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
+# in the section titled "A Short ROP Chain" for why.
+# However, in emulator builds without OpenGL passthrough, we use software
+# rendering via SwiftShader, which requires JIT support. These builds are
+# never shipped to users.
+ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
+ `allow system_server self:process execmem;',
+ `neverallow system_server self:process execmem;')
+neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow system_server system_server_tmpfs:file execute;
+
+# Resources handed off by system_server_startup
+allow system_server system_server_startup:fd use;
+allow system_server system_server_startup_tmpfs:file { read write map };
+allow system_server system_server_startup:unix_dgram_socket write;
+
+# Allow system server to communicate to apexd
+allow system_server apex_service:service_manager find;
+allow system_server apexd:binder call;
+
+# Allow system server to scan /apex for flattened APEXes
+allow system_server apex_mnt_dir:dir r_dir_perms;
+
+# Allow system server to read /apex/apex-info-list.xml
+allow system_server apex_info_file:file r_file_perms;
+
+# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_internal_service:service_manager find;
+allow system_server system_suspend_control_service:service_manager find;
+binder_call(system_server, system_suspend)
+binder_call(system_suspend, system_server)
+
+# Allow system server to communicate to system-suspend's wakelock interface
+wakelock_use(system_server)
+
+# Allow the system server to read files under /data/apex. The system_server
+# needs these privileges to compare file signatures while processing installs.
+#
+# Only apexd is allowed to create new entries or write to any file under /data/apex.
+allow system_server apex_data_file:dir { getattr search };
+allow system_server apex_data_file:file r_file_perms;
+
+# Allow the system server to read files under /vendor/apex. This is where
+# vendor APEX packages might be installed and system_server needs to parse
+# these packages to inspect the signatures and other metadata.
+allow system_server vendor_apex_file:dir { getattr search };
+allow system_server vendor_apex_file:file r_file_perms;
+
+# Allow the system server to manage relevant apex module data files.
+allow system_server apex_module_data_file:dir { getattr search };
+# These are modules where the code runs in system_server, so we need full access.
+allow system_server apex_system_server_data_file:dir create_dir_perms;
+allow system_server apex_system_server_data_file:file create_file_perms;
+# Legacy labels that we still need to support (b/217581286)
+allow system_server {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_tethering_data_file
+ apex_wifi_data_file
+}:dir create_dir_perms;
+allow system_server {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_tethering_data_file
+ apex_wifi_data_file
+}:file create_file_perms;
+
+# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
+# communicate which slots are available for use.
+allow system_server metadata_file:dir search;
+allow system_server password_slot_metadata_file:dir rw_dir_perms;
+allow system_server password_slot_metadata_file:file create_file_perms;
+
+allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
+allow system_server userspace_reboot_metadata_file:file create_file_perms;
+
+# Allow system server rw access to files in /metadata/staged-install folder
+allow system_server staged_install_file:dir rw_dir_perms;
+allow system_server staged_install_file:file create_file_perms;
+
+allow system_server watchdog_metadata_file:dir rw_dir_perms;
+allow system_server watchdog_metadata_file:file create_file_perms;
+
+allow system_server gsi_persistent_data_file:dir rw_dir_perms;
+allow system_server gsi_persistent_data_file:file create_file_perms;
+
+# Allow system server read and remove files under /data/misc/odrefresh
+allow system_server odrefresh_data_file:dir rw_dir_perms;
+allow system_server odrefresh_data_file:file { r_file_perms unlink };
+
+# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
+allow system_server surfaceflinger_exec:file r_file_perms;
+
+# Allow init to set sysprop used to compute stats about userspace reboot.
+set_prop(system_server, userspace_reboot_log_prop)
+
+# JVMTI agent settings are only readable from the system server.
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -init
+ -vendor_init
+} {
+ system_jvmti_agent_prop
+}:file no_rw_file_perms;
+
+# Read/Write /proc/pressure/memory
+allow system_server proc_pressure_mem:file rw_file_perms;
+
+# dexoptanalyzer is currently used only for secondary dex files which
+# system_server should never access.
+neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+neverallow system_server system_server:global_capability_class_set sys_resource;
+
+# Only system_server/init should access /metadata/password_slots.
+neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_server
+} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
+
+# Only system_server/init should access /metadata/userspacereboot.
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+
+# Allow systemserver to read/write the invalidation property
+set_prop(system_server, binder_cache_system_server_prop)
+neverallow { domain -system_server -init }
+ binder_cache_system_server_prop:property_service set;
+
+# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
+# system_server cannot use this access to read perf event data like process stacks.
+allow system_server self:perf_event { open write cpu kernel };
+neverallow system_server self:perf_event ~{ open write cpu kernel };
+
+# Do not allow any domain other than init or system server to set the property
+neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+neverallow { domain -init -system_server } boot_status_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -system_server
+} wifi_config_prop:file no_rw_file_perms;
+
+# Only allow system server to write uhid sysfs files
+neverallow {
+ domain
+ -init
+ -system_server
+ -ueventd
+ -vendor_init
+} sysfs_uhid:file no_w_file_perms;
+
+# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
+# can be accessed by system_server only (b/143717177)
+# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
+# interface
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
+# Only system server can write the font files.
+neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
+neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
diff --git a/prebuilts/api/33.0/private/system_server_startup.te b/prebuilts/api/33.0/private/system_server_startup.te
new file mode 100644
index 0000000..064e038
--- /dev/null
+++ b/prebuilts/api/33.0/private/system_server_startup.te
@@ -0,0 +1,24 @@
+type system_server_startup, domain, coredomain;
+type system_server_startup_tmpfs, file_type;
+
+tmpfs_domain(system_server_startup)
+
+# Create JIT memory
+allow system_server_startup self:process execmem;
+allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
+
+# Allow to pick up integrity-checked artifacts from the ART APEX dalvik cache.
+allow system_server_startup apex_art_data_file:dir r_dir_perms;
+allow system_server_startup apex_art_data_file:file { r_file_perms execute };
+
+# Allow system_server_startup to run setcon() and enter the
+# system_server domain
+allow system_server_startup self:process setcurrent;
+allow system_server_startup system_server:process dyntransition;
+
+# Child of the zygote.
+allow system_server_startup zygote:process sigchld;
+
+# Allow query ART device config properties
+get_prop(system_server_startup, device_config_runtime_native_boot_prop)
+get_prop(system_server_startup, device_config_runtime_native_prop)
diff --git a/prebuilts/api/33.0/private/system_suspend.te b/prebuilts/api/33.0/private/system_suspend.te
new file mode 100644
index 0000000..d924187
--- /dev/null
+++ b/prebuilts/api/33.0/private/system_suspend.te
@@ -0,0 +1,40 @@
+type system_suspend, domain, coredomain, system_suspend_server, system_suspend_internal_server;
+
+type system_suspend_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(system_suspend)
+
+# To serve ISuspendControlService.
+binder_use(system_suspend)
+add_service(system_suspend, system_suspend_control_service)
+
+add_service(system_suspend, hal_system_suspend_service)
+
+# Access to /sys/power/{ wakeup_count, state } suspend interface.
+allow system_suspend sysfs_power:file rw_file_perms;
+
+# Access to wakeup, suspend stats, and wakeup reasons.
+r_dir_file(system_suspend, sysfs_suspend_stats)
+r_dir_file(system_suspend, sysfs_wakeup)
+r_dir_file(system_suspend, sysfs_wakeup_reasons)
+# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
+allow system_suspend sysfs_type:dir search;
+
+# Access to suspend_hal system properties
+get_prop(system_suspend, suspend_prop)
+
+# To call BTAA registered callbacks
+allow system_suspend bluetooth:binder call;
+
+# For adding `dumpsys syspend_control` output to bugreport
+allow system_suspend dumpstate:fd use;
+allow system_suspend dumpstate:fifo_file write;
+
+neverallow {
+ domain
+ -atrace # tracing
+ -bluetooth # support Bluetooth activity attribution (BTAA)
+ -dumpstate # bug reports
+ -system_suspend # implements system_suspend_control_service
+ -system_server # configures system_suspend via ISuspendControlService
+ -traceur_app # tracing
+} system_suspend_control_service:service_manager find;
diff --git a/prebuilts/api/33.0/private/technical_debt.cil b/prebuilts/api/33.0/private/technical_debt.cil
new file mode 100644
index 0000000..fcd4fe7
--- /dev/null
+++ b/prebuilts/api/33.0/private/technical_debt.cil
@@ -0,0 +1,66 @@
+; THIS IS A WORKAROUND for the current limitations of the module policy language
+; This should be used sparingly until we figure out a saner way to achieve the
+; stuff below, for example, by improving typeattribute statement of module
+; language.
+;
+; NOTE: This file has no effect on recovery policy.
+
+; Apps, except isolated apps, are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_allocator_client;
+; typeattribute hal_allocator_client halclientdomain;
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset halclientdomain (hal_allocator_client))
+
+; Apps, except isolated apps, are clients of OMX-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
+
+; Apps, except isolated apps, are clients of Configstore HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Cas HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_cas_client;
+(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
+
+; Apps, except isolated apps, are clients of Neuralnetworks HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
+
+; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
+; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute untrusted_app_visible_hwservice untrusted_app_visible_hwservice_violators;
+; typeattribute untrusted_app_visible_halserver untrusted_app_visible_halserver_violators;
+(typeattribute untrusted_app_visible_hwservice)
+(typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
+(typeattribute untrusted_app_visible_halserver)
+(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
+
+; Properties having both system_property_type and vendor_property_type are illegal
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
+(typeattribute system_and_vendor_property_type)
+(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))
diff --git a/prebuilts/api/33.0/private/tombstoned.te b/prebuilts/api/33.0/private/tombstoned.te
new file mode 100644
index 0000000..b6dfd1e
--- /dev/null
+++ b/prebuilts/api/33.0/private/tombstoned.te
@@ -0,0 +1,13 @@
+typeattribute tombstoned coredomain;
+
+init_daemon_domain(tombstoned)
+
+get_prop(tombstoned, tombstone_config_prop)
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -tombstoned
+} tombstone_config_prop:file no_rw_file_perms;
diff --git a/prebuilts/api/26.0/private/toolbox.te b/prebuilts/api/33.0/private/toolbox.te
similarity index 100%
rename from prebuilts/api/26.0/private/toolbox.te
rename to prebuilts/api/33.0/private/toolbox.te
diff --git a/prebuilts/api/33.0/private/traced.te b/prebuilts/api/33.0/private/traced.te
new file mode 100644
index 0000000..a6e200e
--- /dev/null
+++ b/prebuilts/api/33.0/private/traced.te
@@ -0,0 +1,129 @@
+# Perfetto user-space tracing daemon (unprivileged)
+
+# type traced is defined under /public (because iorapd rules
+# under public/ need to refer to it).
+type traced_exec, system_file_type, exec_type, file_type;
+
+# Allow init to exec the daemon.
+init_daemon_domain(traced)
+tmpfs_domain(traced)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# share memory buffers created by traced.
+typeattribute traced_tmpfs mlstrustedobject;
+
+# Allow traced to start with a lower scheduling class and change
+# class accordingly to what defined in the config provided by
+# the privileged process that controls it.
+allow traced self:global_capability_class_set { sys_nice };
+
+# Allow to pass a file descriptor for the output trace from "perfetto" (the
+# cmdline client) and other shell binaries to traced and let traced write
+# directly into that (rather than returning the trace contents over the socket).
+allow traced perfetto:fd use;
+allow traced shell:fd use;
+allow traced shell:fifo_file { read write };
+
+# Allow the service to create new files within /data/misc/perfetto-traces.
+allow traced perfetto_traces_data_file:file create_file_perms;
+allow traced perfetto_traces_data_file:dir rw_dir_perms;
+# ... and /data/misc/perfetto-traces/bugreport*
+allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
+allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+
+# Allow traceur to pass open file descriptors to traced, so traced can directly
+# write into the output file without doing roundtrips over IPC.
+allow traced traceur_app:fd use;
+allow traced trace_data_file:file { read write };
+
+# Allow perfetto to access the proxy service for notifying Traceur.
+allow traced tracingproxy_service:service_manager find;
+binder_use(traced);
+binder_call(traced, system_server);
+
+# Allow iorapd to pass memfd descriptors to traced, so traced can directly
+# write into the shmem buffer file without doing roundtrips over IPC.
+allow traced iorapd:fd use;
+allow traced iorapd_tmpfs:file { read write };
+
+# Allow traced to use shared memory supplied by producers. Typically, traced
+# (i.e. the tracing service) creates the shared memory used for data transfer
+# from the producer. This rule allows an alternative scheme, where the producer
+# creates the shared memory, that is then adopted by traced (after validating
+# that it is appropriately sealed).
+# This list has to replicate the tmpfs domains of all applicable domains that
+# have perfetto_producer() macro applied to them.
+# perfetto_tmpfs excluded as it should never need to use the producer-supplied
+# shared memory scheme.
+allow traced {
+ appdomain_tmpfs
+ heapprofd_tmpfs
+ surfaceflinger_tmpfs
+ traced_probes_tmpfs
+ userdebug_or_eng(`system_server_tmpfs')
+}:file { getattr map read write };
+
+# Allow traced to notify Traceur when a trace ends by setting the
+# sys.trace.trace_end_signal property.
+set_prop(traced, system_trace_prop)
+# Allow to lazily start producers.
+set_prop(traced, traced_lazy_prop)
+
+# Allow traced to talk to statsd for logging metrics.
+unix_socket_send(traced, statsdw, statsd)
+
+###
+### Neverallow rules
+###
+### traced should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow traced self:process execmem;
+
+# Block device access.
+neverallow traced dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow traced domain:process ptrace;
+
+# Disallows access to /data files, still allowing to write to file descriptors
+# passed through the socket.
+neverallow traced {
+ data_file_type
+ -perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
+ -system_data_file
+ -system_data_root_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
+neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced {
+ data_file_type
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
+ -trace_data_file
+ with_native_coverage(`-method_trace_data_file')
+}:file ~write;
+
+# Only init is allowed to enter the traced domain via exec()
+neverallow { domain -init } traced:process transition;
+neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow {
+ domain
+ -traced
+ -dumpstate
+ -traceur_app
+ -shell
+ -system_server
+ -perfetto
+} tracingproxy_service:service_manager find;
diff --git a/prebuilts/api/33.0/private/traced_perf.te b/prebuilts/api/33.0/private/traced_perf.te
new file mode 100644
index 0000000..96a7263
--- /dev/null
+++ b/prebuilts/api/33.0/private/traced_perf.te
@@ -0,0 +1,72 @@
+# Performance profiler, backed by perf_event_open(2).
+# See go/perfetto-perf-android.
+typeattribute traced_perf coredomain;
+typeattribute traced_perf mlstrustedsubject;
+
+type traced_perf_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(traced_perf)
+perfetto_producer(traced_perf)
+
+# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
+# profiling, but retain samples only for profileable processes.
+# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
+# check (which would require a process:attach SELinux allow-rule).
+allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
+
+# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
+# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
+# sampled stacks, which requires opening the backing libraries/executables (as
+# symbols are usually not mapped into the process space). Not all such files
+# are world-readable, e.g. odex files that included user profiles during
+# profile-guided optimization.
+allow traced_perf self:capability { kill dac_read_search };
+
+# Allow reading /system/data/packages.list.
+allow traced_perf packages_list_file:file r_file_perms;
+
+# Allow reading files for stack unwinding and symbolization.
+r_dir_file(traced_perf, nativetest_data_file)
+r_dir_file(traced_perf, system_file_type)
+r_dir_file(traced_perf, apex_art_data_file)
+r_dir_file(traced_perf, apk_data_file)
+r_dir_file(traced_perf, dalvikcache_data_file)
+r_dir_file(traced_perf, vendor_file_type)
+
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
+allow traced_perf proc_kallsyms:file r_file_perms;
+
+# Allow reading tracefs files to get the format and numeric ids of tracepoints.
+allow traced_perf debugfs_tracing:dir r_dir_perms;
+allow traced_perf debugfs_tracing:file r_file_perms;
+userdebug_or_eng(`
+ allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
+ allow traced_perf debugfs_tracing_debug:file r_file_perms;
+')
+
+# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
+# domains that it cannot read.
+dontaudit traced_perf domain:dir { search getattr open };
+
+# Do not audit failures to signal a process, as there are cases when this is
+# expected (native processes on debug builds use the policy for enforcing which
+# processes are profileable).
+dontaudit traced_perf domain:process signal;
+
+# Never allow access to app data files
+neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
+
+# Never allow profiling highly privileged processes.
+never_profile_perf(`{
+ bpfloader
+ init
+ kernel
+ keystore
+ llkd
+ logd
+ ueventd
+ vendor_init
+ vold
+}')
diff --git a/prebuilts/api/33.0/private/traced_probes.te b/prebuilts/api/33.0/private/traced_probes.te
new file mode 100644
index 0000000..66d5ac4
--- /dev/null
+++ b/prebuilts/api/33.0/private/traced_probes.te
@@ -0,0 +1,156 @@
+# Perfetto tracing probes, has tracefs access.
+type traced_probes_exec, system_file_type, exec_type, file_type;
+type traced_probes_tmpfs, file_type;
+
+# Allow init to exec the daemon.
+init_daemon_domain(traced_probes)
+tmpfs_domain(traced_probes)
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(traced_probes)
+
+# Allow traced_probes to access tracefs.
+allow traced_probes debugfs_tracing:dir r_dir_perms;
+allow traced_probes debugfs_tracing:file rw_file_perms;
+allow traced_probes debugfs_trace_marker:file getattr;
+allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
+
+# Allow traced_probes to access mm_events trace instance
+allow traced_probes debugfs_tracing_instances:dir search;
+allow traced_probes debugfs_mm_events_tracing:dir search;
+allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
+
+# TODO(primiano): temporarily I/O tracing categories are still
+# userdebug only until we nail down the denylist/allowlist.
+userdebug_or_eng(`
+allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
+allow traced_probes debugfs_tracing_debug:file rw_file_perms;
+')
+
+# Allow traced_probes to start with a higher scheduling class and then downgrade
+# itself.
+allow traced_probes self:global_capability_class_set { sys_nice };
+
+# Allow procfs access
+r_dir_file(traced_probes, domain)
+
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
+allow traced_probes proc_kallsyms:file r_file_perms;
+
+# Allow to read packages.list file.
+allow traced_probes packages_list_file:file r_file_perms;
+
+# Allow to read game_mode_intervention.list file.
+allow traced_probes game_mode_intervention_list_file:file r_file_perms;
+
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
+# Allow traced_probes to list the system partition.
+allow traced_probes system_file:dir { open read };
+
+# Allow traced_probes to list some of the data partition.
+allow traced_probes self:global_capability_class_set dac_read_search;
+
+allow traced_probes apk_data_file:dir { getattr open read search };
+allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
+allow traced_probes dalvikcache_data_file:dir { getattr open read search };
+userdebug_or_eng(`
+# search and getattr are granted via domain and coredomain, respectively.
+allow traced_probes system_data_file:dir { open read };
+')
+allow traced_probes system_app_data_file:dir { getattr open read search };
+allow traced_probes backup_data_file:dir { getattr open read search };
+allow traced_probes bootstat_data_file:dir { getattr open read search };
+allow traced_probes update_engine_data_file:dir { getattr open read search };
+allow traced_probes update_engine_log_data_file:dir { getattr open read search };
+allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
+
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace);
+
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;
+
+# Allow traced_probes to access /proc files for system stats.
+# Note: trace data is NOT exposed to anything other than shell and privileged
+# system apps that have access to the traced consumer socket.
+allow traced_probes {
+ proc_meminfo
+ proc_vmstat
+ proc_stat
+}:file r_file_perms;
+
+# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
+allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
+allow traced_probes sysfs_devfreq_cur:file r_file_perms;
+
+# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
+hal_client_domain(traced_probes, hal_health)
+hal_client_domain(traced_probes, hal_power_stats)
+
+# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
+hal_client_domain(traced_probes, hal_atrace)
+
+# On debug builds allow to ingest system logs into the trace.
+userdebug_or_eng(`read_logd(traced_probes)')
+
+# Allow traced_probes to talk to statsd for logging metrics.
+unix_socket_send(traced_probes, statsdw, statsd)
+
+###
+### Neverallow rules
+###
+### traced_probes should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow traced_probes self:process execmem;
+
+# Block device access.
+neverallow traced_probes dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow traced_probes domain:process ptrace;
+
+# Disallows access to /data files.
+neverallow traced_probes {
+ data_file_type
+ -apex_module_data_file
+ -apex_art_data_file
+ -apk_data_file
+ -dalvikcache_data_file
+ -system_data_file
+ -system_data_root_file
+ -system_app_data_file
+ -backup_data_file
+ -bootstat_data_file
+ -update_engine_data_file
+ -update_engine_log_data_file
+ -user_profile_root_file
+ -user_profile_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+}:dir *;
+neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
+neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced_probes {
+ data_file_type
+ -zoneinfo_data_file
+ -packages_list_file
+ with_native_coverage(`-method_trace_data_file')
+ -game_mode_intervention_list_file
+}:file *;
+
+# Only init is allowed to enter the traced_probes domain via exec()
+neverallow { domain -init } traced_probes:process transition;
+neverallow * traced_probes:process dyntransition;
+
diff --git a/prebuilts/api/33.0/private/traceur_app.te b/prebuilts/api/33.0/private/traceur_app.te
new file mode 100644
index 0000000..2937e26
--- /dev/null
+++ b/prebuilts/api/33.0/private/traceur_app.te
@@ -0,0 +1,24 @@
+typeattribute traceur_app coredomain;
+
+app_domain(traceur_app);
+allow traceur_app debugfs_tracing:file rw_file_perms;
+allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
+
+userdebug_or_eng(`
+ allow traceur_app debugfs_tracing_debug:file rw_file_perms;
+')
+
+allow traceur_app trace_data_file:file create_file_perms;
+allow traceur_app trace_data_file:dir rw_dir_perms;
+allow traceur_app atrace_exec:file rx_file_perms;
+
+# To exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe.
+allow traceur_app perfetto_exec:file rx_file_perms;
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(traceur_app, traced_consumer, traced)
+
+dontaudit traceur_app debugfs_tracing_debug:file audit_access;
+
+set_prop(traceur_app, debug_prop)
diff --git a/prebuilts/api/26.0/private/tzdatacheck.te b/prebuilts/api/33.0/private/tzdatacheck.te
similarity index 100%
rename from prebuilts/api/26.0/private/tzdatacheck.te
rename to prebuilts/api/33.0/private/tzdatacheck.te
diff --git a/prebuilts/api/33.0/private/ueventd.te b/prebuilts/api/33.0/private/ueventd.te
new file mode 100644
index 0000000..8bcdbf9
--- /dev/null
+++ b/prebuilts/api/33.0/private/ueventd.te
@@ -0,0 +1,7 @@
+typeattribute ueventd coredomain;
+
+tmpfs_domain(ueventd)
+
+# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
+# to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)
diff --git a/prebuilts/api/33.0/private/uncrypt.te b/prebuilts/api/33.0/private/uncrypt.te
new file mode 100644
index 0000000..1a94cd1
--- /dev/null
+++ b/prebuilts/api/33.0/private/uncrypt.te
@@ -0,0 +1,6 @@
+typeattribute uncrypt coredomain;
+
+init_daemon_domain(uncrypt)
+
+# Set a property to reboot the device.
+set_prop(uncrypt, powerctl_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app.te b/prebuilts/api/33.0/private/untrusted_app.te
new file mode 100644
index 0000000..62d458d
--- /dev/null
+++ b/prebuilts/api/33.0/private/untrusted_app.te
@@ -0,0 +1,16 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion >= 32.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app coredomain;
+
+app_domain(untrusted_app)
+untrusted_app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
diff --git a/prebuilts/api/33.0/private/untrusted_app_25.te b/prebuilts/api/33.0/private/untrusted_app_25.te
new file mode 100644
index 0000000..4235d7e
--- /dev/null
+++ b/prebuilts/api/33.0/private/untrusted_app_25.te
@@ -0,0 +1,54 @@
+###
+### Untrusted_app_25
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion <= 25.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_25 coredomain;
+
+app_domain(untrusted_app_25)
+untrusted_app_domain(untrusted_app_25)
+net_domain(untrusted_app_25)
+bluetooth_domain(untrusted_app_25)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_app_25 proc_misc:file r_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
+
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_app_25 app_data_file:file execute_no_trans;
+auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_25 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
diff --git a/prebuilts/api/33.0/private/untrusted_app_27.te b/prebuilts/api/33.0/private/untrusted_app_27.te
new file mode 100644
index 0000000..c747af1
--- /dev/null
+++ b/prebuilts/api/33.0/private/untrusted_app_27.te
@@ -0,0 +1,42 @@
+###
+### Untrusted_27.
+###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 28.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_27 coredomain;
+
+app_domain(untrusted_app_27)
+untrusted_app_domain(untrusted_app_27)
+net_domain(untrusted_app_27)
+bluetooth_domain(untrusted_app_27)
+
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_app_27 app_data_file:file execute_no_trans;
+auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_27 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
diff --git a/prebuilts/api/33.0/private/untrusted_app_29.te b/prebuilts/api/33.0/private/untrusted_app_29.te
new file mode 100644
index 0000000..6bb2606
--- /dev/null
+++ b/prebuilts/api/33.0/private/untrusted_app_29.te
@@ -0,0 +1,20 @@
+###
+### Untrusted_29.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion = 29.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_29 coredomain;
+
+app_domain(untrusted_app_29)
+untrusted_app_domain(untrusted_app_29)
+net_domain(untrusted_app_29)
+bluetooth_domain(untrusted_app_29)
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
diff --git a/prebuilts/api/33.0/private/untrusted_app_30.te b/prebuilts/api/33.0/private/untrusted_app_30.te
new file mode 100644
index 0000000..e0a71ef
--- /dev/null
+++ b/prebuilts/api/33.0/private/untrusted_app_30.te
@@ -0,0 +1,22 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 29 < targetSdkVersion <= 31.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+### TODO(b/192334803): Merge this policy into untrusted_app_29 when possible
+###
+
+typeattribute untrusted_app_30 coredomain;
+
+app_domain(untrusted_app_30)
+untrusted_app_domain(untrusted_app_30)
+net_domain(untrusted_app_30)
+bluetooth_domain(untrusted_app_30)
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
diff --git a/prebuilts/api/33.0/private/untrusted_app_all.te b/prebuilts/api/33.0/private/untrusted_app_all.te
new file mode 100644
index 0000000..ceee544
--- /dev/null
+++ b/prebuilts/api/33.0/private/untrusted_app_all.te
@@ -0,0 +1,187 @@
+###
+### Untrusted_app_all.
+###
+### This file defines the rules shared by all untrusted app domains except
+### ephemeral_app for instant apps and isolated_app (which has a reduced
+### permission set).
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app_all attribute is assigned to all default
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### attribute is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to ephemeral_app.te.
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
+allow untrusted_app_all app_data_file:file { r_file_perms execute };
+auditallow untrusted_app_all app_data_file:file execute;
+
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow untrusted_app_all system_linker_exec:file execute_no_trans;
+
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
+
+# Allow handling of less common filesystem objects
+allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
+
+# ASEC
+allow untrusted_app_all asec_apk_file:file r_file_perms;
+allow untrusted_app_all asec_apk_file:dir r_dir_perms;
+# Execute libs in asec containers.
+allow untrusted_app_all asec_public_file:file { execute };
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+# TODO: Long term, we don't want apps probing into shell data files.
+# Figure out a way to remove these rules.
+allow untrusted_app_all shell_data_file:file r_file_perms;
+allow untrusted_app_all shell_data_file:dir r_dir_perms;
+
+# Allow traceur to pass file descriptors through a content provider to untrusted apps
+# for the purpose of sharing files through e.g. gmail
+allow untrusted_app_all trace_data_file:file { getattr read };
+
+# untrusted apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor
+neverallow untrusted_app_all trace_data_file:dir *;
+neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
+
+# neverallow untrusted apps accessing debugfs_tracing
+neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
+
+# Allow to read staged apks.
+allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app_all system_app_data_file:file { read write getattr };
+
+#
+# Rules migrated from old app domains coalesced into untrusted_app.
+# This includes what used to be media_app, shared_app, and release_app.
+#
+
+# Access to /data/media.
+allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
+allow untrusted_app_all media_rw_data_file:file create_file_perms;
+
+# allow cts to query all services
+allow untrusted_app_all servicemanager:service_manager list;
+
+allow untrusted_app_all audioserver_service:service_manager find;
+allow untrusted_app_all cameraserver_service:service_manager find;
+allow untrusted_app_all drmserver_service:service_manager find;
+allow untrusted_app_all mediaserver_service:service_manager find;
+allow untrusted_app_all mediaextractor_service:service_manager find;
+allow untrusted_app_all mediametrics_service:service_manager find;
+allow untrusted_app_all mediadrmserver_service:service_manager find;
+allow untrusted_app_all nfc_service:service_manager find;
+allow untrusted_app_all radio_service:service_manager find;
+allow untrusted_app_all app_api_service:service_manager find;
+allow untrusted_app_all vr_manager_service:service_manager find;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_app_all self:process ptrace;
+
+# Android Studio Instant Run has the application connect to a
+# runas_app socket listening in the abstract namespace.
+# https://developer.android.com/studio/run/
+# b/123297648
+allow untrusted_app_all runas_app:unix_stream_socket connectto;
+
+# Untrusted apps need to be able to send a SIGCHLD to runas_app
+# when running under a debugger (b/123612207)
+allow untrusted_app_all runas_app:process sigchld;
+
+# Cts: HwRngTest
+allow untrusted_app_all sysfs_hwrandom:dir search;
+allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
+
+# Allow apps to view preloaded media content
+allow untrusted_app_all preloads_media_file:dir r_dir_perms;
+allow untrusted_app_all preloads_media_file:file r_file_perms;
+allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(untrusted_app_all)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(untrusted_app_all)
+can_profile_perf(untrusted_app_all)
+
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app_all system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# Allow the renderscript compiler to be run.
+domain_auto_trans(untrusted_app_all, rs_exec, rs)
+
+# suppress denials caused by debugfs_tracing
+dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
+
+# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
+dontaudit untrusted_app_all net_dns_prop:file read;
+
+# These have been disallowed since Android O.
+# For P, we assume that apps are safely handling the denial.
+dontaudit untrusted_app_all proc_stat:file read;
+dontaudit untrusted_app_all proc_vmstat:file read;
+dontaudit untrusted_app_all proc_uptime:file read;
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_all)
+
+# Allow access to kcov via its ioctl interface for coverage
+# guided kernel fuzzing.
+userdebug_or_eng(`
+ allow untrusted_app_all debugfs_kcov:file rw_file_perms;
+ allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
+ # The use of debugfs kcov is considered a breach of the kernel integrity
+ # according to the heuristic of lockdown.
+ allow untrusted_app_all self:lockdown integrity;
+')
+
+# Allow running a VM for test/demo purposes. Note that access the service is
+# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
+# permission. The protection level of the permission is `signature|development`
+# so that it can only be granted to either platform-key signed apps or
+# test-only apps having `android:testOnly="true"` in its manifest.
+userdebug_or_eng(`
+ virtualizationservice_use(untrusted_app_all)
+')
+
+with_native_coverage(`
+ # Allow writing coverage information to /data/misc/trace
+ allow domain method_trace_data_file:dir create_dir_perms;
+ allow domain method_trace_data_file:file create_file_perms;
+')
diff --git a/prebuilts/api/33.0/private/update_engine.te b/prebuilts/api/33.0/private/update_engine.te
new file mode 100644
index 0000000..c3f575f
--- /dev/null
+++ b/prebuilts/api/33.0/private/update_engine.te
@@ -0,0 +1,32 @@
+typeattribute update_engine coredomain;
+
+init_daemon_domain(update_engine);
+
+# Allow to talk to gsid.
+allow update_engine gsi_service:service_manager find;
+binder_call(update_engine, gsid)
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# Allow to start snapuserd for dm-user communication.
+set_prop(update_engine, ctl_snapuserd_prop)
+
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
+
+# Allow to get the DSU status
+get_prop(update_engine, gsid_prop)
+
+# Allow update_engine to call the callback function provided by GKI update hook.
+binder_call(update_engine, gki_apex_prepostinstall)
+
+# Allow to communicate with the snapuserd service, for dm-user snapshots.
+allow update_engine snapuserd:unix_stream_socket connectto;
+allow update_engine snapuserd_socket:sock_file write;
+get_prop(update_engine, snapuserd_prop)
+
+# Allow to communicate with apexd for calculating and reserving space for
+# capex decompression
+allow update_engine apex_service:service_manager find;
+binder_call(update_engine, apexd)
diff --git a/prebuilts/api/33.0/private/update_engine_common.te b/prebuilts/api/33.0/private/update_engine_common.te
new file mode 100644
index 0000000..8571ff6
--- /dev/null
+++ b/prebuilts/api/33.0/private/update_engine_common.te
@@ -0,0 +1,13 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# The postinstall program is run by update_engine_common and must be tagged
+# with postinstall_exec in the new filesystem.
+# TODO Have build system attempt to verify this
+domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
+
+# Vendor directories can have the transition as well during OTA. This is caused
+# by update_engine execing scripts in vendor to perform any update tasks needed
+# there.
+domain_auto_trans(update_engine_common, postinstall_file, postinstall)
+
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
diff --git a/prebuilts/api/33.0/private/update_verifier.te b/prebuilts/api/33.0/private/update_verifier.te
new file mode 100644
index 0000000..5e1b27b
--- /dev/null
+++ b/prebuilts/api/33.0/private/update_verifier.te
@@ -0,0 +1,9 @@
+typeattribute update_verifier coredomain;
+
+init_daemon_domain(update_verifier)
+
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
diff --git a/prebuilts/api/33.0/private/usbd.te b/prebuilts/api/33.0/private/usbd.te
new file mode 100644
index 0000000..42f2324
--- /dev/null
+++ b/prebuilts/api/33.0/private/usbd.te
@@ -0,0 +1,15 @@
+typeattribute usbd coredomain;
+
+init_daemon_domain(usbd)
+
+# Access usb gadget hal
+hal_client_domain(usbd, hal_usb_gadget)
+
+# Access persist.sys.usb.config
+get_prop(usbd, system_prop)
+
+# start adbd during boot if adb is enabled
+set_prop(usbd, ctl_default_prop)
+
+# Start/stop adbd via ctl.start adbd
+set_prop(usbd, ctl_adbd_prop)
diff --git a/prebuilts/api/26.0/private/users b/prebuilts/api/33.0/private/users
similarity index 100%
rename from prebuilts/api/26.0/private/users
rename to prebuilts/api/33.0/private/users
diff --git a/prebuilts/api/33.0/private/vdc.te b/prebuilts/api/33.0/private/vdc.te
new file mode 100644
index 0000000..63c9c2a
--- /dev/null
+++ b/prebuilts/api/33.0/private/vdc.te
@@ -0,0 +1,6 @@
+typeattribute vdc coredomain;
+
+init_daemon_domain(vdc)
+
+# Allow stdin/out back to vehicle_binding_util
+allow vdc vehicle_binding_util:fd use;
diff --git a/prebuilts/api/33.0/private/vehicle_binding_util.te b/prebuilts/api/33.0/private/vehicle_binding_util.te
new file mode 100644
index 0000000..76d0756
--- /dev/null
+++ b/prebuilts/api/33.0/private/vehicle_binding_util.te
@@ -0,0 +1,20 @@
+# vehicle binding util startup application
+type vehicle_binding_util, domain, coredomain;
+
+# allow init to start vehicle_binding_util
+type vehicle_binding_util_exec, exec_type, file_type, system_file_type;
+init_daemon_domain(vehicle_binding_util)
+
+# allow writing to kmsg during boot
+allow vehicle_binding_util kmsg_device:chr_file { getattr w_file_perms };
+
+# allow reading the binding property from vhal
+hwbinder_use(vehicle_binding_util)
+hal_client_domain(vehicle_binding_util, hal_vehicle)
+
+# allow executing vdc
+domain_auto_trans(vehicle_binding_util, vdc_exec, vdc)
+
+# devpts is needed to redirect output from vdc
+allow vehicle_binding_util devpts:chr_file rw_file_perms;
+
diff --git a/prebuilts/api/33.0/private/vendor_init.te b/prebuilts/api/33.0/private/vendor_init.te
new file mode 100644
index 0000000..70b3ef9
--- /dev/null
+++ b/prebuilts/api/33.0/private/vendor_init.te
@@ -0,0 +1,23 @@
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit vendor_init sysfs:dir write;
+
+# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
+allow vendor_init system_data_root_file:dir rw_dir_perms;
+
+# Let vendor_init set service.adb.tcp.port.
+set_prop(vendor_init, adbd_config_prop)
+
+# Let vendor_init react to AVF device config changes
+get_prop(vendor_init, device_config_virtualization_framework_native_prop)
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -keychord_device
+ -kvm_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
diff --git a/prebuilts/api/33.0/private/viewcompiler.te b/prebuilts/api/33.0/private/viewcompiler.te
new file mode 100644
index 0000000..d1f0964
--- /dev/null
+++ b/prebuilts/api/33.0/private/viewcompiler.te
@@ -0,0 +1,25 @@
+# viewcompiler
+type viewcompiler, domain, coredomain, mlstrustedsubject;
+type viewcompiler_exec, system_file_type, exec_type, file_type;
+type viewcompiler_tmpfs, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by viewcompiler vs other
+# processes.
+tmpfs_domain(viewcompiler)
+
+allow viewcompiler installd:fd use;
+
+# Include write permission for app data files so viewcompiler can generate
+# compiled layout dex files
+allow viewcompiler app_data_file:file { getattr write };
+
+# Allow the view compiler to read resources from the apps APK.
+allow viewcompiler apk_data_file:file { read map };
+
+# priv-apps are moving to a world where they can only execute
+# signed code. Make sure viewcompiler never can write to privapp
+# directories to avoid introducing unsigned executable code
+neverallow viewcompiler privapp_data_file:file no_w_file_perms;
diff --git a/prebuilts/api/26.0/private/virtual_touchpad.te b/prebuilts/api/33.0/private/virtual_touchpad.te
similarity index 100%
rename from prebuilts/api/26.0/private/virtual_touchpad.te
rename to prebuilts/api/33.0/private/virtual_touchpad.te
diff --git a/prebuilts/api/33.0/private/virtualizationservice.te b/prebuilts/api/33.0/private/virtualizationservice.te
new file mode 100644
index 0000000..c369a90
--- /dev/null
+++ b/prebuilts/api/33.0/private/virtualizationservice.te
@@ -0,0 +1,84 @@
+type virtualizationservice, domain, coredomain;
+type virtualizationservice_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with virtualizationservice_exec, run it in the
+# virtualizationservice domain.
+init_daemon_domain(virtualizationservice)
+
+# Let the virtualizationservice domain use Binder.
+binder_use(virtualizationservice)
+# ... and host a binder service
+binder_service(virtualizationservice)
+
+# Allow calling into the system server so that it can check permissions.
+binder_call(virtualizationservice, system_server)
+allow virtualizationservice permission_service:service_manager find;
+# Allow virtualizationservice to access "package_native" service for staged apex info.
+allow virtualizationservice package_native_service:service_manager find;
+
+# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
+add_service(virtualizationservice, virtualization_service)
+
+# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+
+# Let virtualizationservice kill crosvm.
+allow virtualizationservice crosvm:process sigkill;
+
+# Let virtualizationservice access its data directory.
+allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
+allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
+
+# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
+# crosvm to the console
+allow virtualizationservice adbd:fd use;
+allow virtualizationservice adbd:unix_stream_socket { read write };
+
+# Let virtualizationservice read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationservice apk_data_file:file { getattr read };
+# Write access is needed for mutable partitions like instance.img
+allow virtualizationservice {
+ app_data_file
+ apex_compos_data_file
+}:file { getattr read write };
+
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationservice shell_data_file:file { getattr read write };
+
+# Allow virtualizationservice to read apex-info-list.xml and access the APEX files listed there.
+allow virtualizationservice apex_info_file:file r_file_perms;
+allow virtualizationservice apex_data_file:dir search;
+allow virtualizationservice staging_data_file:file r_file_perms;
+allow virtualizationservice staging_data_file:dir search;
+
+# Run derive_classpath in our domain
+allow virtualizationservice derive_classpath_exec:file rx_file_perms;
+allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationservice self:dir write;
+
+# Let virtualizationservice to accept vsock connection from the guest VMs
+allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
+set_prop(virtualizationservice, virtualizationservice_prop)
+
+# Allow virtualizationservice to inspect hypervisor capabilities.
+get_prop(virtualizationservice, hypervisor_prop)
+
+# Allow writing stats to statsd
+unix_socket_send(virtualizationservice, statsdw, statsd)
+
+# Allow virtualization service to talk to tombstoned to push guest tombstones
+unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
+
+# Append to tombstone files passed as fds from tombstoned
+allow virtualizationservice tombstone_data_file:file { append getattr };
+allow virtualizationservice tombstoned:fd use;
+
+neverallow {
+ domain
+ -init
+ -virtualizationservice
+} virtualizationservice_prop:property_service set;
diff --git a/prebuilts/api/33.0/private/vold.te b/prebuilts/api/33.0/private/vold.te
new file mode 100644
index 0000000..cb7b1bc
--- /dev/null
+++ b/prebuilts/api/33.0/private/vold.te
@@ -0,0 +1,68 @@
+typeattribute vold coredomain;
+
+init_daemon_domain(vold)
+
+# Switch to more restrictive domains when executing common tools
+domain_auto_trans(vold, sgdisk_exec, sgdisk);
+domain_auto_trans(vold, sdcardd_exec, sdcardd);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, blkid_exec, blkid);
+domain_trans(vold, blkid_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Newly created storage dirs are always treated as mount stubs to prevent us
+# from accidentally writing when the mount point isn't present.
+type_transition vold storage_file:dir storage_stub_file;
+type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
+
+# Property Service
+get_prop(vold, vold_config_prop)
+get_prop(vold, storage_config_prop);
+get_prop(vold, incremental_prop);
+get_prop(vold, gsid_prop);
+
+set_prop(vold, vold_prop)
+set_prop(vold, vold_status_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
+set_prop(vold, boottime_prop)
+set_prop(vold, boottime_public_prop)
+
+# Vold will use Keystore instead of using Keymint directly. But it still needs
+# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
+allow vold vold_key:keystore2_key {
+ convert_storage_key_to_ephemeral
+ delete
+ get_info
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+};
+
+# vold needs to call keystore methods
+allow vold keystore:binder call;
+
+# vold needs to find keystore2 services
+allow vold keystore_service:service_manager find;
+allow vold keystore_maintenance_service:service_manager find;
+
+# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
+allow vold keystore:keystore2 early_boot_ended;
+allow vold keystore:keystore2 delete_all_keys;
+
+neverallow {
+ domain
+ -system_server
+ -vdc
+ -vold
+ -update_verifier
+ -apexd
+ -gsid
+} vold_service:service_manager find;
diff --git a/prebuilts/api/33.0/private/vold_prepare_subdirs.te b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
new file mode 100644
index 0000000..818660c
--- /dev/null
+++ b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
@@ -0,0 +1,66 @@
+domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
+
+typeattribute vold_prepare_subdirs mlstrustedsubject;
+
+allow vold_prepare_subdirs system_file:file execute_no_trans;
+allow vold_prepare_subdirs shell_exec:file rx_file_perms;
+allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
+allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
+allow vold_prepare_subdirs vold:fd use;
+allow vold_prepare_subdirs vold:fifo_file { read write };
+allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
+allow vold_prepare_subdirs self:process setfscreate;
+allow vold_prepare_subdirs {
+ system_data_file
+ vendor_data_file
+}:dir { open read write add_name remove_name rmdir relabelfrom };
+allow vold_prepare_subdirs {
+ apex_data_file_type
+ apex_module_data_file
+ apex_rollback_data_file
+ backup_data_file
+ checkin_data_file
+ face_vendor_data_file
+ fingerprint_vendor_data_file
+ iris_vendor_data_file
+ rollback_data_file
+ storaged_data_file
+ sdk_sandbox_data_file
+ system_data_file
+ vold_data_file
+}:dir { create_dir_perms relabelto };
+allow vold_prepare_subdirs {
+ apex_data_file_type
+ apex_art_staging_data_file
+ apex_module_data_file
+ apex_rollback_data_file
+ backup_data_file
+ checkin_data_file
+ face_vendor_data_file
+ fingerprint_vendor_data_file
+ iris_vendor_data_file
+ rollback_data_file
+ storaged_data_file
+ sdk_sandbox_data_file
+ system_data_file
+ vold_data_file
+}:file { getattr unlink };
+allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
+allow vold_prepare_subdirs mnt_expand_file:dir search;
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
+allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
+
+# Migrate legacy labels to apex_system_server_data_file (b/217581286)
+allow vold_prepare_subdirs {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_tethering_data_file
+ apex_wifi_data_file
+}:dir relabelfrom;
+
+# /data/misc is unlabeled during early boot.
+allow vold_prepare_subdirs unlabeled:dir search;
+
+dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/prebuilts/api/33.0/private/vzwomatrigger_app.te b/prebuilts/api/33.0/private/vzwomatrigger_app.te
new file mode 100644
index 0000000..8deb22b
--- /dev/null
+++ b/prebuilts/api/33.0/private/vzwomatrigger_app.te
@@ -0,0 +1,6 @@
+###
+### A domain for further sandboxing the VzwOmaTrigger app.
+###
+type vzwomatrigger_app, domain;
+
+app_domain(vzwomatrigger_app)
diff --git a/prebuilts/api/33.0/private/wait_for_keymaster.te b/prebuilts/api/33.0/private/wait_for_keymaster.te
new file mode 100644
index 0000000..974a297
--- /dev/null
+++ b/prebuilts/api/33.0/private/wait_for_keymaster.te
@@ -0,0 +1,5 @@
+# wait_for_keymaster service. No longer used;
+# here only so that downstream code compiles.
+type wait_for_keymaster, domain, coredomain;
+type wait_for_keymaster_exec, system_file_type, exec_type, file_type;
+
diff --git a/prebuilts/api/33.0/private/watchdogd.te b/prebuilts/api/33.0/private/watchdogd.te
new file mode 100644
index 0000000..91ece70
--- /dev/null
+++ b/prebuilts/api/33.0/private/watchdogd.te
@@ -0,0 +1,3 @@
+typeattribute watchdogd coredomain;
+
+init_daemon_domain(watchdogd)
diff --git a/prebuilts/api/33.0/private/webview_zygote.te b/prebuilts/api/33.0/private/webview_zygote.te
new file mode 100644
index 0000000..3473eca
--- /dev/null
+++ b/prebuilts/api/33.0/private/webview_zygote.te
@@ -0,0 +1,155 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+typeattribute webview_zygote coredomain;
+
+# The webview_zygote needs to be able to transition domains.
+typeattribute webview_zygote mlstrustedsubject;
+
+# Allow access to temporary files, which is normally permitted through
+# a domain macro.
+tmpfs_domain(webview_zygote);
+
+userfaultfd_use(webview_zygote)
+
+# Allow reading/executing installed binaries to enable preloading the
+# installed WebView implementation.
+allow webview_zygote apk_data_file:dir r_dir_perms;
+allow webview_zygote apk_data_file:file { r_file_perms execute };
+
+# Access to the WebView relro file.
+allow webview_zygote shared_relro_file:dir search;
+allow webview_zygote shared_relro_file:file r_file_perms;
+
+# Set the UID/GID of the process.
+allow webview_zygote self:global_capability_class_set { setgid setuid };
+# Drop capabilities from bounding set.
+allow webview_zygote self:global_capability_class_set setpcap;
+# Switch SELinux context to app domains.
+allow webview_zygote self:process setcurrent;
+allow webview_zygote isolated_app:process dyntransition;
+
+# For art.
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
+allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
+allow webview_zygote apex_module_data_file:dir search;
+
+# Allow webview_zygote to create JIT memory.
+allow webview_zygote self:process execmem;
+
+# Allow webview_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow webview_zygote debugfs_trace_marker:file getattr;
+
+# Allow webview_zygote to manage the pgroup of its children.
+allow webview_zygote system_server:process getpgid;
+
+# Interaction between the webview_zygote and its children.
+allow webview_zygote isolated_app:process setpgid;
+
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
+
+# TODO (b/72957399) remove this when webview_zygote is reparented to
+# app_process zygote
+dontaudit webview_zygote dex2oat_exec:file execute;
+
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(webview_zygote)
+# Check SELinux permissions.
+selinux_check_access(webview_zygote)
+
+# Directory listing in /system.
+allow webview_zygote system_file:dir r_dir_perms;
+
+# Read and inspect temporary files (like system properties) managed by zygote.
+allow webview_zygote zygote_tmpfs:file { read getattr };
+# Child of zygote.
+allow webview_zygote zygote:fd use;
+allow webview_zygote zygote:process sigchld;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(webview_zygote, vendor_overlay_file)
+
+allow webview_zygote same_process_hal_file:file { execute read open getattr map };
+
+allow webview_zygote system_data_file:lnk_file r_file_perms;
+
+# Send unsolicited message to system_server
+unix_socket_send(webview_zygote, system_unsolzygote, system_server)
+
+# Allow the webview_zygote to access the runtime feature flag properties.
+get_prop(webview_zygote, device_config_runtime_native_prop)
+get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+
+# Allow webview_zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow webview_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow webview_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow webview_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for the zygote to fork a new
+# webview_zygote child.
+neverallow { domain -zygote } webview_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow webview_zygote property_socket:sock_file write;
+neverallow webview_zygote property_type:property_service set;
+
+# Should not have any access to app data files.
+neverallow webview_zygote app_data_file_type:file { rwx_file_perms };
+
+neverallow webview_zygote {
+ service_manager_type
+ -activity_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow webview_zygote access to /cache.
+neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
+neverallow webview_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow webview_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+ sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+ x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+ pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+ rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+ xdp_socket
+} *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_audio_hal_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/prebuilts/api/33.0/private/wificond.te b/prebuilts/api/33.0/private/wificond.te
new file mode 100644
index 0000000..3fdaca2
--- /dev/null
+++ b/prebuilts/api/33.0/private/wificond.te
@@ -0,0 +1,11 @@
+typeattribute wificond coredomain;
+
+set_prop(wificond, wifi_hal_prop)
+set_prop(wificond, wifi_prop)
+set_prop(wificond, ctl_default_prop)
+
+get_prop(wificond, hwservicemanager_prop)
+
+allow wificond legacykeystore_service:service_manager find;
+
+init_daemon_domain(wificond)
diff --git a/prebuilts/api/33.0/private/wpantund.te b/prebuilts/api/33.0/private/wpantund.te
new file mode 100644
index 0000000..e91662c
--- /dev/null
+++ b/prebuilts/api/33.0/private/wpantund.te
@@ -0,0 +1,3 @@
+typeattribute wpantund coredomain;
+
+init_daemon_domain(wpantund)
diff --git a/prebuilts/api/33.0/private/zygote.te b/prebuilts/api/33.0/private/zygote.te
new file mode 100644
index 0000000..ea983fd
--- /dev/null
+++ b/prebuilts/api/33.0/private/zygote.te
@@ -0,0 +1,274 @@
+# zygote
+typeattribute zygote coredomain;
+typeattribute zygote mlstrustedsubject;
+
+init_daemon_domain(zygote)
+tmpfs_domain(zygote)
+
+read_runtime_log_tags(zygote)
+
+# Override DAC on files and switch uid/gid.
+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
+
+# Drop capabilities from bounding set.
+allow zygote self:global_capability_class_set setpcap;
+
+# Switch SELinux context to app domains.
+allow zygote self:process setcurrent;
+allow zygote system_server_startup:process dyntransition;
+allow zygote appdomain:process dyntransition;
+allow zygote webview_zygote:process dyntransition;
+allow zygote app_zygote:process dyntransition;
+
+# Allow zygote to read app /proc/pid dirs (b/10455872).
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { r_file_perms };
+
+userfaultfd_use(zygote)
+
+# Move children into the peer process group.
+allow zygote system_server:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+allow zygote webview_zygote:process { getpgid setpgid };
+allow zygote app_zygote:process { getpgid setpgid };
+
+# Read system data.
+allow zygote system_data_file:dir r_dir_perms;
+allow zygote system_data_file:file r_file_perms;
+
+# Write to /data/dalvik-cache.
+allow zygote dalvikcache_data_file:dir create_dir_perms;
+allow zygote dalvikcache_data_file:file create_file_perms;
+
+# Create symlinks in /data/dalvik-cache.
+allow zygote dalvikcache_data_file:lnk_file create_file_perms;
+
+# Write to /data/resource-cache.
+allow zygote resourcecache_data_file:dir rw_dir_perms;
+allow zygote resourcecache_data_file:file create_file_perms;
+
+# For updateability, the zygote may fetch the current boot
+# classpath from the dalvik cache. Integrity of the files
+# is ensured by fsverity protection (checked in art_apex_boot_integrity).
+allow zygote dalvikcache_data_file:file execute;
+
+# Allow zygote to find files in APEX data directories.
+allow zygote apex_module_data_file:dir search;
+
+# Allow zygote to find and map files created by on device signing.
+allow zygote apex_art_data_file:dir { getattr search };
+allow zygote apex_art_data_file:file { r_file_perms execute };
+
+# Bind mount on /data/data and mounted volumes
+allow zygote { system_data_file mnt_expand_file }:dir mounton;
+
+# Relabel /data/user /data/user_de and /data/data
+allow zygote tmpfs:{ dir lnk_file } relabelfrom;
+allow zygote system_data_file:{ dir lnk_file } relabelto;
+
+# Zygote opens /mnt/expand to mount CE DE storage on each vol
+allow zygote mnt_expand_file:dir { open read search relabelto };
+
+# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
+allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
+
+# Create and bind dirs on /data/data
+allow zygote tmpfs:dir { create_dir_perms mounton };
+
+# Goes into media directory and bind mount obb directory
+allow zygote media_rw_data_file:dir { getattr search };
+
+# Bind mount on top of existing mounted obb and data directory
+allow zygote media_rw_data_file:dir { mounton };
+
+# Read if sdcardfs is supported
+allow zygote proc_filesystems:file r_file_perms;
+
+# Create symlink for /data/user/0
+allow zygote tmpfs:lnk_file create;
+
+allow zygote mirror_data_file:dir r_dir_perms;
+
+# Get inode of directories for app data isolation
+allow zygote {
+ app_data_file_type
+ system_data_file
+ mnt_expand_file
+}:dir getattr;
+
+# Allow zygote to create JIT memory.
+allow zygote self:process execmem;
+allow zygote zygote_tmpfs:file execute;
+allow zygote ashmem_libcutils_device:chr_file execute;
+
+# Execute idmap and dex2oat within zygote's own domain.
+# TODO: Should either of these be transitioned to the same domain
+# used by installd or stay in-domain for zygote?
+allow zygote idmap_exec:file rx_file_perms;
+allow zygote dex2oat_exec:file rx_file_perms;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
+
+# Control cgroups.
+allow zygote cgroup:dir create_dir_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
+allow zygote cgroup_v2:dir create_dir_perms;
+allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
+allow zygote self:global_capability_class_set sys_admin;
+
+# Allow zygote to stat the files that it opens. The zygote must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow zygote pmsg_device:chr_file getattr;
+allow zygote debugfs_trace_marker:file getattr;
+
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(zygote)
+# Check SELinux permissions.
+selinux_check_access(zygote)
+
+# Native bridge functionality requires that zygote replaces
+# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
+allow zygote proc_cpuinfo:file mounton;
+
+# Allow remounting rootfs as MS_SLAVE.
+allow zygote rootfs:dir mounton;
+allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
+allow zygote sdcardfs:filesystem { unmount };
+allow zygote labeledfs:filesystem { unmount };
+
+# Allow creating user-specific storage source if started before vold.
+allow zygote mnt_user_file:dir { create_dir_perms mounton };
+allow zygote mnt_user_file:lnk_file create_file_perms;
+allow zygote mnt_user_file:file create_file_perms;
+
+# Allow mounting user-specific storage source if started before vold.
+allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
+
+# Allowed to mount user-specific storage into place
+allow zygote storage_file:dir { search mounton };
+
+# Allow mounting and creating files, dirs on sdcardfs.
+allow zygote { sdcard_type fuse }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type fuse }:file { create_file_perms };
+
+# Handle --invoke-with command when launching Zygote with a wrapper command.
+allow zygote zygote_exec:file rx_file_perms;
+
+# Allow zygote to write to statsd.
+unix_socket_send(zygote, statsdw, statsd)
+
+# Root fs.
+r_dir_file(zygote, rootfs)
+
+# System file accesses.
+r_dir_file(zygote, system_file)
+
+# /oem accesses.
+allow zygote oemfs:dir search;
+
+userdebug_or_eng(`
+ # Allow zygote to create and write method traces in /data/misc/trace.
+ allow zygote method_trace_data_file:dir w_dir_perms;
+ allow zygote method_trace_data_file:file { create w_file_perms };
+')
+
+allow zygote ion_device:chr_file r_file_perms;
+allow zygote tmpfs:dir r_dir_perms;
+
+allow zygote same_process_hal_file:file { execute read open getattr map };
+
+# Allow the zygote to access storage properties to check if sdcardfs is enabled.
+get_prop(zygote, storage_config_prop);
+
+# Let the zygote access overlays so it can initialize the AssetManager.
+get_prop(zygote, overlay_prop)
+get_prop(zygote, exported_overlay_prop)
+
+# Allow the zygote to access the runtime feature flag properties.
+get_prop(zygote, device_config_runtime_native_prop)
+get_prop(zygote, device_config_runtime_native_boot_prop)
+
+# Allow the zygote to access window manager native boot feature flags
+# to initialize WindowManager static properties.
+get_prop(zygote, device_config_window_manager_native_boot_prop)
+
+# ingore spurious denials
+# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
+# done to determine if the file should inherit setgid. In this case, setgid on the file is
+# undesirable, so suppress the denial.
+dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
+
+# Ignore spurious denials calling access() on fuse.
+# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
+# doesn't exist.
+# TODO(b/151316657): avoid the denials
+dontaudit zygote media_rw_data_file:dir { read open setattr };
+
+# Allow zygote to use ashmem fds from system_server.
+allow zygote system_server:fd use;
+
+# Send unsolicited message to system_server
+unix_socket_send(zygote, system_unsolzygote, system_server)
+
+# Allow zygote to access media_variant_prop for static initialization
+get_prop(zygote, media_variant_prop)
+
+# Allow zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
+# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(zygote, packagemanager_config_prop)
+
+# Allow zygote to read qemu.sf.lcd_density
+get_prop(zygote, qemu_sf_lcd_density_prop)
+
+# Allow zygote to read /apex/apex-info-list.xml
+allow zygote apex_info_file:file r_file_perms;
+
+# Allow zygote to canonicalize vendor APEX paths. This is used when zygote is checking the
+# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
+allow zygote vendor_apex_file:dir { getattr search };
+allow zygote vendor_apex_file:file { getattr };
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server_startup, webview_zygote and
+# app_zygote.
+neverallow zygote ~{
+ appdomain
+ system_server_startup
+ webview_zygote
+ app_zygote
+}:process dyntransition;
+
+# Zygote should never execute anything from /data except for
+# /data/dalvik-cache files or files generated during on-device
+# signing under /data/misc/apexdata/com.android.art/.
+neverallow zygote {
+ data_file_type
+ -apex_art_data_file # map PROT_EXEC
+ -dalvikcache_data_file # map PROT_EXEC
+}:file no_x_file_perms;
+
+# Do not allow access to Bluetooth-related system properties and files
+neverallow zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_audio_hal_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
+
+# Zygote should not be able to access app private data.
+neverallow zygote app_data_file_type:dir ~getattr;
diff --git a/prebuilts/api/33.0/public/adbd.te b/prebuilts/api/33.0/public/adbd.te
new file mode 100644
index 0000000..5056b35
--- /dev/null
+++ b/prebuilts/api/33.0/public/adbd.te
@@ -0,0 +1,13 @@
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain;
+type adbd_exec, exec_type, file_type, system_file_type;
+
+# Only init is allowed to enter the adbd domain via exec()
+neverallow { domain -init } adbd:process transition;
+neverallow * adbd:process dyntransition;
+
+# Access /data/local/tests.
+allow adbd shell_test_data_file:dir create_dir_perms;
+allow adbd shell_test_data_file:file create_file_perms;
+allow adbd shell_test_data_file:lnk_file create_file_perms;
diff --git a/prebuilts/api/33.0/public/aidl_lazy_test_server.te b/prebuilts/api/33.0/public/aidl_lazy_test_server.te
new file mode 100644
index 0000000..626d008
--- /dev/null
+++ b/prebuilts/api/33.0/public/aidl_lazy_test_server.te
@@ -0,0 +1,9 @@
+type aidl_lazy_test_server, domain;
+type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+ binder_use(aidl_lazy_test_server)
+ binder_call(aidl_lazy_test_server, binderservicedomain)
+
+ add_service(aidl_lazy_test_server, aidl_lazy_test_service)
+')
diff --git a/prebuilts/api/33.0/public/apexd.te b/prebuilts/api/33.0/public/apexd.te
new file mode 100644
index 0000000..53bc569
--- /dev/null
+++ b/prebuilts/api/33.0/public/apexd.te
@@ -0,0 +1,11 @@
+# apexd -- manager for APEX packages
+type apexd, domain;
+type apexd_exec, exec_type, file_type, system_file_type;
+
+binder_use(apexd)
+add_service(apexd, apex_service)
+
+neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
+
+neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
diff --git a/prebuilts/api/33.0/public/app.te b/prebuilts/api/33.0/public/app.te
new file mode 100644
index 0000000..da24012
--- /dev/null
+++ b/prebuilts/api/33.0/public/app.te
@@ -0,0 +1,240 @@
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+type appdomain_tmpfs, file_type;
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
+
+# Block device access.
+neverallow appdomain dev_type:blk_file { read write };
+
+# Access to any of the following character devices.
+neverallow appdomain {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ rpmsg_device
+ video_device
+}:chr_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc } nfc_device:chr_file
+ { read write };
+neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
+ { read write };
+neverallow appdomain tee_device:chr_file { read write };
+
+# Privileged netlink socket interfaces.
+neverallow { appdomain -network_stack }
+ domain:{
+ netlink_tcpdiag_socket
+ netlink_nflog_socket
+ netlink_xfrm_socket
+ netlink_audit_socket
+ netlink_dnrt_socket
+ } *;
+
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+
+# Sockets under /dev/socket that are not specifically typed.
+neverallow appdomain socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow appdomain adbd_socket:sock_file write;
+neverallow { appdomain -radio } rild_socket:sock_file write;
+
+# ptrace access to non-app domains.
+neverallow appdomain { domain -appdomain }:process ptrace;
+
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces. llkd is excluded, as it needs ptrace access to
+# inspect stack traces for live lock conditions.
+
+neverallow {
+ domain
+ -appdomain
+ -crash_dump
+ userdebug_or_eng(`-llkd')
+} appdomain:process ptrace;
+
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+# -perfetto is to allow shell (which is an appdomain) to kill perfetto
+# (see private/shell.te).
+neverallow appdomain { domain -appdomain -perfetto }:process
+ { sigkill sigstop signal };
+
+# Write to rootfs.
+neverallow appdomain rootfs:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to /system.
+neverallow appdomain system_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow appdomain exec_type:file
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts. Define a different type for portions
+# that should be writable by apps.
+neverallow appdomain system_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow appdomain drm_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell }
+ shell_data_file:dir_file_class_set
+ { create setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth }
+ bluetooth_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
+neverallow appdomain
+ keystore_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ systemkeys_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ wifi_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ dhcp_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# access tmp apk files
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+ { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
+
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+
+# Access to factory files.
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
+
+# Write to various pseudo file systems.
+neverallow { appdomain -bluetooth -nfc }
+ sysfs:dir_file_class_set write;
+neverallow appdomain
+ proc:dir_file_class_set write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow appdomain fs_type:filesystem ~getattr;
+
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+ apk_data_file
+ cache_file
+ cache_recovery_file
+ dev_type
+ rootfs
+ system_file
+ tmpfs
+}:lnk_file no_w_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+ appdomain
+ -shell # bugreport
+} input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+ appdomain
+ -bluetooth
+ -system_app
+} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+
+# allow system_app to access Nfc-related system properties.
+set_prop(system_app, nfc_prop)
+
+# allow system_app to access radio_config system properties.
+set_prop(system_app, radio_control_prop)
+
+# Apps cannot access proc_uid_time_in_state
+neverallow appdomain proc_uid_time_in_state:file *;
+
+# Apps cannot access proc_uid_concurrent_active_time
+neverallow appdomain proc_uid_concurrent_active_time:file *;
+
+# Apps cannot access proc_uid_concurrent_policy_time
+neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
+# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
+# perform UID lookups.
+neverallow { appdomain -shell } proc_net_tcp_udp:file *;
+
+# Apps cannot access bootstrap files. The bootstrap files are only for
+# extremely early processes (like init, etc.) which are started before
+# the runtime APEX is activated and Bionic libs are provided from there.
+# If app process accesses (or even load/execute) the bootstrap files,
+# it might cause problems such as ODR violation, etc.
+neverallow appdomain system_bootstrap_lib_file:file
+ { open read write append execute execute_no_trans map };
+neverallow appdomain system_bootstrap_lib_file:dir
+ { open read getattr search };
+
+# Allow to read ro.vendor.camera.extensions.enabled
+get_prop(appdomain, camera2_extensions_prop)
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
diff --git a/prebuilts/api/33.0/public/app_zygote.te b/prebuilts/api/33.0/public/app_zygote.te
new file mode 100644
index 0000000..4c1ec96
--- /dev/null
+++ b/prebuilts/api/33.0/public/app_zygote.te
@@ -0,0 +1,6 @@
+# app_zygote is an auxiliary zygote process that is used to spawn
+# isolated service processes for individual applications. It is
+# spawned from the regular zygote process as a "child zygote".
+
+type app_zygote, domain;
+type app_zygote_tmpfs, file_type;
diff --git a/prebuilts/api/33.0/public/asan_extract.te b/prebuilts/api/33.0/public/asan_extract.te
new file mode 100644
index 0000000..d8a1b73
--- /dev/null
+++ b/prebuilts/api/33.0/public/asan_extract.te
@@ -0,0 +1,33 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+ type asan_extract, domain, coredomain;
+ type asan_extract_exec, exec_type, file_type, system_file_type;
+
+ # Allow asan_extract to execute itself using #!/system/bin/sh
+ allow asan_extract shell_exec:file rx_file_perms;
+
+ # We execute log, rm, gzip and tar.
+ allow asan_extract toolbox_exec:file rx_file_perms;
+ allow asan_extract system_file:file execute_no_trans;
+
+ # asan_extract deletes old /data/lib.
+ allow asan_extract system_file:dir { open read remove_name rmdir write };
+ allow asan_extract system_file:file unlink;
+
+ # asan_extract untars ASAN libraries into /data.
+ allow asan_extract system_data_file:dir create_dir_perms ;
+ allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+ # Relabel the libraries with restorecon.
+ allow asan_extract file_contexts_file:file r_file_perms;
+ allow asan_extract system_data_file:{ dir file } relabelfrom;
+ allow asan_extract system_file:dir { relabelto setattr };
+ allow asan_extract system_file:file relabelto;
+
+ # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+ allow asan_extract system_data_file:file execute;
+')
diff --git a/prebuilts/api/33.0/public/atrace.te b/prebuilts/api/33.0/public/atrace.te
new file mode 100644
index 0000000..7327f84
--- /dev/null
+++ b/prebuilts/api/33.0/public/atrace.te
@@ -0,0 +1 @@
+type atrace, domain, coredomain;
diff --git a/prebuilts/api/33.0/public/attributes b/prebuilts/api/33.0/public/attributes
new file mode 100644
index 0000000..906dbcd
--- /dev/null
+++ b/prebuilts/api/33.0/public/attributes
@@ -0,0 +1,433 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# in tools/checkfc.c
+attribute dev_type;
+
+# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
+attribute bdev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute fs_type;
+
+# All types used for context= mounts.
+attribute contextmount_type;
+
+# All types referencing a FUSE filesystem.
+# When mounting a new FUSE filesystem, the fscontext= option should be used to
+# set a domain-specific type with this attribute. See app_fusefs for an
+# example.
+attribute fusefs_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+expandattribute data_file_type false;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+expandattribute core_data_file_type false;
+
+# All types used for app private data files in seapp_contexts.
+# Such types should not be applied to any other files.
+attribute app_data_file_type;
+expandattribute app_data_file_type false;
+
+# All types in /system
+attribute system_file_type;
+
+# All types in /system_dlkm
+attribute system_dlkm_file_type;
+
+# All types in /vendor
+attribute vendor_file_type;
+
+# All types used for procfs files.
+attribute proc_type;
+expandattribute proc_type false;
+
+# Types in /proc/net, excluding qtaguid types.
+# TODO(b/9496886) Lock down access to /proc/net.
+# This attribute is used to audit access to proc_net. it is temporary and will
+# be removed.
+attribute proc_net_type;
+expandattribute proc_net_type true;
+
+# All types used for sysfs files.
+attribute sysfs_type;
+
+# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
+attribute sysfs_block_type;
+
+# All types use for debugfs files.
+attribute debugfs_type;
+
+# All types used for tracefs files.
+attribute tracefs_type;
+
+# Attribute used for all sdcards
+attribute sdcard_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All types used for property service
+# On change, update CHECK_PC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute property_type;
+
+# All properties defined in core SELinux policy. Should not be
+# used by device specific properties
+attribute core_property_type;
+
+# All properties used to configure log filtering.
+attribute log_property_type;
+
+# All properties that are not specific to device but are added from
+# outside of AOSP. (e.g. OEM-specific properties)
+# These properties are not accessible from device-specific domains
+attribute extended_core_property_type;
+
+# Properties used for representing ownership. All properties should have one
+# of: system_property_type, product_property_type, or vendor_property_type.
+
+# All properties defined by /system.
+attribute system_property_type;
+expandattribute system_property_type false;
+
+# All /system-defined properties used only in /system.
+attribute system_internal_property_type;
+expandattribute system_internal_property_type false;
+
+# All /system-defined properties which can't be written outside /system.
+attribute system_restricted_property_type;
+expandattribute system_restricted_property_type false;
+
+# All /system-defined properties with no restrictions.
+attribute system_public_property_type;
+expandattribute system_public_property_type false;
+
+# All keystore2_key labels.
+attribute keystore2_key_type;
+
+# All properties defined by /product.
+# Currently there are no enforcements between /system and /product, so for now
+# /product attributes are just replaced to /system attributes.
+define(`product_property_type', `system_property_type')
+define(`product_internal_property_type', `system_internal_property_type')
+define(`product_restricted_property_type', `system_restricted_property_type')
+define(`product_public_property_type', `system_public_property_type')
+
+# All properties defined by /vendor.
+attribute vendor_property_type;
+expandattribute vendor_property_type false;
+
+# All /vendor-defined properties used only in /vendor.
+attribute vendor_internal_property_type;
+expandattribute vendor_internal_property_type false;
+
+# All /vendor-defined properties which can't be written outside /vendor.
+attribute vendor_restricted_property_type;
+expandattribute vendor_restricted_property_type false;
+
+# All /vendor-defined properties with no restrictions.
+attribute vendor_public_property_type;
+expandattribute vendor_public_property_type false;
+
+# All service_manager types created by system_server
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which should be available to all ephemeral apps
+attribute ephemeral_app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
+
+# services which are explicitly disallowed for untrusted apps to access
+attribute protected_service;
+
+# services which served by vendor and also using the copy of libbinder on
+# system (for instance via libbinder_ndk). services using a different copy
+# of libbinder currently need their own context manager (e.g.
+# vndservicemanager)
+attribute vendor_service;
+
+# All types used for services managed by servicemanager.
+# On change, update CHECK_SC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute service_manager_type;
+
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
+# All HwBinder services that untrusted apps can't directly access
+attribute protected_hwservice;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+# All services declared as part of an HAL
+attribute hal_service_type;
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All third party apps (except isolated_app and ephemeral_app)
+attribute untrusted_app_all;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
+
+# All domains which have BPF access.
+attribute bpfdomain;
+expandattribute bpfdomain false;
+
+# update_engine related domains that need to apply an update and run
+# postinstall. This includes the background daemon and the sideload tool from
+# recovery for A/B devices.
+attribute update_engine_common;
+
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All vendor hwservice.
+attribute vendor_hwservice_type;
+
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+expandattribute coredomain_socket false;
+
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+expandattribute socket_between_core_and_vendor_violators false;
+
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+expandattribute vendor_executes_system_violators false;
+
+# All domains which violate the requirement of not sharing files by path
+# between between vendor and core domains.
+# TODO(b/34980020)
+attribute data_between_core_and_vendor_violators;
+expandattribute data_between_core_and_vendor_violators false;
+
+# All system domains which violate the requirement of not executing vendor
+# binaries/libraries.
+# TODO(b/62041836)
+attribute system_executes_vendor_violators;
+expandattribute system_executes_vendor_violators false;
+
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
+# All system domains which violate the requirement of not writing to
+# /mnt/vendor/*. Must not be used on devices launched with P or later.
+attribute system_writes_mnt_vendor_violators;
+expandattribute system_writes_mnt_vendor_violators false;
+
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary. It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice_violators;
+expandattribute untrusted_app_visible_hwservice_violators false;
+
+# halserver domains that are accessible to untrusted applications. These
+# domains are typically those hosting hwservices attributed by the
+# untrusted_app_visible_hwservice_violators.
+# WARNING: Use of this attribute should be avoided unless absolutely necessary.
+# It is a temporary allowance to aid the transition to treble and will be
+# removed in the future platform version, requiring all halserver domains that
+# are labeled with this attribute to be submitted to AOSP in order to maintain
+# their app-visibility.
+attribute untrusted_app_visible_halserver_violators;
+expandattribute untrusted_app_visible_halserver_violators false;
+
+# PDX services
+attribute pdx_endpoint_dir_type;
+attribute pdx_endpoint_socket_type;
+expandattribute pdx_endpoint_socket_type false;
+attribute pdx_channel_socket_type;
+expandattribute pdx_channel_socket_type false;
+
+pdx_service_attributes(display_client)
+pdx_service_attributes(display_manager)
+pdx_service_attributes(display_screenshot)
+pdx_service_attributes(display_vsync)
+pdx_service_attributes(performance_client)
+pdx_service_attributes(bufferhub_client)
+
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
+expandattribute halclientdomain true;
+
+# Exempt for halserverdomain to access sockets. Only builds for automotive
+# device types are allowed to use this attribute (enforced by CTS).
+# Unlike phone, in a car many modules are external from Android perspective and
+# HALs should be able to communicate with those devices through sockets.
+attribute hal_automotive_socket_exemption;
+
+# HALs
+hal_attribute(allocator);
+hal_attribute(atrace);
+hal_attribute(audio);
+hal_attribute(audiocontrol);
+hal_attribute(authsecret);
+hal_attribute(bluetooth);
+hal_attribute(bootctl);
+hal_attribute(broadcastradio);
+hal_attribute(camera);
+hal_attribute(can_bus);
+hal_attribute(can_controller);
+hal_attribute(cas);
+hal_attribute(codec2);
+hal_attribute(configstore);
+hal_attribute(confirmationui);
+hal_attribute(contexthub);
+hal_attribute(dice);
+hal_attribute(drm);
+hal_attribute(dumpstate);
+hal_attribute(evs);
+hal_attribute(face);
+hal_attribute(fingerprint);
+hal_attribute(gatekeeper);
+hal_attribute(gnss);
+hal_attribute(graphics_allocator);
+hal_attribute(graphics_composer);
+hal_attribute(health);
+hal_attribute(health_storage);
+hal_attribute(identity);
+hal_attribute(input_classifier);
+hal_attribute(input_processor);
+hal_attribute(ir);
+hal_attribute(keymaster);
+hal_attribute(keymint);
+hal_attribute(light);
+hal_attribute(lowpan);
+hal_attribute(memtrack);
+hal_attribute(neuralnetworks);
+hal_attribute(nfc);
+hal_attribute(nlinterceptor);
+hal_attribute(oemlock);
+hal_attribute(omx);
+hal_attribute(power);
+hal_attribute(power_stats);
+hal_attribute(rebootescrow);
+hal_attribute(secure_element);
+hal_attribute(sensors);
+hal_attribute(telephony);
+hal_attribute(tetheroffload);
+hal_attribute(thermal);
+hal_attribute(tv_cec);
+hal_attribute(tv_input);
+hal_attribute(tv_tuner);
+hal_attribute(usb);
+hal_attribute(usb_gadget);
+hal_attribute(uwb);
+# TODO(b/196225233): Remove this attribute and its usages elsewhere
+# once all chip vendors integrate to the new UWB stack.
+hal_attribute(uwb_vendor);
+hal_attribute(vehicle);
+hal_attribute(vibrator);
+hal_attribute(vr);
+hal_attribute(weaver);
+hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
+hal_attribute(wifi_supplicant);
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server to loosen the coupling between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute automotive_display_service_server;
+attribute camera_service_server;
+attribute display_service_server;
+attribute evsmanager_service_server;
+attribute scheduler_service_server;
+attribute sensor_service_server;
+attribute stats_service_server;
+attribute system_suspend_internal_server;
+attribute system_suspend_server;
+attribute wifi_keystore_service_server;
+
+# All types used for super partition block devices.
+attribute super_block_device_type;
+
+# All types used for DMA-BUF heaps
+attribute dmabuf_heap_device_type;
+expandattribute dmabuf_heap_device_type false;
+
+# All types used for DSU metadata files.
+attribute gsi_metadata_file_type;
+
+# Types used for module-specific APEX data directories under
+# /data/{misc,misc_ce,misc_de}/apexdata.
+attribute apex_data_file_type;
+
+# Domains used for charger.
+# This is the common type for domains that executes charger's
+# functionalities, including setting and getting necessary properties,
+# permissions to maintain the health loop, writing to kernel log, handling
+# inputs and drawing screens, etc.
+attribute charger_type;
diff --git a/prebuilts/api/33.0/public/audioserver.te b/prebuilts/api/33.0/public/audioserver.te
new file mode 100644
index 0000000..d593567
--- /dev/null
+++ b/prebuilts/api/33.0/public/audioserver.te
@@ -0,0 +1,10 @@
+# audioserver - audio services daemon
+type audioserver, domain;
+type audioserver_tmpfs, file_type;
+
+# Allow audioserver to signal audio HAL processes and dump their stacks.
+allow audioserver hal_audio_server:process signal;
+
+# Allow audioserver to access sensorservice.
+allow audioserver sensorservice_service:service_manager find;
+allow audioserver system_server:unix_stream_socket { read write };
diff --git a/prebuilts/api/26.0/public/blkid.te b/prebuilts/api/33.0/public/blkid.te
similarity index 100%
rename from prebuilts/api/26.0/public/blkid.te
rename to prebuilts/api/33.0/public/blkid.te
diff --git a/prebuilts/api/26.0/public/blkid_untrusted.te b/prebuilts/api/33.0/public/blkid_untrusted.te
similarity index 100%
rename from prebuilts/api/26.0/public/blkid_untrusted.te
rename to prebuilts/api/33.0/public/blkid_untrusted.te
diff --git a/prebuilts/api/26.0/public/bluetooth.te b/prebuilts/api/33.0/public/bluetooth.te
similarity index 100%
rename from prebuilts/api/26.0/public/bluetooth.te
rename to prebuilts/api/33.0/public/bluetooth.te
diff --git a/prebuilts/api/33.0/public/bootanim.te b/prebuilts/api/33.0/public/bootanim.te
new file mode 100644
index 0000000..9c7a0ee
--- /dev/null
+++ b/prebuilts/api/33.0/public/bootanim.te
@@ -0,0 +1,45 @@
+# bootanimation oneshot service
+type bootanim, domain;
+type bootanim_exec, system_file_type, exec_type, file_type;
+
+hal_client_domain(bootanim, hal_configstore)
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
+
+binder_use(bootanim)
+binder_call(bootanim, surfaceflinger)
+binder_call(bootanim, audioserver)
+
+hwbinder_use(bootanim)
+
+allow bootanim gpu_device:chr_file rw_file_perms;
+allow bootanim gpu_device:dir r_dir_perms;
+allow bootanim sysfs_gpu:file r_file_perms;
+
+# /oem access
+allow bootanim oemfs:dir search;
+allow bootanim oemfs:file r_file_perms;
+
+allow bootanim audio_device:dir r_dir_perms;
+allow bootanim audio_device:chr_file rw_file_perms;
+
+allow bootanim audioserver_service:service_manager find;
+allow bootanim surfaceflinger_service:service_manager find;
+allow bootanim surfaceflinger:unix_stream_socket { read write };
+
+# Allow access to ion memory allocation device
+allow bootanim ion_device:chr_file rw_file_perms;
+
+# Allow access to DMA-BUF system heap
+allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow bootanim hal_graphics_allocator:fd use;
+
+# Fences
+allow bootanim hal_graphics_composer:fd use;
+
+# Read access to pseudo filesystems.
+allow bootanim proc_meminfo:file r_file_perms;
+
+# System file accesses.
+allow bootanim system_file:dir r_dir_perms;
diff --git a/prebuilts/api/33.0/public/bootstat.te b/prebuilts/api/33.0/public/bootstat.te
new file mode 100644
index 0000000..5079c28
--- /dev/null
+++ b/prebuilts/api/33.0/public/bootstat.te
@@ -0,0 +1,32 @@
+# bootstat command
+type bootstat, domain;
+type bootstat_exec, system_file_type, exec_type, file_type;
+
+read_runtime_log_tags(bootstat)
+
+# Allow persistent storage in /data/misc/bootstat.
+allow bootstat bootstat_data_file:dir rw_dir_perms;
+allow bootstat bootstat_data_file:file create_file_perms;
+
+allow bootstat metadata_file:dir search;
+allow bootstat metadata_bootstat_file:dir rw_dir_perms;
+allow bootstat metadata_bootstat_file:file create_file_perms;
+
+# ToDo: TBI move access for the following to a system health HAL
+
+# Allow access to /sys/fs/pstore/ and syslog
+allow bootstat pstorefs:dir search;
+allow bootstat pstorefs:file r_file_perms;
+allow bootstat kernel:system syslog_read;
+
+# Allow access to reading the logs to read aspects of system health
+read_logd(bootstat)
+
+# Allow bootstat write to statsd.
+unix_socket_send(bootstat, statsdw, statsd)
+
+neverallow {
+ domain
+ -bootstat
+ -init
+} system_boot_reason_prop:property_service set;
diff --git a/prebuilts/api/33.0/public/bpfloader.te b/prebuilts/api/33.0/public/bpfloader.te
new file mode 100644
index 0000000..81c32ee
--- /dev/null
+++ b/prebuilts/api/33.0/public/bpfloader.te
@@ -0,0 +1 @@
+type bpfloader, domain, coredomain;
diff --git a/prebuilts/api/33.0/public/bufferhubd.te b/prebuilts/api/33.0/public/bufferhubd.te
new file mode 100644
index 0000000..37edb5d
--- /dev/null
+++ b/prebuilts/api/33.0/public/bufferhubd.te
@@ -0,0 +1,25 @@
+# bufferhubd
+type bufferhubd, domain, mlstrustedsubject;
+type bufferhubd_exec, system_file_type, exec_type, file_type;
+
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
+# TODO(b/112338294): remove these after migrate to Binder
+pdx_server(bufferhubd, bufferhub_client)
+pdx_client(bufferhubd, performance_client)
+
+# Access the GPU.
+allow bufferhubd gpu_device:chr_file rw_file_perms;
+
+# Access /dev/ion
+allow bufferhubd ion_device:chr_file r_file_perms;
+
+# Receive sync fence FDs from hal_omx_server. Note that hal_omx_server never directly
+# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
+# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
+# Thus, there is no need to use pdx_client macro.
+allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+
diff --git a/prebuilts/api/33.0/public/camera_service_server.te b/prebuilts/api/33.0/public/camera_service_server.te
new file mode 100644
index 0000000..352e1b7
--- /dev/null
+++ b/prebuilts/api/33.0/public/camera_service_server.te
@@ -0,0 +1 @@
+add_hwservice(camera_service_server, fwk_camera_hwservice)
diff --git a/prebuilts/api/33.0/public/cameraserver.te b/prebuilts/api/33.0/public/cameraserver.te
new file mode 100644
index 0000000..d41339a
--- /dev/null
+++ b/prebuilts/api/33.0/public/cameraserver.te
@@ -0,0 +1,82 @@
+# cameraserver - camera daemon
+type cameraserver, domain;
+type cameraserver_exec, system_file_type, exec_type, file_type;
+type cameraserver_tmpfs, file_type;
+
+binder_use(cameraserver)
+binder_call(cameraserver, binderservicedomain)
+binder_call(cameraserver, appdomain)
+binder_service(cameraserver)
+
+hal_client_domain(cameraserver, hal_camera)
+
+hal_client_domain(cameraserver, hal_graphics_allocator)
+
+allow cameraserver ion_device:chr_file rw_file_perms;
+allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
+add_service(cameraserver, cameraserver_service)
+add_hwservice(cameraserver, fwk_camera_hwservice)
+
+allow cameraserver activity_service:service_manager find;
+allow cameraserver appops_service:service_manager find;
+allow cameraserver audioserver_service:service_manager find;
+allow cameraserver batterystats_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver package_native_service:service_manager find;
+allow cameraserver permission_checker_service:service_manager find;
+allow cameraserver processinfo_service:service_manager find;
+allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver sensor_privacy_service:service_manager find;
+allow cameraserver surfaceflinger_service:service_manager find;
+
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+allow cameraserver hal_camera_service:service_manager find;
+
+# Allow to talk with surfaceflinger through unix stream socket
+allow cameraserver surfaceflinger:unix_stream_socket { read write };
+
+###
+### neverallow rules
+###
+
+# cameraserver should never execute any executable without a
+# domain transition
+neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow cameraserver domain:{ udp_socket rawip_socket } *;
+neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+# Allow shell commands from ADB for CTS testing/dumping
+allow cameraserver adbd:fd use;
+allow cameraserver adbd:unix_stream_socket { read write };
+allow cameraserver shell:fd use;
+allow cameraserver shell:unix_stream_socket { read write };
+allow cameraserver shell:fifo_file { read write };
+
+# Allow to talk with media codec
+allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
+hal_client_domain(cameraserver, hal_omx)
+hal_client_domain(cameraserver, hal_allocator)
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow cameraserver su:fd use;
+ allow cameraserver su:fifo_file { read write };
+ allow cameraserver su:unix_stream_socket { read write };
+')
diff --git a/prebuilts/api/33.0/public/charger.te b/prebuilts/api/33.0/public/charger.te
new file mode 100644
index 0000000..418dff9
--- /dev/null
+++ b/prebuilts/api/33.0/public/charger.te
@@ -0,0 +1,5 @@
+type charger, charger_type, domain;
+type charger_exec, system_file_type, exec_type, file_type;
+
+# The system charger is a client of HIDL health HAL.
+hal_client_domain(charger, hal_health)
diff --git a/prebuilts/api/33.0/public/charger_type.te b/prebuilts/api/33.0/public/charger_type.te
new file mode 100644
index 0000000..4241360
--- /dev/null
+++ b/prebuilts/api/33.0/public/charger_type.te
@@ -0,0 +1,37 @@
+# Write to /dev/kmsg
+allow charger_type kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger_type, rootfs)
+r_dir_file(charger_type, cgroup)
+r_dir_file(charger_type, cgroup_v2)
+
+# Allow to read /sys/class/power_supply directory
+allow charger_type sysfs_type:dir r_dir_perms;
+
+allow charger_type self:global_capability_class_set {
+ sys_boot
+ sys_tty_config
+};
+
+wakelock_use(charger_type)
+
+allow charger_type self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Read/write to /sys/power/state
+allow charger_type sysfs_power:file rw_file_perms;
+
+r_dir_file(charger_type, sysfs_batteryinfo)
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger_type pstorefs:dir r_dir_perms;
+allow charger_type pstorefs:file r_file_perms;
+
+allow charger_type graphics_device:dir r_dir_perms;
+allow charger_type graphics_device:chr_file rw_file_perms;
+allow charger_type input_device:dir r_dir_perms;
+allow charger_type input_device:chr_file r_file_perms;
+allow charger_type tty_device:chr_file rw_file_perms;
+allow charger_type proc_sysrq:file rw_file_perms;
diff --git a/prebuilts/api/33.0/public/charger_vendor.te b/prebuilts/api/33.0/public/charger_vendor.te
new file mode 100644
index 0000000..d8f3bb2
--- /dev/null
+++ b/prebuilts/api/33.0/public/charger_vendor.te
@@ -0,0 +1,6 @@
+# Context when health HAL runs charger mode
+
+type charger_vendor, charger_type, domain;
+hal_server_domain(charger_vendor, hal_health)
+
+typeattribute charger_vendor bpfdomain;
diff --git a/prebuilts/api/33.0/public/crash_dump.te b/prebuilts/api/33.0/public/crash_dump.te
new file mode 100644
index 0000000..45269c3
--- /dev/null
+++ b/prebuilts/api/33.0/public/crash_dump.te
@@ -0,0 +1,80 @@
+type crash_dump, domain;
+type crash_dump_exec, system_file_type, exec_type, file_type;
+
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
+
+userdebug_or_eng(`
+ allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
+
+ # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
+ allow crash_dump kmsg_debug_device:chr_file { open append };
+')
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Read/write IPC pipes inherited from crashing processes.
+allow crash_dump domain:fifo_file { read write };
+
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { append };
+
+# Read information from /proc/$PID.
+allow crash_dump domain:process getattr;
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow crash_dump dalvikcache_data_file:dir { search getattr };
+allow crash_dump dalvikcache_data_file:file r_file_perms;
+
+# Read APEX data directories.
+allow crash_dump apex_module_data_file:dir { getattr search };
+
+# Read uptime
+allow crash_dump proc_uptime:file r_file_perms;
+
+# Read APK files.
+r_dir_file(crash_dump, apk_data_file);
+
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
+# Read all /data/local/tests
+r_dir_file(crash_dump, shell_test_data_file)
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Talk to ActivityManager.
+unix_socket_connect(crash_dump, system_ndebug, system_server)
+
+# Append to ANR files.
+allow crash_dump anr_data_file:file { append getattr };
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+# crash_dump writes out logcat logs at the bottom of tombstones,
+# which is super useful in some cases.
+unix_socket_connect(crash_dump, logdr, logd)
+
+# Crash dump is not intended to access the following files. Since these
+# are WAI, suppress the denials to clean up the logs.
+dontaudit crash_dump {
+ core_data_file_type
+ vendor_file_type
+}:dir search;
+dontaudit crash_dump system_data_file:{ lnk_file file } read;
+dontaudit crash_dump property_type:file read;
+
+###
+### neverallow assertions
+###
+
+# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
+# Do not allow the execution of crash_dump without a domain transition.
+neverallow domain crash_dump_exec:file execute_no_trans;
diff --git a/prebuilts/api/33.0/public/credstore.te b/prebuilts/api/33.0/public/credstore.te
new file mode 100644
index 0000000..97d942d
--- /dev/null
+++ b/prebuilts/api/33.0/public/credstore.te
@@ -0,0 +1,19 @@
+type credstore, domain;
+type credstore_exec, system_file_type, exec_type, file_type;
+
+# credstore daemon
+binder_use(credstore)
+binder_service(credstore)
+binder_call(credstore, system_server)
+
+allow credstore credstore_data_file:dir create_dir_perms;
+allow credstore credstore_data_file:file create_file_perms;
+
+add_service(credstore, credstore_service)
+allow credstore sec_key_att_app_id_provider_service:service_manager find;
+allow credstore dropbox_service:service_manager find;
+allow credstore authorization_service:service_manager find;
+allow credstore keystore:keystore2 get_auth_token;
+
+r_dir_file(credstore, cgroup)
+r_dir_file(credstore, cgroup_v2)
diff --git a/prebuilts/api/33.0/public/device.te b/prebuilts/api/33.0/public/device.te
new file mode 100644
index 0000000..1bb386f
--- /dev/null
+++ b/prebuilts/api/33.0/public/device.te
@@ -0,0 +1,125 @@
+# Device types
+type device, dev_type, fs_type;
+type ashmem_device, dev_type, mlstrustedobject;
+type ashmem_libcutils_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type dm_user_device, dev_type;
+type keychord_device, dev_type;
+type loop_control_device, dev_type;
+type loop_device, dev_type;
+type pmsg_device, dev_type, mlstrustedobject;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type rtc_device, dev_type;
+type vd_device, dev_type;
+type vold_device, dev_type;
+type console_device, dev_type;
+type fscklogs, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
+type graphics_device, dev_type;
+type hw_random_device, dev_type;
+type input_device, dev_type;
+type port_device, dev_type;
+type lowpan_device, dev_type;
+type mtp_device, dev_type, mlstrustedobject;
+type nfc_device, dev_type;
+type ptmx_device, dev_type, mlstrustedobject;
+type kmsg_device, dev_type, mlstrustedobject;
+type kmsg_debug_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type, mlstrustedobject;
+type secure_element_device, dev_type;
+type sensors_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type owntty_device, dev_type, mlstrustedobject;
+type tty_device, dev_type;
+type video_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
+type fuse_device, dev_type, mlstrustedobject;
+type iio_device, dev_type;
+type ion_device, dev_type, mlstrustedobject;
+type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type qtaguid_device, dev_type;
+type watchdog_device, dev_type;
+type uhid_device, dev_type, mlstrustedobject;
+type uio_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type usbaccessory_device, dev_type, mlstrustedobject;
+type usb_device, dev_type, mlstrustedobject;
+type usb_serial_device, dev_type;
+type gnss_device, dev_type;
+type properties_device, dev_type;
+type properties_serial, dev_type;
+type property_info, dev_type;
+
+# All devices have a uart for the hci
+# attach service. The uart dev node
+# varies per device. This type
+# is used in per device policy
+type hci_attach_dev, dev_type;
+
+# All devices have a rpmsg device for
+# achieving remoteproc and rpmsg modules
+type rpmsg_device, dev_type;
+
+# Partition layout block device
+type root_block_device, dev_type;
+
+# factory reset protection block device
+type frp_block_device, dev_type;
+
+# System block device mounted on /system.
+# Documented at https://source.android.com/devices/bootloader/partitions
+type system_block_device, dev_type;
+
+# Recovery block device.
+# Documented at https://source.android.com/devices/bootloader/partitions
+type recovery_block_device, dev_type;
+
+# boot block device.
+# Documented at https://source.android.com/devices/bootloader/partitions
+type boot_block_device, dev_type;
+
+# Userdata block device mounted on /data.
+# Documented at https://source.android.com/devices/bootloader/partitions
+type userdata_block_device, dev_type;
+
+# Cache block device mounted on /cache.
+# Documented at https://source.android.com/devices/bootloader/partitions
+type cache_block_device, dev_type;
+
+# Block device for any swap partition.
+type swap_block_device, dev_type;
+
+# Metadata block device mounted on /metadata, used for encryption metadata and
+# various other purposes.
+# Documented at https://source.android.com/devices/bootloader/partitions
+type metadata_block_device, dev_type;
+
+# The 'misc' partition used by recovery and A/B.
+# Documented at https://source.android.com/devices/bootloader/partitions
+type misc_block_device, dev_type;
+
+# 'super' partition to be used for logical partitioning.
+type super_block_device, super_block_device_type, dev_type;
+
+# sdcard devices; normally vold uses the vold_block_device label and creates a
+# separate device node. gsid, however, accesses the original devide node
+# created through uevents, so we use a separate label.
+type sdcard_block_device, dev_type;
+
+# Userdata device file for filesystem tunables
+type userdata_sysdev, dev_type;
+
+# Root disk file for disk tunables
+type rootdisk_sysdev, dev_type;
diff --git a/prebuilts/api/33.0/public/dhcp.te b/prebuilts/api/33.0/public/dhcp.te
new file mode 100644
index 0000000..1d875ab
--- /dev/null
+++ b/prebuilts/api/33.0/public/dhcp.te
@@ -0,0 +1,28 @@
+type dhcp, domain;
+type dhcp_exec, system_file_type, exec_type, file_type;
+
+net_domain(dhcp)
+
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
+allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket create_socket_perms_no_ioctl;
+allow dhcp self:netlink_route_socket nlmsg_write;
+allow dhcp shell_exec:file rx_file_perms;
+allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
+
+# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
+allow dhcp toolbox_exec:file rx_file_perms;
+
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net_type:file write;
+
+allow dhcp dhcp_data_file:dir create_dir_perms;
+allow dhcp dhcp_data_file:file create_file_perms;
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file rw_file_perms;
+allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/prebuilts/api/33.0/public/diced.te b/prebuilts/api/33.0/public/diced.te
new file mode 100644
index 0000000..0908936
--- /dev/null
+++ b/prebuilts/api/33.0/public/diced.te
@@ -0,0 +1,11 @@
+type diced, domain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+binder_use(diced)
+binder_service(diced)
+
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# Check SELinux permissions.
+selinux_check_access(diced)
diff --git a/prebuilts/api/26.0/public/display_service_server.te b/prebuilts/api/33.0/public/display_service_server.te
similarity index 100%
rename from prebuilts/api/26.0/public/display_service_server.te
rename to prebuilts/api/33.0/public/display_service_server.te
diff --git a/prebuilts/api/33.0/public/dnsmasq.te b/prebuilts/api/33.0/public/dnsmasq.te
new file mode 100644
index 0000000..86f1eb1
--- /dev/null
+++ b/prebuilts/api/33.0/public/dnsmasq.te
@@ -0,0 +1,28 @@
+# DNS, DHCP services
+type dnsmasq, domain;
+type dnsmasq_exec, system_file_type, exec_type, file_type;
+
+net_domain(dnsmasq)
+allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
+
+# TODO: Run with dhcp group to avoid need for dac_override.
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
+
+allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
+
+allow dnsmasq dhcp_data_file:dir w_dir_perms;
+allow dnsmasq dhcp_data_file:file create_file_perms;
+
+# Inherit and use open files from netd.
+allow dnsmasq netd:fd use;
+allow dnsmasq netd:fifo_file { getattr read write };
+# TODO: Investigate whether these inherited sockets should be closed on exec.
+allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
+allow dnsmasq netd:netlink_nflog_socket { read write };
+allow dnsmasq netd:netlink_route_socket { read write };
+allow dnsmasq netd:unix_stream_socket { getattr read write };
+allow dnsmasq netd:unix_dgram_socket { read write };
+allow dnsmasq netd:udp_socket { read write };
+
+# sometimes a network device vanishes and we try to load module netdev-{devicename}
+dontaudit dnsmasq kernel:system module_request;
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
new file mode 100644
index 0000000..6258c7a
--- /dev/null
+++ b/prebuilts/api/33.0/public/domain.te
@@ -0,0 +1,1348 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Intra-domain accesses.
+allow domain self:process {
+ fork
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ getattr
+ setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net_type:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+
+userdebug_or_eng(`
+ allow domain su:fd use;
+ allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
+ allow domain su:unix_dgram_socket sendto;
+
+ allow { domain -init } su:binder { call transfer };
+
+ # Running something like "pm dump com.android.bluetooth" requires
+ # fifo writes
+ allow domain su:fifo_file { write getattr };
+
+ # allow "gdbserver --attach" to work for su.
+ allow domain su:process sigchld;
+
+ # Allow writing coredumps to /cores/*
+ allow domain coredump_file:file create_file_perms;
+ allow domain coredump_file:dir ra_dir_perms;
+')
+
+with_native_coverage(`
+ # Allow writing coverage information to /data/misc/trace
+ allow domain method_trace_data_file:dir create_dir_perms;
+ allow domain method_trace_data_file:file create_file_perms;
+')
+
+# Root fs.
+allow domain tmpfs:dir { getattr search };
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain dmabuf_heap_device:dir r_dir_perms;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+
+# /dev/ashmem is being deprecated by means of constraining and eventually
+# removing all "open" permissions. We preserve the other permissions.
+allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
+# This device is used by libcutils, which is accessible to everyone.
+allow domain ashmem_libcutils_device:chr_file rw_file_perms;
+
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
+
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+allow domain binderfs_features:dir search;
+allow domain binderfs_features:file r_file_perms;
+
+allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
+
+# Public readable properties
+get_prop(domain, aaudio_config_prop)
+get_prop(domain, apexd_select_prop)
+get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bluetooth_config_prop)
+get_prop(domain, bootloader_prop)
+get_prop(domain, build_odm_prop)
+get_prop(domain, build_prop)
+get_prop(domain, build_vendor_prop)
+get_prop(domain, debug_prop)
+get_prop(domain, exported_config_prop)
+get_prop(domain, exported_default_prop)
+get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_secure_prop)
+get_prop(domain, exported_system_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, gwp_asan_prop)
+get_prop(domain, hal_instrumentation_prop)
+get_prop(domain, hw_timeout_multiplier_prop)
+get_prop(domain, init_service_status_prop)
+get_prop(domain, libc_debug_prop)
+get_prop(domain, logd_prop)
+get_prop(domain, mediadrm_config_prop)
+get_prop(domain, property_service_version_prop)
+get_prop(domain, soc_prop)
+get_prop(domain, socket_hook_prop)
+get_prop(domain, surfaceflinger_prop)
+get_prop(domain, telephony_status_prop)
+get_prop(domain, vendor_socket_hook_prop)
+get_prop(domain, vndk_prop)
+get_prop(domain, vold_status_prop)
+get_prop(domain, vts_config_prop)
+
+# Binder cache properties are world-readable
+get_prop(domain, binder_cache_bluetooth_server_prop)
+get_prop(domain, binder_cache_system_server_prop)
+get_prop(domain, binder_cache_telephony_server_prop)
+
+# Let everyone read log properties, so that liblog can avoid sending unloggable
+# messages to logd.
+get_prop(domain, log_property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts_file:file r_file_perms;
+
+allow domain init:key search;
+allow domain vold:key search;
+
+# logd access
+write_logd(domain)
+
+# Directory/link file access for path resolution.
+allow domain {
+ system_file
+ system_lib_file
+ system_seccomp_policy_file
+ system_security_cacerts_file
+}:dir r_dir_perms;
+allow domain system_file:lnk_file { getattr read };
+
+# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
+allow domain system_seccomp_policy_file:file r_file_perms;
+# cacerts are accessible from public Java API.
+allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
+allow domain system_linker_exec:file { execute read open getattr map };
+allow domain system_linker_config_file:file r_file_perms;
+allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
+
+allow domain system_event_log_tags_file:file r_file_perms;
+
+allow { appdomain coredomain } system_file:file { execute read open getattr map };
+
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+ allow domain system_file:file { execute read open getattr map };
+ allow domain vendor_file_type:dir { search getattr };
+ allow domain vendor_file_type:file { execute read open getattr map };
+ allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow {
+ domain
+ -coredomain # access is explicitly granted to individual coredomains
+} same_process_hal_file:file { execute read open getattr map };
+
+# Any process can load vndk-sp libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_sp_file:dir r_dir_perms;
+allow domain vndk_sp_file:file { execute read open getattr map };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr map };
+
+full_treble_only(`
+ # Allow all domains to be able to follow /system/vendor and/or
+ # /vendor/odm symlinks.
+ allow domain vendor_file_type:lnk_file { getattr open read };
+
+ # This is required to be able to search & read /vendor/lib64
+ # in order to lookup vendor libraries. The execute permission
+ # for coredomains is granted *only* for same process HALs
+ allow domain vendor_file:dir { getattr search };
+
+ # Allow reading and executing out of /vendor to all vendor domains
+ allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+ allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
+ allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
+
+# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
+# timezone related information.
+# This directory is considered to be a VNDK-stable
+allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
+allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+r_dir_file(domain, sysfs_usb);
+
+# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
+# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
+allow domain sysfs_transparent_hugepage:dir search;
+allow domain sysfs_transparent_hugepage:file r_file_perms;
+
+# files under /data.
+not_full_treble(`
+ allow domain system_data_file:dir getattr;
+')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
+allow domain system_data_root_file:dir { search getattr } ;
+allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# /dev/cpu_variant:.*
+allow domain dev_cpu_variant:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# Restrict all domains to an allowlist for common socket types. Additional
+# ioctl commands may be added to individual domains, but this sets safe
+# defaults for all processes. Note that granting this allowlist to domain does
+# not grant the ioctl permission on these socket types. That must be granted
+# separately.
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# default allowlist for unix sockets.
+allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
+ ioctl unpriv_unix_sock_ioctls;
+
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+
+# All domains must clearly enumerate what ioctls they use
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets). We start off with a safe set.
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
+
+# If a domain has ioctl access to tun_device, it must clearly enumerate the
+# ioctls used. Safe defaults are listed below.
+allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
+
+# Allow a process to make a determination whether a file descriptor
+# for a plain file or pipe (fifo_file) is a tty. Note that granting
+# this allowlist to domain does not grant the ioctl permission to
+# these files. That must be granted separately.
+allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+allowxperm domain domain:fifo_file ioctl { TCGETS };
+
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
+
+# Support sqlite F2FS specific optimizations
+# ioctl permission on the specific file type is still required
+# TODO: consider only compiling these rules if we know the
+# /data partition is F2FS
+allowxperm domain { file_type sdcard_type }:file ioctl {
+ F2FS_IOC_ABORT_VOLATILE_WRITE
+ F2FS_IOC_COMMIT_ATOMIC_WRITE
+ F2FS_IOC_GET_FEATURES
+ F2FS_IOC_GET_PIN_FILE
+ F2FS_IOC_SET_PIN_FILE
+ F2FS_IOC_START_ATOMIC_WRITE
+};
+
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
+
+# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
+with_asan(`allow domain system_data_file:dir getattr;')
+# Under ASAN, /system/asan.options needs to be globally accessible.
+with_asan(`allow domain system_asan_options_file:file r_file_perms;')
+
+# read APEX dir and stat any symlink pointing to APEXs.
+allow domain apex_mnt_dir:dir { getattr search };
+allow domain apex_mnt_dir:lnk_file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# All ioctls on file-like objects (except chr_file and blk_file) and
+# sockets must be restricted to an allowlist.
+neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
+
+# b/68014825 and https://android-review.googlesource.com/516535
+# rfc6093 says that processes should not use the TCP urgent mechanism
+neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
+
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
+# Do not allow any domain other than init to create unlabeled files.
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
+
+# Limit device node creation to these allowed domains.
+neverallow {
+ domain
+ -kernel
+ -init
+ -ueventd
+ -vold
+} self:global_capability_class_set mknod;
+
+# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
+neverallow * self:memprotect mmap_zero;
+
+# No domain needs mac_override as it is unused by SELinux.
+neverallow * self:global_capability2_class_set mac_override;
+
+# Disallow attempts to set contexts not defined in current policy
+# This helps guarantee that unknown or dangerous contents will not ever
+# be set.
+neverallow * self:global_capability2_class_set mac_admin;
+
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow * kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
+
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow * kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
+# Only the kernel hwrng thread should be able to read from the HW RNG.
+neverallow {
+ domain
+ -shell # For CTS, restricted to just getattr in shell.te
+ -ueventd # To create the /dev/hw_random file
+} hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+ domain
+ -shell # stat of /dev, getattr only
+ -ueventd
+} keychord_device:chr_file *;
+
+# Ensure that all entrypoint executables are in exec_type or postinstall_file.
+neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
+
+# The dynamic linker always calls access(2) on the path. Don't generate SElinux
+# denials since the linker does not actually access the path in case the path
+# does not exist or isn't accessible for the process.
+dontaudit domain postinstall_mnt_dir:dir audit_access;
+
+#Ensure that nothing in userspace can access /dev/port
+neverallow {
+ domain
+ -shell # Shell user should not have any abilities outside of getattr
+ -ueventd
+} port_device:chr_file *;
+neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
+neverallow { domain -init -vendor_init } proc_security:file { append open read write };
+
+# Init can't do anything with binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow * init:binder *;
+neverallow * vendor_init:binder *;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
+
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+neverallow domain device:chr_file { open read write };
+
+# Files from cache should never be executed
+neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
+
+# The test files and executables MUST not be accessible to any domain
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
+neverallow domain nativetest_data_file:dir no_w_dir_perms;
+neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
+
+neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
+neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
+neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
+neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
+
+# Only the init property service should write to /data/property and /dev/__properties__
+neverallow { domain -init } property_data_file:dir no_w_dir_perms;
+neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
+
+# Nobody should be doing writes to /system & /vendor
+# These partitions are intended to be read-only and must never be
+# modified. Doing so would violate important Android security guarantees
+# and invalidate dm-verity signatures.
+neverallow {
+ domain
+ with_asan(`-asan_extract')
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+} {
+ system_file_type
+ vendor_file_type
+ exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+
+# Don't allow mounting on top of /system files or directories
+neverallow * exec_type:dir_file_class_set mounton;
+
+# Nothing should be writing to files in the rootfs.
+neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+
+# Restrict context mounts to specific types marked with
+# the contextmount_type attribute.
+neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+
+# Ensure that context mount types are not writable, to ensure that
+# the write to /system restriction above is not bypassed via context=
+# mount to another type.
+neverallow * contextmount_type:dir_file_class_set
+ { create setattr relabelfrom relabelto append link rename };
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
+
+# Do not allow service_manager add for default service labels.
+# Instead domains should use a more specific type such as
+# system_app_service rather than the generic type.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
+neverallow * default_android_service:service_manager *;
+neverallow * default_android_vndservice:service_manager *;
+neverallow * default_android_hwservice:hwservice_manager *;
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
+
+# Require that domains explicitly label unknown properties, and do not allow
+# anyone but init to modify unknown properties.
+neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } vndk_prop:property_service set;
+
+compatible_property_only(`
+ neverallow { domain -init } mmc_prop:property_service set;
+ neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
+ neverallow { domain -init } exported_secure_prop:property_service set;
+ neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+ neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
+ neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
+')
+
+compatible_property_only(`
+ neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
+ neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
+')
+
+neverallow { domain -init } aac_drc_prop:property_service set;
+neverallow { domain -init } build_prop:property_service set;
+
+# Do not allow reading device's serial number from system properties except form
+# a few allowed domains.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -fastbootd
+ -hal_camera_server
+ -hal_cas_server
+ -hal_drm_server
+ userdebug_or_eng(`-incidentd')
+ -init
+ -mediadrmserver
+ -mediaserver
+ -recovery
+ -shell
+ -system_server
+ -vendor_init
+} serialno_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -init
+ -recovery
+ -system_server
+ -shell # Shell is further restricted in shell.te
+ -ueventd # Further restricted in ueventd.te
+} frp_block_device:blk_file no_rw_file_perms;
+
+# The metadata block device is set aside for device encryption and
+# verified boot metadata. It may be reset at will and should not
+# be used by other domains.
+neverallow {
+ domain
+ -init
+ -recovery
+ -vold
+ -e2fs
+ -fsck
+ -fastbootd
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };
+
+# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
+neverallow {
+ domain
+ -fastbootd
+ userdebug_or_eng(`-fsck')
+ userdebug_or_eng(`-init')
+ -recovery
+ -update_engine
+} system_block_device:blk_file { write append };
+
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
+# The service managers are only allowed to access their own device node
+neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
+
+# system services cant add vendor services
+neverallow {
+ coredomain
+} vendor_service:service_manager add;
+
+full_treble_only(`
+ # vendor services cant add system services
+ neverallow {
+ domain
+ -coredomain
+ } {
+ service_manager_type
+ -vendor_service
+ }:service_manager add;
+')
+
+full_treble_only(`
+ # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+ # services which can change any time framework/core is updated, breakage is likely.
+ #
+ # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ service_manager_type
+
+ -app_api_service
+ -vendor_service # must be @VintfStability to be used by an app
+ -ephemeral_app_api_service
+
+ -apc_service
+ -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+ -cameraserver_service
+ -drmserver_service
+ -credstore_service
+ -keystore_maintenance_service
+ -keystore_service
+ -legacykeystore_service
+ -mediadrmserver_service
+ -mediaextractor_service
+ -mediametrics_service
+ -mediaserver_service
+ -nfc_service
+ -radio_service
+ -virtual_touchpad_service
+ -vr_manager_service
+ userdebug_or_eng(`-hal_face_service')
+ }:service_manager find;
+')
+
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+ } vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
+ neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservicemanager:binder *;
+')
+
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+ # Most general rules first, more specific rules below.
+
+ # Core domains are not permitted to initiate communications to vendor domain sockets.
+ # We are not restricting the use of already established sockets because it is fine for a process
+ # to obtain an already established socket via some public/official/stable API and then exchange
+ # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+ # and thus does not break the core-vendor separation.
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ coredomain
+ -init
+ -adbd
+ }, {
+ domain
+ -coredomain
+ -socket_between_core_and_vendor_violators
+ });
+')
+
+ # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain # appdomain restrictions below
+ -data_between_core_and_vendor_violators # b/70393317
+ -socket_between_core_and_vendor_violators
+ -vendor_init
+ } {
+ coredomain_socket
+ core_data_file_type
+ unlabeled # used only by core domains
+ }:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ coredomain_socket
+ unlabeled # used only by core domains
+ core_data_file_type
+ -app_data_file
+ -privapp_data_file
+ -pdx_endpoint_socket_type # used by VR layer
+ -pdx_channel_socket_type # used by VR layer
+ }:sock_file ~{ append getattr ioctl read write };
+')
+
+ # Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -socket_between_core_and_vendor_violators
+ } {
+ file_type
+ dev_type
+ -coredomain_socket
+ -core_data_file_type
+ -app_data_file_type
+ -unlabeled
+ }:sock_file ~{ append getattr ioctl read write };
+')
+
+# On TREBLE devices, vendor and system components are only allowed to share
+# files by passing open FDs over hwbinder. Ban all directory access and all file
+# accesses other than what can be applied to an open FD such as
+# ioctl/stat/read/write/append. This is enforced by segregating /data.
+# Vendor domains may directly access file in /data/vendor by path, but may only
+# access files outside of /data/vendor via an open FD passed over hwbinder.
+# Likewise, core domains may only directly access files outside /data/vendor by
+# path and files in /data/vendor by open FD.
+full_treble_only(`
+ # only coredomains may only access core_data_file_type, particularly not
+ # /data/vendor
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vold_prepare_subdirs
+ } {
+ data_file_type
+ -core_data_file_type
+ -app_data_file_type
+ }:file_class_set ~{ append getattr ioctl read write map };
+')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vold_prepare_subdirs
+ } {
+ data_file_type
+ -core_data_file_type
+ -app_data_file_type
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ }:dir *;
+
+')
+full_treble_only(`
+ # vendor domains may only access files in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -vendor_init
+ } {
+ core_data_file_type
+ # libc includes functions like mktime and localtime which attempt to access
+ # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
+ # These functions are considered vndk-stable and thus must be allowed for
+ # all processes.
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:file_class_set ~{ append getattr ioctl read write map };
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:file_class_set ~{ append getattr ioctl read write map };
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators
+ -vendor_init
+ } {
+ core_data_file_type
+ -system_data_file # default label for files on /data. Covered below...
+ -system_data_root_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:dir *;
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:dir *;
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:dir ~search;
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ } {
+ system_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ -vold # vold creates per-user storage for both system and vendor
+ -vold_prepare_subdirs
+ } {
+ vendor_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ } {
+ vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+ }:file_class_set ~{ append getattr ioctl read write map };
+')
+
+full_treble_only(`
+ # Non-vendor domains are not allowed to file execute shell
+ # from vendor
+ neverallow {
+ coredomain
+ -init
+ -shell
+ -ueventd
+ } vendor_shell_exec:file { execute execute_no_trans };
+')
+
+full_treble_only(`
+ # Do not allow vendor components to execute files from system
+ # except for the ones allowed here.
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_executes_system_violators
+ -vendor_init
+ } {
+ system_file_type
+ -system_lib_file
+ -system_linker_exec
+ -crash_dump_exec
+ -iorap_prefetcherd_exec
+ -iorap_inode2filename_exec
+ -netutils_wrapper_exec
+ userdebug_or_eng(`-tcpdump_exec')
+ }:file { entrypoint execute execute_no_trans };
+')
+
+full_treble_only(`
+ # Do not allow coredomain to access entrypoint for files other
+ # than system_file_type and postinstall_file
+ neverallow coredomain {
+ file_type
+ -system_file_type
+ -postinstall_file
+ }:file entrypoint;
+ # Do not allow domains other than coredomain to access entrypoint
+ # for anything but vendor_file_type and init_exec for vendor_init.
+ neverallow { domain -coredomain } {
+ file_type
+ -vendor_file_type
+ -init_exec
+ }:file entrypoint;
+')
+
+full_treble_only(`
+ # Do not allow system components to execute files from vendor
+ # except for the ones allowed here.
+ neverallow {
+ coredomain
+ -init
+ -shell
+ -system_executes_vendor_violators
+ -ueventd
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vndk_sp_file
+ -vendor_app_file
+ -vendor_public_framework_file
+ -vendor_public_lib_file
+ }:file execute;
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ -system_executes_vendor_violators
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ }:file execute_no_trans;
+')
+
+full_treble_only(`
+ # Do not allow vendor components access to /system files except for the
+ # ones allowed here.
+ neverallow {
+ domain
+ -appdomain
+ -coredomain
+ -vendor_executes_system_violators
+ # vendor_init needs access to init_exec for domain transition. vendor_init
+ # neverallows are covered in public/vendor_init.te
+ -vendor_init
+ } {
+ system_file_type
+ -crash_dump_exec
+ -file_contexts_file
+ -iorap_inode2filename_exec
+ -netutils_wrapper_exec
+ -property_contexts_file
+ -system_event_log_tags_file
+ -system_group_file
+ -system_lib_file
+ with_asan(`-system_asan_options_file')
+ -system_linker_exec
+ -system_linker_config_file
+ -system_passwd_file
+ -system_seccomp_policy_file
+ -system_security_cacerts_file
+ -system_zoneinfo_file
+ -task_profiles_api_file
+ -task_profiles_file
+ userdebug_or_eng(`-tcpdump_exec')
+ }:file *;
+')
+
+# Only system_server should be able to send commands via the zygote socket
+neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } zygote_socket:sock_file write;
+
+neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } webview_zygote:sock_file write;
+neverallow { domain -system_server } app_zygote:sock_file write;
+
+neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;
+
+# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
+# the tombstoned intercept socket.
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+
+# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
+neverallow { domain -init -system_server } heapdump_data_file:file read;
+
+# Android does not support System V IPCs.
+#
+# The reason for this is due to the fact that, by design, they lead to global
+# kernel resource leakage.
+#
+# For example, there is no way to automatically release a SysV semaphore
+# allocated in the kernel when:
+#
+# - a buggy or malicious process exits
+# - a non-buggy and non-malicious process crashes or is explicitly killed.
+#
+# Killing processes automatically to make room for new ones is an
+# important part of Android's application lifecycle implementation. This means
+# that, even assuming only non-buggy and non-malicious code, it is very likely
+# that over time, the kernel global tables used to implement SysV IPCs will fill
+# up.
+neverallow * *:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only dumpstate, shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow * {
+ file_type
+ -apk_data_file
+ -app_data_file
+ -asec_public_file
+}:file execmod;
+
+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow * self:process { execstack execheap };
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
+
+neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+ domain
+ -system_server
+ -system_app
+ -init
+ -toolbox # TODO(b/141108496) We want to remove toolbox
+ -installd # for relabelfrom and unlink, check for this in explicit neverallow
+ -vold_prepare_subdirs # For unlink
+ with_asan(`-asan_extract')
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+ domain
+ -adbd
+ -init
+ -runas
+ -zygote
+} shell:process { transition dyntransition };
+
+# Only domains spawned from zygote, runas and simpleperf_app_runner may have
+# the appdomain attribute. simpleperf is excluded as a domain transitioned to
+# when running an app-scoped profiling session.
+neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
+ appdomain -shell -simpleperf userdebug_or_eng(`-su')
+}:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+ domain
+ -appdomain
+ -installd
+} { app_data_file privapp_data_file }:lnk_file read;
+
+neverallow {
+ domain
+ -shell
+ userdebug_or_eng(`-uncrypt')
+ -installd
+} shell_data_file:lnk_file read;
+
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -installd
+ -init
+ -shell
+ -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -init
+ -installd
+ -iorap_inode2filename
+ -simpleperf_app_runner
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir { open search };
+
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+ servicemanager
+ vndservicemanager
+ }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+ hwservicemanager
+ }:hwservice_manager list;
+
+# only service_manager_types can be added to service_manager
+# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
+
+# Prevent assigning non property types to properties
+# TODO - rework this: neverallow * ~property_type:property_service set;
+
+# Domain types should never be assigned to any files other
+# than the /proc/pid files associated with a process. The
+# executable file used to enter a domain should be labeled
+# with its own _exec type, not with the domain type.
+# Conventionally, this looks something like:
+# $ cat mydaemon.te
+# type mydaemon, domain;
+# type mydaemon_exec, exec_type, file_type;
+# init_daemon_domain(mydaemon)
+# $ grep mydaemon file_contexts
+# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
+neverallow * domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+# TODO: fix dumpstate
+neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
+
+# Do not allow executable files in debugfs.
+neverallow domain debugfs_type:file { execute execute_no_trans };
+
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+ domain
+ -installd
+ -profman
+} profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, boot, and system_dlkm partitions.
+# TODO(b/218951883): Remove usage of system and rootfs as origin
+neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
+
+# Only allow filesystem caps to be set at build time. Runtime changes
+# to filesystem capabilities are not permitted.
+neverallow * self:global_capability_class_set setfcap;
+
+# Enforce AT_SECURE for executing crash_dump.
+neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
+
+# If an already existing file is opened with O_CREAT, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
+neverallow domain {
+ proc_type
+ sysfs_type
+}:dir { add_name create link remove_name rename reparent rmdir write };
+
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+ dontaudit domain proc_type:dir add_name;
+ dontaudit domain sysfs_type:dir add_name;
+ dontaudit domain proc_type:file create;
+ dontaudit domain sysfs_type:file create;
+')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ -system_writes_mnt_vendor_violators
+} mnt_vendor_file:dir *;
+
+# Only apps are allowed access to vendor public libraries.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
+')
+
+# Vendor domian must not have access to /mnt/product.
+neverallow {
+ domain
+ -coredomain
+} mnt_product_file:dir *;
+
+# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ # For access to block device information under /sys/class/block.
+ -apexd
+ # Read sysfs block device information.
+ -init
+ # Generate uevents for health info
+ -ueventd
+ # Recovery uses health HAL passthrough implementation.
+ -recovery
+ # Charger uses health HAL passthrough implementation.
+ -charger
+ # TODO(b/110891300): remove this exception
+ -incidentd
+ } sysfs_batteryinfo:file { open read };
+')
+
+neverallow {
+ domain
+ -hal_codec2_server
+ -hal_omx_server
+} hal_codec2_hwservice:hwservice_manager add;
+
+# Only apps targetting < Q are allowed to open /dev/ashmem directly.
+# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
+neverallow {
+ domain
+ -ephemeral_app # We don't distinguish ephemeral apps based on target API.
+ -untrusted_app_25
+ -untrusted_app_27
+} ashmem_device:chr_file open;
+
+neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
+
+# Linux lockdown "integrity" level is enforced for user builds.
+neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/prebuilts/api/33.0/public/drmserver.te b/prebuilts/api/33.0/public/drmserver.te
new file mode 100644
index 0000000..d515079
--- /dev/null
+++ b/prebuilts/api/33.0/public/drmserver.te
@@ -0,0 +1,65 @@
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, system_file_type, exec_type, file_type;
+
+typeattribute drmserver mlstrustedsubject;
+
+net_domain(drmserver)
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system_server)
+binder_call(drmserver, appdomain)
+binder_call(drmserver, mediametrics)
+binder_service(drmserver)
+# Inherit or receive open files from system_server.
+allow drmserver system_server:fd use;
+
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
+allow drmserver { sdcard_type fuse }:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
+allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
+allow drmserver { sdcard_type fuse }:file { read write getattr map };
+r_dir_file(drmserver, efs_file)
+
+type drmserver_socket, file_type;
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket. Not.
+allow drmserver apk_data_file:dir rw_dir_perms;
+auditallow drmserver apk_data_file:dir { add_name write };
+allow drmserver drmserver_socket:sock_file create_file_perms;
+auditallow drmserver drmserver_socket:sock_file create;
+# Delete old socket file if present.
+allow drmserver apk_data_file:sock_file unlink;
+
+# After taking a video, drmserver looks at the video file.
+r_dir_file(drmserver, media_rw_data_file)
+
+# Read resources from open apk files passed over Binder.
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow drmserver radio_data_file:file { read getattr map };
+
+# /oem access
+allow drmserver oemfs:dir search;
+allow drmserver oemfs:file r_file_perms;
+
+# overlay package access
+allow drmserver vendor_overlay_file:file { read map };
+
+add_service(drmserver, drmserver_service)
+allow drmserver permission_service:service_manager find;
+allow drmserver mediametrics_service:service_manager find;
+
+selinux_check_access(drmserver)
+
+r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
+r_dir_file(drmserver, system_file)
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
new file mode 100644
index 0000000..2c75f30
--- /dev/null
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -0,0 +1,399 @@
+# dumpstate
+type dumpstate, domain, mlstrustedsubject;
+type dumpstate_exec, system_file_type, exec_type, file_type;
+
+net_domain(dumpstate)
+binder_use(dumpstate)
+wakelock_use(dumpstate)
+
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
+
+# Allow dumpstate to scan through /proc/pid for all processes
+r_dir_file(dumpstate, domain)
+
+allow dumpstate self:global_capability_class_set {
+ # Send signals to processes
+ kill
+ # Run iptables
+ net_raw
+ net_admin
+};
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
+allow dumpstate toolbox_exec:file rx_file_perms;
+
+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
+# Create and write into /data/anr/
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
+allow dumpstate anr_data_file:dir rw_dir_perms;
+allow dumpstate anr_data_file:file create_file_perms;
+
+# Allow reading /data/system/uiderrors.txt
+# TODO: scope this down.
+allow dumpstate system_data_file:file r_file_perms;
+
+# Allow dumpstate to append into apps' private files.
+allow dumpstate { privapp_data_file app_data_file }:file append;
+
+# Read dmesg
+allow dumpstate self:global_capability2_class_set syslog;
+allow dumpstate kernel:system syslog_read;
+
+# Read /sys/fs/pstore/console-ramoops
+allow dumpstate pstorefs:dir r_dir_perms;
+allow dumpstate pstorefs:file r_file_perms;
+
+# Get process attributes
+allow dumpstate domain:process getattr;
+
+# Signal java processes to dump their stack
+allow dumpstate { appdomain system_server zygote }:process signal;
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.c
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediametrics
+ mediaserver
+ mediaswcodec
+ sdcardd
+ surfaceflinger
+ vold
+
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
+ hal_audio_server
+ hal_audiocontrol_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_codec2_server
+ hal_drm_server
+ hal_evs_server
+ hal_face_server
+ hal_fingerprint_server
+ hal_graphics_allocator_server
+ hal_graphics_composer_server
+ hal_health_server
+ hal_neuralnetworks_server
+ hal_omx_server
+ hal_power_server
+ hal_power_stats_server
+ hal_sensors_server
+ hal_thermal_server
+ hal_vehicle_server
+ hal_vr_server
+ system_suspend_server
+}:process signal;
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
+
+# Access to /sys
+allow dumpstate sysfs_type:dir r_dir_perms;
+
+allow dumpstate {
+ sysfs_devices_block
+ sysfs_dm
+ sysfs_loop
+ sysfs_usb
+ sysfs_zram
+}:file r_file_perms;
+
+# Other random bits of data we want to collect
+no_debugfs_restriction(`
+ allow dumpstate debugfs:file r_file_perms;
+ auditallow dumpstate debugfs:file r_file_perms;
+
+ allow dumpstate debugfs_mmc:file r_file_perms;
+')
+
+# df for
+allow dumpstate {
+ block_device
+ cache_file
+ metadata_file
+ rootfs
+ selinuxfs
+ storage_file
+ tmpfs
+}:dir { search getattr };
+allow dumpstate fuse_device:chr_file getattr;
+allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
+
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
+
+# Allow dumpstate to make binder calls to any binder service
+binder_call(dumpstate, binderservicedomain)
+binder_call(dumpstate, { appdomain netd wificond })
+
+# Allow dumpstate to call dump() on specific hals.
+dump_hal(hal_dumpstate)
+dump_hal(hal_wifi)
+dump_hal(hal_graphics_allocator)
+dump_hal(hal_light)
+dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
+dump_hal(hal_thermal)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+dump_hal(hal_identity)
+dump_hal(hal_face)
+dump_hal(hal_fingerprint)
+dump_hal(hal_gnss)
+dump_hal(hal_contexthub)
+dump_hal(hal_drm)
+
+# Vibrate the device after we are done collecting the bugreport
+hal_client_domain(dumpstate, hal_vibrator)
+
+# Reading /proc/PID/maps of other processes
+allow dumpstate self:global_capability_class_set sys_ptrace;
+
+# Allow the bugreport service to create a file in
+# /data/data/com.android.shell/files/bugreports/bugreport
+allow dumpstate shell_data_file:dir create_dir_perms;
+allow dumpstate shell_data_file:file create_file_perms;
+
+# Run a shell.
+allow dumpstate shell_exec:file rx_file_perms;
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file rx_file_perms;
+
+# For Bluetooth
+allow dumpstate bluetooth_data_file:dir search;
+allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
+allow dumpstate bluetooth_logs_data_file:file r_file_perms;
+
+# For Nfc
+allow dumpstate nfc_logs_data_file:dir r_dir_perms;
+allow dumpstate nfc_logs_data_file:file r_file_perms;
+
+# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
+allow dumpstate gpu_device:chr_file rw_file_perms;
+allow dumpstate gpu_device:dir r_dir_perms;
+
+# logd access
+read_logd(dumpstate)
+control_logd(dumpstate)
+read_runtime_log_tags(dumpstate)
+
+# Read files in /proc
+allow dumpstate {
+ proc_buddyinfo
+ proc_cmdline
+ proc_meminfo
+ proc_modules
+ proc_net_type
+ proc_pipe_conf
+ proc_pagetypeinfo
+ proc_qtaguid_ctrl
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat
+}:file r_file_perms;
+
+# Read network state info files.
+allow dumpstate net_data_file:dir search;
+allow dumpstate net_data_file:file r_file_perms;
+
+# List sockets via ss.
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Access /data/tombstones.
+allow dumpstate tombstone_data_file:dir r_dir_perms;
+allow dumpstate tombstone_data_file:file r_file_perms;
+
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
+# Access /data/misc/recovery
+allow dumpstate recovery_data_file:dir r_dir_perms;
+allow dumpstate recovery_data_file:file r_file_perms;
+
+#Access /data/misc/update_engine_log
+allow dumpstate update_engine_log_data_file:dir r_dir_perms;
+allow dumpstate update_engine_log_data_file:file r_file_perms;
+
+# Access /data/misc/profiles/{cur,ref}/
+userdebug_or_eng(`
+ allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
+ allow dumpstate user_profile_data_file:file r_file_perms;
+')
+
+# Access /data/misc/logd
+allow dumpstate misc_logd_file:dir r_dir_perms;
+allow dumpstate misc_logd_file:file r_file_perms;
+
+# Access /data/misc/prereboot
+allow dumpstate prereboot_data_file:dir r_dir_perms;
+allow dumpstate prereboot_data_file:file r_file_perms;
+
+allow dumpstate app_fuse_file:dir r_dir_perms;
+allow dumpstate overlayfs_file:dir r_dir_perms;
+
+allow dumpstate {
+ service_manager_type
+ -apex_service
+ -dumpstate_service
+ -gatekeeper_service
+ -hal_service_type
+ -virtual_touchpad_service
+ -vold_service
+ -default_android_service
+}:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+ apex_service
+ dumpstate_service
+ gatekeeper_service
+ hal_service_type
+ virtual_touchpad_service
+ vold_service
+}:service_manager find;
+
+# Most of these are neverallowed.
+dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
+
+allow dumpstate servicemanager:service_manager list;
+allow dumpstate hwservicemanager:hwservice_manager list;
+
+allow dumpstate devpts:chr_file rw_file_perms;
+
+# Read any system properties
+get_prop(dumpstate, property_type)
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
+allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;
+
+# Create a service for talking back to system_server
+add_service(dumpstate, dumpstate_service)
+
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
+# Allow dumpstate to run top
+allow dumpstate proc_stat:file r_file_perms;
+
+allow dumpstate proc_pressure_cpu:file r_file_perms;
+allow dumpstate proc_pressure_mem:file r_file_perms;
+allow dumpstate proc_pressure_io:file r_file_perms;
+
+# Allow dumpstate to run ps
+allow dumpstate proc_pid_max:file r_file_perms;
+
+# Allow dumpstate to talk to installd over binder
+binder_call(dumpstate, installd);
+
+# Allow dumpstate to talk to iorapd over binder.
+binder_call(dumpstate, iorapd)
+
+# Allow dumpstate to run ip xfrm policy
+allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Allow dumpstate to run iotop
+allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# Allow dumpstate to run ss
+allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+
+# Allow dumpstate to read linkerconfig directory
+allow dumpstate linkerconfig_file:dir { read open };
+
+# For when dumpstate runs df
+dontaudit dumpstate {
+ mnt_vendor_file
+ mirror_data_file
+ mnt_user_file
+}:dir search;
+dontaudit dumpstate {
+ apex_mnt_dir
+ linkerconfig_file
+ mirror_data_file
+ mnt_user_file
+}:dir getattr;
+
+# Allow dumpstate to talk to bufferhubd over binder
+binder_call(dumpstate, bufferhubd);
+
+# Allow dumpstate to talk to mediaswcodec over binder
+binder_call(dumpstate, mediaswcodec);
+
+# Allow dumpstate to talk to these stable AIDL services over binder
+binder_call(dumpstate, hal_rebootescrow_server)
+allow hal_rebootescrow_server dumpstate:fifo_file write;
+allow hal_rebootescrow_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_authsecret_server)
+allow hal_authsecret_server dumpstate:fifo_file write;
+allow hal_authsecret_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_keymint_server)
+allow hal_keymint_server dumpstate:fifo_file write;
+allow hal_keymint_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_memtrack_server)
+allow hal_memtrack_server dumpstate:fifo_file write;
+allow hal_memtrack_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_oemlock_server)
+allow hal_oemlock_server dumpstate:fifo_file write;
+allow hal_oemlock_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_weaver_server)
+allow hal_weaver_server dumpstate:fifo_file write;
+allow hal_weaver_server dumpstate:fd use;
+
+#Access /data/misc/snapshotctl_log
+allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
+allow dumpstate snapshotctl_log_data_file:file r_file_perms;
+
+#Allow access to /dev/binderfs/binder_logs
+allow dumpstate binderfs_logs:dir r_dir_perms;
+allow dumpstate binderfs_logs:file r_file_perms;
+allow dumpstate binderfs_logs_proc:file r_file_perms;
+
+allow dumpstate apex_info_file:file getattr;
+
+###
+### neverallow rules
+###
+
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+ domain
+ -system_server
+ -shell
+ -traceur_app
+ -dumpstate
+} dumpstate_service:service_manager find;
diff --git a/prebuilts/api/33.0/public/e2fs.te b/prebuilts/api/33.0/public/e2fs.te
new file mode 100644
index 0000000..dd5bd69
--- /dev/null
+++ b/prebuilts/api/33.0/public/e2fs.te
@@ -0,0 +1,26 @@
+type e2fs, domain, coredomain;
+type e2fs_exec, system_file_type, exec_type, file_type;
+
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
+allow e2fs block_device:dir search;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+allow e2fs dm_device:blk_file rw_file_perms;
+allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+
+allow e2fs {
+ proc_filesystems
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
+
+# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
+allow e2fs sysfs_fs_ext4_features:file r_file_perms;
+
+# access SELinux context files
+allow e2fs file_contexts_file:file r_file_perms;
diff --git a/prebuilts/api/26.0/public/ephemeral_app.te b/prebuilts/api/33.0/public/ephemeral_app.te
similarity index 100%
rename from prebuilts/api/26.0/public/ephemeral_app.te
rename to prebuilts/api/33.0/public/ephemeral_app.te
diff --git a/prebuilts/api/33.0/public/evsmanagerd.te b/prebuilts/api/33.0/public/evsmanagerd.te
new file mode 100644
index 0000000..cde0380
--- /dev/null
+++ b/prebuilts/api/33.0/public/evsmanagerd.te
@@ -0,0 +1,2 @@
+# evsmanager daemon
+type evsmanagerd, domain;
diff --git a/prebuilts/api/33.0/public/extra_free_kbytes.te b/prebuilts/api/33.0/public/extra_free_kbytes.te
new file mode 100644
index 0000000..ed0c935
--- /dev/null
+++ b/prebuilts/api/33.0/public/extra_free_kbytes.te
@@ -0,0 +1,13 @@
+# The extra_free_kbytes.sh script run by init.
+type extra_free_kbytes, domain;
+type extra_free_kbytes_exec, system_file_type, exec_type, file_type;
+
+# required permissions to run the script from init
+allow extra_free_kbytes shell_exec:file rx_file_perms;
+allow extra_free_kbytes system_file:file x_file_perms;
+allow extra_free_kbytes toolbox_exec:file rx_file_perms;
+
+# files used by the script
+allow extra_free_kbytes proc_extra_free_kbytes:file rw_file_perms;
+allow extra_free_kbytes proc_watermark_scale_factor:file rw_file_perms;
+allow extra_free_kbytes proc_zoneinfo:file r_file_perms;
diff --git a/prebuilts/api/33.0/public/fastbootd.te b/prebuilts/api/33.0/public/fastbootd.te
new file mode 100644
index 0000000..0c43a89
--- /dev/null
+++ b/prebuilts/api/33.0/public/fastbootd.te
@@ -0,0 +1,122 @@
+# fastbootd (used in recovery init.rc for /sbin/fastbootd)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type fastbootd, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+ # fastbootd can only use HALs in passthrough mode
+ passthrough_hal_client_domain(fastbootd, hal_bootctl)
+
+ # fastbootd can use AIDL HALs in binder mode
+ binder_use(fastbootd)
+ hal_client_domain(fastbootd, hal_health)
+
+ # Access /dev/usb-ffs/fastbootd/ep0
+ allow fastbootd functionfs:dir search;
+ allow fastbootd functionfs:file rw_file_perms;
+
+ allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
+ # Log to serial
+ allow fastbootd kmsg_device:chr_file { open getattr write };
+
+ # battery info
+ allow fastbootd sysfs_batteryinfo:file r_file_perms;
+
+ allow fastbootd device:dir r_dir_perms;
+
+ # For dev/block/by-name dir
+ allow fastbootd block_device:dir r_dir_perms;
+
+ # Needed for DM_DEV_CREATE ioctl call
+ allow fastbootd self:capability sys_admin;
+
+ unix_socket_connect(fastbootd, recovery, recovery)
+
+ # Required for flashing
+ allow fastbootd dm_device:chr_file rw_file_perms;
+ allow fastbootd dm_device:blk_file rw_file_perms;
+
+ allow fastbootd cache_block_device:blk_file rw_file_perms;
+ allow fastbootd super_block_device_type:blk_file rw_file_perms;
+ allow fastbootd {
+ boot_block_device
+ metadata_block_device
+ system_block_device
+ userdata_block_device
+ }:blk_file { w_file_perms getattr ioctl };
+
+ # For disabling/wiping GSI, and for modifying/deleting files created via
+ # libfiemap.
+ allow fastbootd metadata_block_device:blk_file r_file_perms;
+ allow fastbootd {rootfs tmpfs}:dir mounton;
+ allow fastbootd metadata_file:dir { search getattr mounton };
+ allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file_type:file create_file_perms;
+
+ allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+ allowxperm fastbootd {
+ metadata_block_device
+ userdata_block_device
+ dm_device
+ cache_block_device
+ }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
+
+ allow fastbootd misc_block_device:blk_file rw_file_perms;
+
+ allow fastbootd proc_cmdline:file r_file_perms;
+ allow fastbootd rootfs:dir r_dir_perms;
+
+ # Needed to read fstab node from device tree.
+ allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+ allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
+
+ # Needed because libdm reads sysfs to validate when a dm path is ready.
+ r_dir_file(fastbootd, sysfs_dm)
+
+ # Needed for realpath() call to resolve symlinks.
+ allow fastbootd block_device:dir getattr;
+ userdebug_or_eng(`
+ # Refined manipulation of /mnt/scratch, without these perms resorts
+ # to deleting scratch partition when partition(s) are flashed.
+ allow fastbootd self:process setfscreate;
+ allow fastbootd cache_file:dir search;
+ allow fastbootd proc_filesystems:file { getattr open read };
+ allow fastbootd self:capability sys_rawio;
+ dontaudit fastbootd kernel:system module_request;
+ allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
+ allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
+ allow fastbootd {
+ system_file_type
+ unlabeled
+ vendor_file_type
+ }:dir { remove_name rmdir search write };
+ allow fastbootd {
+ overlayfs_file
+ system_file_type
+ unlabeled
+ vendor_file_type
+ }:{ file lnk_file } unlink;
+ allow fastbootd tmpfs:dir rw_dir_perms;
+ # Fetch vendor_boot partition
+ allow fastbootd boot_block_device:blk_file r_file_perms;
+ ')
+
+ # Allow using libfiemap/gsid directly (no binder in recovery).
+ allow fastbootd gsi_metadata_file_type:dir search;
+ allow fastbootd ota_metadata_file:dir rw_dir_perms;
+ allow fastbootd ota_metadata_file:file create_file_perms;
+')
+
+###
+### neverallow rules
+###
+
+# Write permission is required to wipe userdata
+# until recovery supports vold.
+neverallow fastbootd {
+ data_file_type
+}:file { no_x_file_perms };
diff --git a/prebuilts/api/33.0/public/file.te b/prebuilts/api/33.0/public/file.te
new file mode 100644
index 0000000..9d333f5
--- /dev/null
+++ b/prebuilts/api/33.0/public/file.te
@@ -0,0 +1,621 @@
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type, proc_type;
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
+type binderfs_features, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
+type proc_kpageflags, fs_type, proc_type;
+type proc_watermark_boost_factor, fs_type, proc_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, proc_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
+type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
+type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
+type proc_bluetooth_writable, fs_type, proc_type;
+type proc_abi, fs_type, proc_type;
+type proc_asound, fs_type, proc_type;
+type proc_bootconfig, fs_type, proc_type;
+type proc_bpf, fs_type, proc_type;
+type proc_buddyinfo, fs_type, proc_type;
+type proc_cmdline, fs_type, proc_type;
+type proc_cpu_alignment, fs_type, proc_type;
+type proc_cpuinfo, fs_type, proc_type;
+type proc_dirty, fs_type, proc_type;
+type proc_diskstats, fs_type, proc_type;
+type proc_extra_free_kbytes, fs_type, proc_type;
+type proc_filesystems, fs_type, proc_type;
+type proc_fs_verity, fs_type, proc_type;
+type proc_hostname, fs_type, proc_type;
+type proc_hung_task, fs_type, proc_type;
+type proc_interrupts, fs_type, proc_type;
+type proc_iomem, fs_type, proc_type;
+type proc_kallsyms, fs_type, proc_type;
+type proc_keys, fs_type, proc_type;
+type proc_kmsg, fs_type, proc_type;
+type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
+type proc_lowmemorykiller, fs_type, proc_type;
+type proc_max_map_count, fs_type, proc_type;
+type proc_meminfo, fs_type, proc_type;
+type proc_misc, fs_type, proc_type;
+type proc_modules, fs_type, proc_type;
+type proc_mounts, fs_type, proc_type;
+type proc_net, fs_type, proc_type, proc_net_type;
+type proc_net_tcp_udp, fs_type, proc_type;
+type proc_page_cluster, fs_type, proc_type;
+type proc_pagetypeinfo, fs_type, proc_type;
+type proc_panic, fs_type, proc_type;
+type proc_perf, fs_type, proc_type;
+type proc_pid_max, fs_type, proc_type;
+type proc_pipe_conf, fs_type, proc_type;
+type proc_pressure_cpu, fs_type, proc_type;
+type proc_pressure_io, fs_type, proc_type;
+type proc_pressure_mem, fs_type, proc_type;
+type proc_random, fs_type, proc_type;
+type proc_sched, fs_type, proc_type;
+type proc_slabinfo, fs_type, proc_type;
+type proc_stat, fs_type, proc_type;
+type proc_swaps, fs_type, proc_type;
+type proc_sysrq, fs_type, proc_type;
+type proc_timer, fs_type, proc_type;
+type proc_tty_drivers, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
+type proc_uid_concurrent_active_time, fs_type, proc_type;
+type proc_uid_concurrent_policy_time, fs_type, proc_type;
+type proc_uid_cpupower, fs_type, proc_type;
+type proc_uptime, fs_type, proc_type;
+type proc_version, fs_type, proc_type;
+type proc_vmallocinfo, fs_type, proc_type;
+type proc_vmstat, fs_type, proc_type;
+type proc_watermark_scale_factor, fs_type, proc_type;
+type proc_zoneinfo, fs_type, proc_type;
+type proc_vendor_sched, proc_type, fs_type;
+type selinuxfs, fs_type, mlstrustedobject;
+type fusectlfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type cgroup_v2, fs_type;
+type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_android_usb, fs_type, sysfs_type;
+type sysfs_uio, sysfs_type, fs_type;
+type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devfreq_cur, fs_type, sysfs_type;
+type sysfs_devfreq_dir, fs_type, sysfs_type;
+type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dma_heap, fs_type, sysfs_type;
+type sysfs_dmabuf_stats, fs_type, sysfs_type;
+type sysfs_dt_firmware_android, fs_type, sysfs_type;
+type sysfs_extcon, fs_type, sysfs_type;
+type sysfs_ion, fs_type, sysfs_type;
+type sysfs_ipv4, fs_type, sysfs_type;
+type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_leds, fs_type, sysfs_type;
+type sysfs_loop, fs_type, sysfs_type;
+type sysfs_gpu, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_net, fs_type, sysfs_type;
+type sysfs_power, fs_type, sysfs_type;
+type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_suspend_stats, fs_type, sysfs_type;
+type sysfs_switch, fs_type, sysfs_type;
+type sysfs_transparent_hugepage, fs_type, sysfs_type;
+type sysfs_lru_gen_enabled, fs_type, sysfs_type;
+type sysfs_usb, fs_type, sysfs_type;
+type sysfs_wakeup, fs_type, sysfs_type;
+type sysfs_wakeup_reasons, fs_type, sysfs_type;
+type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type sysfs_fs_f2fs, sysfs_type, fs_type;
+type sysfs_fs_fuse_bpf, sysfs_type, fs_type;
+type sysfs_fs_incfs_features, sysfs_type, fs_type;
+type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
+type sysfs_vendor_sched, sysfs_type, fs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_vendor_sched mlstrustedobject;
+')
+type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
+type fs_bpf_vendor, fs_type;
+type configfs, fs_type;
+# /sys/devices/cs_etm
+type sysfs_devices_cs_etm, fs_type, sysfs_type;
+# /sys/devices/system/cpu
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
+# /sys/module/lowmemorykiller
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
+# /sys/module/wlan/parameters/fwpath
+type sysfs_wlan_fwpath, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+type sysfs_uhid, fs_type, sysfs_type;
+type sysfs_thermal, sysfs_type, fs_type;
+
+type sysfs_zram, fs_type, sysfs_type;
+type sysfs_zram_uevent, fs_type, sysfs_type;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type, mlstrustedobject;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type fuse, fusefs_type, fs_type, mlstrustedobject;
+type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
+type vfat, sdcard_type, fs_type, mlstrustedobject;
+type exfat, sdcard_type, fs_type, mlstrustedobject;
+type debugfs, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type securityfs, fs_type;
+
+type pstorefs, fs_type;
+type functionfs, fs_type, mlstrustedobject;
+type oemfs, fs_type, contextmount_type;
+type usbfs, fs_type;
+type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, fusefs_type, contextmount_type;
+
+# File types
+type unlabeled, file_type;
+
+# Default type for anything under /system.
+type system_file, system_file_type, file_type;
+# Default type for /system/asan.options
+type system_asan_options_file, system_file_type, file_type;
+# Type for /system/etc/event-log-tags (liblog implementation detail)
+type system_event_log_tags_file, system_file_type, file_type;
+# Default type for anything under /system/lib[64].
+type system_lib_file, system_file_type, file_type;
+# system libraries that are available only to bootstrap processes
+type system_bootstrap_lib_file, system_file_type, file_type;
+# Default type for the group file /system/etc/group.
+type system_group_file, system_file_type, file_type;
+# Default type for linker executable /system/bin/linker[64].
+type system_linker_exec, system_file_type, file_type;
+# Default type for linker config /system/etc/ld.config.*.
+type system_linker_config_file, system_file_type, file_type;
+# Default type for the passwd file /system/etc/passwd.
+type system_passwd_file, system_file_type, file_type;
+# Default type for linker config /system/etc/seccomp_policy/*.
+type system_seccomp_policy_file, system_file_type, file_type;
+# Default type for cacerts in /system/etc/security/cacerts/*.
+type system_security_cacerts_file, system_file_type, file_type;
+# Default type for /system/bin/tcpdump.
+type tcpdump_exec, system_file_type, exec_type, file_type;
+# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
+type system_zoneinfo_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/cgroups.json
+type cgroup_desc_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
+type cgroup_desc_api_file, system_file_type, file_type;
+# Vendor cgroups description file under /vendor/etc/cgroups.json
+type vendor_cgroup_desc_file, vendor_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles.json
+type task_profiles_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+type task_profiles_api_file, system_file_type, file_type;
+# Vendor task profiles file under /vendor/etc/task_profiles.json
+type vendor_task_profiles_file, vendor_file_type, file_type;
+# Type for /system/apex/com.android.art
+type art_apex_dir, system_file_type, file_type;
+# /linkerconfig(/.*)?
+type linkerconfig_file, file_type;
+# Control files under /data/incremental
+type incremental_control_file, file_type, data_file_type, core_data_file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs and their lib/bin dependencies.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-sp libs. /vendor/lib/vndk-sp
+type vndk_sp_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+# Type for all vendor public libraries. These libs should only be exposed to
+# apps. ABI stability of these libs is vendor's responsibility.
+type vendor_public_lib_file, vendor_file_type, file_type;
+# Type for all vendor public libraries for system. These libs should only be exposed to
+# system. ABI stability of these libs is vendor's responsibility.
+type vendor_public_framework_file, vendor_file_type, file_type;
+
+# Input configuration
+type vendor_keylayout_file, vendor_file_type, file_type;
+type vendor_keychars_file, vendor_file_type, file_type;
+type vendor_idc_file, vendor_file_type, file_type;
+
+# Type for vendor uuid mapping config file
+type vendor_uuid_mapping_config_file, vendor_file_type, file_type;
+
+# SoC-specific virtual machine disk files
+type vendor_vm_file, vendor_file_type, file_type;
+# SoC-specific virtual machine disk files that are mutable
+type vendor_vm_data_file, vendor_file_type, file_type;
+
+# /metadata partition itself
+type metadata_file, file_type;
+# Vold files within /metadata
+type vold_metadata_file, file_type;
+# GSI files within /metadata
+type gsi_metadata_file, gsi_metadata_file_type, file_type;
+# DSU (GSI) files within /metadata that are globally readable.
+type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
+# system_server shares Weaver slot information in /metadata
+type password_slot_metadata_file, file_type;
+# APEX files within /metadata
+type apex_metadata_file, file_type;
+# libsnapshot files within /metadata
+type ota_metadata_file, file_type;
+# property files within /metadata/bootstat
+type metadata_bootstat_file, file_type;
+# userspace reboot files within /metadata/userspacereboot
+type userspace_reboot_metadata_file, file_type;
+# Staged install files within /metadata/staged-install
+type staged_install_file, file_type;
+# Metadata information within /metadata/watchdog
+type watchdog_metadata_file, file_type;
+
+# Type for /dev/cpu_variant:.*.
+type dev_cpu_variant, file_type;
+# Speedup access for trusted applications to the runtime event tags
+type runtime_event_log_tags_file, file_type;
+# Type for /system/bin/logcat.
+type logcat_exec, system_file_type, exec_type, file_type;
+# Speedup access to cgroup map file
+type cgroup_rc_file, file_type;
+# /cores for coredumps on userdebug / eng builds
+type coredump_file, file_type;
+# Type of /data itself
+type system_data_root_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type, core_data_file_type;
+# Type for /data/system/packages.list.
+# TODO(b/129332765): Narrow down permissions to this.
+# Find out users of system_data_file that should be granted only this.
+type packages_list_file, file_type, data_file_type, core_data_file_type;
+type game_mode_intervention_list_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data/vendor{_ce,_de}.
+type vendor_data_file, file_type, data_file_type;
+# Unencrypted data
+type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
+# installd-create files in /data/misc/installd such as layout_version
+type install_data_file, file_type, data_file_type, core_data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type, core_data_file_type;
+# /data/adb - adb debugging files
+type adb_data_file, file_type, data_file_type, core_data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/vendor/tombstones/wifi - vendor wifi dumps
+type tombstone_wifi_data_file, file_type, data_file_type;
+# /data/apex - APEX data files
+type apex_data_file, file_type, data_file_type, core_data_file_type;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type, core_data_file_type;
+type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/app-private - forward-locked apps
+type apk_private_data_file, file_type, data_file_type, core_data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota
+type ota_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota_package
+type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profiles
+type user_profile_root_file, file_type, data_file_type, core_data_file_type;
+type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profman
+type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/prereboot
+type prereboot_data_file, file_type, data_file_type, core_data_file_type;
+# /data/resource-cache
+type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+# /data/property
+type property_data_file, file_type, data_file_type, core_data_file_type;
+# /data/bootchart
+type bootchart_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/dropbox
+type dropbox_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/nativetest
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+# /data/local/tests
+type shell_test_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system_de/0/ringtones
+type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/preloads
+type preloads_data_file, file_type, data_file_type, core_data_file_type;
+# /data/preloads/media
+type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
+# /data/server_configurable_flags
+type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
+# /data/app-staging
+type staging_data_file, file_type, data_file_type, core_data_file_type;
+# /vendor/apex
+type vendor_apex_file, vendor_file_type, file_type;
+
+# Mount locations managed by vold
+type mnt_media_rw_file, file_type;
+type mnt_user_file, file_type;
+type mnt_pass_through_file, file_type;
+type mnt_expand_file, file_type;
+type mnt_sdcard_file, file_type;
+type storage_file, file_type;
+
+# Label for storage dirs which are just mount stubs
+type mnt_media_rw_stub_file, file_type;
+type storage_stub_file, file_type;
+
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
+# Mount location for read-write product partitions.
+type mnt_product_file, file_type;
+
+# Mount point used for APEX images
+type apex_mnt_dir, file_type;
+
+# /apex/apex-info-list.xml created by apexd
+type apex_info_file, file_type;
+
+# /postinstall: Mount point used by update_engine to run postinstall.
+type postinstall_mnt_dir, file_type;
+# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
+type postinstall_file, file_type;
+# /postinstall/apex: Mount point used for APEX images within /postinstall.
+type postinstall_apex_mnt_dir, file_type;
+
+# /data_mirror: Contains mirror directory for storing all apps data.
+type mirror_data_file, file_type, core_data_file_type;
+
+# /data/misc subdirectories
+type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type apex_system_server_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
+type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
+type appcompat_data_file, file_type, data_file_type, core_data_file_type;
+type audio_data_file, file_type, data_file_type, core_data_file_type;
+type audioserver_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
+type bootstat_data_file, file_type, data_file_type, core_data_file_type;
+type boottrace_data_file, file_type, data_file_type, core_data_file_type;
+type camera_data_file, file_type, data_file_type, core_data_file_type;
+type credstore_data_file, file_type, data_file_type, core_data_file_type;
+type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
+type incident_data_file, file_type, data_file_type, core_data_file_type;
+type keychain_data_file, file_type, data_file_type, core_data_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type media_data_file, file_type, data_file_type, core_data_file_type;
+type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type, core_data_file_type;
+type net_data_file, file_type, data_file_type, core_data_file_type;
+type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type recovery_data_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
+type stats_data_file, file_type, data_file_type, core_data_file_type;
+type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type vpn_data_file, file_type, data_file_type, core_data_file_type;
+type wifi_data_file, file_type, data_file_type, core_data_file_type;
+type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
+type vold_data_file, file_type, data_file_type, core_data_file_type;
+type iorapd_data_file, file_type, data_file_type, core_data_file_type;
+type tee_data_file, file_type, data_file_type;
+type update_engine_data_file, file_type, data_file_type, core_data_file_type;
+type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/trace for method traces on userdebug / eng builds
+type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type gsi_data_file, file_type, data_file_type, core_data_file_type;
+type radio_core_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+# /data/data subdirectories - priv-app sandboxes
+type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+# /data/data subdirectory for system UID apps.
+type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+# Compatibility with type name used in Android 4.3 and 4.4.
+# Default type for anything under /cache
+type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for /cache/overlay /mnt/scratch/overlay
+type overlayfs_file, file_type, data_file_type, core_data_file_type;
+# Type for /cache/backup_stage/* (fd interchange with apps)
+type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# type for anything under /cache/backup (local transport storage)
+type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
+# Type for anything under /cache/recovery
+type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for shortcut manager icon file.
+type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for user icon file.
+type icon_file, file_type, data_file_type, core_data_file_type;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Elements of asec files (/mnt/asec) that are world readable
+type asec_public_file, file_type, data_file_type, core_data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type, core_data_file_type;
+# /data/backup and /data/secure/backup
+type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# All devices have bluetooth efs files. But they
+# vary per device, so this type is used in per
+# device policy
+type bluetooth_efs_file, file_type;
+# Type for fingerprint template file
+type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
+# Type for _new_ fingerprint template file
+type fingerprint_vendor_data_file, file_type, data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for face template file
+type face_vendor_data_file, file_type, data_file_type;
+# Type for iris template file
+type iris_vendor_data_file, file_type, data_file_type;
+
+# Socket types
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
+type recovery_socket, file_type, coredomain_socket;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type snapuserd_socket, file_type, coredomain_socket;
+type snapuserd_proxy_socket, file_type, coredomain_socket;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
+type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
+type uncrypt_socket, file_type, coredomain_socket;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
+type zygote_socket, file_type, coredomain_socket;
+type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
+# UART (for GPS) control proc file
+type gps_control, file_type;
+
+# PDX endpoint types
+type pdx_display_dir, pdx_endpoint_dir_type, file_type;
+type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
+type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
+
+pdx_service_socket_types(display_client, pdx_display_dir)
+pdx_service_socket_types(display_manager, pdx_display_dir)
+pdx_service_socket_types(display_screenshot, pdx_display_dir)
+pdx_service_socket_types(display_vsync, pdx_display_dir)
+pdx_service_socket_types(performance_client, pdx_performance_dir)
+pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
+
+# file_contexts files
+type file_contexts_file, system_file_type, file_type;
+
+# mac_permissions file
+type mac_perms_file, system_file_type, file_type;
+
+# property_contexts file
+type property_contexts_file, system_file_type, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, system_file_type, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, system_file_type, file_type;
+
+# service_contexts file
+type service_contexts_file, system_file_type, file_type;
+
+# keystore2_key_contexts_file
+type keystore2_key_contexts_file, system_file_type, file_type;
+
+# vendor service_contexts file
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
+# hwservice_contexts file
+type hwservice_contexts_file, system_file_type, file_type;
+
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
+
+# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+
+# kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
+# system_dlkm
+type system_dlkm_file, system_dlkm_file_type, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
+allow postinstall_file self:filesystem associate;
+allow proc_net proc:filesystem associate;
+
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
+
+# Deprecated in SDK version 28
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+
+# It's a bug to assign the file_type attribute and fs_type attribute
+# to any type. Do not allow it.
+#
+# For example, the following is a bug:
+# type apk_data_file, file_type, data_file_type, fs_type;
+# Should be:
+# type apk_data_file, file_type, data_file_type;
+neverallow fs_type file_type:filesystem associate;
diff --git a/prebuilts/api/33.0/public/fingerprintd.te b/prebuilts/api/33.0/public/fingerprintd.te
new file mode 100644
index 0000000..8cf2411
--- /dev/null
+++ b/prebuilts/api/33.0/public/fingerprintd.te
@@ -0,0 +1,27 @@
+type fingerprintd, domain;
+type fingerprintd_exec, system_file_type, exec_type, file_type;
+
+binder_use(fingerprintd)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
+# need to find KeyStore and add self
+add_service(fingerprintd, fingerprintd_service)
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+allow fingerprintd keystore:keystore2 { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
+
+allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/33.0/public/flags_health_check.te b/prebuilts/api/33.0/public/flags_health_check.te
new file mode 100644
index 0000000..25a7768
--- /dev/null
+++ b/prebuilts/api/33.0/public/flags_health_check.te
@@ -0,0 +1,11 @@
+# The flags_health_check command run by init.
+type flags_health_check, domain, coredomain;
+type flags_health_check_exec, system_file_type, exec_type, file_type;
+
+allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
+allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
+
+# server_configurable_flags_data_file is used for storing whether server configurable flags which
+# have been reset during current booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
diff --git a/prebuilts/api/33.0/public/fsck.te b/prebuilts/api/33.0/public/fsck.te
new file mode 100644
index 0000000..1fb5d0d
--- /dev/null
+++ b/prebuilts/api/33.0/public/fsck.te
@@ -0,0 +1,73 @@
+# Any fsck program run by init
+type fsck, domain;
+type fsck_exec, system_file_type, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow fsck tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck vold:fd use;
+allow fsck vold:fifo_file { read write getattr };
+
+# Run fsck on certain block devices
+allow fsck userdata_block_device:blk_file rw_file_perms;
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck dm_device:blk_file rw_file_perms;
+userdebug_or_eng(`
+allow fsck system_block_device:blk_file rw_file_perms;
+')
+
+# e2fsck performs a comprehensive search of /proc/mounts to check whether the
+# checked filesystem is currently mounted.
+allow fsck metadata_file:dir getattr;
+allow fsck block_device:dir search;
+allow fsck mirror_data_file:dir search;
+
+# For the block devices where we have ioctl access,
+# allow at a minimum the following common fsck ioctls.
+allowxperm fsck dev_type:blk_file ioctl {
+ BLKDISCARDZEROES
+ BLKROGET
+};
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
+
+allow fsck {
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
+allow fsck rootfs:dir r_dir_perms;
+
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+ boot_block_device
+ frp_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdebug_or_eng(`-system_block_device')
+ vold_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from init or vold via fsck binaries
+neverallow { domain -init -vold } fsck:process transition;
+neverallow * fsck:process dyntransition;
+neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/33.0/public/fsck_untrusted.te b/prebuilts/api/33.0/public/fsck_untrusted.te
new file mode 100644
index 0000000..8510c94
--- /dev/null
+++ b/prebuilts/api/33.0/public/fsck_untrusted.te
@@ -0,0 +1,49 @@
+# Any fsck program run on untrusted block devices
+type fsck_untrusted, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck_untrusted vold:fd use;
+allow fsck_untrusted vold:fifo_file { read write getattr };
+
+# Run fsck on vold block devices
+allow fsck_untrusted block_device:dir search;
+allow fsck_untrusted vold_device:blk_file rw_file_perms;
+
+allow fsck_untrusted proc_mounts:file r_file_perms;
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
+###
+### neverallow rules
+###
+
+# Untrusted fsck should never be run on block devices holding sensitive data
+neverallow fsck_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } fsck_untrusted:process transition;
+neverallow * fsck_untrusted:process dyntransition;
+neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/33.0/public/gatekeeperd.te b/prebuilts/api/33.0/public/gatekeeperd.te
new file mode 100644
index 0000000..d48c5f8
--- /dev/null
+++ b/prebuilts/api/33.0/public/gatekeeperd.te
@@ -0,0 +1,42 @@
+type gatekeeperd, domain;
+type gatekeeperd_exec, system_file_type, exec_type, file_type;
+
+# gatekeeperd
+binder_service(gatekeeperd)
+binder_use(gatekeeperd)
+
+### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
+### These rules should eventually be granted only when needed.
+allow gatekeeperd ion_device:chr_file r_file_perms;
+# Load HAL implementation
+allow gatekeeperd system_file:dir r_dir_perms;
+###
+
+### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
+### These rules should eventually be granted only when needed.
+hal_client_domain(gatekeeperd, hal_gatekeeper)
+###
+
+# need to find KeyStore and add self
+add_service(gatekeeperd, gatekeeper_service)
+
+# Need to add auth tokens to KeyStore
+use_keystore(gatekeeperd)
+allow gatekeeperd keystore:keystore_key { add_auth };
+allow gatekeeperd keystore:keystore2 { add_auth };
+allow gatekeeperd authorization_service:service_manager find;
+
+
+# For permissions checking
+allow gatekeeperd system_server:binder call;
+allow gatekeeperd permission_service:service_manager find;
+
+# for SID file access
+allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
+allow gatekeeperd gatekeeper_data_file:file create_file_perms;
+
+# For hardware properties retrieval
+allow gatekeeperd hardware_properties_service:service_manager find;
+
+r_dir_file(gatekeeperd, cgroup)
+r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/prebuilts/api/33.0/public/global_macros b/prebuilts/api/33.0/public/global_macros
new file mode 100644
index 0000000..2c87fde
--- /dev/null
+++ b/prebuilts/api/33.0/public/global_macros
@@ -0,0 +1,51 @@
+#####################################
+# Common groupings of object classes.
+#
+define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
+define(`global_capability_class_set', `{ capability cap_userns }')
+define(`global_capability2_class_set', `{ capability2 cap2_userns }')
+
+define(`devfile_class_set', `{ chr_file blk_file }')
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
+define(`dir_file_class_set', `{ dir file_class_set }')
+
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
+define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }')
+
+define(`ipc_class_set', `{ sem msgq shm ipc }')
+
+#####################################
+# Common groupings of permissions.
+#
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
+define(`w_file_perms', `{ open append write lock map }')
+define(`rx_file_perms', `{ r_file_perms x_file_perms }')
+define(`ra_file_perms', `{ r_file_perms append }')
+define(`rw_file_perms', `{ r_file_perms w_file_perms }')
+define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
+define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
+
+define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
+define(`w_dir_perms', `{ open search write add_name remove_name lock }')
+define(`ra_dir_perms', `{ r_dir_perms add_name write }')
+define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
+define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
+
+define(`r_ipc_perms', `{ getattr read associate unix_read }')
+define(`w_ipc_perms', `{ write unix_write }')
+define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
+define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+
+#####################################
+# Common socket permission sets.
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/prebuilts/api/33.0/public/gmscore_app.te b/prebuilts/api/33.0/public/gmscore_app.te
new file mode 100644
index 0000000..b574bf3
--- /dev/null
+++ b/prebuilts/api/33.0/public/gmscore_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+
+type gmscore_app, domain;
diff --git a/prebuilts/api/33.0/public/gpuservice.te b/prebuilts/api/33.0/public/gpuservice.te
new file mode 100644
index 0000000..c862d0b
--- /dev/null
+++ b/prebuilts/api/33.0/public/gpuservice.te
@@ -0,0 +1,2 @@
+# gpuservice - server for gpu stats and other gpu related services
+type gpuservice, domain;
diff --git a/prebuilts/api/33.0/public/hal_allocator.te b/prebuilts/api/33.0/public/hal_allocator.te
new file mode 100644
index 0000000..6417b62
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_allocator.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_allocator_client, hal_allocator_server)
+
+hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
+allow hal_allocator_client same_process_hal_file:file { execute read open getattr map };
diff --git a/prebuilts/api/33.0/public/hal_atrace.te b/prebuilts/api/33.0/public/hal_atrace.te
new file mode 100644
index 0000000..51d9237
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_atrace.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_atrace_client, hal_atrace_server)
+
+hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_audio.te b/prebuilts/api/33.0/public/hal_audio.te
new file mode 100644
index 0000000..52caa00
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_audio.te
@@ -0,0 +1,41 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+
+hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
+hal_attribute_service(hal_audio, hal_audio_service)
+
+allow hal_audio ion_device:chr_file r_file_perms;
+
+binder_call(hal_audio_server, servicemanager)
+
+r_dir_file(hal_audio, proc)
+r_dir_file(hal_audio, proc_asound)
+allow hal_audio_server audio_device:dir r_dir_perms;
+allow hal_audio_server audio_device:chr_file rw_file_perms;
+
+# Needed to provide debug dump output via dumpsys' pipes.
+allow hal_audio shell:fd use;
+allow hal_audio shell:fifo_file write;
+allow hal_audio dumpstate:fd use;
+allow hal_audio dumpstate:fifo_file write;
+
+# Needed to allow sound trigger hal to access shared memory from apps.
+allow hal_audio_server appdomain:fd use;
+
+# allow hal audio to use vnbinder
+vndbinder_use(hal_audio)
+
+###
+### neverallow rules
+###
+
+# Should never execute any executable without a domain transition
+neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
+
+# Only audio HAL may directly access the audio hardware
+neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
+
+get_prop(hal_audio, audio_config_prop)
+get_prop(hal_audio, bluetooth_a2dp_offload_prop)
+get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/prebuilts/api/33.0/public/hal_audiocontrol.te b/prebuilts/api/33.0/public/hal_audiocontrol.te
new file mode 100644
index 0000000..6f45b0e
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_audiocontrol.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
+binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
+
+hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
+hal_attribute_service(hal_audiocontrol, hal_audiocontrol_service)
+
+binder_call(hal_audiocontrol_server, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_authsecret.te b/prebuilts/api/33.0/public/hal_authsecret.te
new file mode 100644
index 0000000..bbcdb9a
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_authsecret.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_authsecret_client, hal_authsecret_server)
+
+hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
+hal_attribute_service(hal_authsecret, hal_authsecret_service)
+
+binder_call(hal_authsecret_server, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_bluetooth.te b/prebuilts/api/33.0/public/hal_bluetooth.te
new file mode 100644
index 0000000..97177ba
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_bluetooth.te
@@ -0,0 +1,32 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_bluetooth_client, hal_bluetooth_server)
+binder_call(hal_bluetooth_server, hal_bluetooth_client)
+
+hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
+
+wakelock_use(hal_bluetooth);
+
+# The HAL toggles rfkill to power the chip off/on.
+allow hal_bluetooth self:global_capability_class_set net_admin;
+
+# bluetooth factory file accesses.
+r_dir_file(hal_bluetooth, bluetooth_efs_file)
+
+allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+r_dir_file(hal_bluetooth, sysfs_type)
+allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth self:global_capability2_class_set wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(hal_bluetooth, bluetooth_audio_hal_prop)
+set_prop(hal_bluetooth, bluetooth_prop)
+set_prop(hal_bluetooth, exported_bluetooth_prop)
+
+# /proc access (bluesleep etc.).
+allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_bluetooth self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/33.0/public/hal_bootctl.te b/prebuilts/api/33.0/public/hal_bootctl.te
new file mode 100644
index 0000000..a1f3d7f
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_bootctl.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_bootctl_client, hal_bootctl_server)
+binder_call(hal_bootctl_server, hal_bootctl_client)
+
+hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
+allow hal_bootctl_server proc_bootconfig:file r_file_perms;
diff --git a/prebuilts/api/33.0/public/hal_broadcastradio.te b/prebuilts/api/33.0/public/hal_broadcastradio.te
new file mode 100644
index 0000000..84a2597
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_broadcastradio.te
@@ -0,0 +1,4 @@
+binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
+binder_call(hal_broadcastradio_server, hal_broadcastradio_client)
+
+hal_attribute_hwservice(hal_broadcastradio, hal_broadcastradio_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_camera.te b/prebuilts/api/33.0/public/hal_camera.te
new file mode 100644
index 0000000..df70ab6
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_camera.te
@@ -0,0 +1,42 @@
+# HwBinder IPC from clients to server and callbacks
+binder_call(hal_camera_client, hal_camera_server)
+binder_call(hal_camera_server, hal_camera_client)
+
+#binder IPC from client to service manager and callbacks
+binder_use(hal_camera_server)
+
+hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
+hal_attribute_service(hal_camera, hal_camera_service)
+
+allow hal_camera device:dir r_dir_perms;
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
+allow hal_camera camera_device:chr_file rw_file_perms;
+allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Both the client and the server need to use the graphics allocator
+allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
+
+# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
+allow hal_camera { appdomain -isolated_app }:fd use;
+allow hal_camera surfaceflinger:fd use;
+allow hal_camera hal_allocator_server:fd use;
+
+# Needed to provide debug dump output via dumpsys' pipes.
+allow hal_camera shell:fd use;
+allow hal_camera shell:fifo_file write;
+
+###
+### neverallow rules
+###
+
+# hal_camera should never execute any executable without a
+# domain transition
+neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
+
+# hal_camera should never need network access. Disallow network sockets.
+neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only camera HAL may directly access the camera hardware
+neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/prebuilts/api/33.0/public/hal_can.te b/prebuilts/api/33.0/public/hal_can.te
new file mode 100644
index 0000000..959d1d9
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_can.te
@@ -0,0 +1,9 @@
+# CAN controller
+binder_call(hal_can_controller_client, hal_can_controller_server)
+binder_call(hal_can_controller_server, hal_can_controller_client)
+hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)
+
+# CAN bus
+binder_call(hal_can_bus_client, hal_can_bus_server)
+binder_call(hal_can_bus_server, hal_can_bus_client)
+hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_cas.te b/prebuilts/api/33.0/public/hal_cas.te
new file mode 100644
index 0000000..e699a6b
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_cas.te
@@ -0,0 +1,38 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_cas_client, hal_cas_server)
+binder_call(hal_cas_server, hal_cas_client)
+
+hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
+allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_cas_server, serialno_prop)
+
+# Read files already opened under /data
+allow hal_cas system_data_file:file { getattr read };
+
+# Read access to pseudo filesystems
+r_dir_file(hal_cas, cgroup)
+allow hal_cas cgroup:dir { search write };
+allow hal_cas cgroup:file w_file_perms;
+
+r_dir_file(hal_cas, cgroup_v2)
+allow hal_cas cgroup_v2:dir { search write };
+allow hal_cas cgroup_v2:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_cas ion_device:chr_file rw_file_perms;
+allow hal_cas hal_graphics_allocator:fd use;
+
+allow hal_cas tee_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# hal_cas should never execute any executable without a
+# domain transition
+neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/33.0/public/hal_codec2.te b/prebuilts/api/33.0/public/hal_codec2.te
new file mode 100644
index 0000000..a379bb3
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_codec2.te
@@ -0,0 +1,27 @@
+get_prop(hal_codec2_client, media_variant_prop)
+get_prop(hal_codec2_server, media_variant_prop)
+get_prop(hal_codec2_client, codec2_config_prop)
+get_prop(hal_codec2_server, codec2_config_prop)
+
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
diff --git a/prebuilts/api/33.0/public/hal_configstore.te b/prebuilts/api/33.0/public/hal_configstore.te
new file mode 100644
index 0000000..069da47
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_configstore.te
@@ -0,0 +1,69 @@
+# HwBinder IPC from client to server
+binder_call(hal_configstore_client, hal_configstore_server)
+
+hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)
+
+# hal_configstore runs with a strict seccomp filter. Use crash_dump's
+# fallback path to collect crash data.
+crash_dump_fallback(hal_configstore_server)
+
+###
+### neverallow rules
+###
+
+# Should never execute an executable without a domain transition
+neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access. Disallow sockets except for
+# for unix stream/dgram sockets used for logging/debugging.
+neverallow hal_configstore_server domain:{
+ rawip_socket tcp_socket udp_socket
+ netlink_route_socket netlink_selinux_socket
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
+neverallow hal_configstore_server {
+ domain
+ -hal_configstore_server
+ -logd
+ userdebug_or_eng(`-su')
+ -tombstoned
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
+}:{ unix_dgram_socket unix_stream_socket } *;
+
+# Should never need access to anything on /data
+neverallow hal_configstore_server {
+ data_file_type
+ -anr_data_file # for crash dump collection
+ -tombstone_data_file # for crash dump collection
+ -zoneinfo_data_file # granted to domain
+ with_native_coverage(`-method_trace_data_file')
+}:{ file fifo_file sock_file } *;
+
+# Should never need sdcard access
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:dir ~getattr;
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:file *;
+
+# Do not permit access to service_manager and vndservice_manager
+neverallow hal_configstore_server *:service_manager *;
+
+# No privileged capabilities
+neverallow hal_configstore_server self:capability_class_set *;
+
+# No ptracing other processes
+neverallow hal_configstore_server *:process ptrace;
+
+# no relabeling
+neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
diff --git a/prebuilts/api/33.0/public/hal_confirmationui.te b/prebuilts/api/33.0/public/hal_confirmationui.te
new file mode 100644
index 0000000..5d2e4b7
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_confirmationui.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_confirmationui_client, hal_confirmationui_server)
+
+hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_contexthub.te b/prebuilts/api/33.0/public/hal_contexthub.te
new file mode 100644
index 0000000..14c2dbc
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_contexthub.te
@@ -0,0 +1,10 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_service(hal_contexthub_server, hal_contexthub_service)
+binder_call(hal_contexthub_server, servicemanager)
+
+allow hal_contexthub_client hal_contexthub_service:service_manager find;
+
+hal_attribute_hwservice(hal_contexthub, hal_contexthub_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_dice.te b/prebuilts/api/33.0/public/hal_dice.te
new file mode 100644
index 0000000..92222c5
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_drm.te b/prebuilts/api/33.0/public/hal_drm.te
new file mode 100644
index 0000000..72fa308
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_drm.te
@@ -0,0 +1,58 @@
+# HwBinder IPC from client to server, and callbacks
+binder_use(hal_drm_server)
+binder_call(hal_drm_client, hal_drm_server)
+binder_call(hal_drm_server, hal_drm_client)
+
+hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
+hal_attribute_service(hal_drm, hal_drm_service)
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
+# Required by Widevine DRM (b/22990512)
+allow hal_drm self:process execmem;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_drm, serialno_prop)
+
+# Read files already opened under /data
+allow hal_drm system_data_file:file { getattr read };
+
+# Read access to pseudo filesystems
+r_dir_file(hal_drm, cgroup)
+allow hal_drm cgroup:dir { search write };
+allow hal_drm cgroup:file w_file_perms;
+
+r_dir_file(hal_drm, cgroup_v2)
+allow hal_drm cgroup_v2:dir { search write };
+allow hal_drm cgroup_v2:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_drm ion_device:chr_file rw_file_perms;
+allow hal_drm hal_graphics_allocator:fd use;
+
+# Allow access to hidl_memory allocation service
+allow hal_drm hal_allocator_server:fd use;
+
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
+allow hal_drm sysfs:file r_file_perms;
+
+allow hal_drm tee_device:chr_file rw_file_perms;
+
+allow hal_drm_server { appdomain -isolated_app }:fd use;
+
+# only allow unprivileged socket ioctl commands
+allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# hal_drm should never execute any executable without a
+# domain transition
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/33.0/public/hal_dumpstate.te b/prebuilts/api/33.0/public/hal_dumpstate.te
new file mode 100644
index 0000000..aee283a
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_dumpstate.te
@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_dumpstate_client, hal_dumpstate_server)
+binder_call(hal_dumpstate_server, hal_dumpstate_client)
+
+set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
+
+hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
+hal_attribute_service(hal_dumpstate, hal_dumpstate_service)
+
+binder_call(hal_dumpstate_server, servicemanager)
+
+# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
+allow hal_dumpstate shell_data_file:file write;
+# allow reading /proc/interrupts for all hal impls
+allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/33.0/public/hal_evs.te b/prebuilts/api/33.0/public/hal_evs.te
new file mode 100644
index 0000000..09a40d8
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_evs.te
@@ -0,0 +1,15 @@
+hwbinder_use(hal_evs_client)
+hwbinder_use(hal_evs_server)
+
+binder_call(hal_evs_client, hal_evs_server)
+binder_call(hal_evs_server, hal_evs_client)
+
+# Below lines are equivalent to hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
+# except it allows evsmanagerd to add hal_evs_hwservice.
+allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
+allow hal_evs_server hal_evs_hwservice:hwservice_manager { add find };
+allow hal_evs_server hidl_base_hwservice:hwservice_manager add;
+neverallow { domain -hal_evs_server -evsmanagerd } hal_evs_hwservice:hwservice_manager add;
+
+# Allows to add a service
+hal_attribute_service(hal_evs, hal_evs_service)
diff --git a/prebuilts/api/33.0/public/hal_face.te b/prebuilts/api/33.0/public/hal_face.te
new file mode 100644
index 0000000..0134576
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_face.te
@@ -0,0 +1,15 @@
+# Allow HwBinder IPC from client to server, and vice versa for callbacks.
+binder_call(hal_face_client, hal_face_server)
+binder_call(hal_face_server, hal_face_client)
+
+hal_attribute_hwservice(hal_face, hal_face_hwservice)
+hal_attribute_service(hal_face, hal_face_service)
+
+binder_call(hal_face_server, servicemanager)
+
+# Allow access to the ion memory allocation device.
+allow hal_face ion_device:chr_file r_file_perms;
+
+# Allow read/write access to the face template directory.
+allow hal_face face_vendor_data_file:file create_file_perms;
+allow hal_face face_vendor_data_file:dir rw_dir_perms;
diff --git a/prebuilts/api/33.0/public/hal_fingerprint.te b/prebuilts/api/33.0/public/hal_fingerprint.te
new file mode 100644
index 0000000..444cfda
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_fingerprint.te
@@ -0,0 +1,20 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_fingerprint_client, hal_fingerprint_server)
+binder_call(hal_fingerprint_server, hal_fingerprint_client)
+
+hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
+hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
+
+binder_call(hal_fingerprint_server, servicemanager)
+
+# For memory allocation
+allow hal_fingerprint ion_device:chr_file r_file_perms;
+
+allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
+allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
+
+r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, cgroup_v2)
+r_dir_file(hal_fingerprint, sysfs)
+
+
diff --git a/prebuilts/api/33.0/public/hal_gatekeeper.te b/prebuilts/api/33.0/public/hal_gatekeeper.te
new file mode 100644
index 0000000..b918f88
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_gatekeeper.te
@@ -0,0 +1,7 @@
+binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
+
+hal_attribute_hwservice(hal_gatekeeper, hal_gatekeeper_hwservice)
+
+# TEE access.
+allow hal_gatekeeper tee_device:chr_file rw_file_perms;
+allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/33.0/public/hal_gnss.te b/prebuilts/api/33.0/public/hal_gnss.te
new file mode 100644
index 0000000..832bc8d
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_gnss.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
+hal_attribute_service(hal_gnss, hal_gnss_service)
+binder_call(hal_gnss_server, servicemanager)
+binder_call(hal_gnss_client, servicemanager)
+
diff --git a/prebuilts/api/33.0/public/hal_graphics_allocator.te b/prebuilts/api/33.0/public/hal_graphics_allocator.te
new file mode 100644
index 0000000..7ef27113
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_graphics_allocator.te
@@ -0,0 +1,20 @@
+# HwBinder IPC from client to server
+binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+
+hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
+
+# GPU device access
+allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator gpu_device:dir r_dir_perms;
+allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_graphics_allocator self:global_capability_class_set sys_nice;
+
+# IAllocator stable-aidl
+hal_attribute_service(hal_graphics_allocator, hal_graphics_allocator_service)
+binder_call(hal_graphics_allocator_server, servicemanager)
+binder_call(hal_graphics_allocator_client, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_graphics_composer.te b/prebuilts/api/33.0/public/hal_graphics_composer.te
new file mode 100644
index 0000000..e99d45f
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_graphics_composer.te
@@ -0,0 +1,42 @@
+type hal_graphics_composer_server_tmpfs, file_type;
+attribute hal_graphics_composer_client_tmpfs;
+expandattribute hal_graphics_composer_client_tmpfs true;
+
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
+allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
+
+hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
+
+# Coordinate with hal_graphics_mapper
+allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# GPU device access
+allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer gpu_device:dir r_dir_perms;
+allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_graphics_composer hal_graphics_allocator:fd use;
+
+# Access /dev/graphics/fb0.
+allow hal_graphics_composer graphics_device:dir search;
+allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
+
+# Fences
+allow hal_graphics_composer system_server:fd use;
+allow hal_graphics_composer bootanim:fd use;
+allow hal_graphics_composer appdomain:fd use;
+
+# allow self to set SCHED_FIFO
+allow hal_graphics_composer self:global_capability_class_set sys_nice;
+
+# allow surfaceflinger to use a pipe for dumpsys output
+allow hal_graphics_composer_server hal_graphics_composer_client:fifo_file write;
+
+
+binder_call(hal_graphics_composer_client, servicemanager)
+binder_call(hal_graphics_composer_server, servicemanager)
+
+hal_attribute_service(hal_graphics_composer, hal_graphics_composer_service)
diff --git a/prebuilts/api/33.0/public/hal_health.te b/prebuilts/api/33.0/public/hal_health.te
new file mode 100644
index 0000000..5d7aff5
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_health.te
@@ -0,0 +1,33 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+hal_attribute_hwservice(hal_health, hal_health_hwservice)
+hal_attribute_service(hal_health, hal_health_service)
+
+# Common rules for a health service.
+
+# Allow to listen to uevents for updates
+allow hal_health_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Allow to read /sys/class/power_supply directory
+allow hal_health_server sysfs:dir r_dir_perms;
+
+# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
+# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
+# HAL service.
+r_dir_file(hal_health_server, sysfs_batteryinfo)
+
+# Allow to wake up to send periodic events
+wakelock_use(hal_health_server)
+
+# Write to /dev/kmsg
+allow hal_health_server kmsg_device:chr_file { getattr w_file_perms };
+
+# Allow to use timerfd to wake itself up periodically to send health info.
+allow hal_health_server self:capability2 wake_alarm;
+
+# Use bpf programs
+allow hal_health_server fs_bpf_vendor:dir search;
+allow hal_health_server fs_bpf_vendor:file read;
+allow hal_health_server bpfloader:bpf prog_run;
diff --git a/prebuilts/api/33.0/public/hal_health_storage.te b/prebuilts/api/33.0/public/hal_health_storage.te
new file mode 100644
index 0000000..4938a16
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_health_storage.te
@@ -0,0 +1,11 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_storage_client, hal_health_storage_server)
+binder_call(hal_health_storage_server, hal_health_storage_client)
+
+binder_use(hal_health_storage_server)
+
+hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
+hal_attribute_service(hal_health_storage, hal_health_storage_service)
+
+# Allow ReadDefaultFstab().
+read_fstab(hal_health_storage_server)
diff --git a/prebuilts/api/33.0/public/hal_identity.te b/prebuilts/api/33.0/public/hal_identity.te
new file mode 100644
index 0000000..8d558ad
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_identity.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_identity_client, hal_identity_server)
+
+hal_attribute_service(hal_identity, hal_identity_service)
+
+binder_call(hal_identity_server, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_input_classifier.te b/prebuilts/api/33.0/public/hal_input_classifier.te
new file mode 100644
index 0000000..70a4b7d
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_input_classifier.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_classifier_client, hal_input_classifier_server)
+
+hal_attribute_hwservice(hal_input_classifier, hal_input_classifier_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_input_processor.te b/prebuilts/api/33.0/public/hal_input_processor.te
new file mode 100644
index 0000000..77d1d70
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_input_processor.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_processor_client, hal_input_processor_server)
+binder_call(hal_input_processor_server, servicemanager)
+
+hal_attribute_service(hal_input_processor, hal_input_processor_service)
diff --git a/prebuilts/api/33.0/public/hal_ir.te b/prebuilts/api/33.0/public/hal_ir.te
new file mode 100644
index 0000000..452127a
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_ir.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+hal_attribute_service(hal_ir, hal_ir_service)
+binder_call(hal_ir_server, servicemanager)
+
+hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_keymaster.te b/prebuilts/api/33.0/public/hal_keymaster.te
new file mode 100644
index 0000000..3e164ad
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_keymaster.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
+
+hal_attribute_hwservice(hal_keymaster, hal_keymaster_hwservice)
+
+allow hal_keymaster tee_device:chr_file rw_file_perms;
+allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/33.0/public/hal_keymint.te b/prebuilts/api/33.0/public/hal_keymint.te
new file mode 100644
index 0000000..9c65e22
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_keymint.te
@@ -0,0 +1,8 @@
+binder_call(hal_keymint_client, hal_keymint_server)
+
+hal_attribute_service(hal_keymint, hal_keymint_service)
+hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
+binder_call(hal_keymint_server, servicemanager)
+
+allow hal_keymint tee_device:chr_file rw_file_perms;
+allow hal_keymint ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/33.0/public/hal_light.te b/prebuilts/api/33.0/public/hal_light.te
new file mode 100644
index 0000000..40829b6
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_light.te
@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+hal_attribute_hwservice(hal_light, hal_light_hwservice)
+hal_attribute_service(hal_light, hal_light_service)
+
+binder_call(hal_light_server, servicemanager)
+binder_use(hal_light_client)
+
+allow hal_light_server dumpstate:fifo_file write;
+
+allow hal_light sysfs_leds:lnk_file read;
+allow hal_light sysfs_leds:file rw_file_perms;
+allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/prebuilts/api/33.0/public/hal_lowpan.te b/prebuilts/api/33.0/public/hal_lowpan.te
new file mode 100644
index 0000000..6fb95e9
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_lowpan.te
@@ -0,0 +1,20 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_lowpan_client, hal_lowpan_server)
+binder_call(hal_lowpan_server, hal_lowpan_client)
+
+
+# Allow hal_lowpan_client to be able to find the hal_lowpan_server
+hal_attribute_hwservice(hal_lowpan, hal_lowpan_hwservice)
+
+# hal_lowpan domain can write/read to/from lowpan_prop
+set_prop(hal_lowpan_server, lowpan_prop)
+
+# Allow hal_lowpan_server to open lowpan_devices
+allow hal_lowpan_server lowpan_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# Only LoWPAN HAL may directly access LoWPAN hardware
+neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
diff --git a/prebuilts/api/33.0/public/hal_memtrack.te b/prebuilts/api/33.0/public/hal_memtrack.te
new file mode 100644
index 0000000..30a4480
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_memtrack.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
+
+hal_attribute_service(hal_memtrack, hal_memtrack_service)
+binder_call(hal_memtrack_server, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_neuralnetworks.te b/prebuilts/api/33.0/public/hal_neuralnetworks.te
new file mode 100644
index 0000000..04d0b59
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_neuralnetworks.te
@@ -0,0 +1,45 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
+binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
+
+hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice)
+allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_allocator:fd use;
+allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_graphics_allocator:fd use;
+
+# Allow NN HAL service to use a client-provided fd residing in /data/data/.
+allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
+allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
+
+# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
+allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
+
+# Allow NN HAL service to read a client-provided ION memory fd.
+allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
+
+# Allow NN HAL service to use a client-provided fd residing in /storage
+allow hal_neuralnetworks_server storage_file:file { getattr map read };
+
+# Allow NN HAL service to read a client-provided fd residing in /data/app/.
+allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
+
+# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
+# property to determine whether to deny NNAPI extensions use for apps
+# on product partition (apps in GSI are not allowed to use NNAPI extensions).
+get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
+
+# Allow NN HAL client to read device_config_nnapi_native_prop.
+get_prop(hal_neuralnetworks_client, device_config_nnapi_native_prop)
+
+# This property is only expected to be found in /product/build.prop,
+# allow to be set only by init.
+neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
+
+# Define sepolicy for NN AIDL HAL service
+hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
+binder_call(hal_neuralnetworks_server, servicemanager)
+
+binder_use(hal_neuralnetworks_server)
+
+allow hal_neuralnetworks_server dumpstate:fifo_file write;
diff --git a/prebuilts/api/33.0/public/hal_neverallows.te b/prebuilts/api/33.0/public/hal_neverallows.te
new file mode 100644
index 0000000..e77ea9d
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_neverallows.te
@@ -0,0 +1,92 @@
+# only HALs responsible for network hardware should have privileged
+# network capabilities
+neverallow {
+ halserverdomain
+ -hal_bluetooth_server
+ -hal_can_controller_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+ -hal_uwb_server
+ # TODO(b/196225233): Remove hal_uwb_vendor_server
+ -hal_uwb_vendor_server
+ -hal_nlinterceptor_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
+# NOTE: HALs for automotive devices have an exemption from this rule because in
+# a car it is common to have external modules and HALs need to communicate to
+# those modules using network. Using this exemption for non-automotive builds
+# will result in CTS failure.
+neverallow {
+ halserverdomain
+ -hal_automotive_socket_exemption
+ -hal_can_controller_server
+ -hal_tetheroffload_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+ -hal_uwb_server
+ # TODO(b/196225233): Remove hal_uwb_vendor_server
+ -hal_uwb_vendor_server
+ -hal_nlinterceptor_server
+} domain:{ udp_socket rawip_socket } *;
+
+neverallow {
+ halserverdomain
+ -hal_automotive_socket_exemption
+ -hal_can_controller_server
+ -hal_tetheroffload_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+ -hal_nlinterceptor_server
+} {
+ domain
+ userdebug_or_eng(`-su')
+}:tcp_socket *;
+
+# The UWB HAL is not actually a networking HAL but may need to bring up and down
+# interfaces. Restrict it to only these networking operations.
+neverallow hal_uwb_vendor_server self:global_capability_class_set { net_raw };
+
+# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
+# udp_socket is required to use interface ioctls.
+neverallow hal_uwb_vendor_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+
+###
+# HALs are defined as an attribute and so a given domain could hypothetically
+# have multiple HALs in it (or even all of them) with the subsequent policy of
+# the domain comprised of the union of all the HALs.
+#
+# This is a problem because
+# 1) Security sensitive components should only be accessed by specific HALs.
+# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
+# the platform.
+# 3) The platform cannot reason about defense in depth if there are
+# monolithic domains etc.
+#
+# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
+# its OK for them to share a process its not OK with them to share processes
+# with other hals.
+#
+# The following neverallow rules, in conjuntion with CTS tests, assert that
+# these security principles are adhered to.
+#
+# Do not allow a hal to exec another process without a domain transition.
+# TODO remove exemptions.
+neverallow {
+ halserverdomain
+ -hal_dumpstate_server
+ -hal_telephony_server
+} { file_type fs_type }:file execute_no_trans;
+# Do not allow a process other than init to transition into a HAL domain.
+neverallow { domain -init } halserverdomain:process transition;
+# Only allow transitioning to a domain by running its executable. Do not
+# allow transitioning into a HAL domain by use of seclabel in an
+# init.*.rc script.
+neverallow * halserverdomain:process dyntransition;
diff --git a/prebuilts/api/33.0/public/hal_nfc.te b/prebuilts/api/33.0/public/hal_nfc.te
new file mode 100644
index 0000000..3d0202b
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_nfc.te
@@ -0,0 +1,13 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_nfc_client, hal_nfc_server)
+binder_call(hal_nfc_server, hal_nfc_client)
+binder_call(hal_nfc_server, servicemanager)
+
+hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
+hal_attribute_service(hal_nfc, hal_nfc_service)
+
+# Set NFC properties (used by bcm2079x HAL).
+set_prop(hal_nfc, nfc_prop)
+
+# NFC device access.
+allow hal_nfc nfc_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/33.0/public/hal_nlinterceptor.te b/prebuilts/api/33.0/public/hal_nlinterceptor.te
new file mode 100644
index 0000000..1a738a5
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_nlinterceptor.te
@@ -0,0 +1,8 @@
+binder_call(hal_nlinterceptor_client, hal_nlinterceptor_server)
+
+hal_attribute_service(hal_nlinterceptor, hal_nlinterceptor_service)
+binder_call(hal_nlinterceptor, servicemanager)
+
+allow hal_nlinterceptor self:global_capability_class_set net_admin;
+allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_nlinterceptor self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_readpriv nlmsg_write };
diff --git a/prebuilts/api/33.0/public/hal_oemlock.te b/prebuilts/api/33.0/public/hal_oemlock.te
new file mode 100644
index 0000000..9f38fa5
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_oemlock.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_oemlock_client, hal_oemlock_server)
+
+hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
+hal_attribute_service(hal_oemlock, hal_oemlock_service)
+
+binder_call(hal_oemlock_server, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_omx.te b/prebuilts/api/33.0/public/hal_omx.te
new file mode 100644
index 0000000..2611dcd
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_omx.te
@@ -0,0 +1,50 @@
+# applies all permissions to hal_omx NOT hal_omx_server
+# since OMX must always be in its own process.
+
+binder_call(hal_omx_server, binderservicedomain)
+binder_call(hal_omx_server, { appdomain -isolated_app })
+
+# Allow hal_omx_server access to composer sync fences
+allow hal_omx_server hal_graphics_composer:fd use;
+
+allow hal_omx_server ion_device:chr_file rw_file_perms;
+allow hal_omx_server hal_camera:fd use;
+
+crash_dump_fallback(hal_omx_server)
+
+# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never
+# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
+# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
+# via PDX. Thus, there is no need to use pdx_client macro.
+allow hal_omx_server bufferhubd:fd use;
+
+hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
+
+allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
+
+get_prop(hal_omx_client, media_variant_prop)
+get_prop(hal_omx_server, media_variant_prop)
+
+binder_call(hal_omx_client, hal_omx_server)
+binder_call(hal_omx_server, hal_omx_client)
+
+###
+### neverallow rules
+###
+
+# hal_omx_server should never execute any executable without a
+# domain transition
+neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
+neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/prebuilts/api/33.0/public/hal_power.te b/prebuilts/api/33.0/public/hal_power.te
new file mode 100644
index 0000000..aae32a0
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_power.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+hal_attribute_hwservice(hal_power, hal_power_hwservice)
+hal_attribute_service(hal_power, hal_power_service)
+
+binder_call(hal_power_server, servicemanager)
+binder_call(hal_power_client, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_power_stats.te b/prebuilts/api/33.0/public/hal_power_stats.te
new file mode 100644
index 0000000..4076eff
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_power_stats.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_stats_client, hal_power_stats_server)
+binder_call(hal_power_stats_server, hal_power_stats_client)
+
+hal_attribute_hwservice(hal_power_stats, hal_power_stats_hwservice)
+hal_attribute_service(hal_power_stats, hal_power_stats_service)
+
+binder_call(hal_power_stats_server, servicemanager)
+binder_call(hal_power_stats_client, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_rebootescrow.te b/prebuilts/api/33.0/public/hal_rebootescrow.te
new file mode 100644
index 0000000..d16333b
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_rebootescrow.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
+
+hal_attribute_service(hal_rebootescrow, hal_rebootescrow_service)
+
+binder_use(hal_rebootescrow_server)
diff --git a/prebuilts/api/33.0/public/hal_secure_element.te b/prebuilts/api/33.0/public/hal_secure_element.te
new file mode 100644
index 0000000..3724d35
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_secure_element.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_sensors.te b/prebuilts/api/33.0/public/hal_sensors.te
new file mode 100644
index 0000000..f25a2ea
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_sensors.te
@@ -0,0 +1,19 @@
+# HwBinder IPC from client to server
+binder_call(hal_sensors_client, hal_sensors_server)
+
+hal_attribute_hwservice(hal_sensors, hal_sensors_hwservice)
+
+# Allow sensor hals to access ashmem memory allocated by apps
+allow hal_sensors { appdomain -isolated_app }:fd use;
+
+# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
+# fd is passed in from framework sensorservice HAL.
+allow hal_sensors hal_allocator:fd use;
+
+# allow to run with real-time scheduling policy
+allow hal_sensors self:global_capability_class_set sys_nice;
+
+add_service(hal_sensors_server, hal_sensors_service)
+binder_call(hal_sensors_server, servicemanager)
+
+allow hal_sensors_client hal_sensors_service:service_manager find;
diff --git a/prebuilts/api/33.0/public/hal_telephony.te b/prebuilts/api/33.0/public/hal_telephony.te
new file mode 100644
index 0000000..e21796a
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_telephony.te
@@ -0,0 +1,48 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
+hal_attribute_service(hal_telephony, hal_radio_service)
+
+allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
+
+allow hal_telephony_server self:netlink_route_socket nlmsg_write;
+allow hal_telephony_server kernel:system module_request;
+allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
+allow hal_telephony_server cgroup:dir create_dir_perms;
+allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server cgroup_v2:dir create_dir_perms;
+allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
+allow hal_telephony_server radio_device:chr_file rw_file_perms;
+allow hal_telephony_server radio_device:blk_file r_file_perms;
+allow hal_telephony_server efs_file:dir create_dir_perms;
+allow hal_telephony_server efs_file:file create_file_perms;
+allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
+allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
+allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
+
+# property service
+get_prop(hal_telephony_server, telephony_config_prop)
+set_prop(hal_telephony_server, radio_control_prop)
+set_prop(hal_telephony_server, radio_prop)
+set_prop(hal_telephony_server, telephony_status_prop)
+
+allow hal_telephony_server tty_device:chr_file rw_file_perms;
+
+# Allow hal_telephony_server to create and use netlink sockets.
+allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access to wake locks
+wakelock_use(hal_telephony_server)
+
+r_dir_file(hal_telephony_server, proc_net_type)
+r_dir_file(hal_telephony_server, sysfs_type)
+
+# granting the ioctl permission for hal_telephony_server should be device specific
+allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
+
+# Allow AIDL HAL shim to call HIDL HAL implementation
+binder_call(hal_telephony_server, hal_telephony_server)
diff --git a/prebuilts/api/33.0/public/hal_tetheroffload.te b/prebuilts/api/33.0/public/hal_tetheroffload.te
new file mode 100644
index 0000000..cf51723
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_tetheroffload.te
@@ -0,0 +1,8 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
+binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
+
+hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
+
+# allow the client to pass the server already open netlink sockets
+allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/prebuilts/api/33.0/public/hal_thermal.te b/prebuilts/api/33.0/public/hal_thermal.te
new file mode 100644
index 0000000..2115da1
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_thermal.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+hal_attribute_hwservice(hal_thermal, hal_thermal_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_tv_cec.te b/prebuilts/api/33.0/public/hal_tv_cec.te
new file mode 100644
index 0000000..6584904
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_tv_cec.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_cec_client, hal_tv_cec_server)
+binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+hal_attribute_hwservice(hal_tv_cec, hal_tv_cec_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_tv_input.te b/prebuilts/api/33.0/public/hal_tv_input.te
new file mode 100644
index 0000000..5a5bdda
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_tv_input.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_input_client, hal_tv_input_server)
+binder_call(hal_tv_input_server, hal_tv_input_client)
+
+hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_tv_tuner.te b/prebuilts/api/33.0/public/hal_tv_tuner.te
new file mode 100644
index 0000000..4b7c030
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_tv_tuner.te
@@ -0,0 +1,8 @@
+binder_call(hal_tv_tuner_client, hal_tv_tuner_server)
+binder_call(hal_tv_tuner_server, hal_tv_tuner_client)
+
+hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)
+hal_attribute_service(hal_tv_tuner, hal_tv_tuner_service)
+
+binder_call(hal_tv_tuner_server, servicemanager)
+binder_call(hal_tv_tuner_client, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_usb.te b/prebuilts/api/33.0/public/hal_usb.te
new file mode 100644
index 0000000..45cafaa
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_usb.te
@@ -0,0 +1,21 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+hal_attribute_service(hal_usb, hal_usb_service)
+binder_call(hal_usb_server, servicemanager)
+
+hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
+
+allow hal_usb self:netlink_kobject_uevent_socket create;
+allow hal_usb self:netlink_kobject_uevent_socket setopt;
+allow hal_usb self:netlink_kobject_uevent_socket getopt;
+allow hal_usb self:netlink_kobject_uevent_socket bind;
+allow hal_usb self:netlink_kobject_uevent_socket read;
+allow hal_usb sysfs:dir open;
+allow hal_usb sysfs:dir read;
+allow hal_usb sysfs:file read;
+allow hal_usb sysfs:file open;
+allow hal_usb sysfs:file write;
+allow hal_usb sysfs:file getattr;
+
diff --git a/prebuilts/api/33.0/public/hal_usb_gadget.te b/prebuilts/api/33.0/public/hal_usb_gadget.te
new file mode 100644
index 0000000..a474652
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_usb_gadget.te
@@ -0,0 +1,13 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
+binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
+
+hal_attribute_hwservice(hal_usb_gadget, hal_usb_gadget_hwservice)
+
+# Configuring usb gadget functions
+allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
+allow hal_usb_gadget_server configfs:dir rw_dir_perms;
+allow hal_usb_gadget_server configfs:file create_file_perms;
+allow hal_usb_gadget_server functionfs:dir { read search };
+allow hal_usb_gadget_server functionfs:file read;
+
diff --git a/prebuilts/api/33.0/public/hal_uwb.te b/prebuilts/api/33.0/public/hal_uwb.te
new file mode 100644
index 0000000..dc334fc
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_uwb.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_uwb_client, hal_uwb_server)
+binder_call(hal_uwb_server, hal_uwb_client)
+
+hal_attribute_service(hal_uwb, hal_uwb_service)
+
+binder_call(hal_uwb_server, servicemanager)
+binder_call(hal_uwb_client, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_vehicle.te b/prebuilts/api/33.0/public/hal_vehicle.te
new file mode 100644
index 0000000..c9eff55
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_vehicle.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vehicle_client, hal_vehicle_server)
+binder_call(hal_vehicle_server, hal_vehicle_client)
+
+
+hal_attribute_hwservice(hal_vehicle, hal_vehicle_hwservice)
+hal_attribute_service(hal_vehicle, hal_vehicle_service)
diff --git a/prebuilts/api/33.0/public/hal_vibrator.te b/prebuilts/api/33.0/public/hal_vibrator.te
new file mode 100644
index 0000000..c902495
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_vibrator.te
@@ -0,0 +1,14 @@
+# HwBinder IPC client/server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+binder_call(hal_vibrator_server, hal_vibrator_client);
+
+hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
+hal_attribute_service(hal_vibrator, hal_vibrator_service)
+
+binder_call(hal_vibrator_server, servicemanager)
+
+allow hal_vibrator_server dumpstate:fifo_file write;
+
+# vibrator sysfs rw access
+allow hal_vibrator sysfs_vibrator:file rw_file_perms;
+allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/prebuilts/api/33.0/public/hal_vr.te b/prebuilts/api/33.0/public/hal_vr.te
new file mode 100644
index 0000000..e52c77f
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_vr.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
diff --git a/prebuilts/api/33.0/public/hal_weaver.te b/prebuilts/api/33.0/public/hal_weaver.te
new file mode 100644
index 0000000..2b34989
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_weaver.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_weaver_client, hal_weaver_server)
+
+hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
+hal_attribute_service(hal_weaver, hal_weaver_service)
+
+binder_call(hal_weaver_server, servicemanager)
diff --git a/prebuilts/api/33.0/public/hal_wifi.te b/prebuilts/api/33.0/public/hal_wifi.te
new file mode 100644
index 0000000..2e4fa78
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_wifi.te
@@ -0,0 +1,32 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_client, hal_wifi_server)
+binder_call(hal_wifi_server, hal_wifi_client)
+
+hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
+
+r_dir_file(hal_wifi, proc_net_type)
+r_dir_file(hal_wifi, sysfs_type)
+
+set_prop(hal_wifi_server, wifi_hal_prop)
+set_prop(hal_wifi, wifi_prop)
+userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)')
+
+# allow hal wifi set interfaces up and down and get the factory MAC
+allow hal_wifi self:udp_socket create_socket_perms;
+allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
+
+allow hal_wifi self:global_capability_class_set { net_admin net_raw };
+# allow hal_wifi to speak to nl80211 in the kernel
+allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
+# hal_wifi writes firmware paths to this file.
+allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
+# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
+allow hal_wifi proc_modules:file { getattr open read };
+# Allow hal_wifi to send dump info to dumpstate
+allow hal_wifi dumpstate:fifo_file write;
+
+# allow hal_wifi to write into /data/vendor/tombstones/wifi
+allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
+allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
diff --git a/prebuilts/api/33.0/public/hal_wifi_hostapd.te b/prebuilts/api/33.0/public/hal_wifi_hostapd.te
new file mode 100644
index 0000000..eeb72ba
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_wifi_hostapd.te
@@ -0,0 +1,32 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
+binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
+
+hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
+hal_attribute_service(hal_wifi_hostapd, hal_wifi_hostapd_service)
+
+binder_use(hal_wifi_hostapd_server)
+
+allow hal_wifi_hostapd_server dumpstate:fifo_file write;
+
+allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
+
+allow hal_wifi_hostapd_server sysfs_net:dir search;
+
+# Allow hal_wifi_hostapd to access /proc/net/psched
+allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
+allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
+
+###
+### neverallow rules
+###
+
+# hal_wifi_hostapd should not trust any data from sdcards
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:file *;
diff --git a/prebuilts/api/33.0/public/hal_wifi_supplicant.te b/prebuilts/api/33.0/public/hal_wifi_supplicant.te
new file mode 100644
index 0000000..b531a22
--- /dev/null
+++ b/prebuilts/api/33.0/public/hal_wifi_supplicant.te
@@ -0,0 +1,39 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
+binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+
+hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
+hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)
+
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(hal_wifi_supplicant, sysfs_type)
+r_dir_file(hal_wifi_supplicant, proc_net_type)
+
+allow hal_wifi_supplicant kernel:system module_request;
+allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
+allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
+allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:packet_socket create_socket_perms;
+allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+use_keystore(hal_wifi_supplicant)
+binder_use(hal_wifi_supplicant_server)
+
+# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
+allow hal_wifi_supplicant wifi_key:keystore2_key {
+ get_info
+ use
+};
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:file *;
diff --git a/prebuilts/api/33.0/public/healthd.te b/prebuilts/api/33.0/public/healthd.te
new file mode 100644
index 0000000..c5dcfb7
--- /dev/null
+++ b/prebuilts/api/33.0/public/healthd.te
@@ -0,0 +1,4 @@
+# healthd - battery/charger monitoring service daemon
+# healthd is removed. The type is kept for backwards compatibility.
+
+type healthd, domain;
diff --git a/prebuilts/api/33.0/public/heapprofd.te b/prebuilts/api/33.0/public/heapprofd.te
new file mode 100644
index 0000000..7ceb23f
--- /dev/null
+++ b/prebuilts/api/33.0/public/heapprofd.te
@@ -0,0 +1 @@
+type heapprofd, domain, coredomain;
diff --git a/prebuilts/api/33.0/public/hwservice.te b/prebuilts/api/33.0/public/hwservice.te
new file mode 100644
index 0000000..11b77f0
--- /dev/null
+++ b/prebuilts/api/33.0/public/hwservice.te
@@ -0,0 +1,101 @@
+# hwservice types. By default most of the HALs are protected_hwservice, which means
+# access from untrusted apps is prohibited.
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+
+# Following is the hwservices that are explicitly not marked with protected_hwservice.
+# These are directly accessible from untrusted apps.
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safer than ordinary hwservices which
+# are from vendor partition
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
+# - hal_drm_hwservice: versions > API 29 are designed specifically with
+# untrusted app access in mind.
+type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_cas_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_neuralnetworks_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+
+###
+### Neverallow rules
+###
+
+# hwservicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a
+# hwservice. Trigger a compile error if this occurs.
+neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
diff --git a/prebuilts/api/33.0/public/hwservicemanager.te b/prebuilts/api/33.0/public/hwservicemanager.te
new file mode 100644
index 0000000..7ec1872
--- /dev/null
+++ b/prebuilts/api/33.0/public/hwservicemanager.te
@@ -0,0 +1,20 @@
+# hwservicemanager - the Binder context manager for HAL services
+type hwservicemanager, domain, mlstrustedsubject;
+type hwservicemanager_exec, system_file_type, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
diff --git a/prebuilts/api/33.0/public/idmap.te b/prebuilts/api/33.0/public/idmap.te
new file mode 100644
index 0000000..f41f573
--- /dev/null
+++ b/prebuilts/api/33.0/public/idmap.te
@@ -0,0 +1,31 @@
+# idmap, when executed by installd
+type idmap, domain;
+type idmap_exec, system_file_type, exec_type, file_type;
+
+# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
+# Use open file to /data/resource-cache file inherited from installd.
+allow idmap installd:fd use;
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
+
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
+# Open and read from target and overlay apk files passed by argument.
+allow idmap apk_data_file:file r_file_perms;
+allow idmap apk_data_file:dir search;
+
+# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+binder_service(idmap)
+add_service(idmap, idmap_service)
diff --git a/prebuilts/api/26.0/public/incident.te b/prebuilts/api/33.0/public/incident.te
similarity index 100%
rename from prebuilts/api/26.0/public/incident.te
rename to prebuilts/api/33.0/public/incident.te
diff --git a/prebuilts/api/33.0/public/incident_helper.te b/prebuilts/api/33.0/public/incident_helper.te
new file mode 100644
index 0000000..bca1018
--- /dev/null
+++ b/prebuilts/api/33.0/public/incident_helper.te
@@ -0,0 +1,5 @@
+# The incident_helper is called by incidentd and
+# can only read/write data from/to incidentd
+
+# incident_helper
+type incident_helper, domain;
diff --git a/prebuilts/api/26.0/public/incidentd.te b/prebuilts/api/33.0/public/incidentd.te
similarity index 100%
rename from prebuilts/api/26.0/public/incidentd.te
rename to prebuilts/api/33.0/public/incidentd.te
diff --git a/prebuilts/api/33.0/public/init.te b/prebuilts/api/33.0/public/init.te
new file mode 100644
index 0000000..8dcdd33
--- /dev/null
+++ b/prebuilts/api/33.0/public/init.te
@@ -0,0 +1,676 @@
+# init is its own domain.
+type init, domain, mlstrustedsubject;
+type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+#
+# init direct restorecon calls.
+#
+# /dev/kmsg
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { getattr write relabelto };
+# /dev/kmsg_debug
+userdebug_or_eng(`
+ allow init kmsg_debug_device:chr_file { open write relabelto };
+')
+
+# allow init to mount and unmount debugfs in debug builds
+userdebug_or_eng(`
+ allow init debugfs:dir mounton;
+')
+
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
+# /dev/socket
+allow init { device socket_device dm_user_device }:dir relabelto;
+# allow init to establish connection and communicate with lmkd
+unix_socket_connect(init, lmkd, lmkd)
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+allow init {
+ metadata_block_device
+ misc_block_device
+ recovery_block_device
+ system_block_device
+ userdata_block_device
+}:{ blk_file lnk_file } relabelto;
+
+allow init super_block_device:lnk_file relabelto;
+
+# Create /mnt/sdcard -> /storage/self/primary symlink.
+allow init mnt_sdcard_file:lnk_file create;
+
+# setrlimit
+allow init self:global_capability_class_set sys_resource;
+
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Create /dev/fscklogs files.
+allow init fscklogs:file create_file_perms;
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:global_capability_class_set sys_admin;
+
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init {
+ rootfs
+ cache_file
+ cgroup
+ linkerconfig_file
+ storage_file
+ mnt_user_file
+ system_data_file
+ system_data_root_file
+ system_dlkm_file
+ system_file
+ vendor_file
+ postinstall_mnt_dir
+ mirror_data_file
+}:dir mounton;
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Mount tmpfs on /apex
+allow init apex_mnt_dir:dir mounton;
+
+# Bind-mount on /system/apex/com.android.art
+allow init art_apex_dir:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
+allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
+
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
+allow init configfs:{ file lnk_file } create_file_perms;
+
+# /metadata
+allow init metadata_file:dir mounton;
+
+# Run restorecon on /dev
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:global_capability_class_set { dac_override dac_read_search };
+
+# Set system clock.
+allow init self:global_capability_class_set sys_time;
+
+allow init self:global_capability_class_set { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init {
+ fs_type
+ enforce_debugfs_restriction(`-debugfs_type')
+}:filesystem ~relabelto;
+
+# Allow init to mount/unmount debugfs in non-user builds.
+enforce_debugfs_restriction(`
+ userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
+')
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:global_capability_class_set { chown fowner fsetid };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -system_app_data_file
+ -system_dlkm_file_type
+ -system_file_type
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_dlkm_file_type
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+ file_type
+ -apex_info_file
+ -app_data_file
+ -exec_type
+ -gsi_data_file
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -runtime_event_log_tags_file
+ -shell_data_file
+ -system_app_data_file
+ -system_dlkm_file_type
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -gsi_data_file
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_dlkm_file_type
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -apex_mnt_dir
+ -app_data_file
+ -exec_type
+ -gsi_data_file
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_dlkm_file_type
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init cache_file:lnk_file r_file_perms;
+
+allow init {
+ file_type
+ -system_dlkm_file_type
+ -system_file_type
+ -vendor_file_type
+ -exec_type
+ -app_data_file
+ -privapp_data_file
+}:dir_file_class_set relabelto;
+
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow init debugfs_tracing:file w_file_perms;
+
+# Setup and control wifi event tracing (see wifi-events.rc)
+allow init debugfs_tracing_instances:dir create_dir_perms;
+allow init debugfs_tracing_instances:file w_file_perms;
+allow init debugfs_wifi_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow init {
+ fs_type
+ -contextmount_type
+ -keychord_device
+ -proc_type
+ -sdcard_type
+ -fusefs_type
+ -sysfs_type
+ -rootfs
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr };
+allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir { open read setattr search };
+
+allow init {
+ binder_device
+ console_device
+ devpts
+ dm_device
+ hwbinder_device
+ input_device
+ kmsg_device
+ null_device
+ owntty_device
+ pmsg_device
+ ptmx_device
+ random_device
+ tty_device
+ zero_device
+}:chr_file { read open };
+
+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:global_capability2_class_set syslog;
+
+# init access to /proc.
+r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
+
+userdebug_or_eng(`
+ # Overlayfs workdir write access check during mount to permit remount,rw
+ allow init overlayfs_file:dir { relabelfrom mounton write };
+ allow init overlayfs_file:file { append };
+ allow init system_block_device:blk_file { write };
+')
+
+allow init {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
+ proc_cmdline
+ proc_diskstats
+ proc_kmsg # Open /proc/kmsg for logd service.
+ proc_meminfo
+ proc_stat # Read /proc/stat for bootchart.
+ proc_uptime
+ proc_version
+}:file r_file_perms;
+
+allow init {
+ proc_abi
+ proc_bpf
+ proc_cpu_alignment
+ proc_dirty
+ proc_hostname
+ proc_hung_task
+ proc_extra_free_kbytes
+ proc_net_type
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_overcommit_memory # /proc/sys/vm/overcommit_memory
+ proc_panic
+ proc_page_cluster
+ proc_perf
+ proc_sched
+ proc_sysrq
+ proc_watermark_boost_factor
+}:file w_file_perms;
+
+allow init {
+ proc_security
+}:file rw_file_perms;
+
+# init chmod/chown access to /proc files.
+allow init {
+ proc_cmdline
+ proc_bootconfig
+ proc_kmsg
+ proc_net
+ proc_pagetypeinfo
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_sysrq
+ proc_qtaguid_ctrl
+ proc_vmallocinfo
+}:file setattr;
+
+# init access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_dm_verity
+ sysfs_leds
+ sysfs_power
+ sysfs_fs_f2fs
+ sysfs_dm
+ sysfs_lru_gen_enabled
+}:file w_file_perms;
+
+allow init {
+ sysfs_dt_firmware_android
+ sysfs_fs_ext4_features
+}:file r_file_perms;
+
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+ LOOP_SET_FD
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_GET_STATUS
+ LOOP_SET_STATUS64
+};
+
+# Allow init to write to vibrator/trigger
+allow init sysfs_vibrator:file w_file_perms;
+
+# init chmod/chown access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_devices_system_cpu
+ sysfs_ipv4
+ sysfs_leds
+ sysfs_lowmemorykiller
+ sysfs_power
+ sysfs_vibrator
+ sysfs_wake_lock
+ sysfs_zram
+}:file setattr;
+
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+
+allow init self:global_capability_class_set net_admin;
+
+# Reboot.
+allow init self:global_capability_class_set sys_boot;
+
+# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
+# Init will also walk through the directory as part of a recursive restorecon.
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };
+
+# Support "adb shell stop"
+allow init self:global_capability_class_set kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates credstore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init credstore_data_file:dir { open create read getattr setattr search };
+allow init credstore_data_file:file { getattr };
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
+
+# Init creates vold's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init vold_data_file:dir { open create read getattr setattr search };
+allow init vold_data_file:file { getattr };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:global_capability_class_set { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Create /data/property and files within it.
+allow init property_data_file:dir create_dir_perms;
+allow init property_data_file:file create_file_perms;
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:global_capability_class_set audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:global_capability_class_set net_raw;
+
+# Set scheduling info for psi monitor thread.
+# TODO: delete or revise this line b/131761776
+allow init kernel:process { getsched setsched };
+
+# swapon() needs write access to swap device
+# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
+allow init swap_block_device:blk_file rw_file_perms;
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO: Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# keychord retrieval from /dev/input/ devices
+allow init input_device:dir r_dir_perms;
+allow init input_device:chr_file rw_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# Access dm-user for OTA boot
+allow init dm_user_device:chr_file rw_file_perms;
+
+# Access metadata block device for storing dm-verity state
+allow init metadata_block_device:blk_file rw_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops to detect restarts caused
+# by dm-verity detecting corrupted blocks
+allow init pstorefs:dir search;
+allow init pstorefs:file r_file_perms;
+allow init kernel:system syslog_read;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+# Allow init to create /data/unencrypted
+allow init unencrypted_data_file:dir create_dir_perms;
+
+# Set encryption policy on dirs in /data
+allowxperm init { data_file_type unlabeled }:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+};
+
+# Raw writes to misc block device
+allow init misc_block_device:blk_file w_file_perms;
+
+r_dir_file(init, system_file)
+r_dir_file(init, system_dlkm_file_type)
+r_dir_file(init, vendor_file_type)
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;
+
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+allow init metadata_bootstat_file:dir create_dir_perms;
+allow init metadata_bootstat_file:file w_file_perms;
+allow init userspace_reboot_metadata_file:file w_file_perms;
+
+# Allow init to touch PSI monitors
+allow init proc_pressure_mem:file { rw_file_perms setattr };
+
+# init is using bootstrap bionic
+use_bootstrap_libs(init)
+
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
+# allow filesystem tuning
+allow init userdata_sysdev:file create_file_perms;
+
+# allow disk tuning
+allow init rootdisk_sysdev:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+# The init domain is only entered via an exec based transition from the
+# kernel domain, never via setcon().
+neverallow domain init:process dyntransition;
+neverallow { domain -kernel } init:process transition;
+neverallow init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow init shell_data_file:lnk_file read;
+neverallow init { app_data_file privapp_data_file }:lnk_file read;
+
+# init should never execute a program without changing to another domain.
+neverallow init { file_type fs_type }:file execute_no_trans;
+
+# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
+# when init is executing other binaries. The use of LD_PRELOAD for init spawned
+# services is generally considered a no-no, as it injects libraries which the
+# binary was not expecting. This is especially problematic for APEXes. The use
+# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
+# code into a process which wasn't expecting that code, with potentially
+# unexpected side effects. (b/140789528)
+neverallow init *:process noatsecure;
+
+# init can never add binder services
+neverallow init service_manager_type:service_manager { add find };
+# init can never list binder services
+neverallow init servicemanager:service_manager list;
+
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow init shell_data_file:dir { write add_name remove_name };
+
+# Init should not access sysfs node that are not explicitly labeled.
+neverallow init sysfs:file { open write };
+
+# No domain should be allowed to ptrace init.
+neverallow * init:process ptrace;
+
+# init owns the root of /data
+# TODO(b/140259336) We want to remove vendor_init
+# TODO(b/141108496) We want to remove toolbox
+neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
diff --git a/prebuilts/api/33.0/public/inputflinger.te b/prebuilts/api/33.0/public/inputflinger.te
new file mode 100644
index 0000000..b62c06d
--- /dev/null
+++ b/prebuilts/api/33.0/public/inputflinger.te
@@ -0,0 +1,16 @@
+# inputflinger
+type inputflinger, domain;
+type inputflinger_exec, system_file_type, exec_type, file_type;
+
+binder_use(inputflinger)
+binder_service(inputflinger)
+
+binder_call(inputflinger, system_server)
+
+wakelock_use(inputflinger)
+
+allow inputflinger input_device:dir r_dir_perms;
+allow inputflinger input_device:chr_file rw_file_perms;
+
+r_dir_file(inputflinger, cgroup)
+r_dir_file(inputflinger, cgroup_v2)
diff --git a/prebuilts/api/33.0/public/installd.te b/prebuilts/api/33.0/public/installd.te
new file mode 100644
index 0000000..46796af
--- /dev/null
+++ b/prebuilts/api/33.0/public/installd.te
@@ -0,0 +1,182 @@
+# installer daemon
+type installd, domain;
+type installd_exec, system_file_type, exec_type, file_type;
+typeattribute installd mlstrustedsubject;
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin kill };
+
+# Allow labeling of files under /data/app/com.example/oat/
+allow installd dalvikcache_data_file:dir relabelto;
+allow installd dalvikcache_data_file:file { relabelto link };
+
+# Allow movement of APK files between volumes
+allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom link };
+allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+
+allow installd asec_apk_file:file r_file_perms;
+allow installd apk_tmp_file:file { r_file_perms unlink };
+allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
+allow installd oemfs:dir r_dir_perms;
+allow installd oemfs:file r_file_perms;
+allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
+allow installd mnt_expand_file:dir { search getattr };
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+
+r_dir_file(installd, rootfs)
+# Scan through APKs in /system/app and /system/priv-app
+r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
+# Scan through JARs in /vendor/framework
+r_dir_file(installd, vendor_framework_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
+
+# Search /data/app-asec and stat files in it.
+allow installd asec_image_file:dir search;
+allow installd asec_image_file:file getattr;
+
+# Create /data/user and /data/user/0 if necessary.
+# Also required to initially create /data/data subdirectories
+# and lib symlinks before the setfilecon call. May want to
+# move symlink creation after setfilecon in installd.
+allow installd system_data_file:dir create_dir_perms;
+# Also, allow read for lnk_file so that we can process /data/user/0 links when
+# optimizing application code.
+allow installd system_data_file:lnk_file { create getattr read setattr unlink };
+
+# Manage lower filesystem via pass_through mounts
+allow installd mnt_pass_through_file:dir r_dir_perms;
+
+# Upgrade /data/media for multi-user if necessary.
+allow installd media_rw_data_file:dir create_dir_perms;
+allow installd media_rw_data_file:file { getattr unlink };
+# restorecon new /data/media directory.
+allow installd system_data_file:dir relabelfrom;
+allow installd media_rw_data_file:dir relabelto;
+
+# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd tmpfs:dir r_dir_perms;
+allow installd storage_file:dir search;
+allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
+allow installd { sdcard_type fuse }:file { getattr unlink };
+
+# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
+allow installd mirror_data_file:dir { create_dir_perms mounton };
+
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
+# Create /data/misc/installd/layout_version.* file
+allow installd install_data_file:file create_file_perms;
+allow installd install_data_file:dir rw_dir_perms;
+
+# Create files under /data/dalvik-cache.
+allow installd dalvikcache_data_file:dir create_dir_perms;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd dalvikcache_data_file:lnk_file getattr;
+
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
+
+# Upgrade from unlabeled userdata.
+# Just need enough to remove and/or relabel it.
+allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
+allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
+# Read pkg.apk file for input during dexopt.
+allow installd unlabeled:file r_file_perms;
+
+# Upgrade from before system_app_data_file was used for system UID apps.
+# Just need enough to relabel it and to unlink removed package files.
+# Directory access covered by earlier rule above.
+allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
+
+# Manage /data/data subdirectories, including initially labeling them
+# upon creation via setfilecon or running restorecon_recursive,
+# setting owner/mode, creating symlinks within them, and deleting them
+# upon package uninstall.
+allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
+allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+
+# Allow setting extended attributes (for project quota IDs) on dirs and files
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
+# Added install_data_file to be able to create file under /data/misc/installd/ioctl_check
+allowxperm installd { app_data_file_type system_data_file install_data_file}:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
+
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
+allow installd user_profile_data_file:dir { create_dir_perms relabelto };
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:file unlink;
+
+# Allow zygote to unmount mirror directories
+allow installd labeledfs:filesystem unmount;
+
+# Files created/updated by profman dumps.
+allow installd profman_dump_data_file:dir { search add_name write };
+allow installd profman_dump_data_file:file { create setattr open write };
+
+# Create and use pty created by android_fork_execvp().
+allow installd devpts:chr_file rw_file_perms;
+
+# execute toybox for app relocation
+allow installd toolbox_exec:file rx_file_perms;
+
+# Allow installd to publish a binder service and make binder calls.
+binder_use(installd)
+add_service(installd, installd_service)
+allow installd dumpstate:fifo_file { getattr write };
+
+# Allow installd to call into the system server so it can check permissions.
+binder_call(installd, system_server)
+allow installd permission_service:service_manager find;
+
+# Allow installd to read and write quotas
+allow installd block_device:dir { search };
+allow installd labeledfs:filesystem { quotaget quotamod };
+
+# Allow installd to delete from /data/preloads when trimming data caches
+# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
+allow installd preloads_data_file:file { r_file_perms unlink };
+allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow installd preloads_media_file:file { r_file_perms unlink };
+allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+# Allow installd to read /proc/filesystems
+allow installd proc_filesystems:file r_file_perms;
+
+#add for move app to sd card
+get_prop(installd, storage_config_prop)
+
+# Allow installd to access apps installed on the Incremental File System
+# Accessing files on the Incremental File System uses fds opened in the context of vold.
+allow installd vold:fd use;
+
+###
+### Neverallow rules
+###
+
+# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
+neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
+neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
+neverallow installd {
+ domain
+ -system_server
+ -servicemanager
+ userdebug_or_eng(`-su')
+}:binder call;
diff --git a/prebuilts/api/33.0/public/ioctl_defines b/prebuilts/api/33.0/public/ioctl_defines
new file mode 100644
index 0000000..fa96726
--- /dev/null
+++ b/prebuilts/api/33.0/public/ioctl_defines
@@ -0,0 +1,2752 @@
+define(`ADD_NEW_DISK', `0x40140921')
+define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
+define(`AGPIOC_ACQUIRE', `0x00004101')
+define(`AGPIOC_ALLOCATE', `0xc0084106')
+define(`AGPIOC_BIND', `0x40084108')
+define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
+define(`AGPIOC_DEALLOCATE', `0x40044107')
+define(`AGPIOC_INFO', `0x80084100')
+define(`AGPIOC_PROTECT', `0x40084105')
+define(`AGPIOC_RELEASE', `0x00004102')
+define(`AGPIOC_RESERVE', `0x40084104')
+define(`AGPIOC_SETUP', `0x40084103')
+define(`AGPIOC_UNBIND', `0x40084109')
+define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
+define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
+define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
+define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
+define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
+define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
+define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
+define(`ANDROID_ALARM_SET_RTC', `0x40106105')
+define(`ANDROID_ALARM_WAIT', `0x00006101')
+define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
+define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
+define(`APM_IOC_STANDBY', `0x00004101')
+define(`APM_IOC_SUSPEND', `0x00004102')
+define(`ASHMEM_GET_NAME', `0x81007702')
+define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
+define(`ASHMEM_GET_PROT_MASK', `0x00007706')
+define(`ASHMEM_GET_SIZE', `0x00007704')
+define(`ASHMEM_PIN', `0x40087707')
+define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
+define(`ASHMEM_SET_NAME', `0x41007701')
+define(`ASHMEM_SET_PROT_MASK', `0x40087705')
+define(`ASHMEM_SET_SIZE', `0x40087703')
+define(`ASHMEM_UNPIN', `0x40087708')
+define(`ATM_ADDADDR', `0x40106188')
+define(`ATM_ADDLECSADDR', `0x4010618e')
+define(`ATM_ADDPARTY', `0x401061f4')
+define(`ATMARPD_CTRL', `0x000061e1')
+define(`ATMARP_ENCAP', `0x000061e5')
+define(`ATMARP_MKIP', `0x000061e2')
+define(`ATMARP_SETENTRY', `0x000061e3')
+define(`ATM_DELADDR', `0x40106189')
+define(`ATM_DELLECSADDR', `0x4010618f')
+define(`ATM_DROPPARTY', `0x400461f5')
+define(`ATM_GETADDR', `0x40106186')
+define(`ATM_GETCIRANGE', `0x4010618a')
+define(`ATM_GETESI', `0x40106185')
+define(`ATM_GETLECSADDR', `0x40106190')
+define(`ATM_GETLINKRATE', `0x40106181')
+define(`ATM_GETLOOP', `0x40106152')
+define(`ATM_GETNAMES', `0x40106183')
+define(`ATM_GETSTAT', `0x40106150')
+define(`ATM_GETSTATZ', `0x40106151')
+define(`ATM_GETTYPE', `0x40106184')
+define(`ATMLEC_CTRL', `0x000061d0')
+define(`ATMLEC_DATA', `0x000061d1')
+define(`ATMLEC_MCAST', `0x000061d2')
+define(`ATMMPC_CTRL', `0x000061d8')
+define(`ATMMPC_DATA', `0x000061d9')
+define(`ATM_NEWBACKENDIF', `0x400261f3')
+define(`ATM_QUERYLOOP', `0x40106154')
+define(`ATM_RSTADDR', `0x40106187')
+define(`ATM_SETBACKEND', `0x400261f2')
+define(`ATM_SETCIRANGE', `0x4010618b')
+define(`ATM_SETESI', `0x4010618c')
+define(`ATM_SETESIF', `0x4010618d')
+define(`ATM_SETLOOP', `0x40106153')
+define(`ATM_SETSC', `0x400461f1')
+define(`ATMSIGD_CTRL', `0x000061f0')
+define(`ATMTCP_CREATE', `0x0000618e')
+define(`ATMTCP_REMOVE', `0x0000618f')
+define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
+define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
+define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
+define(`AUDIO_CONTINUE', `0x00006f04')
+define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
+define(`AUDIO_GET_PTS', `0x80086f13')
+define(`AUDIO_GET_STATUS', `0x80206f0a')
+define(`AUDIO_PAUSE', `0x00006f03')
+define(`AUDIO_PLAY', `0x00006f02')
+define(`AUDIO_SELECT_SOURCE', `0x00006f05')
+define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
+define(`AUDIO_SET_AV_SYNC', `0x00006f07')
+define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
+define(`AUDIO_SET_EXT_ID', `0x00006f10')
+define(`AUDIO_SET_ID', `0x00006f0d')
+define(`AUDIO_SET_KARAOKE', `0x400c6f12')
+define(`AUDIO_SET_MIXER', `0x40086f0e')
+define(`AUDIO_SET_MUTE', `0x00006f06')
+define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
+define(`AUDIO_STOP', `0x00006f01')
+define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
+define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
+define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
+define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
+define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
+define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
+define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
+define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
+define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
+define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
+define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
+define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
+define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
+define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
+define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
+define(`AUTOFS_IOC_CATATONIC', `0x00009362')
+define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
+define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
+define(`AUTOFS_IOC_FAIL', `0x00009361')
+define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
+define(`AUTOFS_IOC_PROTOVER', `0x80049363')
+define(`AUTOFS_IOC_READY', `0x00009360')
+define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
+define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
+define(`BC_ACQUIRE', `0x40046305')
+define(`BC_ACQUIRE_DONE', `0x40106309')
+define(`BC_ACQUIRE_RESULT', `0x40046302')
+define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
+define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
+define(`BC_DEAD_BINDER_DONE', `0x40086310')
+define(`BC_DECREFS', `0x40046307')
+define(`BC_ENTER_LOOPER', `0x0000630c')
+define(`BC_EXIT_LOOPER', `0x0000630d')
+define(`BC_FREE_BUFFER', `0x40086303')
+define(`BC_INCREFS', `0x40046304')
+define(`BC_INCREFS_DONE', `0x40106308')
+define(`BC_REGISTER_LOOPER', `0x0000630b')
+define(`BC_RELEASE', `0x40046306')
+define(`BC_REPLY', `0x40406301')
+define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
+define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
+define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
+define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
+define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
+define(`BINDER_SET_MAX_THREADS', `0x40046205')
+define(`BINDER_THREAD_EXIT', `0x40046208')
+define(`BINDER_VERSION', `0xc0046209')
+define(`BINDER_WRITE_READ', `0xc0306201')
+define(`BLKALIGNOFF', `0x0000127a')
+define(`BLKBSZGET', `0x80081270')
+define(`BLKBSZSET', `0x40081271')
+define(`BLKDISCARD', `0x00001277')
+define(`BLKDISCARDZEROES', `0x0000127c')
+define(`BLKFLSBUF', `0x00001261')
+define(`BLKFRAGET', `0x00001265')
+define(`BLKFRASET', `0x00001264')
+define(`BLKGETSIZE', `0x00001260')
+define(`BLKGETSIZE64', `0x80081272')
+define(`BLKI2OGRSTRAT', `0x80043201')
+define(`BLKI2OGWSTRAT', `0x80043202')
+define(`BLKI2OSRSTRAT', `0x40043203')
+define(`BLKI2OSWSTRAT', `0x40043204')
+define(`BLKIOMIN', `0x00001278')
+define(`BLKIOOPT', `0x00001279')
+define(`BLKPBSZGET', `0x0000127b')
+define(`BLKPG', `0x00001269')
+define(`BLKRAGET', `0x00001263')
+define(`BLKRASET', `0x00001262')
+define(`BLKROGET', `0x0000125e')
+define(`BLKROSET', `0x0000125d')
+define(`BLKROTATIONAL', `0x0000127e')
+define(`BLKRRPART', `0x0000125f')
+define(`BLKSECDISCARD', `0x0000127d')
+define(`BLKSECTGET', `0x00001267')
+define(`BLKSECTSET', `0x00001266')
+define(`BLKSSZGET', `0x00001268')
+define(`BLKTRACESETUP', `0xc0481273')
+define(`BLKTRACESTART', `0x00001274')
+define(`BLKTRACESTOP', `0x00001275')
+define(`BLKTRACETEARDOWN', `0x00001276')
+define(`BLKZEROOUT', `0x0000127f')
+define(`BR2684_SETFILT', `0x401c6190')
+define(`BR_ACQUIRE', `0x80107208')
+define(`BR_ACQUIRE_RESULT', `0x80047204')
+define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
+define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
+define(`BR_DEAD_BINDER', `0x8008720f')
+define(`BR_DEAD_REPLY', `0x00007205')
+define(`BR_DECREFS', `0x8010720a')
+define(`BR_ERROR', `0x80047200')
+define(`BR_FAILED_REPLY', `0x00007211')
+define(`BR_FINISHED', `0x0000720e')
+define(`BR_INCREFS', `0x80107207')
+define(`BR_NOOP', `0x0000720c')
+define(`BR_OK', `0x00007201')
+define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213')
+define(`BR_RELEASE', `0x80107209')
+define(`BR_REPLY', `0x80407203')
+define(`BR_SPAWN_LOOPER', `0x0000720d')
+define(`BR_TRANSACTION', `0x80407202')
+define(`BR_TRANSACTION_COMPLETE', `0x00007206')
+define(`BT819_FIFO_RESET_HIGH', `0x00006201')
+define(`BT819_FIFO_RESET_LOW', `0x00006200')
+define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
+define(`BTRFS_IOC_BALANCE', `0x5000940c')
+define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
+define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
+define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
+define(`BTRFS_IOC_CLONE', `0x40049409')
+define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
+define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
+define(`BTRFS_IOC_DEFRAG', `0x50009402')
+define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
+define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
+define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
+define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
+define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
+define(`BTRFS_IOC_FS_INFO', `0x8400941f')
+define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
+define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
+define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
+define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
+define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
+define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
+define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
+define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
+define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
+define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
+define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
+define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
+define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
+define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
+define(`BTRFS_IOC_RESIZE', `0x50009403')
+define(`BTRFS_IOC_RM_DEV', `0x5000940b')
+define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
+define(`BTRFS_IOC_SCRUB', `0xc400941b')
+define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
+define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
+define(`BTRFS_IOC_SEND', `0x40489426')
+define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
+define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
+define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
+define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
+define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
+define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
+define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
+define(`BTRFS_IOC_START_SYNC', `0x80089418')
+define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
+define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
+define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
+define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
+define(`BTRFS_IOC_SYNC', `0x00009408')
+define(`BTRFS_IOC_TRANS_END', `0x00009407')
+define(`BTRFS_IOC_TRANS_START', `0x00009406')
+define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
+define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
+define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
+define(`CA_GET_CAP', `0x80106f81')
+define(`CA_GET_DESCR_INFO', `0x80086f83')
+define(`CA_GET_MSG', `0x810c6f84')
+define(`CA_GET_SLOT_INFO', `0x800c6f82')
+define(`CAPI_CLR_FLAGS', `0x80044325')
+define(`CAPI_GET_ERRCODE', `0x80024321')
+define(`CAPI_GET_FLAGS', `0x80044323')
+define(`CAPI_GET_MANUFACTURER', `0xc0044306')
+define(`CAPI_GET_PROFILE', `0xc0404309')
+define(`CAPI_GET_SERIAL', `0xc0044308')
+define(`CAPI_GET_VERSION', `0xc0104307')
+define(`CAPI_INSTALLED', `0x80024322')
+define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
+define(`CAPI_NCCI_GETUNIT', `0x80044327')
+define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
+define(`CAPI_REGISTER', `0x400c4301')
+define(`CAPI_SET_FLAGS', `0x80044324')
+define(`CA_RESET', `0x00006f80')
+define(`CA_SEND_MSG', `0x410c6f85')
+define(`CA_SET_DESCR', `0x40106f86')
+define(`CA_SET_PID', `0x40086f87')
+define(`CCISS_BIG_PASSTHRU', `0xc0604212')
+define(`CCISS_DEREGDISK', `0x0000420c')
+define(`CCISS_GETBUSTYPES', `0x80044207')
+define(`CCISS_GETDRIVVER', `0x80044209')
+define(`CCISS_GETFIRMVER', `0x80044208')
+define(`CCISS_GETHEARTBEAT', `0x80044206')
+define(`CCISS_GETINTINFO', `0x80084202')
+define(`CCISS_GETLUNINFO', `0x800c4211')
+define(`CCISS_GETNODENAME', `0x80104204')
+define(`CCISS_GETPCIINFO', `0x80084201')
+define(`CCISS_PASSTHRU', `0xc058420b')
+define(`CCISS_REGNEWD', `0x0000420e')
+define(`CCISS_REGNEWDISK', `0x4004420d')
+define(`CCISS_RESCANDISK', `0x00004210')
+define(`CCISS_REVALIDVOLS', `0x0000420a')
+define(`CCISS_SETINTINFO', `0x40084203')
+define(`CCISS_SETNODENAME', `0x40104205')
+define(`CDROMAUDIOBUFSIZ', `0x00005382')
+define(`CDROM_CHANGER_NSLOTS', `0x00005328')
+define(`CDROM_CLEAR_OPTIONS', `0x00005321')
+define(`CDROMCLOSETRAY', `0x00005319')
+define(`CDROM_DEBUG', `0x00005330')
+define(`CDROM_DISC_STATUS', `0x00005327')
+define(`CDROM_DRIVE_STATUS', `0x00005326')
+define(`CDROMEJECT', `0x00005309')
+define(`CDROMEJECT_SW', `0x0000530f')
+define(`CDROM_GET_CAPABILITY', `0x00005331')
+define(`CDROM_GET_MCN', `0x00005311')
+define(`CDROMGETSPINDOWN', `0x0000531d')
+define(`CDROM_LAST_WRITTEN', `0x00005395')
+define(`CDROM_LOCKDOOR', `0x00005329')
+define(`CDROM_MEDIA_CHANGED', `0x00005325')
+define(`CDROMMULTISESSION', `0x00005310')
+define(`CDROM_NEXT_WRITABLE', `0x00005394')
+define(`CDROMPAUSE', `0x00005301')
+define(`CDROMPLAYBLK', `0x00005317')
+define(`CDROMPLAYMSF', `0x00005303')
+define(`CDROMPLAYTRKIND', `0x00005304')
+define(`CDROMREADALL', `0x00005318')
+define(`CDROMREADAUDIO', `0x0000530e')
+define(`CDROMREADCOOKED', `0x00005315')
+define(`CDROMREADMODE1', `0x0000530d')
+define(`CDROMREADMODE2', `0x0000530c')
+define(`CDROMREADRAW', `0x00005314')
+define(`CDROMREADTOCENTRY', `0x00005306')
+define(`CDROMREADTOCHDR', `0x00005305')
+define(`CDROMRESET', `0x00005312')
+define(`CDROMRESUME', `0x00005302')
+define(`CDROMSEEK', `0x00005316')
+define(`CDROM_SELECT_DISC', `0x00005323')
+define(`CDROM_SELECT_SPEED', `0x00005322')
+define(`CDROM_SEND_PACKET', `0x00005393')
+define(`CDROM_SET_OPTIONS', `0x00005320')
+define(`CDROMSETSPINDOWN', `0x0000531e')
+define(`CDROMSTART', `0x00005308')
+define(`CDROMSTOP', `0x00005307')
+define(`CDROMSUBCHNL', `0x0000530b')
+define(`CDROMVOLCTRL', `0x0000530a')
+define(`CDROMVOLREAD', `0x00005313')
+define(`CHIOEXCHANGE', `0x401c6302')
+define(`CHIOGELEM', `0x406c6310')
+define(`CHIOGPARAMS', `0x80146306')
+define(`CHIOGPICKER', `0x80046304')
+define(`CHIOGSTATUS', `0x40106308')
+define(`CHIOGVPARAMS', `0x80706313')
+define(`CHIOINITELEM', `0x00006311')
+define(`CHIOMOVE', `0x40146301')
+define(`CHIOPOSITION', `0x400c6303')
+define(`CHIOSPICKER', `0x40046305')
+define(`CHIOSVOLTAG', `0x40306312')
+define(`CIOC_KERNEL_VERSION', `0xc008630a')
+define(`CLEAR_ARRAY', `0x00000920')
+define(`CM_IOCARDOFF', `0x00006304')
+define(`CM_IOCGATR', `0xc0086301')
+define(`CM_IOCGSTATUS', `0x80086300')
+define(`CM_IOCSPTS', `0x40086302')
+define(`CM_IOCSRDR', `0x00006303')
+define(`CM_IOSDBGLVL', `0x400863fa')
+define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
+define(`CXL_IOCTL_START_WORK', `0x4040ca00')
+define(`DM_DEV_CREATE', `0xc138fd03')
+define(`DM_DEV_REMOVE', `0xc138fd04')
+define(`DM_DEV_RENAME', `0xc138fd05')
+define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
+define(`DM_DEV_STATUS', `0xc138fd07')
+define(`DM_DEV_SUSPEND', `0xc138fd06')
+define(`DM_DEV_WAIT', `0xc138fd08')
+define(`DM_LIST_DEVICES', `0xc138fd02')
+define(`DM_LIST_VERSIONS', `0xc138fd0d')
+define(`DM_REMOVE_ALL', `0xc138fd01')
+define(`DM_TABLE_CLEAR', `0xc138fd0a')
+define(`DM_TABLE_DEPS', `0xc138fd0b')
+define(`DM_TABLE_LOAD', `0xc138fd09')
+define(`DM_TABLE_STATUS', `0xc138fd0c')
+define(`DM_TARGET_MSG', `0xc138fd0e')
+define(`DM_VERSION', `0xc138fd00')
+define(`DMX_ADD_PID', `0x40026f33')
+define(`DMX_GET_CAPS', `0x80086f30')
+define(`DMX_GET_PES_PIDS', `0x800a6f2f')
+define(`DMX_GET_STC', `0xc0106f32')
+define(`DMX_REMOVE_PID', `0x40026f34')
+define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
+define(`DMX_SET_FILTER', `0x403c6f2b')
+define(`DMX_SET_PES_FILTER', `0x40146f2c')
+define(`DMX_SET_SOURCE', `0x40046f31')
+define(`DMX_START', `0x00006f29')
+define(`DMX_STOP', `0x00006f2a')
+define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
+define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
+define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
+define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
+define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
+define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
+define(`DRM_IOCTL_AGP_BIND', `0x40106436')
+define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
+define(`DRM_IOCTL_AGP_FREE', `0x40206435')
+define(`DRM_IOCTL_AGP_INFO', `0x80386433')
+define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
+define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
+define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
+define(`DRM_IOCTL_BLOCK', `0xc0046412')
+define(`DRM_IOCTL_CONTROL', `0x40086414')
+define(`DRM_IOCTL_DMA', `0xc0406429')
+define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
+define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
+define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
+define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
+define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
+define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
+define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
+define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
+define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
+define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
+define(`DRM_IOCTL_FINISH', `0x4008642c')
+define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
+define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
+define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
+define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
+define(`DRM_IOCTL_GET_CAP', `0xc010640c')
+define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
+define(`DRM_IOCTL_GET_CTX', `0xc0086423')
+define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
+define(`DRM_IOCTL_GET_MAP', `0xc0286404')
+define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
+define(`DRM_IOCTL_GET_STATS', `0x80f86406')
+define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
+define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
+define(`DRM_IOCTL_I810_COPY', `0x40106447')
+define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
+define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
+define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
+define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
+define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
+define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
+define(`DRM_IOCTL_I810_INIT', `0x40406440')
+define(`DRM_IOCTL_I810_MC', `0x4020644c')
+define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
+define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
+define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
+define(`DRM_IOCTL_I810_SWAP', `0x00006446')
+define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
+define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
+define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
+define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
+define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
+define(`DRM_IOCTL_I915_FLIP', `0x00006442')
+define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
+define(`DRM_IOCTL_I915_FREE', `0x40086449')
+define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
+define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
+define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
+define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
+define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
+define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
+define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
+define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
+define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
+define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
+define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
+define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
+define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
+define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
+define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
+define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
+define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
+define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
+define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
+define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
+define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
+define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
+define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
+define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
+define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
+define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
+define(`DRM_IOCTL_I915_INIT', `0x40446440')
+define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
+define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
+define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
+define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
+define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
+define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
+define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
+define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
+define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
+define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
+define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
+define(`DRM_IOCTL_LOCK', `0x4008642a')
+define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
+define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
+define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
+define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
+define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
+define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
+define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
+define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
+define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
+define(`DRM_IOCTL_MGA_INIT', `0x40806440')
+define(`DRM_IOCTL_MGA_RESET', `0x00006442')
+define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
+define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
+define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
+define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
+define(`DRM_IOCTL_MOD_CTX', `0x40086422')
+define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
+define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
+define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
+define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
+define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
+define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
+define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
+define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
+define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
+define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
+define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
+define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
+define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
+define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
+define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
+define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
+define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
+define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
+define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
+define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
+define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
+define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
+define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
+define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
+define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
+define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
+define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
+define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
+define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
+define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
+define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
+define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
+define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
+define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
+define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
+define(`DRM_IOCTL_NEW_CTX', `0x40086425')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
+define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
+define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
+define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
+define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
+define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
+define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
+define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
+define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
+define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
+define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
+define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
+define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
+define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
+define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
+define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
+define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
+define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
+define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
+define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
+define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
+define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
+define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
+define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
+define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
+define(`DRM_IOCTL_R128_FLIP', `0x00006453')
+define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
+define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
+define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
+define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
+define(`DRM_IOCTL_R128_INIT', `0x40786440')
+define(`DRM_IOCTL_R128_RESET', `0x00006446')
+define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
+define(`DRM_IOCTL_R128_SWAP', `0x00006447')
+define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
+define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
+define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
+define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
+define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
+define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
+define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
+define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
+define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
+define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
+define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
+define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
+define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
+define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
+define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
+define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
+define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
+define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
+define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
+define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
+define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
+define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
+define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
+define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
+define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
+define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
+define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
+define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
+define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
+define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
+define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
+define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
+define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
+define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
+define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
+define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
+define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
+define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
+define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
+define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
+define(`DRM_IOCTL_RES_CTX', `0xc0106426')
+define(`DRM_IOCTL_RM_CTX', `0xc0086421')
+define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
+define(`DRM_IOCTL_RM_MAP', `0x4028641b')
+define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
+define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
+define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
+define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
+define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
+define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
+define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
+define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
+define(`DRM_IOCTL_SG_FREE', `0x40106439')
+define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
+define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
+define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
+define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
+define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
+define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
+define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
+define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
+define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
+define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
+define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
+define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
+define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
+define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
+define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
+define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
+define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
+define(`DRM_IOCTL_UNLOCK', `0x4008642b')
+define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
+define(`DRM_IOCTL_VERSION', `0xc0406400')
+define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
+define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
+define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
+define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
+define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
+define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
+define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
+define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
+define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
+define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
+define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
+define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
+define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
+define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
+define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
+define(`DVD_AUTH', `0x00005392')
+define(`DVD_READ_STRUCT', `0x00005390')
+define(`DVD_WRITE_STRUCT', `0x00005391')
+define(`ECCGETLAYOUT', `0x81484d11')
+define(`ECCGETSTATS', `0x80104d12')
+define(`ENI_MEMDUMP', `0x40106160')
+define(`ENI_SETMULT', `0x40106167')
+define(`EVIOCGEFFECTS', `0x80044584')
+define(`EVIOCGID', `0x80084502')
+define(`EVIOCGKEYCODE', `0x80084504')
+define(`EVIOCGKEYCODE_V2', `0x80284504')
+define(`EVIOCGRAB', `0x40044590')
+define(`EVIOCGREP', `0x80084503')
+define(`EVIOCGVERSION', `0x80044501')
+define(`EVIOCREVOKE', `0x40044591')
+define(`EVIOCRMFF', `0x40044581')
+define(`EVIOCSCLOCKID', `0x400445a0')
+define(`EVIOCSFF', `0x40304580')
+define(`EVIOCSKEYCODE', `0x40084504')
+define(`EVIOCSKEYCODE_V2', `0x40284504')
+define(`EVIOCSREP', `0x40084503')
+define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
+define(`F2FS_IOC_COMMIT_ATOMIC_WRITE', `0xf502')
+define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
+define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
+define(`F2FS_IOC_ABORT_VOLATILE_WRITE', `0xf505')
+define(`F2FS_IOC_GARBAGE_COLLECT', `0xf506')
+define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
+define(`F2FS_IOC_DEFRAGMENT', `0xf508')
+define(`F2FS_IOC_MOVE_RANGE', `0xf509')
+define(`F2FS_IOC_FLUSH_DEVICE', `0xf50a')
+define(`F2FS_IOC_GARBAGE_COLLECT_RANGE', `0xf50b')
+define(`F2FS_IOC_GET_FEATURES', `0xf50c')
+define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
+define(`F2FS_IOC_GET_PIN_FILE', `0xf50e')
+define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
+define(`F2FS_IOC_RESIZE_FS', `0xf510')
+define(`F2FS_IOC_GET_COMPRESS_BLOCKS', `0xf511')
+define(`F2FS_IOC_RELEASE_COMPRESS_BLOCKS', `0xf512')
+define(`F2FS_IOC_RESERVE_COMPRESS_BLOCKS', `0xf513')
+define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
+define(`F2FS_IOC_GET_COMPRESS_OPTION', `0xf515')
+define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
+define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
+define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
+define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
+define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
+define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
+define(`FBIGET_BRIGHTNESS', `0x80044603')
+define(`FBIGET_COLOR', `0x80044605')
+define(`FBIO_ALLOC', `0x00004613')
+define(`FBIOBLANK', `0x00004611')
+define(`FBIO_CURSOR', `0xc0684608')
+define(`FBIO_FREE', `0x00004614')
+define(`FBIOGETCMAP', `0x00004604')
+define(`FBIOGET_CON2FBMAP', `0x0000460f')
+define(`FBIOGET_CONTRAST', `0x80044601')
+define(`FBIO_GETCONTROL2', `0x80084689')
+define(`FBIOGET_DISPINFO', `0x00004618')
+define(`FBIOGET_FSCREENINFO', `0x00004602')
+define(`FBIOGET_GLYPH', `0x00004615')
+define(`FBIOGET_HWCINFO', `0x00004616')
+define(`FBIOGET_VBLANK', `0x80204612')
+define(`FBIOGET_VSCREENINFO', `0x00004600')
+define(`FBIOPAN_DISPLAY', `0x00004606')
+define(`FBIOPUTCMAP', `0x00004605')
+define(`FBIOPUT_CON2FBMAP', `0x00004610')
+define(`FBIOPUT_CONTRAST', `0x40044602')
+define(`FBIOPUT_MODEINFO', `0x00004617')
+define(`FBIOPUT_VSCREENINFO', `0x00004601')
+define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
+define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
+define(`FBIO_WAITEVENT', `0x00004688')
+define(`FBIO_WAITFORVSYNC', `0x40044620')
+define(`FBIPUT_BRIGHTNESS', `0x40044603')
+define(`FBIPUT_COLOR', `0x40044606')
+define(`FBIPUT_HSYNC', `0x40044609')
+define(`FBIPUT_VSYNC', `0x4004460a')
+define(`FDCLRPRM', `0x00000241')
+define(`FDDEFPRM', `0x40200243')
+define(`FDEJECT', `0x0000025a')
+define(`FDFLUSH', `0x0000024b')
+define(`FDFMTBEG', `0x00000247')
+define(`FDFMTEND', `0x00000249')
+define(`FDFMTTRK', `0x400c0248')
+define(`FDGETDRVPRM', `0x80800211')
+define(`FDGETDRVSTAT', `0x80500212')
+define(`FDGETDRVTYP', `0x8010020f')
+define(`FDGETFDCSTAT', `0x80280215')
+define(`FDGETMAXERRS', `0x8014020e')
+define(`FDGETPRM', `0x80200204')
+define(`FDMSGOFF', `0x00000246')
+define(`FDMSGON', `0x00000245')
+define(`FDPOLLDRVSTAT', `0x80500213')
+define(`FDRAWCMD', `0x00000258')
+define(`FDRESET', `0x00000254')
+define(`FDSETDRVPRM', `0x40800290')
+define(`FDSETEMSGTRESH', `0x0000024a')
+define(`FDSETMAXERRS', `0x4014024c')
+define(`FDSETPRM', `0x40200242')
+define(`FDTWADDLE', `0x00000259')
+define(`FDWERRORCLR', `0x00000256')
+define(`FDWERRORGET', `0x80280217')
+define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
+define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
+define(`FE_DISEQC_SEND_BURST', `0x00006f41')
+define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
+define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
+define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
+define(`FE_GET_EVENT', `0x80286f4e')
+define(`FE_GET_FRONTEND', `0x80246f4d')
+define(`FE_GET_INFO', `0x80a86f3d')
+define(`FE_GET_PROPERTY', `0x80106f53')
+define(`FE_READ_BER', `0x80046f46')
+define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
+define(`FE_READ_SNR', `0x80026f48')
+define(`FE_READ_STATUS', `0x80046f45')
+define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
+define(`FE_SET_FRONTEND', `0x40246f4c')
+define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
+define(`FE_SET_PROPERTY', `0x40106f52')
+define(`FE_SET_TONE', `0x00006f42')
+define(`FE_SET_VOLTAGE', `0x00006f43')
+define(`FIBMAP', `0x00000001')
+define(`FIFREEZE', `0xc0045877')
+define(`FIGETBSZ', `0x00000002')
+define(`FIOASYNC', `0x00005452')
+define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
+define(`FIOGETOWN', `0x00008903')
+define(`FIONBIO', `0x00005421')
+define(`FIONCLEX', ifelse(target_arch, mips, 0x00006602, 0x00005450))
+define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
+define(`FIOQSIZE', `0x00005460')
+define(`FIOSETOWN', `0x00008901')
+define(`FITHAW', `0xc0045878')
+define(`FITRIM', `0xc0185879')
+define(`FS_IOC32_GETFLAGS', `0x80046601')
+define(`FS_IOC32_GETVERSION', `0x80047601')
+define(`FS_IOC32_SETFLAGS', `0x40046602')
+define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
+define(`FS_IOC_ENABLE_VERITY', `0x6685')
+define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`FS_IOC_FSGETXATTR', `0x801c581f')
+define(`FS_IOC_FSSETXATTR', `0x401c5820')
+define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
+define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
+define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
+define(`FS_IOC_GETFLAGS', `0x80086601')
+define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
+define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
+define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
+define(`FS_IOC_SETFLAGS', `0x40086602')
+define(`FS_IOC_SETVERSION', `0x40087602')
+define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
+define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
+define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
+define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
+define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
+define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
+define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
+define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
+define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
+define(`FUNCTIONFS_ENDPOINT_ALLOC', `0x000067e7')
+define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
+define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
+define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
+define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
+define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
+define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
+define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
+define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
+define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
+define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
+define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
+define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
+define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
+define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
+define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
+define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
+define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
+define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
+define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
+define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
+define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
+define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
+define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
+define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
+define(`GADGETFS_CLEAR_HALT', `0x00006703')
+define(`GADGETFS_FIFO_FLUSH', `0x00006702')
+define(`GADGETFS_FIFO_STATUS', `0x00006701')
+define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
+define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
+define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
+define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
+define(`GENWQE_GET_CARD_STATE', `0x8004a524')
+define(`GENWQE_PIN_MEM', `0xc020a528')
+define(`GENWQE_READ_REG16', `0x8010a522')
+define(`GENWQE_READ_REG32', `0x8010a520')
+define(`GENWQE_READ_REG64', `0x8010a51e')
+define(`GENWQE_SLU_READ', `0xc038a551')
+define(`GENWQE_SLU_UPDATE', `0xc038a550')
+define(`GENWQE_UNPIN_MEM', `0xc020a529')
+define(`GENWQE_WRITE_REG16', `0x4010a523')
+define(`GENWQE_WRITE_REG32', `0x4010a521')
+define(`GENWQE_WRITE_REG64', `0x4010a51f')
+define(`GET_ARRAY_INFO', `0x80480911')
+define(`GET_BITMAP_FILE', `0x90000915')
+define(`GET_DISK_INFO', `0x80140912')
+define(`GIGASET_BRKCHARS', `0x40064702')
+define(`GIGASET_CONFIG', `0xc0044701')
+define(`GIGASET_REDIR', `0xc0044700')
+define(`GIGASET_VERSION', `0xc0104703')
+define(`GIO_CMAP', `0x00004b70')
+define(`GIO_FONT', `0x00004b60')
+define(`GIO_FONTX', `0x00004b6b')
+define(`GIO_SCRNMAP', `0x00004b40')
+define(`GIO_UNIMAP', `0x00004b66')
+define(`GIO_UNISCRNMAP', `0x00004b69')
+define(`GSMIOC_DISABLE_NET', `0x00004703')
+define(`GSMIOC_ENABLE_NET', `0x40344702')
+define(`GSMIOC_GETCONF', `0x804c4700')
+define(`GSMIOC_SETCONF', `0x404c4701')
+define(`HCIBLOCKADDR', `0x400448e6')
+define(`HCIDEVDOWN', `0x400448ca')
+define(`HCIDEVRESET', `0x400448cb')
+define(`HCIDEVRESTAT', `0x400448cc')
+define(`HCIDEVUP', `0x400448c9')
+define(`HCIGETAUTHINFO', `0x800448d7')
+define(`HCIGETCONNINFO', `0x800448d5')
+define(`HCIGETCONNLIST', `0x800448d4')
+define(`HCIGETDEVINFO', `0x800448d3')
+define(`HCIGETDEVLIST', `0x800448d2')
+define(`HCIINQUIRY', `0x800448f0')
+define(`HCISETACLMTU', `0x400448e3')
+define(`HCISETAUTH', `0x400448de')
+define(`HCISETENCRYPT', `0x400448df')
+define(`HCISETLINKMODE', `0x400448e2')
+define(`HCISETLINKPOL', `0x400448e1')
+define(`HCISETPTYPE', `0x400448e0')
+define(`HCISETRAW', `0x400448dc')
+define(`HCISETSCAN', `0x400448dd')
+define(`HCISETSCOMTU', `0x400448e4')
+define(`HCIUNBLOCKADDR', `0x400448e7')
+define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
+define(`HDA_IOCTL_PVERSION', `0x80044810')
+define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
+define(`HDIO_DRIVE_CMD', `0x0000031f')
+define(`HDIO_DRIVE_RESET', `0x0000031c')
+define(`HDIO_DRIVE_TASK', `0x0000031e')
+define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
+define(`HDIO_GET_32BIT', `0x00000309')
+define(`HDIO_GET_ACOUSTIC', `0x0000030f')
+define(`HDIO_GET_ADDRESS', `0x00000310')
+define(`HDIO_GET_BUSSTATE', `0x0000031a')
+define(`HDIO_GET_DMA', `0x0000030b')
+define(`HDIO_GETGEO', `0x00000301')
+define(`HDIO_GET_IDENTITY', `0x0000030d')
+define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
+define(`HDIO_GET_MULTCOUNT', `0x00000304')
+define(`HDIO_GET_NICE', `0x0000030c')
+define(`HDIO_GET_NOWERR', `0x0000030a')
+define(`HDIO_GET_QDMA', `0x00000305')
+define(`HDIO_GET_UNMASKINTR', `0x00000302')
+define(`HDIO_GET_WCACHE', `0x0000030e')
+define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
+define(`HDIO_SCAN_HWIF', `0x00000328')
+define(`HDIO_SET_32BIT', `0x00000324')
+define(`HDIO_SET_ACOUSTIC', `0x0000032c')
+define(`HDIO_SET_ADDRESS', `0x0000032f')
+define(`HDIO_SET_BUSSTATE', `0x0000032d')
+define(`HDIO_SET_DMA', `0x00000326')
+define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
+define(`HDIO_SET_MULTCOUNT', `0x00000321')
+define(`HDIO_SET_NICE', `0x00000329')
+define(`HDIO_SET_NOWERR', `0x00000325')
+define(`HDIO_SET_PIO_MODE', `0x00000327')
+define(`HDIO_SET_QDMA', `0x0000032e')
+define(`HDIO_SET_UNMASKINTR', `0x00000322')
+define(`HDIO_SET_WCACHE', `0x0000032b')
+define(`HDIO_SET_XFER', `0x00000306')
+define(`HDIO_TRISTATE_HWIF', `0x0000031b')
+define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
+define(`HE_GET_REG', `0x40106160')
+define(`HIDIOCAPPLICATION', `0x00004802')
+define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
+define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
+define(`HIDIOCGDEVINFO', `0x801c4803')
+define(`HIDIOCGFIELDINFO', `0xc038480a')
+define(`HIDIOCGFLAG', `0x8004480e')
+define(`HIDIOCGRAWINFO', `0x80084803')
+define(`HIDIOCGRDESC', `0x90044802')
+define(`HIDIOCGRDESCSIZE', `0x80044801')
+define(`HIDIOCGREPORT', `0x400c4807')
+define(`HIDIOCGREPORTINFO', `0xc00c4809')
+define(`HIDIOCGSTRING', `0x81044804')
+define(`HIDIOCGUCODE', `0xc018480d')
+define(`HIDIOCGUSAGE', `0xc018480b')
+define(`HIDIOCGUSAGES', `0xd01c4813')
+define(`HIDIOCGVERSION', `0x80044801')
+define(`HIDIOCINITREPORT', `0x00004805')
+define(`HIDIOCSFLAG', `0x4004480f')
+define(`HIDIOCSREPORT', `0x400c4808')
+define(`HIDIOCSUSAGE', `0x4018480c')
+define(`HIDIOCSUSAGES', `0x501c4814')
+define(`HOT_ADD_DISK', `0x00000928')
+define(`HOT_GENERATE_ERROR', `0x0000092a')
+define(`HOT_REMOVE_DISK', `0x00000922')
+define(`HPET_DPI', `0x00006805')
+define(`HPET_EPI', `0x00006804')
+define(`HPET_IE_OFF', `0x00006802')
+define(`HPET_IE_ON', `0x00006801')
+define(`HPET_INFO', `0x80186803')
+define(`HPET_IRQFREQ', `0x40086806')
+define(`HSC_GET_RX', `0x400c6b14')
+define(`HSC_GET_TX', `0x40106b16')
+define(`HSC_RESET', `0x00006b10')
+define(`HSC_SEND_BREAK', `0x00006b12')
+define(`HSC_SET_PM', `0x00006b11')
+define(`HSC_SET_RX', `0x400c6b13')
+define(`HSC_SET_TX', `0x40106b15')
+define(`I2OEVTGET', `0x8068690b')
+define(`I2OEVTREG', `0x400c690a')
+define(`I2OGETIOPS', `0x80206900')
+define(`I2OHRTGET', `0xc0186901')
+define(`I2OHTML', `0xc0306909')
+define(`I2OLCTGET', `0xc0186902')
+define(`I2OPARMGET', `0xc0286904')
+define(`I2OPARMSET', `0xc0286903')
+define(`I2OPASSTHRU', `0x8010690c')
+define(`I2OPASSTHRU32', `0x8008690c')
+define(`I2OSWDEL', `0xc0306907')
+define(`I2OSWDL', `0xc0306905')
+define(`I2OSWUL', `0xc0306906')
+define(`I2OVALIDATE', `0x80046908')
+define(`I8K_BIOS_VERSION', `0x80046980')
+define(`I8K_FN_STATUS', `0x80086983')
+define(`I8K_GET_FAN', `0xc0086986')
+define(`I8K_GET_SPEED', `0xc0086985')
+define(`I8K_GET_TEMP', `0x80086984')
+define(`I8K_MACHINE_ID', `0x80046981')
+define(`I8K_POWER_STATUS', `0x80086982')
+define(`I8K_SET_FAN', `0xc0086987')
+define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
+define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
+define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
+define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
+define(`IDT77105_GETSTAT', `0x40106132')
+define(`IDT77105_GETSTATZ', `0x40106133')
+define(`IIOCDBGVAR', `0x0000497f')
+define(`IIOCDRVCTL', `0x00004980')
+define(`IIOCGETCPS', `0x00004915')
+define(`IIOCGETDVR', `0x00004916')
+define(`IIOCGETMAP', `0x00004911')
+define(`IIOCGETPRF', `0x0000490f')
+define(`IIOCGETSET', `0x00004908')
+define(`IIOCNETAIF', `0x00004901')
+define(`IIOCNETALN', `0x00004920')
+define(`IIOCNETANM', `0x00004905')
+define(`IIOCNETASL', `0x00004913')
+define(`IIOCNETDIF', `0x00004902')
+define(`IIOCNETDIL', `0x00004914')
+define(`IIOCNETDLN', `0x00004921')
+define(`IIOCNETDNM', `0x00004906')
+define(`IIOCNETDWRSET', `0x00004918')
+define(`IIOCNETGCF', `0x00004904')
+define(`IIOCNETGNM', `0x00004907')
+define(`IIOCNETGPN', `0x00004922')
+define(`IIOCNETHUP', `0x0000490b')
+define(`IIOCNETLCR', `0x00004917')
+define(`IIOCNETSCF', `0x00004903')
+define(`IIOCSETBRJ', `0x0000490d')
+define(`IIOCSETGST', `0x0000490c')
+define(`IIOCSETMAP', `0x00004912')
+define(`IIOCSETPRF', `0x00004910')
+define(`IIOCSETSET', `0x00004909')
+define(`IIOCSETVER', `0x0000490a')
+define(`IIOCSIGPRF', `0x0000490e')
+define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
+define(`IMADDTIMER', `0x80044940')
+define(`IMCLEAR_L2', `0x80044946')
+define(`IMCTRLREQ', `0x80044945')
+define(`IMDELTIMER', `0x80044941')
+define(`IMGETCOUNT', `0x80044943')
+define(`IMGETDEVINFO', `0x80044944')
+define(`IMGETVERSION', `0x80044942')
+define(`IMHOLD_L1', `0x80044948')
+define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
+define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
+define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
+define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
+define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
+define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
+define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
+define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
+define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
+define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
+define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
+define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
+define(`IOCTL_EVTCHN_RESET', `0x00004505')
+define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
+define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
+define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
+define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
+define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
+define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
+define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
+define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
+define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
+define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
+define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
+define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
+define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
+define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
+define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
+define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
+define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
+define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
+define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
+define(`IOCTL_VMCI_VERSION', `0x0000079f')
+define(`IOCTL_VMCI_VERSION2', `0x000007a7')
+define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
+define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
+define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
+define(`ION_IOC_ALLOC', `0xc0204900')
+define(`ION_IOC_CUSTOM', `0xc0104906')
+define(`ION_IOC_FREE', `0xc0044901')
+define(`ION_IOC_IMPORT', `0xc0084905')
+define(`ION_IOC_MAP', `0xc0084902')
+define(`ION_IOC_SHARE', `0xc0084904')
+define(`ION_IOC_SYNC', `0xc0084907')
+define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
+define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
+define(`ION_IOC_TEST_SET_FD', `0x000049f0')
+define(`IOW_GETINFO', `0x8028c003')
+define(`IOW_READ', `0x4008c002')
+define(`IOW_WRITE', `0x4008c001')
+define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
+define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
+define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
+define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
+define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
+define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
+define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
+define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
+define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
+define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
+define(`IPMICTL_SEND_COMMAND', `0x8028690d')
+define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
+define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
+define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
+define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
+define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
+define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
+define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
+define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
+define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
+define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
+define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
+define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
+define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
+define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
+define(`IXJCTL_AEC_START', `0x400471cb')
+define(`IXJCTL_AEC_STOP', `0x000071cc')
+define(`IXJCTL_CARDTYPE', `0x800471c1')
+define(`IXJCTL_CID', `0x800871d4')
+define(`IXJCTL_CIDCW', `0x400871d9')
+define(`IXJCTL_DAA_AGAIN', `0x400471d2')
+define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
+define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
+define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
+define(`IXJCTL_DSP_IDLE', `0x000071c5')
+define(`IXJCTL_DSP_RESET', `0x000071c0')
+define(`IXJCTL_DSP_TYPE', `0x800471c3')
+define(`IXJCTL_DSP_VERSION', `0x800471c4')
+define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
+define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
+define(`IXJCTL_FRAMES_READ', `0x800871e2')
+define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
+define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
+define(`IXJCTL_HZ', `0x400471e0')
+define(`IXJCTL_INIT_TONE', `0x400871c9')
+define(`IXJCTL_INTERCOM_START', `0x400471fd')
+define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
+define(`IXJCTL_MIXER', `0x400471cf')
+define(`IXJCTL_PLAY_CID', `0x000071d7')
+define(`IXJCTL_PORT', `0x400471d1')
+define(`IXJCTL_POTS_PSTN', `0x400471d5')
+define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
+define(`IXJCTL_RATE', `0x400471e1')
+define(`IXJCTL_READ_WAIT', `0x800871e4')
+define(`IXJCTL_SC_RXG', `0x400471ea')
+define(`IXJCTL_SC_TXG', `0x400471eb')
+define(`IXJCTL_SERIAL', `0x800471c2')
+define(`IXJCTL_SET_FILTER', `0x400871c7')
+define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
+define(`IXJCTL_SET_LED', `0x400471ce')
+define(`IXJCTL_SIGCTL', `0x400871e9')
+define(`IXJCTL_TESTRAM', `0x000071c6')
+define(`IXJCTL_TONE_CADENCE', `0x400871ca')
+define(`IXJCTL_VERSION', `0x800871da')
+define(`IXJCTL_VMWI', `0x800471d8')
+define(`IXJCTL_WRITE_WAIT', `0x800871e5')
+define(`JSIOCGAXES', `0x80016a11')
+define(`JSIOCGAXMAP', `0x80406a32')
+define(`JSIOCGBTNMAP', `0x84006a34')
+define(`JSIOCGBUTTONS', `0x80016a12')
+define(`JSIOCGCORR', `0x80246a22')
+define(`JSIOCGVERSION', `0x80046a01')
+define(`JSIOCSAXMAP', `0x40406a31')
+define(`JSIOCSBTNMAP', `0x44006a33')
+define(`JSIOCSCORR', `0x40246a21')
+define(`KCOV_DISABLE', `0x00006365')
+define(`KCOV_ENABLE', `0x00006364')
+define(`KCOV_INIT_TRACE', `0x80086301')
+define(`KDADDIO', `0x00004b34')
+define(`KDDELIO', `0x00004b35')
+define(`KDDISABIO', `0x00004b37')
+define(`KDENABIO', `0x00004b36')
+define(`KDFONTOP', `0x00004b72')
+define(`KDGETKEYCODE', `0x00004b4c')
+define(`KDGETLED', `0x00004b31')
+define(`KDGETMODE', `0x00004b3b')
+define(`KDGKBDIACR', `0x00004b4a')
+define(`KDGKBDIACRUC', `0x00004bfa')
+define(`KDGKBENT', `0x00004b46')
+define(`KDGKBLED', `0x00004b64')
+define(`KDGKBMETA', `0x00004b62')
+define(`KDGKBMODE', `0x00004b44')
+define(`KDGKBSENT', `0x00004b48')
+define(`KDGKBTYPE', `0x00004b33')
+define(`KDKBDREP', `0x00004b52')
+define(`KDMAPDISP', `0x00004b3c')
+define(`KDMKTONE', `0x00004b30')
+define(`KDSETKEYCODE', `0x00004b4d')
+define(`KDSETLED', `0x00004b32')
+define(`KDSETMODE', `0x00004b3a')
+define(`KDSIGACCEPT', `0x00004b4e')
+define(`KDSKBDIACR', `0x00004b4b')
+define(`KDSKBDIACRUC', `0x00004bfb')
+define(`KDSKBENT', `0x00004b47')
+define(`KDSKBLED', `0x00004b65')
+define(`KDSKBMETA', `0x00004b63')
+define(`KDSKBMODE', `0x00004b45')
+define(`KDSKBSENT', `0x00004b49')
+define(`KDUNMAPDISP', `0x00004b3d')
+define(`KIOCSOUND', `0x00004b2f')
+define(`KVM_ALLOCATE_RMA', `0x8008aea9')
+define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
+define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
+define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
+define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
+define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
+define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
+define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
+define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
+define(`KVM_CHECK_EXTENSION', `0x0000ae03')
+define(`KVM_CREATE_DEVICE', `0xc00caee0')
+define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
+define(`KVM_CREATE_PIT', `0x0000ae64')
+define(`KVM_CREATE_PIT2', `0x4040ae77')
+define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
+define(`KVM_CREATE_VCPU', `0x0000ae41')
+define(`KVM_CREATE_VM', `0x0000ae01')
+define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
+define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
+define(`KVM_DIRTY_TLB', `0x4010aeaa')
+define(`KVM_ENABLE_CAP', `0x4068aea3')
+define(`KVM_GET_API_VERSION', `0x0000ae00')
+define(`KVM_GET_CLOCK', `0x8030ae7c')
+define(`KVM_GET_CPUID2', `0xc008ae91')
+define(`KVM_GET_DEBUGREGS', `0x8080aea1')
+define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
+define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
+define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
+define(`KVM_GET_FPU', `0x81a0ae8c')
+define(`KVM_GET_IRQCHIP', `0xc208ae62')
+define(`KVM_GET_LAPIC', `0x8400ae8e')
+define(`KVM_GET_MP_STATE', `0x8004ae98')
+define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
+define(`KVM_GET_MSRS', `0xc008ae88')
+define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
+define(`KVM_GET_ONE_REG', `0x4010aeab')
+define(`KVM_GET_PIT', `0xc048ae65')
+define(`KVM_GET_PIT2', `0x8070ae9f')
+define(`KVM_GET_REG_LIST', `0xc008aeb0')
+define(`KVM_GET_REGS', `0x8090ae81')
+define(`KVM_GET_SREGS', `0x8138ae83')
+define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
+define(`KVM_GET_TSC_KHZ', `0x0000aea3')
+define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
+define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
+define(`KVM_GET_XCRS', `0x8188aea6')
+define(`KVM_GET_XSAVE', `0x9000aea4')
+define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
+define(`KVM_INTERRUPT', `0x4004ae86')
+define(`KVM_IOEVENTFD', `0x4040ae79')
+define(`KVM_IRQFD', `0x4020ae76')
+define(`KVM_IRQ_LINE', `0x4008ae61')
+define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
+define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
+define(`KVM_NMI', `0x0000ae9a')
+define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
+define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
+define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
+define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
+define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
+define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
+define(`KVM_REINJECT_CONTROL', `0x0000ae71')
+define(`KVM_RUN', `0x0000ae80')
+define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
+define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
+define(`KVM_S390_INTERRUPT', `0x4010ae94')
+define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
+define(`KVM_S390_STORE_STATUS', `0x4008ae95')
+define(`KVM_S390_UCAS_MAP', `0x4018ae50')
+define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
+define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
+define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
+define(`KVM_SET_CLOCK', `0x4030ae7b')
+define(`KVM_SET_CPUID', `0x4008ae8a')
+define(`KVM_SET_CPUID2', `0x4008ae90')
+define(`KVM_SET_DEBUGREGS', `0x4080aea2')
+define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
+define(`KVM_SET_FPU', `0x41a0ae8d')
+define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
+define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
+define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
+define(`KVM_SET_IRQCHIP', `0x8208ae63')
+define(`KVM_SET_LAPIC', `0x4400ae8f')
+define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
+define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
+define(`KVM_SET_MP_STATE', `0x4004ae99')
+define(`KVM_SET_MSRS', `0x4008ae89')
+define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
+define(`KVM_SET_ONE_REG', `0x4010aeac')
+define(`KVM_SET_PIT', `0x8048ae66')
+define(`KVM_SET_PIT2', `0x4070aea0')
+define(`KVM_SET_REGS', `0x4090ae82')
+define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
+define(`KVM_SET_SREGS', `0x4138ae84')
+define(`KVM_SET_TSC_KHZ', `0x0000aea2')
+define(`KVM_SET_TSS_ADDR', `0x0000ae47')
+define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
+define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
+define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
+define(`KVM_SET_XCRS', `0x4188aea7')
+define(`KVM_SET_XSAVE', `0x5000aea5')
+define(`KVM_SIGNAL_MSI', `0x4020aea5')
+define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
+define(`KVM_TRANSLATE', `0xc018ae85')
+define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
+define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
+define(`KVM_X86_SET_MCE', `0x4040ae9e')
+define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
+define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
+define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
+define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
+define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
+define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
+define(`KYRO_IOCTL_STRIDE', `0x00006b05')
+define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
+define(`LIRC_GET_FEATURES', `0x80046900')
+define(`LIRC_GET_LENGTH', `0x8004690f')
+define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
+define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
+define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
+define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
+define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
+define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
+define(`LIRC_GET_REC_CARRIER', `0x80046904')
+define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
+define(`LIRC_GET_REC_MODE', `0x80046902')
+define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
+define(`LIRC_GET_SEND_CARRIER', `0x80046903')
+define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
+define(`LIRC_GET_SEND_MODE', `0x80046901')
+define(`LIRC_NOTIFY_DECODE', `0x00006920')
+define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
+define(`LIRC_SET_REC_CARRIER', `0x40046914')
+define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
+define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
+define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
+define(`LIRC_SET_REC_FILTER', `0x4004691c')
+define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
+define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
+define(`LIRC_SET_REC_MODE', `0x40046912')
+define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
+define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
+define(`LIRC_SET_SEND_CARRIER', `0x40046913')
+define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
+define(`LIRC_SET_SEND_MODE', `0x40046911')
+define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
+define(`LIRC_SETUP_END', `0x00006922')
+define(`LIRC_SETUP_START', `0x00006921')
+define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
+define(`LOGGER_FLUSH_LOG', `0x0000ae04')
+define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
+define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
+define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
+define(`LOGGER_GET_VERSION', `0x0000ae05')
+define(`LOGGER_SET_VERSION', `0x0000ae06')
+define(`LOOP_CHANGE_FD', `0x00004c06')
+define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_CONFIGURE', `0x00004c0a')
+define(`LOOP_CTL_ADD', `0x00004c80')
+define(`LOOP_CTL_GET_FREE', `0x00004c82')
+define(`LOOP_CTL_REMOVE', `0x00004c81')
+define(`LOOP_GET_STATUS', `0x00004c03')
+define(`LOOP_GET_STATUS64', `0x00004c05')
+define(`LOOP_SET_BLOCK_SIZE', `0x00004c09')
+define(`LOOP_SET_CAPACITY', `0x00004c07')
+define(`LOOP_SET_DIRECT_IO', `0x00004c08')
+define(`LOOP_SET_FD', `0x00004c00')
+define(`LOOP_SET_STATUS', `0x00004c02')
+define(`LOOP_SET_STATUS64', `0x00004c04')
+define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
+define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
+define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
+define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
+define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
+define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
+define(`MBXFB_IOCG_ALPHA', `0x8018f401')
+define(`MBXFB_IOCS_ALPHA', `0x4018f402')
+define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
+define(`MBXFB_IOCS_REG', `0x400cf404')
+define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
+define(`MBXFB_IOCX_REG', `0xc00cf405')
+define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
+define(`MCE_GET_LOG_LEN', `0x80044d02')
+define(`MCE_GET_RECORD_LEN', `0x80044d01')
+define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
+define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
+define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
+define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
+define(`MEMERASE', `0x40084d02')
+define(`MEMERASE64', `0x40104d14')
+define(`MEMGETBADBLOCK', `0x40084d0b')
+define(`MEMGETINFO', `0x80204d01')
+define(`MEMGETOOBSEL', `0x80c84d0a')
+define(`MEMGETREGIONCOUNT', `0x80044d07')
+define(`MEMGETREGIONINFO', `0xc0104d08')
+define(`MEMISLOCKED', `0x80084d17')
+define(`MEMLOCK', `0x40084d05')
+define(`MEMREADOOB', `0xc0104d04')
+define(`MEMREADOOB64', `0xc0184d16')
+define(`MEMSETBADBLOCK', `0x40084d0c')
+define(`MEMUNLOCK', `0x40084d06')
+define(`MEMWRITE', `0xc0304d18')
+define(`MEMWRITEOOB', `0xc0104d03')
+define(`MEMWRITEOOB64', `0xc0184d15')
+define(`MEYEIOC_G_PARAMS', `0x800676c0')
+define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
+define(`MEYEIOC_S_PARAMS', `0x400676c1')
+define(`MEYEIOC_STILLCAPT', `0x000076c4')
+define(`MEYEIOC_STILLJCAPT', `0x800476c5')
+define(`MEYEIOC_SYNC', `0xc00476c3')
+define(`MFB_GET_ALPHA', `0x80014d00')
+define(`MFB_GET_AOID', `0x80084d04')
+define(`MFB_GET_GAMMA', `0x80014d01')
+define(`MFB_GET_PIXFMT', `0x80044d08')
+define(`MFB_SET_ALPHA', `0x40014d00')
+define(`MFB_SET_AOID', `0x40084d04')
+define(`MFB_SET_BRIGHTNESS', `0x40014d03')
+define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
+define(`MFB_SET_GAMMA', `0x40014d01')
+define(`MFB_SET_PIXFMT', `0x40044d08')
+define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
+define(`MGSL_IOCGGPIO', `0x80106d11')
+define(`MGSL_IOCGIF', `0x00006d0b')
+define(`MGSL_IOCGPARAMS', `0x80306d01')
+define(`MGSL_IOCGSTATS', `0x00006d07')
+define(`MGSL_IOCGTXIDLE', `0x00006d03')
+define(`MGSL_IOCGXCTRL', `0x00006d16')
+define(`MGSL_IOCGXSYNC', `0x00006d14')
+define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
+define(`MGSL_IOCRXENABLE', `0x00006d05')
+define(`MGSL_IOCSGPIO', `0x40106d10')
+define(`MGSL_IOCSIF', `0x00006d0a')
+define(`MGSL_IOCSPARAMS', `0x40306d00')
+define(`MGSL_IOCSTXIDLE', `0x00006d02')
+define(`MGSL_IOCSXCTRL', `0x00006d15')
+define(`MGSL_IOCSXSYNC', `0x00006d13')
+define(`MGSL_IOCTXABORT', `0x00006d06')
+define(`MGSL_IOCTXENABLE', `0x00006d04')
+define(`MGSL_IOCWAITEVENT', `0xc0046d08')
+define(`MGSL_IOCWAITGPIO', `0xc0106d12')
+define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
+define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
+define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
+define(`MMC_IOC_CMD', `0xc048b300')
+define(`MMTIMER_GETBITS', `0x00006d04')
+define(`MMTIMER_GETCOUNTER', `0x80086d09')
+define(`MMTIMER_GETFREQ', `0x80086d02')
+define(`MMTIMER_GETOFFSET', `0x00006d00')
+define(`MMTIMER_GETRES', `0x80086d01')
+define(`MMTIMER_MMAPAVAIL', `0x00006d06')
+define(`MSMFB_BLIT', `0x40046d02')
+define(`MSMFB_GRP_DISP', `0x40046d01')
+define(`MTDFILEMODE', `0x00004d13')
+define(`MTIOCGET', `0x80306d02')
+define(`MTIOCPOS', `0x80086d03')
+define(`MTIOCTOP', `0x40086d01')
+define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
+define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
+define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
+define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
+define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
+define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
+define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
+define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
+define(`MTRRIOC_SET_ENTRY', `0x40104d01')
+define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
+define(`NBD_CLEAR_QUE', `0x0000ab05')
+define(`NBD_CLEAR_SOCK', `0x0000ab04')
+define(`NBD_DISCONNECT', `0x0000ab08')
+define(`NBD_DO_IT', `0x0000ab03')
+define(`NBD_PRINT_DEBUG', `0x0000ab06')
+define(`NBD_SET_BLKSIZE', `0x0000ab01')
+define(`NBD_SET_FLAGS', `0x0000ab0a')
+define(`NBD_SET_SIZE', `0x0000ab02')
+define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
+define(`NBD_SET_SOCK', `0x0000ab00')
+define(`NBD_SET_TIMEOUT', `0x0000ab09')
+define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
+define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
+define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
+define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
+define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
+define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
+define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
+define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
+define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
+define(`NCP_IOC_GETROOT', `0x400c6e08')
+define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
+define(`NCP_IOC_NCPREQUEST', `0x80106e01')
+define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
+define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
+define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
+define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
+define(`NCP_IOC_SETROOT', `0x800c6e08')
+define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
+define(`NCP_IOC_SIGN_INIT', `0x80186e05')
+define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
+define(`NET_ADD_IF', `0xc0066f34')
+define(`NET_GET_IF', `0xc0066f36')
+define(`NET_REMOVE_IF', `0x00006f35')
+define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
+define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
+define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
+define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
+define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
+define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
+define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
+define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
+define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
+define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
+define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
+define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
+define(`NILFS_IOCTL_SYNC', `0x80086e8a')
+define(`NS_ADJBUFLEV', `0x00006163')
+define(`NS_GETPSTAT', `0xc0106161')
+define(`NS_SETBUFLEV', `0x40106162')
+define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
+define(`NVME_IOCTL_ID', `0x00004e40')
+define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
+define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
+define(`NVRAM_INIT', `0x00007040')
+define(`NVRAM_SETCKS', `0x00007041')
+define(`OLD_PHONE_RING_START', `0x00007187')
+define(`OMAPFB_CTRL_TEST', `0x40044f2e')
+define(`OMAPFB_GET_CAPS', `0x800c4f2a')
+define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
+define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
+define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
+define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
+define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
+define(`OMAPFB_LCD_TEST', `0x40044f2d')
+define(`OMAPFB_MEMORY_READ', `0x80184f3a')
+define(`OMAPFB_MIRROR', `0x40044f1f')
+define(`OMAPFB_QUERY_MEM', `0x40084f38')
+define(`OMAPFB_QUERY_PLANE', `0x40444f35')
+define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
+define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
+define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
+define(`OMAPFB_SETUP_MEM', `0x40084f37')
+define(`OMAPFB_SETUP_PLANE', `0x40444f34')
+define(`OMAPFB_SYNC_GFX', `0x00004f25')
+define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
+define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
+define(`OMAPFB_VSYNC', `0x00004f26')
+define(`OMAPFB_WAITFORGO', `0x00004f3c')
+define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
+define(`OSD_GET_CAPABILITY', `0x80106fa1')
+define(`OSD_SEND_CMD', `0x40206fa0')
+define(`OSIOCGNETADDR', `0x800489e1')
+define(`OSIOCSNETADDR', `0x400489e0')
+define(`OSS_GETVERSION', `0x80044d76')
+define(`OTPGETREGIONCOUNT', `0x40044d0e')
+define(`OTPGETREGIONINFO', `0x400c4d0f')
+define(`OTPLOCK', `0x800c4d10')
+define(`OTPSELECT', `0x80044d0d')
+define(`PACKET_CTRL_CMD', `0xc0185801')
+define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
+define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
+define(`PERF_EVENT_IOC_ID', `0x80082407')
+define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
+define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
+define(`PERF_EVENT_IOC_RESET', `0x00002403')
+define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
+define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
+define(`PHN_GET_REG', `0xc0087000')
+define(`PHN_GETREG', `0xc0087005')
+define(`PHN_GET_REGS', `0xc0087002')
+define(`PHN_GETREGS', `0xc0287007')
+define(`PHN_NOT_OH', `0x00007004')
+define(`PHN_SET_REG', `0x40087001')
+define(`PHN_SETREG', `0x40087006')
+define(`PHN_SET_REGS', `0x40087003')
+define(`PHN_SETREGS', `0x40287008')
+define(`PHONE_BUSY', `0x000071a1')
+define(`PHONE_CAPABILITIES', `0x00007180')
+define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
+define(`PHONE_CAPABILITIES_LIST', `0x80087181')
+define(`PHONE_CPT_STOP', `0x000071a4')
+define(`PHONE_DIALTONE', `0x000071a3')
+define(`PHONE_DTMF_OOB', `0x40047199')
+define(`PHONE_DTMF_READY', `0x80047196')
+define(`PHONE_EXCEPTION', `0x8004719a')
+define(`PHONE_FRAME', `0x4004718d')
+define(`PHONE_GET_DTMF', `0x80047197')
+define(`PHONE_GET_DTMF_ASCII', `0x80047198')
+define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
+define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
+define(`PHONE_GET_TONE_STATE', `0x000071a0')
+define(`PHONE_HOOKSTATE', `0x00007184')
+define(`PHONE_MAXRINGS', `0x40017185')
+define(`PHONE_PLAY_CODEC', `0x40047190')
+define(`PHONE_PLAY_DEPTH', `0x40047193')
+define(`PHONE_PLAY_LEVEL', `0x00007195')
+define(`PHONE_PLAY_START', `0x00007191')
+define(`PHONE_PLAY_STOP', `0x00007192')
+define(`PHONE_PLAY_TONE', `0x4001719b')
+define(`PHONE_PLAY_VOLUME', `0x40047194')
+define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
+define(`PHONE_PSTN_GET_STATE', `0x000071a5')
+define(`PHONE_PSTN_LINETEST', `0x000071a8')
+define(`PHONE_PSTN_SET_STATE', `0x400471a4')
+define(`PHONE_QUERY_CODEC', `0xc00871a7')
+define(`PHONE_REC_CODEC', `0x40047189')
+define(`PHONE_REC_DEPTH', `0x4004718c')
+define(`PHONE_REC_LEVEL', `0x0000718f')
+define(`PHONE_REC_START', `0x0000718a')
+define(`PHONE_REC_STOP', `0x0000718b')
+define(`PHONE_REC_VOLUME', `0x4004718e')
+define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
+define(`PHONE_RING', `0x00007183')
+define(`PHONE_RINGBACK', `0x000071a2')
+define(`PHONE_RING_CADENCE', `0x40027186')
+define(`PHONE_RING_START', `0x40087187')
+define(`PHONE_RING_STOP', `0x00007188')
+define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
+define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
+define(`PHONE_VAD', `0x400471a9')
+define(`PHONE_WINK', `0x400471aa')
+define(`PHONE_WINK_DURATION', `0x400471a6')
+define(`PIO_CMAP', `0x00004b71')
+define(`PIO_FONT', `0x00004b61')
+define(`PIO_FONTRESET', `0x00004b6d')
+define(`PIO_FONTX', `0x00004b6c')
+define(`PIO_SCRNMAP', `0x00004b41')
+define(`PIO_UNIMAP', `0x00004b67')
+define(`PIO_UNIMAPCLR', `0x00004b68')
+define(`PIO_UNISCRNMAP', `0x00004b6a')
+define(`PMU_IOC_CAN_SLEEP', `0x80084205')
+define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
+define(`PMU_IOC_GET_MODEL', `0x80084203')
+define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
+define(`PMU_IOC_HAS_ADB', `0x80084204')
+define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
+define(`PMU_IOC_SLEEP', `0x00004200')
+define(`PPCLAIM', `0x0000708b')
+define(`PPCLRIRQ', `0x80047093')
+define(`PPDATADIR', `0x40047090')
+define(`PPEXCL', `0x0000708f')
+define(`PPFCONTROL', `0x4002708e')
+define(`PPGETFLAGS', `0x8004709a')
+define(`PPGETMODE', `0x80047098')
+define(`PPGETMODES', `0x80047097')
+define(`PPGETPHASE', `0x80047099')
+define(`PPGETTIME', `0x80107095')
+define(`PPNEGOT', `0x40047091')
+define(`PPPIOCATTACH', `0x743d')
+define(`PPPIOCATTCHAN', `0x7438')
+define(`PPPIOCBUNDLE', `0x7481')
+define(`PPPIOCCONNECT', `0x743a')
+define(`PPPIOCDETACH', `0x743c')
+define(`PPPIOCDISCONN', `0x7439')
+define(`PPPIOCGASYNCMAP', `0x7458')
+define(`PPPIOCGCALLINFO', `0x7480')
+define(`PPPIOCGCHAN', `0x7437')
+define(`PPPIOCGCOMPRESSORS', `0x7486')
+define(`PPPIOCGDEBUG', `0x7441')
+define(`PPPIOCGFLAGS', `0x745a')
+define(`PPPIOCGIDLE', `0x743f')
+define(`PPPIOCGIFNAME', `0x7488')
+define(`PPPIOCGL2TPSTATS', `0x7436')
+define(`PPPIOCGMPFLAGS', `0x7482')
+define(`PPPIOCGMRU', `0x7453')
+define(`PPPIOCGNPMODE', `0x744c')
+define(`PPPIOCGRASYNCMAP', `0x7455')
+define(`PPPIOCGUNIT', `0x7456')
+define(`PPPIOCGXASYNCMAP', `0x7450')
+define(`PPPIOCNEWUNIT', `0x743e')
+define(`PPPIOCSACTIVE', `0x7446')
+define(`PPPIOCSASYNCMAP', `0x7457')
+define(`PPPIOCSCOMPRESS', `0x744d')
+define(`PPPIOCSCOMPRESSOR', `0x7487')
+define(`PPPIOCSDEBUG', `0x7440')
+define(`PPPIOCSFLAGS', `0x7459')
+define(`PPPIOCSMAXCID', `0x7451')
+define(`PPPIOCSMPFLAGS', `0x7483')
+define(`PPPIOCSMPMRU', `0x7485')
+define(`PPPIOCSMPMTU', `0x7484')
+define(`PPPIOCSMRRU', `0x743b')
+define(`PPPIOCSMRU', `0x7452')
+define(`PPPIOCSNPMODE', `0x744b')
+define(`PPPIOCSPASS', `0x7447')
+define(`PPPIOCSRASYNCMAP', `0x7454')
+define(`PPPIOCSXASYNCMAP', `0x744f')
+define(`PPPIOCXFERUNIT', `0x744e')
+define(`PPPOEIOCDFWD', `0x0000b101')
+define(`PPPOEIOCSFWD', `0x4008b100')
+define(`PPRCONTROL', `0x80017083')
+define(`PPRDATA', `0x80017085')
+define(`PPRELEASE', `0x0000708c')
+define(`PPRSTATUS', `0x80017081')
+define(`PPSETFLAGS', `0x4004709b')
+define(`PPSETMODE', `0x40047080')
+define(`PPSETPHASE', `0x40047094')
+define(`PPSETTIME', `0x40107096')
+define(`PPS_FETCH', `0xc00870a4')
+define(`PPS_GETCAP', `0x800870a3')
+define(`PPS_GETPARAMS', `0x800870a1')
+define(`PPS_KC_BIND', `0x400870a5')
+define(`PPS_SETPARAMS', `0x400870a2')
+define(`PPWCONTROL', `0x40017084')
+define(`PPWCTLONIRQ', `0x40017092')
+define(`PPWDATA', `0x40017086')
+define(`PPYIELD', `0x0000708d')
+define(`PROTECT_ARRAY', `0x00000927')
+define(`PTP_CLOCK_GETCAPS', `0x80503d01')
+define(`PTP_ENABLE_PPS', `0x40043d04')
+define(`PTP_EXTTS_REQUEST', `0x40103d02')
+define(`PTP_PEROUT_REQUEST', `0x40383d03')
+define(`PTP_PIN_GETFUNC', `0xc0603d06')
+define(`PTP_PIN_SETFUNC', `0x40603d07')
+define(`PTP_SYS_OFFSET', `0x43403d05')
+define(`RAID_AUTORUN', `0x00000914')
+define(`RAID_VERSION', `0x800c0910')
+define(`RAW_GETBIND', `0x0000ac01')
+define(`RAW_SETBIND', `0x0000ac00')
+define(`REISERFS_IOC_UNPACK', `0x4008cd01')
+define(`RESTART_ARRAY_RW', `0x00000934')
+define(`RFCOMMCREATEDEV', `0x400452c8')
+define(`RFCOMMGETDEVINFO', `0x800452d3')
+define(`RFCOMMGETDEVLIST', `0x800452d2')
+define(`RFCOMMRELEASEDEV', `0x400452c9')
+define(`RFCOMMSTEALDLC', `0x400452dc')
+define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
+define(`RNDADDENTROPY', `0x40085203')
+define(`RNDADDTOENTCNT', `0x40045201')
+define(`RNDCLEARPOOL', `0x00005206')
+define(`RNDGETENTCNT', `0x80045200')
+define(`RNDGETPOOL', `0x80085202')
+define(`RNDZAPENTCNT', `0x00005204')
+define(`ROCCATIOCGREPSIZE', `0x800448f1')
+define(`RTC_AIE_OFF', `0x00007002')
+define(`RTC_AIE_ON', `0x00007001')
+define(`RTC_ALM_READ', `0x80247008')
+define(`RTC_ALM_SET', `0x40247007')
+define(`RTC_EPOCH_READ', `0x8008700d')
+define(`RTC_EPOCH_SET', `0x4008700e')
+define(`RTC_IRQP_READ', `0x8008700b')
+define(`RTC_IRQP_SET', `0x4008700c')
+define(`RTC_PIE_OFF', `0x00007006')
+define(`RTC_PIE_ON', `0x00007005')
+define(`RTC_PLL_GET', `0x80207011')
+define(`RTC_PLL_SET', `0x40207012')
+define(`RTC_RD_TIME', `0x80247009')
+define(`RTC_SET_TIME', `0x4024700a')
+define(`RTC_UIE_OFF', `0x00007004')
+define(`RTC_UIE_ON', `0x00007003')
+define(`RTC_VL_CLR', `0x00007014')
+define(`RTC_VL_READ', `0x80047013')
+define(`RTC_WIE_OFF', `0x00007010')
+define(`RTC_WIE_ON', `0x0000700f')
+define(`RTC_WKALM_RD', `0x80287010')
+define(`RTC_WKALM_SET', `0x4028700f')
+define(`RUN_ARRAY', `0x400c0930')
+define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
+define(`SAA6588_CMD_CLOSE', `0x40045202')
+define(`SAA6588_CMD_POLL', `0x80045204')
+define(`SAA6588_CMD_READ', `0x80045203')
+define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
+define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
+define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
+define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
+define(`SCSI_IOCTL_GET_PCI', `0x00005387')
+define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
+define(`SET_ARRAY_INFO', `0x40480923')
+define(`SET_BITMAP_FILE', `0x4004092b')
+define(`SET_DISK_FAULTY', `0x00000929')
+define(`SET_DISK_INFO', `0x00000924')
+define(`SG_EMULATED_HOST', `0x00002203')
+define(`SG_GET_ACCESS_COUNT', `0x00002289')
+define(`SG_GET_COMMAND_Q', `0x00002270')
+define(`SG_GET_KEEP_ORPHAN', `0x00002288')
+define(`SG_GET_LOW_DMA', `0x0000227a')
+define(`SG_GET_NUM_WAITING', `0x0000227d')
+define(`SG_GET_PACK_ID', `0x0000227c')
+define(`SG_GET_REQUEST_TABLE', `0x00002286')
+define(`SG_GET_RESERVED_SIZE', `0x00002272')
+define(`SG_GET_SCSI_ID', `0x00002276')
+define(`SG_GET_SG_TABLESIZE', `0x0000227f')
+define(`SG_GET_TIMEOUT', `0x00002202')
+define(`SG_GET_TRANSFORM', `0x00002205')
+define(`SG_GET_VERSION_NUM', `0x00002282')
+define(`SG_IO', `0x00002285')
+define(`SG_NEXT_CMD_LEN', `0x00002283')
+define(`SG_SCSI_RESET', `0x00002284')
+define(`SG_SET_COMMAND_Q', `0x00002271')
+define(`SG_SET_DEBUG', `0x0000227e')
+define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
+define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
+define(`SG_SET_KEEP_ORPHAN', `0x00002287')
+define(`SG_SET_RESERVED_SIZE', `0x00002275')
+define(`SG_SET_TIMEOUT', `0x00002201')
+define(`SG_SET_TRANSFORM', `0x00002204')
+define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
+define(`SIOCADDDLCI', `0x00008980')
+define(`SIOCADDMULTI', `0x00008931')
+define(`SIOCADDRT', `0x0000890b')
+define(`SIOCATMARK', `0x00008905')
+define(`SIOCBONDCHANGEACTIVE', `0x00008995')
+define(`SIOCBONDENSLAVE', `0x00008990')
+define(`SIOCBONDINFOQUERY', `0x00008994')
+define(`SIOCBONDRELEASE', `0x00008991')
+define(`SIOCBONDSETHWADDR', `0x00008992')
+define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
+define(`SIOCBRADDBR', `0x000089a0')
+define(`SIOCBRADDIF', `0x000089a2')
+define(`SIOCBRDELBR', `0x000089a1')
+define(`SIOCBRDELIF', `0x000089a3')
+define(`SIOCDARP', `0x00008953')
+define(`SIOCDELDLCI', `0x00008981')
+define(`SIOCDELMULTI', `0x00008932')
+define(`SIOCDELRT', `0x0000890c')
+define(`SIOCDEVPRIVATE', `0x000089f0')
+define(`SIOCDEVPRIVATE_1', `0x000089f1')
+define(`SIOCDEVPRIVATE_2', `0x000089f2')
+define(`SIOCDEVPRIVATE_3', `0x000089f3')
+define(`SIOCDEVPRIVATE_4', `0x000089f4')
+define(`SIOCDEVPRIVATE_5', `0x000089f5')
+define(`SIOCDEVPRIVATE_6', `0x000089f6')
+define(`SIOCDEVPRIVATE_7', `0x000089f7')
+define(`SIOCDEVPRIVATE_8', `0x000089f8')
+define(`SIOCDEVPRIVATE_9', `0x000089f9')
+define(`SIOCDEVPRIVATE_A', `0x000089fa')
+define(`SIOCDEVPRIVATE_B', `0x000089fb')
+define(`SIOCDEVPRIVATE_C', `0x000089fc')
+define(`SIOCDEVPRIVATE_D', `0x000089fd')
+define(`SIOCDEVPRIVATE_E', `0x000089fe')
+define(`SIOCDEVPRIVLAST', `0x000089ff')
+define(`SIOCDIFADDR', `0x00008936')
+define(`SIOCDRARP', `0x00008960')
+define(`SIOCETHTOOL', `0x00008946')
+define(`SIOCGARP', `0x00008954')
+define(`SIOCGHWTSTAMP', `0x000089b1')
+define(`SIOCGIFADDR', `0x00008915')
+define(`SIOCGIFBR', `0x00008940')
+define(`SIOCGIFBRDADDR', `0x00008919')
+define(`SIOCGIFCONF', `0x00008912')
+define(`SIOCGIFCOUNT', `0x00008938')
+define(`SIOCGIFDSTADDR', `0x00008917')
+define(`SIOCGIFENCAP', `0x00008925')
+define(`SIOCGIFFLAGS', `0x00008913')
+define(`SIOCGIFHWADDR', `0x00008927')
+define(`SIOCGIFINDEX', `0x00008933')
+define(`SIOCGIFMAP', `0x00008970')
+define(`SIOCGIFMEM', `0x0000891f')
+define(`SIOCGIFMETRIC', `0x0000891d')
+define(`SIOCGIFMTU', `0x00008921')
+define(`SIOCGIFNAME', `0x00008910')
+define(`SIOCGIFNETMASK', `0x0000891b')
+define(`SIOCGIFPFLAGS', `0x00008935')
+define(`SIOCGIFSLAVE', `0x00008929')
+define(`SIOCGIFTXQLEN', `0x00008942')
+define(`SIOCGIFVLAN', `0x00008982')
+define(`SIOCGIWAP', `0x00008b15')
+define(`SIOCGIWAPLIST', `0x00008b17')
+define(`SIOCGIWAUTH', `0x00008b33')
+define(`SIOCGIWENCODE', `0x00008b2b')
+define(`SIOCGIWENCODEEXT', `0x00008b35')
+define(`SIOCGIWESSID', `0x00008b1b')
+define(`SIOCGIWFRAG', `0x00008b25')
+define(`SIOCGIWFREQ', `0x00008b05')
+define(`SIOCGIWGENIE', `0x00008b31')
+define(`SIOCGIWMODE', `0x00008b07')
+define(`SIOCGIWNAME', `0x00008b01')
+define(`SIOCGIWNICKN', `0x00008b1d')
+define(`SIOCGIWNWID', `0x00008b03')
+define(`SIOCGIWPOWER', `0x00008b2d')
+define(`SIOCGIWPRIV', `0x00008b0d')
+define(`SIOCGIWRANGE', `0x00008b0b')
+define(`SIOCGIWRATE', `0x00008b21')
+define(`SIOCGIWRETRY', `0x00008b29')
+define(`SIOCGIWRTS', `0x00008b23')
+define(`SIOCGIWSCAN', `0x00008b19')
+define(`SIOCGIWSENS', `0x00008b09')
+define(`SIOCGIWSPY', `0x00008b11')
+define(`SIOCGIWSTATS', `0x00008b0f')
+define(`SIOCGIWTHRSPY', `0x00008b13')
+define(`SIOCGIWTXPOW', `0x00008b27')
+define(`SIOCGMIIPHY', `0x00008947')
+define(`SIOCGMIIREG', `0x00008948')
+define(`SIOCGNETADDR', `0x800489e1')
+define(`SIOCGPGRP', `0x00008904')
+define(`SIOCGRARP', `0x00008961')
+define(`SIOCGSTAMP', `0x00008906')
+define(`SIOCGSTAMPNS', `0x00008907')
+define(`SIOCIWFIRST', `0x00008b00')
+define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
+define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
+define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
+define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
+define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
+define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
+define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
+define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
+define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
+define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
+define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
+define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
+define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
+define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
+define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
+define(`SIOCIWFIRSTPRIV', `0x00008be0')
+define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
+define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
+define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
+define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
+define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
+define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
+define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
+define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
+define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
+define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
+define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
+define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
+define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
+define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
+define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
+define(`SIOCIWLASTPRIV', `0x00008bff')
+define(`SIOCKILLADDR', `0x00008939')
+define(`SIOCMKCLIP', `0x000061e0')
+define(`SIOCOUTQNSD', `0x0000894b')
+define(`SIOCPROTOPRIVATE', `0x000089e0')
+define(`SIOCPROTOPRIVATE_1', `0x000089e1')
+define(`SIOCPROTOPRIVATE_2', `0x000089e2')
+define(`SIOCPROTOPRIVATE_3', `0x000089e3')
+define(`SIOCPROTOPRIVATE_4', `0x000089e4')
+define(`SIOCPROTOPRIVATE_5', `0x000089e5')
+define(`SIOCPROTOPRIVATE_6', `0x000089e6')
+define(`SIOCPROTOPRIVATE_7', `0x000089e7')
+define(`SIOCPROTOPRIVATE_8', `0x000089e8')
+define(`SIOCPROTOPRIVATE_9', `0x000089e9')
+define(`SIOCPROTOPRIVATE_A', `0x000089ea')
+define(`SIOCPROTOPRIVATE_B', `0x000089eb')
+define(`SIOCPROTOPRIVATE_C', `0x000089ec')
+define(`SIOCPROTOPRIVATE_D', `0x000089ed')
+define(`SIOCPROTOPRIVATE_E', `0x000089ee')
+define(`SIOCPROTOPRIVLAST', `0x000089ef')
+define(`SIOCRTMSG', `0x0000890d')
+define(`SIOCSARP', `0x00008955')
+define(`SIOCSHWTSTAMP', `0x000089b0')
+define(`SIOCSIFADDR', `0x00008916')
+define(`SIOCSIFATMTCP', `0x00006180')
+define(`SIOCSIFBR', `0x00008941')
+define(`SIOCSIFBRDADDR', `0x0000891a')
+define(`SIOCSIFDSTADDR', `0x00008918')
+define(`SIOCSIFENCAP', `0x00008926')
+define(`SIOCSIFFLAGS', `0x00008914')
+define(`SIOCSIFHWADDR', `0x00008924')
+define(`SIOCSIFHWBROADCAST', `0x00008937')
+define(`SIOCSIFLINK', `0x00008911')
+define(`SIOCSIFMAP', `0x00008971')
+define(`SIOCSIFMEM', `0x00008920')
+define(`SIOCSIFMETRIC', `0x0000891e')
+define(`SIOCSIFMTU', `0x00008922')
+define(`SIOCSIFNAME', `0x00008923')
+define(`SIOCSIFNETMASK', `0x0000891c')
+define(`SIOCSIFPFLAGS', `0x00008934')
+define(`SIOCSIFSLAVE', `0x00008930')
+define(`SIOCSIFTXQLEN', `0x00008943')
+define(`SIOCSIFVLAN', `0x00008983')
+define(`SIOCSIWAP', `0x00008b14')
+define(`SIOCSIWAUTH', `0x00008b32')
+define(`SIOCSIWCOMMIT', `0x00008b00')
+define(`SIOCSIWENCODE', `0x00008b2a')
+define(`SIOCSIWENCODEEXT', `0x00008b34')
+define(`SIOCSIWESSID', `0x00008b1a')
+define(`SIOCSIWFRAG', `0x00008b24')
+define(`SIOCSIWFREQ', `0x00008b04')
+define(`SIOCSIWGENIE', `0x00008b30')
+define(`SIOCSIWMLME', `0x00008b16')
+define(`SIOCSIWMODE', `0x00008b06')
+define(`SIOCSIWNICKN', `0x00008b1c')
+define(`SIOCSIWNWID', `0x00008b02')
+define(`SIOCSIWPMKSA', `0x00008b36')
+define(`SIOCSIWPOWER', `0x00008b2c')
+define(`SIOCSIWPRIV', `0x00008b0c')
+define(`SIOCSIWRANGE', `0x00008b0a')
+define(`SIOCSIWRATE', `0x00008b20')
+define(`SIOCSIWRETRY', `0x00008b28')
+define(`SIOCSIWRTS', `0x00008b22')
+define(`SIOCSIWSCAN', `0x00008b18')
+define(`SIOCSIWSENS', `0x00008b08')
+define(`SIOCSIWSPY', `0x00008b10')
+define(`SIOCSIWSTATS', `0x00008b0e')
+define(`SIOCSIWTHRSPY', `0x00008b12')
+define(`SIOCSIWTXPOW', `0x00008b26')
+define(`SIOCSMIIREG', `0x00008949')
+define(`SIOCSNETADDR', `0x400489e0')
+define(`SIOCSPGRP', `0x00008902')
+define(`SIOCSRARP', `0x00008962')
+define(`SIOCWANDEV', `0x0000894a')
+define(`SISFB_COMMAND', `0xc054f305')
+define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
+define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
+define(`SISFB_GET_INFO', `0x811cf301')
+define(`SISFB_GET_INFO_OLD', `0x80046ef8')
+define(`SISFB_GET_INFO_SIZE', `0x8004f300')
+define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
+define(`SISFB_GET_VBRSTATUS', `0x8004f302')
+define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
+define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
+define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
+define(`SISFB_SET_LOCK', `0x4004f306')
+define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
+define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
+define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
+define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
+define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
+define(`SNAPSHOT_FREE', `0x00003305')
+define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
+define(`SNAPSHOT_FREEZE', `0x00003301')
+define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
+define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
+define(`SNAPSHOT_POWER_OFF', `0x00003310')
+define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
+define(`SNAPSHOT_S2RAM', `0x0000330b')
+define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
+define(`SNAPSHOT_UNFREEZE', `0x00003302')
+define(`SNDCTL_COPR_HALT', `0xc0144307')
+define(`SNDCTL_COPR_LOAD', `0xcfb04301')
+define(`SNDCTL_COPR_RCODE', `0xc0144303')
+define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
+define(`SNDCTL_COPR_RDATA', `0xc0144302')
+define(`SNDCTL_COPR_RESET', `0x00004300')
+define(`SNDCTL_COPR_RUN', `0xc0144306')
+define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
+define(`SNDCTL_COPR_WCODE', `0x40144305')
+define(`SNDCTL_COPR_WDATA', `0x40144304')
+define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
+define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
+define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
+define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
+define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
+define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
+define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
+define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
+define(`SNDCTL_DSP_GETODELAY', `0x80045017')
+define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
+define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
+define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
+define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
+define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
+define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
+define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
+define(`SNDCTL_DSP_POST', `0x00005008')
+define(`SNDCTL_DSP_PROFILE', `0x40045017')
+define(`SNDCTL_DSP_RESET', `0x00005000')
+define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
+define(`SNDCTL_DSP_SETFMT', `0xc0045005')
+define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
+define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
+define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
+define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
+define(`SNDCTL_DSP_SPEED', `0xc0045002')
+define(`SNDCTL_DSP_STEREO', `0xc0045003')
+define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
+define(`SNDCTL_DSP_SYNC', `0x00005001')
+define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
+define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
+define(`SNDCTL_MIDI_INFO', `0xc074510c')
+define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
+define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
+define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
+define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
+define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
+define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
+define(`SNDCTL_SEQ_GETTIME', `0x80045113')
+define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
+define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
+define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
+define(`SNDCTL_SEQ_PANIC', `0x00005111')
+define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
+define(`SNDCTL_SEQ_RESET', `0x00005100')
+define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
+define(`SNDCTL_SEQ_SYNC', `0x00005101')
+define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
+define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
+define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
+define(`SNDCTL_SYNTH_ID', `0xc08c5114')
+define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
+define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
+define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
+define(`SNDCTL_TMR_CONTINUE', `0x00005404')
+define(`SNDCTL_TMR_METRONOME', `0x40045407')
+define(`SNDCTL_TMR_SELECT', `0x40045408')
+define(`SNDCTL_TMR_SOURCE', `0xc0045406')
+define(`SNDCTL_TMR_START', `0x00005402')
+define(`SNDCTL_TMR_STOP', `0x00005403')
+define(`SNDCTL_TMR_TEMPO', `0xc0045405')
+define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
+define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
+define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
+define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
+define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
+define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
+define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
+define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
+define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
+define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
+define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
+define(`SNDRV_COMPRESS_RESUME', `0x00004331')
+define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
+define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
+define(`SNDRV_COMPRESS_START', `0x00004332')
+define(`SNDRV_COMPRESS_STOP', `0x00004333')
+define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
+define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
+define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
+define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
+define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
+define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
+define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
+define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
+define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
+define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
+define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
+define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
+define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
+define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
+define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
+define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
+define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
+define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
+define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
+define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
+define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
+define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
+define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
+define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
+define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
+define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
+define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
+define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
+define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
+define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
+define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
+define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
+define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
+define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
+define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
+define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
+define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
+define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
+define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
+define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
+define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
+define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
+define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
+define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
+define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
+define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
+define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
+define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
+define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
+define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
+define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
+define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
+define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
+define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
+define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
+define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
+define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
+define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
+define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
+define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
+define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
+define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
+define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
+define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
+define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
+define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
+define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
+define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
+define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
+define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
+define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
+define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
+define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
+define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
+define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
+define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
+define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
+define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
+define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
+define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
+define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
+define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
+define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
+define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
+define(`SNDRV_PCM_IOCTL_START', `0x00004142')
+define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
+define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
+define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
+define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
+define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
+define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
+define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
+define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
+define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
+define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
+define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
+define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
+define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
+define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
+define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
+define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
+define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
+define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
+define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
+define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
+define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
+define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
+define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
+define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
+define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
+define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
+define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
+define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
+define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
+define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
+define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
+define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
+define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
+define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
+define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
+define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
+define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
+define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
+define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
+define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
+define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
+define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
+define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
+define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
+define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
+define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
+define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
+define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
+define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
+define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
+define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
+define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
+define(`SONET_CLRDIAG', `0xc0046113')
+define(`SONET_GETDIAG', `0x80046114')
+define(`SONET_GETFRAMING', `0x80046116')
+define(`SONET_GETFRSENSE', `0x80066117')
+define(`SONET_GETSTAT', `0x80246110')
+define(`SONET_GETSTATZ', `0x80246111')
+define(`SONET_SETDIAG', `0xc0046112')
+define(`SONET_SETFRAMING', `0x40046115')
+define(`SONYPI_IOCGBAT1CAP', `0x80027602')
+define(`SONYPI_IOCGBAT1REM', `0x80027603')
+define(`SONYPI_IOCGBAT2CAP', `0x80027604')
+define(`SONYPI_IOCGBAT2REM', `0x80027605')
+define(`SONYPI_IOCGBATFLAGS', `0x80017607')
+define(`SONYPI_IOCGBLUE', `0x80017608')
+define(`SONYPI_IOCGBRT', `0x80017600')
+define(`SONYPI_IOCGFAN', `0x8001760a')
+define(`SONYPI_IOCGTEMP', `0x8001760c')
+define(`SONYPI_IOCSBLUE', `0x40017609')
+define(`SONYPI_IOCSBRT', `0x40017600')
+define(`SONYPI_IOCSFAN', `0x4001760b')
+define(`SOUND_MIXER_3DSE', `0xc0044d68')
+define(`SOUND_MIXER_ACCESS', `0xc0804d66')
+define(`SOUND_MIXER_AGC', `0xc0044d67')
+define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
+define(`SOUND_MIXER_INFO', `0x805c4d65')
+define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
+define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
+define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
+define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
+define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
+define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
+define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
+define(`SOUND_PCM_READ_BITS', `0x80045005')
+define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
+define(`SOUND_PCM_READ_FILTER', `0x80045007')
+define(`SOUND_PCM_READ_RATE', `0x80045002')
+define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
+define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
+define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
+define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
+define(`SPI_IOC_RD_MODE', `0x80016b01')
+define(`SPI_IOC_RD_MODE32', `0x80046b05')
+define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
+define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
+define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
+define(`SPI_IOC_WR_MODE', `0x40016b01')
+define(`SPI_IOC_WR_MODE32', `0x40046b05')
+define(`SPIOCSTYPE', `0x40087101')
+define(`SSTFB_GET_VGAPASS', `0x800446dd')
+define(`SSTFB_SET_VGAPASS', `0x400446dd')
+define(`STOP_ARRAY', `0x00000932')
+define(`STOP_ARRAY_RO', `0x00000933')
+define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
+define(`SW_SYNC_IOC_INC', `0x40045701')
+define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
+define(`SYNC_IOC_MERGE', `0xc0283e01')
+define(`SYNC_IOC_WAIT', `0x40043e00')
+define(`TCFLSH', `0x0000540b')
+define(`TCGETA', `0x00005405')
+define(`TCGETS2', `0x802c542a')
+define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
+define(`TCGETX', `0x00005432')
+define(`TCSBRK', `0x00005409')
+define(`TCSBRKP', `0x00005425')
+define(`TCSETA', `0x00005406')
+define(`TCSETAF', `0x00005408')
+define(`TCSETAW', `0x00005407')
+define(`TCSETS', `0x00005402')
+define(`TCSETS2', `0x402c542b')
+define(`TCSETSF', `0x00005404')
+define(`TCSETSF2', `0x402c542d')
+define(`TCSETSW', `0x00005403')
+define(`TCSETSW2', `0x402c542c')
+define(`TCSETX', `0x00005433')
+define(`TCSETXF', `0x00005434')
+define(`TCSETXW', `0x00005435')
+define(`TCXONC', `0x0000540a')
+define(`TFD_IOC_SET_TICKS', `0x40085400')
+define(`TIOCCBRK', `0x00005428')
+define(`TIOCCONS', `0x0000541d')
+define(`TIOCEXCL', `0x0000540c')
+define(`TIOCGDEV', `0x80045432')
+define(`TIOCGETD', `0x00005424')
+define(`TIOCGEXCL', `0x80045440')
+define(`TIOCGICOUNT', `0x0000545d')
+define(`TIOCGLCKTRMIOS', `0x00005456')
+define(`TIOCGPGRP', `0x0000540f')
+define(`TIOCGPKT', `0x80045438')
+define(`TIOCGPTLCK', `0x80045439')
+define(`TIOCGPTN', `0x80045430')
+define(`TIOCGRS485', `0x0000542e')
+define(`TIOCGSERIAL', `0x0000541e')
+define(`TIOCGSID', `0x00005429')
+define(`TIOCGSOFTCAR', `0x00005419')
+define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
+define(`TIOCLINUX', `0x0000541c')
+define(`TIOCMBIC', `0x00005417')
+define(`TIOCMBIS', `0x00005416')
+define(`TIOCMGET', `0x00005415')
+define(`TIOCMIWAIT', `0x0000545c')
+define(`TIOCMSET', `0x00005418')
+define(`TIOCNOTTY', `0x00005422')
+define(`TIOCNXCL', `0x0000540d')
+define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
+define(`TIOCPKT', `0x00005420')
+define(`TIOCSBRK', `0x00005427')
+define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e))
+define(`TIOCSERCONFIG', `0x00005453')
+define(`TIOCSERGETLSR', `0x00005459')
+define(`TIOCSERGETMULTI', `0x0000545a')
+define(`TIOCSERGSTRUCT', `0x00005458')
+define(`TIOCSERGWILD', `0x00005454')
+define(`TIOCSERSETMULTI', `0x0000545b')
+define(`TIOCSERSWILD', `0x00005455')
+define(`TIOCSETD', `0x00005423')
+define(`TIOCSIG', `0x40045436')
+define(`TIOCSLCKTRMIOS', `0x00005457')
+define(`TIOCSPGRP', `0x00005410')
+define(`TIOCSPTLCK', `0x40045431')
+define(`TIOCSRS485', `0x0000542f')
+define(`TIOCSSERIAL', `0x0000541f')
+define(`TIOCSSOFTCAR', `0x0000541a')
+define(`TIOCSTI', `0x00005412')
+define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
+define(`TIOCVHANGUP', `0x00005437')
+define(`TOSH_SMM', `0xc0047490')
+define(`TUNATTACHFILTER', `0x401054d5')
+define(`TUNDETACHFILTER', `0x401054d6')
+define(`TUNER_SET_CONFIG', `0x4010645c')
+define(`TUNGETFEATURES', `0x800454cf')
+define(`TUNGETFILTER', `0x801054db')
+define(`TUNGETIFF', `0x800454d2')
+define(`TUNGETSNDBUF', `0x800454d3')
+define(`TUNGETVNETHDRSZ', `0x800454d7')
+define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETDEBUG', `0x400454c9')
+define(`TUNSETGROUP', `0x400454ce')
+define(`TUNSETIFF', `0x400454ca')
+define(`TUNSETIFINDEX', `0x400454da')
+define(`TUNSETLINK', `0x400454cd')
+define(`TUNSETNOCSUM', `0x400454c8')
+define(`TUNSETOFFLOAD', `0x400454d0')
+define(`TUNSETOWNER', `0x400454cc')
+define(`TUNSETPERSIST', `0x400454cb')
+define(`TUNSETQUEUE', `0x400454d9')
+define(`TUNSETSNDBUF', `0x400454d4')
+define(`TUNSETTXFILTER', `0x400454d1')
+define(`TUNSETVNETHDRSZ', `0x400454d8')
+define(`TUNSETVNETLE', `0x400454dc')
+define(`UBI_IOCATT', `0x40186f40')
+define(`UBI_IOCDET', `0x40046f41')
+define(`UBI_IOCEBCH', `0x40044f02')
+define(`UBI_IOCEBER', `0x40044f01')
+define(`UBI_IOCEBISMAP', `0x80044f05')
+define(`UBI_IOCEBMAP', `0x40084f03')
+define(`UBI_IOCEBUNMAP', `0x40044f04')
+define(`UBI_IOCMKVOL', `0x40986f00')
+define(`UBI_IOCRMVOL', `0x40046f01')
+define(`UBI_IOCRNVOL', `0x51106f03')
+define(`UBI_IOCRSVOL', `0x400c6f02')
+define(`UBI_IOCSETVOLPROP', `0x40104f06')
+define(`UBI_IOCVOLCRBLK', `0x40804f07')
+define(`UBI_IOCVOLRMBLK', `0x00004f08')
+define(`UBI_IOCVOLUP', `0x40084f00')
+define(`UDF_GETEABLOCK', `0x80086c41')
+define(`UDF_GETEASIZE', `0x80046c40')
+define(`UDF_GETVOLIDENT', `0x80086c42')
+define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
+define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
+define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
+define(`UI_DEV_CREATE', `0x00005501')
+define(`UI_DEV_DESTROY', `0x00005502')
+define(`UI_END_FF_ERASE', `0x400c55cb')
+define(`UI_END_FF_UPLOAD', `0x406855c9')
+define(`UI_GET_VERSION', `0x8004552d')
+define(`UI_SET_ABSBIT', `0x40045567')
+define(`UI_SET_EVBIT', `0x40045564')
+define(`UI_SET_FFBIT', `0x4004556b')
+define(`UI_SET_KEYBIT', `0x40045565')
+define(`UI_SET_LEDBIT', `0x40045569')
+define(`UI_SET_MSCBIT', `0x40045568')
+define(`UI_SET_PHYS', `0x4008556c')
+define(`UI_SET_PROPBIT', `0x4004556e')
+define(`UI_SET_RELBIT', `0x40045566')
+define(`UI_SET_SNDBIT', `0x4004556a')
+define(`UI_SET_SWBIT', `0x4004556d')
+define(`UNPROTECT_ARRAY', `0x00000926')
+define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
+define(`USBDEVFS_BULK', `0xc0185502')
+define(`USBDEVFS_BULK32', `0xc0105502')
+define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
+define(`USBDEVFS_CLAIM_PORT', `0x80045518')
+define(`USBDEVFS_CLEAR_HALT', `0x80045515')
+define(`USBDEVFS_CONNECT', `0x00005517')
+define(`USBDEVFS_CONNECTINFO', `0x40085511')
+define(`USBDEVFS_CONTROL', `0xc0185500')
+define(`USBDEVFS_CONTROL32', `0xc0105500')
+define(`USBDEVFS_DISCARDURB', `0x0000550b')
+define(`USBDEVFS_DISCONNECT', `0x00005516')
+define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
+define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
+define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
+define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
+define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
+define(`USBDEVFS_GETDRIVER', `0x41045508')
+define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
+define(`USBDEVFS_IOCTL', `0xc0105512')
+define(`USBDEVFS_IOCTL32', `0xc00c5512')
+define(`USBDEVFS_REAPURB', `0x4008550c')
+define(`USBDEVFS_REAPURB32', `0x4004550c')
+define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
+define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
+define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
+define(`USBDEVFS_RELEASE_PORT', `0x80045519')
+define(`USBDEVFS_RESET', `0x00005514')
+define(`USBDEVFS_RESETEP', `0x80045503')
+define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
+define(`USBDEVFS_SETINTERFACE', `0x80085504')
+define(`USBDEVFS_SUBMITURB', `0x8038550a')
+define(`USBDEVFS_SUBMITURB32', `0x802a550a')
+define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
+define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
+define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
+define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
+define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
+define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
+define(`UVCIOC_CTRL_MAP', `0xc0607520')
+define(`UVCIOC_CTRL_QUERY', `0xc0107521')
+define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
+define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
+define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
+define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
+define(`VFIO_CHECK_EXTENSION', `0x00003b65')
+define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
+define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
+define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
+define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
+define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
+define(`VFIO_DEVICE_RESET', `0x00003b6f')
+define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
+define(`VFIO_EEH_PE_OP', `0x00003b79')
+define(`VFIO_GET_API_VERSION', `0x00003b64')
+define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
+define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
+define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
+define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
+define(`VFIO_IOMMU_DISABLE', `0x00003b74')
+define(`VFIO_IOMMU_ENABLE', `0x00003b73')
+define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
+define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
+define(`VFIO_SET_IOMMU', `0x00003b66')
+define(`VHOST_GET_FEATURES', `0x8008af00')
+define(`VHOST_GET_VRING_BASE', `0xc008af12')
+define(`VHOST_NET_SET_BACKEND', `0x4008af30')
+define(`VHOST_RESET_OWNER', `0x0000af02')
+define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
+define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
+define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
+define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
+define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
+define(`VHOST_SET_FEATURES', `0x4008af00')
+define(`VHOST_SET_LOG_BASE', `0x4008af04')
+define(`VHOST_SET_LOG_FD', `0x4004af07')
+define(`VHOST_SET_MEM_TABLE', `0x4008af03')
+define(`VHOST_SET_OWNER', `0x0000af01')
+define(`VHOST_SET_VRING_ADDR', `0x4028af11')
+define(`VHOST_SET_VRING_BASE', `0x4008af12')
+define(`VHOST_SET_VRING_CALL', `0x4008af21')
+define(`VHOST_SET_VRING_ERR', `0x4008af22')
+define(`VHOST_SET_VRING_KICK', `0x4008af20')
+define(`VHOST_SET_VRING_NUM', `0x4008af10')
+define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
+define(`VIDEO_COMMAND', `0xc0486f3b')
+define(`VIDEO_CONTINUE', `0x00006f18')
+define(`VIDEO_FAST_FORWARD', `0x00006f1f')
+define(`VIDEO_FREEZE', `0x00006f17')
+define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
+define(`VIDEO_GET_EVENT', `0x80206f1c')
+define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
+define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
+define(`VIDEO_GET_NAVI', `0x84046f34')
+define(`VIDEO_GET_PTS', `0x80086f39')
+define(`VIDEO_GET_SIZE', `0x800c6f37')
+define(`VIDEO_GET_STATUS', `0x80146f1b')
+define(`VIDEO_PLAY', `0x00006f16')
+define(`VIDEO_SELECT_SOURCE', `0x00006f19')
+define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
+define(`VIDEO_SET_BLANK', `0x00006f1a')
+define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
+define(`VIDEO_SET_FORMAT', `0x00006f25')
+define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
+define(`VIDEO_SET_ID', `0x00006f23')
+define(`VIDEO_SET_SPU', `0x40086f32')
+define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
+define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
+define(`VIDEO_SET_SYSTEM', `0x00006f26')
+define(`VIDEO_SLOWMOTION', `0x00006f20')
+define(`VIDEO_STILLPICTURE', `0x40106f1e')
+define(`VIDEO_STOP', `0x00006f15')
+define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
+define(`VIDIOC_CREATE_BUFS', `0xc100565c')
+define(`VIDIOC_CROPCAP', `0xc02c563a')
+define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
+define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
+define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
+define(`VIDIOC_DECODER_CMD', `0xc0485660')
+define(`VIDIOC_DQBUF', `0xc0585611')
+define(`VIDIOC_DQEVENT', `0x80885659')
+define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_ENCODER_CMD', `0xc028564d')
+define(`VIDIOC_ENUMAUDIO', `0xc0345641')
+define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
+define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
+define(`VIDIOC_ENUM_FMT', `0xc0405602')
+define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
+define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
+define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
+define(`VIDIOC_ENUMINPUT', `0xc050561a')
+define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
+define(`VIDIOC_ENUMSTD', `0xc0485619')
+define(`VIDIOC_EXPBUF', `0xc0405610')
+define(`VIDIOC_G_AUDIO', `0x80345621')
+define(`VIDIOC_G_AUDOUT', `0x80345631')
+define(`VIDIOC_G_CROP', `0xc014563b')
+define(`VIDIOC_G_CTRL', `0xc008561b')
+define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
+define(`VIDIOC_G_EDID', `0xc0285628')
+define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
+define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
+define(`VIDIOC_G_FBUF', `0x8030560a')
+define(`VIDIOC_G_FMT', `0xc0d05604')
+define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
+define(`VIDIOC_G_INPUT', `0x80045626')
+define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
+define(`VIDIOC_G_MODULATOR', `0xc0445636')
+define(`VIDIOC_G_OUTPUT', `0x8004562e')
+define(`VIDIOC_G_PARM', `0xc0cc5615')
+define(`VIDIOC_G_PRIORITY', `0x80045643')
+define(`VIDIOC_G_SELECTION', `0xc040565e')
+define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
+define(`VIDIOC_G_STD', `0x80085617')
+define(`VIDIOC_G_TUNER', `0xc054561d')
+define(`VIDIOC_INT_RESET', `0x40046466')
+define(`VIDIOC_LOG_STATUS', `0x00005646')
+define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
+define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
+define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
+define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
+define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
+define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
+define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
+define(`VIDIOC_OVERLAY', `0x4004560e')
+define(`VIDIOC_PREPARE_BUF', `0xc058565d')
+define(`VIDIOC_QBUF', `0xc058560f')
+define(`VIDIOC_QUERYBUF', `0xc0585609')
+define(`VIDIOC_QUERYCAP', `0x80685600')
+define(`VIDIOC_QUERYCTRL', `0xc0445624')
+define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
+define(`VIDIOC_QUERYMENU', `0xc02c5625')
+define(`VIDIOC_QUERYSTD', `0x8008563f')
+define(`VIDIOC_REQBUFS', `0xc0145608')
+define(`VIDIOC_RESERVED', `0x00005601')
+define(`VIDIOC_S_AUDIO', `0x40345622')
+define(`VIDIOC_S_AUDOUT', `0x40345632')
+define(`VIDIOC_S_CROP', `0x4014563c')
+define(`VIDIOC_S_CTRL', `0xc008561c')
+define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_S_EDID', `0xc0285629')
+define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
+define(`VIDIOC_S_FBUF', `0x4030560b')
+define(`VIDIOC_S_FMT', `0xc0d05605')
+define(`VIDIOC_S_FREQUENCY', `0x402c5639')
+define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
+define(`VIDIOC_S_INPUT', `0xc0045627')
+define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
+define(`VIDIOC_S_MODULATOR', `0x40445637')
+define(`VIDIOC_S_OUTPUT', `0xc004562f')
+define(`VIDIOC_S_PARM', `0xc0cc5616')
+define(`VIDIOC_S_PRIORITY', `0x40045644')
+define(`VIDIOC_S_SELECTION', `0xc040565f')
+define(`VIDIOC_S_STD', `0x40085618')
+define(`VIDIOC_STREAMOFF', `0x40045613')
+define(`VIDIOC_STREAMON', `0x40045612')
+define(`VIDIOC_S_TUNER', `0x4054561e')
+define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
+define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
+define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
+define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
+define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
+define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
+define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
+define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
+define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
+define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
+define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
+define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
+define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
+define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
+define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
+define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
+define(`VIDIOC_TRY_FMT', `0xc0d05640')
+define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
+define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
+define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
+define(`VT_ACTIVATE', `0x00005606')
+define(`VT_DISALLOCATE', `0x00005608')
+define(`VT_GETHIFONTMASK', `0x0000560d')
+define(`VT_GETMODE', `0x00005601')
+define(`VT_GETSTATE', `0x00005603')
+define(`VT_LOCKSWITCH', `0x0000560b')
+define(`VT_OPENQRY', `0x00005600')
+define(`VT_RELDISP', `0x00005605')
+define(`VT_RESIZE', `0x00005609')
+define(`VT_RESIZEX', `0x0000560a')
+define(`VT_SENDSIG', `0x00005604')
+define(`VT_SETACTIVATE', `0x0000560f')
+define(`VT_SETMODE', `0x00005602')
+define(`VT_UNLOCKSWITCH', `0x0000560c')
+define(`VT_WAITACTIVE', `0x00005607')
+define(`VT_WAITEVENT', `0x0000560e')
+define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
+define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
+define(`WDIOC_GETBOOTSTATUS', `0x80045702')
+define(`WDIOC_GETPRETIMEOUT', `0x80045709')
+define(`WDIOC_GETSTATUS', `0x80045701')
+define(`WDIOC_GETSUPPORT', `0x80285700')
+define(`WDIOC_GETTEMP', `0x80045703')
+define(`WDIOC_GETTIMELEFT', `0x8004570a')
+define(`WDIOC_GETTIMEOUT', `0x80045707')
+define(`WDIOC_KEEPALIVE', `0x80045705')
+define(`WDIOC_SETOPTIONS', `0x80045704')
+define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
+define(`WDIOC_SETTIMEOUT', `0xc0045706')
+define(`WRITE_RAID_INFO', `0x00000925')
+define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
+define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
+define(`ZATM_GETPOOL', `0x40106161')
+define(`ZATM_GETPOOLZ', `0x40106162')
+define(`ZATM_SETPOOL', `0x40106163')
diff --git a/prebuilts/api/33.0/public/ioctl_macros b/prebuilts/api/33.0/public/ioctl_macros
new file mode 100644
index 0000000..47a5157
--- /dev/null
+++ b/prebuilts/api/33.0/public/ioctl_macros
@@ -0,0 +1,76 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# Socket ioctls for gathering information about the interface
+SIOCGSTAMP SIOCGSTAMPNS
+SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
+SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
+# Wireless extension ioctls. Primarily get functions.
+SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
+SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
+SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
+}')
+
+# socket ioctls never allowed to unprivileged apps
+define(`priv_sock_ioctls', `
+{
+# qualcomm rmnet ioctls
+WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
+# socket ioctls
+SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
+SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
+SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
+SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
+SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
+SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
+SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
+SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
+SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
+SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
+# device and protocol specific ioctls
+SIOCDEVPRIVATE-SIOCDEVPRIVLAST
+SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
+# Wireless extension ioctls
+SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
+SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
+SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
+SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
+SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
+SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
+# Dev private ioctl i.e. hardware specific ioctls
+SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
+}')
+
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
+
+# commonly used TTY ioctls
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
+ TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
+}')
+
+# point to point ioctls
+define(`ppp_ioctls', `{
+PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
+PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
+PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
+PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
+PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
+PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
+PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
+PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
+PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
+PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
+}')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
+}')
diff --git a/prebuilts/api/33.0/public/iorap_inode2filename.te b/prebuilts/api/33.0/public/iorap_inode2filename.te
new file mode 100644
index 0000000..6f119ee
--- /dev/null
+++ b/prebuilts/api/33.0/public/iorap_inode2filename.te
@@ -0,0 +1,70 @@
+# iorap.inode2filename -> look up file paths from an inode
+type iorap_inode2filename, domain;
+type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
+type iorap_inode2filename_tmpfs, file_type;
+
+r_dir_file(iorap_inode2filename, rootfs)
+
+# Allow usage of pipes (child stdout -> parent pipe).
+allow iorap_inode2filename iorapd:fd use;
+allow iorap_inode2filename iorapd:fifo_file { read write getattr };
+
+# Allow reading most files under / ignoring usual access controls.
+allow iorap_inode2filename self:capability dac_read_search;
+
+typeattribute iorap_inode2filename mlstrustedsubject;
+
+# Grant access to open most of the files under /
+allow iorap_inode2filename apex_data_file:dir { getattr open read search };
+allow iorap_inode2filename apex_data_file:file { getattr };
+allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
+allow iorap_inode2filename apex_mnt_dir:file { getattr };
+allow iorap_inode2filename apk_data_file:dir { getattr open read search };
+allow iorap_inode2filename apk_data_file:file { getattr };
+allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
+allow iorap_inode2filename app_data_file_type:file { getattr };
+allow iorap_inode2filename backup_data_file:dir { getattr open read search };
+allow iorap_inode2filename backup_data_file:file { getattr };
+allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
+allow iorap_inode2filename bootchart_data_file:file { getattr };
+allow iorap_inode2filename metadata_file:dir { getattr open read search search };
+allow iorap_inode2filename metadata_file:file { getattr };
+allow iorap_inode2filename packages_list_file:dir { getattr open read search };
+allow iorap_inode2filename packages_list_file:file { getattr };
+allow iorap_inode2filename property_data_file:dir { getattr open read search };
+allow iorap_inode2filename property_data_file:file { getattr };
+allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
+allow iorap_inode2filename resourcecache_data_file:file { getattr };
+allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
+allow iorap_inode2filename ringtone_file:dir { getattr open read search };
+allow iorap_inode2filename ringtone_file:file { getattr };
+allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
+allow iorap_inode2filename same_process_hal_file:file { getattr };
+allow iorap_inode2filename sepolicy_file:file { getattr };
+allow iorap_inode2filename staging_data_file:dir { getattr open read search };
+allow iorap_inode2filename staging_data_file:file { getattr };
+allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
+allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
+allow iorap_inode2filename system_data_file:dir { getattr open read search };
+allow iorap_inode2filename system_data_file:file { getattr };
+allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
+allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
+allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
+allow iorap_inode2filename textclassifier_data_file:file { getattr };
+allow iorap_inode2filename toolbox_exec:file getattr;
+allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
+allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
+allow iorap_inode2filename user_profile_data_file:file { getattr };
+allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
+allow iorap_inode2filename unlabeled:file { getattr };
+allow iorap_inode2filename vendor_file:dir { getattr open read search };
+allow iorap_inode2filename vendor_file:file { getattr };
+allow iorap_inode2filename vendor_overlay_file:file { getattr };
+allow iorap_inode2filename zygote_exec:file { getattr };
+
+###
+### neverallow rules
+###
+
+neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
+neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/33.0/public/iorap_prefetcherd.te b/prebuilts/api/33.0/public/iorap_prefetcherd.te
new file mode 100644
index 0000000..4b218fb
--- /dev/null
+++ b/prebuilts/api/33.0/public/iorap_prefetcherd.te
@@ -0,0 +1,55 @@
+# volume manager
+type iorap_prefetcherd, domain;
+type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
+type iorap_prefetcherd_tmpfs, file_type;
+
+r_dir_file(iorap_prefetcherd, rootfs)
+
+# Allow read/write /proc/sys/vm/drop/caches
+allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
+
+# iorap_prefetcherd temporarily changes its priority when running benchmarks
+allow iorap_prefetcherd self:global_capability_class_set sys_nice;
+
+# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
+allow iorap_prefetcherd iorapd:fd use;
+allow iorap_prefetcherd iorapd:fifo_file { read write };
+
+# Allow reading most files under / ignoring usual access controls.
+allow iorap_prefetcherd self:capability dac_read_search;
+
+typeattribute iorap_prefetcherd mlstrustedsubject;
+
+# Grant logcat access
+allow iorap_prefetcherd logcat_exec:file { open read };
+
+# Grant access to open most of the files under /
+allow iorap_prefetcherd apk_data_file:dir { open read search };
+allow iorap_prefetcherd apk_data_file:file { open read };
+allow iorap_prefetcherd app_data_file:dir { open read search };
+allow iorap_prefetcherd app_data_file:file { open read };
+allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
+allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
+allow iorap_prefetcherd packages_list_file:dir { open read search };
+allow iorap_prefetcherd packages_list_file:file { open read };
+allow iorap_prefetcherd privapp_data_file:dir { open read search };
+allow iorap_prefetcherd privapp_data_file:file { open read };
+allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
+allow iorap_prefetcherd same_process_hal_file:file { open read };
+allow iorap_prefetcherd system_data_file:dir { open read search };
+allow iorap_prefetcherd system_data_file:file { open read };
+allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_root_file:dir { open read search };
+allow iorap_prefetcherd user_profile_data_file:dir { open read search };
+allow iorap_prefetcherd user_profile_data_file:file { open read };
+allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
+allow iorap_prefetcherd vendor_overlay_file:file { open read };
+# Note: Do not add any /vendor labels because they can be customized
+# by the vendor and we won't know about them beforehand.
+
+###
+### neverallow rules
+###
+
+neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
+neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/33.0/public/iorapd.te b/prebuilts/api/33.0/public/iorapd.te
new file mode 100644
index 0000000..8fded0c
--- /dev/null
+++ b/prebuilts/api/33.0/public/iorapd.te
@@ -0,0 +1,94 @@
+# volume manager
+type iorapd, domain;
+type iorapd_exec, exec_type, file_type, system_file_type;
+type iorapd_tmpfs, file_type;
+
+r_dir_file(iorapd, rootfs)
+
+# Allow read/write /proc/sys/vm/drop/caches
+allow iorapd proc_drop_caches:file rw_file_perms;
+
+# Give iorapd a place where only iorapd can store files; everyone else is off limits
+allow iorapd iorapd_data_file:dir create_dir_perms;
+allow iorapd iorapd_data_file:file create_file_perms;
+
+# Allow iorapd to publish a binder service and make binder calls.
+binder_use(iorapd)
+add_service(iorapd, iorapd_service)
+
+# Allow iorapd to call into the system server so it can check permissions.
+binder_call(iorapd, system_server)
+allow iorapd permission_service:service_manager find;
+# IUserManager
+allow iorapd user_service:service_manager find;
+# IPackageManagerNative
+allow iorapd package_native_service:service_manager find;
+# Allow dumpstate (bugreport) to call into iorapd.
+allow iorapd dumpstate:fd use;
+allow iorapd dumpstate:fifo_file write;
+
+# TODO: does each of the service_manager allow finds above need the binder_call?
+
+# iorapd temporarily changes its priority when running benchmarks
+allow iorapd self:global_capability_class_set sys_nice;
+
+# Allow to access Perfetto traced's privileged consumer socket to start/stop
+# tracing sessions and read trace data.
+unix_socket_connect(iorapd, traced_consumer, traced)
+
+# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
+allow iorapd system_file:file rx_file_perms;
+
+# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
+allow iorapd iorap_inode2filename:process signull;
+allow iorapd iorap_prefetcherd:process signull;
+
+# Allowing system_server to check for the existence and size of files under iorapd
+# dir without collecting any sensitive app data.
+# This is used to predict if iorapd is doing prefetching or not.
+allow system_server iorapd_data_file:dir { getattr open read search };
+allow system_server iorapd_data_file:file getattr;
+
+###
+### neverallow rules
+###
+
+neverallow {
+ domain
+ -iorapd
+} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -iorapd
+ -system_server
+} iorapd_data_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -iorapd
+} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vendor_init
+ -iorapd
+ -system_server
+} { iorapd_data_file }:notdevfile_class_set *;
+
+# Only system_server and shell (for dumpsys) can interact with iorapd over binder
+neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
+neverallow iorapd {
+ domain
+ -servicemanager
+ -system_server
+ userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow { domain -init } iorapd:process { transition dyntransition };
+neverallow iorapd domain:{ udp_socket rawip_socket } *;
+neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/prebuilts/api/26.0/public/isolated_app.te b/prebuilts/api/33.0/public/isolated_app.te
similarity index 100%
rename from prebuilts/api/26.0/public/isolated_app.te
rename to prebuilts/api/33.0/public/isolated_app.te
diff --git a/prebuilts/api/33.0/public/kernel.te b/prebuilts/api/33.0/public/kernel.te
new file mode 100644
index 0000000..09d2480
--- /dev/null
+++ b/prebuilts/api/33.0/public/kernel.te
@@ -0,0 +1,146 @@
+# Life begins with the kernel.
+type kernel, domain, mlstrustedsubject;
+
+allow kernel self:global_capability_class_set sys_nice;
+
+# Root fs.
+r_dir_file(kernel, rootfs)
+
+# Used to read androidboot.selinux property
+allow kernel {
+ proc_bootconfig
+ proc_cmdline
+}:file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
+
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
+# Mount usbfs.
+allow kernel usbfs:filesystem mount;
+allow kernel usbfs:dir search;
+
+# Initial setenforce by init prior to switching to init domain.
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
+
+# Write to /proc/1/oom_adj prior to switching to init domain.
+allow kernel self:global_capability_class_set sys_resource;
+
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:global_capability_class_set sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/kmsg which was created prior to loading policy.
+allow kernel tmpfs:chr_file write;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
+allow kernel self:security setcheckreqprot;
+
+# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel { sdcard_type fuse }:file { read write };
+
+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
+# Allow the kernel to read OBB files from app directories. (b/17428116)
+# Kernel thread "loop0" reads a vold supplied file descriptor.
+# Fixes CTS tests:
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel vold:fd use;
+allow kernel { app_data_file privapp_data_file }:file read;
+allow kernel asec_image_file:file read;
+
+# Allow mounting loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
+userdebug_or_eng(`
+ allow kernel update_engine_data_file:file { read write };
+ allow kernel nativetest_data_file:file { read write };
+')
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow kernel media_rw_data_file:dir create_dir_perms;
+allow kernel media_rw_data_file:file create_file_perms;
+
+# Access to /data/misc/vold/virtual_disk.
+allow kernel vold_data_file:file { read write };
+
+# Allow the kernel to read APEX file descriptors and (staged) data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+allow kernel {
+ apex_data_file
+ staging_data_file
+ vendor_apex_file
+}:file read;
+# Also allow the kernel to read /data/local/tmp files via loop device
+# for ApexTestCases
+userdebug_or_eng(`
+ allow kernel shell_data_file:file read;
+')
+
+# Allow the first-stage init (which is running in the kernel domain) to execute the
+# dynamic linker when it re-executes /init to switch into the second stage.
+# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
+# before the domain is switched to the target domain. So, we need to allow the kernel
+# domain (the source domain) to execute the dynamic linker (system_file type).
+# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
+# kernel older than 4.8.
+allow kernel system_file:file execute;
+# The label for the dynamic linker is rootfs in the recovery partition. This is because
+# the recovery partition which is rootfs does not support xattr and thus labeling can't be
+# done at build-time. All files are by default labeled as rootfs upon booting.
+recovery_only(`
+ allow kernel rootfs:file execute;
+')
+
+# required by VTS lidbm unit test
+allow kernel appdomain_tmpfs:file { read write };
+
+###
+### neverallow rules
+###
+
+# The initial task starts in the kernel domain (assigned via
+# initial_sid_contexts), but nothing ever transitions to it.
+neverallow * kernel:process { transition dyntransition };
+
+# The kernel domain is never entered via an exec, nor should it
+# ever execute a program outside the rootfs without changing to another domain.
+# If you encounter an execute_no_trans denial on the kernel domain, then
+# possible causes include:
+# - The program is a kernel usermodehelper. In this case, define a domain
+# for the program and domain_auto_trans() to it.
+# - You are running an exploit which switched to the init task credentials
+# and is then trying to exec a shell or other program. You lose!
+neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
+
+# Nobody should be ptracing kernel threads
+neverallow * kernel:process ptrace;
diff --git a/prebuilts/api/33.0/public/keystore.te b/prebuilts/api/33.0/public/keystore.te
new file mode 100644
index 0000000..e1c58a4
--- /dev/null
+++ b/prebuilts/api/33.0/public/keystore.te
@@ -0,0 +1,50 @@
+type keystore, domain, keystore2_key_type;
+type keystore_exec, system_file_type, exec_type, file_type;
+
+# keystore daemon
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+binder_call(keystore, system_server)
+binder_call(keystore, wificond)
+
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+
+add_service(keystore, keystore_service)
+add_service(keystore, remotelyprovisionedkeypool_service)
+add_service(keystore, remoteprovisioning_service)
+allow keystore sec_key_att_app_id_provider_service:service_manager find;
+allow keystore dropbox_service:service_manager find;
+add_service(keystore, apc_service)
+add_service(keystore, keystore_compat_hal_service)
+add_service(keystore, authorization_service)
+add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
+r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
+
+###
+### Neverallow rules
+###
+### Protect ourself from others
+###
+
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow { domain -keystore -init } keystore_data_file:dir *;
+neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
+
+# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
+neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+
+# The software KeyMint implementation used in km_compat needs
+# to read the vendor security patch level.
+get_prop(keystore, vendor_security_patch_level_prop);
diff --git a/prebuilts/api/33.0/public/keystore_keys.te b/prebuilts/api/33.0/public/keystore_keys.te
new file mode 100644
index 0000000..3c35984
--- /dev/null
+++ b/prebuilts/api/33.0/public/keystore_keys.te
@@ -0,0 +1,2 @@
+# A keystore2 namespace for WI-FI.
+type wifi_key, keystore2_key_type;
diff --git a/prebuilts/api/33.0/public/llkd.te b/prebuilts/api/33.0/public/llkd.te
new file mode 100644
index 0000000..1faa429
--- /dev/null
+++ b/prebuilts/api/33.0/public/llkd.te
@@ -0,0 +1,3 @@
+# llkd Live LocK Daemon
+type llkd, domain, mlstrustedsubject;
+type llkd_exec, system_file_type, exec_type, file_type;
diff --git a/prebuilts/api/33.0/public/lmkd.te b/prebuilts/api/33.0/public/lmkd.te
new file mode 100644
index 0000000..de6052d
--- /dev/null
+++ b/prebuilts/api/33.0/public/lmkd.te
@@ -0,0 +1,72 @@
+# lmkd low memory killer daemon
+type lmkd, domain, mlstrustedsubject;
+type lmkd_exec, system_file_type, exec_type, file_type;
+
+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
+
+# lmkd locks itself in memory, to prevent it from being
+# swapped out and unable to kill other memory hogs.
+# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
+# b/16236289
+allow lmkd self:global_capability_class_set ipc_lock;
+
+## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns
+## TODO: maybe scope this down?
+r_dir_file(lmkd, domain)
+allow lmkd domain:file write;
+
+## Writes to /sys/module/lowmemorykiller/parameters/minfree
+r_dir_file(lmkd, sysfs_lowmemorykiller)
+allow lmkd sysfs_lowmemorykiller:file w_file_perms;
+
+# setsched and send kill signals to any registered process
+allow lmkd domain:process { setsched sigkill };
+# TODO: delete this line b/131761776
+allow lmkd kernel:process { setsched };
+
+# Clean up old cgroups
+allow lmkd cgroup:dir { remove_name rmdir };
+allow lmkd cgroup_v2:dir { remove_name rmdir };
+
+# Allow to read memcg stats
+allow lmkd cgroup:file r_file_perms;
+allow lmkd cgroup_v2:file r_file_perms;
+
+# Set self to SCHED_FIFO
+allow lmkd self:global_capability_class_set sys_nice;
+
+allow lmkd proc_zoneinfo:file r_file_perms;
+allow lmkd proc_vmstat:file r_file_perms;
+
+# live lock watchdog process allowed to look through /proc/
+allow lmkd domain:dir { search open read };
+allow lmkd domain:file { open read };
+
+# live lock watchdog process allowed to dump process trace and
+# reboot because orderly shutdown may not be possible.
+allow lmkd proc_sysrq:file rw_file_perms;
+
+# Read /proc/lowmemorykiller
+allow lmkd proc_lowmemorykiller:file r_file_perms;
+
+# Read /proc/meminfo
+allow lmkd proc_meminfo:file r_file_perms;
+
+# Read /proc/pressure/cpu and /proc/pressure/io
+allow lmkd proc_pressure_cpu:file r_file_perms;
+allow lmkd proc_pressure_io:file r_file_perms;
+
+# Read/Write /proc/pressure/memory
+allow lmkd proc_pressure_mem:file rw_file_perms;
+
+# Allow lmkd to connect during reinit.
+allow lmkd lmkd_socket:sock_file write;
+
+# Allow lmkd to write to statsd.
+unix_socket_send(lmkd, statsdw, statsd)
+
+### neverallow rules
+
+# never honor LD_PRELOAD
+neverallow * lmkd:process noatsecure;
+neverallow lmkd self:global_capability_class_set sys_ptrace;
diff --git a/prebuilts/api/33.0/public/logd.te b/prebuilts/api/33.0/public/logd.te
new file mode 100644
index 0000000..8187179
--- /dev/null
+++ b/prebuilts/api/33.0/public/logd.te
@@ -0,0 +1,74 @@
+# android user-space log manager
+type logd, domain, mlstrustedsubject;
+type logd_exec, system_file_type, exec_type, file_type;
+
+# Read access to pseudo filesystems.
+r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
+r_dir_file(logd, proc_kmsg)
+r_dir_file(logd, proc_meminfo)
+
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kernel:system syslog_read;
+allow logd kmsg_device:chr_file { getattr w_file_perms };
+allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd packages_list_file:file r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+ # Access to /data/misc/logd/event-log-tags
+ allow logd misc_logd_file:dir r_dir_perms;
+ allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;
+
+r_dir_file(logd, domain)
+
+allow logd kernel:system syslog_mod;
+
+control_logd(logd)
+read_runtime_log_tags(logd)
+
+allow runtime_event_log_tags_file tmpfs:filesystem associate;
+# Typically harmlessly blindly trying to access via liblog
+# event tag mapping while in the untrusted_app domain.
+# Access for that domain is controlled and gated via the
+# event log tag service (albeit at a performance penalty,
+# expected to be locally cached).
+dontaudit domain runtime_event_log_tags_file:file { map open read };
+
+# Logd sets defaults if certain properties are empty.
+set_prop(logd, logd_prop)
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# ... and nobody may ptrace me (except on userdebug or eng builds)
+neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
+
+# Only init is allowed to enter the logd domain via exec()
+neverallow { domain -init } logd:process transition;
+neverallow * logd:process dyntransition;
+
+# protect the event-log-tags file
+neverallow {
+ domain
+ -init
+ -logd
+} runtime_event_log_tags_file:file no_w_file_perms;
diff --git a/prebuilts/api/33.0/public/logpersist.te b/prebuilts/api/33.0/public/logpersist.te
new file mode 100644
index 0000000..c8e6af4
--- /dev/null
+++ b/prebuilts/api/33.0/public/logpersist.te
@@ -0,0 +1,30 @@
+# android debug logging, logpersist domains
+type logpersist, domain;
+
+# logcatd is a shell script that execs logcat with various parameters.
+allow logpersist shell_exec:file rx_file_perms;
+allow logpersist logcat_exec:file rx_file_perms;
+
+###
+### Neverallow rules
+###
+### logpersist should NEVER do any of this
+
+# Block device access.
+neverallow logpersist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logpersist domain:process ptrace;
+
+# Write to files in /data/data or system files on /data except misc_logd_file
+neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init should be allowed to enter the logpersist domain via exec()
+# Following is a list of debug domains we know that transition to logpersist
+# neverallow_with_undefined_domains {
+# domain
+# -init # goldfish, logcatd, raft
+# -mmi # bat, mtp8996, msmcobalt
+# -system_app # Smith.apk
+# } logpersist:process transition;
+neverallow * logpersist:process dyntransition;
diff --git a/prebuilts/api/26.0/public/mdnsd.te b/prebuilts/api/33.0/public/mdnsd.te
similarity index 100%
rename from prebuilts/api/26.0/public/mdnsd.te
rename to prebuilts/api/33.0/public/mdnsd.te
diff --git a/prebuilts/api/33.0/public/mediadrmserver.te b/prebuilts/api/33.0/public/mediadrmserver.te
new file mode 100644
index 0000000..a52295e
--- /dev/null
+++ b/prebuilts/api/33.0/public/mediadrmserver.te
@@ -0,0 +1,33 @@
+# mediadrmserver - mediadrm daemon
+type mediadrmserver, domain;
+type mediadrmserver_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediadrmserver mlstrustedsubject;
+
+net_domain(mediadrmserver)
+binder_use(mediadrmserver)
+binder_call(mediadrmserver, binderservicedomain)
+binder_call(mediadrmserver, appdomain)
+binder_service(mediadrmserver)
+hal_client_domain(mediadrmserver, hal_drm)
+
+add_service(mediadrmserver, mediadrmserver_service)
+allow mediadrmserver mediaserver_service:service_manager find;
+allow mediadrmserver mediametrics_service:service_manager find;
+allow mediadrmserver processinfo_service:service_manager find;
+allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
+
+# TODO(b/80317992): remove
+binder_call(mediadrmserver, hal_omx_server)
+
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/33.0/public/mediaextractor.te b/prebuilts/api/33.0/public/mediaextractor.te
new file mode 100644
index 0000000..1315b8f
--- /dev/null
+++ b/prebuilts/api/33.0/public/mediaextractor.te
@@ -0,0 +1,73 @@
+# mediaextractor - multimedia daemon
+type mediaextractor, domain;
+type mediaextractor_exec, system_file_type, exec_type, file_type;
+type mediaextractor_tmpfs, file_type;
+
+typeattribute mediaextractor mlstrustedsubject;
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+add_service(mediaextractor, mediaextractor_service)
+allow mediaextractor mediametrics_service:service_manager find;
+allow mediaextractor hidl_token_hwservice:hwservice_manager find;
+
+allow mediaextractor system_server:fd use;
+
+hal_client_domain(mediaextractor, hal_cas)
+hal_client_domain(mediaextractor, hal_allocator)
+
+r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
+allow mediaextractor proc_meminfo:file r_file_perms;
+
+crash_dump_fallback(mediaextractor)
+
+# allow mediaextractor read permissions for file sources
+allow mediaextractor { sdcard_type fuse }:file { getattr read };
+allow mediaextractor media_rw_data_file:file { getattr read };
+allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
+
+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
+# overlay package access
+allow mediaextractor vendor_overlay_file:file { read map };
+
+# scan extractor library directory to dynamically load extractors
+allow mediaextractor system_file:dir { read open };
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
+neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+# mediaextractor should not be opening /data files directly. Any files
+# it touches (with a few exceptions) need to be passed to it via a file
+# descriptor opened outside the process.
+neverallow mediaextractor {
+ data_file_type
+ -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+ userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+ with_native_coverage(`-method_trace_data_file')
+}:file open;
diff --git a/prebuilts/api/33.0/public/mediametrics.te b/prebuilts/api/33.0/public/mediametrics.te
new file mode 100644
index 0000000..76f819e
--- /dev/null
+++ b/prebuilts/api/33.0/public/mediametrics.te
@@ -0,0 +1,46 @@
+# mediametrics - daemon for collecting media.metrics data
+type mediametrics, domain;
+type mediametrics_exec, system_file_type, exec_type, file_type;
+
+
+binder_use(mediametrics)
+binder_call(mediametrics, binderservicedomain)
+binder_service(mediametrics)
+
+add_service(mediametrics, mediametrics_service)
+
+allow mediametrics system_server:fd use;
+
+r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
+allow mediametrics proc_meminfo:file r_file_perms;
+
+# allows interactions with dumpsys to GMScore
+allow mediametrics { app_data_file privapp_data_file }:file write;
+
+# allow access to package manager for uid->apk mapping
+allow mediametrics package_native_service:service_manager find;
+
+# Allow metrics service to send information to statsd socket.
+unix_socket_send(mediametrics, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# mediametrics should never execute any executable without a
+# domain transition
+neverallow mediametrics { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediametrics domain:{ udp_socket rawip_socket } *;
+neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/prebuilts/api/27.0/public/mediaprovider.te b/prebuilts/api/33.0/public/mediaprovider.te
similarity index 100%
rename from prebuilts/api/27.0/public/mediaprovider.te
rename to prebuilts/api/33.0/public/mediaprovider.te
diff --git a/prebuilts/api/33.0/public/mediaserver.te b/prebuilts/api/33.0/public/mediaserver.te
new file mode 100644
index 0000000..621b6d7
--- /dev/null
+++ b/prebuilts/api/33.0/public/mediaserver.te
@@ -0,0 +1,151 @@
+# mediaserver - multimedia daemon
+type mediaserver, domain;
+type mediaserver_exec, system_file_type, exec_type, file_type;
+type mediaserver_tmpfs, file_type;
+
+typeattribute mediaserver mlstrustedsubject;
+
+net_domain(mediaserver)
+
+r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, fuse)
+r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
+
+# stat /proc/self
+allow mediaserver proc:lnk_file getattr;
+
+# open /vendor/lib/mediadrm
+allow mediaserver system_file:dir r_dir_perms;
+
+userdebug_or_eng(`
+ # ptrace to processes in the same domain for memory leak detection
+ allow mediaserver self:process ptrace;
+')
+
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+
+allow mediaserver media_data_file:dir create_dir_perms;
+allow mediaserver media_data_file:file create_file_perms;
+allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
+allow mediaserver { sdcard_type fuse }:file write;
+allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:dir r_dir_perms;
+allow mediaserver video_device:dir r_dir_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+
+# Read resources from open apk files passed over Binder.
+allow mediaserver apk_data_file:file { read getattr };
+allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow mediaserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file r_file_perms;
+
+r_dir_file(mediaserver, media_rw_data_file)
+
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(mediaserver, bluetooth, bluetooth)
+
+add_service(mediaserver, mediaserver_service)
+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
+allow mediaserver audio_service:service_manager find;
+allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
+allow mediaserver mediametrics_service:service_manager find;
+allow mediaserver media_session_service:service_manager find;
+allow mediaserver permission_service:service_manager find;
+allow mediaserver permission_checker_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
+
+# for ModDrm/MediaPlayer
+allow mediaserver mediadrmserver_service:service_manager find;
+
+# For hybrid interfaces
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
+# /oem access
+allow mediaserver oemfs:dir search;
+allow mediaserver oemfs:file r_file_perms;
+
+# /vendor apk access
+allow mediaserver vendor_app_file:file { read map getattr };
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
+
+allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
+allow mediaserver hal_camera:fd use;
+
+allow mediaserver system_server:fd use;
+
+# b/120491318 allow mediaserver to access void:fd
+allow mediaserver vold:fd use;
+
+# overlay package access
+allow mediaserver vendor_overlay_file:file { read getattr map };
+
+hal_client_domain(mediaserver, hal_allocator)
+
+###
+### neverallow rules
+###
+
+# mediaserver should never execute any executable without a
+# domain transition
+neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/33.0/public/mediaswcodec.te b/prebuilts/api/33.0/public/mediaswcodec.te
new file mode 100644
index 0000000..edbab03
--- /dev/null
+++ b/prebuilts/api/33.0/public/mediaswcodec.te
@@ -0,0 +1,29 @@
+type mediaswcodec, domain;
+type mediaswcodec_exec, system_file_type, exec_type, file_type;
+
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
+
+hal_client_domain(mediaswcodec, hal_allocator)
+hal_client_domain(mediaswcodec, hal_graphics_allocator)
+
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
+allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaswcodec gpu_device:chr_file rw_file_perms;
+allow mediaswcodec gpu_device:dir r_dir_perms;
diff --git a/prebuilts/api/33.0/public/mediatranscoding.te b/prebuilts/api/33.0/public/mediatranscoding.te
new file mode 100644
index 0000000..420d038
--- /dev/null
+++ b/prebuilts/api/33.0/public/mediatranscoding.te
@@ -0,0 +1 @@
+type mediatranscoding, domain;
diff --git a/prebuilts/api/33.0/public/modprobe.te b/prebuilts/api/33.0/public/modprobe.te
new file mode 100644
index 0000000..2c7d64b
--- /dev/null
+++ b/prebuilts/api/33.0/public/modprobe.te
@@ -0,0 +1,10 @@
+type modprobe, domain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe proc_cmdline:file r_file_perms;
+allow modprobe self:global_capability_class_set sys_module;
+allow modprobe kernel:key search;
+recovery_only(`
+ allow modprobe rootfs:system module_load;
+ allow modprobe rootfs:file r_file_perms;
+')
diff --git a/prebuilts/api/33.0/public/mtp.te b/prebuilts/api/33.0/public/mtp.te
new file mode 100644
index 0000000..add63c0
--- /dev/null
+++ b/prebuilts/api/33.0/public/mtp.te
@@ -0,0 +1,11 @@
+# vpn tunneling protocol manager
+type mtp, domain;
+type mtp_exec, system_file_type, exec_type, file_type;
+
+net_domain(mtp)
+
+# pptp policy
+allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
+allow mtp self:global_capability_class_set net_raw;
+allow mtp ppp:process signal;
+allow mtp vpn_data_file:dir search;
diff --git a/prebuilts/api/33.0/public/net.te b/prebuilts/api/33.0/public/net.te
new file mode 100644
index 0000000..31c9c45
--- /dev/null
+++ b/prebuilts/api/33.0/public/net.te
@@ -0,0 +1,26 @@
+## Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/prebuilts/api/33.0/public/netd.te b/prebuilts/api/33.0/public/netd.te
new file mode 100644
index 0000000..64b4c7d
--- /dev/null
+++ b/prebuilts/api/33.0/public/netd.te
@@ -0,0 +1,186 @@
+# network manager
+type netd, domain, mlstrustedsubject;
+type netd_exec, system_file_type, exec_type, file_type;
+
+net_domain(netd)
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
+allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(netd, cgroup)
+
+allow netd system_server:fd use;
+
+allow netd self:global_capability_class_set { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for netd to operate.
+dontaudit netd self:global_capability_class_set fsetid;
+
+# Allow netd to open /dev/tun, set it up and pass it to clatd
+allow netd tun_device:chr_file rw_file_perms;
+allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow netd self:tun_socket create;
+
+allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
+allow netd devpts:chr_file rw_file_perms;
+
+# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
+# exist, suppress the denial.
+allow netd system_file:file lock;
+dontaudit netd system_file:dir write;
+
+# Allow netd to write to qtaguid ctrl file.
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file
+# after migration complete
+allow netd proc_qtaguid_ctrl:file rw_file_perms;
+# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
+allow netd qtaguid_device:chr_file r_file_perms;
+
+r_dir_file(netd, proc_net_type)
+# For /proc/sys/net/ipv[46]/route/flush.
+allow netd proc_net_type:file rw_file_perms;
+
+# Enables PppController and interface enumeration (among others)
+allow netd sysfs:dir r_dir_perms;
+r_dir_file(netd, sysfs_net)
+
+# Allows setting interface MTU
+allow netd sysfs_net:file w_file_perms;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
+
+r_dir_file(netd, cgroup_v2)
+
+allow netd fs_bpf:file { read write };
+
+# TODO: netd previously thought it needed these permissions to do WiFi related
+# work. However, after all the WiFi stuff is gone, we still need them.
+# Why?
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
+
+# Needed to update /data/misc/net/rt_tables
+allow netd net_data_file:file create_file_perms;
+allow netd net_data_file:dir rw_dir_perms;
+allow netd self:global_capability_class_set fowner;
+
+# Needed to lock the iptables lock.
+allow netd system_file:file lock;
+
+# Allow netd to spawn dnsmasq in it's own domain
+allow netd dnsmasq:process signal;
+
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+add_service(netd, netd_service)
+add_service(netd, dnsresolver_service)
+add_service(netd, mdns_service)
+allow netd dumpstate:fifo_file { getattr write };
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
+
+# Allow netd to talk to the framework service which collects netd events.
+allow netd netd_listener_service:service_manager find;
+
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{
+ icmp_socket
+ tcp_socket
+ udp_socket
+ rawip_socket
+ tun_socket
+} { read write getattr setattr getopt setopt };
+allow netd netdomain:fd use;
+
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# Allow netd to register as hal server.
+add_hwservice(netd, system_net_netd_hwservice)
+hwbinder_use(netd)
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
+
+# only system_server, dumpstate and network stack app may find netd service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} netd_service:service_manager find;
+
+# only system_server, dumpstate and network stack app may find dnsresolver service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} dnsresolver_service:service_manager find;
+
+# only system_server, dumpstate and network stack app may find mdns service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} mdns_service:service_manager find;
+
+# apps may not interact with netd over binder.
+neverallow { appdomain -network_stack } netd:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
+
+# If an already existing file is opened with O_CREATE, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+neverallow netd proc_net:dir no_w_dir_perms;
+dontaudit netd proc_net:dir write;
+
+neverallow netd sysfs_net:dir no_w_dir_perms;
+dontaudit netd sysfs_net:dir write;
+
+# Netd should not have SYS_ADMIN privs.
+neverallow netd self:capability sys_admin;
+dontaudit netd self:capability sys_admin;
+
+# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
+# (things it requires should be built directly into the kernel)
+dontaudit netd self:capability sys_module;
+
+dontaudit netd kernel:system module_request;
+
+dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/prebuilts/api/33.0/public/netutils_wrapper.te b/prebuilts/api/33.0/public/netutils_wrapper.te
new file mode 100644
index 0000000..27aa749
--- /dev/null
+++ b/prebuilts/api/33.0/public/netutils_wrapper.te
@@ -0,0 +1,4 @@
+type netutils_wrapper, domain;
+type netutils_wrapper_exec, system_file_type, exec_type, file_type;
+
+neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/prebuilts/api/33.0/public/network_stack.te b/prebuilts/api/33.0/public/network_stack.te
new file mode 100644
index 0000000..feff664
--- /dev/null
+++ b/prebuilts/api/33.0/public/network_stack.te
@@ -0,0 +1,2 @@
+# Network stack service app
+type network_stack, domain;
diff --git a/prebuilts/api/33.0/public/neverallow_macros b/prebuilts/api/33.0/public/neverallow_macros
new file mode 100644
index 0000000..59fa441
--- /dev/null
+++ b/prebuilts/api/33.0/public/neverallow_macros
@@ -0,0 +1,15 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/prebuilts/api/26.0/public/nfc.te b/prebuilts/api/33.0/public/nfc.te
similarity index 100%
rename from prebuilts/api/26.0/public/nfc.te
rename to prebuilts/api/33.0/public/nfc.te
diff --git a/prebuilts/api/33.0/public/otapreopt_chroot.te b/prebuilts/api/33.0/public/otapreopt_chroot.te
new file mode 100644
index 0000000..db8dd1a
--- /dev/null
+++ b/prebuilts/api/33.0/public/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+# otapreopt_chroot seclabel
+
+# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
+type otapreopt_chroot, domain;
diff --git a/prebuilts/api/33.0/public/perfetto.te b/prebuilts/api/33.0/public/perfetto.te
new file mode 100644
index 0000000..cec0e6f
--- /dev/null
+++ b/prebuilts/api/33.0/public/perfetto.te
@@ -0,0 +1 @@
+type perfetto, domain, coredomain;
diff --git a/prebuilts/api/33.0/public/performanced.te b/prebuilts/api/33.0/public/performanced.te
new file mode 100644
index 0000000..d694fda
--- /dev/null
+++ b/prebuilts/api/33.0/public/performanced.te
@@ -0,0 +1,31 @@
+# performanced
+type performanced, domain, mlstrustedsubject;
+type performanced_exec, system_file_type, exec_type, file_type;
+
+# Needed to check for app permissions.
+binder_use(performanced)
+binder_call(performanced, system_server)
+allow performanced permission_service:service_manager find;
+
+pdx_server(performanced, performance_client)
+
+# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
+allow performanced self:global_capability_class_set { setuid setgid sys_nice };
+
+# Access /proc to validate we're only affecting threads in the same thread group.
+# Performanced also shields unbound kernel threads. It scans every task in the
+# root cpu set, but only affects the kernel threads.
+r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
+dontaudit performanced domain:dir read;
+allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
+
+# These /proc accesses only show up in permissive mode but they
+# generate a lot of noise in the log.
+userdebug_or_eng(`
+ dontaudit performanced domain:dir open;
+ dontaudit performanced domain:file { open read getattr };
+')
+
+# Access /dev/cpuset/cpuset.cpus
+r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)
diff --git a/prebuilts/api/26.0/public/platform_app.te b/prebuilts/api/33.0/public/platform_app.te
similarity index 100%
rename from prebuilts/api/26.0/public/platform_app.te
rename to prebuilts/api/33.0/public/platform_app.te
diff --git a/prebuilts/api/33.0/public/postinstall.te b/prebuilts/api/33.0/public/postinstall.te
new file mode 100644
index 0000000..bcea2dc
--- /dev/null
+++ b/prebuilts/api/33.0/public/postinstall.te
@@ -0,0 +1,45 @@
+# Domain where the postinstall program runs during the update.
+# Extend the permissions in this domain to allow this program to access other
+# files needed by the specific device on your device's sepolicy directory.
+type postinstall, domain;
+
+# Allow postinstall to write to its stdout/stderr when redirected via pipes to
+# update_engine.
+allow postinstall update_engine_common:fd use;
+allow postinstall update_engine_common:fifo_file rw_file_perms;
+
+# Allow postinstall to read and execute directories and files in the same
+# mounted location.
+allow postinstall postinstall_file:file rx_file_perms;
+allow postinstall postinstall_file:lnk_file r_file_perms;
+allow postinstall postinstall_file:dir r_dir_perms;
+
+# Allow postinstall to execute the shell or other system executables.
+allow postinstall shell_exec:file rx_file_perms;
+allow postinstall system_file:file rx_file_perms;
+allow postinstall toolbox_exec:file rx_file_perms;
+
+# Allow postinstall to execute shell in recovery.
+recovery_only(`
+ allow postinstall rootfs:file rx_file_perms;
+')
+
+#
+# For OTA dexopt.
+#
+
+# Allow postinstall scripts to talk to the system server.
+binder_use(postinstall)
+binder_call(postinstall, system_server)
+
+# Need to talk to the otadexopt service.
+allow postinstall otadexopt_service:service_manager find;
+
+# Allow postinstall scripts to trigger f2fs garbage collection
+allow postinstall sysfs_fs_f2fs:file rw_file_perms;
+allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
+
+# No domain other than update_engine and recovery (via update_engine_sideload)
+# should transition to postinstall, as it is only meant to run during the
+# update.
+neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/prebuilts/api/33.0/public/ppp.te b/prebuilts/api/33.0/public/ppp.te
new file mode 100644
index 0000000..b736def
--- /dev/null
+++ b/prebuilts/api/33.0/public/ppp.te
@@ -0,0 +1,23 @@
+# Point to Point Protocol daemon
+type ppp, domain;
+type ppp_device, dev_type;
+type ppp_exec, system_file_type, exec_type, file_type;
+
+net_domain(ppp)
+
+r_dir_file(ppp, proc_net_type)
+
+allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
+
+# ioctls needed for VPN.
+allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
+allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
+
+allow ppp mtp:unix_dgram_socket rw_socket_perms;
+allow ppp ppp_device:chr_file rw_file_perms;
+allow ppp self:global_capability_class_set net_admin;
+allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
+allow ppp vpn_data_file:dir w_dir_perms;
+allow ppp vpn_data_file:file create_file_perms;
+allow ppp mtp:fd use;
diff --git a/prebuilts/api/26.0/public/priv_app.te b/prebuilts/api/33.0/public/priv_app.te
similarity index 100%
rename from prebuilts/api/26.0/public/priv_app.te
rename to prebuilts/api/33.0/public/priv_app.te
diff --git a/prebuilts/api/33.0/public/profman.te b/prebuilts/api/33.0/public/profman.te
new file mode 100644
index 0000000..c014d79
--- /dev/null
+++ b/prebuilts/api/33.0/public/profman.te
@@ -0,0 +1,33 @@
+# profman
+type profman, domain;
+type profman_exec, system_file_type, exec_type, file_type;
+
+allow profman user_profile_data_file:file { getattr read write lock map };
+
+# Dumping profile info opens the application APK file for pretty printing.
+allow profman asec_apk_file:file { read map };
+allow profman apk_data_file:file { getattr read map };
+allow profman apk_data_file:dir { getattr read search };
+
+allow profman oemfs:file { read map };
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+allow profman tmpfs:file { read map };
+allow profman profman_dump_data_file:file { write map };
+
+allow profman installd:fd use;
+
+# Allow profman to analyze profiles for the secondary dex files. These
+# are application dex files reported back to the framework when using
+# BaseDexClassLoader.
+allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
+allow profman { privapp_data_file app_data_file }:dir { getattr read search };
+
+# Allow query ART device config properties
+get_prop(profman, device_config_runtime_native_prop)
+get_prop(profman, device_config_runtime_native_boot_prop)
+
+###
+### neverallow rules
+###
+
+neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
new file mode 100644
index 0000000..6024f07
--- /dev/null
+++ b/prebuilts/api/33.0/public/property.te
@@ -0,0 +1,338 @@
+# Properties used only in /system
+#
+# DO NOT ADD system_internal_prop here.
+# Instead, add to private/property.te.
+# TODO(b/150331497): move these to private/property.te
+system_internal_prop(apexd_prop)
+system_internal_prop(bootloader_boot_reason_prop)
+system_internal_prop(device_config_activity_manager_native_boot_prop)
+system_internal_prop(device_config_boot_count_prop)
+system_internal_prop(device_config_input_native_boot_prop)
+system_internal_prop(device_config_media_native_prop)
+system_internal_prop(device_config_netd_native_prop)
+system_internal_prop(device_config_reset_performed_prop)
+system_internal_prop(firstboot_prop)
+
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_internal_prop(boottime_prop)
+ system_internal_prop(charger_prop)
+ system_internal_prop(cold_boot_done_prop)
+ system_internal_prop(ctl_adbd_prop)
+ system_internal_prop(ctl_apexd_prop)
+ system_internal_prop(ctl_bootanim_prop)
+ system_internal_prop(ctl_bugreport_prop)
+ system_internal_prop(ctl_console_prop)
+ system_internal_prop(ctl_dumpstate_prop)
+ system_internal_prop(ctl_fuse_prop)
+ system_internal_prop(ctl_gsid_prop)
+ system_internal_prop(ctl_interface_restart_prop)
+ system_internal_prop(ctl_interface_stop_prop)
+ system_internal_prop(ctl_mdnsd_prop)
+ system_internal_prop(ctl_restart_prop)
+ system_internal_prop(ctl_rildaemon_prop)
+ system_internal_prop(ctl_sigstop_prop)
+ system_internal_prop(dynamic_system_prop)
+ system_internal_prop(heapprofd_enabled_prop)
+ system_internal_prop(llkd_prop)
+ system_internal_prop(lpdumpd_prop)
+ system_internal_prop(mmc_prop)
+ system_internal_prop(mock_ota_prop)
+ system_internal_prop(net_dns_prop)
+ system_internal_prop(overlay_prop)
+ system_internal_prop(persistent_properties_ready_prop)
+ system_internal_prop(safemode_prop)
+ system_internal_prop(system_lmk_prop)
+ system_internal_prop(system_trace_prop)
+ system_internal_prop(test_boot_reason_prop)
+ system_internal_prop(time_prop)
+ system_internal_prop(traced_enabled_prop)
+ system_internal_prop(traced_lazy_prop)
+')
+
+# Properties which can't be written outside system
+system_restricted_prop(aac_drc_prop)
+system_restricted_prop(arm64_memtag_prop)
+system_restricted_prop(binder_cache_bluetooth_server_prop)
+system_restricted_prop(binder_cache_system_server_prop)
+system_restricted_prop(binder_cache_telephony_server_prop)
+system_restricted_prop(boot_status_prop)
+system_restricted_prop(bootanim_system_prop)
+system_restricted_prop(bootloader_prop)
+system_restricted_prop(boottime_public_prop)
+system_restricted_prop(bq_config_prop)
+system_restricted_prop(build_bootimage_prop)
+system_restricted_prop(build_prop)
+system_restricted_prop(device_config_nnapi_native_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)
+system_restricted_prop(device_config_runtime_native_prop)
+system_restricted_prop(device_config_surface_flinger_native_boot_prop)
+system_restricted_prop(fingerprint_prop)
+system_restricted_prop(gwp_asan_prop)
+system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(hypervisor_prop)
+system_restricted_prop(init_service_status_prop)
+system_restricted_prop(libc_debug_prop)
+system_restricted_prop(module_sdkextensions_prop)
+system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(persist_wm_debug_prop)
+system_restricted_prop(power_debug_prop)
+system_restricted_prop(property_service_version_prop)
+system_restricted_prop(provisioned_prop)
+system_restricted_prop(restorecon_prop)
+system_restricted_prop(retaildemo_prop)
+system_restricted_prop(smart_idle_maint_enabled_prop)
+system_restricted_prop(socket_hook_prop)
+system_restricted_prop(sqlite_log_prop)
+system_restricted_prop(surfaceflinger_display_prop)
+system_restricted_prop(system_boot_reason_prop)
+system_restricted_prop(system_jvmti_agent_prop)
+system_restricted_prop(ab_update_gki_prop)
+system_restricted_prop(usb_prop)
+system_restricted_prop(userspace_reboot_exported_prop)
+system_restricted_prop(vold_status_prop)
+system_restricted_prop(vts_status_prop)
+
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_restricted_prop(config_prop)
+ system_restricted_prop(cppreopt_prop)
+ system_restricted_prop(dalvik_prop)
+ system_restricted_prop(debuggerd_prop)
+ system_restricted_prop(device_logging_prop)
+ system_restricted_prop(dhcp_prop)
+ system_restricted_prop(dumpstate_prop)
+ system_restricted_prop(exported3_system_prop)
+ system_restricted_prop(exported_dumpstate_prop)
+ system_restricted_prop(exported_secure_prop)
+ system_restricted_prop(heapprofd_prop)
+ system_restricted_prop(net_radio_prop)
+ system_restricted_prop(pan_result_prop)
+ system_restricted_prop(persist_debug_prop)
+ system_restricted_prop(shell_prop)
+ system_restricted_prop(test_harness_prop)
+ system_restricted_prop(theme_prop)
+ system_restricted_prop(use_memfd_prop)
+ system_restricted_prop(vold_prop)
+')
+
+# Properties which can be written only by vendor_init
+system_vendor_config_prop(apexd_config_prop)
+system_vendor_config_prop(apexd_select_prop)
+system_vendor_config_prop(aaudio_config_prop)
+system_vendor_config_prop(apk_verity_prop)
+system_vendor_config_prop(audio_config_prop)
+system_vendor_config_prop(bootanim_config_prop)
+system_vendor_config_prop(bluetooth_config_prop)
+system_vendor_config_prop(build_config_prop)
+system_vendor_config_prop(build_odm_prop)
+system_vendor_config_prop(build_vendor_prop)
+system_vendor_config_prop(camera_calibration_prop)
+system_vendor_config_prop(camera_config_prop)
+system_vendor_config_prop(camera2_extensions_prop)
+system_vendor_config_prop(camerax_extensions_prop)
+system_vendor_config_prop(charger_config_prop)
+system_vendor_config_prop(codec2_config_prop)
+system_vendor_config_prop(cpu_variant_prop)
+system_vendor_config_prop(dalvik_config_prop)
+system_vendor_config_prop(debugfs_restriction_prop)
+system_vendor_config_prop(drm_service_config_prop)
+system_vendor_config_prop(exported_camera_prop)
+system_vendor_config_prop(exported_config_prop)
+system_vendor_config_prop(exported_default_prop)
+system_vendor_config_prop(ffs_config_prop)
+system_vendor_config_prop(framework_watchdog_config_prop)
+system_vendor_config_prop(graphics_config_prop)
+system_vendor_config_prop(hdmi_config_prop)
+system_vendor_config_prop(hw_timeout_multiplier_prop)
+system_vendor_config_prop(incremental_prop)
+system_vendor_config_prop(keyguard_config_prop)
+system_vendor_config_prop(lmkd_config_prop)
+system_vendor_config_prop(media_config_prop)
+system_vendor_config_prop(media_variant_prop)
+system_vendor_config_prop(mediadrm_config_prop)
+system_vendor_config_prop(mm_events_config_prop)
+system_vendor_config_prop(oem_unlock_prop)
+system_vendor_config_prop(packagemanager_config_prop)
+system_vendor_config_prop(recovery_config_prop)
+system_vendor_config_prop(sendbug_config_prop)
+system_vendor_config_prop(soc_prop)
+system_vendor_config_prop(storage_config_prop)
+system_vendor_config_prop(storagemanager_config_prop)
+system_vendor_config_prop(surfaceflinger_prop)
+system_vendor_config_prop(suspend_prop)
+system_vendor_config_prop(systemsound_config_prop)
+system_vendor_config_prop(telephony_config_prop)
+system_vendor_config_prop(tombstone_config_prop)
+system_vendor_config_prop(usb_config_prop)
+system_vendor_config_prop(userspace_reboot_config_prop)
+system_vendor_config_prop(vehicle_hal_prop)
+system_vendor_config_prop(vendor_security_patch_level_prop)
+system_vendor_config_prop(vendor_socket_hook_prop)
+system_vendor_config_prop(virtual_ab_prop)
+system_vendor_config_prop(vndk_prop)
+system_vendor_config_prop(vts_config_prop)
+system_vendor_config_prop(vold_config_prop)
+system_vendor_config_prop(wifi_config_prop)
+system_vendor_config_prop(zram_config_prop)
+system_vendor_config_prop(zygote_config_prop)
+system_vendor_config_prop(dck_prop)
+
+# Properties with no restrictions
+system_public_prop(adbd_config_prop)
+system_public_prop(audio_prop)
+system_public_prop(bluetooth_a2dp_offload_prop)
+system_public_prop(bluetooth_audio_hal_prop)
+system_public_prop(bluetooth_prop)
+system_public_prop(bpf_progs_loaded_prop)
+system_public_prop(charger_status_prop)
+system_public_prop(ctl_default_prop)
+system_public_prop(ctl_interface_start_prop)
+system_public_prop(ctl_start_prop)
+system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_runtime_prop)
+system_public_prop(debug_prop)
+system_public_prop(dumpstate_options_prop)
+system_public_prop(exported_system_prop)
+system_public_prop(exported_bluetooth_prop)
+system_public_prop(exported_overlay_prop)
+system_public_prop(exported_pm_prop)
+system_public_prop(ffs_control_prop)
+system_public_prop(gesture_prop)
+system_public_prop(hal_dumpstate_config_prop)
+system_public_prop(sota_prop)
+system_public_prop(hwservicemanager_prop)
+system_public_prop(lmkd_prop)
+system_public_prop(logd_prop)
+system_public_prop(logpersistd_logging_prop)
+system_public_prop(log_prop)
+system_public_prop(log_tag_prop)
+system_public_prop(lowpan_prop)
+system_public_prop(nfc_prop)
+system_public_prop(ota_prop)
+system_public_prop(powerctl_prop)
+system_public_prop(qemu_hw_prop)
+system_public_prop(qemu_sf_lcd_density_prop)
+system_public_prop(radio_control_prop)
+system_public_prop(radio_prop)
+system_public_prop(serialno_prop)
+system_public_prop(surfaceflinger_color_prop)
+system_public_prop(system_prop)
+system_public_prop(telephony_status_prop)
+system_public_prop(usb_control_prop)
+system_public_prop(vold_post_fs_data_prop)
+system_public_prop(wifi_hal_prop)
+system_public_prop(wifi_log_prop)
+system_public_prop(wifi_prop)
+system_public_prop(zram_control_prop)
+
+# Properties which don't have entries on property_contexts
+system_internal_prop(default_prop)
+
+# Properties used in default HAL implementations
+vendor_internal_prop(rebootescrow_hal_prop)
+
+vendor_public_prop(persist_vendor_debug_wifi_prop)
+
+# Properties which are public for devices launching with Android O or earlier
+# This should not be used for any new properties.
+not_compatible_property(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_public_prop(boottime_prop)
+ system_public_prop(charger_prop)
+ system_public_prop(cold_boot_done_prop)
+ system_public_prop(ctl_adbd_prop)
+ system_public_prop(ctl_apexd_prop)
+ system_public_prop(ctl_bootanim_prop)
+ system_public_prop(ctl_bugreport_prop)
+ system_public_prop(ctl_console_prop)
+ system_public_prop(ctl_dumpstate_prop)
+ system_public_prop(ctl_fuse_prop)
+ system_public_prop(ctl_gsid_prop)
+ system_public_prop(ctl_interface_restart_prop)
+ system_public_prop(ctl_interface_stop_prop)
+ system_public_prop(ctl_mdnsd_prop)
+ system_public_prop(ctl_restart_prop)
+ system_public_prop(ctl_rildaemon_prop)
+ system_public_prop(ctl_sigstop_prop)
+ system_public_prop(dynamic_system_prop)
+ system_public_prop(heapprofd_enabled_prop)
+ system_public_prop(llkd_prop)
+ system_public_prop(lpdumpd_prop)
+ system_public_prop(mmc_prop)
+ system_public_prop(mock_ota_prop)
+ system_public_prop(net_dns_prop)
+ system_public_prop(overlay_prop)
+ system_public_prop(persistent_properties_ready_prop)
+ system_public_prop(safemode_prop)
+ system_public_prop(system_lmk_prop)
+ system_public_prop(system_trace_prop)
+ system_public_prop(test_boot_reason_prop)
+ system_public_prop(time_prop)
+ system_public_prop(traced_enabled_prop)
+ system_public_prop(traced_lazy_prop)
+
+ system_public_prop(config_prop)
+ system_public_prop(cppreopt_prop)
+ system_public_prop(dalvik_prop)
+ system_public_prop(debuggerd_prop)
+ system_public_prop(device_logging_prop)
+ system_public_prop(dhcp_prop)
+ system_public_prop(dumpstate_prop)
+ system_public_prop(exported3_system_prop)
+ system_public_prop(exported_dumpstate_prop)
+ system_public_prop(exported_secure_prop)
+ system_public_prop(heapprofd_prop)
+ system_public_prop(net_radio_prop)
+ system_public_prop(pan_result_prop)
+ system_public_prop(persist_debug_prop)
+ system_public_prop(shell_prop)
+ system_public_prop(test_harness_prop)
+ system_public_prop(theme_prop)
+ system_public_prop(use_memfd_prop)
+ system_public_prop(vold_prop)
+')
+
+not_compatible_property(`
+ vendor_public_prop(vendor_default_prop)
+')
+
+compatible_property_only(`
+ vendor_internal_prop(vendor_default_prop)
+')
+
+typeattribute log_prop log_property_type;
+typeattribute log_tag_prop log_property_type;
+typeattribute wifi_log_prop log_property_type;
+
+allow property_type tmpfs:filesystem associate;
+
+# core_property_type should not be used for new properties or
+# device specific properties. Properties with this attribute
+# are readable to everyone, which is overly broad and should
+# be avoided.
+# New properties should have appropriate read / write access
+# control rules written.
+
+typeattribute audio_prop core_property_type;
+typeattribute config_prop core_property_type;
+typeattribute cppreopt_prop core_property_type;
+typeattribute dalvik_prop core_property_type;
+typeattribute debuggerd_prop core_property_type;
+typeattribute debug_prop core_property_type;
+typeattribute dhcp_prop core_property_type;
+typeattribute dumpstate_prop core_property_type;
+typeattribute logd_prop core_property_type;
+typeattribute net_radio_prop core_property_type;
+typeattribute nfc_prop core_property_type;
+typeattribute ota_prop core_property_type;
+typeattribute pan_result_prop core_property_type;
+typeattribute persist_debug_prop core_property_type;
+typeattribute powerctl_prop core_property_type;
+typeattribute radio_prop core_property_type;
+typeattribute restorecon_prop core_property_type;
+typeattribute shell_prop core_property_type;
+typeattribute system_prop core_property_type;
+typeattribute usb_prop core_property_type;
+typeattribute vold_prop core_property_type;
+
diff --git a/prebuilts/api/33.0/public/racoon.te b/prebuilts/api/33.0/public/racoon.te
new file mode 100644
index 0000000..e4b299e
--- /dev/null
+++ b/prebuilts/api/33.0/public/racoon.te
@@ -0,0 +1,35 @@
+# IKE key management daemon
+type racoon, domain;
+type racoon_exec, system_file_type, exec_type, file_type;
+
+typeattribute racoon mlstrustedsubject;
+
+net_domain(racoon)
+allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
+
+binder_use(racoon)
+
+allow racoon tun_device:chr_file r_file_perms;
+allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
+allow racoon cgroup:dir { add_name create };
+allow racoon cgroup_v2:dir { add_name create };
+allow racoon kernel:system module_request;
+
+allow racoon self:key_socket create_socket_perms_no_ioctl;
+allow racoon self:tun_socket create_socket_perms_no_ioctl;
+allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+ get
+ sign
+ verify
+};
diff --git a/prebuilts/api/33.0/public/radio.te b/prebuilts/api/33.0/public/radio.te
new file mode 100644
index 0000000..e03b706
--- /dev/null
+++ b/prebuilts/api/33.0/public/radio.te
@@ -0,0 +1,36 @@
+# phone subsystem
+type radio, domain, mlstrustedsubject;
+
+net_domain(radio)
+bluetooth_domain(radio)
+binder_service(radio)
+
+# Talks to hal_telephony_server via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+allow radio radio_core_data_file:dir r_dir_perms;
+allow radio radio_core_data_file:file r_file_perms;
+
+allow radio net_data_file:dir search;
+allow radio net_data_file:file r_file_perms;
+
+add_service(radio, radio_service)
+allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
+allow radio drmserver_service:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio nfc_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
+allow radio timedetector_service:service_manager find;
+allow radio timezonedetector_service:service_manager find;
+
+# Perform HwBinder IPC.
+hwbinder_use(radio)
+hal_client_domain(radio, hal_telephony)
+
+# Used by TelephonyManager
+allow radio proc_cmdline:file r_file_perms;
diff --git a/prebuilts/api/33.0/public/recovery.te b/prebuilts/api/33.0/public/recovery.te
new file mode 100755
index 0000000..324320b
--- /dev/null
+++ b/prebuilts/api/33.0/public/recovery.te
@@ -0,0 +1,171 @@
+# recovery console (used in recovery init.rc for /sbin/recovery)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type recovery, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+ # Allow recovery to perform an update as update_engine would do.
+ typeattribute recovery update_engine_common;
+ # Recovery can use HIDL HALs in passthrough mode
+ passthrough_hal_client_domain(recovery, hal_bootctl)
+
+ # Recovery can use AIDL HALs in binder mode
+ binder_use(recovery)
+ hal_client_domain(recovery, hal_health)
+
+ allow recovery self:global_capability_class_set {
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ setuid
+ setgid
+ sys_admin
+ sys_tty_config
+ };
+
+ # Run helpers from / or /system without changing domain.
+ r_dir_file(recovery, rootfs)
+ allow recovery rootfs:file execute_no_trans;
+ allow recovery system_file:file execute_no_trans;
+ allow recovery toolbox_exec:file rx_file_perms;
+
+ # Mount filesystems.
+ allow recovery rootfs:dir mounton;
+ allow recovery tmpfs:dir mounton;
+ allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
+ allow recovery unlabeled:filesystem ~relabelto;
+ allow recovery contextmount_type:filesystem relabelto;
+
+ # We may be asked to set an SELinux label for a type not known to the
+ # currently loaded policy. Allow it.
+ allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+ allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+
+ # Get file contexts
+ allow recovery file_contexts_file:file r_file_perms;
+
+ # Write to /proc/sys/vm/drop_caches
+ allow recovery proc_drop_caches:file w_file_perms;
+
+ # Read /proc/swaps
+ allow recovery proc_swaps:file r_file_perms;
+
+ # Read kernel config through libvintf for OTA matching
+ allow recovery config_gz:file { open read getattr };
+
+ # Write to /sys/class/android_usb/android0/enable.
+ r_dir_file(recovery, sysfs_android_usb)
+ allow recovery sysfs_android_usb:file w_file_perms;
+
+ # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
+ allow recovery sysfs_devices_system_cpu:file w_file_perms;
+
+ allow recovery sysfs_batteryinfo:file r_file_perms;
+
+ # Read /sysfs/fs/ext4/features
+ r_dir_file(recovery, sysfs_fs_ext4_features)
+
+ # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
+ # control backlight brightness.
+ allow recovery sysfs_leds:dir r_dir_perms;
+ allow recovery sysfs_leds:file rw_file_perms;
+ allow recovery sysfs_leds:lnk_file read;
+
+ allow recovery kernel:system syslog_read;
+
+ # Access /dev/usb-ffs/adb/ep0
+ allow recovery functionfs:dir search;
+ allow recovery functionfs:file rw_file_perms;
+ allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
+
+ # Access to /sys/fs/selinux/policyvers for compatibility check
+ allow recovery selinuxfs:file r_file_perms;
+
+ # Required to e.g. wipe userdata/cache.
+ allow recovery device:dir r_dir_perms;
+ allow recovery block_device:dir r_dir_perms;
+ allow recovery dev_type:blk_file rw_file_perms;
+ allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
+
+ # GUI
+ allow recovery graphics_device:chr_file rw_file_perms;
+ allow recovery graphics_device:dir r_dir_perms;
+ allow recovery input_device:dir r_dir_perms;
+ allow recovery input_device:chr_file r_file_perms;
+ allow recovery tty_device:chr_file rw_file_perms;
+
+ # Create /tmp/recovery.log and execute /tmp/update_binary.
+ allow recovery tmpfs:file { create_file_perms x_file_perms };
+ allow recovery tmpfs:dir create_dir_perms;
+
+ # Manage files on /cache and /cache/recovery
+ allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+ allow recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+ # Read /sys/class/thermal/*/temp for thermal info.
+ r_dir_file(recovery, sysfs_thermal)
+
+ # Read files on /oem.
+ r_dir_file(recovery, oemfs);
+
+ # Use setfscreatecon() to label files for OTA updates.
+ allow recovery self:process setfscreate;
+
+ # Allow recovery to create a fuse filesystem, and read files from it.
+ allow recovery fuse_device:chr_file rw_file_perms;
+ allow recovery fuse:dir r_dir_perms;
+ allow recovery fuse:file r_file_perms;
+
+ wakelock_use(recovery)
+
+ # This line seems suspect, as it should not really need to
+ # set scheduling parameters for a kernel domain task.
+ allow recovery kernel:process setsched;
+
+ # These are needed to update dynamic partitions in recovery.
+ r_dir_file(recovery, sysfs_dm)
+ allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+ # Allow using libfiemap/gsid directly (no binder in recovery).
+ allow recovery gsi_metadata_file_type:dir search;
+ allow recovery ota_metadata_file:dir rw_dir_perms;
+ allow recovery ota_metadata_file:file create_file_perms;
+
+ # Allow mounting /metadata for writing update states
+ allow recovery metadata_file:dir { getattr mounton };
+
+ # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts.
+ allow recovery devpts:chr_file rw_file_perms;
+ allow recovery kmsg_device:chr_file { getattr w_file_perms };
+')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+ with_native_coverage(`-method_trace_data_file')
+}:file { no_w_file_perms no_x_file_perms };
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+ with_native_coverage(`-method_trace_data_file')
+}:dir no_w_dir_perms;
diff --git a/prebuilts/api/33.0/public/recovery_persist.te b/prebuilts/api/33.0/public/recovery_persist.te
new file mode 100644
index 0000000..d4b4562
--- /dev/null
+++ b/prebuilts/api/33.0/public/recovery_persist.te
@@ -0,0 +1,32 @@
+# android recovery persistent log manager
+type recovery_persist, domain;
+type recovery_persist_exec, system_file_type, exec_type, file_type;
+
+allow recovery_persist pstorefs:dir search;
+allow recovery_persist pstorefs:file r_file_perms;
+
+allow recovery_persist recovery_data_file:file create_file_perms;
+allow recovery_persist recovery_data_file:dir create_dir_perms;
+
+allow recovery_persist cache_file:dir search;
+allow recovery_persist cache_file:lnk_file read;
+allow recovery_persist cache_recovery_file:dir rw_dir_perms;
+allow recovery_persist cache_recovery_file:file { r_file_perms unlink };
+
+###
+### Neverallow rules
+###
+### recovery_persist should NEVER do any of this
+
+# Block device access.
+neverallow recovery_persist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_persist domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_persist system_file:dir_file_class_set write;
+
+# Write to files in /data/data
+neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+
diff --git a/prebuilts/api/33.0/public/recovery_refresh.te b/prebuilts/api/33.0/public/recovery_refresh.te
new file mode 100644
index 0000000..d6870dc
--- /dev/null
+++ b/prebuilts/api/33.0/public/recovery_refresh.te
@@ -0,0 +1,24 @@
+# android recovery refresh log manager
+type recovery_refresh, domain;
+type recovery_refresh_exec, system_file_type, exec_type, file_type;
+
+allow recovery_refresh pstorefs:dir search;
+allow recovery_refresh pstorefs:file r_file_perms;
+# NB: domain inherits write_logd which hands us write to pmsg_device
+
+###
+### Neverallow rules
+###
+### recovery_refresh should NEVER do any of this
+
+# Block device access.
+neverallow recovery_refresh dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_refresh domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_refresh system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
diff --git a/prebuilts/api/26.0/public/roles b/prebuilts/api/33.0/public/roles
similarity index 100%
rename from prebuilts/api/26.0/public/roles
rename to prebuilts/api/33.0/public/roles
diff --git a/prebuilts/api/33.0/public/rootdisk_sysdev.te b/prebuilts/api/33.0/public/rootdisk_sysdev.te
new file mode 100644
index 0000000..f92fd79
--- /dev/null
+++ b/prebuilts/api/33.0/public/rootdisk_sysdev.te
@@ -0,0 +1 @@
+allow rootdisk_sysdev sysfs:filesystem associate;
diff --git a/prebuilts/api/33.0/public/rs.te b/prebuilts/api/33.0/public/rs.te
new file mode 100644
index 0000000..16b6e96
--- /dev/null
+++ b/prebuilts/api/33.0/public/rs.te
@@ -0,0 +1,2 @@
+type rs, domain, coredomain;
+type rs_exec, system_file_type, exec_type, file_type;
diff --git a/prebuilts/api/33.0/public/rss_hwm_reset.te b/prebuilts/api/33.0/public/rss_hwm_reset.te
new file mode 100644
index 0000000..163e1ac
--- /dev/null
+++ b/prebuilts/api/33.0/public/rss_hwm_reset.te
@@ -0,0 +1,2 @@
+# rss_hwm_reset resets RSS high-water mark counters for all procesess.
+type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
diff --git a/prebuilts/api/33.0/public/runas.te b/prebuilts/api/33.0/public/runas.te
new file mode 100644
index 0000000..356a019
--- /dev/null
+++ b/prebuilts/api/33.0/public/runas.te
@@ -0,0 +1,43 @@
+type runas, domain, mlstrustedsubject;
+type runas_exec, system_file_type, exec_type, file_type;
+
+allow runas adbd:fd use;
+allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
+allow runas shell:fd use;
+allow runas shell:fifo_file { read write };
+allow runas shell:unix_stream_socket { read write };
+allow runas devpts:chr_file { read write ioctl };
+allow runas shell_data_file:file { read write };
+
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+allow runas system_data_file:lnk_file getattr;
+allow runas packages_list_file:file r_file_perms;
+
+# The app's data dir may be accessed through a symlink.
+allow runas system_data_file:lnk_file read;
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:global_capability_class_set { setuid setgid };
+
+# run-as switches to the app security context.
+selinux_check_context(runas) # validate context
+allow runas self:process setcurrent;
+allow runas non_system_app_set:process dyntransition; # setcon
+
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:global_capability_class_set ~{ setuid setgid };
+neverallow runas self:global_capability2_class_set *;
diff --git a/prebuilts/api/33.0/public/runas_app.te b/prebuilts/api/33.0/public/runas_app.te
new file mode 100644
index 0000000..cdaa799
--- /dev/null
+++ b/prebuilts/api/33.0/public/runas_app.te
@@ -0,0 +1 @@
+type runas_app, domain;
diff --git a/prebuilts/api/33.0/public/scheduler_service_server.te b/prebuilts/api/33.0/public/scheduler_service_server.te
new file mode 100644
index 0000000..b3cede1
--- /dev/null
+++ b/prebuilts/api/33.0/public/scheduler_service_server.te
@@ -0,0 +1 @@
+add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
diff --git a/prebuilts/api/33.0/public/sdcardd.te b/prebuilts/api/33.0/public/sdcardd.te
new file mode 100644
index 0000000..220e7d0
--- /dev/null
+++ b/prebuilts/api/33.0/public/sdcardd.te
@@ -0,0 +1,46 @@
+type sdcardd, domain;
+type sdcardd_exec, system_file_type, exec_type, file_type;
+
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
+allow sdcardd sdcardfs:filesystem remount;
+allow sdcardd tmpfs:dir r_dir_perms;
+allow sdcardd mnt_media_rw_file:dir r_dir_perms;
+allow sdcardd storage_file:dir search;
+allow sdcardd storage_stub_file:dir { search mounton };
+allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
+
+allow sdcardd { sdcard_type fuse }:dir create_dir_perms;
+allow sdcardd { sdcard_type fuse }:file create_file_perms;
+
+allow sdcardd media_rw_data_file:dir create_dir_perms;
+allow sdcardd media_rw_data_file:file create_file_perms;
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file r_file_perms;
+allow sdcardd packages_list_file:file r_file_perms;
+
+# Read /data/misc/installd/layout_version
+allow sdcardd install_data_file:file r_file_perms;
+allow sdcardd install_data_file:dir search;
+
+# Allow stdin/out back to vold
+allow sdcardd vold:fd use;
+allow sdcardd vold:fifo_file { read write getattr };
+
+# Allow running on top of expanded storage
+allow sdcardd mnt_expand_file:dir search;
+
+# access /proc/filesystems
+allow sdcardd proc_filesystems:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# The sdcard daemon should no longer be started from init
+neverallow init sdcardd_exec:file execute;
+neverallow init sdcardd:process { transition dyntransition };
diff --git a/prebuilts/api/33.0/public/secure_element.te b/prebuilts/api/33.0/public/secure_element.te
new file mode 100644
index 0000000..4ce6714
--- /dev/null
+++ b/prebuilts/api/33.0/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;
diff --git a/prebuilts/api/33.0/public/sensor_service_server.te b/prebuilts/api/33.0/public/sensor_service_server.te
new file mode 100644
index 0000000..7c526a5
--- /dev/null
+++ b/prebuilts/api/33.0/public/sensor_service_server.te
@@ -0,0 +1 @@
+add_hwservice(sensor_service_server, fwk_sensor_hwservice)
diff --git a/prebuilts/api/33.0/public/service.te b/prebuilts/api/33.0/public/service.te
new file mode 100644
index 0000000..e862b40
--- /dev/null
+++ b/prebuilts/api/33.0/public/service.te
@@ -0,0 +1,321 @@
+type aidl_lazy_test_service, service_manager_type;
+type apc_service, service_manager_type;
+type apex_service, service_manager_type;
+type artd_service, service_manager_type;
+type audioserver_service, service_manager_type;
+type authorization_service, service_manager_type;
+type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type bluetooth_service, service_manager_type;
+type cameraserver_service, service_manager_type;
+type default_android_service, service_manager_type;
+type dice_maintenance_service, service_manager_type;
+type dice_node_service, service_manager_type;
+type dnsresolver_service, service_manager_type;
+type drmserver_service, service_manager_type;
+type dumpstate_service, service_manager_type;
+type evsmanagerd_service, service_manager_type;
+type fingerprintd_service, service_manager_type;
+type fwk_automotive_display_service, service_manager_type;
+type gatekeeper_service, app_api_service, service_manager_type;
+type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type idmap_service, service_manager_type;
+type iorapd_service, service_manager_type;
+type incident_service, service_manager_type;
+type installd_service, service_manager_type;
+type credstore_service, app_api_service, service_manager_type;
+type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
+type keystore_service, service_manager_type;
+type legacykeystore_service, service_manager_type;
+type lpdump_service, service_manager_type;
+type mdns_service, service_manager_type;
+type mediaserver_service, service_manager_type;
+type mediametrics_service, service_manager_type;
+type mediaextractor_service, service_manager_type;
+type mediadrmserver_service, service_manager_type;
+type mediatranscoding_service, app_api_service, service_manager_type;
+type netd_service, service_manager_type;
+type nfc_service, service_manager_type;
+type radio_service, service_manager_type;
+type remotelyprovisionedkeypool_service, service_manager_type;
+type remoteprovisioning_service, service_manager_type;
+type secure_element_service, service_manager_type;
+type service_manager_service, service_manager_type;
+type storaged_service, service_manager_type;
+type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type system_app_service, service_manager_type;
+type system_suspend_control_internal_service, service_manager_type;
+type system_suspend_control_service, service_manager_type;
+type update_engine_service, service_manager_type;
+type update_engine_stable_service, service_manager_type;
+type virtualization_service, service_manager_type;
+type virtual_touchpad_service, service_manager_type;
+type vold_service, service_manager_type;
+type vr_hwc_service, service_manager_type;
+type vrflinger_vsync_service, service_manager_type;
+
+# system_server_services broken down
+type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type adb_service, system_api_service, system_server_service, service_manager_type;
+type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
+type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type app_binding_service, system_server_service, service_manager_type;
+type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type app_integrity_service, system_api_service, system_server_service, service_manager_type;
+type app_prediction_service, app_api_service, system_server_service, service_manager_type;
+type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type attestation_verification_service, app_api_service, system_server_service, service_manager_type;
+type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type auth_service, app_api_service, system_server_service, service_manager_type;
+type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type battery_service, system_server_service, service_manager_type;
+type binder_calls_stats_service, system_server_service, service_manager_type;
+type blob_store_service, app_api_service, system_server_service, service_manager_type;
+type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type broadcastradio_service, system_server_service, service_manager_type;
+type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
+type cameraproxy_service, system_server_service, service_manager_type;
+type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type cloudsearch_service, app_api_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service, system_server_service, service_manager_type;
+type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
+type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
+# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
+type coverage_service, system_server_service, service_manager_type;
+type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dataloader_manager_service, system_server_service, service_manager_type;
+type dbinfo_service, system_api_service, system_server_service, service_manager_type;
+type device_config_service, system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
+type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type devicestoragemonitor_service, system_server_service, service_manager_type;
+type diskstats_service, system_api_service, system_server_service, service_manager_type;
+type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type domain_verification_service, app_api_service, system_server_service, service_manager_type;
+type color_display_service, system_api_service, system_server_service, service_manager_type;
+type external_vibrator_service, system_server_service, service_manager_type;
+type file_integrity_service, app_api_service, system_server_service, service_manager_type;
+type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netd_listener_service, system_server_service, service_manager_type;
+type network_watchlist_service, system_server_service, service_manager_type;
+type DockObserver_service, system_server_service, service_manager_type;
+type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type lowpan_service, system_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type biometric_service, app_api_service, system_server_service, service_manager_type;
+type bugreport_service, app_api_service, system_server_service, service_manager_type;
+type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type face_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
+type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
+type gnss_time_update_service, system_server_service, service_manager_type;
+type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hardware_service, system_server_service, service_manager_type;
+type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
+type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type incremental_service, system_server_service, service_manager_type;
+type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type iris_service, app_api_service, system_server_service, service_manager_type;
+type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type locale_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type location_time_zone_manager_service, system_server_service, service_manager_type;
+type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type looper_stats_service, system_server_service, service_manager_type;
+type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type nearby_service, app_api_service, system_server_service, service_manager_type;
+type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_stack_service, system_server_service, service_manager_type;
+type network_time_update_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type oem_lock_service, system_api_service, system_server_service, service_manager_type;
+type otadexopt_service, system_server_service, service_manager_type;
+type overlay_service, system_api_service, system_server_service, service_manager_type;
+type pac_proxy_service, app_api_service, system_server_service, service_manager_type;
+type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type people_service, app_api_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type pinner_service, system_server_service, service_manager_type;
+type powerstats_service, app_api_service, system_server_service, service_manager_type;
+type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
+type recovery_service, system_server_service, service_manager_type;
+type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type resources_manager_service, system_api_service, system_server_service, service_manager_type;
+type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type role_service, app_api_service, system_server_service, service_manager_type;
+type rollback_service, app_api_service, system_server_service, service_manager_type;
+type runtime_service, system_server_service, service_manager_type;
+type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type samplingprofiler_service, system_server_service, service_manager_type;
+type scheduling_policy_service, system_server_service, service_manager_type;
+type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type search_ui_service, app_api_service, system_server_service, service_manager_type;
+type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type serial_service, system_api_service, system_server_service, service_manager_type;
+type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
+type slice_service, app_api_service, system_server_service, service_manager_type;
+type smartspace_service, app_api_service, system_server_service, service_manager_type;
+type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type;
+type system_config_service, system_api_service, system_server_service, service_manager_type;
+type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
+type system_update_service, system_server_service, service_manager_type;
+type soundtrigger_middleware_service, system_server_service, service_manager_type;
+type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type tare_service, app_api_service, system_server_service, service_manager_type;
+type task_service, system_server_service, service_manager_type;
+type testharness_service, system_server_service, service_manager_type;
+type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type timedetector_service, app_api_service, system_server_service, service_manager_type;
+type timezone_service, system_server_service, service_manager_type;
+type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
+type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_iapp_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
+type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type updatelock_service, system_api_service, system_server_service, service_manager_type;
+type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
+type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uwb_service, app_api_service, system_server_service, service_manager_type;
+type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type virtual_device_service, app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vpn_management_service, app_api_service, system_server_service, service_manager_type;
+type vr_manager_service, system_server_service, service_manager_type;
+type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type wallpaper_effects_generation_service, app_api_service, system_server_service, service_manager_type;
+type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type wifip2p_service, app_api_service, system_server_service, service_manager_type;
+type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
+type wifi_service, app_api_service, system_server_service, service_manager_type;
+type wifinl80211_service, service_manager_type;
+type wifiaware_service, app_api_service, system_server_service, service_manager_type;
+type window_service, system_api_service, system_server_service, service_manager_type;
+type inputflinger_service, system_api_service, system_server_service, service_manager_type;
+type wpantund_service, system_api_service, service_manager_type;
+type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type emergency_affordance_service, system_server_service, service_manager_type;
+
+###
+### HAL Services
+###
+
+type hal_audio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_audiocontrol_service, vendor_service, hal_service_type, service_manager_type;
+type hal_authsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_camera_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_contexthub_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_dice_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_drm_service, vendor_service, hal_service_type, service_manager_type;
+type hal_dumpstate_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_evs_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_face_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_fingerprint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_gnss_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_graphics_allocator_service, vendor_service, hal_service_type, service_manager_type;
+type hal_graphics_composer_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_storage_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_identity_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_input_processor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_ir_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_keymint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_light_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_memtrack_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_neuralnetworks_service, vendor_service, hal_service_type, service_manager_type;
+type hal_nfc_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_oemlock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_stats_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_radio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_rebootescrow_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_sensors_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_secureclock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_sharedsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_tuner_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_usb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_uwb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_vehicle_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_vibrator_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_weaver_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_nlinterceptor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_hostapd_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_supplicant_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+
+###
+### Neverallow rules
+###
+
+# servicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a service.
+# Trigger a compile error if this occurs.
+neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
diff --git a/prebuilts/api/33.0/public/servicemanager.te b/prebuilts/api/33.0/public/servicemanager.te
new file mode 100644
index 0000000..a812338
--- /dev/null
+++ b/prebuilts/api/33.0/public/servicemanager.te
@@ -0,0 +1,40 @@
+# servicemanager - the Binder context manager
+type servicemanager, domain, mlstrustedsubject;
+type servicemanager_exec, system_file_type, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+ domain
+ -init
+ -vendor_init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
+# nonplat_service_contexts only accessible on non full-treble devices
+not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')
+
+add_service(servicemanager, service_manager_service)
+allow servicemanager dumpstate:fd use;
+allow servicemanager dumpstate:fifo_file write;
+
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
+
+recovery_only(`
+ # In recovery, log to kmsg.
+ allow servicemanager kmsg_device:chr_file rw_file_perms;
+
+ # Read VINTF files.
+ r_dir_file(servicemanager, rootfs)
+')
diff --git a/prebuilts/api/33.0/public/sgdisk.te b/prebuilts/api/33.0/public/sgdisk.te
new file mode 100644
index 0000000..e5a9152
--- /dev/null
+++ b/prebuilts/api/33.0/public/sgdisk.te
@@ -0,0 +1,36 @@
+# sgdisk called from vold
+type sgdisk, domain;
+type sgdisk_exec, system_file_type, exec_type, file_type;
+
+# Allowed to read/write low-level partition tables
+allow sgdisk block_device:dir search;
+allow sgdisk vold_device:blk_file rw_file_perms;
+# HDIO_GETGEO needed to get the number of disk heads
+# on vold_device. How quaint.
+allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
+# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
+# is granted to all block device users in domain.te, so
+# no need to mention it here. sgdisk should not be
+# using the BLKGETSIZE ioctl as it is useless for devices over
+# 2T in size, but we allow it for now and hope that sgdisk
+# will fix their bug.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
+# Force a re-read of the partition table.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
+# Allow reading of the physical block size.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
+
+# Inherit and use pty created by android_fork_execvp()
+allow sgdisk devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow sgdisk vold:fd use;
+allow sgdisk vold:fifo_file { read write getattr };
+
+# Used to probe kernel to reload partition tables
+allow sgdisk self:global_capability_class_set sys_admin;
+
+# Only allow entry from vold
+neverallow { domain -vold } sgdisk:process transition;
+neverallow * sgdisk:process dyntransition;
+neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/prebuilts/api/33.0/public/shared_relro.te b/prebuilts/api/33.0/public/shared_relro.te
new file mode 100644
index 0000000..6dd5bd7
--- /dev/null
+++ b/prebuilts/api/33.0/public/shared_relro.te
@@ -0,0 +1,2 @@
+# Process which creates/updates shared RELRO files to be used by other apps.
+type shared_relro, domain;
diff --git a/prebuilts/api/33.0/public/shell.te b/prebuilts/api/33.0/public/shell.te
new file mode 100644
index 0000000..4175c86
--- /dev/null
+++ b/prebuilts/api/33.0/public/shell.te
@@ -0,0 +1,230 @@
+# Domain for shell processes spawned by ADB or console service.
+type shell, domain, mlstrustedsubject;
+type shell_exec, system_file_type, exec_type, file_type;
+
+# Create and use network sockets.
+net_domain(shell)
+
+# logcat
+read_logd(shell)
+control_logd(shell)
+get_prop(shell, logd_prop)
+# logcat -L (directly, or via dumpstate)
+allow shell pstorefs:dir search;
+allow shell pstorefs:file r_file_perms;
+
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
+# read files in /data/anr
+allow shell anr_data_file:dir r_dir_perms;
+allow shell anr_data_file:file r_file_perms;
+
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
+
+# Access /data/local/tests.
+allow shell shell_test_data_file:dir create_dir_perms;
+allow shell shell_test_data_file:file create_file_perms;
+allow shell shell_test_data_file:file rx_file_perms;
+allow shell shell_test_data_file:lnk_file create_file_perms;
+allow shell shell_test_data_file:sock_file create_file_perms;
+
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
+
+# Access /data/misc/profman.
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
+
+# Read/execute files in /data/nativetest
+userdebug_or_eng(`
+ allow shell nativetest_data_file:dir r_dir_perms;
+ allow shell nativetest_data_file:file rx_file_perms;
+')
+
+# adb bugreport
+unix_socket_connect(shell, dumpstate, dumpstate)
+
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+
+allow shell input_device:dir r_dir_perms;
+allow shell input_device:chr_file r_file_perms;
+
+r_dir_file(shell, system_file)
+allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
+allow shell tzdatacheck_exec:file rx_file_perms;
+allow shell shell_exec:file rx_file_perms;
+allow shell zygote_exec:file rx_file_perms;
+
+r_dir_file(shell, apk_data_file)
+
+userdebug_or_eng(`
+ # "systrace --boot" support - allow boottrace service to run
+ allow shell boottrace_data_file:dir rw_dir_perms;
+ allow shell boottrace_data_file:file create_file_perms;
+')
+
+# allow shell access to services
+allow shell servicemanager:service_manager list;
+# don't allow shell to access GateKeeper service
+# TODO: why is this so broad? Tightening candidate? It needs at list:
+# - dumpstate_service (so it can receive dumpstate progress updates)
+allow shell {
+ service_manager_type
+ -apex_service
+ -dnsresolver_service
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -iorapd_service
+ -mdns_service
+ -netd_service
+ -system_suspend_control_internal_service
+ -system_suspend_control_service
+ -virtual_touchpad_service
+ -vold_service
+ -default_android_service
+}:service_manager find;
+allow shell dumpstate:binder call;
+
+# allow shell to get information from hwservicemanager
+# for instance, listing hardware services with lshal
+hwbinder_use(shell)
+allow shell hwservicemanager:hwservice_manager list;
+
+# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
+r_dir_file(shell, proc_net_type)
+
+allow shell {
+ proc_asound
+ proc_filesystems
+ proc_interrupts
+ proc_loadavg # b/124024827
+ proc_meminfo
+ proc_modules
+ proc_pid_max
+ proc_slabinfo
+ proc_stat
+ proc_timer
+ proc_uptime
+ proc_version
+ proc_vmstat
+ proc_zoneinfo
+}:file r_file_perms;
+
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
+r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow shell selinuxfs:dir r_dir_perms;
+allow shell selinuxfs:file r_file_perms;
+
+# enable shell domain to read/write files/dirs for bootchart data
+# User will creates the start and stop file via adb shell
+# and read other files created by init process under /data/bootchart
+allow shell bootchart_data_file:dir rw_dir_perms;
+allow shell bootchart_data_file:file create_file_perms;
+
+# Make sure strace works for the non-privileged shell user
+allow shell self:process ptrace;
+
+# allow shell to get battery info
+allow shell sysfs:dir r_dir_perms;
+allow shell sysfs_batteryinfo:dir r_dir_perms;
+allow shell sysfs_batteryinfo:file r_file_perms;
+
+# Allow access to ion memory allocation device.
+allow shell ion_device:chr_file rw_file_perms;
+
+#
+# filesystem test for insecure chr_file's is done
+# via a host side test
+#
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
+# Allow shell to start up vendor shell
+allow shell vendor_shell_exec:file rx_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. Allow shell to
+# execute them.
+recovery_only(`
+ allow shell rootfs:file rx_file_perms;
+')
+
+###
+### Neverallow rules
+###
+
+# Do not allow shell to hard link to any files.
+# In particular, if shell hard links to app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure the shell user never has this
+# capability.
+neverallow shell file_type:file link;
+
+# Do not allow privileged socket ioctl commands
+neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
+# limit shell access to sensitive char drivers to
+# only getattr required for host side test.
+neverallow shell {
+ fuse_device
+ hw_random_device
+ port_device
+}:chr_file ~getattr;
+
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;
+
+# b/30861057: Shell access to existing input devices is an abuse
+# vector. The shell user can inject events that look like they
+# originate from the touchscreen etc.
+# Everyone should have already moved to UiAutomation#injectInputEvent
+# if they are running instrumentation tests (i.e. CTS), Monkey for
+# their stress tests, and the input command (adb shell input ...) for
+# injecting swipes and things.
+neverallow shell input_device:chr_file no_w_file_perms;
diff --git a/prebuilts/api/33.0/public/simpleperf.te b/prebuilts/api/33.0/public/simpleperf.te
new file mode 100644
index 0000000..218fee7
--- /dev/null
+++ b/prebuilts/api/33.0/public/simpleperf.te
@@ -0,0 +1 @@
+type simpleperf, domain;
diff --git a/prebuilts/api/33.0/public/simpleperf_app_runner.te b/prebuilts/api/33.0/public/simpleperf_app_runner.te
new file mode 100644
index 0000000..3719d9f
--- /dev/null
+++ b/prebuilts/api/33.0/public/simpleperf_app_runner.te
@@ -0,0 +1,2 @@
+type simpleperf_app_runner, domain, mlstrustedsubject;
+type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
diff --git a/prebuilts/api/33.0/public/slideshow.te b/prebuilts/api/33.0/public/slideshow.te
new file mode 100644
index 0000000..10fbbb8
--- /dev/null
+++ b/prebuilts/api/33.0/public/slideshow.te
@@ -0,0 +1,14 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+allow slideshow kmsg_device:chr_file rw_file_perms;
+wakelock_use(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:global_capability_class_set sys_tty_config;
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+
diff --git a/prebuilts/api/33.0/public/stats_service_server.te b/prebuilts/api/33.0/public/stats_service_server.te
new file mode 100644
index 0000000..ab8e58a
--- /dev/null
+++ b/prebuilts/api/33.0/public/stats_service_server.te
@@ -0,0 +1,4 @@
+add_hwservice(stats_service_server, fwk_stats_hwservice)
+add_service(stats_service_server, fwk_stats_service)
+
+binder_use(stats_service_server)
diff --git a/prebuilts/api/33.0/public/statsd.te b/prebuilts/api/33.0/public/statsd.te
new file mode 100644
index 0000000..1a09586
--- /dev/null
+++ b/prebuilts/api/33.0/public/statsd.te
@@ -0,0 +1,85 @@
+type statsd, domain, mlstrustedsubject;
+
+type statsd_exec, system_file_type, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow statsd su:fifo_file read;
+')
+
+# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, incidentd)
+binder_call(statsd, system_server)
+
+# Allow statsd to interact with gpuservice
+allow statsd gpu_service:service_manager find;
+binder_call(statsd, gpuservice)
+
+# Allow statsd to interact with keystore to pull atoms
+allow statsd keystore_service:service_manager find;
+binder_call(statsd, keystore)
+
+# Allow statsd to interact with mediametrics
+allow statsd mediametrics_service:service_manager find;
+binder_call(statsd, mediametrics)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ app_api_service
+ incident_service
+ system_api_service
+}:service_manager find;
+
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
+# Allow statsd to send dump info to dumpstate
+allow statsd dumpstate:fd use;
+allow statsd dumpstate:fifo_file { getattr write };
+
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_health)
+hal_client_domain(statsd, hal_power)
+hal_client_domain(statsd, hal_power_stats)
+hal_client_domain(statsd, hal_thermal)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read write };
+
+unix_socket_send(statsd, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
diff --git a/prebuilts/api/33.0/public/su.te b/prebuilts/api/33.0/public/su.te
new file mode 100644
index 0000000..8328140
--- /dev/null
+++ b/prebuilts/api/33.0/public/su.te
@@ -0,0 +1,109 @@
+# Domain used for su processes, as well as for adbd and adb shell
+# after performing an adb root command.
+
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type su, domain;
+
+# File types must be defined for file_contexts.
+type su_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ typeattribute su mlstrustedsubject;
+
+ # Add su to various domains
+ net_domain(su)
+
+ # grant su access to vndbinder
+ vndbinder_use(su)
+
+ dontaudit su self:capability_class_set *;
+ dontaudit su self:capability2 *;
+ dontaudit su kernel:security *;
+ dontaudit su { kernel file_type }:system *;
+ dontaudit su self:memprotect *;
+ dontaudit su domain:anon_inode *;
+ dontaudit su domain:{ process process2 } *;
+ dontaudit su domain:fd *;
+ dontaudit su domain:dir *;
+ dontaudit su domain:lnk_file *;
+ dontaudit su domain:{ fifo_file file } *;
+ dontaudit su domain:socket_class_set *;
+ dontaudit su domain:ipc_class_set *;
+ dontaudit su domain:key *;
+ dontaudit su fs_type:filesystem *;
+ dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+ dontaudit su node_type:node *;
+ dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+ dontaudit su netif_type:netif *;
+ dontaudit su port_type:socket_class_set *;
+ dontaudit su port_type:{ tcp_socket dccp_socket } *;
+ dontaudit su domain:peer *;
+ dontaudit su domain:binder *;
+ dontaudit su property_type:property_service *;
+ dontaudit su property_type:file *;
+ dontaudit su service_manager_type:service_manager *;
+ dontaudit su hwservice_manager_type:hwservice_manager *;
+ dontaudit su vndservice_manager_type:service_manager *;
+ dontaudit su servicemanager:service_manager list;
+ dontaudit su hwservicemanager:hwservice_manager list;
+ dontaudit su vndservicemanager:service_manager list;
+ dontaudit su keystore:keystore_key *;
+ dontaudit su keystore:keystore2 *;
+ dontaudit su domain:drmservice *;
+ dontaudit su unlabeled:filesystem *;
+ dontaudit su postinstall_file:filesystem *;
+ dontaudit su domain:bpf *;
+ dontaudit su unlabeled:vsock_socket *;
+ dontaudit su self:perf_event *;
+
+ # VTS tests run in the permissive su domain on debug builds, but the HALs
+ # being tested run in enforcing mode. Because hal_foo_server is enforcing
+ # su needs to be declared as hal_foo_client to grant hal_foo_server
+ # permission to interact with it.
+ typeattribute su halclientdomain;
+ typeattribute su hal_allocator_client;
+ typeattribute su hal_atrace_client;
+ typeattribute su hal_audio_client;
+ typeattribute su hal_authsecret_client;
+ typeattribute su hal_bluetooth_client;
+ typeattribute su hal_bootctl_client;
+ typeattribute su hal_camera_client;
+ typeattribute su hal_configstore_client;
+ typeattribute su hal_confirmationui_client;
+ typeattribute su hal_contexthub_client;
+ typeattribute su hal_drm_client;
+ typeattribute su hal_cas_client;
+ typeattribute su hal_dumpstate_client;
+ typeattribute su hal_fingerprint_client;
+ typeattribute su hal_gatekeeper_client;
+ typeattribute su hal_gnss_client;
+ typeattribute su hal_graphics_allocator_client;
+ typeattribute su hal_graphics_composer_client;
+ typeattribute su hal_health_client;
+ typeattribute su hal_input_classifier_client;
+ typeattribute su hal_ir_client;
+ typeattribute su hal_keymaster_client;
+ typeattribute su hal_light_client;
+ typeattribute su hal_memtrack_client;
+ typeattribute su hal_neuralnetworks_client;
+ typeattribute su hal_nfc_client;
+ typeattribute su hal_oemlock_client;
+ typeattribute su hal_power_client;
+ typeattribute su hal_rebootescrow_client;
+ typeattribute su hal_secure_element_client;
+ typeattribute su hal_sensors_client;
+ typeattribute su hal_telephony_client;
+ typeattribute su hal_tetheroffload_client;
+ typeattribute su hal_thermal_client;
+ typeattribute su hal_tv_cec_client;
+ typeattribute su hal_tv_input_client;
+ typeattribute su hal_tv_tuner_client;
+ typeattribute su hal_usb_client;
+ typeattribute su hal_vibrator_client;
+ typeattribute su hal_vr_client;
+ typeattribute su hal_weaver_client;
+ typeattribute su hal_wifi_client;
+ typeattribute su hal_wifi_hostapd_client;
+ typeattribute su hal_wifi_supplicant_client;
+')
diff --git a/prebuilts/api/33.0/public/surfaceflinger.te b/prebuilts/api/33.0/public/surfaceflinger.te
new file mode 100644
index 0000000..c1e4844
--- /dev/null
+++ b/prebuilts/api/33.0/public/surfaceflinger.te
@@ -0,0 +1,3 @@
+# surfaceflinger - display compositor service
+type surfaceflinger, domain;
+type surfaceflinger_tmpfs, file_type;
diff --git a/prebuilts/api/26.0/public/system_app.te b/prebuilts/api/33.0/public/system_app.te
similarity index 100%
rename from prebuilts/api/26.0/public/system_app.te
rename to prebuilts/api/33.0/public/system_app.te
diff --git a/prebuilts/api/33.0/public/system_server.te b/prebuilts/api/33.0/public/system_server.te
new file mode 100644
index 0000000..cb7f288
--- /dev/null
+++ b/prebuilts/api/33.0/public/system_server.te
@@ -0,0 +1,18 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system_server, domain;
+type system_server_tmpfs, file_type, mlstrustedobject;
+
+# Power controls for debugging/diagnostics
+get_prop(system_server, power_debug_prop)
+set_prop(system_server, power_debug_prop)
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -system_server
+ -shell
+} power_debug_prop:property_service set;
diff --git a/prebuilts/api/33.0/public/system_suspend_internal_server.te b/prebuilts/api/33.0/public/system_suspend_internal_server.te
new file mode 100644
index 0000000..67bff77
--- /dev/null
+++ b/prebuilts/api/33.0/public/system_suspend_internal_server.te
@@ -0,0 +1,11 @@
+# To serve ISuspendControlServiceInternal.
+add_service(system_suspend_internal_server, system_suspend_control_internal_service)
+
+neverallow {
+ domain
+ -atrace # tracing
+ -dumpstate # bug reports
+ -system_suspend_internal_server # implements system_suspend_control_internal_service
+ -system_server # configures system_suspend via ISuspendControlServiceInternal
+ -traceur_app # tracing
+} system_suspend_control_internal_service:service_manager find;
diff --git a/prebuilts/api/33.0/public/system_suspend_server.te b/prebuilts/api/33.0/public/system_suspend_server.te
new file mode 100644
index 0000000..8e8310d
--- /dev/null
+++ b/prebuilts/api/33.0/public/system_suspend_server.te
@@ -0,0 +1,6 @@
+# Required to export a HIDL interface.
+hwbinder_use(system_suspend_server)
+get_prop(system_suspend_server, hwservicemanager_prop)
+
+# To serve ISystemSuspend.hal.
+add_hwservice(system_suspend_server, system_suspend_hwservice)
diff --git a/prebuilts/api/33.0/public/te_macros b/prebuilts/api/33.0/public/te_macros
new file mode 100644
index 0000000..58d04b4
--- /dev/null
+++ b/prebuilts/api/33.0/public/te_macros
@@ -0,0 +1,1037 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute map };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint open read execute getattr map };
+# New domain can send SIGCHLD to its caller.
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
+define(`tmpfs_domain', `
+type_transition $1 tmpfs:file $1_tmpfs;
+allow $1 $1_tmpfs:file { read write getattr map };
+')
+
+# pdx macros for IPC. pdx is a high-level name which contains transport-specific
+# rules from underlying transport (e.g. UDS-based implementation).
+
+#####################################
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
+')
+
+#####################################
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+userdebug_or_eng(`
+dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
+dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
+')
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
+# Servers may receive sync fences, gralloc buffers, etc, from clients.
+# This could be tightened on a per-server basis, but keeping track of service
+# clients is error prone.
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+')
+
+####################################
+# userfaultfd_use(domain)
+# Allow domain to create/use userfaultfd.
+define(`userfaultfd_use', `
+# Set up a type_transition to "userfaultfd" named anonymous inode object.
+type $1_userfaultfd;
+type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
+# Allow domain to create/use userfaultfd anon_inode.
+allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Suppress errors generate during bugreport
+dontaudit su $1_userfaultfd:anon_inode *;
+# Other domains may not use userfaultfd anon_inodes created by this domain.
+neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
+# This domain may not use userfaultfd anon_inodes created by other domains.
+neverallow $1 ~$1_userfaultfd:anon_inode *;
+')
+
+####################################
+# virtualizationservice_use(domain)
+# Allow domain to create and communicate with a virtual machine using
+# virtualizationservice.
+define(`virtualizationservice_use', `
+allow $1 virtualization_service:service_manager find;
+# Let the client call virtualizationservice.
+binder_call($1, virtualizationservice)
+# Let virtualizationservice call back to the client.
+binder_call(virtualizationservice, $1)
+# Let the client pass file descriptors to virtualizationservice and on
+# to crosvm
+allow { virtualizationservice crosvm } $1:fd use;
+# Allow piping console log to the client
+allow { virtualizationservice crosvm } $1:fifo_file write;
+# Allow client to read/write vsock created by virtualizationservice to
+# communicate with the VM that it created. Notice that we do not grant
+# permission to create a vsock; the client can only connect to VMs
+# that it owns.
+allow $1 virtualizationservice:vsock_socket { getattr read write };
+# Allow client to inspect hypervisor capabilities
+get_prop($1, hypervisor_prop)
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label tmpfs objects for all apps.
+type_transition $1 tmpfs:file appdomain_tmpfs;
+userfaultfd_use($1)
+allow $1 appdomain_tmpfs:file { execute getattr map read write };
+neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components to
+# apps. crash_dump is excluded, as it needs ptrace access to produce stack
+# traces. runas_app is excluded, as it operates only on debuggable apps.
+# simpleperf is excluded, as it operates only on debuggable or profileable
+# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
+# live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
+')
+
+#####################################
+# untrusted_app_domain(domain)
+# Allow a base set of permissions required for all untrusted apps.
+define(`untrusted_app_domain', `
+typeattribute $1 untrusted_app_all;
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# hal_attribute(hal_name)
+# Add an attribute for hal implementations along with necessary
+# restrictions.
+define(`hal_attribute', `
+attribute hal_$1;
+expandattribute hal_$1 true;
+attribute hal_$1_client;
+expandattribute hal_$1_client true;
+attribute hal_$1_server;
+expandattribute hal_$1_server false;
+
+neverallow { hal_$1_server -halserverdomain } domain:process fork;
+# hal_*_client and halclientdomain attributes are always expanded for
+# performance reasons. Neverallow rules targeting expanded attributes can not be
+# verified by CTS since these attributes are already expanded by that time.
+build_test_only(`
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
+')
+')
+
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+# type hal_foo_default, domain;
+# hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+# hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+')
+
+#####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+# passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
+define(`unix_socket_connect', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+get_prop($1, $2)
+')
+
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file { getattr open read map };
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
+# Allow servicemanager to send out callbacks
+allow servicemanager $1:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# hwbinder_use(domain)
+# Allow domain to use HwBinder IPC.
+define(`hwbinder_use', `
+# Call the hwservicemanager and transfer references to it.
+allow $1 hwservicemanager:binder { call transfer };
+# Allow hwservicemanager to send out callbacks
+allow hwservicemanager $1:binder { call transfer };
+# hwservicemanager performs getpidcon on clients.
+allow hwservicemanager $1:dir search;
+allow hwservicemanager $1:file { read open map };
+allow hwservicemanager $1:process getattr;
+# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open map };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
+# deprecated.
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:global_capability2_class_set block_suspend;
+# system_suspend permissions
+binder_call($1, system_suspend_server)
+allow $1 system_suspend_hwservice:hwservice_manager find;
+# halclientdomain permissions
+hwbinder_use($1)
+get_prop($1, hwservicemanager_prop)
+allow $1 hidl_manager_hwservice:hwservice_manager find;
+# AIDL suspend hal permissions
+allow $1 hal_system_suspend_service:service_manager find;
+binder_use($1)
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
+
+#####################################
+# Non system_app application set
+#
+define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Recovery only
+# SELinux rules which apply only to recovery mode
+#
+define(`recovery_only', ifelse(target_recovery, `true', $1, ))
+
+#####################################
+# Not recovery
+# SELinux rules which apply only to non-recovery (normal) mode
+#
+define(`not_recovery', ifelse(target_recovery, `true', , $1))
+
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
+#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
+#####################################
+# Compatible property only
+# SELinux rules which apply only to devices with compatible property
+#
+define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
+ifelse(target_compatible_property, `cts',
+# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not compatible property
+# SELinux rules which apply only to devices without compatible property
+#
+define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+
+#####################################
+# asan builds
+# SELinux rules which apply only to asan builds
+#
+define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# Build-time-only test
+# SELinux rules which are verified during build, but not as part of *TS testing.
+#
+define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
+
+####################################
+# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
+#
+define(`crash_dump_fallback', `
+userdebug_or_eng(`
+ allow $1 su:fifo_file append;
+')
+allow $1 anr_data_file:file append;
+allow $1 dumpstate:fd use;
+allow $1 incidentd:fd use;
+# TODO: Figure out why write is needed.
+allow $1 dumpstate:fifo_file { append write };
+allow $1 incidentd:fifo_file { append write };
+allow $1 system_server:fifo_file { append write };
+allow $1 tombstoned:unix_stream_socket connectto;
+allow $1 tombstoned:fd use;
+allow $1 tombstoned_crash_socket:sock_file write;
+allow $1 tombstone_data_file:file append;
+')
+
+#####################################
+# WITH_DEXPREOPT builds
+# SELinux rules which apply only when pre-opting.
+#
+define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+unix_socket_send($1, logdw, logd)
+allow $1 pmsg_device:chr_file w_file_perms;
+')
+
+#####################################
+# read_logd(domain)
+# Ability to run logcat and read from android
+# log daemon via sockets
+define(`read_logd', `
+allow $1 logcat_exec:file rx_file_perms;
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# read_runtime_log_tags(domain)
+# ability to directly map the runtime event log tags
+define(`read_runtime_log_tags', `
+allow $1 runtime_event_log_tags_file:file r_file_perms;
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+ allow keystore $1:dir search;
+ allow keystore $1:file { read open };
+ allow keystore $1:process getattr;
+ allow $1 apc_service:service_manager find;
+ allow $1 keystore_service:service_manager find;
+ allow $1 legacykeystore_service:service_manager find;
+ binder_call($1, keystore)
+ binder_call(keystore, $1)
+')
+
+#####################################
+# use_credstore(domain)
+# Ability to use credstore.
+define(`use_credstore', `
+ allow credstore $1:dir search;
+ allow credstore $1:file { read open };
+ allow credstore $1:process getattr;
+ allow $1 credstore_service:service_manager find;
+ binder_call($1, credstore)
+ binder_call(credstore, $1)
+')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+ allow drmserver $1:dir search;
+ allow drmserver $1:file { read open };
+ allow drmserver $1:process getattr;
+')
+
+###########################################
+# add_service(domain, service)
+# Ability for domain to add a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_service', `
+ allow $1 $2:service_manager { add find };
+ neverallow { domain -$1 } $2:service_manager add;
+
+ # On debug builds with root, allow binder services to use binder over TCP.
+ # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
+ userdebug_or_eng(`
+ allow $1 su:tcp_socket { accept getopt read write };
+ ')
+')
+
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+ allow $1 $2:hwservice_manager { add find };
+ allow $1 hidl_base_hwservice:hwservice_manager add;
+ neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
+###########################################
+# hal_attribute_hwservice(attribute, service)
+# Ability for domain to get a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_hwservice
+define(`hal_attribute_hwservice', `
+ allow $1_client $2:hwservice_manager find;
+ add_hwservice($1_server, $2)
+
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
+ neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
+ ')
+')
+
+###########################################
+# hal_attribute_service(attribute, service)
+# Ability for domain to get a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_service
+define(`hal_attribute_service', `
+ allow $1_client $2:service_manager find;
+ add_service($1_server, $2)
+
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
+ neverallow {
+ domain
+ -$1_client
+ -$1_server
+ # some services are allowed to find all services
+ -atrace
+ -dumpstate
+ -shell
+ -system_app
+ -traceur_app
+ } $2:service_manager find;
+ ')
+')
+
+###################################
+# can_profile_heap(domain)
+# Allow processes within the domain to have their heap profiled by central
+# heapprofd.
+define(`can_profile_heap', `
+ # Allow central daemon to send signal for client initialization.
+ allow heapprofd $1:process signal;
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, heapprofd, heapprofd)
+ # Allow daemon to use the passed fds.
+ allow heapprofd $1:fd use;
+ # Allow to read and write to heapprofd shmem.
+ # The client needs to read the read and write pointers in order to write.
+ allow $1 heapprofd_tmpfs:file { read write getattr map };
+ # Use shared memory received over the unix socket.
+ allow $1 heapprofd:fd use;
+
+ # To read and write from the received file descriptors.
+ # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+ # process they relate to.
+ # We need to write to /proc/$PID/page_idle to find idle allocations.
+ # The client only opens /proc/self/page_idle with RDWR, everything else
+ # with RDONLY.
+ # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+ # sys_ptrace.
+ allow heapprofd $1:file rw_file_perms;
+ # Allow searching the /proc/[pid] directory for cmdline.
+ allow heapprofd $1:dir r_dir_perms;
+')
+
+###################################
+# never_profile_heap(domain)
+# Opt out of heap profiling by heapprofd.
+define(`never_profile_heap', `
+ neverallow heapprofd $1:file read;
+ neverallow heapprofd $1:process signal;
+')
+
+###################################
+# can_profile_perf(domain)
+# Allow processes within the domain to be profiled, and have their stacks
+# sampled, by traced_perf.
+define(`can_profile_perf', `
+ # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
+ # reads /proc/[pid]/cmdline.
+ allow traced_perf $1:file r_file_perms;
+ allow traced_perf $1:dir r_dir_perms;
+
+ # Allow central daemon to send signal to request /proc/[pid]/maps and
+ # /proc/[pid]/mem fds from this process.
+ allow traced_perf $1:process signal;
+
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, traced_perf, traced_perf)
+ # Allow daemon to use the passed fds.
+ allow traced_perf $1:fd use;
+')
+
+###################################
+# never_profile_perf(domain)
+# Opt out of profiling by traced_perf.
+define(`never_profile_perf', `
+ neverallow traced_perf $1:file read;
+ neverallow traced_perf $1:process signal;
+')
+
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+# When applying this macro, you might need to also allow traced to use the
+# producer tmpfs domain, if the producer will be the one creating the shared
+# memory.
+define(`perfetto_producer', `
+ allow $1 traced:fd use;
+ allow $1 traced_tmpfs:file { read write getattr map };
+ unix_socket_connect($1, traced_producer, traced)
+
+ # Also allow the service to use the producer file descriptors. This is
+ # necessary when the producer is creating the shared memory, as it will be
+ # passed to the service as a file descriptor (obtained from memfd_create).
+ allow traced $1:fd use;
+')
+
+###########################################
+# dump_hal(hal_type)
+# Ability to dump the hal debug info
+#
+define(`dump_hal', `
+ hal_client_domain(dumpstate, $1);
+ allow $1_server dumpstate:fifo_file write;
+ allow $1_server dumpstate:fd use;
+')
+
+#####################################
+# treble_sysprop_neverallow(rules)
+# SELinux neverallow rules which enforces the accessibility of each property
+# outside the owner.
+#
+# For devices launching with R or later, exported properties must be explicitly marked as
+# "restricted" or "public", depending on the accessibility outside the owner.
+# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these rules only for devices launching with R or later.
+#
+# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
+#
+define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
+ifelse(target_treble_sysprop_neverallow, `cts',
+# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# enforce_sysprop_owner(rules)
+# SELinux neverallow rules which enforces the owner of each property.
+#
+# For devices launching with S or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these ules only for devices launching with S or later.
+#
+define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
+ifelse(target_enforce_sysprop_owner, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+###########################################
+# define_prop(name, owner, scope)
+# Define a property with given owner and scope
+#
+define(`define_prop', `
+ type $1, property_type, $2_property_type, $2_$3_property_type;
+')
+
+###########################################
+# system_internal_prop(name)
+# Define a /system-owned property used only in /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_internal_prop', `
+ define_prop($1, system, internal)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# system_restricted_prop(name)
+# Define a /system-owned property which can't be written outside /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_restricted_prop', `
+ define_prop($1, system, restricted)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:property_service set;
+ ')
+')
+
+###########################################
+# system_public_prop(name)
+# Define a /system-owned property with no restrictions
+#
+define(`system_public_prop', `define_prop($1, system, public)')
+
+###########################################
+# system_vendor_config_prop(name)
+# Define a /system-owned property which can only be written by vendor_init
+# This is a macro for vendor-specific configuration properties which is meant
+# to be set once from vendor_init.
+#
+define(`system_vendor_config_prop', `
+ system_public_prop($1)
+ set_prop(vendor_init, $1)
+ neverallow { domain -init -vendor_init } $1:property_service set;
+')
+
+###########################################
+# product_internal_prop(name)
+# Define a /product-owned property used only in /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_internal_prop', `
+ define_prop($1, product, internal)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# product_restricted_prop(name)
+# Define a /product-owned property which can't be written outside /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_restricted_prop', `
+ define_prop($1, product, restricted)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:property_service set;
+ ')
+')
+
+###########################################
+# product_public_prop(name)
+# Define a /product-owned property with no restrictions
+#
+define(`product_public_prop', `define_prop($1, product, public)')
+
+###########################################
+# vendor_internal_prop(name)
+# Define a /vendor-owned property used only in /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_internal_prop', `
+ define_prop($1, vendor, internal)
+ treble_sysprop_neverallow(`
+# init and dumpstate are in coredomain, but should be able to read all props.
+ neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# vendor_restricted_prop(name)
+# Define a /vendor-owned property which can't be written outside /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_restricted_prop', `
+ define_prop($1, vendor, restricted)
+ treble_sysprop_neverallow(`
+# init is in coredomain, but should be able to write all props.
+ neverallow { coredomain -init } $1:property_service set;
+ ')
+')
+
+###########################################
+# vendor_public_prop(name)
+# Define a /vendor-owned property with no restrictions
+#
+define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+ allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+ allow $1 gsi_public_metadata_file:file r_file_perms;
+ allow $1 { proc_bootconfig proc_cmdline }:file r_file_perms;
+')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
diff --git a/prebuilts/api/33.0/public/tee.te b/prebuilts/api/33.0/public/tee.te
new file mode 100644
index 0000000..0f9b32d
--- /dev/null
+++ b/prebuilts/api/33.0/public/tee.te
@@ -0,0 +1,11 @@
+##
+# trusted execution environment (tee) daemon
+#
+type tee, domain;
+
+# Device(s) for communicating with the TEE
+type tee_device, dev_type;
+
+allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
+allow tee fingerprint_vendor_data_file:file create_file_perms;
+
diff --git a/prebuilts/api/33.0/public/tombstoned.te b/prebuilts/api/33.0/public/tombstoned.te
new file mode 100644
index 0000000..ea2abbb
--- /dev/null
+++ b/prebuilts/api/33.0/public/tombstoned.te
@@ -0,0 +1,17 @@
+# debugger interface
+type tombstoned, domain, mlstrustedsubject;
+type tombstoned_exec, system_file_type, exec_type, file_type;
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { append create getattr open link unlink };
diff --git a/prebuilts/api/33.0/public/toolbox.te b/prebuilts/api/33.0/public/toolbox.te
new file mode 100644
index 0000000..4c2cc3e
--- /dev/null
+++ b/prebuilts/api/33.0/public/toolbox.te
@@ -0,0 +1,38 @@
+# Any toolbox command run by init.
+# At present, the only known usage is for running mkswap via fs_mgr.
+# Do NOT use this domain for toolbox when run by any other domain.
+type toolbox, domain;
+type toolbox_exec, system_file_type, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow toolbox tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow toolbox devpts:chr_file { read write getattr ioctl };
+
+# mkswap-specific.
+# Read/write block devices used for swap partitions.
+# Assign swap_block_device type any such partition in your
+# device/<vendor>/<product>/sepolicy/file_contexts file.
+allow toolbox block_device:dir search;
+allow toolbox swap_block_device:blk_file rw_file_perms;
+
+# Only allow entry from init via the toolbox binary.
+neverallow { domain -init } toolbox:process transition;
+neverallow * toolbox:process dyntransition;
+neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_root_file:dir { remove_name write };
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
+
+# chattr +F and chattr +P /data/media in init
+allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
+allowxperm toolbox media_rw_data_file:dir ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
diff --git a/prebuilts/api/33.0/public/traced.te b/prebuilts/api/33.0/public/traced.te
new file mode 100644
index 0000000..922d46e
--- /dev/null
+++ b/prebuilts/api/33.0/public/traced.te
@@ -0,0 +1,3 @@
+type traced, domain, coredomain, mlstrustedsubject;
+type traced_tmpfs, file_type;
+
diff --git a/prebuilts/api/33.0/public/traced_perf.te b/prebuilts/api/33.0/public/traced_perf.te
new file mode 100644
index 0000000..f9a0324
--- /dev/null
+++ b/prebuilts/api/33.0/public/traced_perf.te
@@ -0,0 +1 @@
+type traced_perf, domain;
diff --git a/prebuilts/api/33.0/public/traced_probes.te b/prebuilts/api/33.0/public/traced_probes.te
new file mode 100644
index 0000000..3e587c8
--- /dev/null
+++ b/prebuilts/api/33.0/public/traced_probes.te
@@ -0,0 +1 @@
+type traced_probes, domain, coredomain, mlstrustedsubject;
diff --git a/prebuilts/api/33.0/public/traceur_app.te b/prebuilts/api/33.0/public/traceur_app.te
new file mode 100644
index 0000000..1ab150d
--- /dev/null
+++ b/prebuilts/api/33.0/public/traceur_app.te
@@ -0,0 +1,27 @@
+type traceur_app, domain;
+
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
+
+allow traceur_app {
+ service_manager_type
+ -apex_service
+ -dnsresolver_service
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -iorapd_service
+ -lpdump_service
+ -mdns_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -default_android_service
+}:service_manager find;
+
+# Allow traceur_app to use atrace HAL
+hal_client_domain(traceur_app, hal_atrace)
+
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;
diff --git a/prebuilts/api/33.0/public/tzdatacheck.te b/prebuilts/api/33.0/public/tzdatacheck.te
new file mode 100644
index 0000000..cf9b95d
--- /dev/null
+++ b/prebuilts/api/33.0/public/tzdatacheck.te
@@ -0,0 +1,18 @@
+# The tzdatacheck command run by init.
+type tzdatacheck, domain;
+type tzdatacheck_exec, system_file_type, exec_type, file_type;
+
+allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
+allow tzdatacheck zoneinfo_data_file:file unlink;
+
+# Below are strong assertion that only init, system_server and tzdatacheck
+# can modify the /data time zone rules directories. This is to make it very
+# clear that only these domains should modify the actual time zone rules data.
+# The tzdatacheck binary itself may be executed by shell for tests but it must
+# not be able to modify the real rules.
+# If other users / binaries could modify time zone rules on device this might
+# have negative implications for users (who may get incorrect local times)
+# or break assumptions made / invalidate data held by the components actually
+# responsible for updating time zone rules.
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/prebuilts/api/33.0/public/ueventd.te b/prebuilts/api/33.0/public/ueventd.te
new file mode 100644
index 0000000..4e3c7c2
--- /dev/null
+++ b/prebuilts/api/33.0/public/ueventd.te
@@ -0,0 +1,82 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+type ueventd_tmpfs, file_type;
+
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file r_file_perms;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
+
+# Access for /apex/*/firmware
+allow ueventd apex_mnt_dir:dir r_dir_perms;
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
+allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. ueventd has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow ueventd rootfs:file { r_file_perms execute };
+')
+
+# Suppress denials for ueventd to getattr /postinstall. This occurs when the
+# linker tries to resolve paths in ld.config.txt.
+dontaudit ueventd postinstall_mnt_dir:dir getattr;
+
+# ueventd loads modules in response to modalias events.
+allow ueventd self:global_capability_class_set sys_module;
+allow ueventd vendor_file:system module_load;
+allow ueventd kernel:key search;
+
+# ueventd is using bootstrap bionic
+use_bootstrap_libs(ueventd)
+
+# Allow ueventd to run shell scripts from vendor
+allow ueventd vendor_shell_exec:file execute;
+
+#####
+##### neverallow rules
+#####
+
+# Restrict ueventd access on block devices to maintenence operations.
+neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
+
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
+
+# Nobody should be able to ptrace ueventd
+neverallow * ueventd:process ptrace;
+
+# ueventd should never execute a program without changing to another domain.
+neverallow ueventd { file_type fs_type }:file execute_no_trans;
diff --git a/prebuilts/api/33.0/public/uncrypt.te b/prebuilts/api/33.0/public/uncrypt.te
new file mode 100644
index 0000000..3b04671
--- /dev/null
+++ b/prebuilts/api/33.0/public/uncrypt.te
@@ -0,0 +1,46 @@
+# uncrypt
+type uncrypt, domain, mlstrustedsubject;
+type uncrypt_exec, system_file_type, exec_type, file_type;
+
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
+
+userdebug_or_eng(`
+ # For debugging, allow /data/local/tmp access
+ r_dir_file(uncrypt, shell_data_file)
+')
+
+# Read /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
+
+# Raw writes to block device
+allow uncrypt self:global_capability_class_set sys_rawio;
+allow uncrypt misc_block_device:blk_file w_file_perms;
+allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
+
+# Access to bootconfig is needed when calling ReadDefaultFstab.
+allow uncrypt {
+ proc_bootconfig
+ proc_cmdline
+
+}:file r_file_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Allow ReadDefaultFstab().
+read_fstab(uncrypt)
diff --git a/prebuilts/api/33.0/public/untrusted_app.te b/prebuilts/api/33.0/public/untrusted_app.te
new file mode 100644
index 0000000..0a67614
--- /dev/null
+++ b/prebuilts/api/33.0/public/untrusted_app.te
@@ -0,0 +1,33 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion >= 32.
+type untrusted_app, domain;
+# This file defines the rules for untrusted apps running with
+# 29 < targetSdkVersion <= 31.
+type untrusted_app_30, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion = 29.
+type untrusted_app_29, domain;
+# This file defines the rules for untrusted apps running with
+# 25 < targetSdkVersion <= 28.
+type untrusted_app_27, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion <= 25.
+type untrusted_app_25, domain;
diff --git a/prebuilts/api/33.0/public/update_engine.te b/prebuilts/api/33.0/public/update_engine.te
new file mode 100644
index 0000000..ab7090b
--- /dev/null
+++ b/prebuilts/api/33.0/public/update_engine.te
@@ -0,0 +1,78 @@
+# Domain for update_engine daemon.
+type update_engine, domain, update_engine_common;
+type update_engine_exec, system_file_type, exec_type, file_type;
+
+net_domain(update_engine);
+
+# Following permissions are needed for update_engine.
+allow update_engine self:process { setsched };
+allow update_engine self:global_capability_class_set { fowner sys_admin };
+# Note: fsetid checks are triggered when creating a file in a directory with
+# the setgid bit set to determine if the file should inherit setgid. In this
+# case, setgid on the file is undesirable so we should just suppress the
+# denial.
+dontaudit update_engine self:global_capability_class_set fsetid;
+
+allow update_engine kmsg_device:chr_file { getattr w_file_perms };
+allow update_engine update_engine_exec:file rx_file_perms;
+wakelock_use(update_engine);
+
+# Ignore these denials.
+dontaudit update_engine kernel:process setsched;
+dontaudit update_engine self:global_capability_class_set sys_rawio;
+
+# Allow using persistent storage in /data/misc/update_engine.
+allow update_engine update_engine_data_file:dir create_dir_perms;
+allow update_engine update_engine_data_file:file create_file_perms;
+
+# Allow using persistent storage in /data/misc/update_engine_log.
+allow update_engine update_engine_log_data_file:dir create_dir_perms;
+allow update_engine update_engine_log_data_file:file create_file_perms;
+
+# Don't allow kernel module loading, just silence the logs.
+dontaudit update_engine kernel:system module_request;
+
+# Register the service to perform Binder IPC.
+binder_use(update_engine)
+add_service(update_engine, update_engine_service)
+add_service(update_engine, update_engine_stable_service)
+
+# Allow update_engine to call the callback function provided by priv_app/GMS core.
+binder_call(update_engine, priv_app)
+# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow update_engine priv_app:binder { call transfer };
+ auditallow priv_app update_engine:binder transfer;
+ auditallow update_engine priv_app:fd use;
+')
+
+binder_call(update_engine, gmscore_app)
+
+# Allow update_engine to call the callback function provided by system_server.
+binder_call(update_engine, system_server)
+
+# Read OTA zip file at /data/ota_package/.
+allow update_engine ota_package_file:file r_file_perms;
+allow update_engine ota_package_file:dir r_dir_perms;
+
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
+
+# access /proc/misc
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
+
+# Allow ReadDefaultFstab().
+# update_engine tries to determine the parent path for all devices (e.g.
+# /dev/block/by-name) by reading the default fstab and looking for the misc
+# device.
+read_fstab(update_engine)
+
+# Allow to write to snapshotctl_log logs.
+# TODO(b/148818798) revert when parent bug is fixed.
+userdebug_or_eng(`
+allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
+allow update_engine snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/prebuilts/api/33.0/public/update_engine_common.te b/prebuilts/api/33.0/public/update_engine_common.te
new file mode 100644
index 0000000..e8fd29e
--- /dev/null
+++ b/prebuilts/api/33.0/public/update_engine_common.te
@@ -0,0 +1,98 @@
+# update_engine payload application permissions. These are shared between the
+# background daemon and the recovery tool to sideload an update.
+
+# Allow update_engine to reach block devices in /dev/block.
+allow update_engine_common block_device:dir search;
+
+# Allow read/write on system and boot partitions.
+allow update_engine_common boot_block_device:blk_file rw_file_perms;
+allow update_engine_common system_block_device:blk_file rw_file_perms;
+
+# Where ioctls are granted via standard allow rules to block devices,
+# automatically allow common ioctls that are generally needed by
+# update_engine.
+allowxperm update_engine_common dev_type:blk_file ioctl {
+ BLKDISCARD
+ BLKDISCARDZEROES
+ BLKROGET
+ BLKROSET
+ BLKSECDISCARD
+ BLKZEROOUT
+};
+
+# Allow to set recovery options in the BCB. Used to trigger factory reset when
+# the update to an older version (channel change) or incompatible version
+# requires it.
+allow update_engine_common misc_block_device:blk_file rw_file_perms;
+
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
+# Allow update_engine_common to mount on the /postinstall directory and reset the
+# labels on the mounted filesystem to postinstall_file.
+allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
+allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
+
+# Allow update_engine_common to read and execute postinstall_file.
+allow update_engine_common postinstall_file:file rx_file_perms;
+allow update_engine_common postinstall_file:lnk_file r_file_perms;
+allow update_engine_common postinstall_file:dir r_dir_perms;
+
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine_common shell_exec:file rx_file_perms;
+
+# Allow update_engine_common to suspend, resume and kill the postinstall program.
+allow update_engine_common postinstall:process { signal sigstop sigkill };
+
+# access /proc/cmdline
+allow update_engine_common proc_cmdline:file r_file_perms;
+
+# Read files in /sys/firmware/devicetree/base/firmware/android/
+r_dir_file(update_engine_common, sysfs_dt_firmware_android)
+
+# Needed because libdm reads sysfs to validate when a dm path is ready.
+r_dir_file(update_engine_common, sysfs_dm)
+
+# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
+allow update_engine_common sysfs:dir r_dir_perms;
+allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
+
+# read / write on /dev/device-mapper to map / unmap devices
+allow update_engine_common dm_device:chr_file rw_file_perms;
+
+# apply / verify updates on devices mapped via device mapper
+allow update_engine_common dm_device:blk_file rw_file_perms;
+
+# read /dev/dm-user, so that we can inotify wait for control devices to be
+# asynchronously created by ueventd.
+allow update_engine dm_user_device:dir r_dir_perms;
+
+# read / write metadata on super device to resize partitions
+allow update_engine_common super_block_device_type:blk_file rw_file_perms;
+
+# ioctl on super device to get block device alignment and alignment offset
+allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+# get physical block device to map logical partitions on device mapper
+allow update_engine_common block_device:dir r_dir_perms;
+
+# Allow update_engine_common to write to statsd socket.
+unix_socket_send(update_engine_common, statsdw, statsd)
+
+# Allow to read Virtual A/B feature flags.
+get_prop(update_engine_common, virtual_ab_prop)
+
+# Allow to read GKI related flags.
+get_prop(update_engine_common, ab_update_gki_prop)
+get_prop(update_engine_common, build_bootimage_prop)
+
+# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common metadata_file:dir search;
+allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/prebuilts/api/33.0/public/update_verifier.te b/prebuilts/api/33.0/public/update_verifier.te
new file mode 100644
index 0000000..68b43f0
--- /dev/null
+++ b/prebuilts/api/33.0/public/update_verifier.te
@@ -0,0 +1,33 @@
+# update_verifier
+type update_verifier, domain;
+type update_verifier_exec, system_file_type, exec_type, file_type;
+
+# Allow update_verifier to reach block devices in /dev/block.
+allow update_verifier block_device:dir search;
+
+# Read care map in /data/ota_package/.
+allow update_verifier ota_package_file:dir r_dir_perms;
+allow update_verifier ota_package_file:file r_file_perms;
+
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow update_verifier sysfs:dir r_dir_perms;
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and system/vendor partitions.
+allow update_verifier sysfs_dm:dir r_dir_perms;
+allow update_verifier sysfs_dm:file r_file_perms;
+
+# Read all blocks in DM wrapped system partition.
+allow update_verifier dm_device:blk_file r_file_perms;
+
+# Write to kernel message.
+allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
+
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)
+
+# Access Checkpoint commands over binder
+allow update_verifier vold_service:service_manager find;
+binder_call(update_verifier, servicemanager)
+binder_call(update_verifier, vold)
diff --git a/prebuilts/api/33.0/public/usbd.te b/prebuilts/api/33.0/public/usbd.te
new file mode 100644
index 0000000..6f34954
--- /dev/null
+++ b/prebuilts/api/33.0/public/usbd.te
@@ -0,0 +1,2 @@
+type usbd, domain;
+type usbd_exec, system_file_type, exec_type, file_type;
diff --git a/prebuilts/api/33.0/public/userdata_sysdev.te b/prebuilts/api/33.0/public/userdata_sysdev.te
new file mode 100644
index 0000000..9974f36
--- /dev/null
+++ b/prebuilts/api/33.0/public/userdata_sysdev.te
@@ -0,0 +1 @@
+allow userdata_sysdev sysfs:filesystem associate;
diff --git a/prebuilts/api/33.0/public/vdc.te b/prebuilts/api/33.0/public/vdc.te
new file mode 100644
index 0000000..dfe6888
--- /dev/null
+++ b/prebuilts/api/33.0/public/vdc.te
@@ -0,0 +1,20 @@
+# vdc is a helper program for making Binder calls to vold. It is spawned from
+# init for various reasons, such as initializing file-based encryption and
+# metadata encryption, and managing userdata checkpointing.
+#
+# We also transition into this domain from dumpstate, when
+# collecting bug reports.
+
+type vdc, domain;
+type vdc_exec, system_file_type, exec_type, file_type;
+
+# vdc can be invoked with logwrapper, so let it write to pty
+allow vdc devpts:chr_file rw_file_perms;
+
+# vdc writes directly to kmsg during the boot process
+allow vdc kmsg_device:chr_file { getattr w_file_perms };
+
+# vdc talks to vold over Binder
+binder_use(vdc)
+binder_call(vdc, vold)
+allow vdc vold_service:service_manager find;
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
new file mode 100644
index 0000000..bc6d3b9
--- /dev/null
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -0,0 +1,303 @@
+# vendor_init is its own domain.
+type vendor_init, domain, mlstrustedsubject;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open getattr write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
+# Set encryption policy on dirs in /data
+allowxperm vendor_init data_file_type:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+};
+
+allow vendor_init system_data_file:dir getattr;
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_dlkm_file_type
+ -system_file_type
+ -mnt_product_file
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -runtime_event_log_tags_file
+ -system_dlkm_file_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -apex_info_file
+ -userspace_reboot_metadata_file
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -system_dlkm_file_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -apex_mnt_dir
+ -core_data_file_type
+ -exec_type
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -system_dlkm_file_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -mnt_product_file
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -system_dlkm_file_type
+ -system_file_type
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -keychord_device
+ -sdcard_type
+ -fusefs_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr map };
+
+allow vendor_init tracefs_type:file { open read setattr map };
+
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -fusefs_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:dir { open read setattr search };
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can read properties
+allow vendor_init serialno_prop:file { getattr open read map };
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+# Raw writes to misc block device
+allow vendor_init misc_block_device:blk_file w_file_perms;
+
+# vendor_init is using bootstrap bionic
+use_bootstrap_libs(vendor_init)
+
+# allow filesystem tuning
+allow vendor_init userdata_sysdev:file create_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow vendor_init rootfs:file { r_file_perms execute };
+')
+
+not_compatible_property(`
+ set_prop(vendor_init, {
+ property_type
+ -system_internal_property_type
+ -system_restricted_property_type
+ })
+')
+
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
+set_prop(vendor_init, apk_verity_prop)
+set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, bluetooth_config_prop)
+set_prop(vendor_init, camera2_extensions_prop)
+set_prop(vendor_init, camerax_extensions_prop)
+set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_runtime_prop)
+set_prop(vendor_init, debug_prop)
+set_prop(vendor_init, exported_bluetooth_prop)
+set_prop(vendor_init, exported_camera_prop)
+set_prop(vendor_init, exported_config_prop)
+set_prop(vendor_init, exported_default_prop)
+set_prop(vendor_init, exported_overlay_prop)
+set_prop(vendor_init, exported_pm_prop)
+set_prop(vendor_init, ffs_control_prop)
+set_prop(vendor_init, hw_timeout_multiplier_prop)
+set_prop(vendor_init, incremental_prop)
+set_prop(vendor_init, lmkd_prop)
+set_prop(vendor_init, logd_prop)
+set_prop(vendor_init, log_tag_prop)
+set_prop(vendor_init, log_prop)
+set_prop(vendor_init, qemu_hw_prop)
+set_prop(vendor_init, radio_control_prop)
+set_prop(vendor_init, rebootescrow_hal_prop)
+set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, soc_prop)
+set_prop(vendor_init, surfaceflinger_color_prop)
+set_prop(vendor_init, usb_control_prop)
+set_prop(vendor_init, userspace_reboot_config_prop)
+set_prop(vendor_init, vehicle_hal_prop)
+set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, vendor_security_patch_level_prop)
+set_prop(vendor_init, vndk_prop)
+set_prop(vendor_init, virtual_ab_prop)
+set_prop(vendor_init, vold_post_fs_data_prop)
+set_prop(vendor_init, wifi_hal_prop)
+set_prop(vendor_init, wifi_log_prop)
+set_prop(vendor_init, zram_control_prop)
+
+get_prop(vendor_init, boot_status_prop)
+get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, ota_prop)
+get_prop(vendor_init, power_debug_prop)
+get_prop(vendor_init, provisioned_prop)
+get_prop(vendor_init, retaildemo_prop)
+get_prop(vendor_init, surfaceflinger_display_prop)
+get_prop(vendor_init, test_harness_prop)
+get_prop(vendor_init, theme_prop)
+set_prop(vendor_init, dck_prop)
+
+
+###
+### neverallow rules
+###
+
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
+# The vendor_init domain is only entered via an exec based transition from the
+# init domain, never via setcon().
+neverallow domain vendor_init:process dyntransition;
+neverallow { domain -init } vendor_init:process transition;
+neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
+neverallow vendor_init shell_data_file:lnk_file read;
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow vendor_init shell_data_file:dir { write add_name remove_name };
+
+# init should never execute a program without changing to another domain.
+neverallow vendor_init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow vendor_init service_manager_type:service_manager { add find };
+neverallow vendor_init servicemanager:service_manager list;
+
+# vendor_init should never be ptraced
+neverallow * vendor_init:process ptrace;
diff --git a/prebuilts/api/33.0/public/vendor_misc_writer.te b/prebuilts/api/33.0/public/vendor_misc_writer.te
new file mode 100644
index 0000000..3bc3a9f
--- /dev/null
+++ b/prebuilts/api/33.0/public/vendor_misc_writer.te
@@ -0,0 +1,16 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
+dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
+dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(vendor_misc_writer)
diff --git a/prebuilts/api/33.0/public/vendor_modprobe.te b/prebuilts/api/33.0/public/vendor_modprobe.te
new file mode 100644
index 0000000..529c4aa
--- /dev/null
+++ b/prebuilts/api/33.0/public/vendor_modprobe.te
@@ -0,0 +1 @@
+type vendor_modprobe, domain;
diff --git a/prebuilts/api/33.0/public/vendor_shell.te b/prebuilts/api/33.0/public/vendor_shell.te
new file mode 100644
index 0000000..5d7cb31
--- /dev/null
+++ b/prebuilts/api/33.0/public/vendor_shell.te
@@ -0,0 +1,21 @@
+type vendor_shell, domain;
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+allow vendor_shell vendor_shell_exec:file rx_file_perms;
+allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
+
+# Use fd from shell when vendor_shell is started from shell
+allow vendor_shell shell:fd use;
+
+# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
+allow vendor_shell adbd:fd use;
+allow vendor_shell adbd:process sigchld;
+allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
+
+allow vendor_shell devpts:chr_file rw_file_perms;
+allow vendor_shell tty_device:chr_file rw_file_perms;
+allow vendor_shell console_device:chr_file rw_file_perms;
+allow vendor_shell input_device:dir r_dir_perms;
+allow vendor_shell input_device:chr_file rw_file_perms;
+
+userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
diff --git a/prebuilts/api/26.0/public/vendor_toolbox.te b/prebuilts/api/33.0/public/vendor_toolbox.te
similarity index 100%
rename from prebuilts/api/26.0/public/vendor_toolbox.te
rename to prebuilts/api/33.0/public/vendor_toolbox.te
diff --git a/prebuilts/api/33.0/public/virtual_touchpad.te b/prebuilts/api/33.0/public/virtual_touchpad.te
new file mode 100644
index 0000000..49c8704
--- /dev/null
+++ b/prebuilts/api/33.0/public/virtual_touchpad.te
@@ -0,0 +1,16 @@
+type virtual_touchpad, domain;
+type virtual_touchpad_exec, system_file_type, exec_type, file_type;
+
+binder_use(virtual_touchpad)
+binder_service(virtual_touchpad)
+add_service(virtual_touchpad, virtual_touchpad_service)
+
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
+# Requires access to /dev/uinput to create and feed the virtual device.
+allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
diff --git a/prebuilts/api/33.0/public/vndservice.te b/prebuilts/api/33.0/public/vndservice.te
new file mode 100644
index 0000000..efd9adf
--- /dev/null
+++ b/prebuilts/api/33.0/public/vndservice.te
@@ -0,0 +1,2 @@
+type service_manager_vndservice, vndservice_manager_type;
+type default_android_vndservice, vndservice_manager_type;
diff --git a/prebuilts/api/26.0/public/vndservicemanager.te b/prebuilts/api/33.0/public/vndservicemanager.te
similarity index 100%
rename from prebuilts/api/26.0/public/vndservicemanager.te
rename to prebuilts/api/33.0/public/vndservicemanager.te
diff --git a/prebuilts/api/33.0/public/vold.te b/prebuilts/api/33.0/public/vold.te
new file mode 100644
index 0000000..b0fb6d0
--- /dev/null
+++ b/prebuilts/api/33.0/public/vold.te
@@ -0,0 +1,343 @@
+# volume manager
+type vold, domain;
+type vold_exec, exec_type, file_type, system_file_type;
+
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
+# XXX Label sysfs files with a specific type?
+allow vold {
+ sysfs # writing to /sys/*/uevent during coldboot.
+ sysfs_devices_block
+ sysfs_dm
+ sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
+ sysfs_usb
+ sysfs_zram_uevent
+ sysfs_fs_f2fs
+}:file w_file_perms;
+
+r_dir_file(vold, rootfs)
+r_dir_file(vold, metadata_file)
+allow vold {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
+ proc_cmdline
+ proc_drop_caches
+ proc_filesystems
+ proc_meminfo
+ proc_mounts
+}:file r_file_perms;
+
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
+# Allow us to jump into execution domains of above tools
+allow vold self:process setexec;
+
+# For formatting adoptable storage devices
+allow vold e2fs_exec:file rx_file_perms;
+
+# Run fstrim on mounted partitions
+# allowxperm still requires the ioctl permission for the individual type
+allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
+
+# Get/set file-based encryption policies on dirs in /data and adoptable storage,
+# and add/remove file-based encryption keys.
+allowxperm vold data_file_type:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+ FS_IOC_ADD_ENCRYPTION_KEY
+ FS_IOC_REMOVE_ENCRYPTION_KEY
+};
+
+# Only vold and init should ever set file-based encryption policies.
+neverallowxperm {
+ domain
+ -vold
+ -init
+ -vendor_init
+} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
+
+# Only vold should ever add/remove file-based encryption keys.
+neverallowxperm {
+ domain
+ -vold
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
+
+# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
+# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
+# location of the file's blocks on the raw block device to erase.
+allowxperm vold {
+ vold_data_file
+ vold_metadata_file
+}:file ioctl {
+ F2FS_IOC_SEC_TRIM_FILE
+ FS_IOC_FIEMAP
+};
+
+typeattribute vold mlstrustedsubject;
+allow vold self:process setfscreate;
+allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
+allow vold block_device:dir create_dir_perms;
+allow vold device:dir write;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
+
+# Manage locations where storage is mounted
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
+
+# Access to storage that backs emulated FUSE daemons for migration optimization
+allow vold media_rw_data_file:dir create_dir_perms;
+allow vold media_rw_data_file:file create_file_perms;
+# Allow mounting (lower filesystem) on parts of media for performance
+allow vold media_rw_data_file:dir mounton;
+
+# Allow setting extended attributes (for project quota IDs) on files and dirs
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
+allowxperm vold media_rw_data_file:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
+
+# Allow mounting of storage devices
+allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
+
+# Manage per-user primary symlinks
+allow vold mnt_user_file:dir { create_dir_perms mounton };
+allow vold mnt_user_file:lnk_file create_file_perms;
+allow vold mnt_user_file:file create_file_perms;
+
+# Manage per-user pass_through primary symlinks
+allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
+allow vold mnt_pass_through_file:lnk_file create_file_perms;
+
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+
+# Allow to mount incremental file system on /data/incremental and create files
+allow vold apk_data_file:dir { mounton rw_dir_perms };
+# Allow to create and write files in /data/incremental
+allow vold apk_data_file:file { rw_file_perms unlink };
+# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
+allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
+
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
+allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow vold loop_control_device:chr_file rw_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold loop_device:blk_file ioctl {
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_GET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_STATUS64
+};
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
+allow vold dm_device:chr_file rw_file_perms;
+allow vold dm_device:blk_file rw_file_perms;
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:global_capability_class_set { sys_ptrace kill };
+
+allow vold kmsg_device:chr_file rw_file_perms;
+
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
+
+# Log fsck results
+allow vold fscklogs:dir rw_dir_perms;
+allow vold fscklogs:file create_file_perms;
+
+# Mount and unmount filesystems.
+allow vold labeledfs:filesystem { mount unmount remount };
+
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+allow vold {
+ system_data_file
+ system_data_root_file
+}:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold system_data_file:lnk_file getattr;
+
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
+# for secdiscard
+allow vold system_data_file:file read;
+
+# Set scheduling policy of kernel processes
+allow vold kernel:process setsched;
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
+allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
+
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
+# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
+wakelock_use(vold)
+
+# Allow vold to publish a binder service and make binder calls.
+binder_use(vold)
+add_service(vold, vold_service)
+
+# Allow vold to call into the system server so it can check permissions.
+binder_call(vold, system_server)
+allow vold permission_service:service_manager find;
+
+# talk to health storage HAL
+hal_client_domain(vold, hal_health_storage)
+
+# talk to bootloader HAL
+full_treble_only(`hal_client_domain(vold, hal_bootctl)')
+
+# Access userdata block device.
+allow vold userdata_block_device:blk_file rw_file_perms;
+allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
+
+# Access metadata block device used for encryption meta-data.
+allow vold metadata_block_device:blk_file rw_file_perms;
+allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
+
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
+allow vold unencrypted_data_file:dir create_dir_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir create_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
+# vold temporarily changes its priority when running benchmarks
+allow vold self:global_capability_class_set sys_nice;
+
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:global_capability_class_set sys_chroot;
+allow vold storage_file:dir mounton;
+
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
+
+# MoveStorage.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
+# Prepare profile dir for users.
+allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
+
+# Raw writes to misc block device
+allow vold misc_block_device:blk_file w_file_perms;
+
+# vold might need to search or mount /mnt/vendor/*
+allow vold mnt_vendor_file:dir search;
+
+dontaudit vold self:global_capability_class_set sys_resource;
+
+# Allow ReadDefaultFstab().
+read_fstab(vold)
+
+# vold might need to search loopback apex files
+allow vold vendor_apex_file:file r_file_perms;
+
+neverallow {
+ domain
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
+neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+neverallow vold {
+ domain
+ -hal_health_storage_server
+ -system_suspend_server
+ -hal_bootctl_server
+ -hwservicemanager
+ -iorapd_service
+ -keystore
+ -servicemanager
+ -system_server
+ userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow vold fsck_exec:file execute_no_trans;
+neverallow { domain -init } vold:process { transition dyntransition };
+neverallow vold *:process ptrace;
+neverallow vold *:rawip_socket *;
diff --git a/prebuilts/api/33.0/public/vold_prepare_subdirs.te b/prebuilts/api/33.0/public/vold_prepare_subdirs.te
new file mode 100644
index 0000000..3087fa8
--- /dev/null
+++ b/prebuilts/api/33.0/public/vold_prepare_subdirs.te
@@ -0,0 +1,6 @@
+# SELinux directory creation and labelling for vold-managed directories
+
+type vold_prepare_subdirs, domain;
+type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
+
+typeattribute vold_prepare_subdirs coredomain;
diff --git a/prebuilts/api/33.0/public/watchdogd.te b/prebuilts/api/33.0/public/watchdogd.te
new file mode 100644
index 0000000..72e3685
--- /dev/null
+++ b/prebuilts/api/33.0/public/watchdogd.te
@@ -0,0 +1,6 @@
+# watchdogd seclabel is specified in init.<board>.rc
+type watchdogd, domain;
+type watchdogd_exec, system_file_type, exec_type, file_type;
+
+allow watchdogd watchdog_device:chr_file rw_file_perms;
+allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/33.0/public/webview_zygote.te b/prebuilts/api/33.0/public/webview_zygote.te
new file mode 100644
index 0000000..ace3a01
--- /dev/null
+++ b/prebuilts/api/33.0/public/webview_zygote.te
@@ -0,0 +1,6 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+type webview_zygote, domain;
+type webview_zygote_exec, exec_type, file_type;
+type webview_zygote_tmpfs, file_type;
diff --git a/prebuilts/api/33.0/public/wificond.te b/prebuilts/api/33.0/public/wificond.te
new file mode 100644
index 0000000..98db0d7
--- /dev/null
+++ b/prebuilts/api/33.0/public/wificond.te
@@ -0,0 +1,44 @@
+# wificond
+type wificond, domain;
+type wificond_exec, system_file_type, exec_type, file_type;
+
+binder_use(wificond)
+binder_call(wificond, system_server)
+binder_call(wificond, keystore)
+
+add_service(wificond, wifinl80211_service)
+hal_client_domain(wificond, hal_nlinterceptor)
+
+# create sockets to set interfaces up and down
+allow wificond self:udp_socket create_socket_perms;
+# setting interface state up/down is a privileged ioctl
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
+allow wificond self:global_capability_class_set { net_admin net_raw };
+# allow wificond to speak to nl80211 in the kernel
+allow wificond self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+r_dir_file(wificond, proc_net_type)
+
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
+
+# dumpstate support
+allow wificond dumpstate:fd use;
+allow wificond dumpstate:fifo_file write;
+
+#### Offer the Wifi Keystore HwBinder service ###
+hwbinder_use(wificond)
+typeattribute wificond wifi_keystore_service_server;
+add_hwservice(wificond, system_wifi_keystore_hwservice)
+
+# Allow keystore binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
+allow wificond keystore:keystore_key get;
+
+# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond wifi_key:keystore2_key {
+ get_info
+ use
+};
diff --git a/prebuilts/api/33.0/public/wpantund.te b/prebuilts/api/33.0/public/wpantund.te
new file mode 100644
index 0000000..8ddd693
--- /dev/null
+++ b/prebuilts/api/33.0/public/wpantund.te
@@ -0,0 +1,29 @@
+type wpantund, domain;
+type wpantund_exec, system_file_type, exec_type, file_type;
+
+hal_client_domain(wpantund, hal_lowpan)
+net_domain(wpantund)
+
+binder_use(wpantund)
+binder_call(wpantund, system_server)
+
+# wpantund needs to be able to check in with the lowpan_service
+allow wpantund lowpan_service:service_manager find;
+
+# Allow wpantund to call any callbacks that have been registered with it.
+# Generally, only privileged apps are able to register callbacks with
+# wpantund, so we are limiting the scope for callbacks to only privileged
+# apps. We also add shell to allow the command-line utility `lowpanctl`
+# to work properly from `adb shell`.
+allow wpantund {priv_app shell}:binder call;
+
+# create sockets to set interfaces up and down, add multicast groups, etc.
+allow wpantund self:udp_socket create_socket_perms;
+
+# setting interface state up/down and changing MTU are privileged ioctls
+allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
+
+# Allow us to bring up a TUN network interface.
+allow wpantund tun_device:chr_file rw_file_perms;
+allow wpantund self:global_capability_class_set { net_admin net_raw };
+allow wpantund self:tun_socket create;
diff --git a/prebuilts/api/33.0/public/zygote.te b/prebuilts/api/33.0/public/zygote.te
new file mode 100644
index 0000000..071354e
--- /dev/null
+++ b/prebuilts/api/33.0/public/zygote.te
@@ -0,0 +1,4 @@
+# zygote
+type zygote, domain;
+type zygote_tmpfs, file_type;
+type zygote_exec, system_file_type, exec_type, file_type;
diff --git a/private/access_vectors b/private/access_vectors
index 7496c65..0f8dd5f 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -395,6 +395,7 @@
nlmsg_read
nlmsg_write
nlmsg_readpriv
+ nlmsg_getneigh
}
class netlink_tcpdiag_socket
@@ -721,16 +722,18 @@
change_user
clear_ns
clear_uid
+ delete_all_keys
early_boot_ended
+ get_attestation_key
get_auth_token
get_state
list
lock
+ migrate_any_key
pull_metrics
report_off_body
reset
unlock
- delete_all_keys
}
class keystore2_key
@@ -748,6 +751,16 @@
use_dev_id
}
+class diced
+{
+ demote
+ demote_self
+ derive
+ get_attestation_chain
+ use_seal
+ use_sign
+}
+
class drmservice {
consumeRights
setPlaybackStatus
diff --git a/private/adbd.te b/private/adbd.te
index 4273995..48fa849 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -77,8 +77,8 @@
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
+allow adbd { sdcard_type fuse }:dir create_dir_perms;
+allow adbd { sdcard_type fuse }:file create_file_perms;
# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
@@ -129,6 +129,7 @@
binder_call(adbd, gpuservice)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd gpu_device:dir r_dir_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
diff --git a/private/apexd.te b/private/apexd.te
index 09799bd..6db0fd9 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -13,29 +13,32 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
+# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
+allow apexd sepolicy_metadata_file:dir create_dir_perms;
+allow apexd sepolicy_metadata_file:file create_file_perms;
+# Allow apexd to setup fs-verity for SEPolicy files in metadata
+allowxperm apexd sepolicy_metadata_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
# Allow reserving space on /data/apex/ota_reserved for apex decompression
allow apexd apex_ota_reserved_file:dir create_dir_perms;
allow apexd apex_ota_reserved_file:file create_file_perms;
# Allow apexd to create files and directories for snapshots of apex data
-allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
-allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_art_data_file:file { create_file_perms relabelto };
-allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_permission_data_file:file { create_file_perms relabelto };
+allow apexd apex_data_file_type:dir { create_dir_perms relabelto };
+allow apexd apex_data_file_type:file { create_file_perms relabelto };
allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
-allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
-allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
-# Allow apexd to read directories under /data/misc_de in order to snapshot and
-# restore apex data for all users.
-allow apexd system_data_file:dir r_dir_perms;
+# Allow apexd to read /data/misc_de and the directories under it, in order to
+# snapshot and restore apex data for all users.
+allow apexd {
+ system_userdir_file
+ system_data_file
+}:dir r_dir_perms;
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
@@ -52,8 +55,8 @@
LOOP_CONFIGURE
};
# Allow apexd to access /dev/block
-allow apexd bdev_type:dir r_dir_perms;
-allow apexd bdev_type:blk_file getattr;
+allow apexd dev_type:dir r_dir_perms;
+allow apexd dev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
@@ -107,8 +110,9 @@
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
-allow apexd sysfs_block_type:dir r_dir_perms;
-allow apexd sysfs_block_type:file r_file_perms;
+# Access to /sys/class/block
+allow apexd sysfs_type:dir r_dir_perms;
+allow apexd sysfs_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
@@ -131,30 +135,8 @@
allow apexd vold_service:service_manager find;
binder_call(apexd, vold)
-# Apex pre- & post-install permission.
-
-# Allow self-execute for the fork mount helper.
-allow apexd apexd_exec:file execute_no_trans;
-
-# Unshare and make / private so that hooks cannot influence the
-# running system.
-allow apexd rootfs:dir mounton;
-
-# Allow to execute shell for pre- and postinstall scripts. A transition
-# rule is required, thus restricted to execute and not execute_no_trans.
-allow apexd shell_exec:file { r_file_perms execute };
-
# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
-
-# Allow transition to test APEX preinstall domain.
-userdebug_or_eng(`
- domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
-')
-
-# Allow transition to GKI update pre/post install domain
-domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
+use_bootstrap_libs(apexd)
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
@@ -182,6 +164,13 @@
# Allow apexd to read per-device configuration properties.
get_prop(apexd, apexd_config_prop)
+# Allow apexd to read apex selection properties.
+# These are used to choose between multi-installed APEXes at activation time.
+get_prop(apexd, apexd_select_prop)
+#
+# Allow apexd to read apexd_payload_metadata_prop
+get_prop(apexd, apexd_payload_metadata_prop)
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
@@ -214,3 +203,6 @@
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file r_file_perms;
+
+# Allow calling derive_classpath to gather BCP information for staged sessions
+domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
diff --git a/private/apexd_derive_classpath.te b/private/apexd_derive_classpath.te
new file mode 100644
index 0000000..d4c5496
--- /dev/null
+++ b/private/apexd_derive_classpath.te
@@ -0,0 +1,9 @@
+# Exclusive domain for apexd calling into derive_classpath binary
+type apexd_derive_classpath, domain, coredomain;
+
+# Allow the binary to write into output file at location /apex/derive_classpath_temp
+allow apexd_derive_classpath apexd:fd use;
+allow apexd_derive_classpath apex_mnt_dir:file { write open };
+# Allow the binary to log using logwrap
+allow apexd_derive_classpath apexd_devpts:chr_file { read write };
+
diff --git a/private/app.te b/private/app.te
index 30c76d3..7033cb6 100644
--- a/private/app.te
+++ b/private/app.te
@@ -14,6 +14,7 @@
get_prop(appdomain, vold_config_prop)
get_prop(appdomain, adbd_config_prop)
get_prop(appdomain, dck_prop)
+get_prop(appdomain, persist_wm_debug_prop)
# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process)
@@ -41,7 +42,7 @@
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow appdomain mnt_media_rw_file:dir search;
+allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
@@ -72,6 +73,9 @@
# Allow to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)
+# Allow to read system_user_mode_emulation_prop, which is used by UserManager.java
+userdebug_or_eng(`get_prop(appdomain, system_user_mode_emulation_prop)')
+
# Allow font file read by apps.
allow appdomain font_data_file:file r_file_perms;
allow appdomain font_data_file:dir r_dir_perms;
@@ -87,6 +91,383 @@
allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# Receive and use open file descriptors inherited from app zygote.
+allow appdomain app_zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app -sdk_sandbox } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app -sdk_sandbox } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
+
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+
+userdebug_or_eng(`
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# For AppFuse.
+allow appdomain vold:fd use;
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
+
+# Access via already open fds is ok even for mlstrustedsubject.
+allow { appdomain -isolated_app -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
+allow appdomain system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
+allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
+
+# Perform binder IPC to sdk sandbox.
+binder_call(appdomain, sdk_sandbox)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Allow apps read / execute access to vendor public libraries.
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write map };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write map };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read map };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read map };
+
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
+# Allow apps to send information to statsd socket.
+unix_socket_send(appdomain, statsdw, statsd)
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
+r_dir_file({
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -sdk_sandbox
+ -shell
+ -system_app
+ -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+ auditallow {
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -sdk_sandbox
+ -shell
+ -su
+ -system_app
+ -untrusted_app_all
+ } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+allow { appdomain -isolated_app } gpu_device:dir r_dir_perms;
+allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;
+
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+# Perform binder IPC to gpuservice.
+binder_call({ appdomain -isolated_app }, gpuservice)
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read map };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app -sdk_sandbox } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+control_logd({ appdomain -ephemeral_app -sdk_sandbox })
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
+
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
+
+use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+
+use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow appdomain same_process_hal_file:file { execute read open getattr map };
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write map };
+
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
+# Read access to FDs from the DropboxManagerService.
+allow appdomain dropbox_data_file:file { getattr read };
+
+# Read tmpfs types from these processes.
+allow appdomain audioserver_tmpfs:file { getattr map read write };
+allow appdomain system_server_tmpfs:file { getattr map read write };
+allow appdomain zygote_tmpfs:file { map read };
+
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
@@ -95,6 +476,7 @@
isolated_app
nfc
radio
+ sdk_sandbox
shared_relro
system_app
} {
@@ -104,3 +486,7 @@
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
+
+# For now, don't allow apps other than gmscore to access /data/misc_ce/<userid>/checkin
+neverallow { appdomain -gmscore_app } checkin_data_file:dir *;
+neverallow { appdomain -gmscore_app } checkin_data_file:file *;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c7fa4e8..304f5a2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -11,6 +11,7 @@
untrusted_app_25
untrusted_app_27
untrusted_app_29
+ untrusted_app_30
untrusted_app_all
}')
# Receive or send uevent messages.
@@ -116,16 +117,25 @@
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
+# Apps can read/write an already open vsock (e.g. created by
+# virtualizationservice) but nothing more than that (e.g. creating a
+# new vsock, etc.)
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
+
# Disallow sending RTM_GETLINK messages on netlink sockets.
+neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+
+# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-} domain:netlink_route_socket { bind nlmsg_readpriv };
+ -untrusted_app_30
+} domain:netlink_route_socket nlmsg_getneigh;
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
@@ -139,6 +149,7 @@
neverallow { all_untrusted_apps -mediaprovider } {
fs_type
-sdcard_type
+ -fuse
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 004c108..8a62341 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -56,6 +56,9 @@
r_dir_file(app_zygote, dalvikcache_data_file);
allow app_zygote dalvikcache_data_file:file execute;
+# For ART (allow userfaultfd and related ioctls)
+userfaultfd_use(app_zygote)
+
# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
allow app_zygote apex_module_data_file:dir search;
# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
diff --git a/private/artd.te b/private/artd.te
new file mode 100644
index 0000000..0aa12dc
--- /dev/null
+++ b/private/artd.te
@@ -0,0 +1,16 @@
+# art service daemon
+type artd, domain;
+type artd_exec, system_file_type, exec_type, file_type;
+
+# Allow artd to publish a binder service and make binder calls.
+binder_use(artd)
+add_service(artd, artd_service)
+allow artd dumpstate:fifo_file { getattr write };
+
+typeattribute artd coredomain;
+
+init_daemon_domain(artd)
+
+# Allow query ART device config properties
+get_prop(artd, device_config_runtime_native_prop)
+get_prop(artd, device_config_runtime_native_boot_prop)
diff --git a/private/atrace.te b/private/atrace.te
index d9e351c..ca0e527 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -12,10 +12,10 @@
allow atrace debugfs_tracing:file rw_file_perms;
allow atrace debugfs_trace_marker:file getattr;
-# Allow atrace to write data when a pipe is used for stdout/stderr
-# This is used by Perfetto to capture the output on error in atrace.
+# Allow atrace to write data when a pipe is used for stdout/stderr.
+# This is used by Perfetto to capture atrace stdout/stderr.
allow atrace traced_probes:fd use;
-allow atrace traced_probes:fifo_file write;
+allow atrace traced_probes:fifo_file { getattr write };
# atrace sets debug.atrace.* properties
set_prop(atrace, debug_prop)
@@ -33,6 +33,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-stats_service
-tracingproxy_service
@@ -44,7 +45,6 @@
# Allow notifying the processes hosting specific binder services that
# trace-related system properties have changed.
binder_use(atrace)
-allow atrace healthd:binder call;
allow atrace surfaceflinger:binder call;
allow atrace system_server:binder call;
allow atrace cameraserver:binder call;
diff --git a/private/audioserver.te b/private/audioserver.te
index 2d0b46d..ca29373 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -7,6 +7,7 @@
tmpfs_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
+r_dir_file(audioserver, fuse)
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
@@ -95,7 +96,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow audioserver domain:{ udp_socket rawip_socket } *;
+neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
# Allow using wake locks
wakelock_use(audioserver)
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
index d757a52..db20696 100644
--- a/private/automotive_display_service.te
+++ b/private/automotive_display_service.te
@@ -4,7 +4,7 @@
typeattribute automotive_display_service automotive_display_service_server;
-# Allow to add a display service to the manager
+# Allow to add a display service to the hwservicemanager
add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
# Allow init to launch automotive display service
@@ -36,3 +36,9 @@
# Allow to access EGL files
allow automotive_display_service gpu_device:chr_file rw_file_perms;
allow automotive_display_service gpu_device:dir search;
+
+# Allow to add a service to the servicemanager
+add_service(automotive_display_service, fwk_automotive_display_service);
+
+# Allow to communicate with EVS services
+binder_call(automotive_display_service, hal_evs)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 8fc6d20..d548e80 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -15,7 +15,7 @@
# Data file accesses.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set { create_file_perms link };
allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
allow bluetooth bluetooth_logs_data_file:file create_file_perms;
@@ -36,9 +36,16 @@
# allow Bluetooth to access uhid device for HID profile
allow bluetooth uhid_device:chr_file rw_file_perms;
+allow bluetooth gpu_device:chr_file rw_file_perms;
+allow bluetooth gpu_device:dir r_dir_perms;
+
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+# For Bluetooth to check what profile are available
+allow bluetooth proc_filesystems:file r_file_perms;
+get_prop(bluetooth, incremental_prop)
+
# Allow write access to bluetooth specific properties
set_prop(bluetooth, binder_cache_bluetooth_server_prop);
neverallow { domain -bluetooth -init }
@@ -58,6 +65,7 @@
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
allow bluetooth system_suspend_control_service:service_manager find;
+allow bluetooth hal_audio_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
diff --git a/private/bootanim.te b/private/bootanim.te
index 855bc3d..f4fb0bc 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -15,3 +15,6 @@
# Allow updating boot animation status.
set_prop(bootanim, bootanim_system_prop)
+
+# Allow accessing /data/bootanim
+r_dir_file(bootanim, bootanim_data_file)
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
new file mode 100644
index 0000000..2be7f88
--- /dev/null
+++ b/private/bpfdomain.te
@@ -0,0 +1,14 @@
+# platform should have ownership of network attachpoints for BPF
+neverallow {
+ bpfdomain
+ -bpfloader
+ -netd
+ -netutils_wrapper
+ -network_stack
+ -system_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# any domain which uses bpf is a bpfdomain
+neverallow { domain -bpfdomain } *:bpf *;
+
+allow bpfdomain fs_bpf:dir search;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 343ec7a..d7b27b5 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -1,43 +1,66 @@
-# bpf program loader
-type bpfloader, domain;
type bpfloader_exec, system_file_type, exec_type, file_type;
-typeattribute bpfloader coredomain;
+
+typeattribute bpfloader bpfdomain;
+
+# allow bpfloader to write to the kernel log (starts early)
+allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
-allow fs_bpf_tethering fs_bpf:filesystem associate;
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
+allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
allow bpfloader self:capability { chown sys_admin net_admin };
+allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
+
set_prop(bpfloader, bpf_progs_loaded_prop)
+allow bpfloader bpfloader_exec:file execute_no_trans;
+
###
### Neverallow rules
###
# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
+neverallow {
+ domain
+ -bpfloader
+ -gpuservice
+ -hal_health_server
+ -mediaprovider_app
+ -netd
+ -netutils_wrapper
+ -network_stack
+ -system_server
+} *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
+
+# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
+# this should perhaps be moved to the bpfloader binary itself. Allow both.
+neverallow { domain -bpfloader -init } proc_bpf:file write;
diff --git a/private/bug_map b/private/bug_map
index 5b042ae..083c213 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -25,9 +25,9 @@
netd untrusted_app_27 unix_stream_socket b/77870037
netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
-system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
+system_server system_server capability b/228030183
system_server zygote process b/77856826
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
diff --git a/private/cameraserver.te b/private/cameraserver.te
index 2be3c9e..96d7dbd 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -4,3 +4,6 @@
init_daemon_domain(cameraserver)
tmpfs_domain(cameraserver)
+
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver gpu_device:dir r_dir_perms;
diff --git a/private/charger.te b/private/charger.te
index 8be113f..c5f3a50 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -2,16 +2,13 @@
# charger needs to tell init to continue the boot
# process when running in charger mode.
+# The system charger needs to be allowed to set these properties on legacy devices.
set_prop(charger, system_prop)
set_prop(charger, exported_system_prop)
set_prop(charger, exported3_system_prop)
-set_prop(charger, charger_status_prop)
+# The system charger can read ro.charger.*
get_prop(charger, charger_prop)
-get_prop(charger, charger_config_prop)
-
-# get minui properties
-get_prop(charger, recovery_config_prop)
compatible_property_only(`
neverallow {
@@ -21,11 +18,3 @@
-charger
} charger_prop:file no_rw_file_perms;
')
-
-neverallow {
- domain
- -init
- -dumpstate
- -vendor_init
- -charger
-} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/private/charger_type.te b/private/charger_type.te
new file mode 100644
index 0000000..3647496
--- /dev/null
+++ b/private/charger_type.te
@@ -0,0 +1,38 @@
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger_type, charger_status_prop)
+get_prop(charger_type, charger_config_prop)
+
+# get minui properties
+get_prop(charger_type, recovery_config_prop)
+
+### Neverallow rules for charger properties
+
+# charger_config_prop: Only init and vendor_init is allowed to set it
+neverallow {
+ domain
+ -init
+ -vendor_init
+} charger_config_prop:property_service set;
+
+# charger_status_prop: Only init, vendor_init, charger, and charger_vendor
+# are allowed to set it
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -charger
+ -charger_vendor
+} charger_status_prop:property_service set;
+
+# Both charger_config_prop and charger_status_prop:
+# Only init, vendor_init, dumpstate, charger, and charger_vendor
+# are allowed to read it
+neverallow {
+ domain
+ -init
+ -dumpstate
+ -vendor_init
+ -charger
+ -charger_vendor
+} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/private/clatd.te b/private/clatd.te
index 0fa774a..1f21d69 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -4,33 +4,10 @@
net_domain(clatd)
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
- auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
+# Access objects inherited from system_server.
+allow clatd system_server:fd use;
+allow clatd system_server:packet_socket { read write };
+allow clatd system_server:rawip_socket { read write };
allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
allow clatd tun_device:chr_file rw_file_perms;
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
deleted file mode 100644
index 498bca5..0000000
--- a/private/compat/26.0/26.0.cil
+++ /dev/null
@@ -1,786 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_keystore)
-(typeattribute hal_wifi_keystore_client)
-(typeattribute hal_wifi_keystore_server)
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_server)
-
-;; types removed from current policy
-(type untrusted_v2_app)
-(type asan_reboot_prop)
-(type commontime_management_service)
-(type hal_wifi_offload_hwservice)
-(type log_device)
-(type mediacasserver_service)
-(type mediacodec)
-(type mediacodec_exec)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type tracing_shell_writable)
-(type tracing_shell_writable_debug)
-(type vold_socket)
-(type webview_zygote_socket)
-(type rild)
-(type netd_socket)
-
-(typeattributeset accessibility_service_26_0 (accessibility_service))
-(typeattributeset account_service_26_0 (account_service))
-(typeattributeset activity_service_26_0 (activity_service))
-(typeattributeset adbd_26_0 (adbd))
-(typeattributeset adb_data_file_26_0 (adb_data_file))
-(typeattributeset adbd_socket_26_0 (adbd_socket))
-(typeattributeset adb_keys_file_26_0 (adb_keys_file))
-(typeattributeset alarm_device_26_0 (alarm_device))
-(typeattributeset alarm_service_26_0 (alarm_service))
-(typeattributeset anr_data_file_26_0 (anr_data_file))
-(typeattributeset apk_data_file_26_0 (apk_data_file))
-(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_26_0 (app_fuse_file))
-(typeattributeset app_fusefs_26_0 (app_fusefs))
-(typeattributeset appops_service_26_0 (appops_service))
-(typeattributeset appwidget_service_26_0 (appwidget_service))
-(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
-(typeattributeset asec_apk_file_26_0 (asec_apk_file))
-(typeattributeset asec_image_file_26_0 (asec_image_file))
-(typeattributeset asec_public_file_26_0 (asec_public_file))
-(typeattributeset ashmem_device_26_0 (ashmem_device))
-(typeattributeset assetatlas_service_26_0 (assetatlas_service))
-(typeattributeset audio_data_file_26_0 (audio_data_file))
-(typeattributeset audio_device_26_0 (audio_device))
-(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
-(typeattributeset audio_prop_26_0 (audio_prop))
-(typeattributeset audio_seq_device_26_0 (audio_seq_device))
-(typeattributeset audioserver_26_0 (audioserver))
-(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
-(typeattributeset audioserver_service_26_0 (audioserver_service))
-(typeattributeset audio_service_26_0 (audio_service))
-(typeattributeset audio_timer_device_26_0 (audio_timer_device))
-(typeattributeset autofill_service_26_0 (autofill_service))
-(typeattributeset backup_data_file_26_0 (backup_data_file))
-(typeattributeset backup_service_26_0 (backup_service))
-(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
-(typeattributeset battery_service_26_0 (battery_service))
-(typeattributeset batterystats_service_26_0 (batterystats_service))
-(typeattributeset binder_device_26_0 (binder_device))
-(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
-(typeattributeset blkid_26_0 (blkid))
-(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
-(typeattributeset block_device_26_0 (block_device))
-(typeattributeset bluetooth_26_0 (bluetooth))
-(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_26_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
-(typeattributeset bootanim_26_0 (bootanim))
-(typeattributeset bootanim_exec_26_0 (bootanim_exec))
-(typeattributeset boot_block_device_26_0 (boot_block_device))
-(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
-(typeattributeset bootstat_26_0 (bootstat))
-(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_26_0 (bootstat_exec))
-(typeattributeset boottime_prop_26_0 (boottime_prop))
-(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
-(typeattributeset bufferhubd_26_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_26_0 (cache_backup_file))
-(typeattributeset cache_block_device_26_0 (cache_block_device))
-(typeattributeset cache_file_26_0 (cache_file))
-(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
-(typeattributeset camera_data_file_26_0 (camera_data_file))
-(typeattributeset camera_device_26_0 (camera_device))
-(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
-(typeattributeset cameraserver_26_0 (cameraserver))
-(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_26_0 (cameraserver_service))
-(typeattributeset cgroup_26_0 (cgroup))
-(typeattributeset charger_26_0 (charger))
-(typeattributeset clatd_26_0 (clatd))
-(typeattributeset clatd_exec_26_0 (clatd_exec))
-(typeattributeset clipboard_service_26_0 (clipboard_service))
-(typeattributeset commontime_management_service_26_0 (commontime_management_service))
-(typeattributeset companion_device_service_26_0 (companion_device_service))
-(typeattributeset configfs_26_0 (configfs))
-(typeattributeset config_prop_26_0 (config_prop))
-(typeattributeset connectivity_service_26_0 (connectivity_service))
-(typeattributeset connmetrics_service_26_0 (connmetrics_service))
-(typeattributeset console_device_26_0 (console_device))
-(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
-(typeattributeset content_service_26_0 (content_service))
-(typeattributeset contexthub_service_26_0 (contexthub_service))
-(typeattributeset coredump_file_26_0 (coredump_file))
-(typeattributeset country_detector_service_26_0 (country_detector_service))
-(typeattributeset coverage_service_26_0 (coverage_service))
-(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
-(typeattributeset cppreopts_26_0 (cppreopts))
-(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_26_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
-(typeattributeset crash_dump_26_0 (crash_dump))
-(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_26_0 (dalvik_prop))
-(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0
- ( debugfs
- debugfs_wakeup_sources
- ))
-(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
-(typeattributeset debug_prop_26_0 (debug_prop))
-(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
-(typeattributeset default_android_service_26_0 (default_android_service))
-(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0
- ( default_prop pm_prop))
-(typeattributeset device_26_0 (device))
-(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_26_0 (deviceidle_service))
-(typeattributeset device_logging_prop_26_0 (device_logging_prop))
-(typeattributeset device_policy_service_26_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
-(typeattributeset devpts_26_0 (devpts))
-(typeattributeset dex2oat_26_0 (dex2oat))
-(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
-(typeattributeset dhcp_26_0 (dhcp))
-(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_26_0 (dhcp_exec))
-(typeattributeset dhcp_prop_26_0 (dhcp_prop))
-(typeattributeset diskstats_service_26_0 (diskstats_service))
-(typeattributeset display_service_26_0 (display_service))
-(typeattributeset dm_device_26_0 (dm_device))
-(typeattributeset dnsmasq_26_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_26_0 (DockObserver_service))
-(typeattributeset dreams_service_26_0 (dreams_service))
-(typeattributeset drm_data_file_26_0 (drm_data_file))
-(typeattributeset drmserver_26_0 (drmserver))
-(typeattributeset drmserver_exec_26_0 (drmserver_exec))
-(typeattributeset drmserver_service_26_0 (drmserver_service))
-(typeattributeset drmserver_socket_26_0 (drmserver_socket))
-(typeattributeset dropbox_service_26_0 (dropbox_service))
-(typeattributeset dumpstate_26_0 (dumpstate))
-(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_26_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
-(typeattributeset efs_file_26_0 (efs_file))
-(typeattributeset ephemeral_app_26_0 (ephemeral_app))
-(typeattributeset ethernet_service_26_0 (ethernet_service))
-(typeattributeset ffs_prop_26_0 (ffs_prop))
-(typeattributeset file_contexts_file_26_0 (file_contexts_file))
-(typeattributeset fingerprintd_26_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_26_0 (fingerprint_service))
-(typeattributeset firstboot_prop_26_0 (firstboot_prop))
-(typeattributeset font_service_26_0 (font_service))
-(typeattributeset frp_block_device_26_0 (frp_block_device))
-(typeattributeset fsck_26_0 (fsck))
-(typeattributeset fsck_exec_26_0 (fsck_exec))
-(typeattributeset fscklogs_26_0 (fscklogs))
-(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
-(typeattributeset full_device_26_0 (full_device))
-(typeattributeset functionfs_26_0 (functionfs))
-(typeattributeset fuse_26_0 (fuse))
-(typeattributeset fuse_device_26_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_26_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
-(typeattributeset gps_control_26_0 (gps_control))
-(typeattributeset gpu_device_26_0 (gpu_device))
-(typeattributeset gpu_service_26_0 (gpu_service))
-(typeattributeset graphics_device_26_0 (graphics_device))
-(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
-(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
-(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
-(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
-(typeattributeset hardware_service_26_0 (hardware_service))
-(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
-(typeattributeset healthd_26_0 (healthd))
-(typeattributeset healthd_exec_26_0 (healthd_exec))
-(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_26_0 (hwbinder_device))
-(typeattributeset hw_random_device_26_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_26_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_26_0 (i2c_device))
-(typeattributeset icon_file_26_0 (icon_file))
-(typeattributeset idmap_26_0 (idmap))
-(typeattributeset idmap_exec_26_0 (idmap_exec))
-(typeattributeset iio_device_26_0 (iio_device))
-(typeattributeset imms_service_26_0 (imms_service))
-(typeattributeset incident_26_0 (incident))
-(typeattributeset incidentd_26_0 (incidentd))
-(typeattributeset incident_data_file_26_0 (incident_data_file))
-(typeattributeset incident_service_26_0 (incident_service))
-(typeattributeset init_26_0 (init))
-(typeattributeset init_exec_26_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_26_0 (inotify))
-(typeattributeset input_device_26_0 (input_device))
-(typeattributeset inputflinger_26_0 (inputflinger))
-(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_26_0 (inputflinger_service))
-(typeattributeset input_method_service_26_0 (input_method_service))
-(typeattributeset input_service_26_0 (input_service))
-(typeattributeset installd_26_0 (installd))
-(typeattributeset install_data_file_26_0 (install_data_file))
-(typeattributeset installd_exec_26_0 (installd_exec))
-(typeattributeset installd_service_26_0 (installd_service))
-(typeattributeset install_recovery_26_0 (install_recovery))
-(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
-(typeattributeset ion_device_26_0 (ion_device))
-(typeattributeset IProxyService_service_26_0 (IProxyService_service))
-(typeattributeset ipsec_service_26_0 (ipsec_service))
-(typeattributeset isolated_app_26_0 (isolated_app))
-(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
-(typeattributeset kernel_26_0 (kernel))
-(typeattributeset keychain_data_file_26_0 (keychain_data_file))
-(typeattributeset keychord_device_26_0 (keychord_device))
-(typeattributeset keystore_26_0 (keystore))
-(typeattributeset keystore_data_file_26_0 (keystore_data_file))
-(typeattributeset keystore_exec_26_0 (keystore_exec))
-(typeattributeset keystore_service_26_0 (keystore_service))
-(typeattributeset kmem_device_26_0 (kmem_device))
-(typeattributeset kmsg_device_26_0 (kmsg_device))
-(typeattributeset labeledfs_26_0 (labeledfs))
-(typeattributeset launcherapps_service_26_0 (launcherapps_service))
-(typeattributeset lmkd_26_0 (lmkd))
-(typeattributeset lmkd_exec_26_0 (lmkd_exec))
-(typeattributeset lmkd_socket_26_0 (lmkd_socket))
-(typeattributeset location_service_26_0 (location_service))
-(typeattributeset lock_settings_service_26_0 (lock_settings_service))
-(typeattributeset logcat_exec_26_0 (logcat_exec))
-(typeattributeset logd_26_0 (logd))
-(typeattributeset log_device_26_0 (log_device))
-(typeattributeset logd_exec_26_0 (logd_exec))
-(typeattributeset logd_prop_26_0 (logd_prop))
-(typeattributeset logdr_socket_26_0 (logdr_socket))
-(typeattributeset logd_socket_26_0 (logd_socket))
-(typeattributeset logdw_socket_26_0 (logdw_socket))
-(typeattributeset logpersist_26_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_26_0 (log_prop))
-(typeattributeset log_tag_prop_26_0 (log_tag_prop))
-(typeattributeset loop_control_device_26_0 (loop_control_device))
-(typeattributeset loop_device_26_0 (loop_device))
-(typeattributeset mac_perms_file_26_0 (mac_perms_file))
-(typeattributeset mdnsd_26_0 (mdnsd))
-(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
-(typeattributeset mdns_socket_26_0 (mdns_socket))
-(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
-(typeattributeset hal_omx_server (mediacodec_26_0))
-(typeattributeset mediacodec_26_0 (mediacodec))
-(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_26_0 (mediacodec_service))
-(typeattributeset media_data_file_26_0 (media_data_file))
-(typeattributeset mediadrmserver_26_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_26_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
-(typeattributeset mediametrics_26_0 (mediametrics))
-(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_26_0 (mediametrics_service))
-(typeattributeset media_projection_service_26_0 (media_projection_service))
-(typeattributeset media_router_service_26_0 (media_router_service))
-(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
-(typeattributeset mediaserver_26_0 (mediaserver))
-(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_26_0 (mediaserver_service))
-(typeattributeset media_session_service_26_0 (media_session_service))
-(typeattributeset meminfo_service_26_0 (meminfo_service))
-(typeattributeset metadata_block_device_26_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
-(typeattributeset midi_service_26_0 (midi_service))
-(typeattributeset misc_block_device_26_0 (misc_block_device))
-(typeattributeset misc_logd_file_26_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
-(typeattributeset mmc_prop_26_0 (mmc_prop))
-(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_26_0 (mnt_user_file))
-(typeattributeset modprobe_26_0 (modprobe))
-(typeattributeset mount_service_26_0 (mount_service))
-(typeattributeset mqueue_26_0 (mqueue))
-(typeattributeset mtd_device_26_0 (mtd_device))
-(typeattributeset mtp_26_0 (mtp))
-(typeattributeset mtp_device_26_0 (mtp_device))
-(typeattributeset mtpd_socket_26_0 (mtpd_socket))
-(typeattributeset mtp_exec_26_0 (mtp_exec))
-(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
-(typeattributeset netd_26_0 (netd))
-(typeattributeset net_data_file_26_0 (net_data_file))
-(typeattributeset netd_exec_26_0 (netd_exec))
-(typeattributeset netd_listener_service_26_0 (netd_listener_service))
-(typeattributeset net_dns_prop_26_0 (net_dns_prop))
-(typeattributeset netd_service_26_0 (netd_service))
-(typeattributeset netd_socket_26_0 (netd_socket))
-(typeattributeset netif_26_0 (netif))
-(typeattributeset netpolicy_service_26_0 (netpolicy_service))
-(typeattributeset net_radio_prop_26_0 (net_radio_prop))
-(typeattributeset netstats_service_26_0 (netstats_service))
-(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_26_0 (network_management_service))
-(typeattributeset network_score_service_26_0 (network_score_service))
-(typeattributeset network_time_update_service_26_0 (network_time_update_service))
-(typeattributeset nfc_26_0 (nfc))
-(typeattributeset nfc_data_file_26_0 (nfc_data_file))
-(typeattributeset nfc_device_26_0 (nfc_device))
-(typeattributeset nfc_prop_26_0 (nfc_prop))
-(typeattributeset nfc_service_26_0 (nfc_service))
-(typeattributeset node_26_0 (node))
-(typeattributeset notification_service_26_0 (notification_service))
-(typeattributeset null_device_26_0 (null_device))
-(typeattributeset oemfs_26_0 (oemfs))
-(typeattributeset oem_lock_service_26_0 (oem_lock_service))
-(typeattributeset ota_data_file_26_0 (ota_data_file))
-(typeattributeset otadexopt_service_26_0 (otadexopt_service))
-(typeattributeset ota_package_file_26_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_26_0 (overlay_prop))
-(typeattributeset overlay_service_26_0 (overlay_service))
-(typeattributeset owntty_device_26_0 (owntty_device))
-(typeattributeset package_service_26_0 (package_service))
-(typeattributeset pan_result_prop_26_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
-(typeattributeset performanced_26_0 (performanced))
-(typeattributeset performanced_exec_26_0 (performanced_exec))
-(typeattributeset permission_service_26_0 (permission_service))
-(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_26_0 (pinner_service))
-(typeattributeset pipefs_26_0 (pipefs))
-(typeattributeset platform_app_26_0 (platform_app))
-(typeattributeset pmsg_device_26_0 (pmsg_device))
-(typeattributeset port_26_0 (port))
-(typeattributeset port_device_26_0 (port_device))
-(typeattributeset postinstall_26_0 (postinstall))
-(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_26_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_26_0 (powerctl_prop))
-(typeattributeset power_service_26_0 (power_service))
-(typeattributeset ppp_26_0 (ppp))
-(typeattributeset ppp_device_26_0 (ppp_device))
-(typeattributeset ppp_exec_26_0 (ppp_exec))
-(typeattributeset preloads_data_file_26_0 (preloads_data_file))
-(typeattributeset preloads_media_file_26_0 (preloads_media_file))
-(typeattributeset preopt2cachename_26_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
-(typeattributeset print_service_26_0 (print_service))
-(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_time_in_state
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
-(typeattributeset processinfo_service_26_0 (processinfo_service))
-(typeattributeset proc_interrupts_26_0 (proc_interrupts))
-(typeattributeset proc_iomem_26_0 (proc_iomem))
-(typeattributeset proc_meminfo_26_0 (proc_meminfo))
-(typeattributeset proc_misc_26_0 (proc_misc))
-(typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_26_0 (proc_perf))
-(typeattributeset proc_security_26_0 (proc_security))
-(typeattributeset proc_stat_26_0 (proc_stat))
-(typeattributeset procstats_service_26_0 (procstats_service))
-(typeattributeset proc_sysrq_26_0 (proc_sysrq))
-(typeattributeset proc_timer_26_0 (proc_timer))
-(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
-(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
-(typeattributeset profman_26_0 (profman))
-(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
-(typeattributeset profman_exec_26_0 (profman_exec))
-(typeattributeset properties_device_26_0 (properties_device))
-(typeattributeset properties_serial_26_0 (properties_serial))
-(typeattributeset property_contexts_file_26_0 (property_contexts_file))
-(typeattributeset property_data_file_26_0 (property_data_file))
-(typeattributeset property_socket_26_0 (property_socket))
-(typeattributeset pstorefs_26_0 (pstorefs))
-(typeattributeset ptmx_device_26_0 (ptmx_device))
-(typeattributeset qtaguid_device_26_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_26_0
- ( qtaguid_proc
- proc_qtaguid_ctrl))
-(typeattributeset racoon_26_0 (racoon))
-(typeattributeset racoon_exec_26_0 (racoon_exec))
-(typeattributeset racoon_socket_26_0 (racoon_socket))
-(typeattributeset radio_26_0 (radio))
-(typeattributeset radio_data_file_26_0 (radio_data_file))
-(typeattributeset radio_device_26_0 (radio_device))
-(typeattributeset radio_prop_26_0 (radio_prop))
-(typeattributeset radio_service_26_0 (radio_service))
-(typeattributeset ram_device_26_0 (ram_device))
-(typeattributeset random_device_26_0 (random_device))
-(typeattributeset reboot_data_file_26_0 (reboot_data_file))
-(typeattributeset recovery_26_0 (recovery))
-(typeattributeset recovery_block_device_26_0 (recovery_block_device))
-(typeattributeset recovery_data_file_26_0 (recovery_data_file))
-(typeattributeset recovery_persist_26_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_26_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_26_0 (recovery_service))
-(typeattributeset registry_service_26_0 (registry_service))
-(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_26_0 (restorecon_prop))
-(typeattributeset restrictions_service_26_0 (restrictions_service))
-(typeattributeset rild_26_0 (rild))
-(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
-(typeattributeset rild_socket_26_0 (rild_socket))
-(typeattributeset ringtone_file_26_0 (ringtone_file))
-(typeattributeset root_block_device_26_0 (root_block_device))
-(typeattributeset rootfs_26_0 (rootfs))
-(typeattributeset rpmsg_device_26_0 (rpmsg_device))
-(typeattributeset rtc_device_26_0 (rtc_device))
-(typeattributeset rttmanager_service_26_0 (rttmanager_service))
-(typeattributeset runas_26_0 (runas))
-(typeattributeset runas_exec_26_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
-(typeattributeset sdcardd_26_0 (sdcardd))
-(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
-(typeattributeset sdcardfs_26_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
-(typeattributeset search_service_26_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_26_0 (selinuxfs))
-(typeattributeset sensors_device_26_0 (sensors_device))
-(typeattributeset sensorservice_service_26_0 (sensorservice_service))
-(typeattributeset sepolicy_file_26_0 (sepolicy_file))
-(typeattributeset serial_device_26_0 (serial_device))
-(typeattributeset serialno_prop_26_0 (serialno_prop))
-(typeattributeset serial_service_26_0 (serial_service))
-(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
-(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
-(typeattributeset servicemanager_26_0 (servicemanager))
-(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
-(typeattributeset settings_service_26_0 (settings_service))
-(typeattributeset sgdisk_26_0 (sgdisk))
-(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
-(typeattributeset shared_relro_26_0 (shared_relro))
-(typeattributeset shared_relro_file_26_0 (shared_relro_file))
-(typeattributeset shell_26_0 (shell))
-(typeattributeset shell_data_file_26_0 (shell_data_file))
-(typeattributeset shell_exec_26_0 (shell_exec))
-(typeattributeset shell_prop_26_0 (shell_prop))
-(typeattributeset shm_26_0 (shm))
-(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_26_0 (shortcut_service))
-(typeattributeset slideshow_26_0 (slideshow))
-(typeattributeset socket_device_26_0 (socket_device))
-(typeattributeset sockfs_26_0 (sockfs))
-(typeattributeset statusbar_service_26_0 (statusbar_service))
-(typeattributeset storaged_service_26_0 (storaged_service))
-(typeattributeset storage_file_26_0 (storage_file))
-(typeattributeset storagestats_service_26_0 (storagestats_service))
-(typeattributeset storage_stub_file_26_0 (storage_stub_file))
-(typeattributeset su_26_0 (su))
-(typeattributeset su_exec_26_0 (su_exec))
-(typeattributeset surfaceflinger_26_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_26_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_26_0 (sysfs_uio))
-(typeattributeset sysfs_usb_26_0 (sysfs_usb))
-(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_26_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
-(typeattributeset system_app_26_0 (system_app))
-(typeattributeset system_app_data_file_26_0 (system_app_data_file))
-(typeattributeset system_app_service_26_0 (system_app_service))
-(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_26_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
-(typeattributeset system_prop_26_0 (system_prop))
-(typeattributeset system_radio_prop_26_0 (system_radio_prop))
-(typeattributeset system_server_26_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
-(typeattributeset task_service_26_0 (task_service))
-(typeattributeset tee_26_0 (tee))
-(typeattributeset tee_data_file_26_0 (tee_data_file))
-(typeattributeset tee_device_26_0 (tee_device))
-(typeattributeset telecom_service_26_0 (telecom_service))
-(typeattributeset textclassification_service_26_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
-(typeattributeset textservices_service_26_0 (textservices_service))
-(typeattributeset tmpfs_26_0 (tmpfs))
-(typeattributeset tombstoned_26_0 (tombstoned))
-(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
-(typeattributeset toolbox_26_0 (toolbox))
-(typeattributeset toolbox_exec_26_0 (toolbox_exec))
-(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
-(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
-(typeattributeset trust_service_26_0 (trust_service))
-(typeattributeset tty_device_26_0 (tty_device))
-(typeattributeset tun_device_26_0 (tun_device))
-(typeattributeset tv_input_service_26_0 (tv_input_service))
-(typeattributeset tzdatacheck_26_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
-(typeattributeset ueventd_26_0 (ueventd))
-(typeattributeset uhid_device_26_0 (uhid_device))
-(typeattributeset uimode_service_26_0 (uimode_service))
-(typeattributeset uio_device_26_0 (uio_device))
-(typeattributeset uncrypt_26_0 (uncrypt))
-(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
-(typeattributeset unlabeled_26_0 (unlabeled))
-(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
-(typeattributeset update_engine_26_0 (update_engine))
-(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_26_0 (update_engine_exec))
-(typeattributeset update_engine_service_26_0 (update_engine_service))
-(typeattributeset updatelock_service_26_0 (updatelock_service))
-(typeattributeset update_verifier_26_0 (update_verifier))
-(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
-(typeattributeset usagestats_service_26_0 (usagestats_service))
-(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
-(typeattributeset usb_device_26_0 (usb_device))
-(typeattributeset usbfs_26_0 (usbfs))
-(typeattributeset usb_service_26_0 (usb_service))
-(typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
-(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
-(typeattributeset user_service_26_0 (user_service))
-(typeattributeset vcs_device_26_0 (vcs_device))
-(typeattributeset vdc_26_0 (vdc))
-(typeattributeset vdc_exec_26_0 (vdc_exec))
-(typeattributeset vendor_app_file_26_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
-(typeattributeset vendor_file_26_0 (vendor_file))
-(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
-(typeattributeset vfat_26_0 (vfat))
-(typeattributeset vibrator_service_26_0 (vibrator_service))
-(typeattributeset video_device_26_0 (video_device))
-(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_26_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_26_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
-(typeattributeset vold_26_0 (vold))
-(typeattributeset vold_data_file_26_0 (vold_data_file))
-(typeattributeset vold_device_26_0 (vold_device))
-(typeattributeset vold_exec_26_0 (vold_exec))
-(typeattributeset vold_prop_26_0 (vold_prop))
-(typeattributeset vold_socket_26_0 (vold_socket))
-(typeattributeset vpn_data_file_26_0 (vpn_data_file))
-(typeattributeset vr_hwc_26_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_26_0 (vr_manager_service))
-(typeattributeset wallpaper_file_26_0 (wallpaper_file))
-(typeattributeset wallpaper_service_26_0 (wallpaper_service))
-(typeattributeset watchdogd_26_0 (watchdogd))
-(typeattributeset watchdog_device_26_0 (watchdog_device))
-(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
-(typeattributeset webview_zygote_26_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_26_0 (wifiaware_service))
-(typeattributeset wificond_26_0 (wificond))
-(typeattributeset wificond_exec_26_0 (wificond_exec))
-(typeattributeset wificond_service_26_0 (wificond_service))
-(typeattributeset wifi_data_file_26_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_26_0 (wifip2p_service))
-(typeattributeset wifi_prop_26_0 (wifi_prop))
-(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
-(typeattributeset wifi_service_26_0 (wifi_service))
-(typeattributeset window_service_26_0 (window_service))
-(typeattributeset wpa_socket_26_0 (wpa_socket))
-(typeattributeset zero_device_26_0 (zero_device))
-(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
-(typeattributeset zygote_26_0 (zygote))
-(typeattributeset zygote_exec_26_0 (zygote_exec))
-(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
deleted file mode 100644
index 2e85b23..0000000
--- a/private/compat/26.0/26.0.compat.cil
+++ /dev/null
@@ -1,11 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
-(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
deleted file mode 100644
index 98d5840..0000000
--- a/private/compat/26.0/26.0.ignore.cil
+++ /dev/null
@@ -1,238 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- activity_task_service
- adb_service
- adbd_exec
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- audio_config_prop
- atrace
- binder_calls_stats_service
- biometric_service
- boot_status_prop
- bootloader_boot_reason_prop
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- broadcastradio_service
- cgroup_bpf
- charger_exec
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_apexd_prop
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- dalvik_config_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- e2fs
- e2fs_exec
- exfat
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_radio_prop
- exported3_system_prop
- fastbootd
- fingerprint_vendor_data_file
- flags_health_check
- flags_health_check_exec
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_broadcastradio_hwservice
- hal_cas_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_lowpan_hwservice
- hal_neuralnetworks_hwservice
- hal_secure_element_hwservice
- hal_tetheroffload_hwservice
- hal_wifi_hostapd_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_offload_hwservice
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- kmsg_debug_device
- last_boot_reason_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- lmkd_config_prop
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- mediaextractor_update_service
- mediaprovider_tmpfs
- metadata_bootstat_file
- metadata_file
- mnt_product_file
- mnt_vendor_file
- netd_stable_secret_prop
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- overlayfs_file
- package_native_service
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- property_info
- recovery_socket
- role_service
- runas_app
- art_apex_dir
- runtime_service
- secure_element
- secure_element_device
- secure_element_tmpfs
- secure_element_service
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- socket_hook_prop
- staging_data_file
- stats
- stats_data_file
- stats_exec
- stats_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- statscompanion_service
- storaged_data_file
- super_block_device
- surfaceflinger_color_prop
- surfaceflinger_prop
- sysfs_fs_ext4_features
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_net_netd_hwservice
- system_update_service
- systemsound_config_prop
- test_boot_reason_prop
- thermal_service
- thermalcallback_hwservice
- thermalserviced
- thermalserviced_exec
- thermalserviced_tmpfs
- time_prop
- timedetector_service
- timezone_service
- tombstoned_java_trace_socket
- tombstone_wifi_data_file
- trace_data_file
- traceur_app
- traceur_app_tmpfs
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- vendor_default_prop
- vendor_security_patch_level_prop
- uri_grants_service
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_apex_file
- vendor_init
- vendor_shell
- vendor_socket_hook_prop
- vndk_prop
- vold_config_prop
- vold_metadata_file
- vold_post_fs_data_prop
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vold_status_prop
- vrflinger_vsync_service
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs
- wm_trace_data_file))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- adbd_tmpfs
- untrusted_app_27_tmpfs))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
deleted file mode 100644
index 0d883c0..0000000
--- a/private/compat/27.0/27.0.cil
+++ /dev/null
@@ -1,1507 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_server)
-
-;; types removed from current policy
-(type commontime_management_service)
-(type hal_wifi_offload_hwservice)
-(type mediacodec)
-(type mediacodec_exec)
-(type netd_socket)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type rild)
-(type untrusted_v2_app)
-(type webview_zygote_socket)
-(type vold_socket)
-
-(expandtypeattribute (accessibility_service_27_0) true)
-(expandtypeattribute (account_service_27_0) true)
-(expandtypeattribute (activity_service_27_0) true)
-(expandtypeattribute (adbd_27_0) true)
-(expandtypeattribute (adb_data_file_27_0) true)
-(expandtypeattribute (adbd_exec_27_0) true)
-(expandtypeattribute (adbd_socket_27_0) true)
-(expandtypeattribute (adb_keys_file_27_0) true)
-(expandtypeattribute (alarm_device_27_0) true)
-(expandtypeattribute (alarm_service_27_0) true)
-(expandtypeattribute (anr_data_file_27_0) true)
-(expandtypeattribute (apk_data_file_27_0) true)
-(expandtypeattribute (apk_private_data_file_27_0) true)
-(expandtypeattribute (apk_private_tmp_file_27_0) true)
-(expandtypeattribute (apk_tmp_file_27_0) true)
-(expandtypeattribute (app_data_file_27_0) true)
-(expandtypeattribute (app_fuse_file_27_0) true)
-(expandtypeattribute (app_fusefs_27_0) true)
-(expandtypeattribute (appops_service_27_0) true)
-(expandtypeattribute (appwidget_service_27_0) true)
-(expandtypeattribute (asec_apk_file_27_0) true)
-(expandtypeattribute (asec_image_file_27_0) true)
-(expandtypeattribute (asec_public_file_27_0) true)
-(expandtypeattribute (ashmem_device_27_0) true)
-(expandtypeattribute (assetatlas_service_27_0) true)
-(expandtypeattribute (audio_data_file_27_0) true)
-(expandtypeattribute (audio_device_27_0) true)
-(expandtypeattribute (audiohal_data_file_27_0) true)
-(expandtypeattribute (audio_prop_27_0) true)
-(expandtypeattribute (audio_seq_device_27_0) true)
-(expandtypeattribute (audioserver_27_0) true)
-(expandtypeattribute (audioserver_data_file_27_0) true)
-(expandtypeattribute (audioserver_service_27_0) true)
-(expandtypeattribute (audio_service_27_0) true)
-(expandtypeattribute (audio_timer_device_27_0) true)
-(expandtypeattribute (autofill_service_27_0) true)
-(expandtypeattribute (backup_data_file_27_0) true)
-(expandtypeattribute (backup_service_27_0) true)
-(expandtypeattribute (batteryproperties_service_27_0) true)
-(expandtypeattribute (battery_service_27_0) true)
-(expandtypeattribute (batterystats_service_27_0) true)
-(expandtypeattribute (binder_device_27_0) true)
-(expandtypeattribute (binfmt_miscfs_27_0) true)
-(expandtypeattribute (blkid_27_0) true)
-(expandtypeattribute (blkid_untrusted_27_0) true)
-(expandtypeattribute (block_device_27_0) true)
-(expandtypeattribute (bluetooth_27_0) true)
-(expandtypeattribute (bluetooth_data_file_27_0) true)
-(expandtypeattribute (bluetooth_efs_file_27_0) true)
-(expandtypeattribute (bluetooth_logs_data_file_27_0) true)
-(expandtypeattribute (bluetooth_manager_service_27_0) true)
-(expandtypeattribute (bluetooth_prop_27_0) true)
-(expandtypeattribute (bluetooth_service_27_0) true)
-(expandtypeattribute (bluetooth_socket_27_0) true)
-(expandtypeattribute (bootanim_27_0) true)
-(expandtypeattribute (bootanim_exec_27_0) true)
-(expandtypeattribute (boot_block_device_27_0) true)
-(expandtypeattribute (bootchart_data_file_27_0) true)
-(expandtypeattribute (bootstat_27_0) true)
-(expandtypeattribute (bootstat_data_file_27_0) true)
-(expandtypeattribute (bootstat_exec_27_0) true)
-(expandtypeattribute (boottime_prop_27_0) true)
-(expandtypeattribute (boottrace_data_file_27_0) true)
-(expandtypeattribute (broadcastradio_service_27_0) true)
-(expandtypeattribute (bufferhubd_27_0) true)
-(expandtypeattribute (bufferhubd_exec_27_0) true)
-(expandtypeattribute (cache_backup_file_27_0) true)
-(expandtypeattribute (cache_block_device_27_0) true)
-(expandtypeattribute (cache_file_27_0) true)
-(expandtypeattribute (cache_private_backup_file_27_0) true)
-(expandtypeattribute (cache_recovery_file_27_0) true)
-(expandtypeattribute (camera_data_file_27_0) true)
-(expandtypeattribute (camera_device_27_0) true)
-(expandtypeattribute (cameraproxy_service_27_0) true)
-(expandtypeattribute (cameraserver_27_0) true)
-(expandtypeattribute (cameraserver_exec_27_0) true)
-(expandtypeattribute (cameraserver_service_27_0) true)
-(expandtypeattribute (cgroup_27_0) true)
-(expandtypeattribute (charger_27_0) true)
-(expandtypeattribute (clatd_27_0) true)
-(expandtypeattribute (clatd_exec_27_0) true)
-(expandtypeattribute (clipboard_service_27_0) true)
-(expandtypeattribute (commontime_management_service_27_0) true)
-(expandtypeattribute (companion_device_service_27_0) true)
-(expandtypeattribute (configfs_27_0) true)
-(expandtypeattribute (config_prop_27_0) true)
-(expandtypeattribute (connectivity_service_27_0) true)
-(expandtypeattribute (connmetrics_service_27_0) true)
-(expandtypeattribute (console_device_27_0) true)
-(expandtypeattribute (consumer_ir_service_27_0) true)
-(expandtypeattribute (content_service_27_0) true)
-(expandtypeattribute (contexthub_service_27_0) true)
-(expandtypeattribute (coredump_file_27_0) true)
-(expandtypeattribute (country_detector_service_27_0) true)
-(expandtypeattribute (coverage_service_27_0) true)
-(expandtypeattribute (cppreopt_prop_27_0) true)
-(expandtypeattribute (cppreopts_27_0) true)
-(expandtypeattribute (cppreopts_exec_27_0) true)
-(expandtypeattribute (cpuctl_device_27_0) true)
-(expandtypeattribute (cpuinfo_service_27_0) true)
-(expandtypeattribute (crash_dump_27_0) true)
-(expandtypeattribute (crash_dump_exec_27_0) true)
-(expandtypeattribute (ctl_bootanim_prop_27_0) true)
-(expandtypeattribute (ctl_bugreport_prop_27_0) true)
-(expandtypeattribute (ctl_console_prop_27_0) true)
-(expandtypeattribute (ctl_default_prop_27_0) true)
-(expandtypeattribute (ctl_dumpstate_prop_27_0) true)
-(expandtypeattribute (ctl_fuse_prop_27_0) true)
-(expandtypeattribute (ctl_mdnsd_prop_27_0) true)
-(expandtypeattribute (ctl_rildaemon_prop_27_0) true)
-(expandtypeattribute (dalvikcache_data_file_27_0) true)
-(expandtypeattribute (dalvik_prop_27_0) true)
-(expandtypeattribute (dbinfo_service_27_0) true)
-(expandtypeattribute (debugfs_27_0) true)
-(expandtypeattribute (debugfs_mmc_27_0) true)
-(expandtypeattribute (debugfs_trace_marker_27_0) true)
-(expandtypeattribute (debugfs_tracing_27_0) true)
-(expandtypeattribute (debugfs_tracing_debug_27_0) true)
-(expandtypeattribute (debugfs_tracing_instances_27_0) true)
-(expandtypeattribute (debugfs_wifi_tracing_27_0) true)
-(expandtypeattribute (debuggerd_prop_27_0) true)
-(expandtypeattribute (debug_prop_27_0) true)
-(expandtypeattribute (default_android_hwservice_27_0) true)
-(expandtypeattribute (default_android_service_27_0) true)
-(expandtypeattribute (default_android_vndservice_27_0) true)
-(expandtypeattribute (default_prop_27_0) true)
-(expandtypeattribute (device_27_0) true)
-(expandtypeattribute (device_identifiers_service_27_0) true)
-(expandtypeattribute (deviceidle_service_27_0) true)
-(expandtypeattribute (device_logging_prop_27_0) true)
-(expandtypeattribute (device_policy_service_27_0) true)
-(expandtypeattribute (devicestoragemonitor_service_27_0) true)
-(expandtypeattribute (devpts_27_0) true)
-(expandtypeattribute (dex2oat_27_0) true)
-(expandtypeattribute (dex2oat_exec_27_0) true)
-(expandtypeattribute (dhcp_27_0) true)
-(expandtypeattribute (dhcp_data_file_27_0) true)
-(expandtypeattribute (dhcp_exec_27_0) true)
-(expandtypeattribute (dhcp_prop_27_0) true)
-(expandtypeattribute (diskstats_service_27_0) true)
-(expandtypeattribute (display_service_27_0) true)
-(expandtypeattribute (dm_device_27_0) true)
-(expandtypeattribute (dnsmasq_27_0) true)
-(expandtypeattribute (dnsmasq_exec_27_0) true)
-(expandtypeattribute (dnsproxyd_socket_27_0) true)
-(expandtypeattribute (DockObserver_service_27_0) true)
-(expandtypeattribute (dreams_service_27_0) true)
-(expandtypeattribute (drm_data_file_27_0) true)
-(expandtypeattribute (drmserver_27_0) true)
-(expandtypeattribute (drmserver_exec_27_0) true)
-(expandtypeattribute (drmserver_service_27_0) true)
-(expandtypeattribute (drmserver_socket_27_0) true)
-(expandtypeattribute (dropbox_service_27_0) true)
-(expandtypeattribute (dumpstate_27_0) true)
-(expandtypeattribute (dumpstate_exec_27_0) true)
-(expandtypeattribute (dumpstate_options_prop_27_0) true)
-(expandtypeattribute (dumpstate_prop_27_0) true)
-(expandtypeattribute (dumpstate_service_27_0) true)
-(expandtypeattribute (dumpstate_socket_27_0) true)
-(expandtypeattribute (e2fs_27_0) true)
-(expandtypeattribute (e2fs_exec_27_0) true)
-(expandtypeattribute (efs_file_27_0) true)
-(expandtypeattribute (ephemeral_app_27_0) true)
-(expandtypeattribute (ethernet_service_27_0) true)
-(expandtypeattribute (ffs_prop_27_0) true)
-(expandtypeattribute (file_contexts_file_27_0) true)
-(expandtypeattribute (fingerprintd_27_0) true)
-(expandtypeattribute (fingerprintd_data_file_27_0) true)
-(expandtypeattribute (fingerprintd_exec_27_0) true)
-(expandtypeattribute (fingerprintd_service_27_0) true)
-(expandtypeattribute (fingerprint_prop_27_0) true)
-(expandtypeattribute (fingerprint_service_27_0) true)
-(expandtypeattribute (firstboot_prop_27_0) true)
-(expandtypeattribute (font_service_27_0) true)
-(expandtypeattribute (frp_block_device_27_0) true)
-(expandtypeattribute (fsck_27_0) true)
-(expandtypeattribute (fsck_exec_27_0) true)
-(expandtypeattribute (fscklogs_27_0) true)
-(expandtypeattribute (fsck_untrusted_27_0) true)
-(expandtypeattribute (full_device_27_0) true)
-(expandtypeattribute (functionfs_27_0) true)
-(expandtypeattribute (fuse_27_0) true)
-(expandtypeattribute (fuse_device_27_0) true)
-(expandtypeattribute (fwk_display_hwservice_27_0) true)
-(expandtypeattribute (fwk_scheduler_hwservice_27_0) true)
-(expandtypeattribute (fwk_sensor_hwservice_27_0) true)
-(expandtypeattribute (fwmarkd_socket_27_0) true)
-(expandtypeattribute (gatekeeperd_27_0) true)
-(expandtypeattribute (gatekeeper_data_file_27_0) true)
-(expandtypeattribute (gatekeeperd_exec_27_0) true)
-(expandtypeattribute (gatekeeper_service_27_0) true)
-(expandtypeattribute (gfxinfo_service_27_0) true)
-(expandtypeattribute (gps_control_27_0) true)
-(expandtypeattribute (gpu_device_27_0) true)
-(expandtypeattribute (gpu_service_27_0) true)
-(expandtypeattribute (graphics_device_27_0) true)
-(expandtypeattribute (graphicsstats_service_27_0) true)
-(expandtypeattribute (hal_audio_hwservice_27_0) true)
-(expandtypeattribute (hal_bluetooth_hwservice_27_0) true)
-(expandtypeattribute (hal_bootctl_hwservice_27_0) true)
-(expandtypeattribute (hal_broadcastradio_hwservice_27_0) true)
-(expandtypeattribute (hal_camera_hwservice_27_0) true)
-(expandtypeattribute (hal_cas_hwservice_27_0) true)
-(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_27_0) true)
-(expandtypeattribute (hal_contexthub_hwservice_27_0) true)
-(expandtypeattribute (hal_drm_hwservice_27_0) true)
-(expandtypeattribute (hal_dumpstate_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_service_27_0) true)
-(expandtypeattribute (hal_gatekeeper_hwservice_27_0) true)
-(expandtypeattribute (hal_gnss_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_allocator_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_composer_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_mapper_hwservice_27_0) true)
-(expandtypeattribute (hal_health_hwservice_27_0) true)
-(expandtypeattribute (hal_ir_hwservice_27_0) true)
-(expandtypeattribute (hal_keymaster_hwservice_27_0) true)
-(expandtypeattribute (hal_light_hwservice_27_0) true)
-(expandtypeattribute (hal_memtrack_hwservice_27_0) true)
-(expandtypeattribute (hal_neuralnetworks_hwservice_27_0) true)
-(expandtypeattribute (hal_nfc_hwservice_27_0) true)
-(expandtypeattribute (hal_oemlock_hwservice_27_0) true)
-(expandtypeattribute (hal_omx_hwservice_27_0) true)
-(expandtypeattribute (hal_power_hwservice_27_0) true)
-(expandtypeattribute (hal_renderscript_hwservice_27_0) true)
-(expandtypeattribute (hal_sensors_hwservice_27_0) true)
-(expandtypeattribute (hal_telephony_hwservice_27_0) true)
-(expandtypeattribute (hal_tetheroffload_hwservice_27_0) true)
-(expandtypeattribute (hal_thermal_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_cec_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_input_hwservice_27_0) true)
-(expandtypeattribute (hal_usb_hwservice_27_0) true)
-(expandtypeattribute (hal_vibrator_hwservice_27_0) true)
-(expandtypeattribute (hal_vr_hwservice_27_0) true)
-(expandtypeattribute (hal_weaver_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_offload_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_supplicant_hwservice_27_0) true)
-(expandtypeattribute (hardware_properties_service_27_0) true)
-(expandtypeattribute (hardware_service_27_0) true)
-(expandtypeattribute (hci_attach_dev_27_0) true)
-(expandtypeattribute (hdmi_control_service_27_0) true)
-(expandtypeattribute (healthd_27_0) true)
-(expandtypeattribute (healthd_exec_27_0) true)
-(expandtypeattribute (heapdump_data_file_27_0) true)
-(expandtypeattribute (hidl_allocator_hwservice_27_0) true)
-(expandtypeattribute (hidl_base_hwservice_27_0) true)
-(expandtypeattribute (hidl_manager_hwservice_27_0) true)
-(expandtypeattribute (hidl_memory_hwservice_27_0) true)
-(expandtypeattribute (hidl_token_hwservice_27_0) true)
-(expandtypeattribute (hwbinder_device_27_0) true)
-(expandtypeattribute (hw_random_device_27_0) true)
-(expandtypeattribute (hwservice_contexts_file_27_0) true)
-(expandtypeattribute (hwservicemanager_27_0) true)
-(expandtypeattribute (hwservicemanager_exec_27_0) true)
-(expandtypeattribute (hwservicemanager_prop_27_0) true)
-(expandtypeattribute (i2c_device_27_0) true)
-(expandtypeattribute (icon_file_27_0) true)
-(expandtypeattribute (idmap_27_0) true)
-(expandtypeattribute (idmap_exec_27_0) true)
-(expandtypeattribute (iio_device_27_0) true)
-(expandtypeattribute (imms_service_27_0) true)
-(expandtypeattribute (incident_27_0) true)
-(expandtypeattribute (incidentd_27_0) true)
-(expandtypeattribute (incident_data_file_27_0) true)
-(expandtypeattribute (incident_service_27_0) true)
-(expandtypeattribute (init_27_0) true)
-(expandtypeattribute (init_exec_27_0) true)
-(expandtypeattribute (inotify_27_0) true)
-(expandtypeattribute (input_device_27_0) true)
-(expandtypeattribute (inputflinger_27_0) true)
-(expandtypeattribute (inputflinger_exec_27_0) true)
-(expandtypeattribute (inputflinger_service_27_0) true)
-(expandtypeattribute (input_method_service_27_0) true)
-(expandtypeattribute (input_service_27_0) true)
-(expandtypeattribute (installd_27_0) true)
-(expandtypeattribute (install_data_file_27_0) true)
-(expandtypeattribute (installd_exec_27_0) true)
-(expandtypeattribute (installd_service_27_0) true)
-(expandtypeattribute (install_recovery_27_0) true)
-(expandtypeattribute (install_recovery_exec_27_0) true)
-(expandtypeattribute (ion_device_27_0) true)
-(expandtypeattribute (IProxyService_service_27_0) true)
-(expandtypeattribute (ipsec_service_27_0) true)
-(expandtypeattribute (isolated_app_27_0) true)
-(expandtypeattribute (jobscheduler_service_27_0) true)
-(expandtypeattribute (kernel_27_0) true)
-(expandtypeattribute (keychain_data_file_27_0) true)
-(expandtypeattribute (keychord_device_27_0) true)
-(expandtypeattribute (keystore_27_0) true)
-(expandtypeattribute (keystore_data_file_27_0) true)
-(expandtypeattribute (keystore_exec_27_0) true)
-(expandtypeattribute (keystore_service_27_0) true)
-(expandtypeattribute (kmem_device_27_0) true)
-(expandtypeattribute (kmsg_debug_device_27_0) true)
-(expandtypeattribute (kmsg_device_27_0) true)
-(expandtypeattribute (labeledfs_27_0) true)
-(expandtypeattribute (launcherapps_service_27_0) true)
-(expandtypeattribute (lmkd_27_0) true)
-(expandtypeattribute (lmkd_exec_27_0) true)
-(expandtypeattribute (lmkd_socket_27_0) true)
-(expandtypeattribute (location_service_27_0) true)
-(expandtypeattribute (lock_settings_service_27_0) true)
-(expandtypeattribute (logcat_exec_27_0) true)
-(expandtypeattribute (logd_27_0) true)
-(expandtypeattribute (logd_exec_27_0) true)
-(expandtypeattribute (logd_prop_27_0) true)
-(expandtypeattribute (logdr_socket_27_0) true)
-(expandtypeattribute (logd_socket_27_0) true)
-(expandtypeattribute (logdw_socket_27_0) true)
-(expandtypeattribute (logpersist_27_0) true)
-(expandtypeattribute (logpersistd_logging_prop_27_0) true)
-(expandtypeattribute (log_prop_27_0) true)
-(expandtypeattribute (log_tag_prop_27_0) true)
-(expandtypeattribute (loop_control_device_27_0) true)
-(expandtypeattribute (loop_device_27_0) true)
-(expandtypeattribute (mac_perms_file_27_0) true)
-(expandtypeattribute (mdnsd_27_0) true)
-(expandtypeattribute (mdnsd_socket_27_0) true)
-(expandtypeattribute (mdns_socket_27_0) true)
-(expandtypeattribute (mediacodec_27_0) true)
-(expandtypeattribute (mediacodec_exec_27_0) true)
-(expandtypeattribute (mediacodec_service_27_0) true)
-(expandtypeattribute (media_data_file_27_0) true)
-(expandtypeattribute (mediadrmserver_27_0) true)
-(expandtypeattribute (mediadrmserver_exec_27_0) true)
-(expandtypeattribute (mediadrmserver_service_27_0) true)
-(expandtypeattribute (mediaextractor_27_0) true)
-(expandtypeattribute (mediaextractor_exec_27_0) true)
-(expandtypeattribute (mediaextractor_service_27_0) true)
-(expandtypeattribute (mediametrics_27_0) true)
-(expandtypeattribute (mediametrics_exec_27_0) true)
-(expandtypeattribute (mediametrics_service_27_0) true)
-(expandtypeattribute (media_projection_service_27_0) true)
-(expandtypeattribute (mediaprovider_27_0) true)
-(expandtypeattribute (media_router_service_27_0) true)
-(expandtypeattribute (media_rw_data_file_27_0) true)
-(expandtypeattribute (mediaserver_27_0) true)
-(expandtypeattribute (mediaserver_exec_27_0) true)
-(expandtypeattribute (mediaserver_service_27_0) true)
-(expandtypeattribute (media_session_service_27_0) true)
-(expandtypeattribute (meminfo_service_27_0) true)
-(expandtypeattribute (metadata_block_device_27_0) true)
-(expandtypeattribute (method_trace_data_file_27_0) true)
-(expandtypeattribute (midi_service_27_0) true)
-(expandtypeattribute (misc_block_device_27_0) true)
-(expandtypeattribute (misc_logd_file_27_0) true)
-(expandtypeattribute (misc_user_data_file_27_0) true)
-(expandtypeattribute (mmc_prop_27_0) true)
-(expandtypeattribute (mnt_expand_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_stub_file_27_0) true)
-(expandtypeattribute (mnt_user_file_27_0) true)
-(expandtypeattribute (modprobe_27_0) true)
-(expandtypeattribute (mount_service_27_0) true)
-(expandtypeattribute (mqueue_27_0) true)
-(expandtypeattribute (mtd_device_27_0) true)
-(expandtypeattribute (mtp_27_0) true)
-(expandtypeattribute (mtp_device_27_0) true)
-(expandtypeattribute (mtpd_socket_27_0) true)
-(expandtypeattribute (mtp_exec_27_0) true)
-(expandtypeattribute (nativetest_data_file_27_0) true)
-(expandtypeattribute (netd_27_0) true)
-(expandtypeattribute (net_data_file_27_0) true)
-(expandtypeattribute (netd_exec_27_0) true)
-(expandtypeattribute (netd_listener_service_27_0) true)
-(expandtypeattribute (net_dns_prop_27_0) true)
-(expandtypeattribute (netd_service_27_0) true)
-(expandtypeattribute (netd_socket_27_0) true)
-(expandtypeattribute (netd_stable_secret_prop_27_0) true)
-(expandtypeattribute (netif_27_0) true)
-(expandtypeattribute (netpolicy_service_27_0) true)
-(expandtypeattribute (net_radio_prop_27_0) true)
-(expandtypeattribute (netstats_service_27_0) true)
-(expandtypeattribute (netutils_wrapper_27_0) true)
-(expandtypeattribute (netutils_wrapper_exec_27_0) true)
-(expandtypeattribute (network_management_service_27_0) true)
-(expandtypeattribute (network_score_service_27_0) true)
-(expandtypeattribute (network_time_update_service_27_0) true)
-(expandtypeattribute (nfc_27_0) true)
-(expandtypeattribute (nfc_data_file_27_0) true)
-(expandtypeattribute (nfc_device_27_0) true)
-(expandtypeattribute (nfc_prop_27_0) true)
-(expandtypeattribute (nfc_service_27_0) true)
-(expandtypeattribute (node_27_0) true)
-(expandtypeattribute (nonplat_service_contexts_file_27_0) true)
-(expandtypeattribute (notification_service_27_0) true)
-(expandtypeattribute (null_device_27_0) true)
-(expandtypeattribute (oemfs_27_0) true)
-(expandtypeattribute (oem_lock_service_27_0) true)
-(expandtypeattribute (ota_data_file_27_0) true)
-(expandtypeattribute (otadexopt_service_27_0) true)
-(expandtypeattribute (ota_package_file_27_0) true)
-(expandtypeattribute (otapreopt_chroot_27_0) true)
-(expandtypeattribute (otapreopt_chroot_exec_27_0) true)
-(expandtypeattribute (otapreopt_slot_27_0) true)
-(expandtypeattribute (otapreopt_slot_exec_27_0) true)
-(expandtypeattribute (overlay_prop_27_0) true)
-(expandtypeattribute (overlay_service_27_0) true)
-(expandtypeattribute (owntty_device_27_0) true)
-(expandtypeattribute (package_native_service_27_0) true)
-(expandtypeattribute (package_service_27_0) true)
-(expandtypeattribute (pan_result_prop_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_dir_27_0) true)
-(expandtypeattribute (pdx_display_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_dir_27_0) true)
-(expandtypeattribute (pdx_display_manager_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_manager_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_dir_27_0) true)
-(expandtypeattribute (performanced_27_0) true)
-(expandtypeattribute (performanced_exec_27_0) true)
-(expandtypeattribute (permission_service_27_0) true)
-(expandtypeattribute (persist_debug_prop_27_0) true)
-(expandtypeattribute (persistent_data_block_service_27_0) true)
-(expandtypeattribute (persistent_properties_ready_prop_27_0) true)
-(expandtypeattribute (pinner_service_27_0) true)
-(expandtypeattribute (pipefs_27_0) true)
-(expandtypeattribute (platform_app_27_0) true)
-(expandtypeattribute (pmsg_device_27_0) true)
-(expandtypeattribute (port_27_0) true)
-(expandtypeattribute (port_device_27_0) true)
-(expandtypeattribute (postinstall_27_0) true)
-(expandtypeattribute (postinstall_dexopt_27_0) true)
-(expandtypeattribute (postinstall_file_27_0) true)
-(expandtypeattribute (postinstall_mnt_dir_27_0) true)
-(expandtypeattribute (powerctl_prop_27_0) true)
-(expandtypeattribute (power_service_27_0) true)
-(expandtypeattribute (ppp_27_0) true)
-(expandtypeattribute (ppp_device_27_0) true)
-(expandtypeattribute (ppp_exec_27_0) true)
-(expandtypeattribute (preloads_data_file_27_0) true)
-(expandtypeattribute (preloads_media_file_27_0) true)
-(expandtypeattribute (preopt2cachename_27_0) true)
-(expandtypeattribute (preopt2cachename_exec_27_0) true)
-(expandtypeattribute (print_service_27_0) true)
-(expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
-(expandtypeattribute (proc_bluetooth_writable_27_0) true)
-(expandtypeattribute (proc_cpuinfo_27_0) true)
-(expandtypeattribute (proc_drop_caches_27_0) true)
-(expandtypeattribute (processinfo_service_27_0) true)
-(expandtypeattribute (proc_interrupts_27_0) true)
-(expandtypeattribute (proc_iomem_27_0) true)
-(expandtypeattribute (proc_meminfo_27_0) true)
-(expandtypeattribute (proc_misc_27_0) true)
-(expandtypeattribute (proc_modules_27_0) true)
-(expandtypeattribute (proc_net_27_0) true)
-(expandtypeattribute (proc_overcommit_memory_27_0) true)
-(expandtypeattribute (proc_perf_27_0) true)
-(expandtypeattribute (proc_security_27_0) true)
-(expandtypeattribute (proc_stat_27_0) true)
-(expandtypeattribute (procstats_service_27_0) true)
-(expandtypeattribute (proc_sysrq_27_0) true)
-(expandtypeattribute (proc_timer_27_0) true)
-(expandtypeattribute (proc_tty_drivers_27_0) true)
-(expandtypeattribute (proc_uid_cputime_removeuid_27_0) true)
-(expandtypeattribute (proc_uid_cputime_showstat_27_0) true)
-(expandtypeattribute (proc_uid_io_stats_27_0) true)
-(expandtypeattribute (proc_uid_procstat_set_27_0) true)
-(expandtypeattribute (proc_uid_time_in_state_27_0) true)
-(expandtypeattribute (proc_zoneinfo_27_0) true)
-(expandtypeattribute (profman_27_0) true)
-(expandtypeattribute (profman_dump_data_file_27_0) true)
-(expandtypeattribute (profman_exec_27_0) true)
-(expandtypeattribute (properties_device_27_0) true)
-(expandtypeattribute (properties_serial_27_0) true)
-(expandtypeattribute (property_contexts_file_27_0) true)
-(expandtypeattribute (property_data_file_27_0) true)
-(expandtypeattribute (property_socket_27_0) true)
-(expandtypeattribute (pstorefs_27_0) true)
-(expandtypeattribute (ptmx_device_27_0) true)
-(expandtypeattribute (qtaguid_device_27_0) true)
-(expandtypeattribute (qtaguid_proc_27_0) true)
-(expandtypeattribute (racoon_27_0) true)
-(expandtypeattribute (racoon_exec_27_0) true)
-(expandtypeattribute (racoon_socket_27_0) true)
-(expandtypeattribute (radio_27_0) true)
-(expandtypeattribute (radio_data_file_27_0) true)
-(expandtypeattribute (radio_device_27_0) true)
-(expandtypeattribute (radio_prop_27_0) true)
-(expandtypeattribute (radio_service_27_0) true)
-(expandtypeattribute (ram_device_27_0) true)
-(expandtypeattribute (random_device_27_0) true)
-(expandtypeattribute (reboot_data_file_27_0) true)
-(expandtypeattribute (recovery_27_0) true)
-(expandtypeattribute (recovery_block_device_27_0) true)
-(expandtypeattribute (recovery_data_file_27_0) true)
-(expandtypeattribute (recovery_persist_27_0) true)
-(expandtypeattribute (recovery_persist_exec_27_0) true)
-(expandtypeattribute (recovery_refresh_27_0) true)
-(expandtypeattribute (recovery_refresh_exec_27_0) true)
-(expandtypeattribute (recovery_service_27_0) true)
-(expandtypeattribute (registry_service_27_0) true)
-(expandtypeattribute (resourcecache_data_file_27_0) true)
-(expandtypeattribute (restorecon_prop_27_0) true)
-(expandtypeattribute (restrictions_service_27_0) true)
-(expandtypeattribute (rild_27_0) true)
-(expandtypeattribute (rild_debug_socket_27_0) true)
-(expandtypeattribute (rild_socket_27_0) true)
-(expandtypeattribute (ringtone_file_27_0) true)
-(expandtypeattribute (root_block_device_27_0) true)
-(expandtypeattribute (rootfs_27_0) true)
-(expandtypeattribute (rpmsg_device_27_0) true)
-(expandtypeattribute (rtc_device_27_0) true)
-(expandtypeattribute (rttmanager_service_27_0) true)
-(expandtypeattribute (runas_27_0) true)
-(expandtypeattribute (runas_exec_27_0) true)
-(expandtypeattribute (runtime_event_log_tags_file_27_0) true)
-(expandtypeattribute (safemode_prop_27_0) true)
-(expandtypeattribute (same_process_hal_file_27_0) true)
-(expandtypeattribute (samplingprofiler_service_27_0) true)
-(expandtypeattribute (scheduling_policy_service_27_0) true)
-(expandtypeattribute (sdcardd_27_0) true)
-(expandtypeattribute (sdcardd_exec_27_0) true)
-(expandtypeattribute (sdcardfs_27_0) true)
-(expandtypeattribute (seapp_contexts_file_27_0) true)
-(expandtypeattribute (search_service_27_0) true)
-(expandtypeattribute (sec_key_att_app_id_provider_service_27_0) true)
-(expandtypeattribute (selinuxfs_27_0) true)
-(expandtypeattribute (sensors_device_27_0) true)
-(expandtypeattribute (sensorservice_service_27_0) true)
-(expandtypeattribute (sepolicy_file_27_0) true)
-(expandtypeattribute (serial_device_27_0) true)
-(expandtypeattribute (serialno_prop_27_0) true)
-(expandtypeattribute (serial_service_27_0) true)
-(expandtypeattribute (service_contexts_file_27_0) true)
-(expandtypeattribute (servicediscovery_service_27_0) true)
-(expandtypeattribute (servicemanager_27_0) true)
-(expandtypeattribute (servicemanager_exec_27_0) true)
-(expandtypeattribute (settings_service_27_0) true)
-(expandtypeattribute (sgdisk_27_0) true)
-(expandtypeattribute (sgdisk_exec_27_0) true)
-(expandtypeattribute (shared_relro_27_0) true)
-(expandtypeattribute (shared_relro_file_27_0) true)
-(expandtypeattribute (shell_27_0) true)
-(expandtypeattribute (shell_data_file_27_0) true)
-(expandtypeattribute (shell_exec_27_0) true)
-(expandtypeattribute (shell_prop_27_0) true)
-(expandtypeattribute (shm_27_0) true)
-(expandtypeattribute (shortcut_manager_icons_27_0) true)
-(expandtypeattribute (shortcut_service_27_0) true)
-(expandtypeattribute (slideshow_27_0) true)
-(expandtypeattribute (socket_device_27_0) true)
-(expandtypeattribute (sockfs_27_0) true)
-(expandtypeattribute (statusbar_service_27_0) true)
-(expandtypeattribute (storaged_service_27_0) true)
-(expandtypeattribute (storage_file_27_0) true)
-(expandtypeattribute (storagestats_service_27_0) true)
-(expandtypeattribute (storage_stub_file_27_0) true)
-(expandtypeattribute (su_27_0) true)
-(expandtypeattribute (su_exec_27_0) true)
-(expandtypeattribute (surfaceflinger_27_0) true)
-(expandtypeattribute (surfaceflinger_service_27_0) true)
-(expandtypeattribute (swap_block_device_27_0) true)
-(expandtypeattribute (sysfs_27_0) true)
-(expandtypeattribute (sysfs_batteryinfo_27_0) true)
-(expandtypeattribute (sysfs_bluetooth_writable_27_0) true)
-(expandtypeattribute (sysfs_devices_system_cpu_27_0) true)
-(expandtypeattribute (sysfs_fs_ext4_features_27_0) true)
-(expandtypeattribute (sysfs_hwrandom_27_0) true)
-(expandtypeattribute (sysfs_leds_27_0) true)
-(expandtypeattribute (sysfs_lowmemorykiller_27_0) true)
-(expandtypeattribute (sysfs_mac_address_27_0) true)
-(expandtypeattribute (sysfs_nfc_power_writable_27_0) true)
-(expandtypeattribute (sysfs_thermal_27_0) true)
-(expandtypeattribute (sysfs_uio_27_0) true)
-(expandtypeattribute (sysfs_usb_27_0) true)
-(expandtypeattribute (sysfs_usermodehelper_27_0) true)
-(expandtypeattribute (sysfs_vibrator_27_0) true)
-(expandtypeattribute (sysfs_wake_lock_27_0) true)
-(expandtypeattribute (sysfs_wlan_fwpath_27_0) true)
-(expandtypeattribute (sysfs_zram_27_0) true)
-(expandtypeattribute (sysfs_zram_uevent_27_0) true)
-(expandtypeattribute (system_app_27_0) true)
-(expandtypeattribute (system_app_data_file_27_0) true)
-(expandtypeattribute (system_app_service_27_0) true)
-(expandtypeattribute (system_block_device_27_0) true)
-(expandtypeattribute (system_data_file_27_0) true)
-(expandtypeattribute (system_file_27_0) true)
-(expandtypeattribute (systemkeys_data_file_27_0) true)
-(expandtypeattribute (system_ndebug_socket_27_0) true)
-(expandtypeattribute (system_net_netd_hwservice_27_0) true)
-(expandtypeattribute (system_prop_27_0) true)
-(expandtypeattribute (system_radio_prop_27_0) true)
-(expandtypeattribute (system_server_27_0) true)
-(expandtypeattribute (system_wifi_keystore_hwservice_27_0) true)
-(expandtypeattribute (system_wpa_socket_27_0) true)
-(expandtypeattribute (task_service_27_0) true)
-(expandtypeattribute (tee_27_0) true)
-(expandtypeattribute (tee_data_file_27_0) true)
-(expandtypeattribute (tee_device_27_0) true)
-(expandtypeattribute (telecom_service_27_0) true)
-(expandtypeattribute (textclassification_service_27_0) true)
-(expandtypeattribute (textclassifier_data_file_27_0) true)
-(expandtypeattribute (textservices_service_27_0) true)
-(expandtypeattribute (thermalcallback_hwservice_27_0) true)
-(expandtypeattribute (thermal_service_27_0) true)
-(expandtypeattribute (thermalserviced_27_0) true)
-(expandtypeattribute (thermalserviced_exec_27_0) true)
-(expandtypeattribute (timezone_service_27_0) true)
-(expandtypeattribute (tmpfs_27_0) true)
-(expandtypeattribute (tombstoned_27_0) true)
-(expandtypeattribute (tombstone_data_file_27_0) true)
-(expandtypeattribute (tombstoned_crash_socket_27_0) true)
-(expandtypeattribute (tombstoned_exec_27_0) true)
-(expandtypeattribute (tombstoned_intercept_socket_27_0) true)
-(expandtypeattribute (tombstoned_java_trace_socket_27_0) true)
-(expandtypeattribute (toolbox_27_0) true)
-(expandtypeattribute (toolbox_exec_27_0) true)
-(expandtypeattribute (trust_service_27_0) true)
-(expandtypeattribute (tty_device_27_0) true)
-(expandtypeattribute (tun_device_27_0) true)
-(expandtypeattribute (tv_input_service_27_0) true)
-(expandtypeattribute (tzdatacheck_27_0) true)
-(expandtypeattribute (tzdatacheck_exec_27_0) true)
-(expandtypeattribute (ueventd_27_0) true)
-(expandtypeattribute (uhid_device_27_0) true)
-(expandtypeattribute (uimode_service_27_0) true)
-(expandtypeattribute (uio_device_27_0) true)
-(expandtypeattribute (uncrypt_27_0) true)
-(expandtypeattribute (uncrypt_exec_27_0) true)
-(expandtypeattribute (uncrypt_socket_27_0) true)
-(expandtypeattribute (unencrypted_data_file_27_0) true)
-(expandtypeattribute (unlabeled_27_0) true)
-(expandtypeattribute (untrusted_app_25_27_0) true)
-(expandtypeattribute (untrusted_app_27_0) true)
-(expandtypeattribute (untrusted_v2_app_27_0) true)
-(expandtypeattribute (update_engine_27_0) true)
-(expandtypeattribute (update_engine_data_file_27_0) true)
-(expandtypeattribute (update_engine_exec_27_0) true)
-(expandtypeattribute (update_engine_service_27_0) true)
-(expandtypeattribute (updatelock_service_27_0) true)
-(expandtypeattribute (update_verifier_27_0) true)
-(expandtypeattribute (update_verifier_exec_27_0) true)
-(expandtypeattribute (usagestats_service_27_0) true)
-(expandtypeattribute (usbaccessory_device_27_0) true)
-(expandtypeattribute (usb_device_27_0) true)
-(expandtypeattribute (usbfs_27_0) true)
-(expandtypeattribute (usb_service_27_0) true)
-(expandtypeattribute (userdata_block_device_27_0) true)
-(expandtypeattribute (usermodehelper_27_0) true)
-(expandtypeattribute (user_profile_data_file_27_0) true)
-(expandtypeattribute (user_service_27_0) true)
-(expandtypeattribute (vcs_device_27_0) true)
-(expandtypeattribute (vdc_27_0) true)
-(expandtypeattribute (vdc_exec_27_0) true)
-(expandtypeattribute (vendor_app_file_27_0) true)
-(expandtypeattribute (vendor_configs_file_27_0) true)
-(expandtypeattribute (vendor_file_27_0) true)
-(expandtypeattribute (vendor_framework_file_27_0) true)
-(expandtypeattribute (vendor_hal_file_27_0) true)
-(expandtypeattribute (vendor_overlay_file_27_0) true)
-(expandtypeattribute (vendor_shell_exec_27_0) true)
-(expandtypeattribute (vendor_toolbox_exec_27_0) true)
-(expandtypeattribute (vfat_27_0) true)
-(expandtypeattribute (vibrator_service_27_0) true)
-(expandtypeattribute (video_device_27_0) true)
-(expandtypeattribute (virtual_touchpad_27_0) true)
-(expandtypeattribute (virtual_touchpad_exec_27_0) true)
-(expandtypeattribute (virtual_touchpad_service_27_0) true)
-(expandtypeattribute (vndbinder_device_27_0) true)
-(expandtypeattribute (vndk_sp_file_27_0) true)
-(expandtypeattribute (vndservice_contexts_file_27_0) true)
-(expandtypeattribute (vndservicemanager_27_0) true)
-(expandtypeattribute (voiceinteraction_service_27_0) true)
-(expandtypeattribute (vold_27_0) true)
-(expandtypeattribute (vold_data_file_27_0) true)
-(expandtypeattribute (vold_device_27_0) true)
-(expandtypeattribute (vold_exec_27_0) true)
-(expandtypeattribute (vold_prop_27_0) true)
-(expandtypeattribute (vold_socket_27_0) true)
-(expandtypeattribute (vpn_data_file_27_0) true)
-(expandtypeattribute (vr_hwc_27_0) true)
-(expandtypeattribute (vr_hwc_exec_27_0) true)
-(expandtypeattribute (vr_hwc_service_27_0) true)
-(expandtypeattribute (vr_manager_service_27_0) true)
-(expandtypeattribute (wallpaper_file_27_0) true)
-(expandtypeattribute (wallpaper_service_27_0) true)
-(expandtypeattribute (watchdogd_27_0) true)
-(expandtypeattribute (watchdog_device_27_0) true)
-(expandtypeattribute (webviewupdate_service_27_0) true)
-(expandtypeattribute (webview_zygote_27_0) true)
-(expandtypeattribute (webview_zygote_exec_27_0) true)
-(expandtypeattribute (webview_zygote_socket_27_0) true)
-(expandtypeattribute (wifiaware_service_27_0) true)
-(expandtypeattribute (wificond_27_0) true)
-(expandtypeattribute (wificond_exec_27_0) true)
-(expandtypeattribute (wificond_service_27_0) true)
-(expandtypeattribute (wifi_data_file_27_0) true)
-(expandtypeattribute (wifi_log_prop_27_0) true)
-(expandtypeattribute (wifip2p_service_27_0) true)
-(expandtypeattribute (wifi_prop_27_0) true)
-(expandtypeattribute (wifiscanner_service_27_0) true)
-(expandtypeattribute (wifi_service_27_0) true)
-(expandtypeattribute (window_service_27_0) true)
-(expandtypeattribute (wpa_socket_27_0) true)
-(expandtypeattribute (zero_device_27_0) true)
-(expandtypeattribute (zoneinfo_data_file_27_0) true)
-(expandtypeattribute (zygote_27_0) true)
-(expandtypeattribute (zygote_exec_27_0) true)
-(expandtypeattribute (zygote_socket_27_0) true)
-(typeattributeset accessibility_service_27_0 (accessibility_service))
-(typeattributeset account_service_27_0 (account_service))
-(typeattributeset activity_service_27_0 (activity_service))
-(typeattributeset adbd_27_0 (adbd))
-(typeattributeset adb_data_file_27_0 (adb_data_file))
-(typeattributeset adbd_exec_27_0 (adbd_exec))
-(typeattributeset adbd_socket_27_0 (adbd_socket))
-(typeattributeset adb_keys_file_27_0 (adb_keys_file))
-(typeattributeset alarm_device_27_0 (alarm_device))
-(typeattributeset alarm_service_27_0 (alarm_service))
-(typeattributeset anr_data_file_27_0 (anr_data_file))
-(typeattributeset apk_data_file_27_0 (apk_data_file))
-(typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
-(typeattributeset app_data_file_27_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_27_0 (app_fuse_file))
-(typeattributeset app_fusefs_27_0 (app_fusefs))
-(typeattributeset appops_service_27_0 (appops_service))
-(typeattributeset appwidget_service_27_0 (appwidget_service))
-(typeattributeset asec_apk_file_27_0 (asec_apk_file))
-(typeattributeset asec_image_file_27_0 (asec_image_file))
-(typeattributeset asec_public_file_27_0 (asec_public_file))
-(typeattributeset ashmem_device_27_0 (ashmem_device))
-(typeattributeset assetatlas_service_27_0 (assetatlas_service))
-(typeattributeset audio_data_file_27_0 (audio_data_file))
-(typeattributeset audio_device_27_0 (audio_device))
-(typeattributeset audiohal_data_file_27_0 (audiohal_data_file))
-(typeattributeset audio_prop_27_0 (audio_prop))
-(typeattributeset audio_seq_device_27_0 (audio_seq_device))
-(typeattributeset audioserver_27_0 (audioserver))
-(typeattributeset audioserver_data_file_27_0 (audioserver_data_file))
-(typeattributeset audioserver_service_27_0 (audioserver_service))
-(typeattributeset audio_service_27_0 (audio_service))
-(typeattributeset audio_timer_device_27_0 (audio_timer_device))
-(typeattributeset autofill_service_27_0 (autofill_service))
-(typeattributeset backup_data_file_27_0 (backup_data_file))
-(typeattributeset backup_service_27_0 (backup_service))
-(typeattributeset batteryproperties_service_27_0 (batteryproperties_service))
-(typeattributeset battery_service_27_0 (battery_service))
-(typeattributeset batterystats_service_27_0 (batterystats_service))
-(typeattributeset binder_device_27_0 (binder_device))
-(typeattributeset binfmt_miscfs_27_0 (binfmt_miscfs))
-(typeattributeset blkid_27_0 (blkid))
-(typeattributeset blkid_untrusted_27_0 (blkid_untrusted))
-(typeattributeset block_device_27_0 (block_device))
-(typeattributeset bluetooth_27_0 (bluetooth))
-(typeattributeset bluetooth_data_file_27_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_27_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_27_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_27_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_27_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_27_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_27_0 (bluetooth_socket))
-(typeattributeset bootanim_27_0 (bootanim))
-(typeattributeset bootanim_exec_27_0 (bootanim_exec))
-(typeattributeset boot_block_device_27_0 (boot_block_device))
-(typeattributeset bootchart_data_file_27_0 (bootchart_data_file))
-(typeattributeset bootstat_27_0 (bootstat))
-(typeattributeset bootstat_data_file_27_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_27_0 (bootstat_exec))
-(typeattributeset boottime_prop_27_0 (boottime_prop))
-(typeattributeset boottrace_data_file_27_0 (boottrace_data_file))
-(typeattributeset broadcastradio_service_27_0 (broadcastradio_service))
-(typeattributeset bufferhubd_27_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_27_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_27_0 (cache_backup_file))
-(typeattributeset cache_block_device_27_0 (cache_block_device))
-(typeattributeset cache_file_27_0 (cache_file))
-(typeattributeset cache_private_backup_file_27_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_27_0 (cache_recovery_file))
-(typeattributeset camera_data_file_27_0 (camera_data_file))
-(typeattributeset camera_device_27_0 (camera_device))
-(typeattributeset cameraproxy_service_27_0 (cameraproxy_service))
-(typeattributeset cameraserver_27_0 (cameraserver))
-(typeattributeset cameraserver_exec_27_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_27_0 (cameraserver_service))
-(typeattributeset cgroup_27_0 (cgroup))
-(typeattributeset charger_27_0 (charger))
-(typeattributeset clatd_27_0 (clatd))
-(typeattributeset clatd_exec_27_0 (clatd_exec))
-(typeattributeset clipboard_service_27_0 (clipboard_service))
-(typeattributeset commontime_management_service_27_0 (commontime_management_service))
-(typeattributeset companion_device_service_27_0 (companion_device_service))
-(typeattributeset configfs_27_0 (configfs))
-(typeattributeset config_prop_27_0 (config_prop))
-(typeattributeset connectivity_service_27_0 (connectivity_service))
-(typeattributeset connmetrics_service_27_0 (connmetrics_service))
-(typeattributeset console_device_27_0 (console_device))
-(typeattributeset consumer_ir_service_27_0 (consumer_ir_service))
-(typeattributeset content_service_27_0 (content_service))
-(typeattributeset contexthub_service_27_0 (contexthub_service))
-(typeattributeset coredump_file_27_0 (coredump_file))
-(typeattributeset country_detector_service_27_0 (country_detector_service))
-(typeattributeset coverage_service_27_0 (coverage_service))
-(typeattributeset cppreopt_prop_27_0 (cppreopt_prop))
-(typeattributeset cppreopts_27_0 (cppreopts))
-(typeattributeset cppreopts_exec_27_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_27_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_27_0 (cpuinfo_service))
-(typeattributeset crash_dump_27_0 (crash_dump))
-(typeattributeset crash_dump_exec_27_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_27_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_27_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_27_0 (dalvik_prop))
-(typeattributeset dbinfo_service_27_0 (dbinfo_service))
-(typeattributeset debugfs_27_0
- ( debugfs
- debugfs_wakeup_sources))
-(typeattributeset debugfs_mmc_27_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_27_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_27_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_27_0 (debugfs_tracing_debug))
-(typeattributeset debugfs_tracing_instances_27_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_27_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_27_0 (debuggerd_prop))
-(typeattributeset debug_prop_27_0 (debug_prop))
-(typeattributeset default_android_hwservice_27_0 (default_android_hwservice))
-(typeattributeset default_android_service_27_0 (default_android_service))
-(typeattributeset default_android_vndservice_27_0 (default_android_vndservice))
-(typeattributeset default_prop_27_0
- ( default_prop
- pm_prop))
-(typeattributeset device_27_0 (device))
-(typeattributeset device_identifiers_service_27_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_27_0 (deviceidle_service))
-(typeattributeset device_logging_prop_27_0 (device_logging_prop))
-(typeattributeset device_policy_service_27_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_27_0 (devicestoragemonitor_service))
-(typeattributeset devpts_27_0 (devpts))
-(typeattributeset dex2oat_27_0 (dex2oat))
-(typeattributeset dex2oat_exec_27_0 (dex2oat_exec))
-(typeattributeset dhcp_27_0 (dhcp))
-(typeattributeset dhcp_data_file_27_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_27_0 (dhcp_exec))
-(typeattributeset dhcp_prop_27_0 (dhcp_prop))
-(typeattributeset diskstats_service_27_0 (diskstats_service))
-(typeattributeset display_service_27_0 (display_service))
-(typeattributeset dm_device_27_0 (dm_device))
-(typeattributeset dnsmasq_27_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_27_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_27_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_27_0 (DockObserver_service))
-(typeattributeset dreams_service_27_0 (dreams_service))
-(typeattributeset drm_data_file_27_0 (drm_data_file))
-(typeattributeset drmserver_27_0 (drmserver))
-(typeattributeset drmserver_exec_27_0 (drmserver_exec))
-(typeattributeset drmserver_service_27_0 (drmserver_service))
-(typeattributeset drmserver_socket_27_0 (drmserver_socket))
-(typeattributeset dropbox_service_27_0 (dropbox_service))
-(typeattributeset dumpstate_27_0 (dumpstate))
-(typeattributeset dumpstate_exec_27_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_27_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_27_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_27_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_27_0 (dumpstate_socket))
-(typeattributeset e2fs_27_0 (e2fs))
-(typeattributeset e2fs_exec_27_0 (e2fs_exec))
-(typeattributeset efs_file_27_0 (efs_file))
-(typeattributeset ephemeral_app_27_0 (ephemeral_app))
-(typeattributeset ethernet_service_27_0 (ethernet_service))
-(typeattributeset ffs_prop_27_0 (ffs_prop))
-(typeattributeset file_contexts_file_27_0 (file_contexts_file))
-(typeattributeset fingerprintd_27_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_27_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_27_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_27_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_27_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_27_0 (fingerprint_service))
-(typeattributeset firstboot_prop_27_0 (firstboot_prop))
-(typeattributeset font_service_27_0 (font_service))
-(typeattributeset frp_block_device_27_0 (frp_block_device))
-(typeattributeset fsck_27_0 (fsck))
-(typeattributeset fsck_exec_27_0 (fsck_exec))
-(typeattributeset fscklogs_27_0 (fscklogs))
-(typeattributeset fsck_untrusted_27_0 (fsck_untrusted))
-(typeattributeset full_device_27_0 (full_device))
-(typeattributeset functionfs_27_0 (functionfs))
-(typeattributeset fuse_27_0 (fuse))
-(typeattributeset fuse_device_27_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_27_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_27_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_27_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_27_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_27_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_27_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_27_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_27_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_27_0 (gfxinfo_service))
-(typeattributeset gps_control_27_0 (gps_control))
-(typeattributeset gpu_device_27_0 (gpu_device))
-(typeattributeset gpu_service_27_0 (gpu_service))
-(typeattributeset graphics_device_27_0 (graphics_device))
-(typeattributeset graphicsstats_service_27_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_27_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_27_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_27_0 (hal_bootctl_hwservice))
-(typeattributeset hal_broadcastradio_hwservice_27_0 (hal_broadcastradio_hwservice))
-(typeattributeset hal_camera_hwservice_27_0 (hal_camera_hwservice))
-(typeattributeset hal_cas_hwservice_27_0 (hal_cas_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_27_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_27_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_27_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_27_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_27_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_27_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_27_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_27_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_27_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_27_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_27_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_27_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_27_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_27_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_27_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_27_0 (hal_memtrack_hwservice))
-(typeattributeset hal_neuralnetworks_hwservice_27_0 (hal_neuralnetworks_hwservice))
-(typeattributeset hal_nfc_hwservice_27_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_27_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_27_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_27_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_27_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_27_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_27_0 (hal_telephony_hwservice))
-(typeattributeset hal_tetheroffload_hwservice_27_0 (hal_tetheroffload_hwservice))
-(typeattributeset hal_thermal_hwservice_27_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_27_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_27_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_27_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_27_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_27_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_27_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_27_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_offload_hwservice_27_0 (hal_wifi_offload_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_27_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_27_0 (hardware_properties_service))
-(typeattributeset hardware_service_27_0 (hardware_service))
-(typeattributeset hci_attach_dev_27_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_27_0 (hdmi_control_service))
-(typeattributeset healthd_27_0 (healthd))
-(typeattributeset healthd_exec_27_0 (healthd_exec))
-(typeattributeset heapdump_data_file_27_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_27_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_27_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_27_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_27_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_27_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_27_0 (hwbinder_device))
-(typeattributeset hw_random_device_27_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_27_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_27_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_27_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_27_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_27_0 (i2c_device))
-(typeattributeset icon_file_27_0 (icon_file))
-(typeattributeset idmap_27_0 (idmap))
-(typeattributeset idmap_exec_27_0 (idmap_exec))
-(typeattributeset iio_device_27_0 (iio_device))
-(typeattributeset imms_service_27_0 (imms_service))
-(typeattributeset incident_27_0 (incident))
-(typeattributeset incidentd_27_0 (incidentd))
-(typeattributeset incident_data_file_27_0 (incident_data_file))
-(typeattributeset incident_service_27_0 (incident_service))
-(typeattributeset init_27_0 (init))
-(typeattributeset init_exec_27_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_27_0 (inotify))
-(typeattributeset input_device_27_0 (input_device))
-(typeattributeset inputflinger_27_0 (inputflinger))
-(typeattributeset inputflinger_exec_27_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_27_0 (inputflinger_service))
-(typeattributeset input_method_service_27_0 (input_method_service))
-(typeattributeset input_service_27_0 (input_service))
-(typeattributeset installd_27_0 (installd))
-(typeattributeset install_data_file_27_0 (install_data_file))
-(typeattributeset installd_exec_27_0 (installd_exec))
-(typeattributeset installd_service_27_0 (installd_service))
-(typeattributeset install_recovery_27_0 (install_recovery))
-(typeattributeset install_recovery_exec_27_0 (install_recovery_exec))
-(typeattributeset ion_device_27_0 (ion_device))
-(typeattributeset IProxyService_service_27_0 (IProxyService_service))
-(typeattributeset ipsec_service_27_0 (ipsec_service))
-(typeattributeset isolated_app_27_0 (isolated_app))
-(typeattributeset jobscheduler_service_27_0 (jobscheduler_service))
-(typeattributeset kernel_27_0 (kernel))
-(typeattributeset keychain_data_file_27_0 (keychain_data_file))
-(typeattributeset keychord_device_27_0 (keychord_device))
-(typeattributeset keystore_27_0 (keystore))
-(typeattributeset keystore_data_file_27_0 (keystore_data_file))
-(typeattributeset keystore_exec_27_0 (keystore_exec))
-(typeattributeset keystore_service_27_0 (keystore_service))
-(typeattributeset kmem_device_27_0 (kmem_device))
-(typeattributeset kmsg_debug_device_27_0 (kmsg_debug_device))
-(typeattributeset kmsg_device_27_0 (kmsg_device))
-(typeattributeset labeledfs_27_0 (labeledfs))
-(typeattributeset launcherapps_service_27_0 (launcherapps_service))
-(typeattributeset lmkd_27_0 (lmkd))
-(typeattributeset lmkd_exec_27_0 (lmkd_exec))
-(typeattributeset lmkd_socket_27_0 (lmkd_socket))
-(typeattributeset location_service_27_0 (location_service))
-(typeattributeset lock_settings_service_27_0 (lock_settings_service))
-(typeattributeset logcat_exec_27_0 (logcat_exec))
-(typeattributeset logd_27_0 (logd))
-(typeattributeset logd_exec_27_0 (logd_exec))
-(typeattributeset logd_prop_27_0 (logd_prop))
-(typeattributeset logdr_socket_27_0 (logdr_socket))
-(typeattributeset logd_socket_27_0 (logd_socket))
-(typeattributeset logdw_socket_27_0 (logdw_socket))
-(typeattributeset logpersist_27_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_27_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_27_0 (log_prop))
-(typeattributeset log_tag_prop_27_0 (log_tag_prop))
-(typeattributeset loop_control_device_27_0 (loop_control_device))
-(typeattributeset loop_device_27_0 (loop_device))
-(typeattributeset mac_perms_file_27_0 (mac_perms_file))
-(typeattributeset mdnsd_27_0 (mdnsd))
-(typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
-(typeattributeset mdns_socket_27_0 (mdns_socket))
-(typeattributeset hal_omx_server (mediacodec_27_0))
-(typeattributeset mediacodec_27_0 (mediacodec))
-(typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_27_0 (mediacodec_service))
-(typeattributeset media_data_file_27_0 (media_data_file))
-(typeattributeset mediadrmserver_27_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_27_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_27_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_27_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_27_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_27_0 (mediaextractor_service))
-(typeattributeset mediametrics_27_0 (mediametrics))
-(typeattributeset mediametrics_exec_27_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_27_0 (mediametrics_service))
-(typeattributeset media_projection_service_27_0 (media_projection_service))
-(typeattributeset mediaprovider_27_0 (mediaprovider))
-(typeattributeset media_router_service_27_0 (media_router_service))
-(typeattributeset media_rw_data_file_27_0 (media_rw_data_file))
-(typeattributeset mediaserver_27_0 (mediaserver))
-(typeattributeset mediaserver_exec_27_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_27_0 (mediaserver_service))
-(typeattributeset media_session_service_27_0 (media_session_service))
-(typeattributeset meminfo_service_27_0 (meminfo_service))
-(typeattributeset metadata_block_device_27_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_27_0 (method_trace_data_file))
-(typeattributeset midi_service_27_0 (midi_service))
-(typeattributeset misc_block_device_27_0 (misc_block_device))
-(typeattributeset misc_logd_file_27_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_27_0 (misc_user_data_file))
-(typeattributeset mmc_prop_27_0 (mmc_prop))
-(typeattributeset mnt_expand_file_27_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_27_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_27_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_27_0 (mnt_user_file))
-(typeattributeset modprobe_27_0 (modprobe))
-(typeattributeset mount_service_27_0 (mount_service))
-(typeattributeset mqueue_27_0 (mqueue))
-(typeattributeset mtd_device_27_0 (mtd_device))
-(typeattributeset mtp_27_0 (mtp))
-(typeattributeset mtp_device_27_0 (mtp_device))
-(typeattributeset mtpd_socket_27_0 (mtpd_socket))
-(typeattributeset mtp_exec_27_0 (mtp_exec))
-(typeattributeset nativetest_data_file_27_0 (nativetest_data_file))
-(typeattributeset netd_27_0 (netd))
-(typeattributeset net_data_file_27_0 (net_data_file))
-(typeattributeset netd_exec_27_0 (netd_exec))
-(typeattributeset netd_listener_service_27_0 (netd_listener_service))
-(typeattributeset net_dns_prop_27_0 (net_dns_prop))
-(typeattributeset netd_service_27_0 (netd_service))
-(typeattributeset netd_socket_27_0 (netd_socket))
-(typeattributeset netd_stable_secret_prop_27_0 (netd_stable_secret_prop))
-(typeattributeset netif_27_0 (netif))
-(typeattributeset netpolicy_service_27_0 (netpolicy_service))
-(typeattributeset net_radio_prop_27_0 (net_radio_prop))
-(typeattributeset netstats_service_27_0 (netstats_service))
-(typeattributeset netutils_wrapper_27_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_27_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_27_0 (network_management_service))
-(typeattributeset network_score_service_27_0 (network_score_service))
-(typeattributeset network_time_update_service_27_0 (network_time_update_service))
-(typeattributeset nfc_27_0 (nfc))
-(typeattributeset nfc_data_file_27_0 (nfc_data_file))
-(typeattributeset nfc_device_27_0 (nfc_device))
-(typeattributeset nfc_prop_27_0 (nfc_prop))
-(typeattributeset nfc_service_27_0 (nfc_service))
-(typeattributeset node_27_0 (node))
-(typeattributeset nonplat_service_contexts_file_27_0 (nonplat_service_contexts_file))
-(typeattributeset notification_service_27_0 (notification_service))
-(typeattributeset null_device_27_0 (null_device))
-(typeattributeset oemfs_27_0 (oemfs))
-(typeattributeset oem_lock_service_27_0 (oem_lock_service))
-(typeattributeset ota_data_file_27_0 (ota_data_file))
-(typeattributeset otadexopt_service_27_0 (otadexopt_service))
-(typeattributeset ota_package_file_27_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_27_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_27_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_27_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_27_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_27_0 (overlay_prop))
-(typeattributeset overlay_service_27_0 (overlay_service))
-(typeattributeset owntty_device_27_0 (owntty_device))
-(typeattributeset package_native_service_27_0 (package_native_service))
-(typeattributeset package_service_27_0 (package_service))
-(typeattributeset pan_result_prop_27_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_27_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_27_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_27_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_27_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_27_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_27_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_27_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_27_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_27_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_27_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_27_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_27_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_27_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_27_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir))
-(typeattributeset performanced_27_0 (performanced))
-(typeattributeset performanced_exec_27_0 (performanced_exec))
-(typeattributeset permission_service_27_0 (permission_service))
-(typeattributeset persist_debug_prop_27_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_27_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_27_0 (pinner_service))
-(typeattributeset pipefs_27_0 (pipefs))
-(typeattributeset platform_app_27_0 (platform_app))
-(typeattributeset pmsg_device_27_0 (pmsg_device))
-(typeattributeset port_27_0 (port))
-(typeattributeset port_device_27_0 (port_device))
-(typeattributeset postinstall_27_0 (postinstall))
-(typeattributeset postinstall_dexopt_27_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_27_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_27_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_27_0 (powerctl_prop))
-(typeattributeset power_service_27_0 (power_service))
-(typeattributeset ppp_27_0 (ppp))
-(typeattributeset ppp_device_27_0 (ppp_device))
-(typeattributeset ppp_exec_27_0 (ppp_exec))
-(typeattributeset preloads_data_file_27_0 (preloads_data_file))
-(typeattributeset preloads_media_file_27_0 (preloads_media_file))
-(typeattributeset preopt2cachename_27_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_27_0 (preopt2cachename_exec))
-(typeattributeset print_service_27_0 (print_service))
-(typeattributeset priv_app_27_0 (priv_app))
-(typeattributeset proc_27_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_27_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_27_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_27_0 (proc_drop_caches))
-(typeattributeset processinfo_service_27_0 (processinfo_service))
-(typeattributeset proc_interrupts_27_0 (proc_interrupts))
-(typeattributeset proc_iomem_27_0 (proc_iomem))
-(typeattributeset proc_meminfo_27_0 (proc_meminfo))
-(typeattributeset proc_misc_27_0 (proc_misc))
-(typeattributeset proc_modules_27_0 (proc_modules))
-(typeattributeset proc_net_27_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_27_0 (proc_perf))
-(typeattributeset proc_security_27_0 (proc_security))
-(typeattributeset proc_stat_27_0 (proc_stat))
-(typeattributeset procstats_service_27_0 (procstats_service))
-(typeattributeset proc_sysrq_27_0 (proc_sysrq))
-(typeattributeset proc_timer_27_0 (proc_timer))
-(typeattributeset proc_tty_drivers_27_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_27_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_27_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_27_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_27_0 (proc_uid_procstat_set))
-(typeattributeset proc_uid_time_in_state_27_0 (proc_uid_time_in_state))
-(typeattributeset proc_zoneinfo_27_0 (proc_zoneinfo))
-(typeattributeset profman_27_0 (profman))
-(typeattributeset profman_dump_data_file_27_0 (profman_dump_data_file))
-(typeattributeset profman_exec_27_0 (profman_exec))
-(typeattributeset properties_device_27_0 (properties_device))
-(typeattributeset properties_serial_27_0 (properties_serial))
-(typeattributeset property_contexts_file_27_0 (property_contexts_file))
-(typeattributeset property_data_file_27_0 (property_data_file))
-(typeattributeset property_socket_27_0 (property_socket))
-(typeattributeset pstorefs_27_0 (pstorefs))
-(typeattributeset ptmx_device_27_0 (ptmx_device))
-(typeattributeset qtaguid_device_27_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_27_0
- ( proc_qtaguid_ctrl
- qtaguid_proc))
-(typeattributeset racoon_27_0 (racoon))
-(typeattributeset racoon_exec_27_0 (racoon_exec))
-(typeattributeset racoon_socket_27_0 (racoon_socket))
-(typeattributeset radio_27_0 (radio))
-(typeattributeset radio_data_file_27_0 (radio_data_file))
-(typeattributeset radio_device_27_0 (radio_device))
-(typeattributeset radio_prop_27_0 (radio_prop))
-(typeattributeset radio_service_27_0 (radio_service))
-(typeattributeset ram_device_27_0 (ram_device))
-(typeattributeset random_device_27_0 (random_device))
-(typeattributeset reboot_data_file_27_0 (reboot_data_file))
-(typeattributeset recovery_27_0 (recovery))
-(typeattributeset recovery_block_device_27_0 (recovery_block_device))
-(typeattributeset recovery_data_file_27_0 (recovery_data_file))
-(typeattributeset recovery_persist_27_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_27_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_27_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_27_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_27_0 (recovery_service))
-(typeattributeset registry_service_27_0 (registry_service))
-(typeattributeset resourcecache_data_file_27_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_27_0 (restorecon_prop))
-(typeattributeset restrictions_service_27_0 (restrictions_service))
-(typeattributeset rild_27_0 (rild))
-(typeattributeset rild_debug_socket_27_0 (rild_debug_socket))
-(typeattributeset rild_socket_27_0 (rild_socket))
-(typeattributeset ringtone_file_27_0 (ringtone_file))
-(typeattributeset root_block_device_27_0 (root_block_device))
-(typeattributeset rootfs_27_0 (rootfs))
-(typeattributeset rpmsg_device_27_0 (rpmsg_device))
-(typeattributeset rtc_device_27_0 (rtc_device))
-(typeattributeset rttmanager_service_27_0 (rttmanager_service))
-(typeattributeset runas_27_0 (runas))
-(typeattributeset runas_exec_27_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_27_0 (safemode_prop))
-(typeattributeset same_process_hal_file_27_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
-(typeattributeset sdcardd_27_0 (sdcardd))
-(typeattributeset sdcardd_exec_27_0 (sdcardd_exec))
-(typeattributeset sdcardfs_27_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_27_0 (seapp_contexts_file))
-(typeattributeset search_service_27_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_27_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_27_0 (selinuxfs))
-(typeattributeset sensors_device_27_0 (sensors_device))
-(typeattributeset sensorservice_service_27_0 (sensorservice_service))
-(typeattributeset sepolicy_file_27_0 (sepolicy_file))
-(typeattributeset serial_device_27_0 (serial_device))
-(typeattributeset serialno_prop_27_0 (serialno_prop))
-(typeattributeset serial_service_27_0 (serial_service))
-(typeattributeset service_contexts_file_27_0 (service_contexts_file))
-(typeattributeset servicediscovery_service_27_0 (servicediscovery_service))
-(typeattributeset servicemanager_27_0 (servicemanager))
-(typeattributeset servicemanager_exec_27_0 (servicemanager_exec))
-(typeattributeset settings_service_27_0 (settings_service))
-(typeattributeset sgdisk_27_0 (sgdisk))
-(typeattributeset sgdisk_exec_27_0 (sgdisk_exec))
-(typeattributeset shared_relro_27_0 (shared_relro))
-(typeattributeset shared_relro_file_27_0 (shared_relro_file))
-(typeattributeset shell_27_0 (shell))
-(typeattributeset shell_data_file_27_0 (shell_data_file))
-(typeattributeset shell_exec_27_0 (shell_exec))
-(typeattributeset shell_prop_27_0 (shell_prop))
-(typeattributeset shm_27_0 (shm))
-(typeattributeset shortcut_manager_icons_27_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_27_0 (shortcut_service))
-(typeattributeset slideshow_27_0 (slideshow))
-(typeattributeset socket_device_27_0 (socket_device))
-(typeattributeset sockfs_27_0 (sockfs))
-(typeattributeset statusbar_service_27_0 (statusbar_service))
-(typeattributeset storaged_service_27_0 (storaged_service))
-(typeattributeset storage_file_27_0 (storage_file))
-(typeattributeset storagestats_service_27_0 (storagestats_service))
-(typeattributeset storage_stub_file_27_0 (storage_stub_file))
-(typeattributeset su_27_0 (su))
-(typeattributeset su_exec_27_0 (su_exec))
-(typeattributeset surfaceflinger_27_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_27_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_27_0 (swap_block_device))
-(typeattributeset sysfs_27_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_27_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_27_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_27_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_fs_ext4_features_27_0 (sysfs_fs_ext4_features))
-(typeattributeset sysfs_hwrandom_27_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_27_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_27_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_27_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_27_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_27_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_27_0 (sysfs_uio))
-(typeattributeset sysfs_usb_27_0 (sysfs_usb))
-(typeattributeset sysfs_usermodehelper_27_0 (sysfs_usermodehelper))
-(typeattributeset sysfs_vibrator_27_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_27_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_27_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_27_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_27_0 (sysfs_zram_uevent))
-(typeattributeset system_app_27_0 (system_app))
-(typeattributeset system_app_data_file_27_0 (system_app_data_file))
-(typeattributeset system_app_service_27_0 (system_app_service))
-(typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_27_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
-(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
-(typeattributeset system_prop_27_0 (system_prop))
-(typeattributeset system_radio_prop_27_0 (system_radio_prop))
-(typeattributeset system_server_27_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_27_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_27_0 (system_wpa_socket))
-(typeattributeset task_service_27_0 (task_service))
-(typeattributeset tee_27_0 (tee))
-(typeattributeset tee_data_file_27_0 (tee_data_file))
-(typeattributeset tee_device_27_0 (tee_device))
-(typeattributeset telecom_service_27_0 (telecom_service))
-(typeattributeset textclassification_service_27_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_27_0 (textclassifier_data_file))
-(typeattributeset textservices_service_27_0 (textservices_service))
-(typeattributeset thermalcallback_hwservice_27_0 (thermalcallback_hwservice))
-(typeattributeset thermal_service_27_0 (thermal_service))
-(typeattributeset thermalserviced_27_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_27_0 (thermalserviced_exec))
-(typeattributeset timezone_service_27_0 (timezone_service))
-(typeattributeset tmpfs_27_0 (tmpfs))
-(typeattributeset tombstoned_27_0 (tombstoned))
-(typeattributeset tombstone_data_file_27_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_27_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_27_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_27_0 (tombstoned_intercept_socket))
-(typeattributeset tombstoned_java_trace_socket_27_0 (tombstoned_java_trace_socket))
-(typeattributeset toolbox_27_0 (toolbox))
-(typeattributeset toolbox_exec_27_0 (toolbox_exec))
-(typeattributeset trust_service_27_0 (trust_service))
-(typeattributeset tty_device_27_0 (tty_device))
-(typeattributeset tun_device_27_0 (tun_device))
-(typeattributeset tv_input_service_27_0 (tv_input_service))
-(typeattributeset tzdatacheck_27_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_27_0 (tzdatacheck_exec))
-(typeattributeset ueventd_27_0 (ueventd))
-(typeattributeset uhid_device_27_0 (uhid_device))
-(typeattributeset uimode_service_27_0 (uimode_service))
-(typeattributeset uio_device_27_0 (uio_device))
-(typeattributeset uncrypt_27_0 (uncrypt))
-(typeattributeset uncrypt_exec_27_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_27_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
-(typeattributeset unlabeled_27_0 (unlabeled))
-(typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
-(typeattributeset update_engine_27_0 (update_engine))
-(typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_27_0 (update_engine_exec))
-(typeattributeset update_engine_service_27_0 (update_engine_service))
-(typeattributeset updatelock_service_27_0 (updatelock_service))
-(typeattributeset update_verifier_27_0 (update_verifier))
-(typeattributeset update_verifier_exec_27_0 (update_verifier_exec))
-(typeattributeset usagestats_service_27_0 (usagestats_service))
-(typeattributeset usbaccessory_device_27_0 (usbaccessory_device))
-(typeattributeset usb_device_27_0 (usb_device))
-(typeattributeset usbfs_27_0 (usbfs))
-(typeattributeset usb_service_27_0 (usb_service))
-(typeattributeset userdata_block_device_27_0 (userdata_block_device))
-(typeattributeset usermodehelper_27_0 (usermodehelper))
-(typeattributeset user_profile_data_file_27_0 (user_profile_data_file))
-(typeattributeset user_service_27_0 (user_service))
-(typeattributeset vcs_device_27_0 (vcs_device))
-(typeattributeset vdc_27_0 (vdc))
-(typeattributeset vdc_exec_27_0 (vdc_exec))
-(typeattributeset vendor_app_file_27_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_27_0 (vendor_configs_file))
-(typeattributeset vendor_file_27_0 (vendor_file))
-(typeattributeset vendor_framework_file_27_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_27_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_27_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
-(typeattributeset vfat_27_0 (vfat))
-(typeattributeset vibrator_service_27_0 (vibrator_service))
-(typeattributeset video_device_27_0 (video_device))
-(typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_27_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_27_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_27_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_27_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_27_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_27_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_27_0 (voiceinteraction_service))
-(typeattributeset vold_27_0 (vold))
-(typeattributeset vold_data_file_27_0 (vold_data_file))
-(typeattributeset vold_device_27_0 (vold_device))
-(typeattributeset vold_exec_27_0 (vold_exec))
-(typeattributeset vold_prop_27_0 (vold_prop))
-(typeattributeset vold_socket_27_0 (vold_socket))
-(typeattributeset vpn_data_file_27_0 (vpn_data_file))
-(typeattributeset vr_hwc_27_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_27_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_27_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_27_0 (vr_manager_service))
-(typeattributeset wallpaper_file_27_0 (wallpaper_file))
-(typeattributeset wallpaper_service_27_0 (wallpaper_service))
-(typeattributeset watchdogd_27_0 (watchdogd))
-(typeattributeset watchdog_device_27_0 (watchdog_device))
-(typeattributeset webviewupdate_service_27_0 (webviewupdate_service))
-(typeattributeset webview_zygote_27_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_27_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_27_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_27_0 (wifiaware_service))
-(typeattributeset wificond_27_0 (wificond))
-(typeattributeset wificond_exec_27_0 (wificond_exec))
-(typeattributeset wificond_service_27_0 (wificond_service))
-(typeattributeset wifi_data_file_27_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_27_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_27_0 (wifip2p_service))
-(typeattributeset wifi_prop_27_0 (wifi_prop))
-(typeattributeset wifiscanner_service_27_0 (wifiscanner_service))
-(typeattributeset wifi_service_27_0 (wifi_service))
-(typeattributeset window_service_27_0 (window_service))
-(typeattributeset wpa_socket_27_0 (wpa_socket))
-(typeattributeset zero_device_27_0 (zero_device))
-(typeattributeset zoneinfo_data_file_27_0 (zoneinfo_data_file))
-(typeattributeset zygote_27_0 (zygote))
-(typeattributeset zygote_exec_27_0 (zygote_exec))
-(typeattributeset zygote_socket_27_0 (zygote_socket))
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
deleted file mode 100644
index 2e85b23..0000000
--- a/private/compat/27.0/27.0.compat.cil
+++ /dev/null
@@ -1,11 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
-(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
deleted file mode 100644
index 427f4d4..0000000
--- a/private/compat/27.0/27.0.ignore.cil
+++ /dev/null
@@ -1,260 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- aac_drc_prop
- aaudio_config_prop
- activity_task_service
- adb_service
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- art_apex_dir
- atrace
- audio_config_prop
- binder_calls_stats_service
- biometric_service
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- boot_status_prop
- bootanim_system_prop
- bootloader_boot_reason_prop
- bootloader_prop
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- build_bootimage_prop
- build_odm_prop
- build_prop
- build_vendor_prop
- camera_calibration_prop
- camera_config_prop
- cgroup_bpf
- charger_config_prop
- charger_exec
- charger_status_prop
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_apexd_prop
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- dalvik_config_prop
- dalvik_runtime_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- drm_service_config_prop
- exfat
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_radio_prop
- exported3_system_prop
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- fastbootd
- ffs_config_prop
- ffs_control_prop
- flags_health_check
- flags_health_check_exec
- fingerprint_vendor_data_file
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_instrumentation_prop
- hal_lowpan_hwservice
- hal_secure_element_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_hostapd_hwservice
- hdmi_config_prop
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- init_service_status_private_prop
- init_service_status_prop
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- keyguard_config_prop
- last_boot_reason_prop
- libc_debug_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- lmkd_config_prop
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- media_config_prop
- mediadrm_config_prop
- mediaextractor_update_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- metadata_bootstat_file
- metadata_file
- mnt_product_file
- mnt_vendor_file
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- oem_unlock_prop
- overlayfs_file
- packagemanager_config_prop
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- property_info
- property_service_version_prop
- provisioned_prop
- radio_control_prop
- recovery_config_prop
- recovery_socket
- retaildemo_prop
- role_service
- runas_app
- runtime_service
- secure_element
- secure_element_device
- secure_element_service
- secure_element_tmpfs
- sendbug_config_prop
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- socket_hook_prop
- stats
- stats_data_file
- stats_exec
- stats_service
- statscompanion_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- storaged_data_file
- super_block_device
- surfaceflinger_color_prop
- surfaceflinger_prop
- staging_data_file
- storagemanager_config_prop
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_update_service
- systemsound_config_prop
- telephony_config_prop
- telephony_status_prop
- test_boot_reason_prop
- time_prop
- timedetector_service
- tombstone_config_prop
- tombstone_wifi_data_file
- trace_data_file
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- traceur_app
- traceur_app_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- uri_grants_service
- usb_config_prop
- usb_control_prop
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_apex_file
- vendor_default_prop
- vendor_init
- vendor_security_patch_level_prop
- vendor_shell
- vendor_socket_hook_prop
- vndk_prop
- vold_config_prop
- vold_metadata_file
- vold_post_fs_data_prop
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vold_status_prop
- vrflinger_vsync_service
- vts_config_prop
- vts_status_prop
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wifi_config_prop
- wifi_hal_prop
- wm_trace_data_file
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs
- zram_config_prop
- zram_control_prop))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- untrusted_app_27_tmpfs))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index ce6c22d..ba0a494 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -14,13 +14,16 @@
apex_info_file
apex_ota_reserved_file
apex_scheduling_data_file
+ apex_system_server_data_file
apexd_config_prop
app_hibernation_service
appcompat_data_file
arm64_memtag_prop
+ artd
+ artd_exec
+ artd_service
authorization_service
bootanim_config_prop
- camera2_extensions_prop
camerax_extensions_prop
cgroup_desc_api_file
cgroup_v2
@@ -70,7 +73,6 @@
hal_uwb_service
hal_weaver_service
hw_timeout_multiplier_prop
- hypervisor_prop
keystore_compat_hal_service
keystore_maintenance_service
keystore_metrics_service
@@ -87,7 +89,6 @@
memtrackproxy_service
mm_events_config_prop
music_recognition_service
- mtectrl
nfc_logs_data_file
odrefresh
odrefresh_exec
@@ -146,11 +147,10 @@
vd_device
vendor_kernel_modules
vendor_modprobe
+ vendor_uuid_mapping_config_file
vibrator_manager_service
virtualization_service
vpn_management_service
watchdog_metadata_file
wifi_key
- zygote_config_prop
- proc_vendor_sched
- sysfs_vendor_sched))
+ zygote_config_prop))
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 009d8b2..ba6944e 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -1,3 +1,14 @@
+;; types removed from current policy
+(type apex_appsearch_data_file)
+(type apex_permission_data_file)
+(type apex_scheduling_data_file)
+(type apex_wifi_data_file)
+(type healthd_exec)
+(type nonplat_service_contexts_file)
+(type sysfs_block)
+(type vr_hwc)
+(type vr_hwc_exec)
+
(expandtypeattribute (DockObserver_service_31_0) true)
(expandtypeattribute (IProxyService_service_31_0) true)
(expandtypeattribute (aac_drc_prop_31_0) true)
@@ -1255,18 +1266,18 @@
(typeattributeset alarm_service_31_0 (alarm_service))
(typeattributeset anr_data_file_31_0 (anr_data_file))
(typeattributeset apc_service_31_0 (apc_service))
-(typeattributeset apex_appsearch_data_file_31_0 (apex_appsearch_data_file))
+(typeattributeset apex_appsearch_data_file_31_0 (apex_appsearch_data_file apex_system_server_data_file))
(typeattributeset apex_data_file_31_0 (apex_data_file))
(typeattributeset apex_info_file_31_0 (apex_info_file))
(typeattributeset apex_metadata_file_31_0 (apex_metadata_file))
(typeattributeset apex_mnt_dir_31_0 (apex_mnt_dir))
(typeattributeset apex_module_data_file_31_0 (apex_module_data_file))
(typeattributeset apex_ota_reserved_file_31_0 (apex_ota_reserved_file))
-(typeattributeset apex_permission_data_file_31_0 (apex_permission_data_file))
+(typeattributeset apex_permission_data_file_31_0 (apex_permission_data_file apex_system_server_data_file))
(typeattributeset apex_rollback_data_file_31_0 (apex_rollback_data_file))
-(typeattributeset apex_scheduling_data_file_31_0 (apex_scheduling_data_file))
+(typeattributeset apex_scheduling_data_file_31_0 (apex_scheduling_data_file apex_system_server_data_file))
(typeattributeset apex_service_31_0 (apex_service))
-(typeattributeset apex_wifi_data_file_31_0 (apex_wifi_data_file))
+(typeattributeset apex_wifi_data_file_31_0 (apex_wifi_data_file apex_system_server_data_file))
(typeattributeset apexd_31_0 (apexd))
(typeattributeset apexd_config_prop_31_0 (apexd_config_prop))
(typeattributeset apexd_exec_31_0 (apexd_exec))
@@ -1959,7 +1970,11 @@
(typeattributeset print_service_31_0 (print_service))
(typeattributeset priv_app_31_0 (priv_app))
(typeattributeset privapp_data_file_31_0 (privapp_data_file))
-(typeattributeset proc_31_0 (proc))
+(typeattributeset proc_31_0
+ ( proc
+ proc_bpf
+ proc_cpu_alignment
+))
(typeattributeset proc_abi_31_0 (proc_abi))
(typeattributeset proc_asound_31_0 (proc_asound))
(typeattributeset proc_bluetooth_writable_31_0 (proc_bluetooth_writable))
@@ -1990,7 +2005,10 @@
(typeattributeset proc_misc_31_0 (proc_misc))
(typeattributeset proc_modules_31_0 (proc_modules))
(typeattributeset proc_mounts_31_0 (proc_mounts))
-(typeattributeset proc_net_31_0 (proc_net))
+(typeattributeset proc_net_31_0
+ ( proc_bpf
+ proc_net
+))
(typeattributeset proc_net_tcp_udp_31_0 (proc_net_tcp_udp))
(typeattributeset proc_overcommit_memory_31_0 (proc_overcommit_memory))
(typeattributeset proc_page_cluster_31_0 (proc_page_cluster))
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 4e95cc6..22381b5 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -5,5 +5,48 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ apexd_select_prop
+ artd_service
+ attestation_verification_service
+ camera2_extensions_prop
+ device_config_nnapi_native_prop
+ dice_maintenance_service
+ dice_node_service
+ diced
+ diced_exec
+ extra_free_kbytes
+ extra_free_kbytes_exec
+ hal_contexthub_service
+ hal_dice_service
+ hal_dumpstate_service
+ hal_graphics_composer_service
+ hal_health_service
+ hal_radio_service
+ hal_sensors_service
+ hal_system_suspend_service
+ hal_tv_tuner_service
+ hal_uwb_service
+ hal_uwb_vendor_service
+ hal_wifi_hostapd_service
+ hal_wifi_supplicant_service
+ hal_nlinterceptor_service
hypervisor_prop
+ locale_service
+ power_stats_service
+ snapuserd_prop
+ snapuserd_proxy_socket
+ tare_service
+ transformer_service
+ proc_watermark_boost_factor
+ proc_watermark_scale_factor
+ untrusted_app_30
+ proc_vendor_sched
+ sdk_sandbox_service
+ sysfs_fs_fuse_bpf
+ sysfs_vendor_sched
+ tv_iapp_service
+ vendor_uuid_mapping_config_file
+ vendor_vm_file
+ vendor_vm_data_file
+ virtual_device_service
))
diff --git a/private/compat/32.0/32.0.cil b/private/compat/32.0/32.0.cil
new file mode 100644
index 0000000..a99b628
--- /dev/null
+++ b/private/compat/32.0/32.0.cil
@@ -0,0 +1,2483 @@
+;; types removed from current policy
+(type apex_appsearch_data_file)
+(type apex_permission_data_file)
+(type apex_scheduling_data_file)
+(type apex_wifi_data_file)
+(type healthd_exec)
+(type nonplat_service_contexts_file)
+(type sysfs_block)
+(type vr_hwc)
+(type vr_hwc_exec)
+
+(expandtypeattribute (DockObserver_service_32_0) true)
+(expandtypeattribute (IProxyService_service_32_0) true)
+(expandtypeattribute (aac_drc_prop_32_0) true)
+(expandtypeattribute (aaudio_config_prop_32_0) true)
+(expandtypeattribute (ab_update_gki_prop_32_0) true)
+(expandtypeattribute (accessibility_service_32_0) true)
+(expandtypeattribute (account_service_32_0) true)
+(expandtypeattribute (activity_service_32_0) true)
+(expandtypeattribute (activity_task_service_32_0) true)
+(expandtypeattribute (adb_data_file_32_0) true)
+(expandtypeattribute (adb_keys_file_32_0) true)
+(expandtypeattribute (adb_service_32_0) true)
+(expandtypeattribute (adbd_32_0) true)
+(expandtypeattribute (adbd_config_prop_32_0) true)
+(expandtypeattribute (adbd_exec_32_0) true)
+(expandtypeattribute (adbd_socket_32_0) true)
+(expandtypeattribute (aidl_lazy_test_server_32_0) true)
+(expandtypeattribute (aidl_lazy_test_server_exec_32_0) true)
+(expandtypeattribute (aidl_lazy_test_service_32_0) true)
+(expandtypeattribute (alarm_service_32_0) true)
+(expandtypeattribute (anr_data_file_32_0) true)
+(expandtypeattribute (apc_service_32_0) true)
+(expandtypeattribute (apex_appsearch_data_file_32_0) true)
+(expandtypeattribute (apex_data_file_32_0) true)
+(expandtypeattribute (apex_info_file_32_0) true)
+(expandtypeattribute (apex_metadata_file_32_0) true)
+(expandtypeattribute (apex_mnt_dir_32_0) true)
+(expandtypeattribute (apex_module_data_file_32_0) true)
+(expandtypeattribute (apex_ota_reserved_file_32_0) true)
+(expandtypeattribute (apex_permission_data_file_32_0) true)
+(expandtypeattribute (apex_rollback_data_file_32_0) true)
+(expandtypeattribute (apex_scheduling_data_file_32_0) true)
+(expandtypeattribute (apex_service_32_0) true)
+(expandtypeattribute (apex_wifi_data_file_32_0) true)
+(expandtypeattribute (apexd_32_0) true)
+(expandtypeattribute (apexd_config_prop_32_0) true)
+(expandtypeattribute (apexd_exec_32_0) true)
+(expandtypeattribute (apexd_prop_32_0) true)
+(expandtypeattribute (apk_data_file_32_0) true)
+(expandtypeattribute (apk_private_data_file_32_0) true)
+(expandtypeattribute (apk_private_tmp_file_32_0) true)
+(expandtypeattribute (apk_tmp_file_32_0) true)
+(expandtypeattribute (apk_verity_prop_32_0) true)
+(expandtypeattribute (app_binding_service_32_0) true)
+(expandtypeattribute (app_data_file_32_0) true)
+(expandtypeattribute (app_fuse_file_32_0) true)
+(expandtypeattribute (app_fusefs_32_0) true)
+(expandtypeattribute (app_hibernation_service_32_0) true)
+(expandtypeattribute (app_integrity_service_32_0) true)
+(expandtypeattribute (app_prediction_service_32_0) true)
+(expandtypeattribute (app_search_service_32_0) true)
+(expandtypeattribute (app_zygote_32_0) true)
+(expandtypeattribute (app_zygote_tmpfs_32_0) true)
+(expandtypeattribute (appcompat_data_file_32_0) true)
+(expandtypeattribute (appdomain_tmpfs_32_0) true)
+(expandtypeattribute (appops_service_32_0) true)
+(expandtypeattribute (appwidget_service_32_0) true)
+(expandtypeattribute (arm64_memtag_prop_32_0) true)
+(expandtypeattribute (art_apex_dir_32_0) true)
+(expandtypeattribute (asec_apk_file_32_0) true)
+(expandtypeattribute (asec_image_file_32_0) true)
+(expandtypeattribute (asec_public_file_32_0) true)
+(expandtypeattribute (ashmem_device_32_0) true)
+(expandtypeattribute (ashmem_libcutils_device_32_0) true)
+(expandtypeattribute (assetatlas_service_32_0) true)
+(expandtypeattribute (atrace_32_0) true)
+(expandtypeattribute (audio_config_prop_32_0) true)
+(expandtypeattribute (audio_data_file_32_0) true)
+(expandtypeattribute (audio_device_32_0) true)
+(expandtypeattribute (audio_prop_32_0) true)
+(expandtypeattribute (audio_service_32_0) true)
+(expandtypeattribute (audiohal_data_file_32_0) true)
+(expandtypeattribute (audioserver_32_0) true)
+(expandtypeattribute (audioserver_data_file_32_0) true)
+(expandtypeattribute (audioserver_service_32_0) true)
+(expandtypeattribute (audioserver_tmpfs_32_0) true)
+(expandtypeattribute (auth_service_32_0) true)
+(expandtypeattribute (authorization_service_32_0) true)
+(expandtypeattribute (autofill_service_32_0) true)
+(expandtypeattribute (backup_data_file_32_0) true)
+(expandtypeattribute (backup_service_32_0) true)
+(expandtypeattribute (battery_service_32_0) true)
+(expandtypeattribute (batteryproperties_service_32_0) true)
+(expandtypeattribute (batterystats_service_32_0) true)
+(expandtypeattribute (binder_cache_bluetooth_server_prop_32_0) true)
+(expandtypeattribute (binder_cache_system_server_prop_32_0) true)
+(expandtypeattribute (binder_cache_telephony_server_prop_32_0) true)
+(expandtypeattribute (binder_calls_stats_service_32_0) true)
+(expandtypeattribute (binder_device_32_0) true)
+(expandtypeattribute (binderfs_32_0) true)
+(expandtypeattribute (binderfs_logs_32_0) true)
+(expandtypeattribute (binderfs_logs_proc_32_0) true)
+(expandtypeattribute (binfmt_miscfs_32_0) true)
+(expandtypeattribute (biometric_service_32_0) true)
+(expandtypeattribute (blkid_32_0) true)
+(expandtypeattribute (blkid_untrusted_32_0) true)
+(expandtypeattribute (blob_store_service_32_0) true)
+(expandtypeattribute (block_device_32_0) true)
+(expandtypeattribute (bluetooth_32_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_32_0) true)
+(expandtypeattribute (bluetooth_audio_hal_prop_32_0) true)
+(expandtypeattribute (bluetooth_data_file_32_0) true)
+(expandtypeattribute (bluetooth_efs_file_32_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_32_0) true)
+(expandtypeattribute (bluetooth_manager_service_32_0) true)
+(expandtypeattribute (bluetooth_prop_32_0) true)
+(expandtypeattribute (bluetooth_service_32_0) true)
+(expandtypeattribute (bluetooth_socket_32_0) true)
+(expandtypeattribute (boot_block_device_32_0) true)
+(expandtypeattribute (boot_status_prop_32_0) true)
+(expandtypeattribute (bootanim_32_0) true)
+(expandtypeattribute (bootanim_config_prop_32_0) true)
+(expandtypeattribute (bootanim_exec_32_0) true)
+(expandtypeattribute (bootanim_system_prop_32_0) true)
+(expandtypeattribute (bootchart_data_file_32_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_32_0) true)
+(expandtypeattribute (bootloader_prop_32_0) true)
+(expandtypeattribute (bootstat_32_0) true)
+(expandtypeattribute (bootstat_data_file_32_0) true)
+(expandtypeattribute (bootstat_exec_32_0) true)
+(expandtypeattribute (boottime_prop_32_0) true)
+(expandtypeattribute (boottime_public_prop_32_0) true)
+(expandtypeattribute (boottrace_data_file_32_0) true)
+(expandtypeattribute (bpf_progs_loaded_prop_32_0) true)
+(expandtypeattribute (bq_config_prop_32_0) true)
+(expandtypeattribute (broadcastradio_service_32_0) true)
+(expandtypeattribute (bufferhubd_32_0) true)
+(expandtypeattribute (bufferhubd_exec_32_0) true)
+(expandtypeattribute (bugreport_service_32_0) true)
+(expandtypeattribute (build_bootimage_prop_32_0) true)
+(expandtypeattribute (build_config_prop_32_0) true)
+(expandtypeattribute (build_odm_prop_32_0) true)
+(expandtypeattribute (build_prop_32_0) true)
+(expandtypeattribute (build_vendor_prop_32_0) true)
+(expandtypeattribute (cache_backup_file_32_0) true)
+(expandtypeattribute (cache_block_device_32_0) true)
+(expandtypeattribute (cache_file_32_0) true)
+(expandtypeattribute (cache_private_backup_file_32_0) true)
+(expandtypeattribute (cache_recovery_file_32_0) true)
+(expandtypeattribute (cacheinfo_service_32_0) true)
+(expandtypeattribute (camera2_extensions_prop_32_0) true)
+(expandtypeattribute (camera_calibration_prop_32_0) true)
+(expandtypeattribute (camera_config_prop_32_0) true)
+(expandtypeattribute (camera_data_file_32_0) true)
+(expandtypeattribute (camera_device_32_0) true)
+(expandtypeattribute (cameraproxy_service_32_0) true)
+(expandtypeattribute (cameraserver_32_0) true)
+(expandtypeattribute (cameraserver_exec_32_0) true)
+(expandtypeattribute (cameraserver_service_32_0) true)
+(expandtypeattribute (cameraserver_tmpfs_32_0) true)
+(expandtypeattribute (camerax_extensions_prop_32_0) true)
+(expandtypeattribute (cgroup_32_0) true)
+(expandtypeattribute (cgroup_desc_api_file_32_0) true)
+(expandtypeattribute (cgroup_desc_file_32_0) true)
+(expandtypeattribute (cgroup_rc_file_32_0) true)
+(expandtypeattribute (cgroup_v2_32_0) true)
+(expandtypeattribute (charger_32_0) true)
+(expandtypeattribute (charger_config_prop_32_0) true)
+(expandtypeattribute (charger_exec_32_0) true)
+(expandtypeattribute (charger_prop_32_0) true)
+(expandtypeattribute (charger_status_prop_32_0) true)
+(expandtypeattribute (clipboard_service_32_0) true)
+(expandtypeattribute (codec2_config_prop_32_0) true)
+(expandtypeattribute (cold_boot_done_prop_32_0) true)
+(expandtypeattribute (color_display_service_32_0) true)
+(expandtypeattribute (companion_device_service_32_0) true)
+(expandtypeattribute (config_prop_32_0) true)
+(expandtypeattribute (configfs_32_0) true)
+(expandtypeattribute (connectivity_service_32_0) true)
+(expandtypeattribute (connmetrics_service_32_0) true)
+(expandtypeattribute (console_device_32_0) true)
+(expandtypeattribute (consumer_ir_service_32_0) true)
+(expandtypeattribute (content_capture_service_32_0) true)
+(expandtypeattribute (content_service_32_0) true)
+(expandtypeattribute (content_suggestions_service_32_0) true)
+(expandtypeattribute (contexthub_service_32_0) true)
+(expandtypeattribute (coredump_file_32_0) true)
+(expandtypeattribute (country_detector_service_32_0) true)
+(expandtypeattribute (coverage_service_32_0) true)
+(expandtypeattribute (cppreopt_prop_32_0) true)
+(expandtypeattribute (cpu_variant_prop_32_0) true)
+(expandtypeattribute (cpuinfo_service_32_0) true)
+(expandtypeattribute (crash_dump_32_0) true)
+(expandtypeattribute (crash_dump_exec_32_0) true)
+(expandtypeattribute (credstore_32_0) true)
+(expandtypeattribute (credstore_data_file_32_0) true)
+(expandtypeattribute (credstore_exec_32_0) true)
+(expandtypeattribute (credstore_service_32_0) true)
+(expandtypeattribute (crossprofileapps_service_32_0) true)
+(expandtypeattribute (ctl_adbd_prop_32_0) true)
+(expandtypeattribute (ctl_apexd_prop_32_0) true)
+(expandtypeattribute (ctl_bootanim_prop_32_0) true)
+(expandtypeattribute (ctl_bugreport_prop_32_0) true)
+(expandtypeattribute (ctl_console_prop_32_0) true)
+(expandtypeattribute (ctl_default_prop_32_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_32_0) true)
+(expandtypeattribute (ctl_fuse_prop_32_0) true)
+(expandtypeattribute (ctl_gsid_prop_32_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_32_0) true)
+(expandtypeattribute (ctl_interface_start_prop_32_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_32_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_32_0) true)
+(expandtypeattribute (ctl_restart_prop_32_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_32_0) true)
+(expandtypeattribute (ctl_sigstop_prop_32_0) true)
+(expandtypeattribute (ctl_start_prop_32_0) true)
+(expandtypeattribute (ctl_stop_prop_32_0) true)
+(expandtypeattribute (dalvik_config_prop_32_0) true)
+(expandtypeattribute (dalvik_prop_32_0) true)
+(expandtypeattribute (dalvik_runtime_prop_32_0) true)
+(expandtypeattribute (dalvikcache_data_file_32_0) true)
+(expandtypeattribute (dataloader_manager_service_32_0) true)
+(expandtypeattribute (dbinfo_service_32_0) true)
+(expandtypeattribute (dck_prop_32_0) true)
+(expandtypeattribute (debug_prop_32_0) true)
+(expandtypeattribute (debugfs_32_0) true)
+(expandtypeattribute (debugfs_bootreceiver_tracing_32_0) true)
+(expandtypeattribute (debugfs_kprobes_32_0) true)
+(expandtypeattribute (debugfs_mm_events_tracing_32_0) true)
+(expandtypeattribute (debugfs_mmc_32_0) true)
+(expandtypeattribute (debugfs_restriction_prop_32_0) true)
+(expandtypeattribute (debugfs_trace_marker_32_0) true)
+(expandtypeattribute (debugfs_tracing_32_0) true)
+(expandtypeattribute (debugfs_tracing_debug_32_0) true)
+(expandtypeattribute (debugfs_tracing_instances_32_0) true)
+(expandtypeattribute (debugfs_tracing_printk_formats_32_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_32_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_32_0) true)
+(expandtypeattribute (debuggerd_prop_32_0) true)
+(expandtypeattribute (default_android_hwservice_32_0) true)
+(expandtypeattribute (default_android_service_32_0) true)
+(expandtypeattribute (default_android_vndservice_32_0) true)
+(expandtypeattribute (default_prop_32_0) true)
+(expandtypeattribute (dev_cpu_variant_32_0) true)
+(expandtypeattribute (device_32_0) true)
+(expandtypeattribute (device_config_activity_manager_native_boot_prop_32_0) true)
+(expandtypeattribute (device_config_boot_count_prop_32_0) true)
+(expandtypeattribute (device_config_input_native_boot_prop_32_0) true)
+(expandtypeattribute (device_config_media_native_prop_32_0) true)
+(expandtypeattribute (device_config_netd_native_prop_32_0) true)
+(expandtypeattribute (device_config_reset_performed_prop_32_0) true)
+(expandtypeattribute (device_config_runtime_native_boot_prop_32_0) true)
+(expandtypeattribute (device_config_runtime_native_prop_32_0) true)
+(expandtypeattribute (device_config_service_32_0) true)
+(expandtypeattribute (device_identifiers_service_32_0) true)
+(expandtypeattribute (device_logging_prop_32_0) true)
+(expandtypeattribute (device_policy_service_32_0) true)
+(expandtypeattribute (device_state_service_32_0) true)
+(expandtypeattribute (deviceidle_service_32_0) true)
+(expandtypeattribute (devicestoragemonitor_service_32_0) true)
+(expandtypeattribute (devpts_32_0) true)
+(expandtypeattribute (dhcp_32_0) true)
+(expandtypeattribute (dhcp_data_file_32_0) true)
+(expandtypeattribute (dhcp_exec_32_0) true)
+(expandtypeattribute (dhcp_prop_32_0) true)
+(expandtypeattribute (diskstats_service_32_0) true)
+(expandtypeattribute (display_service_32_0) true)
+(expandtypeattribute (dm_device_32_0) true)
+(expandtypeattribute (dm_user_device_32_0) true)
+(expandtypeattribute (dmabuf_heap_device_32_0) true)
+(expandtypeattribute (dmabuf_system_heap_device_32_0) true)
+(expandtypeattribute (dmabuf_system_secure_heap_device_32_0) true)
+(expandtypeattribute (dnsmasq_32_0) true)
+(expandtypeattribute (dnsmasq_exec_32_0) true)
+(expandtypeattribute (dnsproxyd_socket_32_0) true)
+(expandtypeattribute (dnsresolver_service_32_0) true)
+(expandtypeattribute (domain_verification_service_32_0) true)
+(expandtypeattribute (dreams_service_32_0) true)
+(expandtypeattribute (drm_data_file_32_0) true)
+(expandtypeattribute (drm_service_config_prop_32_0) true)
+(expandtypeattribute (drmserver_32_0) true)
+(expandtypeattribute (drmserver_exec_32_0) true)
+(expandtypeattribute (drmserver_service_32_0) true)
+(expandtypeattribute (drmserver_socket_32_0) true)
+(expandtypeattribute (dropbox_data_file_32_0) true)
+(expandtypeattribute (dropbox_service_32_0) true)
+(expandtypeattribute (dumpstate_32_0) true)
+(expandtypeattribute (dumpstate_exec_32_0) true)
+(expandtypeattribute (dumpstate_options_prop_32_0) true)
+(expandtypeattribute (dumpstate_prop_32_0) true)
+(expandtypeattribute (dumpstate_service_32_0) true)
+(expandtypeattribute (dumpstate_socket_32_0) true)
+(expandtypeattribute (dynamic_system_prop_32_0) true)
+(expandtypeattribute (e2fs_32_0) true)
+(expandtypeattribute (e2fs_exec_32_0) true)
+(expandtypeattribute (efs_file_32_0) true)
+(expandtypeattribute (emergency_affordance_service_32_0) true)
+(expandtypeattribute (ephemeral_app_32_0) true)
+(expandtypeattribute (ethernet_service_32_0) true)
+(expandtypeattribute (exfat_32_0) true)
+(expandtypeattribute (exported3_system_prop_32_0) true)
+(expandtypeattribute (exported_bluetooth_prop_32_0) true)
+(expandtypeattribute (exported_camera_prop_32_0) true)
+(expandtypeattribute (exported_config_prop_32_0) true)
+(expandtypeattribute (exported_default_prop_32_0) true)
+(expandtypeattribute (exported_dumpstate_prop_32_0) true)
+(expandtypeattribute (exported_overlay_prop_32_0) true)
+(expandtypeattribute (exported_pm_prop_32_0) true)
+(expandtypeattribute (exported_secure_prop_32_0) true)
+(expandtypeattribute (exported_system_prop_32_0) true)
+(expandtypeattribute (external_vibrator_service_32_0) true)
+(expandtypeattribute (face_service_32_0) true)
+(expandtypeattribute (face_vendor_data_file_32_0) true)
+(expandtypeattribute (fastbootd_32_0) true)
+(expandtypeattribute (ffs_config_prop_32_0) true)
+(expandtypeattribute (ffs_control_prop_32_0) true)
+(expandtypeattribute (file_contexts_file_32_0) true)
+(expandtypeattribute (file_integrity_service_32_0) true)
+(expandtypeattribute (fingerprint_prop_32_0) true)
+(expandtypeattribute (fingerprint_service_32_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_32_0) true)
+(expandtypeattribute (fingerprintd_32_0) true)
+(expandtypeattribute (fingerprintd_data_file_32_0) true)
+(expandtypeattribute (fingerprintd_exec_32_0) true)
+(expandtypeattribute (fingerprintd_service_32_0) true)
+(expandtypeattribute (firstboot_prop_32_0) true)
+(expandtypeattribute (flags_health_check_32_0) true)
+(expandtypeattribute (flags_health_check_exec_32_0) true)
+(expandtypeattribute (font_service_32_0) true)
+(expandtypeattribute (framework_watchdog_config_prop_32_0) true)
+(expandtypeattribute (frp_block_device_32_0) true)
+(expandtypeattribute (fs_bpf_32_0) true)
+(expandtypeattribute (fs_bpf_tethering_32_0) true)
+(expandtypeattribute (fsck_32_0) true)
+(expandtypeattribute (fsck_exec_32_0) true)
+(expandtypeattribute (fsck_untrusted_32_0) true)
+(expandtypeattribute (fscklogs_32_0) true)
+(expandtypeattribute (functionfs_32_0) true)
+(expandtypeattribute (fuse_32_0) true)
+(expandtypeattribute (fuse_device_32_0) true)
+(expandtypeattribute (fusectlfs_32_0) true)
+(expandtypeattribute (fwk_automotive_display_hwservice_32_0) true)
+(expandtypeattribute (fwk_bufferhub_hwservice_32_0) true)
+(expandtypeattribute (fwk_camera_hwservice_32_0) true)
+(expandtypeattribute (fwk_display_hwservice_32_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_32_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_32_0) true)
+(expandtypeattribute (fwk_stats_hwservice_32_0) true)
+(expandtypeattribute (fwk_stats_service_32_0) true)
+(expandtypeattribute (fwmarkd_socket_32_0) true)
+(expandtypeattribute (game_service_32_0) true)
+(expandtypeattribute (gatekeeper_data_file_32_0) true)
+(expandtypeattribute (gatekeeper_service_32_0) true)
+(expandtypeattribute (gatekeeperd_32_0) true)
+(expandtypeattribute (gatekeeperd_exec_32_0) true)
+(expandtypeattribute (gfxinfo_service_32_0) true)
+(expandtypeattribute (gmscore_app_32_0) true)
+(expandtypeattribute (gnss_device_32_0) true)
+(expandtypeattribute (gnss_time_update_service_32_0) true)
+(expandtypeattribute (gps_control_32_0) true)
+(expandtypeattribute (gpu_device_32_0) true)
+(expandtypeattribute (gpu_service_32_0) true)
+(expandtypeattribute (gpuservice_32_0) true)
+(expandtypeattribute (graphics_config_prop_32_0) true)
+(expandtypeattribute (graphics_device_32_0) true)
+(expandtypeattribute (graphicsstats_service_32_0) true)
+(expandtypeattribute (gsi_data_file_32_0) true)
+(expandtypeattribute (gsi_metadata_file_32_0) true)
+(expandtypeattribute (gsi_public_metadata_file_32_0) true)
+(expandtypeattribute (hal_atrace_hwservice_32_0) true)
+(expandtypeattribute (hal_audio_hwservice_32_0) true)
+(expandtypeattribute (hal_audio_service_32_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_32_0) true)
+(expandtypeattribute (hal_audiocontrol_service_32_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_32_0) true)
+(expandtypeattribute (hal_authsecret_service_32_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_32_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_32_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_32_0) true)
+(expandtypeattribute (hal_camera_hwservice_32_0) true)
+(expandtypeattribute (hal_can_bus_hwservice_32_0) true)
+(expandtypeattribute (hal_can_controller_hwservice_32_0) true)
+(expandtypeattribute (hal_cas_hwservice_32_0) true)
+(expandtypeattribute (hal_codec2_hwservice_32_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_32_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_32_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_32_0) true)
+(expandtypeattribute (hal_drm_hwservice_32_0) true)
+(expandtypeattribute (hal_dumpstate_config_prop_32_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_32_0) true)
+(expandtypeattribute (hal_evs_hwservice_32_0) true)
+(expandtypeattribute (hal_face_hwservice_32_0) true)
+(expandtypeattribute (hal_face_service_32_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_32_0) true)
+(expandtypeattribute (hal_fingerprint_service_32_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_32_0) true)
+(expandtypeattribute (hal_gnss_hwservice_32_0) true)
+(expandtypeattribute (hal_gnss_service_32_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_32_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_32_0) true)
+(expandtypeattribute (hal_graphics_composer_server_tmpfs_32_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_32_0) true)
+(expandtypeattribute (hal_health_hwservice_32_0) true)
+(expandtypeattribute (hal_health_storage_hwservice_32_0) true)
+(expandtypeattribute (hal_health_storage_service_32_0) true)
+(expandtypeattribute (hal_identity_service_32_0) true)
+(expandtypeattribute (hal_input_classifier_hwservice_32_0) true)
+(expandtypeattribute (hal_instrumentation_prop_32_0) true)
+(expandtypeattribute (hal_ir_hwservice_32_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_32_0) true)
+(expandtypeattribute (hal_keymint_service_32_0) true)
+(expandtypeattribute (hal_light_hwservice_32_0) true)
+(expandtypeattribute (hal_light_service_32_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_32_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_32_0) true)
+(expandtypeattribute (hal_memtrack_service_32_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_32_0) true)
+(expandtypeattribute (hal_neuralnetworks_service_32_0) true)
+(expandtypeattribute (hal_nfc_hwservice_32_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_32_0) true)
+(expandtypeattribute (hal_oemlock_service_32_0) true)
+(expandtypeattribute (hal_omx_hwservice_32_0) true)
+(expandtypeattribute (hal_power_hwservice_32_0) true)
+(expandtypeattribute (hal_power_service_32_0) true)
+(expandtypeattribute (hal_power_stats_hwservice_32_0) true)
+(expandtypeattribute (hal_power_stats_service_32_0) true)
+(expandtypeattribute (hal_rebootescrow_service_32_0) true)
+(expandtypeattribute (hal_remotelyprovisionedcomponent_service_32_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_32_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_32_0) true)
+(expandtypeattribute (hal_secureclock_service_32_0) true)
+(expandtypeattribute (hal_sensors_hwservice_32_0) true)
+(expandtypeattribute (hal_sharedsecret_service_32_0) true)
+(expandtypeattribute (hal_telephony_hwservice_32_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_32_0) true)
+(expandtypeattribute (hal_thermal_hwservice_32_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_32_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_32_0) true)
+(expandtypeattribute (hal_tv_tuner_hwservice_32_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_32_0) true)
+(expandtypeattribute (hal_usb_hwservice_32_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_32_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_32_0) true)
+(expandtypeattribute (hal_vibrator_service_32_0) true)
+(expandtypeattribute (hal_vr_hwservice_32_0) true)
+(expandtypeattribute (hal_weaver_hwservice_32_0) true)
+(expandtypeattribute (hal_weaver_service_32_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_32_0) true)
+(expandtypeattribute (hal_wifi_hwservice_32_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_32_0) true)
+(expandtypeattribute (hardware_properties_service_32_0) true)
+(expandtypeattribute (hardware_service_32_0) true)
+(expandtypeattribute (hci_attach_dev_32_0) true)
+(expandtypeattribute (hdmi_config_prop_32_0) true)
+(expandtypeattribute (hdmi_control_service_32_0) true)
+(expandtypeattribute (healthd_32_0) true)
+(expandtypeattribute (healthd_exec_32_0) true)
+(expandtypeattribute (heapdump_data_file_32_0) true)
+(expandtypeattribute (heapprofd_32_0) true)
+(expandtypeattribute (heapprofd_enabled_prop_32_0) true)
+(expandtypeattribute (heapprofd_prop_32_0) true)
+(expandtypeattribute (heapprofd_socket_32_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_32_0) true)
+(expandtypeattribute (hidl_base_hwservice_32_0) true)
+(expandtypeattribute (hidl_manager_hwservice_32_0) true)
+(expandtypeattribute (hidl_memory_hwservice_32_0) true)
+(expandtypeattribute (hidl_token_hwservice_32_0) true)
+(expandtypeattribute (hint_service_32_0) true)
+(expandtypeattribute (hw_random_device_32_0) true)
+(expandtypeattribute (hw_timeout_multiplier_prop_32_0) true)
+(expandtypeattribute (hwbinder_device_32_0) true)
+(expandtypeattribute (hwservice_contexts_file_32_0) true)
+(expandtypeattribute (hwservicemanager_32_0) true)
+(expandtypeattribute (hwservicemanager_exec_32_0) true)
+(expandtypeattribute (hwservicemanager_prop_32_0) true)
+(expandtypeattribute (hypervisor_prop_32_0) true)
+(expandtypeattribute (icon_file_32_0) true)
+(expandtypeattribute (idmap_32_0) true)
+(expandtypeattribute (idmap_exec_32_0) true)
+(expandtypeattribute (idmap_service_32_0) true)
+(expandtypeattribute (iio_device_32_0) true)
+(expandtypeattribute (imms_service_32_0) true)
+(expandtypeattribute (incident_32_0) true)
+(expandtypeattribute (incident_data_file_32_0) true)
+(expandtypeattribute (incident_helper_32_0) true)
+(expandtypeattribute (incident_service_32_0) true)
+(expandtypeattribute (incidentd_32_0) true)
+(expandtypeattribute (incremental_control_file_32_0) true)
+(expandtypeattribute (incremental_prop_32_0) true)
+(expandtypeattribute (incremental_service_32_0) true)
+(expandtypeattribute (init_32_0) true)
+(expandtypeattribute (init_exec_32_0) true)
+(expandtypeattribute (init_service_status_prop_32_0) true)
+(expandtypeattribute (init_tmpfs_32_0) true)
+(expandtypeattribute (inotify_32_0) true)
+(expandtypeattribute (input_device_32_0) true)
+(expandtypeattribute (input_method_service_32_0) true)
+(expandtypeattribute (input_service_32_0) true)
+(expandtypeattribute (inputflinger_32_0) true)
+(expandtypeattribute (inputflinger_exec_32_0) true)
+(expandtypeattribute (inputflinger_service_32_0) true)
+(expandtypeattribute (install_data_file_32_0) true)
+(expandtypeattribute (installd_32_0) true)
+(expandtypeattribute (installd_exec_32_0) true)
+(expandtypeattribute (installd_service_32_0) true)
+(expandtypeattribute (ion_device_32_0) true)
+(expandtypeattribute (iorap_inode2filename_32_0) true)
+(expandtypeattribute (iorap_inode2filename_exec_32_0) true)
+(expandtypeattribute (iorap_inode2filename_tmpfs_32_0) true)
+(expandtypeattribute (iorap_prefetcherd_32_0) true)
+(expandtypeattribute (iorap_prefetcherd_exec_32_0) true)
+(expandtypeattribute (iorap_prefetcherd_tmpfs_32_0) true)
+(expandtypeattribute (iorapd_32_0) true)
+(expandtypeattribute (iorapd_data_file_32_0) true)
+(expandtypeattribute (iorapd_exec_32_0) true)
+(expandtypeattribute (iorapd_service_32_0) true)
+(expandtypeattribute (iorapd_tmpfs_32_0) true)
+(expandtypeattribute (ipsec_service_32_0) true)
+(expandtypeattribute (iris_service_32_0) true)
+(expandtypeattribute (iris_vendor_data_file_32_0) true)
+(expandtypeattribute (isolated_app_32_0) true)
+(expandtypeattribute (jobscheduler_service_32_0) true)
+(expandtypeattribute (kernel_32_0) true)
+(expandtypeattribute (keychain_data_file_32_0) true)
+(expandtypeattribute (keychord_device_32_0) true)
+(expandtypeattribute (keyguard_config_prop_32_0) true)
+(expandtypeattribute (keystore2_key_contexts_file_32_0) true)
+(expandtypeattribute (keystore_32_0) true)
+(expandtypeattribute (keystore_compat_hal_service_32_0) true)
+(expandtypeattribute (keystore_data_file_32_0) true)
+(expandtypeattribute (keystore_exec_32_0) true)
+(expandtypeattribute (keystore_maintenance_service_32_0) true)
+(expandtypeattribute (keystore_metrics_service_32_0) true)
+(expandtypeattribute (keystore_service_32_0) true)
+(expandtypeattribute (kmsg_debug_device_32_0) true)
+(expandtypeattribute (kmsg_device_32_0) true)
+(expandtypeattribute (labeledfs_32_0) true)
+(expandtypeattribute (launcherapps_service_32_0) true)
+(expandtypeattribute (legacy_permission_service_32_0) true)
+(expandtypeattribute (legacykeystore_service_32_0) true)
+(expandtypeattribute (libc_debug_prop_32_0) true)
+(expandtypeattribute (light_service_32_0) true)
+(expandtypeattribute (linkerconfig_file_32_0) true)
+(expandtypeattribute (llkd_32_0) true)
+(expandtypeattribute (llkd_exec_32_0) true)
+(expandtypeattribute (llkd_prop_32_0) true)
+(expandtypeattribute (lmkd_32_0) true)
+(expandtypeattribute (lmkd_config_prop_32_0) true)
+(expandtypeattribute (lmkd_exec_32_0) true)
+(expandtypeattribute (lmkd_prop_32_0) true)
+(expandtypeattribute (lmkd_socket_32_0) true)
+(expandtypeattribute (location_service_32_0) true)
+(expandtypeattribute (location_time_zone_manager_service_32_0) true)
+(expandtypeattribute (lock_settings_service_32_0) true)
+(expandtypeattribute (log_prop_32_0) true)
+(expandtypeattribute (log_tag_prop_32_0) true)
+(expandtypeattribute (logcat_exec_32_0) true)
+(expandtypeattribute (logd_32_0) true)
+(expandtypeattribute (logd_exec_32_0) true)
+(expandtypeattribute (logd_prop_32_0) true)
+(expandtypeattribute (logd_socket_32_0) true)
+(expandtypeattribute (logdr_socket_32_0) true)
+(expandtypeattribute (logdw_socket_32_0) true)
+(expandtypeattribute (logpersist_32_0) true)
+(expandtypeattribute (logpersistd_logging_prop_32_0) true)
+(expandtypeattribute (loop_control_device_32_0) true)
+(expandtypeattribute (loop_device_32_0) true)
+(expandtypeattribute (looper_stats_service_32_0) true)
+(expandtypeattribute (lowpan_device_32_0) true)
+(expandtypeattribute (lowpan_prop_32_0) true)
+(expandtypeattribute (lowpan_service_32_0) true)
+(expandtypeattribute (lpdump_service_32_0) true)
+(expandtypeattribute (lpdumpd_prop_32_0) true)
+(expandtypeattribute (mac_perms_file_32_0) true)
+(expandtypeattribute (mdns_socket_32_0) true)
+(expandtypeattribute (mdnsd_32_0) true)
+(expandtypeattribute (mdnsd_socket_32_0) true)
+(expandtypeattribute (media_communication_service_32_0) true)
+(expandtypeattribute (media_config_prop_32_0) true)
+(expandtypeattribute (media_data_file_32_0) true)
+(expandtypeattribute (media_metrics_service_32_0) true)
+(expandtypeattribute (media_projection_service_32_0) true)
+(expandtypeattribute (media_router_service_32_0) true)
+(expandtypeattribute (media_rw_data_file_32_0) true)
+(expandtypeattribute (media_session_service_32_0) true)
+(expandtypeattribute (media_variant_prop_32_0) true)
+(expandtypeattribute (mediadrm_config_prop_32_0) true)
+(expandtypeattribute (mediadrmserver_32_0) true)
+(expandtypeattribute (mediadrmserver_exec_32_0) true)
+(expandtypeattribute (mediadrmserver_service_32_0) true)
+(expandtypeattribute (mediaextractor_32_0) true)
+(expandtypeattribute (mediaextractor_exec_32_0) true)
+(expandtypeattribute (mediaextractor_service_32_0) true)
+(expandtypeattribute (mediaextractor_tmpfs_32_0) true)
+(expandtypeattribute (mediametrics_32_0) true)
+(expandtypeattribute (mediametrics_exec_32_0) true)
+(expandtypeattribute (mediametrics_service_32_0) true)
+(expandtypeattribute (mediaprovider_32_0) true)
+(expandtypeattribute (mediaserver_32_0) true)
+(expandtypeattribute (mediaserver_exec_32_0) true)
+(expandtypeattribute (mediaserver_service_32_0) true)
+(expandtypeattribute (mediaserver_tmpfs_32_0) true)
+(expandtypeattribute (mediaswcodec_32_0) true)
+(expandtypeattribute (mediaswcodec_exec_32_0) true)
+(expandtypeattribute (mediatranscoding_service_32_0) true)
+(expandtypeattribute (meminfo_service_32_0) true)
+(expandtypeattribute (memtrackproxy_service_32_0) true)
+(expandtypeattribute (metadata_block_device_32_0) true)
+(expandtypeattribute (metadata_bootstat_file_32_0) true)
+(expandtypeattribute (metadata_file_32_0) true)
+(expandtypeattribute (method_trace_data_file_32_0) true)
+(expandtypeattribute (midi_service_32_0) true)
+(expandtypeattribute (mirror_data_file_32_0) true)
+(expandtypeattribute (misc_block_device_32_0) true)
+(expandtypeattribute (misc_logd_file_32_0) true)
+(expandtypeattribute (misc_user_data_file_32_0) true)
+(expandtypeattribute (mm_events_config_prop_32_0) true)
+(expandtypeattribute (mmc_prop_32_0) true)
+(expandtypeattribute (mnt_expand_file_32_0) true)
+(expandtypeattribute (mnt_media_rw_file_32_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_32_0) true)
+(expandtypeattribute (mnt_pass_through_file_32_0) true)
+(expandtypeattribute (mnt_product_file_32_0) true)
+(expandtypeattribute (mnt_sdcard_file_32_0) true)
+(expandtypeattribute (mnt_user_file_32_0) true)
+(expandtypeattribute (mnt_vendor_file_32_0) true)
+(expandtypeattribute (mock_ota_prop_32_0) true)
+(expandtypeattribute (modprobe_32_0) true)
+(expandtypeattribute (module_sdkextensions_prop_32_0) true)
+(expandtypeattribute (mount_service_32_0) true)
+(expandtypeattribute (mqueue_32_0) true)
+(expandtypeattribute (mtp_32_0) true)
+(expandtypeattribute (mtp_device_32_0) true)
+(expandtypeattribute (mtp_exec_32_0) true)
+(expandtypeattribute (mtpd_socket_32_0) true)
+(expandtypeattribute (music_recognition_service_32_0) true)
+(expandtypeattribute (nativetest_data_file_32_0) true)
+(expandtypeattribute (net_data_file_32_0) true)
+(expandtypeattribute (net_dns_prop_32_0) true)
+(expandtypeattribute (net_radio_prop_32_0) true)
+(expandtypeattribute (netd_32_0) true)
+(expandtypeattribute (netd_exec_32_0) true)
+(expandtypeattribute (netd_listener_service_32_0) true)
+(expandtypeattribute (netd_service_32_0) true)
+(expandtypeattribute (netif_32_0) true)
+(expandtypeattribute (netpolicy_service_32_0) true)
+(expandtypeattribute (netstats_service_32_0) true)
+(expandtypeattribute (netutils_wrapper_32_0) true)
+(expandtypeattribute (netutils_wrapper_exec_32_0) true)
+(expandtypeattribute (network_management_service_32_0) true)
+(expandtypeattribute (network_score_service_32_0) true)
+(expandtypeattribute (network_stack_32_0) true)
+(expandtypeattribute (network_stack_service_32_0) true)
+(expandtypeattribute (network_time_update_service_32_0) true)
+(expandtypeattribute (network_watchlist_data_file_32_0) true)
+(expandtypeattribute (network_watchlist_service_32_0) true)
+(expandtypeattribute (nfc_32_0) true)
+(expandtypeattribute (nfc_data_file_32_0) true)
+(expandtypeattribute (nfc_device_32_0) true)
+(expandtypeattribute (nfc_logs_data_file_32_0) true)
+(expandtypeattribute (nfc_prop_32_0) true)
+(expandtypeattribute (nfc_service_32_0) true)
+(expandtypeattribute (nnapi_ext_deny_product_prop_32_0) true)
+(expandtypeattribute (node_32_0) true)
+(expandtypeattribute (nonplat_service_contexts_file_32_0) true)
+(expandtypeattribute (notification_service_32_0) true)
+(expandtypeattribute (null_device_32_0) true)
+(expandtypeattribute (oem_lock_service_32_0) true)
+(expandtypeattribute (oem_unlock_prop_32_0) true)
+(expandtypeattribute (oemfs_32_0) true)
+(expandtypeattribute (ota_data_file_32_0) true)
+(expandtypeattribute (ota_metadata_file_32_0) true)
+(expandtypeattribute (ota_package_file_32_0) true)
+(expandtypeattribute (ota_prop_32_0) true)
+(expandtypeattribute (otadexopt_service_32_0) true)
+(expandtypeattribute (otapreopt_chroot_32_0) true)
+(expandtypeattribute (overlay_prop_32_0) true)
+(expandtypeattribute (overlay_service_32_0) true)
+(expandtypeattribute (overlayfs_file_32_0) true)
+(expandtypeattribute (owntty_device_32_0) true)
+(expandtypeattribute (pac_proxy_service_32_0) true)
+(expandtypeattribute (package_native_service_32_0) true)
+(expandtypeattribute (package_service_32_0) true)
+(expandtypeattribute (packagemanager_config_prop_32_0) true)
+(expandtypeattribute (packages_list_file_32_0) true)
+(expandtypeattribute (pan_result_prop_32_0) true)
+(expandtypeattribute (password_slot_metadata_file_32_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_32_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_32_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_32_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_display_dir_32_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_32_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_32_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_32_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_32_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_32_0) true)
+(expandtypeattribute (pdx_performance_dir_32_0) true)
+(expandtypeattribute (people_service_32_0) true)
+(expandtypeattribute (perfetto_32_0) true)
+(expandtypeattribute (performanced_32_0) true)
+(expandtypeattribute (performanced_exec_32_0) true)
+(expandtypeattribute (permission_checker_service_32_0) true)
+(expandtypeattribute (permission_service_32_0) true)
+(expandtypeattribute (permissionmgr_service_32_0) true)
+(expandtypeattribute (persist_debug_prop_32_0) true)
+(expandtypeattribute (persist_vendor_debug_wifi_prop_32_0) true)
+(expandtypeattribute (persistent_data_block_service_32_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_32_0) true)
+(expandtypeattribute (pinner_service_32_0) true)
+(expandtypeattribute (pipefs_32_0) true)
+(expandtypeattribute (platform_app_32_0) true)
+(expandtypeattribute (platform_compat_service_32_0) true)
+(expandtypeattribute (pmsg_device_32_0) true)
+(expandtypeattribute (port_32_0) true)
+(expandtypeattribute (port_device_32_0) true)
+(expandtypeattribute (postinstall_32_0) true)
+(expandtypeattribute (postinstall_apex_mnt_dir_32_0) true)
+(expandtypeattribute (postinstall_file_32_0) true)
+(expandtypeattribute (postinstall_mnt_dir_32_0) true)
+(expandtypeattribute (power_debug_prop_32_0) true)
+(expandtypeattribute (power_service_32_0) true)
+(expandtypeattribute (powerctl_prop_32_0) true)
+(expandtypeattribute (powerstats_service_32_0) true)
+(expandtypeattribute (ppp_32_0) true)
+(expandtypeattribute (ppp_device_32_0) true)
+(expandtypeattribute (ppp_exec_32_0) true)
+(expandtypeattribute (preloads_data_file_32_0) true)
+(expandtypeattribute (preloads_media_file_32_0) true)
+(expandtypeattribute (prereboot_data_file_32_0) true)
+(expandtypeattribute (print_service_32_0) true)
+(expandtypeattribute (priv_app_32_0) true)
+(expandtypeattribute (privapp_data_file_32_0) true)
+(expandtypeattribute (proc_32_0) true)
+(expandtypeattribute (proc_abi_32_0) true)
+(expandtypeattribute (proc_asound_32_0) true)
+(expandtypeattribute (proc_bluetooth_writable_32_0) true)
+(expandtypeattribute (proc_bootconfig_32_0) true)
+(expandtypeattribute (proc_buddyinfo_32_0) true)
+(expandtypeattribute (proc_cmdline_32_0) true)
+(expandtypeattribute (proc_cpuinfo_32_0) true)
+(expandtypeattribute (proc_dirty_32_0) true)
+(expandtypeattribute (proc_diskstats_32_0) true)
+(expandtypeattribute (proc_drop_caches_32_0) true)
+(expandtypeattribute (proc_extra_free_kbytes_32_0) true)
+(expandtypeattribute (proc_filesystems_32_0) true)
+(expandtypeattribute (proc_fs_verity_32_0) true)
+(expandtypeattribute (proc_hostname_32_0) true)
+(expandtypeattribute (proc_hung_task_32_0) true)
+(expandtypeattribute (proc_interrupts_32_0) true)
+(expandtypeattribute (proc_iomem_32_0) true)
+(expandtypeattribute (proc_kallsyms_32_0) true)
+(expandtypeattribute (proc_keys_32_0) true)
+(expandtypeattribute (proc_kmsg_32_0) true)
+(expandtypeattribute (proc_kpageflags_32_0) true)
+(expandtypeattribute (proc_loadavg_32_0) true)
+(expandtypeattribute (proc_locks_32_0) true)
+(expandtypeattribute (proc_lowmemorykiller_32_0) true)
+(expandtypeattribute (proc_max_map_count_32_0) true)
+(expandtypeattribute (proc_meminfo_32_0) true)
+(expandtypeattribute (proc_min_free_order_shift_32_0) true)
+(expandtypeattribute (proc_misc_32_0) true)
+(expandtypeattribute (proc_modules_32_0) true)
+(expandtypeattribute (proc_mounts_32_0) true)
+(expandtypeattribute (proc_net_32_0) true)
+(expandtypeattribute (proc_net_tcp_udp_32_0) true)
+(expandtypeattribute (proc_overcommit_memory_32_0) true)
+(expandtypeattribute (proc_page_cluster_32_0) true)
+(expandtypeattribute (proc_pagetypeinfo_32_0) true)
+(expandtypeattribute (proc_panic_32_0) true)
+(expandtypeattribute (proc_perf_32_0) true)
+(expandtypeattribute (proc_pid_max_32_0) true)
+(expandtypeattribute (proc_pipe_conf_32_0) true)
+(expandtypeattribute (proc_pressure_cpu_32_0) true)
+(expandtypeattribute (proc_pressure_io_32_0) true)
+(expandtypeattribute (proc_pressure_mem_32_0) true)
+(expandtypeattribute (proc_qtaguid_ctrl_32_0) true)
+(expandtypeattribute (proc_qtaguid_stat_32_0) true)
+(expandtypeattribute (proc_random_32_0) true)
+(expandtypeattribute (proc_sched_32_0) true)
+(expandtypeattribute (proc_security_32_0) true)
+(expandtypeattribute (proc_slabinfo_32_0) true)
+(expandtypeattribute (proc_stat_32_0) true)
+(expandtypeattribute (proc_swaps_32_0) true)
+(expandtypeattribute (proc_sysrq_32_0) true)
+(expandtypeattribute (proc_timer_32_0) true)
+(expandtypeattribute (proc_tty_drivers_32_0) true)
+(expandtypeattribute (proc_uid_concurrent_active_time_32_0) true)
+(expandtypeattribute (proc_uid_concurrent_policy_time_32_0) true)
+(expandtypeattribute (proc_uid_cpupower_32_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_32_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_32_0) true)
+(expandtypeattribute (proc_uid_io_stats_32_0) true)
+(expandtypeattribute (proc_uid_procstat_set_32_0) true)
+(expandtypeattribute (proc_uid_time_in_state_32_0) true)
+(expandtypeattribute (proc_uptime_32_0) true)
+(expandtypeattribute (proc_vendor_sched_32_0) true)
+(expandtypeattribute (proc_version_32_0) true)
+(expandtypeattribute (proc_vmallocinfo_32_0) true)
+(expandtypeattribute (proc_vmstat_32_0) true)
+(expandtypeattribute (proc_zoneinfo_32_0) true)
+(expandtypeattribute (processinfo_service_32_0) true)
+(expandtypeattribute (procstats_service_32_0) true)
+(expandtypeattribute (profman_32_0) true)
+(expandtypeattribute (profman_dump_data_file_32_0) true)
+(expandtypeattribute (profman_exec_32_0) true)
+(expandtypeattribute (properties_device_32_0) true)
+(expandtypeattribute (properties_serial_32_0) true)
+(expandtypeattribute (property_contexts_file_32_0) true)
+(expandtypeattribute (property_data_file_32_0) true)
+(expandtypeattribute (property_info_32_0) true)
+(expandtypeattribute (property_service_version_prop_32_0) true)
+(expandtypeattribute (property_socket_32_0) true)
+(expandtypeattribute (provisioned_prop_32_0) true)
+(expandtypeattribute (pstorefs_32_0) true)
+(expandtypeattribute (ptmx_device_32_0) true)
+(expandtypeattribute (qemu_hw_prop_32_0) true)
+(expandtypeattribute (qemu_sf_lcd_density_prop_32_0) true)
+(expandtypeattribute (qtaguid_device_32_0) true)
+(expandtypeattribute (racoon_32_0) true)
+(expandtypeattribute (racoon_exec_32_0) true)
+(expandtypeattribute (racoon_socket_32_0) true)
+(expandtypeattribute (radio_32_0) true)
+(expandtypeattribute (radio_control_prop_32_0) true)
+(expandtypeattribute (radio_core_data_file_32_0) true)
+(expandtypeattribute (radio_data_file_32_0) true)
+(expandtypeattribute (radio_device_32_0) true)
+(expandtypeattribute (radio_prop_32_0) true)
+(expandtypeattribute (radio_service_32_0) true)
+(expandtypeattribute (ram_device_32_0) true)
+(expandtypeattribute (random_device_32_0) true)
+(expandtypeattribute (reboot_readiness_service_32_0) true)
+(expandtypeattribute (rebootescrow_hal_prop_32_0) true)
+(expandtypeattribute (recovery_32_0) true)
+(expandtypeattribute (recovery_block_device_32_0) true)
+(expandtypeattribute (recovery_config_prop_32_0) true)
+(expandtypeattribute (recovery_data_file_32_0) true)
+(expandtypeattribute (recovery_persist_32_0) true)
+(expandtypeattribute (recovery_persist_exec_32_0) true)
+(expandtypeattribute (recovery_refresh_32_0) true)
+(expandtypeattribute (recovery_refresh_exec_32_0) true)
+(expandtypeattribute (recovery_service_32_0) true)
+(expandtypeattribute (recovery_socket_32_0) true)
+(expandtypeattribute (registry_service_32_0) true)
+(expandtypeattribute (remoteprovisioning_service_32_0) true)
+(expandtypeattribute (resourcecache_data_file_32_0) true)
+(expandtypeattribute (restorecon_prop_32_0) true)
+(expandtypeattribute (restrictions_service_32_0) true)
+(expandtypeattribute (retaildemo_prop_32_0) true)
+(expandtypeattribute (rild_debug_socket_32_0) true)
+(expandtypeattribute (rild_socket_32_0) true)
+(expandtypeattribute (ringtone_file_32_0) true)
+(expandtypeattribute (role_service_32_0) true)
+(expandtypeattribute (rollback_service_32_0) true)
+(expandtypeattribute (root_block_device_32_0) true)
+(expandtypeattribute (rootfs_32_0) true)
+(expandtypeattribute (rpmsg_device_32_0) true)
+(expandtypeattribute (rs_32_0) true)
+(expandtypeattribute (rs_exec_32_0) true)
+(expandtypeattribute (rss_hwm_reset_32_0) true)
+(expandtypeattribute (rtc_device_32_0) true)
+(expandtypeattribute (rttmanager_service_32_0) true)
+(expandtypeattribute (runas_32_0) true)
+(expandtypeattribute (runas_app_32_0) true)
+(expandtypeattribute (runas_exec_32_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_32_0) true)
+(expandtypeattribute (runtime_service_32_0) true)
+(expandtypeattribute (safemode_prop_32_0) true)
+(expandtypeattribute (same_process_hal_file_32_0) true)
+(expandtypeattribute (samplingprofiler_service_32_0) true)
+(expandtypeattribute (scheduling_policy_service_32_0) true)
+(expandtypeattribute (sdcard_block_device_32_0) true)
+(expandtypeattribute (sdcardd_32_0) true)
+(expandtypeattribute (sdcardd_exec_32_0) true)
+(expandtypeattribute (sdcardfs_32_0) true)
+(expandtypeattribute (seapp_contexts_file_32_0) true)
+(expandtypeattribute (search_service_32_0) true)
+(expandtypeattribute (search_ui_service_32_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_32_0) true)
+(expandtypeattribute (secure_element_32_0) true)
+(expandtypeattribute (secure_element_device_32_0) true)
+(expandtypeattribute (secure_element_service_32_0) true)
+(expandtypeattribute (securityfs_32_0) true)
+(expandtypeattribute (selinuxfs_32_0) true)
+(expandtypeattribute (sendbug_config_prop_32_0) true)
+(expandtypeattribute (sensor_privacy_service_32_0) true)
+(expandtypeattribute (sensors_device_32_0) true)
+(expandtypeattribute (sensorservice_service_32_0) true)
+(expandtypeattribute (sepolicy_file_32_0) true)
+(expandtypeattribute (serial_device_32_0) true)
+(expandtypeattribute (serial_service_32_0) true)
+(expandtypeattribute (serialno_prop_32_0) true)
+(expandtypeattribute (server_configurable_flags_data_file_32_0) true)
+(expandtypeattribute (service_contexts_file_32_0) true)
+(expandtypeattribute (service_manager_service_32_0) true)
+(expandtypeattribute (service_manager_vndservice_32_0) true)
+(expandtypeattribute (servicediscovery_service_32_0) true)
+(expandtypeattribute (servicemanager_32_0) true)
+(expandtypeattribute (servicemanager_exec_32_0) true)
+(expandtypeattribute (settings_service_32_0) true)
+(expandtypeattribute (sgdisk_32_0) true)
+(expandtypeattribute (sgdisk_exec_32_0) true)
+(expandtypeattribute (shared_relro_32_0) true)
+(expandtypeattribute (shared_relro_file_32_0) true)
+(expandtypeattribute (shell_32_0) true)
+(expandtypeattribute (shell_data_file_32_0) true)
+(expandtypeattribute (shell_exec_32_0) true)
+(expandtypeattribute (shell_prop_32_0) true)
+(expandtypeattribute (shell_test_data_file_32_0) true)
+(expandtypeattribute (shm_32_0) true)
+(expandtypeattribute (shortcut_manager_icons_32_0) true)
+(expandtypeattribute (shortcut_service_32_0) true)
+(expandtypeattribute (simpleperf_32_0) true)
+(expandtypeattribute (simpleperf_app_runner_32_0) true)
+(expandtypeattribute (simpleperf_app_runner_exec_32_0) true)
+(expandtypeattribute (slice_service_32_0) true)
+(expandtypeattribute (slideshow_32_0) true)
+(expandtypeattribute (smartspace_service_32_0) true)
+(expandtypeattribute (snapshotctl_log_data_file_32_0) true)
+(expandtypeattribute (snapuserd_socket_32_0) true)
+(expandtypeattribute (soc_prop_32_0) true)
+(expandtypeattribute (socket_device_32_0) true)
+(expandtypeattribute (socket_hook_prop_32_0) true)
+(expandtypeattribute (sockfs_32_0) true)
+(expandtypeattribute (sota_prop_32_0) true)
+(expandtypeattribute (soundtrigger_middleware_service_32_0) true)
+(expandtypeattribute (speech_recognition_service_32_0) true)
+(expandtypeattribute (sqlite_log_prop_32_0) true)
+(expandtypeattribute (staged_install_file_32_0) true)
+(expandtypeattribute (staging_data_file_32_0) true)
+(expandtypeattribute (stats_data_file_32_0) true)
+(expandtypeattribute (statsd_32_0) true)
+(expandtypeattribute (statsd_exec_32_0) true)
+(expandtypeattribute (statsdw_socket_32_0) true)
+(expandtypeattribute (statusbar_service_32_0) true)
+(expandtypeattribute (storage_config_prop_32_0) true)
+(expandtypeattribute (storage_file_32_0) true)
+(expandtypeattribute (storage_stub_file_32_0) true)
+(expandtypeattribute (storaged_service_32_0) true)
+(expandtypeattribute (storagemanager_config_prop_32_0) true)
+(expandtypeattribute (storagestats_service_32_0) true)
+(expandtypeattribute (su_32_0) true)
+(expandtypeattribute (su_exec_32_0) true)
+(expandtypeattribute (super_block_device_32_0) true)
+(expandtypeattribute (surfaceflinger_32_0) true)
+(expandtypeattribute (surfaceflinger_color_prop_32_0) true)
+(expandtypeattribute (surfaceflinger_display_prop_32_0) true)
+(expandtypeattribute (surfaceflinger_prop_32_0) true)
+(expandtypeattribute (surfaceflinger_service_32_0) true)
+(expandtypeattribute (surfaceflinger_tmpfs_32_0) true)
+(expandtypeattribute (suspend_prop_32_0) true)
+(expandtypeattribute (swap_block_device_32_0) true)
+(expandtypeattribute (sysfs_32_0) true)
+(expandtypeattribute (sysfs_android_usb_32_0) true)
+(expandtypeattribute (sysfs_batteryinfo_32_0) true)
+(expandtypeattribute (sysfs_block_32_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_32_0) true)
+(expandtypeattribute (sysfs_devfreq_cur_32_0) true)
+(expandtypeattribute (sysfs_devfreq_dir_32_0) true)
+(expandtypeattribute (sysfs_devices_block_32_0) true)
+(expandtypeattribute (sysfs_devices_cs_etm_32_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_32_0) true)
+(expandtypeattribute (sysfs_dm_32_0) true)
+(expandtypeattribute (sysfs_dm_verity_32_0) true)
+(expandtypeattribute (sysfs_dma_heap_32_0) true)
+(expandtypeattribute (sysfs_dmabuf_stats_32_0) true)
+(expandtypeattribute (sysfs_dt_firmware_android_32_0) true)
+(expandtypeattribute (sysfs_extcon_32_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_32_0) true)
+(expandtypeattribute (sysfs_fs_f2fs_32_0) true)
+(expandtypeattribute (sysfs_fs_incfs_features_32_0) true)
+(expandtypeattribute (sysfs_fs_incfs_metrics_32_0) true)
+(expandtypeattribute (sysfs_hwrandom_32_0) true)
+(expandtypeattribute (sysfs_ion_32_0) true)
+(expandtypeattribute (sysfs_ipv4_32_0) true)
+(expandtypeattribute (sysfs_kernel_notes_32_0) true)
+(expandtypeattribute (sysfs_leds_32_0) true)
+(expandtypeattribute (sysfs_loop_32_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_32_0) true)
+(expandtypeattribute (sysfs_net_32_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_32_0) true)
+(expandtypeattribute (sysfs_power_32_0) true)
+(expandtypeattribute (sysfs_rtc_32_0) true)
+(expandtypeattribute (sysfs_suspend_stats_32_0) true)
+(expandtypeattribute (sysfs_switch_32_0) true)
+(expandtypeattribute (sysfs_thermal_32_0) true)
+(expandtypeattribute (sysfs_transparent_hugepage_32_0) true)
+(expandtypeattribute (sysfs_uhid_32_0) true)
+(expandtypeattribute (sysfs_uio_32_0) true)
+(expandtypeattribute (sysfs_usb_32_0) true)
+(expandtypeattribute (sysfs_usermodehelper_32_0) true)
+(expandtypeattribute (sysfs_vendor_sched_32_0) true)
+(expandtypeattribute (sysfs_vibrator_32_0) true)
+(expandtypeattribute (sysfs_wake_lock_32_0) true)
+(expandtypeattribute (sysfs_wakeup_32_0) true)
+(expandtypeattribute (sysfs_wakeup_reasons_32_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_32_0) true)
+(expandtypeattribute (sysfs_zram_32_0) true)
+(expandtypeattribute (sysfs_zram_uevent_32_0) true)
+(expandtypeattribute (system_app_32_0) true)
+(expandtypeattribute (system_app_data_file_32_0) true)
+(expandtypeattribute (system_app_service_32_0) true)
+(expandtypeattribute (system_asan_options_file_32_0) true)
+(expandtypeattribute (system_block_device_32_0) true)
+(expandtypeattribute (system_boot_reason_prop_32_0) true)
+(expandtypeattribute (system_bootstrap_lib_file_32_0) true)
+(expandtypeattribute (system_config_service_32_0) true)
+(expandtypeattribute (system_data_file_32_0) true)
+(expandtypeattribute (system_data_root_file_32_0) true)
+(expandtypeattribute (system_event_log_tags_file_32_0) true)
+(expandtypeattribute (system_file_32_0) true)
+(expandtypeattribute (system_group_file_32_0) true)
+(expandtypeattribute (system_jvmti_agent_prop_32_0) true)
+(expandtypeattribute (system_lib_file_32_0) true)
+(expandtypeattribute (system_linker_config_file_32_0) true)
+(expandtypeattribute (system_linker_exec_32_0) true)
+(expandtypeattribute (system_lmk_prop_32_0) true)
+(expandtypeattribute (system_ndebug_socket_32_0) true)
+(expandtypeattribute (system_net_netd_hwservice_32_0) true)
+(expandtypeattribute (system_passwd_file_32_0) true)
+(expandtypeattribute (system_prop_32_0) true)
+(expandtypeattribute (system_seccomp_policy_file_32_0) true)
+(expandtypeattribute (system_security_cacerts_file_32_0) true)
+(expandtypeattribute (system_server_32_0) true)
+(expandtypeattribute (system_server_dumper_service_32_0) true)
+(expandtypeattribute (system_server_tmpfs_32_0) true)
+(expandtypeattribute (system_suspend_control_internal_service_32_0) true)
+(expandtypeattribute (system_suspend_control_service_32_0) true)
+(expandtypeattribute (system_suspend_hwservice_32_0) true)
+(expandtypeattribute (system_trace_prop_32_0) true)
+(expandtypeattribute (system_unsolzygote_socket_32_0) true)
+(expandtypeattribute (system_update_service_32_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_32_0) true)
+(expandtypeattribute (system_wpa_socket_32_0) true)
+(expandtypeattribute (system_zoneinfo_file_32_0) true)
+(expandtypeattribute (systemkeys_data_file_32_0) true)
+(expandtypeattribute (systemsound_config_prop_32_0) true)
+(expandtypeattribute (task_profiles_api_file_32_0) true)
+(expandtypeattribute (task_profiles_file_32_0) true)
+(expandtypeattribute (task_service_32_0) true)
+(expandtypeattribute (tcpdump_exec_32_0) true)
+(expandtypeattribute (tee_32_0) true)
+(expandtypeattribute (tee_data_file_32_0) true)
+(expandtypeattribute (tee_device_32_0) true)
+(expandtypeattribute (telecom_service_32_0) true)
+(expandtypeattribute (telephony_config_prop_32_0) true)
+(expandtypeattribute (telephony_status_prop_32_0) true)
+(expandtypeattribute (test_boot_reason_prop_32_0) true)
+(expandtypeattribute (test_harness_prop_32_0) true)
+(expandtypeattribute (testharness_service_32_0) true)
+(expandtypeattribute (tethering_service_32_0) true)
+(expandtypeattribute (textclassification_service_32_0) true)
+(expandtypeattribute (textclassifier_data_file_32_0) true)
+(expandtypeattribute (textservices_service_32_0) true)
+(expandtypeattribute (texttospeech_service_32_0) true)
+(expandtypeattribute (theme_prop_32_0) true)
+(expandtypeattribute (thermal_service_32_0) true)
+(expandtypeattribute (time_prop_32_0) true)
+(expandtypeattribute (timedetector_service_32_0) true)
+(expandtypeattribute (timezone_service_32_0) true)
+(expandtypeattribute (timezonedetector_service_32_0) true)
+(expandtypeattribute (tmpfs_32_0) true)
+(expandtypeattribute (tombstone_config_prop_32_0) true)
+(expandtypeattribute (tombstone_data_file_32_0) true)
+(expandtypeattribute (tombstone_wifi_data_file_32_0) true)
+(expandtypeattribute (tombstoned_32_0) true)
+(expandtypeattribute (tombstoned_crash_socket_32_0) true)
+(expandtypeattribute (tombstoned_exec_32_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_32_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_32_0) true)
+(expandtypeattribute (toolbox_32_0) true)
+(expandtypeattribute (toolbox_exec_32_0) true)
+(expandtypeattribute (trace_data_file_32_0) true)
+(expandtypeattribute (traced_32_0) true)
+(expandtypeattribute (traced_consumer_socket_32_0) true)
+(expandtypeattribute (traced_enabled_prop_32_0) true)
+(expandtypeattribute (traced_lazy_prop_32_0) true)
+(expandtypeattribute (traced_perf_32_0) true)
+(expandtypeattribute (traced_perf_socket_32_0) true)
+(expandtypeattribute (traced_probes_32_0) true)
+(expandtypeattribute (traced_producer_socket_32_0) true)
+(expandtypeattribute (traced_tmpfs_32_0) true)
+(expandtypeattribute (traceur_app_32_0) true)
+(expandtypeattribute (translation_service_32_0) true)
+(expandtypeattribute (trust_service_32_0) true)
+(expandtypeattribute (tty_device_32_0) true)
+(expandtypeattribute (tun_device_32_0) true)
+(expandtypeattribute (tv_input_service_32_0) true)
+(expandtypeattribute (tv_tuner_resource_mgr_service_32_0) true)
+(expandtypeattribute (tzdatacheck_32_0) true)
+(expandtypeattribute (tzdatacheck_exec_32_0) true)
+(expandtypeattribute (ueventd_32_0) true)
+(expandtypeattribute (ueventd_tmpfs_32_0) true)
+(expandtypeattribute (uhid_device_32_0) true)
+(expandtypeattribute (uimode_service_32_0) true)
+(expandtypeattribute (uio_device_32_0) true)
+(expandtypeattribute (uncrypt_32_0) true)
+(expandtypeattribute (uncrypt_exec_32_0) true)
+(expandtypeattribute (uncrypt_socket_32_0) true)
+(expandtypeattribute (unencrypted_data_file_32_0) true)
+(expandtypeattribute (unlabeled_32_0) true)
+(expandtypeattribute (untrusted_app_25_32_0) true)
+(expandtypeattribute (untrusted_app_27_32_0) true)
+(expandtypeattribute (untrusted_app_29_32_0) true)
+(expandtypeattribute (untrusted_app_32_0) true)
+(expandtypeattribute (update_engine_32_0) true)
+(expandtypeattribute (update_engine_data_file_32_0) true)
+(expandtypeattribute (update_engine_exec_32_0) true)
+(expandtypeattribute (update_engine_log_data_file_32_0) true)
+(expandtypeattribute (update_engine_service_32_0) true)
+(expandtypeattribute (update_engine_stable_service_32_0) true)
+(expandtypeattribute (update_verifier_32_0) true)
+(expandtypeattribute (update_verifier_exec_32_0) true)
+(expandtypeattribute (updatelock_service_32_0) true)
+(expandtypeattribute (uri_grants_service_32_0) true)
+(expandtypeattribute (usagestats_service_32_0) true)
+(expandtypeattribute (usb_config_prop_32_0) true)
+(expandtypeattribute (usb_control_prop_32_0) true)
+(expandtypeattribute (usb_device_32_0) true)
+(expandtypeattribute (usb_prop_32_0) true)
+(expandtypeattribute (usb_serial_device_32_0) true)
+(expandtypeattribute (usb_service_32_0) true)
+(expandtypeattribute (usbaccessory_device_32_0) true)
+(expandtypeattribute (usbd_32_0) true)
+(expandtypeattribute (usbd_exec_32_0) true)
+(expandtypeattribute (usbfs_32_0) true)
+(expandtypeattribute (use_memfd_prop_32_0) true)
+(expandtypeattribute (user_profile_data_file_32_0) true)
+(expandtypeattribute (user_profile_root_file_32_0) true)
+(expandtypeattribute (user_service_32_0) true)
+(expandtypeattribute (userdata_block_device_32_0) true)
+(expandtypeattribute (userdata_sysdev_32_0) true)
+(expandtypeattribute (usermodehelper_32_0) true)
+(expandtypeattribute (userspace_reboot_config_prop_32_0) true)
+(expandtypeattribute (userspace_reboot_exported_prop_32_0) true)
+(expandtypeattribute (userspace_reboot_metadata_file_32_0) true)
+(expandtypeattribute (uwb_service_32_0) true)
+(expandtypeattribute (vcn_management_service_32_0) true)
+(expandtypeattribute (vd_device_32_0) true)
+(expandtypeattribute (vdc_32_0) true)
+(expandtypeattribute (vdc_exec_32_0) true)
+(expandtypeattribute (vehicle_hal_prop_32_0) true)
+(expandtypeattribute (vendor_apex_file_32_0) true)
+(expandtypeattribute (vendor_app_file_32_0) true)
+(expandtypeattribute (vendor_cgroup_desc_file_32_0) true)
+(expandtypeattribute (vendor_configs_file_32_0) true)
+(expandtypeattribute (vendor_data_file_32_0) true)
+(expandtypeattribute (vendor_default_prop_32_0) true)
+(expandtypeattribute (vendor_file_32_0) true)
+(expandtypeattribute (vendor_framework_file_32_0) true)
+(expandtypeattribute (vendor_hal_file_32_0) true)
+(expandtypeattribute (vendor_idc_file_32_0) true)
+(expandtypeattribute (vendor_init_32_0) true)
+(expandtypeattribute (vendor_kernel_modules_32_0) true)
+(expandtypeattribute (vendor_keychars_file_32_0) true)
+(expandtypeattribute (vendor_keylayout_file_32_0) true)
+(expandtypeattribute (vendor_misc_writer_32_0) true)
+(expandtypeattribute (vendor_misc_writer_exec_32_0) true)
+(expandtypeattribute (vendor_modprobe_32_0) true)
+(expandtypeattribute (vendor_overlay_file_32_0) true)
+(expandtypeattribute (vendor_public_framework_file_32_0) true)
+(expandtypeattribute (vendor_public_lib_file_32_0) true)
+(expandtypeattribute (vendor_security_patch_level_prop_32_0) true)
+(expandtypeattribute (vendor_service_contexts_file_32_0) true)
+(expandtypeattribute (vendor_shell_32_0) true)
+(expandtypeattribute (vendor_shell_exec_32_0) true)
+(expandtypeattribute (vendor_socket_hook_prop_32_0) true)
+(expandtypeattribute (vendor_task_profiles_file_32_0) true)
+(expandtypeattribute (vendor_toolbox_exec_32_0) true)
+(expandtypeattribute (vfat_32_0) true)
+(expandtypeattribute (vibrator_manager_service_32_0) true)
+(expandtypeattribute (vibrator_service_32_0) true)
+(expandtypeattribute (video_device_32_0) true)
+(expandtypeattribute (virtual_ab_prop_32_0) true)
+(expandtypeattribute (virtual_touchpad_32_0) true)
+(expandtypeattribute (virtual_touchpad_exec_32_0) true)
+(expandtypeattribute (virtual_touchpad_service_32_0) true)
+(expandtypeattribute (virtualization_service_32_0) true)
+(expandtypeattribute (vndbinder_device_32_0) true)
+(expandtypeattribute (vndk_prop_32_0) true)
+(expandtypeattribute (vndk_sp_file_32_0) true)
+(expandtypeattribute (vndservice_contexts_file_32_0) true)
+(expandtypeattribute (vndservicemanager_32_0) true)
+(expandtypeattribute (voiceinteraction_service_32_0) true)
+(expandtypeattribute (vold_32_0) true)
+(expandtypeattribute (vold_config_prop_32_0) true)
+(expandtypeattribute (vold_data_file_32_0) true)
+(expandtypeattribute (vold_device_32_0) true)
+(expandtypeattribute (vold_exec_32_0) true)
+(expandtypeattribute (vold_metadata_file_32_0) true)
+(expandtypeattribute (vold_post_fs_data_prop_32_0) true)
+(expandtypeattribute (vold_prepare_subdirs_32_0) true)
+(expandtypeattribute (vold_prepare_subdirs_exec_32_0) true)
+(expandtypeattribute (vold_prop_32_0) true)
+(expandtypeattribute (vold_service_32_0) true)
+(expandtypeattribute (vold_status_prop_32_0) true)
+(expandtypeattribute (vpn_data_file_32_0) true)
+(expandtypeattribute (vpn_management_service_32_0) true)
+(expandtypeattribute (vr_hwc_32_0) true)
+(expandtypeattribute (vr_hwc_exec_32_0) true)
+(expandtypeattribute (vr_hwc_service_32_0) true)
+(expandtypeattribute (vr_manager_service_32_0) true)
+(expandtypeattribute (vrflinger_vsync_service_32_0) true)
+(expandtypeattribute (vts_config_prop_32_0) true)
+(expandtypeattribute (vts_status_prop_32_0) true)
+(expandtypeattribute (wallpaper_file_32_0) true)
+(expandtypeattribute (wallpaper_service_32_0) true)
+(expandtypeattribute (watchdog_device_32_0) true)
+(expandtypeattribute (watchdog_metadata_file_32_0) true)
+(expandtypeattribute (watchdogd_32_0) true)
+(expandtypeattribute (watchdogd_exec_32_0) true)
+(expandtypeattribute (webview_zygote_32_0) true)
+(expandtypeattribute (webview_zygote_exec_32_0) true)
+(expandtypeattribute (webview_zygote_tmpfs_32_0) true)
+(expandtypeattribute (webviewupdate_service_32_0) true)
+(expandtypeattribute (wifi_config_prop_32_0) true)
+(expandtypeattribute (wifi_data_file_32_0) true)
+(expandtypeattribute (wifi_hal_prop_32_0) true)
+(expandtypeattribute (wifi_key_32_0) true)
+(expandtypeattribute (wifi_log_prop_32_0) true)
+(expandtypeattribute (wifi_prop_32_0) true)
+(expandtypeattribute (wifi_service_32_0) true)
+(expandtypeattribute (wifiaware_service_32_0) true)
+(expandtypeattribute (wificond_32_0) true)
+(expandtypeattribute (wificond_exec_32_0) true)
+(expandtypeattribute (wifinl80211_service_32_0) true)
+(expandtypeattribute (wifip2p_service_32_0) true)
+(expandtypeattribute (wifiscanner_service_32_0) true)
+(expandtypeattribute (window_service_32_0) true)
+(expandtypeattribute (wpa_socket_32_0) true)
+(expandtypeattribute (wpantund_32_0) true)
+(expandtypeattribute (wpantund_exec_32_0) true)
+(expandtypeattribute (wpantund_service_32_0) true)
+(expandtypeattribute (zero_device_32_0) true)
+(expandtypeattribute (zoneinfo_data_file_32_0) true)
+(expandtypeattribute (zram_config_prop_32_0) true)
+(expandtypeattribute (zram_control_prop_32_0) true)
+(expandtypeattribute (zygote_32_0) true)
+(expandtypeattribute (zygote_config_prop_32_0) true)
+(expandtypeattribute (zygote_exec_32_0) true)
+(expandtypeattribute (zygote_socket_32_0) true)
+(expandtypeattribute (zygote_tmpfs_32_0) true)
+(typeattributeset DockObserver_service_32_0 (DockObserver_service))
+(typeattributeset IProxyService_service_32_0 (IProxyService_service))
+(typeattributeset aac_drc_prop_32_0 (aac_drc_prop))
+(typeattributeset aaudio_config_prop_32_0 (aaudio_config_prop))
+(typeattributeset ab_update_gki_prop_32_0 (ab_update_gki_prop))
+(typeattributeset accessibility_service_32_0 (accessibility_service))
+(typeattributeset account_service_32_0 (account_service))
+(typeattributeset activity_service_32_0 (activity_service))
+(typeattributeset activity_task_service_32_0 (activity_task_service))
+(typeattributeset adb_data_file_32_0 (adb_data_file))
+(typeattributeset adb_keys_file_32_0 (adb_keys_file))
+(typeattributeset adb_service_32_0 (adb_service))
+(typeattributeset adbd_32_0 (adbd))
+(typeattributeset adbd_config_prop_32_0 (adbd_config_prop))
+(typeattributeset adbd_exec_32_0 (adbd_exec))
+(typeattributeset adbd_socket_32_0 (adbd_socket))
+(typeattributeset aidl_lazy_test_server_32_0 (aidl_lazy_test_server))
+(typeattributeset aidl_lazy_test_server_exec_32_0 (aidl_lazy_test_server_exec))
+(typeattributeset aidl_lazy_test_service_32_0 (aidl_lazy_test_service))
+(typeattributeset alarm_service_32_0 (alarm_service))
+(typeattributeset anr_data_file_32_0 (anr_data_file))
+(typeattributeset apc_service_32_0 (apc_service))
+(typeattributeset apex_appsearch_data_file_32_0 (apex_appsearch_data_file apex_system_server_data_file))
+(typeattributeset apex_data_file_32_0 (apex_data_file))
+(typeattributeset apex_info_file_32_0 (apex_info_file))
+(typeattributeset apex_metadata_file_32_0 (apex_metadata_file))
+(typeattributeset apex_mnt_dir_32_0 (apex_mnt_dir))
+(typeattributeset apex_module_data_file_32_0 (apex_module_data_file))
+(typeattributeset apex_ota_reserved_file_32_0 (apex_ota_reserved_file))
+(typeattributeset apex_permission_data_file_32_0 (apex_permission_data_file apex_system_server_data_file))
+(typeattributeset apex_rollback_data_file_32_0 (apex_rollback_data_file))
+(typeattributeset apex_scheduling_data_file_32_0 (apex_scheduling_data_file apex_system_server_data_file))
+(typeattributeset apex_service_32_0 (apex_service))
+(typeattributeset apex_wifi_data_file_32_0 (apex_wifi_data_file apex_system_server_data_file))
+(typeattributeset apexd_32_0 (apexd))
+(typeattributeset apexd_config_prop_32_0 (apexd_config_prop))
+(typeattributeset apexd_exec_32_0 (apexd_exec))
+(typeattributeset apexd_prop_32_0 (apexd_prop))
+(typeattributeset apk_data_file_32_0 (apk_data_file))
+(typeattributeset apk_private_data_file_32_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_32_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_32_0 (apk_tmp_file))
+(typeattributeset apk_verity_prop_32_0 (apk_verity_prop))
+(typeattributeset app_binding_service_32_0 (app_binding_service))
+(typeattributeset app_data_file_32_0 (app_data_file))
+(typeattributeset app_fuse_file_32_0 (app_fuse_file))
+(typeattributeset app_fusefs_32_0 (app_fusefs))
+(typeattributeset app_hibernation_service_32_0 (app_hibernation_service))
+(typeattributeset app_integrity_service_32_0 (app_integrity_service))
+(typeattributeset app_prediction_service_32_0 (app_prediction_service))
+(typeattributeset app_search_service_32_0 (app_search_service))
+(typeattributeset app_zygote_32_0 (app_zygote))
+(typeattributeset app_zygote_tmpfs_32_0 (app_zygote_tmpfs))
+(typeattributeset appcompat_data_file_32_0 (appcompat_data_file))
+(typeattributeset appdomain_tmpfs_32_0 (appdomain_tmpfs))
+(typeattributeset appops_service_32_0 (appops_service))
+(typeattributeset appwidget_service_32_0 (appwidget_service))
+(typeattributeset arm64_memtag_prop_32_0 (arm64_memtag_prop))
+(typeattributeset art_apex_dir_32_0 (art_apex_dir))
+(typeattributeset asec_apk_file_32_0 (asec_apk_file))
+(typeattributeset asec_image_file_32_0 (asec_image_file))
+(typeattributeset asec_public_file_32_0 (asec_public_file))
+(typeattributeset ashmem_device_32_0 (ashmem_device))
+(typeattributeset ashmem_libcutils_device_32_0 (ashmem_libcutils_device))
+(typeattributeset assetatlas_service_32_0 (assetatlas_service))
+(typeattributeset atrace_32_0 (atrace))
+(typeattributeset audio_config_prop_32_0 (audio_config_prop))
+(typeattributeset audio_data_file_32_0 (audio_data_file))
+(typeattributeset audio_device_32_0 (audio_device))
+(typeattributeset audio_prop_32_0 (audio_prop))
+(typeattributeset audio_service_32_0 (audio_service))
+(typeattributeset audiohal_data_file_32_0 (audiohal_data_file))
+(typeattributeset audioserver_32_0 (audioserver))
+(typeattributeset audioserver_data_file_32_0 (audioserver_data_file))
+(typeattributeset audioserver_service_32_0 (audioserver_service))
+(typeattributeset audioserver_tmpfs_32_0 (audioserver_tmpfs))
+(typeattributeset auth_service_32_0 (auth_service))
+(typeattributeset authorization_service_32_0 (authorization_service))
+(typeattributeset autofill_service_32_0 (autofill_service))
+(typeattributeset backup_data_file_32_0 (backup_data_file))
+(typeattributeset backup_service_32_0 (backup_service))
+(typeattributeset battery_service_32_0 (battery_service))
+(typeattributeset batteryproperties_service_32_0 (batteryproperties_service))
+(typeattributeset batterystats_service_32_0 (batterystats_service))
+(typeattributeset binder_cache_bluetooth_server_prop_32_0 (binder_cache_bluetooth_server_prop))
+(typeattributeset binder_cache_system_server_prop_32_0 (binder_cache_system_server_prop))
+(typeattributeset binder_cache_telephony_server_prop_32_0 (binder_cache_telephony_server_prop))
+(typeattributeset binder_calls_stats_service_32_0 (binder_calls_stats_service))
+(typeattributeset binder_device_32_0 (binder_device))
+(typeattributeset binderfs_32_0 (binderfs))
+(typeattributeset binderfs_logs_32_0 (binderfs_logs))
+(typeattributeset binderfs_logs_proc_32_0 (binderfs_logs_proc))
+(typeattributeset binfmt_miscfs_32_0 (binfmt_miscfs))
+(typeattributeset biometric_service_32_0 (biometric_service))
+(typeattributeset blkid_32_0 (blkid))
+(typeattributeset blkid_untrusted_32_0 (blkid_untrusted))
+(typeattributeset blob_store_service_32_0 (blob_store_service))
+(typeattributeset block_device_32_0 (block_device))
+(typeattributeset bluetooth_32_0 (bluetooth))
+(typeattributeset bluetooth_a2dp_offload_prop_32_0 (bluetooth_a2dp_offload_prop))
+(typeattributeset bluetooth_audio_hal_prop_32_0 (bluetooth_audio_hal_prop))
+(typeattributeset bluetooth_data_file_32_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_32_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_32_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_32_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_32_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_32_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_32_0 (bluetooth_socket))
+(typeattributeset boot_block_device_32_0 (boot_block_device))
+(typeattributeset boot_status_prop_32_0 (boot_status_prop))
+(typeattributeset bootanim_32_0 (bootanim))
+(typeattributeset bootanim_config_prop_32_0 (bootanim_config_prop))
+(typeattributeset bootanim_exec_32_0 (bootanim_exec))
+(typeattributeset bootanim_system_prop_32_0 (bootanim_system_prop))
+(typeattributeset bootchart_data_file_32_0 (bootchart_data_file))
+(typeattributeset bootloader_boot_reason_prop_32_0 (bootloader_boot_reason_prop))
+(typeattributeset bootloader_prop_32_0 (bootloader_prop))
+(typeattributeset bootstat_32_0 (bootstat))
+(typeattributeset bootstat_data_file_32_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_32_0 (bootstat_exec))
+(typeattributeset boottime_prop_32_0 (boottime_prop))
+(typeattributeset boottime_public_prop_32_0 (boottime_public_prop))
+(typeattributeset boottrace_data_file_32_0 (boottrace_data_file))
+(typeattributeset bpf_progs_loaded_prop_32_0 (bpf_progs_loaded_prop))
+(typeattributeset bq_config_prop_32_0 (bq_config_prop))
+(typeattributeset broadcastradio_service_32_0 (broadcastradio_service))
+(typeattributeset bufferhubd_32_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_32_0 (bufferhubd_exec))
+(typeattributeset bugreport_service_32_0 (bugreport_service))
+(typeattributeset build_bootimage_prop_32_0 (build_bootimage_prop))
+(typeattributeset build_config_prop_32_0 (build_config_prop))
+(typeattributeset build_odm_prop_32_0 (build_odm_prop))
+(typeattributeset build_prop_32_0 (build_prop))
+(typeattributeset build_vendor_prop_32_0 (build_vendor_prop))
+(typeattributeset cache_backup_file_32_0 (cache_backup_file))
+(typeattributeset cache_block_device_32_0 (cache_block_device))
+(typeattributeset cache_file_32_0 (cache_file))
+(typeattributeset cache_private_backup_file_32_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_32_0 (cache_recovery_file))
+(typeattributeset cacheinfo_service_32_0 (cacheinfo_service))
+(typeattributeset camera2_extensions_prop_32_0 (camera2_extensions_prop))
+(typeattributeset camera_calibration_prop_32_0 (camera_calibration_prop))
+(typeattributeset camera_config_prop_32_0 (camera_config_prop))
+(typeattributeset camera_data_file_32_0 (camera_data_file))
+(typeattributeset camera_device_32_0 (camera_device))
+(typeattributeset cameraproxy_service_32_0 (cameraproxy_service))
+(typeattributeset cameraserver_32_0 (cameraserver))
+(typeattributeset cameraserver_exec_32_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_32_0 (cameraserver_service))
+(typeattributeset cameraserver_tmpfs_32_0 (cameraserver_tmpfs))
+(typeattributeset camerax_extensions_prop_32_0 (camerax_extensions_prop))
+(typeattributeset cgroup_32_0 (cgroup))
+(typeattributeset cgroup_desc_api_file_32_0 (cgroup_desc_api_file))
+(typeattributeset cgroup_desc_file_32_0 (cgroup_desc_file))
+(typeattributeset cgroup_rc_file_32_0 (cgroup_rc_file))
+(typeattributeset cgroup_v2_32_0 (cgroup_v2))
+(typeattributeset charger_32_0 (charger))
+(typeattributeset charger_config_prop_32_0 (charger_config_prop))
+(typeattributeset charger_exec_32_0 (charger_exec))
+(typeattributeset charger_prop_32_0 (charger_prop))
+(typeattributeset charger_status_prop_32_0 (charger_status_prop))
+(typeattributeset clipboard_service_32_0 (clipboard_service))
+(typeattributeset codec2_config_prop_32_0 (codec2_config_prop))
+(typeattributeset cold_boot_done_prop_32_0 (cold_boot_done_prop))
+(typeattributeset color_display_service_32_0 (color_display_service))
+(typeattributeset companion_device_service_32_0 (companion_device_service))
+(typeattributeset config_prop_32_0 (config_prop))
+(typeattributeset configfs_32_0 (configfs))
+(typeattributeset connectivity_service_32_0 (connectivity_service))
+(typeattributeset connmetrics_service_32_0 (connmetrics_service))
+(typeattributeset console_device_32_0 (console_device))
+(typeattributeset consumer_ir_service_32_0 (consumer_ir_service))
+(typeattributeset content_capture_service_32_0 (content_capture_service))
+(typeattributeset content_service_32_0 (content_service))
+(typeattributeset content_suggestions_service_32_0 (content_suggestions_service))
+(typeattributeset contexthub_service_32_0 (contexthub_service))
+(typeattributeset coredump_file_32_0 (coredump_file))
+(typeattributeset country_detector_service_32_0 (country_detector_service))
+(typeattributeset coverage_service_32_0 (coverage_service))
+(typeattributeset cppreopt_prop_32_0 (cppreopt_prop))
+(typeattributeset cpu_variant_prop_32_0 (cpu_variant_prop))
+(typeattributeset cpuinfo_service_32_0 (cpuinfo_service))
+(typeattributeset crash_dump_32_0 (crash_dump))
+(typeattributeset crash_dump_exec_32_0 (crash_dump_exec))
+(typeattributeset credstore_32_0 (credstore))
+(typeattributeset credstore_data_file_32_0 (credstore_data_file))
+(typeattributeset credstore_exec_32_0 (credstore_exec))
+(typeattributeset credstore_service_32_0 (credstore_service))
+(typeattributeset crossprofileapps_service_32_0 (crossprofileapps_service))
+(typeattributeset ctl_adbd_prop_32_0 (ctl_adbd_prop))
+(typeattributeset ctl_apexd_prop_32_0 (ctl_apexd_prop))
+(typeattributeset ctl_bootanim_prop_32_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_32_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_32_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_32_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_32_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_32_0 (ctl_fuse_prop))
+(typeattributeset ctl_gsid_prop_32_0 (ctl_gsid_prop))
+(typeattributeset ctl_interface_restart_prop_32_0 (ctl_interface_restart_prop))
+(typeattributeset ctl_interface_start_prop_32_0 (ctl_interface_start_prop))
+(typeattributeset ctl_interface_stop_prop_32_0 (ctl_interface_stop_prop))
+(typeattributeset ctl_mdnsd_prop_32_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_restart_prop_32_0 (ctl_restart_prop))
+(typeattributeset ctl_rildaemon_prop_32_0 (ctl_rildaemon_prop))
+(typeattributeset ctl_sigstop_prop_32_0 (ctl_sigstop_prop))
+(typeattributeset ctl_start_prop_32_0 (ctl_start_prop))
+(typeattributeset ctl_stop_prop_32_0 (ctl_stop_prop))
+(typeattributeset dalvik_config_prop_32_0 (dalvik_config_prop))
+(typeattributeset dalvik_prop_32_0 (dalvik_prop))
+(typeattributeset dalvik_runtime_prop_32_0 (dalvik_runtime_prop))
+(typeattributeset dalvikcache_data_file_32_0 (dalvikcache_data_file))
+(typeattributeset dataloader_manager_service_32_0 (dataloader_manager_service))
+(typeattributeset dbinfo_service_32_0 (dbinfo_service))
+(typeattributeset dck_prop_32_0 (dck_prop))
+(typeattributeset debug_prop_32_0 (debug_prop))
+(typeattributeset debugfs_32_0 (debugfs))
+(typeattributeset debugfs_bootreceiver_tracing_32_0 (debugfs_bootreceiver_tracing))
+(typeattributeset debugfs_kprobes_32_0 (debugfs_kprobes))
+(typeattributeset debugfs_mm_events_tracing_32_0 (debugfs_mm_events_tracing))
+(typeattributeset debugfs_mmc_32_0 (debugfs_mmc))
+(typeattributeset debugfs_restriction_prop_32_0 (debugfs_restriction_prop))
+(typeattributeset debugfs_trace_marker_32_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_32_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_32_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_instances_32_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_tracing_printk_formats_32_0 (debugfs_tracing_printk_formats))
+(typeattributeset debugfs_wakeup_sources_32_0 (debugfs_wakeup_sources))
+(typeattributeset debugfs_wifi_tracing_32_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_32_0 (debuggerd_prop))
+(typeattributeset default_android_hwservice_32_0 (default_android_hwservice))
+(typeattributeset default_android_service_32_0 (default_android_service))
+(typeattributeset default_android_vndservice_32_0 (default_android_vndservice))
+(typeattributeset default_prop_32_0 (default_prop))
+(typeattributeset dev_cpu_variant_32_0 (dev_cpu_variant))
+(typeattributeset device_32_0 (device))
+(typeattributeset device_config_activity_manager_native_boot_prop_32_0 (device_config_activity_manager_native_boot_prop))
+(typeattributeset device_config_boot_count_prop_32_0 (device_config_boot_count_prop))
+(typeattributeset device_config_input_native_boot_prop_32_0 (device_config_input_native_boot_prop))
+(typeattributeset device_config_media_native_prop_32_0 (device_config_media_native_prop))
+(typeattributeset device_config_netd_native_prop_32_0 (device_config_netd_native_prop))
+(typeattributeset device_config_reset_performed_prop_32_0 (device_config_reset_performed_prop))
+(typeattributeset device_config_runtime_native_boot_prop_32_0 (device_config_runtime_native_boot_prop))
+(typeattributeset device_config_runtime_native_prop_32_0 (device_config_runtime_native_prop))
+(typeattributeset device_config_service_32_0 (device_config_service))
+(typeattributeset device_identifiers_service_32_0 (device_identifiers_service))
+(typeattributeset device_logging_prop_32_0 (device_logging_prop))
+(typeattributeset device_policy_service_32_0 (device_policy_service))
+(typeattributeset device_state_service_32_0 (device_state_service))
+(typeattributeset deviceidle_service_32_0 (deviceidle_service))
+(typeattributeset devicestoragemonitor_service_32_0 (devicestoragemonitor_service))
+(typeattributeset devpts_32_0 (devpts))
+(typeattributeset dhcp_32_0 (dhcp))
+(typeattributeset dhcp_data_file_32_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_32_0 (dhcp_exec))
+(typeattributeset dhcp_prop_32_0 (dhcp_prop))
+(typeattributeset diskstats_service_32_0 (diskstats_service))
+(typeattributeset display_service_32_0 (display_service))
+(typeattributeset dm_device_32_0 (dm_device))
+(typeattributeset dm_user_device_32_0 (dm_user_device))
+(typeattributeset dmabuf_heap_device_32_0 (dmabuf_heap_device))
+(typeattributeset dmabuf_system_heap_device_32_0 (dmabuf_system_heap_device))
+(typeattributeset dmabuf_system_secure_heap_device_32_0 (dmabuf_system_secure_heap_device))
+(typeattributeset dnsmasq_32_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_32_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_32_0 (dnsproxyd_socket))
+(typeattributeset dnsresolver_service_32_0 (dnsresolver_service))
+(typeattributeset domain_verification_service_32_0 (domain_verification_service))
+(typeattributeset dreams_service_32_0 (dreams_service))
+(typeattributeset drm_data_file_32_0 (drm_data_file))
+(typeattributeset drm_service_config_prop_32_0 (drm_service_config_prop))
+(typeattributeset drmserver_32_0 (drmserver))
+(typeattributeset drmserver_exec_32_0 (drmserver_exec))
+(typeattributeset drmserver_service_32_0 (drmserver_service))
+(typeattributeset drmserver_socket_32_0 (drmserver_socket))
+(typeattributeset dropbox_data_file_32_0 (dropbox_data_file))
+(typeattributeset dropbox_service_32_0 (dropbox_service))
+(typeattributeset dumpstate_32_0 (dumpstate))
+(typeattributeset dumpstate_exec_32_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_32_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_32_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_32_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_32_0 (dumpstate_socket))
+(typeattributeset dynamic_system_prop_32_0 (dynamic_system_prop))
+(typeattributeset e2fs_32_0 (e2fs))
+(typeattributeset e2fs_exec_32_0 (e2fs_exec))
+(typeattributeset efs_file_32_0 (efs_file))
+(typeattributeset emergency_affordance_service_32_0 (emergency_affordance_service))
+(typeattributeset ephemeral_app_32_0 (ephemeral_app))
+(typeattributeset ethernet_service_32_0 (ethernet_service))
+(typeattributeset exfat_32_0 (exfat))
+(typeattributeset exported3_system_prop_32_0 (exported3_system_prop))
+(typeattributeset exported_bluetooth_prop_32_0 (exported_bluetooth_prop))
+(typeattributeset exported_camera_prop_32_0 (exported_camera_prop))
+(typeattributeset exported_config_prop_32_0 (exported_config_prop))
+(typeattributeset exported_default_prop_32_0 (exported_default_prop))
+(typeattributeset exported_dumpstate_prop_32_0 (exported_dumpstate_prop))
+(typeattributeset exported_overlay_prop_32_0 (exported_overlay_prop))
+(typeattributeset exported_pm_prop_32_0 (exported_pm_prop))
+(typeattributeset exported_secure_prop_32_0 (exported_secure_prop))
+(typeattributeset exported_system_prop_32_0 (exported_system_prop))
+(typeattributeset external_vibrator_service_32_0 (external_vibrator_service))
+(typeattributeset face_service_32_0 (face_service))
+(typeattributeset face_vendor_data_file_32_0 (face_vendor_data_file))
+(typeattributeset fastbootd_32_0 (fastbootd))
+(typeattributeset ffs_config_prop_32_0 (ffs_config_prop))
+(typeattributeset ffs_control_prop_32_0 (ffs_control_prop))
+(typeattributeset file_contexts_file_32_0 (file_contexts_file))
+(typeattributeset file_integrity_service_32_0 (file_integrity_service))
+(typeattributeset fingerprint_prop_32_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_32_0 (fingerprint_service))
+(typeattributeset fingerprint_vendor_data_file_32_0 (fingerprint_vendor_data_file))
+(typeattributeset fingerprintd_32_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_32_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_32_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_32_0 (fingerprintd_service))
+(typeattributeset firstboot_prop_32_0 (firstboot_prop))
+(typeattributeset flags_health_check_32_0 (flags_health_check))
+(typeattributeset flags_health_check_exec_32_0 (flags_health_check_exec))
+(typeattributeset font_service_32_0 (font_service))
+(typeattributeset framework_watchdog_config_prop_32_0 (framework_watchdog_config_prop))
+(typeattributeset frp_block_device_32_0 (frp_block_device))
+(typeattributeset fs_bpf_32_0 (fs_bpf))
+(typeattributeset fs_bpf_tethering_32_0 (fs_bpf_tethering))
+(typeattributeset fsck_32_0 (fsck))
+(typeattributeset fsck_exec_32_0 (fsck_exec))
+(typeattributeset fsck_untrusted_32_0 (fsck_untrusted))
+(typeattributeset fscklogs_32_0 (fscklogs))
+(typeattributeset functionfs_32_0 (functionfs))
+(typeattributeset fuse_32_0 (fuse))
+(typeattributeset fuse_device_32_0 (fuse_device))
+(typeattributeset fusectlfs_32_0 (fusectlfs))
+(typeattributeset fwk_automotive_display_hwservice_32_0 (fwk_automotive_display_hwservice))
+(typeattributeset fwk_bufferhub_hwservice_32_0 (fwk_bufferhub_hwservice))
+(typeattributeset fwk_camera_hwservice_32_0 (fwk_camera_hwservice))
+(typeattributeset fwk_display_hwservice_32_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_32_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_32_0 (fwk_sensor_hwservice))
+(typeattributeset fwk_stats_hwservice_32_0 (fwk_stats_hwservice))
+(typeattributeset fwk_stats_service_32_0 (fwk_stats_service))
+(typeattributeset fwmarkd_socket_32_0 (fwmarkd_socket))
+(typeattributeset game_service_32_0 (game_service))
+(typeattributeset gatekeeper_data_file_32_0 (gatekeeper_data_file))
+(typeattributeset gatekeeper_service_32_0 (gatekeeper_service))
+(typeattributeset gatekeeperd_32_0 (gatekeeperd))
+(typeattributeset gatekeeperd_exec_32_0 (gatekeeperd_exec))
+(typeattributeset gfxinfo_service_32_0 (gfxinfo_service))
+(typeattributeset gmscore_app_32_0 (gmscore_app))
+(typeattributeset gnss_device_32_0 (gnss_device))
+(typeattributeset gnss_time_update_service_32_0 (gnss_time_update_service))
+(typeattributeset gps_control_32_0 (gps_control))
+(typeattributeset gpu_device_32_0 (gpu_device))
+(typeattributeset gpu_service_32_0 (gpu_service))
+(typeattributeset gpuservice_32_0 (gpuservice))
+(typeattributeset graphics_config_prop_32_0 (graphics_config_prop))
+(typeattributeset graphics_device_32_0 (graphics_device))
+(typeattributeset graphicsstats_service_32_0 (graphicsstats_service))
+(typeattributeset gsi_data_file_32_0 (gsi_data_file))
+(typeattributeset gsi_metadata_file_32_0 (gsi_metadata_file))
+(typeattributeset gsi_public_metadata_file_32_0 (gsi_public_metadata_file))
+(typeattributeset hal_atrace_hwservice_32_0 (hal_atrace_hwservice))
+(typeattributeset hal_audio_hwservice_32_0 (hal_audio_hwservice))
+(typeattributeset hal_audio_service_32_0 (hal_audio_service))
+(typeattributeset hal_audiocontrol_hwservice_32_0 (hal_audiocontrol_hwservice))
+(typeattributeset hal_audiocontrol_service_32_0 (hal_audiocontrol_service))
+(typeattributeset hal_authsecret_hwservice_32_0 (hal_authsecret_hwservice))
+(typeattributeset hal_authsecret_service_32_0 (hal_authsecret_service))
+(typeattributeset hal_bluetooth_hwservice_32_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_32_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_32_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_32_0 (hal_camera_hwservice))
+(typeattributeset hal_can_bus_hwservice_32_0 (hal_can_bus_hwservice))
+(typeattributeset hal_can_controller_hwservice_32_0 (hal_can_controller_hwservice))
+(typeattributeset hal_cas_hwservice_32_0 (hal_cas_hwservice))
+(typeattributeset hal_codec2_hwservice_32_0 (hal_codec2_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_32_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_confirmationui_hwservice_32_0 (hal_confirmationui_hwservice))
+(typeattributeset hal_contexthub_hwservice_32_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_32_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_config_prop_32_0 (hal_dumpstate_config_prop))
+(typeattributeset hal_dumpstate_hwservice_32_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_evs_hwservice_32_0 (hal_evs_hwservice))
+(typeattributeset hal_face_hwservice_32_0 (hal_face_hwservice))
+(typeattributeset hal_face_service_32_0 (hal_face_service))
+(typeattributeset hal_fingerprint_hwservice_32_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_32_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_32_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_32_0 (hal_gnss_hwservice))
+(typeattributeset hal_gnss_service_32_0 (hal_gnss_service))
+(typeattributeset hal_graphics_allocator_hwservice_32_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_32_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_composer_server_tmpfs_32_0 (hal_graphics_composer_server_tmpfs))
+(typeattributeset hal_graphics_mapper_hwservice_32_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_32_0 (hal_health_hwservice))
+(typeattributeset hal_health_storage_hwservice_32_0 (hal_health_storage_hwservice))
+(typeattributeset hal_health_storage_service_32_0 (hal_health_storage_service))
+(typeattributeset hal_identity_service_32_0 (hal_identity_service))
+(typeattributeset hal_input_classifier_hwservice_32_0 (hal_input_classifier_hwservice))
+(typeattributeset hal_instrumentation_prop_32_0 (hal_instrumentation_prop))
+(typeattributeset hal_ir_hwservice_32_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_32_0 (hal_keymaster_hwservice))
+(typeattributeset hal_keymint_service_32_0 (hal_keymint_service))
+(typeattributeset hal_light_hwservice_32_0 (hal_light_hwservice))
+(typeattributeset hal_light_service_32_0 (hal_light_service))
+(typeattributeset hal_lowpan_hwservice_32_0 (hal_lowpan_hwservice))
+(typeattributeset hal_memtrack_hwservice_32_0 (hal_memtrack_hwservice))
+(typeattributeset hal_memtrack_service_32_0 (hal_memtrack_service))
+(typeattributeset hal_neuralnetworks_hwservice_32_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_neuralnetworks_service_32_0 (hal_neuralnetworks_service))
+(typeattributeset hal_nfc_hwservice_32_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_32_0 (hal_oemlock_hwservice))
+(typeattributeset hal_oemlock_service_32_0 (hal_oemlock_service))
+(typeattributeset hal_omx_hwservice_32_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_32_0 (hal_power_hwservice))
+(typeattributeset hal_power_service_32_0 (hal_power_service))
+(typeattributeset hal_power_stats_hwservice_32_0 (hal_power_stats_hwservice))
+(typeattributeset hal_power_stats_service_32_0 (hal_power_stats_service))
+(typeattributeset hal_rebootescrow_service_32_0 (hal_rebootescrow_service))
+(typeattributeset hal_remotelyprovisionedcomponent_service_32_0 (hal_remotelyprovisionedcomponent_service))
+(typeattributeset hal_renderscript_hwservice_32_0 (hal_renderscript_hwservice))
+(typeattributeset hal_secure_element_hwservice_32_0 (hal_secure_element_hwservice))
+(typeattributeset hal_secureclock_service_32_0 (hal_secureclock_service))
+(typeattributeset hal_sensors_hwservice_32_0 (hal_sensors_hwservice))
+(typeattributeset hal_sharedsecret_service_32_0 (hal_sharedsecret_service))
+(typeattributeset hal_telephony_hwservice_32_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_32_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_32_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_32_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_32_0 (hal_tv_input_hwservice))
+(typeattributeset hal_tv_tuner_hwservice_32_0 (hal_tv_tuner_hwservice))
+(typeattributeset hal_usb_gadget_hwservice_32_0 (hal_usb_gadget_hwservice))
+(typeattributeset hal_usb_hwservice_32_0 (hal_usb_hwservice))
+(typeattributeset hal_vehicle_hwservice_32_0 (hal_vehicle_hwservice))
+(typeattributeset hal_vibrator_hwservice_32_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vibrator_service_32_0 (hal_vibrator_service))
+(typeattributeset hal_vr_hwservice_32_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_32_0 (hal_weaver_hwservice))
+(typeattributeset hal_weaver_service_32_0 (hal_weaver_service))
+(typeattributeset hal_wifi_hostapd_hwservice_32_0 (hal_wifi_hostapd_hwservice))
+(typeattributeset hal_wifi_hwservice_32_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_32_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_32_0 (hardware_properties_service))
+(typeattributeset hardware_service_32_0 (hardware_service))
+(typeattributeset hci_attach_dev_32_0 (hci_attach_dev))
+(typeattributeset hdmi_config_prop_32_0 (hdmi_config_prop))
+(typeattributeset hdmi_control_service_32_0 (hdmi_control_service))
+(typeattributeset healthd_32_0 (healthd))
+(typeattributeset healthd_exec_32_0 (healthd_exec))
+(typeattributeset heapdump_data_file_32_0 (heapdump_data_file))
+(typeattributeset heapprofd_32_0 (heapprofd))
+(typeattributeset heapprofd_enabled_prop_32_0 (heapprofd_enabled_prop))
+(typeattributeset heapprofd_prop_32_0 (heapprofd_prop))
+(typeattributeset heapprofd_socket_32_0 (heapprofd_socket))
+(typeattributeset hidl_allocator_hwservice_32_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_32_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_32_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_32_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_32_0 (hidl_token_hwservice))
+(typeattributeset hint_service_32_0 (hint_service))
+(typeattributeset hw_random_device_32_0 (hw_random_device))
+(typeattributeset hw_timeout_multiplier_prop_32_0 (hw_timeout_multiplier_prop))
+(typeattributeset hwbinder_device_32_0 (hwbinder_device))
+(typeattributeset hwservice_contexts_file_32_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_32_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_32_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_32_0 (hwservicemanager_prop))
+(typeattributeset hypervisor_prop_32_0 (hypervisor_prop))
+(typeattributeset icon_file_32_0 (icon_file))
+(typeattributeset idmap_32_0 (idmap))
+(typeattributeset idmap_exec_32_0 (idmap_exec))
+(typeattributeset idmap_service_32_0 (idmap_service))
+(typeattributeset iio_device_32_0 (iio_device))
+(typeattributeset imms_service_32_0 (imms_service))
+(typeattributeset incident_32_0 (incident))
+(typeattributeset incident_data_file_32_0 (incident_data_file))
+(typeattributeset incident_helper_32_0 (incident_helper))
+(typeattributeset incident_service_32_0 (incident_service))
+(typeattributeset incidentd_32_0 (incidentd))
+(typeattributeset incremental_control_file_32_0 (incremental_control_file))
+(typeattributeset incremental_prop_32_0 (incremental_prop))
+(typeattributeset incremental_service_32_0 (incremental_service))
+(typeattributeset init_32_0 (init))
+(typeattributeset init_exec_32_0 (init_exec))
+(typeattributeset init_service_status_prop_32_0 (init_service_status_prop))
+(typeattributeset init_tmpfs_32_0 (init_tmpfs))
+(typeattributeset inotify_32_0 (inotify))
+(typeattributeset input_device_32_0 (input_device))
+(typeattributeset input_method_service_32_0 (input_method_service))
+(typeattributeset input_service_32_0 (input_service))
+(typeattributeset inputflinger_32_0 (inputflinger))
+(typeattributeset inputflinger_exec_32_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_32_0 (inputflinger_service))
+(typeattributeset install_data_file_32_0 (install_data_file))
+(typeattributeset installd_32_0 (installd))
+(typeattributeset installd_exec_32_0 (installd_exec))
+(typeattributeset installd_service_32_0 (installd_service))
+(typeattributeset ion_device_32_0 (ion_device))
+(typeattributeset iorap_inode2filename_32_0 (iorap_inode2filename))
+(typeattributeset iorap_inode2filename_exec_32_0 (iorap_inode2filename_exec))
+(typeattributeset iorap_inode2filename_tmpfs_32_0 (iorap_inode2filename_tmpfs))
+(typeattributeset iorap_prefetcherd_32_0 (iorap_prefetcherd))
+(typeattributeset iorap_prefetcherd_exec_32_0 (iorap_prefetcherd_exec))
+(typeattributeset iorap_prefetcherd_tmpfs_32_0 (iorap_prefetcherd_tmpfs))
+(typeattributeset iorapd_32_0 (iorapd))
+(typeattributeset iorapd_data_file_32_0 (iorapd_data_file))
+(typeattributeset iorapd_exec_32_0 (iorapd_exec))
+(typeattributeset iorapd_service_32_0 (iorapd_service))
+(typeattributeset iorapd_tmpfs_32_0 (iorapd_tmpfs))
+(typeattributeset ipsec_service_32_0 (ipsec_service))
+(typeattributeset iris_service_32_0 (iris_service))
+(typeattributeset iris_vendor_data_file_32_0 (iris_vendor_data_file))
+(typeattributeset isolated_app_32_0 (isolated_app))
+(typeattributeset jobscheduler_service_32_0 (jobscheduler_service))
+(typeattributeset kernel_32_0 (kernel))
+(typeattributeset keychain_data_file_32_0 (keychain_data_file))
+(typeattributeset keychord_device_32_0 (keychord_device))
+(typeattributeset keyguard_config_prop_32_0 (keyguard_config_prop))
+(typeattributeset keystore2_key_contexts_file_32_0 (keystore2_key_contexts_file))
+(typeattributeset keystore_32_0 (keystore))
+(typeattributeset keystore_compat_hal_service_32_0 (keystore_compat_hal_service))
+(typeattributeset keystore_data_file_32_0 (keystore_data_file))
+(typeattributeset keystore_exec_32_0 (keystore_exec))
+(typeattributeset keystore_maintenance_service_32_0 (keystore_maintenance_service))
+(typeattributeset keystore_metrics_service_32_0 (keystore_metrics_service))
+(typeattributeset keystore_service_32_0 (keystore_service))
+(typeattributeset kmsg_debug_device_32_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_32_0 (kmsg_device))
+(typeattributeset labeledfs_32_0 (labeledfs))
+(typeattributeset launcherapps_service_32_0 (launcherapps_service))
+(typeattributeset legacy_permission_service_32_0 (legacy_permission_service))
+(typeattributeset legacykeystore_service_32_0 (legacykeystore_service))
+(typeattributeset libc_debug_prop_32_0 (libc_debug_prop))
+(typeattributeset light_service_32_0 (light_service))
+(typeattributeset linkerconfig_file_32_0 (linkerconfig_file))
+(typeattributeset llkd_32_0 (llkd))
+(typeattributeset llkd_exec_32_0 (llkd_exec))
+(typeattributeset llkd_prop_32_0 (llkd_prop))
+(typeattributeset lmkd_32_0 (lmkd))
+(typeattributeset lmkd_config_prop_32_0 (lmkd_config_prop))
+(typeattributeset lmkd_exec_32_0 (lmkd_exec))
+(typeattributeset lmkd_prop_32_0 (lmkd_prop))
+(typeattributeset lmkd_socket_32_0 (lmkd_socket))
+(typeattributeset location_service_32_0 (location_service))
+(typeattributeset location_time_zone_manager_service_32_0 (location_time_zone_manager_service))
+(typeattributeset lock_settings_service_32_0 (lock_settings_service))
+(typeattributeset log_prop_32_0 (log_prop))
+(typeattributeset log_tag_prop_32_0 (log_tag_prop))
+(typeattributeset logcat_exec_32_0 (logcat_exec))
+(typeattributeset logd_32_0 (logd))
+(typeattributeset logd_exec_32_0 (logd_exec))
+(typeattributeset logd_prop_32_0 (logd_prop))
+(typeattributeset logd_socket_32_0 (logd_socket))
+(typeattributeset logdr_socket_32_0 (logdr_socket))
+(typeattributeset logdw_socket_32_0 (logdw_socket))
+(typeattributeset logpersist_32_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_32_0 (logpersistd_logging_prop))
+(typeattributeset loop_control_device_32_0 (loop_control_device))
+(typeattributeset loop_device_32_0 (loop_device))
+(typeattributeset looper_stats_service_32_0 (looper_stats_service))
+(typeattributeset lowpan_device_32_0 (lowpan_device))
+(typeattributeset lowpan_prop_32_0 (lowpan_prop))
+(typeattributeset lowpan_service_32_0 (lowpan_service))
+(typeattributeset lpdump_service_32_0 (lpdump_service))
+(typeattributeset lpdumpd_prop_32_0 (lpdumpd_prop))
+(typeattributeset mac_perms_file_32_0 (mac_perms_file))
+(typeattributeset mdns_socket_32_0 (mdns_socket))
+(typeattributeset mdnsd_32_0 (mdnsd))
+(typeattributeset mdnsd_socket_32_0 (mdnsd_socket))
+(typeattributeset media_communication_service_32_0 (media_communication_service))
+(typeattributeset media_config_prop_32_0 (media_config_prop))
+(typeattributeset media_data_file_32_0 (media_data_file))
+(typeattributeset media_metrics_service_32_0 (media_metrics_service))
+(typeattributeset media_projection_service_32_0 (media_projection_service))
+(typeattributeset media_router_service_32_0 (media_router_service))
+(typeattributeset media_rw_data_file_32_0 (media_rw_data_file))
+(typeattributeset media_session_service_32_0 (media_session_service))
+(typeattributeset media_variant_prop_32_0 (media_variant_prop))
+(typeattributeset mediadrm_config_prop_32_0 (mediadrm_config_prop))
+(typeattributeset mediadrmserver_32_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_32_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_32_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_32_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_32_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_32_0 (mediaextractor_service))
+(typeattributeset mediaextractor_tmpfs_32_0 (mediaextractor_tmpfs))
+(typeattributeset mediametrics_32_0 (mediametrics))
+(typeattributeset mediametrics_exec_32_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_32_0 (mediametrics_service))
+(typeattributeset mediaprovider_32_0 (mediaprovider))
+(typeattributeset mediaserver_32_0 (mediaserver))
+(typeattributeset mediaserver_exec_32_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_32_0 (mediaserver_service))
+(typeattributeset mediaserver_tmpfs_32_0 (mediaserver_tmpfs))
+(typeattributeset mediaswcodec_32_0 (mediaswcodec))
+(typeattributeset mediaswcodec_exec_32_0 (mediaswcodec_exec))
+(typeattributeset mediatranscoding_service_32_0 (mediatranscoding_service))
+(typeattributeset meminfo_service_32_0 (meminfo_service))
+(typeattributeset memtrackproxy_service_32_0 (memtrackproxy_service))
+(typeattributeset metadata_block_device_32_0 (metadata_block_device))
+(typeattributeset metadata_bootstat_file_32_0 (metadata_bootstat_file))
+(typeattributeset metadata_file_32_0 (metadata_file))
+(typeattributeset method_trace_data_file_32_0 (method_trace_data_file))
+(typeattributeset midi_service_32_0 (midi_service))
+(typeattributeset mirror_data_file_32_0 (mirror_data_file))
+(typeattributeset misc_block_device_32_0 (misc_block_device))
+(typeattributeset misc_logd_file_32_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_32_0 (misc_user_data_file))
+(typeattributeset mm_events_config_prop_32_0 (mm_events_config_prop))
+(typeattributeset mmc_prop_32_0 (mmc_prop))
+(typeattributeset mnt_expand_file_32_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_32_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_32_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_pass_through_file_32_0 (mnt_pass_through_file))
+(typeattributeset mnt_product_file_32_0 (mnt_product_file))
+(typeattributeset mnt_sdcard_file_32_0 (mnt_sdcard_file))
+(typeattributeset mnt_user_file_32_0 (mnt_user_file))
+(typeattributeset mnt_vendor_file_32_0 (mnt_vendor_file))
+(typeattributeset mock_ota_prop_32_0 (mock_ota_prop))
+(typeattributeset modprobe_32_0 (modprobe))
+(typeattributeset module_sdkextensions_prop_32_0 (module_sdkextensions_prop))
+(typeattributeset mount_service_32_0 (mount_service))
+(typeattributeset mqueue_32_0 (mqueue))
+(typeattributeset mtp_32_0 (mtp))
+(typeattributeset mtp_device_32_0 (mtp_device))
+(typeattributeset mtp_exec_32_0 (mtp_exec))
+(typeattributeset mtpd_socket_32_0 (mtpd_socket))
+(typeattributeset music_recognition_service_32_0 (music_recognition_service))
+(typeattributeset nativetest_data_file_32_0 (nativetest_data_file))
+(typeattributeset net_data_file_32_0 (net_data_file))
+(typeattributeset net_dns_prop_32_0 (net_dns_prop))
+(typeattributeset net_radio_prop_32_0 (net_radio_prop))
+(typeattributeset netd_32_0 (netd))
+(typeattributeset netd_exec_32_0 (netd_exec))
+(typeattributeset netd_listener_service_32_0 (netd_listener_service))
+(typeattributeset netd_service_32_0 (netd_service))
+(typeattributeset netif_32_0 (netif))
+(typeattributeset netpolicy_service_32_0 (netpolicy_service))
+(typeattributeset netstats_service_32_0 (netstats_service))
+(typeattributeset netutils_wrapper_32_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_32_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_32_0 (network_management_service))
+(typeattributeset network_score_service_32_0 (network_score_service))
+(typeattributeset network_stack_32_0 (network_stack))
+(typeattributeset network_stack_service_32_0 (network_stack_service))
+(typeattributeset network_time_update_service_32_0 (network_time_update_service))
+(typeattributeset network_watchlist_data_file_32_0 (network_watchlist_data_file))
+(typeattributeset network_watchlist_service_32_0 (network_watchlist_service))
+(typeattributeset nfc_32_0 (nfc))
+(typeattributeset nfc_data_file_32_0 (nfc_data_file))
+(typeattributeset nfc_device_32_0 (nfc_device))
+(typeattributeset nfc_logs_data_file_32_0 (nfc_logs_data_file))
+(typeattributeset nfc_prop_32_0 (nfc_prop))
+(typeattributeset nfc_service_32_0 (nfc_service))
+(typeattributeset nnapi_ext_deny_product_prop_32_0 (nnapi_ext_deny_product_prop))
+(typeattributeset node_32_0 (node))
+(typeattributeset nonplat_service_contexts_file_32_0 (nonplat_service_contexts_file))
+(typeattributeset notification_service_32_0 (notification_service))
+(typeattributeset null_device_32_0 (null_device))
+(typeattributeset oem_lock_service_32_0 (oem_lock_service))
+(typeattributeset oem_unlock_prop_32_0 (oem_unlock_prop))
+(typeattributeset oemfs_32_0 (oemfs))
+(typeattributeset ota_data_file_32_0 (ota_data_file))
+(typeattributeset ota_metadata_file_32_0 (ota_metadata_file))
+(typeattributeset ota_package_file_32_0 (ota_package_file))
+(typeattributeset ota_prop_32_0 (ota_prop))
+(typeattributeset otadexopt_service_32_0 (otadexopt_service))
+(typeattributeset otapreopt_chroot_32_0 (otapreopt_chroot))
+(typeattributeset overlay_prop_32_0 (overlay_prop))
+(typeattributeset overlay_service_32_0 (overlay_service))
+(typeattributeset overlayfs_file_32_0 (overlayfs_file))
+(typeattributeset owntty_device_32_0 (owntty_device))
+(typeattributeset pac_proxy_service_32_0 (pac_proxy_service))
+(typeattributeset package_native_service_32_0 (package_native_service))
+(typeattributeset package_service_32_0 (package_service))
+(typeattributeset packagemanager_config_prop_32_0 (packagemanager_config_prop))
+(typeattributeset packages_list_file_32_0 (packages_list_file))
+(typeattributeset pan_result_prop_32_0 (pan_result_prop))
+(typeattributeset password_slot_metadata_file_32_0 (password_slot_metadata_file))
+(typeattributeset pdx_bufferhub_client_channel_socket_32_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_32_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_32_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_32_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_32_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_32_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_32_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_32_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_32_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_32_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_32_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_32_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_32_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_32_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_32_0 (pdx_performance_dir))
+(typeattributeset people_service_32_0 (people_service))
+(typeattributeset perfetto_32_0 (perfetto))
+(typeattributeset performanced_32_0 (performanced))
+(typeattributeset performanced_exec_32_0 (performanced_exec))
+(typeattributeset permission_checker_service_32_0 (permission_checker_service))
+(typeattributeset permission_service_32_0 (permission_service))
+(typeattributeset permissionmgr_service_32_0 (permissionmgr_service))
+(typeattributeset persist_debug_prop_32_0 (persist_debug_prop))
+(typeattributeset persist_vendor_debug_wifi_prop_32_0 (persist_vendor_debug_wifi_prop))
+(typeattributeset persistent_data_block_service_32_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_32_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_32_0 (pinner_service))
+(typeattributeset pipefs_32_0 (pipefs))
+(typeattributeset platform_app_32_0 (platform_app))
+(typeattributeset platform_compat_service_32_0 (platform_compat_service))
+(typeattributeset pmsg_device_32_0 (pmsg_device))
+(typeattributeset port_32_0 (port))
+(typeattributeset port_device_32_0 (port_device))
+(typeattributeset postinstall_32_0 (postinstall))
+(typeattributeset postinstall_apex_mnt_dir_32_0 (postinstall_apex_mnt_dir))
+(typeattributeset postinstall_file_32_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_32_0 (postinstall_mnt_dir))
+(typeattributeset power_debug_prop_32_0 (power_debug_prop))
+(typeattributeset power_service_32_0 (power_service))
+(typeattributeset powerctl_prop_32_0 (powerctl_prop))
+(typeattributeset powerstats_service_32_0 (powerstats_service))
+(typeattributeset ppp_32_0 (ppp))
+(typeattributeset ppp_device_32_0 (ppp_device))
+(typeattributeset ppp_exec_32_0 (ppp_exec))
+(typeattributeset preloads_data_file_32_0 (preloads_data_file))
+(typeattributeset preloads_media_file_32_0 (preloads_media_file))
+(typeattributeset prereboot_data_file_32_0 (prereboot_data_file))
+(typeattributeset print_service_32_0 (print_service))
+(typeattributeset priv_app_32_0 (priv_app))
+(typeattributeset privapp_data_file_32_0 (privapp_data_file))
+(typeattributeset proc_32_0 (proc proc_bpf proc_cpu_alignment))
+(typeattributeset proc_abi_32_0 (proc_abi))
+(typeattributeset proc_asound_32_0 (proc_asound))
+(typeattributeset proc_bluetooth_writable_32_0 (proc_bluetooth_writable))
+(typeattributeset proc_bootconfig_32_0 (proc_bootconfig))
+(typeattributeset proc_buddyinfo_32_0 (proc_buddyinfo))
+(typeattributeset proc_cmdline_32_0 (proc_cmdline))
+(typeattributeset proc_cpuinfo_32_0 (proc_cpuinfo))
+(typeattributeset proc_dirty_32_0 (proc_dirty))
+(typeattributeset proc_diskstats_32_0 (proc_diskstats))
+(typeattributeset proc_drop_caches_32_0 (proc_drop_caches))
+(typeattributeset proc_extra_free_kbytes_32_0 (proc_extra_free_kbytes))
+(typeattributeset proc_filesystems_32_0 (proc_filesystems))
+(typeattributeset proc_fs_verity_32_0 (proc_fs_verity))
+(typeattributeset proc_hostname_32_0 (proc_hostname))
+(typeattributeset proc_hung_task_32_0 (proc_hung_task))
+(typeattributeset proc_interrupts_32_0 (proc_interrupts))
+(typeattributeset proc_iomem_32_0 (proc_iomem))
+(typeattributeset proc_kallsyms_32_0 (proc_kallsyms))
+(typeattributeset proc_keys_32_0 (proc_keys))
+(typeattributeset proc_kmsg_32_0 (proc_kmsg))
+(typeattributeset proc_kpageflags_32_0 (proc_kpageflags))
+(typeattributeset proc_loadavg_32_0 (proc_loadavg))
+(typeattributeset proc_locks_32_0 (proc_locks))
+(typeattributeset proc_lowmemorykiller_32_0 (proc_lowmemorykiller))
+(typeattributeset proc_max_map_count_32_0 (proc_max_map_count))
+(typeattributeset proc_meminfo_32_0 (proc_meminfo))
+(typeattributeset proc_min_free_order_shift_32_0 (proc_min_free_order_shift))
+(typeattributeset proc_misc_32_0 (proc_misc))
+(typeattributeset proc_modules_32_0 (proc_modules))
+(typeattributeset proc_mounts_32_0 (proc_mounts))
+(typeattributeset proc_net_32_0 (proc_net proc_bpf))
+(typeattributeset proc_net_tcp_udp_32_0 (proc_net_tcp_udp))
+(typeattributeset proc_overcommit_memory_32_0 (proc_overcommit_memory))
+(typeattributeset proc_page_cluster_32_0 (proc_page_cluster))
+(typeattributeset proc_pagetypeinfo_32_0 (proc_pagetypeinfo))
+(typeattributeset proc_panic_32_0 (proc_panic))
+(typeattributeset proc_perf_32_0 (proc_perf))
+(typeattributeset proc_pid_max_32_0 (proc_pid_max))
+(typeattributeset proc_pipe_conf_32_0 (proc_pipe_conf))
+(typeattributeset proc_pressure_cpu_32_0 (proc_pressure_cpu))
+(typeattributeset proc_pressure_io_32_0 (proc_pressure_io))
+(typeattributeset proc_pressure_mem_32_0 (proc_pressure_mem))
+(typeattributeset proc_qtaguid_ctrl_32_0 (proc_qtaguid_ctrl))
+(typeattributeset proc_qtaguid_stat_32_0 (proc_qtaguid_stat))
+(typeattributeset proc_random_32_0 (proc_random))
+(typeattributeset proc_sched_32_0 (proc_sched))
+(typeattributeset proc_security_32_0 (proc_security))
+(typeattributeset proc_slabinfo_32_0 (proc_slabinfo))
+(typeattributeset proc_stat_32_0 (proc_stat))
+(typeattributeset proc_swaps_32_0 (proc_swaps))
+(typeattributeset proc_sysrq_32_0 (proc_sysrq))
+(typeattributeset proc_timer_32_0 (proc_timer))
+(typeattributeset proc_tty_drivers_32_0 (proc_tty_drivers))
+(typeattributeset proc_uid_concurrent_active_time_32_0 (proc_uid_concurrent_active_time))
+(typeattributeset proc_uid_concurrent_policy_time_32_0 (proc_uid_concurrent_policy_time))
+(typeattributeset proc_uid_cpupower_32_0 (proc_uid_cpupower))
+(typeattributeset proc_uid_cputime_removeuid_32_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_32_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_32_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_32_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_32_0 (proc_uid_time_in_state))
+(typeattributeset proc_uptime_32_0 (proc_uptime))
+(typeattributeset proc_vendor_sched_32_0 (proc_vendor_sched))
+(typeattributeset proc_version_32_0 (proc_version))
+(typeattributeset proc_vmallocinfo_32_0 (proc_vmallocinfo))
+(typeattributeset proc_vmstat_32_0 (proc_vmstat))
+(typeattributeset proc_zoneinfo_32_0 (proc_zoneinfo))
+(typeattributeset processinfo_service_32_0 (processinfo_service))
+(typeattributeset procstats_service_32_0 (procstats_service))
+(typeattributeset profman_32_0 (profman))
+(typeattributeset profman_dump_data_file_32_0 (profman_dump_data_file))
+(typeattributeset profman_exec_32_0 (profman_exec))
+(typeattributeset properties_device_32_0 (properties_device))
+(typeattributeset properties_serial_32_0 (properties_serial))
+(typeattributeset property_contexts_file_32_0 (property_contexts_file))
+(typeattributeset property_data_file_32_0 (property_data_file))
+(typeattributeset property_info_32_0 (property_info))
+(typeattributeset property_service_version_prop_32_0 (property_service_version_prop))
+(typeattributeset property_socket_32_0 (property_socket))
+(typeattributeset provisioned_prop_32_0 (provisioned_prop))
+(typeattributeset pstorefs_32_0 (pstorefs))
+(typeattributeset ptmx_device_32_0 (ptmx_device))
+(typeattributeset qemu_hw_prop_32_0 (qemu_hw_prop))
+(typeattributeset qemu_sf_lcd_density_prop_32_0 (qemu_sf_lcd_density_prop))
+(typeattributeset qtaguid_device_32_0 (qtaguid_device))
+(typeattributeset racoon_32_0 (racoon))
+(typeattributeset racoon_exec_32_0 (racoon_exec))
+(typeattributeset racoon_socket_32_0 (racoon_socket))
+(typeattributeset radio_32_0 (radio))
+(typeattributeset radio_control_prop_32_0 (radio_control_prop))
+(typeattributeset radio_core_data_file_32_0 (radio_core_data_file))
+(typeattributeset radio_data_file_32_0 (radio_data_file))
+(typeattributeset radio_device_32_0 (radio_device))
+(typeattributeset radio_prop_32_0 (radio_prop))
+(typeattributeset radio_service_32_0 (radio_service))
+(typeattributeset ram_device_32_0 (ram_device))
+(typeattributeset random_device_32_0 (random_device))
+(typeattributeset reboot_readiness_service_32_0 (reboot_readiness_service))
+(typeattributeset rebootescrow_hal_prop_32_0 (rebootescrow_hal_prop))
+(typeattributeset recovery_32_0 (recovery))
+(typeattributeset recovery_block_device_32_0 (recovery_block_device))
+(typeattributeset recovery_config_prop_32_0 (recovery_config_prop))
+(typeattributeset recovery_data_file_32_0 (recovery_data_file))
+(typeattributeset recovery_persist_32_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_32_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_32_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_32_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_32_0 (recovery_service))
+(typeattributeset recovery_socket_32_0 (recovery_socket))
+(typeattributeset registry_service_32_0 (registry_service))
+(typeattributeset remoteprovisioning_service_32_0 (remoteprovisioning_service))
+(typeattributeset resourcecache_data_file_32_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_32_0 (restorecon_prop))
+(typeattributeset restrictions_service_32_0 (restrictions_service))
+(typeattributeset retaildemo_prop_32_0 (retaildemo_prop))
+(typeattributeset rild_debug_socket_32_0 (rild_debug_socket))
+(typeattributeset rild_socket_32_0 (rild_socket))
+(typeattributeset ringtone_file_32_0 (ringtone_file))
+(typeattributeset role_service_32_0 (role_service))
+(typeattributeset rollback_service_32_0 (rollback_service))
+(typeattributeset root_block_device_32_0 (root_block_device))
+(typeattributeset rootfs_32_0 (rootfs))
+(typeattributeset rpmsg_device_32_0 (rpmsg_device))
+(typeattributeset rs_32_0 (rs))
+(typeattributeset rs_exec_32_0 (rs_exec))
+(typeattributeset rss_hwm_reset_32_0 (rss_hwm_reset))
+(typeattributeset rtc_device_32_0 (rtc_device))
+(typeattributeset rttmanager_service_32_0 (rttmanager_service))
+(typeattributeset runas_32_0 (runas))
+(typeattributeset runas_app_32_0 (runas_app))
+(typeattributeset runas_exec_32_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_32_0 (runtime_event_log_tags_file))
+(typeattributeset runtime_service_32_0 (runtime_service))
+(typeattributeset safemode_prop_32_0 (safemode_prop))
+(typeattributeset same_process_hal_file_32_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_32_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_32_0 (scheduling_policy_service))
+(typeattributeset sdcard_block_device_32_0 (sdcard_block_device))
+(typeattributeset sdcardd_32_0 (sdcardd))
+(typeattributeset sdcardd_exec_32_0 (sdcardd_exec))
+(typeattributeset sdcardfs_32_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_32_0 (seapp_contexts_file))
+(typeattributeset search_service_32_0 (search_service))
+(typeattributeset search_ui_service_32_0 (search_ui_service))
+(typeattributeset sec_key_att_app_id_provider_service_32_0 (sec_key_att_app_id_provider_service))
+(typeattributeset secure_element_32_0 (secure_element))
+(typeattributeset secure_element_device_32_0 (secure_element_device))
+(typeattributeset secure_element_service_32_0 (secure_element_service))
+(typeattributeset securityfs_32_0 (securityfs))
+(typeattributeset selinuxfs_32_0 (selinuxfs))
+(typeattributeset sendbug_config_prop_32_0 (sendbug_config_prop))
+(typeattributeset sensor_privacy_service_32_0 (sensor_privacy_service))
+(typeattributeset sensors_device_32_0 (sensors_device))
+(typeattributeset sensorservice_service_32_0 (sensorservice_service))
+(typeattributeset sepolicy_file_32_0 (sepolicy_file))
+(typeattributeset serial_device_32_0 (serial_device))
+(typeattributeset serial_service_32_0 (serial_service))
+(typeattributeset serialno_prop_32_0 (serialno_prop))
+(typeattributeset server_configurable_flags_data_file_32_0 (server_configurable_flags_data_file))
+(typeattributeset service_contexts_file_32_0 (service_contexts_file))
+(typeattributeset service_manager_service_32_0 (service_manager_service))
+(typeattributeset service_manager_vndservice_32_0 (service_manager_vndservice))
+(typeattributeset servicediscovery_service_32_0 (servicediscovery_service))
+(typeattributeset servicemanager_32_0 (servicemanager))
+(typeattributeset servicemanager_exec_32_0 (servicemanager_exec))
+(typeattributeset settings_service_32_0 (settings_service))
+(typeattributeset sgdisk_32_0 (sgdisk))
+(typeattributeset sgdisk_exec_32_0 (sgdisk_exec))
+(typeattributeset shared_relro_32_0 (shared_relro))
+(typeattributeset shared_relro_file_32_0 (shared_relro_file))
+(typeattributeset shell_32_0 (shell))
+(typeattributeset shell_data_file_32_0 (shell_data_file))
+(typeattributeset shell_exec_32_0 (shell_exec))
+(typeattributeset shell_prop_32_0 (shell_prop))
+(typeattributeset shell_test_data_file_32_0 (shell_test_data_file))
+(typeattributeset shm_32_0 (shm))
+(typeattributeset shortcut_manager_icons_32_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_32_0 (shortcut_service))
+(typeattributeset simpleperf_32_0 (simpleperf))
+(typeattributeset simpleperf_app_runner_32_0 (simpleperf_app_runner))
+(typeattributeset simpleperf_app_runner_exec_32_0 (simpleperf_app_runner_exec))
+(typeattributeset slice_service_32_0 (slice_service))
+(typeattributeset slideshow_32_0 (slideshow))
+(typeattributeset smartspace_service_32_0 (smartspace_service))
+(typeattributeset snapshotctl_log_data_file_32_0 (snapshotctl_log_data_file))
+(typeattributeset snapuserd_socket_32_0 (snapuserd_socket))
+(typeattributeset soc_prop_32_0 (soc_prop))
+(typeattributeset socket_device_32_0 (socket_device))
+(typeattributeset socket_hook_prop_32_0 (socket_hook_prop))
+(typeattributeset sockfs_32_0 (sockfs))
+(typeattributeset sota_prop_32_0 (sota_prop))
+(typeattributeset soundtrigger_middleware_service_32_0 (soundtrigger_middleware_service))
+(typeattributeset speech_recognition_service_32_0 (speech_recognition_service))
+(typeattributeset sqlite_log_prop_32_0 (sqlite_log_prop))
+(typeattributeset staged_install_file_32_0 (staged_install_file))
+(typeattributeset staging_data_file_32_0 (staging_data_file))
+(typeattributeset stats_data_file_32_0 (stats_data_file))
+(typeattributeset statsd_32_0 (statsd))
+(typeattributeset statsd_exec_32_0 (statsd_exec))
+(typeattributeset statsdw_socket_32_0 (statsdw_socket))
+(typeattributeset statusbar_service_32_0 (statusbar_service))
+(typeattributeset storage_config_prop_32_0 (storage_config_prop))
+(typeattributeset storage_file_32_0 (storage_file))
+(typeattributeset storage_stub_file_32_0 (storage_stub_file))
+(typeattributeset storaged_service_32_0 (storaged_service))
+(typeattributeset storagemanager_config_prop_32_0 (storagemanager_config_prop))
+(typeattributeset storagestats_service_32_0 (storagestats_service))
+(typeattributeset su_32_0 (su))
+(typeattributeset su_exec_32_0 (su_exec))
+(typeattributeset super_block_device_32_0 (super_block_device))
+(typeattributeset surfaceflinger_32_0 (surfaceflinger))
+(typeattributeset surfaceflinger_color_prop_32_0 (surfaceflinger_color_prop))
+(typeattributeset surfaceflinger_display_prop_32_0 (surfaceflinger_display_prop))
+(typeattributeset surfaceflinger_prop_32_0 (surfaceflinger_prop))
+(typeattributeset surfaceflinger_service_32_0 (surfaceflinger_service))
+(typeattributeset surfaceflinger_tmpfs_32_0 (surfaceflinger_tmpfs))
+(typeattributeset suspend_prop_32_0 (suspend_prop))
+(typeattributeset swap_block_device_32_0 (swap_block_device))
+(typeattributeset sysfs_32_0 (sysfs))
+(typeattributeset sysfs_android_usb_32_0 (sysfs_android_usb))
+(typeattributeset sysfs_batteryinfo_32_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_block_32_0 (sysfs_block))
+(typeattributeset sysfs_bluetooth_writable_32_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devfreq_cur_32_0 (sysfs_devfreq_cur))
+(typeattributeset sysfs_devfreq_dir_32_0 (sysfs_devfreq_dir))
+(typeattributeset sysfs_devices_block_32_0 (sysfs_devices_block))
+(typeattributeset sysfs_devices_cs_etm_32_0 (sysfs_devices_cs_etm))
+(typeattributeset sysfs_devices_system_cpu_32_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_dm_32_0 (sysfs_dm))
+(typeattributeset sysfs_dm_verity_32_0 (sysfs_dm_verity))
+(typeattributeset sysfs_dma_heap_32_0 (sysfs_dma_heap))
+(typeattributeset sysfs_dmabuf_stats_32_0 (sysfs_dmabuf_stats))
+(typeattributeset sysfs_dt_firmware_android_32_0 (sysfs_dt_firmware_android))
+(typeattributeset sysfs_extcon_32_0 (sysfs_extcon))
+(typeattributeset sysfs_fs_ext4_features_32_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_fs_f2fs_32_0 (sysfs_fs_f2fs))
+(typeattributeset sysfs_fs_incfs_features_32_0 (sysfs_fs_incfs_features))
+(typeattributeset sysfs_fs_incfs_metrics_32_0 (sysfs_fs_incfs_metrics))
+(typeattributeset sysfs_hwrandom_32_0 (sysfs_hwrandom))
+(typeattributeset sysfs_ion_32_0 (sysfs_ion))
+(typeattributeset sysfs_ipv4_32_0 (sysfs_ipv4))
+(typeattributeset sysfs_kernel_notes_32_0 (sysfs_kernel_notes))
+(typeattributeset sysfs_leds_32_0 (sysfs_leds))
+(typeattributeset sysfs_loop_32_0 (sysfs_loop))
+(typeattributeset sysfs_lowmemorykiller_32_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_net_32_0 (sysfs_net))
+(typeattributeset sysfs_nfc_power_writable_32_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_power_32_0 (sysfs_power))
+(typeattributeset sysfs_rtc_32_0 (sysfs_rtc))
+(typeattributeset sysfs_suspend_stats_32_0 (sysfs_suspend_stats))
+(typeattributeset sysfs_switch_32_0 (sysfs_switch))
+(typeattributeset sysfs_thermal_32_0 (sysfs_thermal))
+(typeattributeset sysfs_transparent_hugepage_32_0 (sysfs_transparent_hugepage))
+(typeattributeset sysfs_uhid_32_0 (sysfs_uhid))
+(typeattributeset sysfs_uio_32_0 (sysfs_uio))
+(typeattributeset sysfs_usb_32_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_32_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vendor_sched_32_0 (sysfs_vendor_sched))
+(typeattributeset sysfs_vibrator_32_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_32_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wakeup_32_0 (sysfs_wakeup))
+(typeattributeset sysfs_wakeup_reasons_32_0 (sysfs_wakeup_reasons))
+(typeattributeset sysfs_wlan_fwpath_32_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_32_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_32_0 (sysfs_zram_uevent))
+(typeattributeset system_app_32_0 (system_app))
+(typeattributeset system_app_data_file_32_0 (system_app_data_file))
+(typeattributeset system_app_service_32_0 (system_app_service))
+(typeattributeset system_asan_options_file_32_0 (system_asan_options_file))
+(typeattributeset system_block_device_32_0 (system_block_device))
+(typeattributeset system_boot_reason_prop_32_0 (system_boot_reason_prop))
+(typeattributeset system_bootstrap_lib_file_32_0 (system_bootstrap_lib_file))
+(typeattributeset system_config_service_32_0 (system_config_service))
+(typeattributeset system_data_file_32_0 (system_data_file))
+(typeattributeset system_data_root_file_32_0 (system_data_root_file))
+(typeattributeset system_event_log_tags_file_32_0 (system_event_log_tags_file))
+(typeattributeset system_file_32_0 (system_file))
+(typeattributeset system_group_file_32_0 (system_group_file))
+(typeattributeset system_jvmti_agent_prop_32_0 (system_jvmti_agent_prop))
+(typeattributeset system_lib_file_32_0 (system_lib_file))
+(typeattributeset system_linker_config_file_32_0 (system_linker_config_file))
+(typeattributeset system_linker_exec_32_0 (system_linker_exec))
+(typeattributeset system_lmk_prop_32_0 (system_lmk_prop))
+(typeattributeset system_ndebug_socket_32_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_32_0 (system_net_netd_hwservice))
+(typeattributeset system_passwd_file_32_0 (system_passwd_file))
+(typeattributeset system_prop_32_0 (system_prop))
+(typeattributeset system_seccomp_policy_file_32_0 (system_seccomp_policy_file))
+(typeattributeset system_security_cacerts_file_32_0 (system_security_cacerts_file))
+(typeattributeset system_server_32_0 (system_server))
+(typeattributeset system_server_dumper_service_32_0 (system_server_dumper_service))
+(typeattributeset system_server_tmpfs_32_0 (system_server_tmpfs))
+(typeattributeset system_suspend_control_internal_service_32_0 (system_suspend_control_internal_service))
+(typeattributeset system_suspend_control_service_32_0 (system_suspend_control_service))
+(typeattributeset system_suspend_hwservice_32_0 (system_suspend_hwservice))
+(typeattributeset system_trace_prop_32_0 (system_trace_prop))
+(typeattributeset system_unsolzygote_socket_32_0 (system_unsolzygote_socket))
+(typeattributeset system_update_service_32_0 (system_update_service))
+(typeattributeset system_wifi_keystore_hwservice_32_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_32_0 (system_wpa_socket))
+(typeattributeset system_zoneinfo_file_32_0 (system_zoneinfo_file))
+(typeattributeset systemkeys_data_file_32_0 (systemkeys_data_file))
+(typeattributeset systemsound_config_prop_32_0 (systemsound_config_prop))
+(typeattributeset task_profiles_api_file_32_0 (task_profiles_api_file))
+(typeattributeset task_profiles_file_32_0 (task_profiles_file))
+(typeattributeset task_service_32_0 (task_service))
+(typeattributeset tcpdump_exec_32_0 (tcpdump_exec))
+(typeattributeset tee_32_0 (tee))
+(typeattributeset tee_data_file_32_0 (tee_data_file))
+(typeattributeset tee_device_32_0 (tee_device))
+(typeattributeset telecom_service_32_0 (telecom_service))
+(typeattributeset telephony_config_prop_32_0 (telephony_config_prop))
+(typeattributeset telephony_status_prop_32_0 (telephony_status_prop))
+(typeattributeset test_boot_reason_prop_32_0 (test_boot_reason_prop))
+(typeattributeset test_harness_prop_32_0 (test_harness_prop))
+(typeattributeset testharness_service_32_0 (testharness_service))
+(typeattributeset tethering_service_32_0 (tethering_service))
+(typeattributeset textclassification_service_32_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_32_0 (textclassifier_data_file))
+(typeattributeset textservices_service_32_0 (textservices_service))
+(typeattributeset texttospeech_service_32_0 (texttospeech_service))
+(typeattributeset theme_prop_32_0 (theme_prop))
+(typeattributeset thermal_service_32_0 (thermal_service))
+(typeattributeset time_prop_32_0 (time_prop))
+(typeattributeset timedetector_service_32_0 (timedetector_service))
+(typeattributeset timezone_service_32_0 (timezone_service))
+(typeattributeset timezonedetector_service_32_0 (timezonedetector_service))
+(typeattributeset tmpfs_32_0 (tmpfs))
+(typeattributeset tombstone_config_prop_32_0 (tombstone_config_prop))
+(typeattributeset tombstone_data_file_32_0 (tombstone_data_file))
+(typeattributeset tombstone_wifi_data_file_32_0 (tombstone_wifi_data_file))
+(typeattributeset tombstoned_32_0 (tombstoned))
+(typeattributeset tombstoned_crash_socket_32_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_32_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_32_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_32_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_32_0 (toolbox))
+(typeattributeset toolbox_exec_32_0 (toolbox_exec))
+(typeattributeset trace_data_file_32_0 (trace_data_file))
+(typeattributeset traced_32_0 (traced))
+(typeattributeset traced_consumer_socket_32_0 (traced_consumer_socket))
+(typeattributeset traced_enabled_prop_32_0 (traced_enabled_prop))
+(typeattributeset traced_lazy_prop_32_0 (traced_lazy_prop))
+(typeattributeset traced_perf_32_0 (traced_perf))
+(typeattributeset traced_perf_socket_32_0 (traced_perf_socket))
+(typeattributeset traced_probes_32_0 (traced_probes))
+(typeattributeset traced_producer_socket_32_0 (traced_producer_socket))
+(typeattributeset traced_tmpfs_32_0 (traced_tmpfs))
+(typeattributeset traceur_app_32_0 (traceur_app))
+(typeattributeset translation_service_32_0 (translation_service))
+(typeattributeset trust_service_32_0 (trust_service))
+(typeattributeset tty_device_32_0 (tty_device))
+(typeattributeset tun_device_32_0 (tun_device))
+(typeattributeset tv_input_service_32_0 (tv_input_service))
+(typeattributeset tv_tuner_resource_mgr_service_32_0 (tv_tuner_resource_mgr_service))
+(typeattributeset tzdatacheck_32_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_32_0 (tzdatacheck_exec))
+(typeattributeset ueventd_32_0 (ueventd))
+(typeattributeset ueventd_tmpfs_32_0 (ueventd_tmpfs))
+(typeattributeset uhid_device_32_0 (uhid_device))
+(typeattributeset uimode_service_32_0 (uimode_service))
+(typeattributeset uio_device_32_0 (uio_device))
+(typeattributeset uncrypt_32_0 (uncrypt))
+(typeattributeset uncrypt_exec_32_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_32_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_32_0 (unencrypted_data_file))
+(typeattributeset unlabeled_32_0 (unlabeled))
+(typeattributeset untrusted_app_25_32_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_32_0 (untrusted_app_27))
+(typeattributeset untrusted_app_29_32_0 (untrusted_app_29))
+(typeattributeset untrusted_app_32_0 (untrusted_app))
+(typeattributeset update_engine_32_0 (update_engine))
+(typeattributeset update_engine_data_file_32_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_32_0 (update_engine_exec))
+(typeattributeset update_engine_log_data_file_32_0 (update_engine_log_data_file))
+(typeattributeset update_engine_service_32_0 (update_engine_service))
+(typeattributeset update_engine_stable_service_32_0 (update_engine_stable_service))
+(typeattributeset update_verifier_32_0 (update_verifier))
+(typeattributeset update_verifier_exec_32_0 (update_verifier_exec))
+(typeattributeset updatelock_service_32_0 (updatelock_service))
+(typeattributeset uri_grants_service_32_0 (uri_grants_service))
+(typeattributeset usagestats_service_32_0 (usagestats_service))
+(typeattributeset usb_config_prop_32_0 (usb_config_prop))
+(typeattributeset usb_control_prop_32_0 (usb_control_prop))
+(typeattributeset usb_device_32_0 (usb_device))
+(typeattributeset usb_prop_32_0 (usb_prop))
+(typeattributeset usb_serial_device_32_0 (usb_serial_device))
+(typeattributeset usb_service_32_0 (usb_service))
+(typeattributeset usbaccessory_device_32_0 (usbaccessory_device))
+(typeattributeset usbd_32_0 (usbd))
+(typeattributeset usbd_exec_32_0 (usbd_exec))
+(typeattributeset usbfs_32_0 (usbfs))
+(typeattributeset use_memfd_prop_32_0 (use_memfd_prop))
+(typeattributeset user_profile_data_file_32_0 (user_profile_data_file))
+(typeattributeset user_profile_root_file_32_0 (user_profile_root_file))
+(typeattributeset user_service_32_0 (user_service))
+(typeattributeset userdata_block_device_32_0 (userdata_block_device))
+(typeattributeset userdata_sysdev_32_0 (userdata_sysdev))
+(typeattributeset usermodehelper_32_0 (usermodehelper))
+(typeattributeset userspace_reboot_config_prop_32_0 (userspace_reboot_config_prop))
+(typeattributeset userspace_reboot_exported_prop_32_0 (userspace_reboot_exported_prop))
+(typeattributeset userspace_reboot_metadata_file_32_0 (userspace_reboot_metadata_file))
+(typeattributeset uwb_service_32_0 (uwb_service))
+(typeattributeset vcn_management_service_32_0 (vcn_management_service))
+(typeattributeset vd_device_32_0 (vd_device))
+(typeattributeset vdc_32_0 (vdc))
+(typeattributeset vdc_exec_32_0 (vdc_exec))
+(typeattributeset vehicle_hal_prop_32_0 (vehicle_hal_prop))
+(typeattributeset vendor_apex_file_32_0 (vendor_apex_file))
+(typeattributeset vendor_app_file_32_0 (vendor_app_file))
+(typeattributeset vendor_cgroup_desc_file_32_0 (vendor_cgroup_desc_file))
+(typeattributeset vendor_configs_file_32_0 (vendor_configs_file))
+(typeattributeset vendor_data_file_32_0 (vendor_data_file))
+(typeattributeset vendor_default_prop_32_0 (vendor_default_prop))
+(typeattributeset vendor_file_32_0 (vendor_file))
+(typeattributeset vendor_framework_file_32_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_32_0 (vendor_hal_file))
+(typeattributeset vendor_idc_file_32_0 (vendor_idc_file))
+(typeattributeset vendor_init_32_0 (vendor_init))
+(typeattributeset vendor_kernel_modules_32_0 (vendor_kernel_modules))
+(typeattributeset vendor_keychars_file_32_0 (vendor_keychars_file))
+(typeattributeset vendor_keylayout_file_32_0 (vendor_keylayout_file))
+(typeattributeset vendor_misc_writer_32_0 (vendor_misc_writer))
+(typeattributeset vendor_misc_writer_exec_32_0 (vendor_misc_writer_exec))
+(typeattributeset vendor_modprobe_32_0 (vendor_modprobe))
+(typeattributeset vendor_overlay_file_32_0 (vendor_overlay_file))
+(typeattributeset vendor_public_framework_file_32_0 (vendor_public_framework_file))
+(typeattributeset vendor_public_lib_file_32_0 (vendor_public_lib_file))
+(typeattributeset vendor_security_patch_level_prop_32_0 (vendor_security_patch_level_prop))
+(typeattributeset vendor_service_contexts_file_32_0 (vendor_service_contexts_file))
+(typeattributeset vendor_shell_32_0 (vendor_shell))
+(typeattributeset vendor_shell_exec_32_0 (vendor_shell_exec))
+(typeattributeset vendor_socket_hook_prop_32_0 (vendor_socket_hook_prop))
+(typeattributeset vendor_task_profiles_file_32_0 (vendor_task_profiles_file))
+(typeattributeset vendor_toolbox_exec_32_0 (vendor_toolbox_exec))
+(typeattributeset vfat_32_0 (vfat))
+(typeattributeset vibrator_manager_service_32_0 (vibrator_manager_service))
+(typeattributeset vibrator_service_32_0 (vibrator_service))
+(typeattributeset video_device_32_0 (video_device))
+(typeattributeset virtual_ab_prop_32_0 (virtual_ab_prop))
+(typeattributeset virtual_touchpad_32_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_32_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_32_0 (virtual_touchpad_service))
+(typeattributeset virtualization_service_32_0 (virtualization_service))
+(typeattributeset vndbinder_device_32_0 (vndbinder_device))
+(typeattributeset vndk_prop_32_0 (vndk_prop))
+(typeattributeset vndk_sp_file_32_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_32_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_32_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_32_0 (voiceinteraction_service))
+(typeattributeset vold_32_0 (vold))
+(typeattributeset vold_config_prop_32_0 (vold_config_prop))
+(typeattributeset vold_data_file_32_0 (vold_data_file))
+(typeattributeset vold_device_32_0 (vold_device))
+(typeattributeset vold_exec_32_0 (vold_exec))
+(typeattributeset vold_metadata_file_32_0 (vold_metadata_file))
+(typeattributeset vold_post_fs_data_prop_32_0 (vold_post_fs_data_prop))
+(typeattributeset vold_prepare_subdirs_32_0 (vold_prepare_subdirs))
+(typeattributeset vold_prepare_subdirs_exec_32_0 (vold_prepare_subdirs_exec))
+(typeattributeset vold_prop_32_0 (vold_prop))
+(typeattributeset vold_service_32_0 (vold_service))
+(typeattributeset vold_status_prop_32_0 (vold_status_prop))
+(typeattributeset vpn_data_file_32_0 (vpn_data_file))
+(typeattributeset vpn_management_service_32_0 (vpn_management_service))
+(typeattributeset vr_hwc_32_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_32_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_32_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_32_0 (vr_manager_service))
+(typeattributeset vrflinger_vsync_service_32_0 (vrflinger_vsync_service))
+(typeattributeset vts_config_prop_32_0 (vts_config_prop))
+(typeattributeset vts_status_prop_32_0 (vts_status_prop))
+(typeattributeset wallpaper_file_32_0 (wallpaper_file))
+(typeattributeset wallpaper_service_32_0 (wallpaper_service))
+(typeattributeset watchdog_device_32_0 (watchdog_device))
+(typeattributeset watchdog_metadata_file_32_0 (watchdog_metadata_file))
+(typeattributeset watchdogd_32_0 (watchdogd))
+(typeattributeset watchdogd_exec_32_0 (watchdogd_exec))
+(typeattributeset webview_zygote_32_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_32_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_tmpfs_32_0 (webview_zygote_tmpfs))
+(typeattributeset webviewupdate_service_32_0 (webviewupdate_service))
+(typeattributeset wifi_config_prop_32_0 (wifi_config_prop))
+(typeattributeset wifi_data_file_32_0 (wifi_data_file))
+(typeattributeset wifi_hal_prop_32_0 (wifi_hal_prop))
+(typeattributeset wifi_key_32_0 (wifi_key))
+(typeattributeset wifi_log_prop_32_0 (wifi_log_prop))
+(typeattributeset wifi_prop_32_0 (wifi_prop))
+(typeattributeset wifi_service_32_0 (wifi_service))
+(typeattributeset wifiaware_service_32_0 (wifiaware_service))
+(typeattributeset wificond_32_0 (wificond))
+(typeattributeset wificond_exec_32_0 (wificond_exec))
+(typeattributeset wifinl80211_service_32_0 (wifinl80211_service))
+(typeattributeset wifip2p_service_32_0 (wifip2p_service))
+(typeattributeset wifiscanner_service_32_0 (wifiscanner_service))
+(typeattributeset window_service_32_0 (window_service))
+(typeattributeset wpa_socket_32_0 (wpa_socket))
+(typeattributeset wpantund_32_0 (wpantund))
+(typeattributeset wpantund_exec_32_0 (wpantund_exec))
+(typeattributeset wpantund_service_32_0 (wpantund_service))
+(typeattributeset zero_device_32_0 (zero_device))
+(typeattributeset zoneinfo_data_file_32_0 (zoneinfo_data_file))
+(typeattributeset zram_config_prop_32_0 (zram_config_prop))
+(typeattributeset zram_control_prop_32_0 (zram_control_prop))
+(typeattributeset zygote_32_0 (zygote))
+(typeattributeset zygote_config_prop_32_0 (zygote_config_prop))
+(typeattributeset zygote_exec_32_0 (zygote_exec))
+(typeattributeset zygote_socket_32_0 (zygote_socket))
+(typeattributeset zygote_tmpfs_32_0 (zygote_tmpfs))
diff --git a/private/compat/32.0/32.0.compat.cil b/private/compat/32.0/32.0.compat.cil
new file mode 100644
index 0000000..628abfc
--- /dev/null
+++ b/private/compat/32.0/32.0.compat.cil
@@ -0,0 +1 @@
+;; This file can't be empty.
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
new file mode 100644
index 0000000..b3805ed
--- /dev/null
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -0,0 +1,81 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ adservices_manager_service
+ apexd_select_prop
+ artd_service
+ attestation_verification_service
+ bluetooth_config_prop
+ binderfs_features
+ charger_vendor
+ cloudsearch
+ cloudsearch_service
+ connectivity_native_service
+ device_config_nnapi_native_prop
+ device_config_surface_flinger_native_boot_prop
+ dice_maintenance_service
+ dice_node_service
+ diced
+ diced_exec
+ fwk_automotive_display_service
+ evsmanagerd
+ evsmanagerd_service
+ extra_free_kbytes
+ extra_free_kbytes_exec
+ fs_bpf_vendor
+ game_mode_intervention_list_file
+ gesture_prop
+ gwp_asan_prop
+ hal_contexthub_service
+ hal_camera_service
+ hal_evs_service
+ hal_dice_service
+ hal_drm_service
+ hal_dumpstate_service
+ hal_graphics_allocator_service
+ hal_graphics_composer_service
+ hal_health_service
+ hal_input_processor_service
+ hal_ir_service
+ hal_nfc_service
+ hal_nlinterceptor_service
+ hal_radio_service
+ hal_sensors_service
+ hal_system_suspend_service
+ hal_tv_tuner_service
+ hal_usb_service
+ hal_uwb_service
+ hal_vehicle_service
+ hal_wifi_hostapd_service
+ hal_wifi_supplicant_service
+ locale_service
+ mdns_service
+ nearby_service
+ persist_wm_debug_prop
+ proc_watermark_boost_factor
+ proc_watermark_scale_factor
+ remotelyprovisionedkeypool_service
+ resources_manager_service
+ rootdisk_sysdev
+ sdk_sandbox_service
+ selection_toolbar_service
+ smart_idle_maint_enabled_prop
+ snapuserd_proxy_socket
+ sysfs_fs_fuse_bpf
+ sysfs_gpu
+ sysfs_lru_gen_enabled
+ system_dlkm_file
+ system_user_mode_emulation_prop
+ tare_service
+ tv_iapp_service
+ untrusted_app_30
+ vendor_uuid_mapping_config_file
+ vendor_vm_data_file
+ vendor_vm_file
+ virtual_device_service
+ wallpaper_effects_generation_service
+))
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
new file mode 100644
index 0000000..4439277
--- /dev/null
+++ b/private/compat/33.0/33.0.cil
@@ -0,0 +1,2606 @@
+(expandtypeattribute (DockObserver_service_33_0) true)
+(expandtypeattribute (IProxyService_service_33_0) true)
+(expandtypeattribute (aac_drc_prop_33_0) true)
+(expandtypeattribute (aaudio_config_prop_33_0) true)
+(expandtypeattribute (ab_update_gki_prop_33_0) true)
+(expandtypeattribute (accessibility_service_33_0) true)
+(expandtypeattribute (account_service_33_0) true)
+(expandtypeattribute (activity_service_33_0) true)
+(expandtypeattribute (activity_task_service_33_0) true)
+(expandtypeattribute (adb_data_file_33_0) true)
+(expandtypeattribute (adb_keys_file_33_0) true)
+(expandtypeattribute (adb_service_33_0) true)
+(expandtypeattribute (adbd_33_0) true)
+(expandtypeattribute (adbd_config_prop_33_0) true)
+(expandtypeattribute (adbd_exec_33_0) true)
+(expandtypeattribute (adbd_socket_33_0) true)
+(expandtypeattribute (adservices_manager_service_33_0) true)
+(expandtypeattribute (aidl_lazy_test_server_33_0) true)
+(expandtypeattribute (aidl_lazy_test_server_exec_33_0) true)
+(expandtypeattribute (aidl_lazy_test_service_33_0) true)
+(expandtypeattribute (alarm_service_33_0) true)
+(expandtypeattribute (anr_data_file_33_0) true)
+(expandtypeattribute (apc_service_33_0) true)
+(expandtypeattribute (apex_data_file_33_0) true)
+(expandtypeattribute (apex_info_file_33_0) true)
+(expandtypeattribute (apex_metadata_file_33_0) true)
+(expandtypeattribute (apex_mnt_dir_33_0) true)
+(expandtypeattribute (apex_module_data_file_33_0) true)
+(expandtypeattribute (apex_ota_reserved_file_33_0) true)
+(expandtypeattribute (apex_rollback_data_file_33_0) true)
+(expandtypeattribute (apex_service_33_0) true)
+(expandtypeattribute (apex_system_server_data_file_33_0) true)
+(expandtypeattribute (apexd_33_0) true)
+(expandtypeattribute (apexd_config_prop_33_0) true)
+(expandtypeattribute (apexd_exec_33_0) true)
+(expandtypeattribute (apexd_prop_33_0) true)
+(expandtypeattribute (apexd_select_prop_33_0) true)
+(expandtypeattribute (apk_data_file_33_0) true)
+(expandtypeattribute (apk_private_data_file_33_0) true)
+(expandtypeattribute (apk_private_tmp_file_33_0) true)
+(expandtypeattribute (apk_tmp_file_33_0) true)
+(expandtypeattribute (apk_verity_prop_33_0) true)
+(expandtypeattribute (app_binding_service_33_0) true)
+(expandtypeattribute (app_data_file_33_0) true)
+(expandtypeattribute (app_fuse_file_33_0) true)
+(expandtypeattribute (app_fusefs_33_0) true)
+(expandtypeattribute (app_hibernation_service_33_0) true)
+(expandtypeattribute (app_integrity_service_33_0) true)
+(expandtypeattribute (app_prediction_service_33_0) true)
+(expandtypeattribute (app_search_service_33_0) true)
+(expandtypeattribute (app_zygote_33_0) true)
+(expandtypeattribute (app_zygote_tmpfs_33_0) true)
+(expandtypeattribute (appcompat_data_file_33_0) true)
+(expandtypeattribute (appdomain_tmpfs_33_0) true)
+(expandtypeattribute (appops_service_33_0) true)
+(expandtypeattribute (appwidget_service_33_0) true)
+(expandtypeattribute (arm64_memtag_prop_33_0) true)
+(expandtypeattribute (art_apex_dir_33_0) true)
+(expandtypeattribute (artd_service_33_0) true)
+(expandtypeattribute (asec_apk_file_33_0) true)
+(expandtypeattribute (asec_image_file_33_0) true)
+(expandtypeattribute (asec_public_file_33_0) true)
+(expandtypeattribute (ashmem_device_33_0) true)
+(expandtypeattribute (ashmem_libcutils_device_33_0) true)
+(expandtypeattribute (assetatlas_service_33_0) true)
+(expandtypeattribute (atrace_33_0) true)
+(expandtypeattribute (attestation_verification_service_33_0) true)
+(expandtypeattribute (audio_config_prop_33_0) true)
+(expandtypeattribute (audio_data_file_33_0) true)
+(expandtypeattribute (audio_device_33_0) true)
+(expandtypeattribute (audio_prop_33_0) true)
+(expandtypeattribute (audio_service_33_0) true)
+(expandtypeattribute (audiohal_data_file_33_0) true)
+(expandtypeattribute (audioserver_33_0) true)
+(expandtypeattribute (audioserver_data_file_33_0) true)
+(expandtypeattribute (audioserver_service_33_0) true)
+(expandtypeattribute (audioserver_tmpfs_33_0) true)
+(expandtypeattribute (auth_service_33_0) true)
+(expandtypeattribute (authorization_service_33_0) true)
+(expandtypeattribute (autofill_service_33_0) true)
+(expandtypeattribute (backup_data_file_33_0) true)
+(expandtypeattribute (backup_service_33_0) true)
+(expandtypeattribute (battery_service_33_0) true)
+(expandtypeattribute (batteryproperties_service_33_0) true)
+(expandtypeattribute (batterystats_service_33_0) true)
+(expandtypeattribute (binder_cache_bluetooth_server_prop_33_0) true)
+(expandtypeattribute (binder_cache_system_server_prop_33_0) true)
+(expandtypeattribute (binder_cache_telephony_server_prop_33_0) true)
+(expandtypeattribute (binder_calls_stats_service_33_0) true)
+(expandtypeattribute (binder_device_33_0) true)
+(expandtypeattribute (binderfs_33_0) true)
+(expandtypeattribute (binderfs_features_33_0) true)
+(expandtypeattribute (binderfs_logs_33_0) true)
+(expandtypeattribute (binderfs_logs_proc_33_0) true)
+(expandtypeattribute (binfmt_miscfs_33_0) true)
+(expandtypeattribute (biometric_service_33_0) true)
+(expandtypeattribute (blkid_33_0) true)
+(expandtypeattribute (blkid_untrusted_33_0) true)
+(expandtypeattribute (blob_store_service_33_0) true)
+(expandtypeattribute (block_device_33_0) true)
+(expandtypeattribute (bluetooth_33_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_33_0) true)
+(expandtypeattribute (bluetooth_audio_hal_prop_33_0) true)
+(expandtypeattribute (bluetooth_config_prop_33_0) true)
+(expandtypeattribute (bluetooth_data_file_33_0) true)
+(expandtypeattribute (bluetooth_efs_file_33_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_33_0) true)
+(expandtypeattribute (bluetooth_manager_service_33_0) true)
+(expandtypeattribute (bluetooth_prop_33_0) true)
+(expandtypeattribute (bluetooth_service_33_0) true)
+(expandtypeattribute (bluetooth_socket_33_0) true)
+(expandtypeattribute (boot_block_device_33_0) true)
+(expandtypeattribute (boot_status_prop_33_0) true)
+(expandtypeattribute (bootanim_33_0) true)
+(expandtypeattribute (bootanim_config_prop_33_0) true)
+(expandtypeattribute (bootanim_exec_33_0) true)
+(expandtypeattribute (bootanim_system_prop_33_0) true)
+(expandtypeattribute (bootchart_data_file_33_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_33_0) true)
+(expandtypeattribute (bootloader_prop_33_0) true)
+(expandtypeattribute (bootstat_33_0) true)
+(expandtypeattribute (bootstat_data_file_33_0) true)
+(expandtypeattribute (bootstat_exec_33_0) true)
+(expandtypeattribute (boottime_prop_33_0) true)
+(expandtypeattribute (boottime_public_prop_33_0) true)
+(expandtypeattribute (boottrace_data_file_33_0) true)
+(expandtypeattribute (bpf_progs_loaded_prop_33_0) true)
+(expandtypeattribute (bpfloader_33_0) true)
+(expandtypeattribute (bq_config_prop_33_0) true)
+(expandtypeattribute (broadcastradio_service_33_0) true)
+(expandtypeattribute (bufferhubd_33_0) true)
+(expandtypeattribute (bufferhubd_exec_33_0) true)
+(expandtypeattribute (bugreport_service_33_0) true)
+(expandtypeattribute (build_bootimage_prop_33_0) true)
+(expandtypeattribute (build_config_prop_33_0) true)
+(expandtypeattribute (build_odm_prop_33_0) true)
+(expandtypeattribute (build_prop_33_0) true)
+(expandtypeattribute (build_vendor_prop_33_0) true)
+(expandtypeattribute (cache_backup_file_33_0) true)
+(expandtypeattribute (cache_block_device_33_0) true)
+(expandtypeattribute (cache_file_33_0) true)
+(expandtypeattribute (cache_private_backup_file_33_0) true)
+(expandtypeattribute (cache_recovery_file_33_0) true)
+(expandtypeattribute (cacheinfo_service_33_0) true)
+(expandtypeattribute (camera2_extensions_prop_33_0) true)
+(expandtypeattribute (camera_calibration_prop_33_0) true)
+(expandtypeattribute (camera_config_prop_33_0) true)
+(expandtypeattribute (camera_data_file_33_0) true)
+(expandtypeattribute (camera_device_33_0) true)
+(expandtypeattribute (cameraproxy_service_33_0) true)
+(expandtypeattribute (cameraserver_33_0) true)
+(expandtypeattribute (cameraserver_exec_33_0) true)
+(expandtypeattribute (cameraserver_service_33_0) true)
+(expandtypeattribute (cameraserver_tmpfs_33_0) true)
+(expandtypeattribute (camerax_extensions_prop_33_0) true)
+(expandtypeattribute (cgroup_33_0) true)
+(expandtypeattribute (cgroup_desc_api_file_33_0) true)
+(expandtypeattribute (cgroup_desc_file_33_0) true)
+(expandtypeattribute (cgroup_rc_file_33_0) true)
+(expandtypeattribute (cgroup_v2_33_0) true)
+(expandtypeattribute (charger_33_0) true)
+(expandtypeattribute (charger_config_prop_33_0) true)
+(expandtypeattribute (charger_exec_33_0) true)
+(expandtypeattribute (charger_prop_33_0) true)
+(expandtypeattribute (charger_status_prop_33_0) true)
+(expandtypeattribute (charger_vendor_33_0) true)
+(expandtypeattribute (clipboard_service_33_0) true)
+(expandtypeattribute (cloudsearch_service_33_0) true)
+(expandtypeattribute (codec2_config_prop_33_0) true)
+(expandtypeattribute (cold_boot_done_prop_33_0) true)
+(expandtypeattribute (color_display_service_33_0) true)
+(expandtypeattribute (companion_device_service_33_0) true)
+(expandtypeattribute (config_prop_33_0) true)
+(expandtypeattribute (configfs_33_0) true)
+(expandtypeattribute (connectivity_native_service_33_0) true)
+(expandtypeattribute (connectivity_service_33_0) true)
+(expandtypeattribute (connmetrics_service_33_0) true)
+(expandtypeattribute (console_device_33_0) true)
+(expandtypeattribute (consumer_ir_service_33_0) true)
+(expandtypeattribute (content_capture_service_33_0) true)
+(expandtypeattribute (content_service_33_0) true)
+(expandtypeattribute (content_suggestions_service_33_0) true)
+(expandtypeattribute (contexthub_service_33_0) true)
+(expandtypeattribute (coredump_file_33_0) true)
+(expandtypeattribute (country_detector_service_33_0) true)
+(expandtypeattribute (coverage_service_33_0) true)
+(expandtypeattribute (cppreopt_prop_33_0) true)
+(expandtypeattribute (cpu_variant_prop_33_0) true)
+(expandtypeattribute (cpuinfo_service_33_0) true)
+(expandtypeattribute (crash_dump_33_0) true)
+(expandtypeattribute (crash_dump_exec_33_0) true)
+(expandtypeattribute (credstore_33_0) true)
+(expandtypeattribute (credstore_data_file_33_0) true)
+(expandtypeattribute (credstore_exec_33_0) true)
+(expandtypeattribute (credstore_service_33_0) true)
+(expandtypeattribute (crossprofileapps_service_33_0) true)
+(expandtypeattribute (ctl_adbd_prop_33_0) true)
+(expandtypeattribute (ctl_apexd_prop_33_0) true)
+(expandtypeattribute (ctl_bootanim_prop_33_0) true)
+(expandtypeattribute (ctl_bugreport_prop_33_0) true)
+(expandtypeattribute (ctl_console_prop_33_0) true)
+(expandtypeattribute (ctl_default_prop_33_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_33_0) true)
+(expandtypeattribute (ctl_fuse_prop_33_0) true)
+(expandtypeattribute (ctl_gsid_prop_33_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_33_0) true)
+(expandtypeattribute (ctl_interface_start_prop_33_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_33_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_33_0) true)
+(expandtypeattribute (ctl_restart_prop_33_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_33_0) true)
+(expandtypeattribute (ctl_sigstop_prop_33_0) true)
+(expandtypeattribute (ctl_start_prop_33_0) true)
+(expandtypeattribute (ctl_stop_prop_33_0) true)
+(expandtypeattribute (dalvik_config_prop_33_0) true)
+(expandtypeattribute (dalvik_prop_33_0) true)
+(expandtypeattribute (dalvik_runtime_prop_33_0) true)
+(expandtypeattribute (dalvikcache_data_file_33_0) true)
+(expandtypeattribute (dataloader_manager_service_33_0) true)
+(expandtypeattribute (dbinfo_service_33_0) true)
+(expandtypeattribute (dck_prop_33_0) true)
+(expandtypeattribute (debug_prop_33_0) true)
+(expandtypeattribute (debugfs_33_0) true)
+(expandtypeattribute (debugfs_bootreceiver_tracing_33_0) true)
+(expandtypeattribute (debugfs_kprobes_33_0) true)
+(expandtypeattribute (debugfs_mm_events_tracing_33_0) true)
+(expandtypeattribute (debugfs_mmc_33_0) true)
+(expandtypeattribute (debugfs_restriction_prop_33_0) true)
+(expandtypeattribute (debugfs_trace_marker_33_0) true)
+(expandtypeattribute (debugfs_tracing_33_0) true)
+(expandtypeattribute (debugfs_tracing_debug_33_0) true)
+(expandtypeattribute (debugfs_tracing_instances_33_0) true)
+(expandtypeattribute (debugfs_tracing_printk_formats_33_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_33_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_33_0) true)
+(expandtypeattribute (debuggerd_prop_33_0) true)
+(expandtypeattribute (default_android_hwservice_33_0) true)
+(expandtypeattribute (default_android_service_33_0) true)
+(expandtypeattribute (default_android_vndservice_33_0) true)
+(expandtypeattribute (default_prop_33_0) true)
+(expandtypeattribute (dev_cpu_variant_33_0) true)
+(expandtypeattribute (device_33_0) true)
+(expandtypeattribute (device_config_activity_manager_native_boot_prop_33_0) true)
+(expandtypeattribute (device_config_boot_count_prop_33_0) true)
+(expandtypeattribute (device_config_input_native_boot_prop_33_0) true)
+(expandtypeattribute (device_config_media_native_prop_33_0) true)
+(expandtypeattribute (device_config_netd_native_prop_33_0) true)
+(expandtypeattribute (device_config_nnapi_native_prop_33_0) true)
+(expandtypeattribute (device_config_reset_performed_prop_33_0) true)
+(expandtypeattribute (device_config_runtime_native_boot_prop_33_0) true)
+(expandtypeattribute (device_config_runtime_native_prop_33_0) true)
+(expandtypeattribute (device_config_service_33_0) true)
+(expandtypeattribute (device_config_surface_flinger_native_boot_prop_33_0) true)
+(expandtypeattribute (device_identifiers_service_33_0) true)
+(expandtypeattribute (device_logging_prop_33_0) true)
+(expandtypeattribute (device_policy_service_33_0) true)
+(expandtypeattribute (device_state_service_33_0) true)
+(expandtypeattribute (deviceidle_service_33_0) true)
+(expandtypeattribute (devicestoragemonitor_service_33_0) true)
+(expandtypeattribute (devpts_33_0) true)
+(expandtypeattribute (dhcp_33_0) true)
+(expandtypeattribute (dhcp_data_file_33_0) true)
+(expandtypeattribute (dhcp_exec_33_0) true)
+(expandtypeattribute (dhcp_prop_33_0) true)
+(expandtypeattribute (dice_maintenance_service_33_0) true)
+(expandtypeattribute (dice_node_service_33_0) true)
+(expandtypeattribute (diced_33_0) true)
+(expandtypeattribute (diced_exec_33_0) true)
+(expandtypeattribute (diskstats_service_33_0) true)
+(expandtypeattribute (display_service_33_0) true)
+(expandtypeattribute (dm_device_33_0) true)
+(expandtypeattribute (dm_user_device_33_0) true)
+(expandtypeattribute (dmabuf_heap_device_33_0) true)
+(expandtypeattribute (dmabuf_system_heap_device_33_0) true)
+(expandtypeattribute (dmabuf_system_secure_heap_device_33_0) true)
+(expandtypeattribute (dnsmasq_33_0) true)
+(expandtypeattribute (dnsmasq_exec_33_0) true)
+(expandtypeattribute (dnsproxyd_socket_33_0) true)
+(expandtypeattribute (dnsresolver_service_33_0) true)
+(expandtypeattribute (domain_verification_service_33_0) true)
+(expandtypeattribute (dreams_service_33_0) true)
+(expandtypeattribute (drm_data_file_33_0) true)
+(expandtypeattribute (drm_service_config_prop_33_0) true)
+(expandtypeattribute (drmserver_33_0) true)
+(expandtypeattribute (drmserver_exec_33_0) true)
+(expandtypeattribute (drmserver_service_33_0) true)
+(expandtypeattribute (drmserver_socket_33_0) true)
+(expandtypeattribute (dropbox_data_file_33_0) true)
+(expandtypeattribute (dropbox_service_33_0) true)
+(expandtypeattribute (dumpstate_33_0) true)
+(expandtypeattribute (dumpstate_exec_33_0) true)
+(expandtypeattribute (dumpstate_options_prop_33_0) true)
+(expandtypeattribute (dumpstate_prop_33_0) true)
+(expandtypeattribute (dumpstate_service_33_0) true)
+(expandtypeattribute (dumpstate_socket_33_0) true)
+(expandtypeattribute (dynamic_system_prop_33_0) true)
+(expandtypeattribute (e2fs_33_0) true)
+(expandtypeattribute (e2fs_exec_33_0) true)
+(expandtypeattribute (efs_file_33_0) true)
+(expandtypeattribute (emergency_affordance_service_33_0) true)
+(expandtypeattribute (ephemeral_app_33_0) true)
+(expandtypeattribute (ethernet_service_33_0) true)
+(expandtypeattribute (evsmanagerd_33_0) true)
+(expandtypeattribute (evsmanagerd_service_33_0) true)
+(expandtypeattribute (exfat_33_0) true)
+(expandtypeattribute (exported3_system_prop_33_0) true)
+(expandtypeattribute (exported_bluetooth_prop_33_0) true)
+(expandtypeattribute (exported_camera_prop_33_0) true)
+(expandtypeattribute (exported_config_prop_33_0) true)
+(expandtypeattribute (exported_default_prop_33_0) true)
+(expandtypeattribute (exported_dumpstate_prop_33_0) true)
+(expandtypeattribute (exported_overlay_prop_33_0) true)
+(expandtypeattribute (exported_pm_prop_33_0) true)
+(expandtypeattribute (exported_secure_prop_33_0) true)
+(expandtypeattribute (exported_system_prop_33_0) true)
+(expandtypeattribute (external_vibrator_service_33_0) true)
+(expandtypeattribute (extra_free_kbytes_33_0) true)
+(expandtypeattribute (extra_free_kbytes_exec_33_0) true)
+(expandtypeattribute (face_service_33_0) true)
+(expandtypeattribute (face_vendor_data_file_33_0) true)
+(expandtypeattribute (fastbootd_33_0) true)
+(expandtypeattribute (ffs_config_prop_33_0) true)
+(expandtypeattribute (ffs_control_prop_33_0) true)
+(expandtypeattribute (file_contexts_file_33_0) true)
+(expandtypeattribute (file_integrity_service_33_0) true)
+(expandtypeattribute (fingerprint_prop_33_0) true)
+(expandtypeattribute (fingerprint_service_33_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_33_0) true)
+(expandtypeattribute (fingerprintd_33_0) true)
+(expandtypeattribute (fingerprintd_data_file_33_0) true)
+(expandtypeattribute (fingerprintd_exec_33_0) true)
+(expandtypeattribute (fingerprintd_service_33_0) true)
+(expandtypeattribute (firstboot_prop_33_0) true)
+(expandtypeattribute (flags_health_check_33_0) true)
+(expandtypeattribute (flags_health_check_exec_33_0) true)
+(expandtypeattribute (font_service_33_0) true)
+(expandtypeattribute (framework_watchdog_config_prop_33_0) true)
+(expandtypeattribute (frp_block_device_33_0) true)
+(expandtypeattribute (fs_bpf_33_0) true)
+(expandtypeattribute (fs_bpf_tethering_33_0) true)
+(expandtypeattribute (fs_bpf_vendor_33_0) true)
+(expandtypeattribute (fsck_33_0) true)
+(expandtypeattribute (fsck_exec_33_0) true)
+(expandtypeattribute (fsck_untrusted_33_0) true)
+(expandtypeattribute (fscklogs_33_0) true)
+(expandtypeattribute (functionfs_33_0) true)
+(expandtypeattribute (fuse_33_0) true)
+(expandtypeattribute (fuse_device_33_0) true)
+(expandtypeattribute (fusectlfs_33_0) true)
+(expandtypeattribute (fwk_automotive_display_hwservice_33_0) true)
+(expandtypeattribute (fwk_automotive_display_service_33_0) true)
+(expandtypeattribute (fwk_bufferhub_hwservice_33_0) true)
+(expandtypeattribute (fwk_camera_hwservice_33_0) true)
+(expandtypeattribute (fwk_display_hwservice_33_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_33_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_33_0) true)
+(expandtypeattribute (fwk_stats_hwservice_33_0) true)
+(expandtypeattribute (fwk_stats_service_33_0) true)
+(expandtypeattribute (fwmarkd_socket_33_0) true)
+(expandtypeattribute (game_mode_intervention_list_file_33_0) true)
+(expandtypeattribute (game_service_33_0) true)
+(expandtypeattribute (gatekeeper_data_file_33_0) true)
+(expandtypeattribute (gatekeeper_service_33_0) true)
+(expandtypeattribute (gatekeeperd_33_0) true)
+(expandtypeattribute (gatekeeperd_exec_33_0) true)
+(expandtypeattribute (gesture_prop_33_0) true)
+(expandtypeattribute (gfxinfo_service_33_0) true)
+(expandtypeattribute (gmscore_app_33_0) true)
+(expandtypeattribute (gnss_device_33_0) true)
+(expandtypeattribute (gnss_time_update_service_33_0) true)
+(expandtypeattribute (gps_control_33_0) true)
+(expandtypeattribute (gpu_device_33_0) true)
+(expandtypeattribute (gpu_service_33_0) true)
+(expandtypeattribute (gpuservice_33_0) true)
+(expandtypeattribute (graphics_config_prop_33_0) true)
+(expandtypeattribute (graphics_device_33_0) true)
+(expandtypeattribute (graphicsstats_service_33_0) true)
+(expandtypeattribute (gsi_data_file_33_0) true)
+(expandtypeattribute (gsi_metadata_file_33_0) true)
+(expandtypeattribute (gsi_public_metadata_file_33_0) true)
+(expandtypeattribute (gwp_asan_prop_33_0) true)
+(expandtypeattribute (hal_atrace_hwservice_33_0) true)
+(expandtypeattribute (hal_audio_hwservice_33_0) true)
+(expandtypeattribute (hal_audio_service_33_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_33_0) true)
+(expandtypeattribute (hal_audiocontrol_service_33_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_33_0) true)
+(expandtypeattribute (hal_authsecret_service_33_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_33_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_33_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_33_0) true)
+(expandtypeattribute (hal_camera_hwservice_33_0) true)
+(expandtypeattribute (hal_camera_service_33_0) true)
+(expandtypeattribute (hal_can_bus_hwservice_33_0) true)
+(expandtypeattribute (hal_can_controller_hwservice_33_0) true)
+(expandtypeattribute (hal_cas_hwservice_33_0) true)
+(expandtypeattribute (hal_codec2_hwservice_33_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_33_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_33_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_33_0) true)
+(expandtypeattribute (hal_contexthub_service_33_0) true)
+(expandtypeattribute (hal_dice_service_33_0) true)
+(expandtypeattribute (hal_drm_hwservice_33_0) true)
+(expandtypeattribute (hal_drm_service_33_0) true)
+(expandtypeattribute (hal_dumpstate_config_prop_33_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_33_0) true)
+(expandtypeattribute (hal_dumpstate_service_33_0) true)
+(expandtypeattribute (hal_evs_hwservice_33_0) true)
+(expandtypeattribute (hal_evs_service_33_0) true)
+(expandtypeattribute (hal_face_hwservice_33_0) true)
+(expandtypeattribute (hal_face_service_33_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_33_0) true)
+(expandtypeattribute (hal_fingerprint_service_33_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_33_0) true)
+(expandtypeattribute (hal_gnss_hwservice_33_0) true)
+(expandtypeattribute (hal_gnss_service_33_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_33_0) true)
+(expandtypeattribute (hal_graphics_allocator_service_33_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_33_0) true)
+(expandtypeattribute (hal_graphics_composer_server_tmpfs_33_0) true)
+(expandtypeattribute (hal_graphics_composer_service_33_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_33_0) true)
+(expandtypeattribute (hal_health_hwservice_33_0) true)
+(expandtypeattribute (hal_health_service_33_0) true)
+(expandtypeattribute (hal_health_storage_hwservice_33_0) true)
+(expandtypeattribute (hal_health_storage_service_33_0) true)
+(expandtypeattribute (hal_identity_service_33_0) true)
+(expandtypeattribute (hal_input_classifier_hwservice_33_0) true)
+(expandtypeattribute (hal_input_processor_service_33_0) true)
+(expandtypeattribute (hal_instrumentation_prop_33_0) true)
+(expandtypeattribute (hal_ir_hwservice_33_0) true)
+(expandtypeattribute (hal_ir_service_33_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_33_0) true)
+(expandtypeattribute (hal_keymint_service_33_0) true)
+(expandtypeattribute (hal_light_hwservice_33_0) true)
+(expandtypeattribute (hal_light_service_33_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_33_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_33_0) true)
+(expandtypeattribute (hal_memtrack_service_33_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_33_0) true)
+(expandtypeattribute (hal_neuralnetworks_service_33_0) true)
+(expandtypeattribute (hal_nfc_hwservice_33_0) true)
+(expandtypeattribute (hal_nfc_service_33_0) true)
+(expandtypeattribute (hal_nlinterceptor_service_33_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_33_0) true)
+(expandtypeattribute (hal_oemlock_service_33_0) true)
+(expandtypeattribute (hal_omx_hwservice_33_0) true)
+(expandtypeattribute (hal_power_hwservice_33_0) true)
+(expandtypeattribute (hal_power_service_33_0) true)
+(expandtypeattribute (hal_power_stats_hwservice_33_0) true)
+(expandtypeattribute (hal_power_stats_service_33_0) true)
+(expandtypeattribute (hal_radio_service_33_0) true)
+(expandtypeattribute (hal_rebootescrow_service_33_0) true)
+(expandtypeattribute (hal_remotelyprovisionedcomponent_service_33_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_33_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_33_0) true)
+(expandtypeattribute (hal_secureclock_service_33_0) true)
+(expandtypeattribute (hal_sensors_hwservice_33_0) true)
+(expandtypeattribute (hal_sensors_service_33_0) true)
+(expandtypeattribute (hal_sharedsecret_service_33_0) true)
+(expandtypeattribute (hal_system_suspend_service_33_0) true)
+(expandtypeattribute (hal_telephony_hwservice_33_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_33_0) true)
+(expandtypeattribute (hal_thermal_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_tuner_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_tuner_service_33_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_33_0) true)
+(expandtypeattribute (hal_usb_hwservice_33_0) true)
+(expandtypeattribute (hal_usb_service_33_0) true)
+(expandtypeattribute (hal_uwb_service_33_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_33_0) true)
+(expandtypeattribute (hal_vehicle_service_33_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_33_0) true)
+(expandtypeattribute (hal_vibrator_service_33_0) true)
+(expandtypeattribute (hal_vr_hwservice_33_0) true)
+(expandtypeattribute (hal_weaver_hwservice_33_0) true)
+(expandtypeattribute (hal_weaver_service_33_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_33_0) true)
+(expandtypeattribute (hal_wifi_hostapd_service_33_0) true)
+(expandtypeattribute (hal_wifi_hwservice_33_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_33_0) true)
+(expandtypeattribute (hal_wifi_supplicant_service_33_0) true)
+(expandtypeattribute (hardware_properties_service_33_0) true)
+(expandtypeattribute (hardware_service_33_0) true)
+(expandtypeattribute (hci_attach_dev_33_0) true)
+(expandtypeattribute (hdmi_config_prop_33_0) true)
+(expandtypeattribute (hdmi_control_service_33_0) true)
+(expandtypeattribute (healthd_33_0) true)
+(expandtypeattribute (heapdump_data_file_33_0) true)
+(expandtypeattribute (heapprofd_33_0) true)
+(expandtypeattribute (heapprofd_enabled_prop_33_0) true)
+(expandtypeattribute (heapprofd_prop_33_0) true)
+(expandtypeattribute (heapprofd_socket_33_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_33_0) true)
+(expandtypeattribute (hidl_base_hwservice_33_0) true)
+(expandtypeattribute (hidl_manager_hwservice_33_0) true)
+(expandtypeattribute (hidl_memory_hwservice_33_0) true)
+(expandtypeattribute (hidl_token_hwservice_33_0) true)
+(expandtypeattribute (hint_service_33_0) true)
+(expandtypeattribute (hw_random_device_33_0) true)
+(expandtypeattribute (hw_timeout_multiplier_prop_33_0) true)
+(expandtypeattribute (hwbinder_device_33_0) true)
+(expandtypeattribute (hwservice_contexts_file_33_0) true)
+(expandtypeattribute (hwservicemanager_33_0) true)
+(expandtypeattribute (hwservicemanager_exec_33_0) true)
+(expandtypeattribute (hwservicemanager_prop_33_0) true)
+(expandtypeattribute (hypervisor_prop_33_0) true)
+(expandtypeattribute (icon_file_33_0) true)
+(expandtypeattribute (idmap_33_0) true)
+(expandtypeattribute (idmap_exec_33_0) true)
+(expandtypeattribute (idmap_service_33_0) true)
+(expandtypeattribute (iio_device_33_0) true)
+(expandtypeattribute (imms_service_33_0) true)
+(expandtypeattribute (incident_33_0) true)
+(expandtypeattribute (incident_data_file_33_0) true)
+(expandtypeattribute (incident_helper_33_0) true)
+(expandtypeattribute (incident_service_33_0) true)
+(expandtypeattribute (incidentd_33_0) true)
+(expandtypeattribute (incremental_control_file_33_0) true)
+(expandtypeattribute (incremental_prop_33_0) true)
+(expandtypeattribute (incremental_service_33_0) true)
+(expandtypeattribute (init_33_0) true)
+(expandtypeattribute (init_exec_33_0) true)
+(expandtypeattribute (init_service_status_prop_33_0) true)
+(expandtypeattribute (init_tmpfs_33_0) true)
+(expandtypeattribute (inotify_33_0) true)
+(expandtypeattribute (input_device_33_0) true)
+(expandtypeattribute (input_method_service_33_0) true)
+(expandtypeattribute (input_service_33_0) true)
+(expandtypeattribute (inputflinger_33_0) true)
+(expandtypeattribute (inputflinger_exec_33_0) true)
+(expandtypeattribute (inputflinger_service_33_0) true)
+(expandtypeattribute (install_data_file_33_0) true)
+(expandtypeattribute (installd_33_0) true)
+(expandtypeattribute (installd_exec_33_0) true)
+(expandtypeattribute (installd_service_33_0) true)
+(expandtypeattribute (ion_device_33_0) true)
+(expandtypeattribute (iorap_inode2filename_33_0) true)
+(expandtypeattribute (iorap_inode2filename_exec_33_0) true)
+(expandtypeattribute (iorap_inode2filename_tmpfs_33_0) true)
+(expandtypeattribute (iorap_prefetcherd_33_0) true)
+(expandtypeattribute (iorap_prefetcherd_exec_33_0) true)
+(expandtypeattribute (iorap_prefetcherd_tmpfs_33_0) true)
+(expandtypeattribute (iorapd_33_0) true)
+(expandtypeattribute (iorapd_data_file_33_0) true)
+(expandtypeattribute (iorapd_exec_33_0) true)
+(expandtypeattribute (iorapd_service_33_0) true)
+(expandtypeattribute (iorapd_tmpfs_33_0) true)
+(expandtypeattribute (ipsec_service_33_0) true)
+(expandtypeattribute (iris_service_33_0) true)
+(expandtypeattribute (iris_vendor_data_file_33_0) true)
+(expandtypeattribute (isolated_app_33_0) true)
+(expandtypeattribute (jobscheduler_service_33_0) true)
+(expandtypeattribute (kernel_33_0) true)
+(expandtypeattribute (keychain_data_file_33_0) true)
+(expandtypeattribute (keychord_device_33_0) true)
+(expandtypeattribute (keyguard_config_prop_33_0) true)
+(expandtypeattribute (keystore2_key_contexts_file_33_0) true)
+(expandtypeattribute (keystore_33_0) true)
+(expandtypeattribute (keystore_compat_hal_service_33_0) true)
+(expandtypeattribute (keystore_data_file_33_0) true)
+(expandtypeattribute (keystore_exec_33_0) true)
+(expandtypeattribute (keystore_maintenance_service_33_0) true)
+(expandtypeattribute (keystore_metrics_service_33_0) true)
+(expandtypeattribute (keystore_service_33_0) true)
+(expandtypeattribute (kmsg_debug_device_33_0) true)
+(expandtypeattribute (kmsg_device_33_0) true)
+(expandtypeattribute (labeledfs_33_0) true)
+(expandtypeattribute (launcherapps_service_33_0) true)
+(expandtypeattribute (legacy_permission_service_33_0) true)
+(expandtypeattribute (legacykeystore_service_33_0) true)
+(expandtypeattribute (libc_debug_prop_33_0) true)
+(expandtypeattribute (light_service_33_0) true)
+(expandtypeattribute (linkerconfig_file_33_0) true)
+(expandtypeattribute (llkd_33_0) true)
+(expandtypeattribute (llkd_exec_33_0) true)
+(expandtypeattribute (llkd_prop_33_0) true)
+(expandtypeattribute (lmkd_33_0) true)
+(expandtypeattribute (lmkd_config_prop_33_0) true)
+(expandtypeattribute (lmkd_exec_33_0) true)
+(expandtypeattribute (lmkd_prop_33_0) true)
+(expandtypeattribute (lmkd_socket_33_0) true)
+(expandtypeattribute (locale_service_33_0) true)
+(expandtypeattribute (location_service_33_0) true)
+(expandtypeattribute (location_time_zone_manager_service_33_0) true)
+(expandtypeattribute (lock_settings_service_33_0) true)
+(expandtypeattribute (log_prop_33_0) true)
+(expandtypeattribute (log_tag_prop_33_0) true)
+(expandtypeattribute (logcat_exec_33_0) true)
+(expandtypeattribute (logd_33_0) true)
+(expandtypeattribute (logd_exec_33_0) true)
+(expandtypeattribute (logd_prop_33_0) true)
+(expandtypeattribute (logd_socket_33_0) true)
+(expandtypeattribute (logdr_socket_33_0) true)
+(expandtypeattribute (logdw_socket_33_0) true)
+(expandtypeattribute (logpersist_33_0) true)
+(expandtypeattribute (logpersistd_logging_prop_33_0) true)
+(expandtypeattribute (loop_control_device_33_0) true)
+(expandtypeattribute (loop_device_33_0) true)
+(expandtypeattribute (looper_stats_service_33_0) true)
+(expandtypeattribute (lowpan_device_33_0) true)
+(expandtypeattribute (lowpan_prop_33_0) true)
+(expandtypeattribute (lowpan_service_33_0) true)
+(expandtypeattribute (lpdump_service_33_0) true)
+(expandtypeattribute (lpdumpd_prop_33_0) true)
+(expandtypeattribute (mac_perms_file_33_0) true)
+(expandtypeattribute (mdns_service_33_0) true)
+(expandtypeattribute (mdns_socket_33_0) true)
+(expandtypeattribute (mdnsd_33_0) true)
+(expandtypeattribute (mdnsd_socket_33_0) true)
+(expandtypeattribute (media_communication_service_33_0) true)
+(expandtypeattribute (media_config_prop_33_0) true)
+(expandtypeattribute (media_data_file_33_0) true)
+(expandtypeattribute (media_metrics_service_33_0) true)
+(expandtypeattribute (media_projection_service_33_0) true)
+(expandtypeattribute (media_router_service_33_0) true)
+(expandtypeattribute (media_rw_data_file_33_0) true)
+(expandtypeattribute (media_session_service_33_0) true)
+(expandtypeattribute (media_variant_prop_33_0) true)
+(expandtypeattribute (mediadrm_config_prop_33_0) true)
+(expandtypeattribute (mediadrmserver_33_0) true)
+(expandtypeattribute (mediadrmserver_exec_33_0) true)
+(expandtypeattribute (mediadrmserver_service_33_0) true)
+(expandtypeattribute (mediaextractor_33_0) true)
+(expandtypeattribute (mediaextractor_exec_33_0) true)
+(expandtypeattribute (mediaextractor_service_33_0) true)
+(expandtypeattribute (mediaextractor_tmpfs_33_0) true)
+(expandtypeattribute (mediametrics_33_0) true)
+(expandtypeattribute (mediametrics_exec_33_0) true)
+(expandtypeattribute (mediametrics_service_33_0) true)
+(expandtypeattribute (mediaprovider_33_0) true)
+(expandtypeattribute (mediaserver_33_0) true)
+(expandtypeattribute (mediaserver_exec_33_0) true)
+(expandtypeattribute (mediaserver_service_33_0) true)
+(expandtypeattribute (mediaserver_tmpfs_33_0) true)
+(expandtypeattribute (mediaswcodec_33_0) true)
+(expandtypeattribute (mediaswcodec_exec_33_0) true)
+(expandtypeattribute (mediatranscoding_33_0) true)
+(expandtypeattribute (mediatranscoding_service_33_0) true)
+(expandtypeattribute (meminfo_service_33_0) true)
+(expandtypeattribute (memtrackproxy_service_33_0) true)
+(expandtypeattribute (metadata_block_device_33_0) true)
+(expandtypeattribute (metadata_bootstat_file_33_0) true)
+(expandtypeattribute (metadata_file_33_0) true)
+(expandtypeattribute (method_trace_data_file_33_0) true)
+(expandtypeattribute (midi_service_33_0) true)
+(expandtypeattribute (mirror_data_file_33_0) true)
+(expandtypeattribute (misc_block_device_33_0) true)
+(expandtypeattribute (misc_logd_file_33_0) true)
+(expandtypeattribute (misc_user_data_file_33_0) true)
+(expandtypeattribute (mm_events_config_prop_33_0) true)
+(expandtypeattribute (mmc_prop_33_0) true)
+(expandtypeattribute (mnt_expand_file_33_0) true)
+(expandtypeattribute (mnt_media_rw_file_33_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_33_0) true)
+(expandtypeattribute (mnt_pass_through_file_33_0) true)
+(expandtypeattribute (mnt_product_file_33_0) true)
+(expandtypeattribute (mnt_sdcard_file_33_0) true)
+(expandtypeattribute (mnt_user_file_33_0) true)
+(expandtypeattribute (mnt_vendor_file_33_0) true)
+(expandtypeattribute (mock_ota_prop_33_0) true)
+(expandtypeattribute (modprobe_33_0) true)
+(expandtypeattribute (module_sdkextensions_prop_33_0) true)
+(expandtypeattribute (mount_service_33_0) true)
+(expandtypeattribute (mqueue_33_0) true)
+(expandtypeattribute (mtp_33_0) true)
+(expandtypeattribute (mtp_device_33_0) true)
+(expandtypeattribute (mtp_exec_33_0) true)
+(expandtypeattribute (mtpd_socket_33_0) true)
+(expandtypeattribute (music_recognition_service_33_0) true)
+(expandtypeattribute (nativetest_data_file_33_0) true)
+(expandtypeattribute (nearby_service_33_0) true)
+(expandtypeattribute (net_data_file_33_0) true)
+(expandtypeattribute (net_dns_prop_33_0) true)
+(expandtypeattribute (net_radio_prop_33_0) true)
+(expandtypeattribute (netd_33_0) true)
+(expandtypeattribute (netd_exec_33_0) true)
+(expandtypeattribute (netd_listener_service_33_0) true)
+(expandtypeattribute (netd_service_33_0) true)
+(expandtypeattribute (netif_33_0) true)
+(expandtypeattribute (netpolicy_service_33_0) true)
+(expandtypeattribute (netstats_service_33_0) true)
+(expandtypeattribute (netutils_wrapper_33_0) true)
+(expandtypeattribute (netutils_wrapper_exec_33_0) true)
+(expandtypeattribute (network_management_service_33_0) true)
+(expandtypeattribute (network_score_service_33_0) true)
+(expandtypeattribute (network_stack_33_0) true)
+(expandtypeattribute (network_stack_service_33_0) true)
+(expandtypeattribute (network_time_update_service_33_0) true)
+(expandtypeattribute (network_watchlist_data_file_33_0) true)
+(expandtypeattribute (network_watchlist_service_33_0) true)
+(expandtypeattribute (nfc_33_0) true)
+(expandtypeattribute (nfc_data_file_33_0) true)
+(expandtypeattribute (nfc_device_33_0) true)
+(expandtypeattribute (nfc_logs_data_file_33_0) true)
+(expandtypeattribute (nfc_prop_33_0) true)
+(expandtypeattribute (nfc_service_33_0) true)
+(expandtypeattribute (nnapi_ext_deny_product_prop_33_0) true)
+(expandtypeattribute (node_33_0) true)
+(expandtypeattribute (notification_service_33_0) true)
+(expandtypeattribute (null_device_33_0) true)
+(expandtypeattribute (oem_lock_service_33_0) true)
+(expandtypeattribute (oem_unlock_prop_33_0) true)
+(expandtypeattribute (oemfs_33_0) true)
+(expandtypeattribute (ota_data_file_33_0) true)
+(expandtypeattribute (ota_metadata_file_33_0) true)
+(expandtypeattribute (ota_package_file_33_0) true)
+(expandtypeattribute (ota_prop_33_0) true)
+(expandtypeattribute (otadexopt_service_33_0) true)
+(expandtypeattribute (otapreopt_chroot_33_0) true)
+(expandtypeattribute (overlay_prop_33_0) true)
+(expandtypeattribute (overlay_service_33_0) true)
+(expandtypeattribute (overlayfs_file_33_0) true)
+(expandtypeattribute (owntty_device_33_0) true)
+(expandtypeattribute (pac_proxy_service_33_0) true)
+(expandtypeattribute (package_native_service_33_0) true)
+(expandtypeattribute (package_service_33_0) true)
+(expandtypeattribute (packagemanager_config_prop_33_0) true)
+(expandtypeattribute (packages_list_file_33_0) true)
+(expandtypeattribute (pan_result_prop_33_0) true)
+(expandtypeattribute (password_slot_metadata_file_33_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_33_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_33_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_display_dir_33_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_33_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_performance_dir_33_0) true)
+(expandtypeattribute (people_service_33_0) true)
+(expandtypeattribute (perfetto_33_0) true)
+(expandtypeattribute (performanced_33_0) true)
+(expandtypeattribute (performanced_exec_33_0) true)
+(expandtypeattribute (permission_checker_service_33_0) true)
+(expandtypeattribute (permission_service_33_0) true)
+(expandtypeattribute (permissionmgr_service_33_0) true)
+(expandtypeattribute (persist_debug_prop_33_0) true)
+(expandtypeattribute (persist_vendor_debug_wifi_prop_33_0) true)
+(expandtypeattribute (persist_wm_debug_prop_33_0) true)
+(expandtypeattribute (persistent_data_block_service_33_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_33_0) true)
+(expandtypeattribute (pinner_service_33_0) true)
+(expandtypeattribute (pipefs_33_0) true)
+(expandtypeattribute (platform_app_33_0) true)
+(expandtypeattribute (platform_compat_service_33_0) true)
+(expandtypeattribute (pmsg_device_33_0) true)
+(expandtypeattribute (port_33_0) true)
+(expandtypeattribute (port_device_33_0) true)
+(expandtypeattribute (postinstall_33_0) true)
+(expandtypeattribute (postinstall_apex_mnt_dir_33_0) true)
+(expandtypeattribute (postinstall_file_33_0) true)
+(expandtypeattribute (postinstall_mnt_dir_33_0) true)
+(expandtypeattribute (power_debug_prop_33_0) true)
+(expandtypeattribute (power_service_33_0) true)
+(expandtypeattribute (powerctl_prop_33_0) true)
+(expandtypeattribute (powerstats_service_33_0) true)
+(expandtypeattribute (ppp_33_0) true)
+(expandtypeattribute (ppp_device_33_0) true)
+(expandtypeattribute (ppp_exec_33_0) true)
+(expandtypeattribute (preloads_data_file_33_0) true)
+(expandtypeattribute (preloads_media_file_33_0) true)
+(expandtypeattribute (prereboot_data_file_33_0) true)
+(expandtypeattribute (print_service_33_0) true)
+(expandtypeattribute (priv_app_33_0) true)
+(expandtypeattribute (privapp_data_file_33_0) true)
+(expandtypeattribute (proc_33_0) true)
+(expandtypeattribute (proc_abi_33_0) true)
+(expandtypeattribute (proc_asound_33_0) true)
+(expandtypeattribute (proc_bluetooth_writable_33_0) true)
+(expandtypeattribute (proc_bootconfig_33_0) true)
+(expandtypeattribute (proc_bpf_33_0) true)
+(expandtypeattribute (proc_buddyinfo_33_0) true)
+(expandtypeattribute (proc_cmdline_33_0) true)
+(expandtypeattribute (proc_cpu_alignment_33_0) true)
+(expandtypeattribute (proc_cpuinfo_33_0) true)
+(expandtypeattribute (proc_dirty_33_0) true)
+(expandtypeattribute (proc_diskstats_33_0) true)
+(expandtypeattribute (proc_drop_caches_33_0) true)
+(expandtypeattribute (proc_extra_free_kbytes_33_0) true)
+(expandtypeattribute (proc_filesystems_33_0) true)
+(expandtypeattribute (proc_fs_verity_33_0) true)
+(expandtypeattribute (proc_hostname_33_0) true)
+(expandtypeattribute (proc_hung_task_33_0) true)
+(expandtypeattribute (proc_interrupts_33_0) true)
+(expandtypeattribute (proc_iomem_33_0) true)
+(expandtypeattribute (proc_kallsyms_33_0) true)
+(expandtypeattribute (proc_keys_33_0) true)
+(expandtypeattribute (proc_kmsg_33_0) true)
+(expandtypeattribute (proc_kpageflags_33_0) true)
+(expandtypeattribute (proc_loadavg_33_0) true)
+(expandtypeattribute (proc_locks_33_0) true)
+(expandtypeattribute (proc_lowmemorykiller_33_0) true)
+(expandtypeattribute (proc_max_map_count_33_0) true)
+(expandtypeattribute (proc_meminfo_33_0) true)
+(expandtypeattribute (proc_min_free_order_shift_33_0) true)
+(expandtypeattribute (proc_misc_33_0) true)
+(expandtypeattribute (proc_modules_33_0) true)
+(expandtypeattribute (proc_mounts_33_0) true)
+(expandtypeattribute (proc_net_33_0) true)
+(expandtypeattribute (proc_net_tcp_udp_33_0) true)
+(expandtypeattribute (proc_overcommit_memory_33_0) true)
+(expandtypeattribute (proc_page_cluster_33_0) true)
+(expandtypeattribute (proc_pagetypeinfo_33_0) true)
+(expandtypeattribute (proc_panic_33_0) true)
+(expandtypeattribute (proc_perf_33_0) true)
+(expandtypeattribute (proc_pid_max_33_0) true)
+(expandtypeattribute (proc_pipe_conf_33_0) true)
+(expandtypeattribute (proc_pressure_cpu_33_0) true)
+(expandtypeattribute (proc_pressure_io_33_0) true)
+(expandtypeattribute (proc_pressure_mem_33_0) true)
+(expandtypeattribute (proc_qtaguid_ctrl_33_0) true)
+(expandtypeattribute (proc_qtaguid_stat_33_0) true)
+(expandtypeattribute (proc_random_33_0) true)
+(expandtypeattribute (proc_sched_33_0) true)
+(expandtypeattribute (proc_security_33_0) true)
+(expandtypeattribute (proc_slabinfo_33_0) true)
+(expandtypeattribute (proc_stat_33_0) true)
+(expandtypeattribute (proc_swaps_33_0) true)
+(expandtypeattribute (proc_sysrq_33_0) true)
+(expandtypeattribute (proc_timer_33_0) true)
+(expandtypeattribute (proc_tty_drivers_33_0) true)
+(expandtypeattribute (proc_uid_concurrent_active_time_33_0) true)
+(expandtypeattribute (proc_uid_concurrent_policy_time_33_0) true)
+(expandtypeattribute (proc_uid_cpupower_33_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_33_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_33_0) true)
+(expandtypeattribute (proc_uid_io_stats_33_0) true)
+(expandtypeattribute (proc_uid_procstat_set_33_0) true)
+(expandtypeattribute (proc_uid_time_in_state_33_0) true)
+(expandtypeattribute (proc_uptime_33_0) true)
+(expandtypeattribute (proc_vendor_sched_33_0) true)
+(expandtypeattribute (proc_version_33_0) true)
+(expandtypeattribute (proc_vmallocinfo_33_0) true)
+(expandtypeattribute (proc_vmstat_33_0) true)
+(expandtypeattribute (proc_watermark_boost_factor_33_0) true)
+(expandtypeattribute (proc_watermark_scale_factor_33_0) true)
+(expandtypeattribute (proc_zoneinfo_33_0) true)
+(expandtypeattribute (processinfo_service_33_0) true)
+(expandtypeattribute (procstats_service_33_0) true)
+(expandtypeattribute (profman_33_0) true)
+(expandtypeattribute (profman_dump_data_file_33_0) true)
+(expandtypeattribute (profman_exec_33_0) true)
+(expandtypeattribute (properties_device_33_0) true)
+(expandtypeattribute (properties_serial_33_0) true)
+(expandtypeattribute (property_contexts_file_33_0) true)
+(expandtypeattribute (property_data_file_33_0) true)
+(expandtypeattribute (property_info_33_0) true)
+(expandtypeattribute (property_service_version_prop_33_0) true)
+(expandtypeattribute (property_socket_33_0) true)
+(expandtypeattribute (provisioned_prop_33_0) true)
+(expandtypeattribute (pstorefs_33_0) true)
+(expandtypeattribute (ptmx_device_33_0) true)
+(expandtypeattribute (qemu_hw_prop_33_0) true)
+(expandtypeattribute (qemu_sf_lcd_density_prop_33_0) true)
+(expandtypeattribute (qtaguid_device_33_0) true)
+(expandtypeattribute (racoon_33_0) true)
+(expandtypeattribute (racoon_exec_33_0) true)
+(expandtypeattribute (racoon_socket_33_0) true)
+(expandtypeattribute (radio_33_0) true)
+(expandtypeattribute (radio_control_prop_33_0) true)
+(expandtypeattribute (radio_core_data_file_33_0) true)
+(expandtypeattribute (radio_data_file_33_0) true)
+(expandtypeattribute (radio_device_33_0) true)
+(expandtypeattribute (radio_prop_33_0) true)
+(expandtypeattribute (radio_service_33_0) true)
+(expandtypeattribute (ram_device_33_0) true)
+(expandtypeattribute (random_device_33_0) true)
+(expandtypeattribute (reboot_readiness_service_33_0) true)
+(expandtypeattribute (rebootescrow_hal_prop_33_0) true)
+(expandtypeattribute (recovery_33_0) true)
+(expandtypeattribute (recovery_block_device_33_0) true)
+(expandtypeattribute (recovery_config_prop_33_0) true)
+(expandtypeattribute (recovery_data_file_33_0) true)
+(expandtypeattribute (recovery_persist_33_0) true)
+(expandtypeattribute (recovery_persist_exec_33_0) true)
+(expandtypeattribute (recovery_refresh_33_0) true)
+(expandtypeattribute (recovery_refresh_exec_33_0) true)
+(expandtypeattribute (recovery_service_33_0) true)
+(expandtypeattribute (recovery_socket_33_0) true)
+(expandtypeattribute (registry_service_33_0) true)
+(expandtypeattribute (remotelyprovisionedkeypool_service_33_0) true)
+(expandtypeattribute (remoteprovisioning_service_33_0) true)
+(expandtypeattribute (resourcecache_data_file_33_0) true)
+(expandtypeattribute (resources_manager_service_33_0) true)
+(expandtypeattribute (restorecon_prop_33_0) true)
+(expandtypeattribute (restrictions_service_33_0) true)
+(expandtypeattribute (retaildemo_prop_33_0) true)
+(expandtypeattribute (rild_debug_socket_33_0) true)
+(expandtypeattribute (rild_socket_33_0) true)
+(expandtypeattribute (ringtone_file_33_0) true)
+(expandtypeattribute (role_service_33_0) true)
+(expandtypeattribute (rollback_service_33_0) true)
+(expandtypeattribute (root_block_device_33_0) true)
+(expandtypeattribute (rootdisk_sysdev_33_0) true)
+(expandtypeattribute (rootfs_33_0) true)
+(expandtypeattribute (rpmsg_device_33_0) true)
+(expandtypeattribute (rs_33_0) true)
+(expandtypeattribute (rs_exec_33_0) true)
+(expandtypeattribute (rss_hwm_reset_33_0) true)
+(expandtypeattribute (rtc_device_33_0) true)
+(expandtypeattribute (rttmanager_service_33_0) true)
+(expandtypeattribute (runas_33_0) true)
+(expandtypeattribute (runas_app_33_0) true)
+(expandtypeattribute (runas_exec_33_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_33_0) true)
+(expandtypeattribute (runtime_service_33_0) true)
+(expandtypeattribute (safemode_prop_33_0) true)
+(expandtypeattribute (same_process_hal_file_33_0) true)
+(expandtypeattribute (samplingprofiler_service_33_0) true)
+(expandtypeattribute (scheduling_policy_service_33_0) true)
+(expandtypeattribute (sdcard_block_device_33_0) true)
+(expandtypeattribute (sdcardd_33_0) true)
+(expandtypeattribute (sdcardd_exec_33_0) true)
+(expandtypeattribute (sdcardfs_33_0) true)
+(expandtypeattribute (sdk_sandbox_service_33_0) true)
+(expandtypeattribute (seapp_contexts_file_33_0) true)
+(expandtypeattribute (search_service_33_0) true)
+(expandtypeattribute (search_ui_service_33_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_33_0) true)
+(expandtypeattribute (secure_element_33_0) true)
+(expandtypeattribute (secure_element_device_33_0) true)
+(expandtypeattribute (secure_element_service_33_0) true)
+(expandtypeattribute (securityfs_33_0) true)
+(expandtypeattribute (selection_toolbar_service_33_0) true)
+(expandtypeattribute (selinuxfs_33_0) true)
+(expandtypeattribute (sendbug_config_prop_33_0) true)
+(expandtypeattribute (sensor_privacy_service_33_0) true)
+(expandtypeattribute (sensors_device_33_0) true)
+(expandtypeattribute (sensorservice_service_33_0) true)
+(expandtypeattribute (sepolicy_file_33_0) true)
+(expandtypeattribute (serial_device_33_0) true)
+(expandtypeattribute (serial_service_33_0) true)
+(expandtypeattribute (serialno_prop_33_0) true)
+(expandtypeattribute (server_configurable_flags_data_file_33_0) true)
+(expandtypeattribute (service_contexts_file_33_0) true)
+(expandtypeattribute (service_manager_service_33_0) true)
+(expandtypeattribute (service_manager_vndservice_33_0) true)
+(expandtypeattribute (servicediscovery_service_33_0) true)
+(expandtypeattribute (servicemanager_33_0) true)
+(expandtypeattribute (servicemanager_exec_33_0) true)
+(expandtypeattribute (settings_service_33_0) true)
+(expandtypeattribute (sgdisk_33_0) true)
+(expandtypeattribute (sgdisk_exec_33_0) true)
+(expandtypeattribute (shared_relro_33_0) true)
+(expandtypeattribute (shared_relro_file_33_0) true)
+(expandtypeattribute (shell_33_0) true)
+(expandtypeattribute (shell_data_file_33_0) true)
+(expandtypeattribute (shell_exec_33_0) true)
+(expandtypeattribute (shell_prop_33_0) true)
+(expandtypeattribute (shell_test_data_file_33_0) true)
+(expandtypeattribute (shm_33_0) true)
+(expandtypeattribute (shortcut_manager_icons_33_0) true)
+(expandtypeattribute (shortcut_service_33_0) true)
+(expandtypeattribute (simpleperf_33_0) true)
+(expandtypeattribute (simpleperf_app_runner_33_0) true)
+(expandtypeattribute (simpleperf_app_runner_exec_33_0) true)
+(expandtypeattribute (slice_service_33_0) true)
+(expandtypeattribute (slideshow_33_0) true)
+(expandtypeattribute (smart_idle_maint_enabled_prop_33_0) true)
+(expandtypeattribute (smartspace_service_33_0) true)
+(expandtypeattribute (snapshotctl_log_data_file_33_0) true)
+(expandtypeattribute (snapuserd_proxy_socket_33_0) true)
+(expandtypeattribute (snapuserd_socket_33_0) true)
+(expandtypeattribute (soc_prop_33_0) true)
+(expandtypeattribute (socket_device_33_0) true)
+(expandtypeattribute (socket_hook_prop_33_0) true)
+(expandtypeattribute (sockfs_33_0) true)
+(expandtypeattribute (sota_prop_33_0) true)
+(expandtypeattribute (soundtrigger_middleware_service_33_0) true)
+(expandtypeattribute (speech_recognition_service_33_0) true)
+(expandtypeattribute (sqlite_log_prop_33_0) true)
+(expandtypeattribute (staged_install_file_33_0) true)
+(expandtypeattribute (staging_data_file_33_0) true)
+(expandtypeattribute (stats_data_file_33_0) true)
+(expandtypeattribute (statsd_33_0) true)
+(expandtypeattribute (statsd_exec_33_0) true)
+(expandtypeattribute (statsdw_socket_33_0) true)
+(expandtypeattribute (statusbar_service_33_0) true)
+(expandtypeattribute (storage_config_prop_33_0) true)
+(expandtypeattribute (storage_file_33_0) true)
+(expandtypeattribute (storage_stub_file_33_0) true)
+(expandtypeattribute (storaged_service_33_0) true)
+(expandtypeattribute (storagemanager_config_prop_33_0) true)
+(expandtypeattribute (storagestats_service_33_0) true)
+(expandtypeattribute (su_33_0) true)
+(expandtypeattribute (su_exec_33_0) true)
+(expandtypeattribute (super_block_device_33_0) true)
+(expandtypeattribute (surfaceflinger_33_0) true)
+(expandtypeattribute (surfaceflinger_color_prop_33_0) true)
+(expandtypeattribute (surfaceflinger_display_prop_33_0) true)
+(expandtypeattribute (surfaceflinger_prop_33_0) true)
+(expandtypeattribute (surfaceflinger_service_33_0) true)
+(expandtypeattribute (surfaceflinger_tmpfs_33_0) true)
+(expandtypeattribute (suspend_prop_33_0) true)
+(expandtypeattribute (swap_block_device_33_0) true)
+(expandtypeattribute (sysfs_33_0) true)
+(expandtypeattribute (sysfs_android_usb_33_0) true)
+(expandtypeattribute (sysfs_batteryinfo_33_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_33_0) true)
+(expandtypeattribute (sysfs_devfreq_cur_33_0) true)
+(expandtypeattribute (sysfs_devfreq_dir_33_0) true)
+(expandtypeattribute (sysfs_devices_block_33_0) true)
+(expandtypeattribute (sysfs_devices_cs_etm_33_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_33_0) true)
+(expandtypeattribute (sysfs_dm_33_0) true)
+(expandtypeattribute (sysfs_dm_verity_33_0) true)
+(expandtypeattribute (sysfs_dma_heap_33_0) true)
+(expandtypeattribute (sysfs_dmabuf_stats_33_0) true)
+(expandtypeattribute (sysfs_dt_firmware_android_33_0) true)
+(expandtypeattribute (sysfs_extcon_33_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_33_0) true)
+(expandtypeattribute (sysfs_fs_f2fs_33_0) true)
+(expandtypeattribute (sysfs_fs_fuse_bpf_33_0) true)
+(expandtypeattribute (sysfs_fs_incfs_features_33_0) true)
+(expandtypeattribute (sysfs_fs_incfs_metrics_33_0) true)
+(expandtypeattribute (sysfs_gpu_33_0) true)
+(expandtypeattribute (sysfs_hwrandom_33_0) true)
+(expandtypeattribute (sysfs_ion_33_0) true)
+(expandtypeattribute (sysfs_ipv4_33_0) true)
+(expandtypeattribute (sysfs_kernel_notes_33_0) true)
+(expandtypeattribute (sysfs_leds_33_0) true)
+(expandtypeattribute (sysfs_loop_33_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_33_0) true)
+(expandtypeattribute (sysfs_lru_gen_enabled_33_0) true)
+(expandtypeattribute (sysfs_net_33_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_33_0) true)
+(expandtypeattribute (sysfs_power_33_0) true)
+(expandtypeattribute (sysfs_rtc_33_0) true)
+(expandtypeattribute (sysfs_suspend_stats_33_0) true)
+(expandtypeattribute (sysfs_switch_33_0) true)
+(expandtypeattribute (sysfs_thermal_33_0) true)
+(expandtypeattribute (sysfs_transparent_hugepage_33_0) true)
+(expandtypeattribute (sysfs_uhid_33_0) true)
+(expandtypeattribute (sysfs_uio_33_0) true)
+(expandtypeattribute (sysfs_usb_33_0) true)
+(expandtypeattribute (sysfs_usermodehelper_33_0) true)
+(expandtypeattribute (sysfs_vendor_sched_33_0) true)
+(expandtypeattribute (sysfs_vibrator_33_0) true)
+(expandtypeattribute (sysfs_wake_lock_33_0) true)
+(expandtypeattribute (sysfs_wakeup_33_0) true)
+(expandtypeattribute (sysfs_wakeup_reasons_33_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_33_0) true)
+(expandtypeattribute (sysfs_zram_33_0) true)
+(expandtypeattribute (sysfs_zram_uevent_33_0) true)
+(expandtypeattribute (system_app_33_0) true)
+(expandtypeattribute (system_app_data_file_33_0) true)
+(expandtypeattribute (system_app_service_33_0) true)
+(expandtypeattribute (system_asan_options_file_33_0) true)
+(expandtypeattribute (system_block_device_33_0) true)
+(expandtypeattribute (system_boot_reason_prop_33_0) true)
+(expandtypeattribute (system_bootstrap_lib_file_33_0) true)
+(expandtypeattribute (system_config_service_33_0) true)
+(expandtypeattribute (system_data_file_33_0) true)
+(expandtypeattribute (system_data_root_file_33_0) true)
+(expandtypeattribute (system_dlkm_file_33_0) true)
+(expandtypeattribute (system_event_log_tags_file_33_0) true)
+(expandtypeattribute (system_file_33_0) true)
+(expandtypeattribute (system_group_file_33_0) true)
+(expandtypeattribute (system_jvmti_agent_prop_33_0) true)
+(expandtypeattribute (system_lib_file_33_0) true)
+(expandtypeattribute (system_linker_config_file_33_0) true)
+(expandtypeattribute (system_linker_exec_33_0) true)
+(expandtypeattribute (system_lmk_prop_33_0) true)
+(expandtypeattribute (system_ndebug_socket_33_0) true)
+(expandtypeattribute (system_net_netd_hwservice_33_0) true)
+(expandtypeattribute (system_passwd_file_33_0) true)
+(expandtypeattribute (system_prop_33_0) true)
+(expandtypeattribute (system_seccomp_policy_file_33_0) true)
+(expandtypeattribute (system_security_cacerts_file_33_0) true)
+(expandtypeattribute (system_server_33_0) true)
+(expandtypeattribute (system_server_dumper_service_33_0) true)
+(expandtypeattribute (system_server_tmpfs_33_0) true)
+(expandtypeattribute (system_suspend_control_internal_service_33_0) true)
+(expandtypeattribute (system_suspend_control_service_33_0) true)
+(expandtypeattribute (system_suspend_hwservice_33_0) true)
+(expandtypeattribute (system_trace_prop_33_0) true)
+(expandtypeattribute (system_unsolzygote_socket_33_0) true)
+(expandtypeattribute (system_update_service_33_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_33_0) true)
+(expandtypeattribute (system_wpa_socket_33_0) true)
+(expandtypeattribute (system_zoneinfo_file_33_0) true)
+(expandtypeattribute (systemkeys_data_file_33_0) true)
+(expandtypeattribute (systemsound_config_prop_33_0) true)
+(expandtypeattribute (tare_service_33_0) true)
+(expandtypeattribute (task_profiles_api_file_33_0) true)
+(expandtypeattribute (task_profiles_file_33_0) true)
+(expandtypeattribute (task_service_33_0) true)
+(expandtypeattribute (tcpdump_exec_33_0) true)
+(expandtypeattribute (tee_33_0) true)
+(expandtypeattribute (tee_data_file_33_0) true)
+(expandtypeattribute (tee_device_33_0) true)
+(expandtypeattribute (telecom_service_33_0) true)
+(expandtypeattribute (telephony_config_prop_33_0) true)
+(expandtypeattribute (telephony_status_prop_33_0) true)
+(expandtypeattribute (test_boot_reason_prop_33_0) true)
+(expandtypeattribute (test_harness_prop_33_0) true)
+(expandtypeattribute (testharness_service_33_0) true)
+(expandtypeattribute (tethering_service_33_0) true)
+(expandtypeattribute (textclassification_service_33_0) true)
+(expandtypeattribute (textclassifier_data_file_33_0) true)
+(expandtypeattribute (textservices_service_33_0) true)
+(expandtypeattribute (texttospeech_service_33_0) true)
+(expandtypeattribute (theme_prop_33_0) true)
+(expandtypeattribute (thermal_service_33_0) true)
+(expandtypeattribute (time_prop_33_0) true)
+(expandtypeattribute (timedetector_service_33_0) true)
+(expandtypeattribute (timezone_service_33_0) true)
+(expandtypeattribute (timezonedetector_service_33_0) true)
+(expandtypeattribute (tmpfs_33_0) true)
+(expandtypeattribute (tombstone_config_prop_33_0) true)
+(expandtypeattribute (tombstone_data_file_33_0) true)
+(expandtypeattribute (tombstone_wifi_data_file_33_0) true)
+(expandtypeattribute (tombstoned_33_0) true)
+(expandtypeattribute (tombstoned_crash_socket_33_0) true)
+(expandtypeattribute (tombstoned_exec_33_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_33_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_33_0) true)
+(expandtypeattribute (toolbox_33_0) true)
+(expandtypeattribute (toolbox_exec_33_0) true)
+(expandtypeattribute (trace_data_file_33_0) true)
+(expandtypeattribute (traced_33_0) true)
+(expandtypeattribute (traced_consumer_socket_33_0) true)
+(expandtypeattribute (traced_enabled_prop_33_0) true)
+(expandtypeattribute (traced_lazy_prop_33_0) true)
+(expandtypeattribute (traced_perf_33_0) true)
+(expandtypeattribute (traced_perf_socket_33_0) true)
+(expandtypeattribute (traced_probes_33_0) true)
+(expandtypeattribute (traced_producer_socket_33_0) true)
+(expandtypeattribute (traced_tmpfs_33_0) true)
+(expandtypeattribute (traceur_app_33_0) true)
+(expandtypeattribute (translation_service_33_0) true)
+(expandtypeattribute (trust_service_33_0) true)
+(expandtypeattribute (tty_device_33_0) true)
+(expandtypeattribute (tun_device_33_0) true)
+(expandtypeattribute (tv_iapp_service_33_0) true)
+(expandtypeattribute (tv_input_service_33_0) true)
+(expandtypeattribute (tv_tuner_resource_mgr_service_33_0) true)
+(expandtypeattribute (tzdatacheck_33_0) true)
+(expandtypeattribute (tzdatacheck_exec_33_0) true)
+(expandtypeattribute (ueventd_33_0) true)
+(expandtypeattribute (ueventd_tmpfs_33_0) true)
+(expandtypeattribute (uhid_device_33_0) true)
+(expandtypeattribute (uimode_service_33_0) true)
+(expandtypeattribute (uio_device_33_0) true)
+(expandtypeattribute (uncrypt_33_0) true)
+(expandtypeattribute (uncrypt_exec_33_0) true)
+(expandtypeattribute (uncrypt_socket_33_0) true)
+(expandtypeattribute (unencrypted_data_file_33_0) true)
+(expandtypeattribute (unlabeled_33_0) true)
+(expandtypeattribute (untrusted_app_25_33_0) true)
+(expandtypeattribute (untrusted_app_27_33_0) true)
+(expandtypeattribute (untrusted_app_29_33_0) true)
+(expandtypeattribute (untrusted_app_30_33_0) true)
+(expandtypeattribute (untrusted_app_33_0) true)
+(expandtypeattribute (update_engine_33_0) true)
+(expandtypeattribute (update_engine_data_file_33_0) true)
+(expandtypeattribute (update_engine_exec_33_0) true)
+(expandtypeattribute (update_engine_log_data_file_33_0) true)
+(expandtypeattribute (update_engine_service_33_0) true)
+(expandtypeattribute (update_engine_stable_service_33_0) true)
+(expandtypeattribute (update_verifier_33_0) true)
+(expandtypeattribute (update_verifier_exec_33_0) true)
+(expandtypeattribute (updatelock_service_33_0) true)
+(expandtypeattribute (uri_grants_service_33_0) true)
+(expandtypeattribute (usagestats_service_33_0) true)
+(expandtypeattribute (usb_config_prop_33_0) true)
+(expandtypeattribute (usb_control_prop_33_0) true)
+(expandtypeattribute (usb_device_33_0) true)
+(expandtypeattribute (usb_prop_33_0) true)
+(expandtypeattribute (usb_serial_device_33_0) true)
+(expandtypeattribute (usb_service_33_0) true)
+(expandtypeattribute (usbaccessory_device_33_0) true)
+(expandtypeattribute (usbd_33_0) true)
+(expandtypeattribute (usbd_exec_33_0) true)
+(expandtypeattribute (usbfs_33_0) true)
+(expandtypeattribute (use_memfd_prop_33_0) true)
+(expandtypeattribute (user_profile_data_file_33_0) true)
+(expandtypeattribute (user_profile_root_file_33_0) true)
+(expandtypeattribute (user_service_33_0) true)
+(expandtypeattribute (userdata_block_device_33_0) true)
+(expandtypeattribute (userdata_sysdev_33_0) true)
+(expandtypeattribute (usermodehelper_33_0) true)
+(expandtypeattribute (userspace_reboot_config_prop_33_0) true)
+(expandtypeattribute (userspace_reboot_exported_prop_33_0) true)
+(expandtypeattribute (userspace_reboot_metadata_file_33_0) true)
+(expandtypeattribute (uwb_service_33_0) true)
+(expandtypeattribute (vcn_management_service_33_0) true)
+(expandtypeattribute (vd_device_33_0) true)
+(expandtypeattribute (vdc_33_0) true)
+(expandtypeattribute (vdc_exec_33_0) true)
+(expandtypeattribute (vehicle_hal_prop_33_0) true)
+(expandtypeattribute (vendor_apex_file_33_0) true)
+(expandtypeattribute (vendor_app_file_33_0) true)
+(expandtypeattribute (vendor_cgroup_desc_file_33_0) true)
+(expandtypeattribute (vendor_configs_file_33_0) true)
+(expandtypeattribute (vendor_data_file_33_0) true)
+(expandtypeattribute (vendor_default_prop_33_0) true)
+(expandtypeattribute (vendor_file_33_0) true)
+(expandtypeattribute (vendor_framework_file_33_0) true)
+(expandtypeattribute (vendor_hal_file_33_0) true)
+(expandtypeattribute (vendor_idc_file_33_0) true)
+(expandtypeattribute (vendor_init_33_0) true)
+(expandtypeattribute (vendor_kernel_modules_33_0) true)
+(expandtypeattribute (vendor_keychars_file_33_0) true)
+(expandtypeattribute (vendor_keylayout_file_33_0) true)
+(expandtypeattribute (vendor_misc_writer_33_0) true)
+(expandtypeattribute (vendor_misc_writer_exec_33_0) true)
+(expandtypeattribute (vendor_modprobe_33_0) true)
+(expandtypeattribute (vendor_overlay_file_33_0) true)
+(expandtypeattribute (vendor_public_framework_file_33_0) true)
+(expandtypeattribute (vendor_public_lib_file_33_0) true)
+(expandtypeattribute (vendor_security_patch_level_prop_33_0) true)
+(expandtypeattribute (vendor_service_contexts_file_33_0) true)
+(expandtypeattribute (vendor_shell_33_0) true)
+(expandtypeattribute (vendor_shell_exec_33_0) true)
+(expandtypeattribute (vendor_socket_hook_prop_33_0) true)
+(expandtypeattribute (vendor_task_profiles_file_33_0) true)
+(expandtypeattribute (vendor_toolbox_exec_33_0) true)
+(expandtypeattribute (vendor_uuid_mapping_config_file_33_0) true)
+(expandtypeattribute (vendor_vm_data_file_33_0) true)
+(expandtypeattribute (vendor_vm_file_33_0) true)
+(expandtypeattribute (vfat_33_0) true)
+(expandtypeattribute (vibrator_manager_service_33_0) true)
+(expandtypeattribute (vibrator_service_33_0) true)
+(expandtypeattribute (video_device_33_0) true)
+(expandtypeattribute (virtual_ab_prop_33_0) true)
+(expandtypeattribute (virtual_device_service_33_0) true)
+(expandtypeattribute (virtual_touchpad_33_0) true)
+(expandtypeattribute (virtual_touchpad_exec_33_0) true)
+(expandtypeattribute (virtual_touchpad_service_33_0) true)
+(expandtypeattribute (virtualization_service_33_0) true)
+(expandtypeattribute (vndbinder_device_33_0) true)
+(expandtypeattribute (vndk_prop_33_0) true)
+(expandtypeattribute (vndk_sp_file_33_0) true)
+(expandtypeattribute (vndservice_contexts_file_33_0) true)
+(expandtypeattribute (vndservicemanager_33_0) true)
+(expandtypeattribute (voiceinteraction_service_33_0) true)
+(expandtypeattribute (vold_33_0) true)
+(expandtypeattribute (vold_config_prop_33_0) true)
+(expandtypeattribute (vold_data_file_33_0) true)
+(expandtypeattribute (vold_device_33_0) true)
+(expandtypeattribute (vold_exec_33_0) true)
+(expandtypeattribute (vold_metadata_file_33_0) true)
+(expandtypeattribute (vold_post_fs_data_prop_33_0) true)
+(expandtypeattribute (vold_prepare_subdirs_33_0) true)
+(expandtypeattribute (vold_prepare_subdirs_exec_33_0) true)
+(expandtypeattribute (vold_prop_33_0) true)
+(expandtypeattribute (vold_service_33_0) true)
+(expandtypeattribute (vold_status_prop_33_0) true)
+(expandtypeattribute (vpn_data_file_33_0) true)
+(expandtypeattribute (vpn_management_service_33_0) true)
+(expandtypeattribute (vr_hwc_service_33_0) true)
+(expandtypeattribute (vr_manager_service_33_0) true)
+(expandtypeattribute (vrflinger_vsync_service_33_0) true)
+(expandtypeattribute (vts_config_prop_33_0) true)
+(expandtypeattribute (vts_status_prop_33_0) true)
+(expandtypeattribute (wallpaper_effects_generation_service_33_0) true)
+(expandtypeattribute (wallpaper_file_33_0) true)
+(expandtypeattribute (wallpaper_service_33_0) true)
+(expandtypeattribute (watchdog_device_33_0) true)
+(expandtypeattribute (watchdog_metadata_file_33_0) true)
+(expandtypeattribute (watchdogd_33_0) true)
+(expandtypeattribute (watchdogd_exec_33_0) true)
+(expandtypeattribute (webview_zygote_33_0) true)
+(expandtypeattribute (webview_zygote_exec_33_0) true)
+(expandtypeattribute (webview_zygote_tmpfs_33_0) true)
+(expandtypeattribute (webviewupdate_service_33_0) true)
+(expandtypeattribute (wifi_config_prop_33_0) true)
+(expandtypeattribute (wifi_data_file_33_0) true)
+(expandtypeattribute (wifi_hal_prop_33_0) true)
+(expandtypeattribute (wifi_key_33_0) true)
+(expandtypeattribute (wifi_log_prop_33_0) true)
+(expandtypeattribute (wifi_prop_33_0) true)
+(expandtypeattribute (wifi_service_33_0) true)
+(expandtypeattribute (wifiaware_service_33_0) true)
+(expandtypeattribute (wificond_33_0) true)
+(expandtypeattribute (wificond_exec_33_0) true)
+(expandtypeattribute (wifinl80211_service_33_0) true)
+(expandtypeattribute (wifip2p_service_33_0) true)
+(expandtypeattribute (wifiscanner_service_33_0) true)
+(expandtypeattribute (window_service_33_0) true)
+(expandtypeattribute (wpa_socket_33_0) true)
+(expandtypeattribute (wpantund_33_0) true)
+(expandtypeattribute (wpantund_exec_33_0) true)
+(expandtypeattribute (wpantund_service_33_0) true)
+(expandtypeattribute (zero_device_33_0) true)
+(expandtypeattribute (zoneinfo_data_file_33_0) true)
+(expandtypeattribute (zram_config_prop_33_0) true)
+(expandtypeattribute (zram_control_prop_33_0) true)
+(expandtypeattribute (zygote_33_0) true)
+(expandtypeattribute (zygote_config_prop_33_0) true)
+(expandtypeattribute (zygote_exec_33_0) true)
+(expandtypeattribute (zygote_socket_33_0) true)
+(expandtypeattribute (zygote_tmpfs_33_0) true)
+(typeattributeset DockObserver_service_33_0 (DockObserver_service))
+(typeattributeset IProxyService_service_33_0 (IProxyService_service))
+(typeattributeset aac_drc_prop_33_0 (aac_drc_prop))
+(typeattributeset aaudio_config_prop_33_0 (aaudio_config_prop))
+(typeattributeset ab_update_gki_prop_33_0 (ab_update_gki_prop))
+(typeattributeset accessibility_service_33_0 (accessibility_service))
+(typeattributeset account_service_33_0 (account_service))
+(typeattributeset activity_service_33_0 (activity_service))
+(typeattributeset activity_task_service_33_0 (activity_task_service))
+(typeattributeset adb_data_file_33_0 (adb_data_file))
+(typeattributeset adb_keys_file_33_0 (adb_keys_file))
+(typeattributeset adb_service_33_0 (adb_service))
+(typeattributeset adbd_33_0 (adbd))
+(typeattributeset adbd_config_prop_33_0 (adbd_config_prop))
+(typeattributeset adbd_exec_33_0 (adbd_exec))
+(typeattributeset adbd_socket_33_0 (adbd_socket))
+(typeattributeset adservices_manager_service_33_0 (adservices_manager_service))
+(typeattributeset aidl_lazy_test_server_33_0 (aidl_lazy_test_server))
+(typeattributeset aidl_lazy_test_server_exec_33_0 (aidl_lazy_test_server_exec))
+(typeattributeset aidl_lazy_test_service_33_0 (aidl_lazy_test_service))
+(typeattributeset alarm_service_33_0 (alarm_service))
+(typeattributeset anr_data_file_33_0 (anr_data_file))
+(typeattributeset apc_service_33_0 (apc_service))
+(typeattributeset apex_data_file_33_0 (apex_data_file))
+(typeattributeset apex_info_file_33_0 (apex_info_file))
+(typeattributeset apex_metadata_file_33_0 (apex_metadata_file))
+(typeattributeset apex_mnt_dir_33_0 (apex_mnt_dir))
+(typeattributeset apex_module_data_file_33_0 (apex_module_data_file))
+(typeattributeset apex_ota_reserved_file_33_0 (apex_ota_reserved_file))
+(typeattributeset apex_rollback_data_file_33_0 (apex_rollback_data_file))
+(typeattributeset apex_service_33_0 (apex_service))
+(typeattributeset apex_system_server_data_file_33_0 (apex_system_server_data_file))
+(typeattributeset apexd_33_0 (apexd))
+(typeattributeset apexd_config_prop_33_0 (apexd_config_prop))
+(typeattributeset apexd_exec_33_0 (apexd_exec))
+(typeattributeset apexd_prop_33_0 (apexd_prop))
+(typeattributeset apexd_select_prop_33_0 (apexd_select_prop))
+(typeattributeset apk_data_file_33_0 (apk_data_file))
+(typeattributeset apk_private_data_file_33_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_33_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_33_0 (apk_tmp_file))
+(typeattributeset apk_verity_prop_33_0 (apk_verity_prop))
+(typeattributeset app_binding_service_33_0 (app_binding_service))
+(typeattributeset app_data_file_33_0 (app_data_file))
+(typeattributeset app_fuse_file_33_0 (app_fuse_file))
+(typeattributeset app_fusefs_33_0 (app_fusefs))
+(typeattributeset app_hibernation_service_33_0 (app_hibernation_service))
+(typeattributeset app_integrity_service_33_0 (app_integrity_service))
+(typeattributeset app_prediction_service_33_0 (app_prediction_service))
+(typeattributeset app_search_service_33_0 (app_search_service))
+(typeattributeset app_zygote_33_0 (app_zygote))
+(typeattributeset app_zygote_tmpfs_33_0 (app_zygote_tmpfs))
+(typeattributeset appcompat_data_file_33_0 (appcompat_data_file))
+(typeattributeset appdomain_tmpfs_33_0 (appdomain_tmpfs))
+(typeattributeset appops_service_33_0 (appops_service))
+(typeattributeset appwidget_service_33_0 (appwidget_service))
+(typeattributeset arm64_memtag_prop_33_0 (arm64_memtag_prop))
+(typeattributeset art_apex_dir_33_0 (art_apex_dir))
+(typeattributeset artd_service_33_0 (artd_service))
+(typeattributeset asec_apk_file_33_0 (asec_apk_file))
+(typeattributeset asec_image_file_33_0 (asec_image_file))
+(typeattributeset asec_public_file_33_0 (asec_public_file))
+(typeattributeset ashmem_device_33_0 (ashmem_device))
+(typeattributeset ashmem_libcutils_device_33_0 (ashmem_libcutils_device))
+(typeattributeset assetatlas_service_33_0 (assetatlas_service))
+(typeattributeset atrace_33_0 (atrace))
+(typeattributeset attestation_verification_service_33_0 (attestation_verification_service))
+(typeattributeset audio_config_prop_33_0 (audio_config_prop))
+(typeattributeset audio_data_file_33_0 (audio_data_file))
+(typeattributeset audio_device_33_0 (audio_device))
+(typeattributeset audio_prop_33_0 (audio_prop))
+(typeattributeset audio_service_33_0 (audio_service))
+(typeattributeset audiohal_data_file_33_0 (audiohal_data_file))
+(typeattributeset audioserver_33_0 (audioserver))
+(typeattributeset audioserver_data_file_33_0 (audioserver_data_file))
+(typeattributeset audioserver_service_33_0 (audioserver_service))
+(typeattributeset audioserver_tmpfs_33_0 (audioserver_tmpfs))
+(typeattributeset auth_service_33_0 (auth_service))
+(typeattributeset authorization_service_33_0 (authorization_service))
+(typeattributeset autofill_service_33_0 (autofill_service))
+(typeattributeset backup_data_file_33_0 (backup_data_file))
+(typeattributeset backup_service_33_0 (backup_service))
+(typeattributeset battery_service_33_0 (battery_service))
+(typeattributeset batteryproperties_service_33_0 (batteryproperties_service))
+(typeattributeset batterystats_service_33_0 (batterystats_service))
+(typeattributeset binder_cache_bluetooth_server_prop_33_0 (binder_cache_bluetooth_server_prop))
+(typeattributeset binder_cache_system_server_prop_33_0 (binder_cache_system_server_prop))
+(typeattributeset binder_cache_telephony_server_prop_33_0 (binder_cache_telephony_server_prop))
+(typeattributeset binder_calls_stats_service_33_0 (binder_calls_stats_service))
+(typeattributeset binder_device_33_0 (binder_device))
+(typeattributeset binderfs_33_0 (binderfs))
+(typeattributeset binderfs_features_33_0 (binderfs_features))
+(typeattributeset binderfs_logs_33_0 (binderfs_logs))
+(typeattributeset binderfs_logs_proc_33_0 (binderfs_logs_proc))
+(typeattributeset binfmt_miscfs_33_0 (binfmt_miscfs))
+(typeattributeset biometric_service_33_0 (biometric_service))
+(typeattributeset blkid_33_0 (blkid))
+(typeattributeset blkid_untrusted_33_0 (blkid_untrusted))
+(typeattributeset blob_store_service_33_0 (blob_store_service))
+(typeattributeset block_device_33_0 (block_device))
+(typeattributeset bluetooth_33_0 (bluetooth))
+(typeattributeset bluetooth_a2dp_offload_prop_33_0 (bluetooth_a2dp_offload_prop))
+(typeattributeset bluetooth_audio_hal_prop_33_0 (bluetooth_audio_hal_prop))
+(typeattributeset bluetooth_config_prop_33_0 (bluetooth_config_prop))
+(typeattributeset bluetooth_data_file_33_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_33_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_33_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_33_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_33_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_33_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_33_0 (bluetooth_socket))
+(typeattributeset boot_block_device_33_0 (boot_block_device))
+(typeattributeset boot_status_prop_33_0 (boot_status_prop))
+(typeattributeset bootanim_33_0 (bootanim))
+(typeattributeset bootanim_config_prop_33_0 (bootanim_config_prop))
+(typeattributeset bootanim_exec_33_0 (bootanim_exec))
+(typeattributeset bootanim_system_prop_33_0 (bootanim_system_prop))
+(typeattributeset bootchart_data_file_33_0 (bootchart_data_file))
+(typeattributeset bootloader_boot_reason_prop_33_0 (bootloader_boot_reason_prop))
+(typeattributeset bootloader_prop_33_0 (bootloader_prop))
+(typeattributeset bootstat_33_0 (bootstat))
+(typeattributeset bootstat_data_file_33_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_33_0 (bootstat_exec))
+(typeattributeset boottime_prop_33_0 (boottime_prop))
+(typeattributeset boottime_public_prop_33_0 (boottime_public_prop))
+(typeattributeset boottrace_data_file_33_0 (boottrace_data_file))
+(typeattributeset bpf_progs_loaded_prop_33_0 (bpf_progs_loaded_prop))
+(typeattributeset bpfloader_33_0 (bpfloader))
+(typeattributeset bq_config_prop_33_0 (bq_config_prop))
+(typeattributeset broadcastradio_service_33_0 (broadcastradio_service))
+(typeattributeset bufferhubd_33_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_33_0 (bufferhubd_exec))
+(typeattributeset bugreport_service_33_0 (bugreport_service))
+(typeattributeset build_bootimage_prop_33_0 (build_bootimage_prop))
+(typeattributeset build_config_prop_33_0 (build_config_prop))
+(typeattributeset build_odm_prop_33_0 (build_odm_prop))
+(typeattributeset build_prop_33_0 (build_prop))
+(typeattributeset build_vendor_prop_33_0 (build_vendor_prop))
+(typeattributeset cache_backup_file_33_0 (cache_backup_file))
+(typeattributeset cache_block_device_33_0 (cache_block_device))
+(typeattributeset cache_file_33_0 (cache_file))
+(typeattributeset cache_private_backup_file_33_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_33_0 (cache_recovery_file))
+(typeattributeset cacheinfo_service_33_0 (cacheinfo_service))
+(typeattributeset camera2_extensions_prop_33_0 (camera2_extensions_prop))
+(typeattributeset camera_calibration_prop_33_0 (camera_calibration_prop))
+(typeattributeset camera_config_prop_33_0 (camera_config_prop))
+(typeattributeset camera_data_file_33_0 (camera_data_file))
+(typeattributeset camera_device_33_0 (camera_device))
+(typeattributeset cameraproxy_service_33_0 (cameraproxy_service))
+(typeattributeset cameraserver_33_0 (cameraserver))
+(typeattributeset cameraserver_exec_33_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_33_0 (cameraserver_service))
+(typeattributeset cameraserver_tmpfs_33_0 (cameraserver_tmpfs))
+(typeattributeset camerax_extensions_prop_33_0 (camerax_extensions_prop))
+(typeattributeset cgroup_33_0 (cgroup))
+(typeattributeset cgroup_desc_api_file_33_0 (cgroup_desc_api_file))
+(typeattributeset cgroup_desc_file_33_0 (cgroup_desc_file))
+(typeattributeset cgroup_rc_file_33_0 (cgroup_rc_file))
+(typeattributeset cgroup_v2_33_0 (cgroup_v2))
+(typeattributeset charger_33_0 (charger))
+(typeattributeset charger_config_prop_33_0 (charger_config_prop))
+(typeattributeset charger_exec_33_0 (charger_exec))
+(typeattributeset charger_prop_33_0 (charger_prop))
+(typeattributeset charger_status_prop_33_0 (charger_status_prop))
+(typeattributeset charger_vendor_33_0 (charger_vendor))
+(typeattributeset clipboard_service_33_0 (clipboard_service))
+(typeattributeset cloudsearch_service_33_0 (cloudsearch_service))
+(typeattributeset codec2_config_prop_33_0 (codec2_config_prop))
+(typeattributeset cold_boot_done_prop_33_0 (cold_boot_done_prop))
+(typeattributeset color_display_service_33_0 (color_display_service))
+(typeattributeset companion_device_service_33_0 (companion_device_service))
+(typeattributeset config_prop_33_0 (config_prop))
+(typeattributeset configfs_33_0 (configfs))
+(typeattributeset connectivity_native_service_33_0 (connectivity_native_service))
+(typeattributeset connectivity_service_33_0 (connectivity_service))
+(typeattributeset connmetrics_service_33_0 (connmetrics_service))
+(typeattributeset console_device_33_0 (console_device))
+(typeattributeset consumer_ir_service_33_0 (consumer_ir_service))
+(typeattributeset content_capture_service_33_0 (content_capture_service))
+(typeattributeset content_service_33_0 (content_service))
+(typeattributeset content_suggestions_service_33_0 (content_suggestions_service))
+(typeattributeset contexthub_service_33_0 (contexthub_service))
+(typeattributeset coredump_file_33_0 (coredump_file))
+(typeattributeset country_detector_service_33_0 (country_detector_service))
+(typeattributeset coverage_service_33_0 (coverage_service))
+(typeattributeset cppreopt_prop_33_0 (cppreopt_prop))
+(typeattributeset cpu_variant_prop_33_0 (cpu_variant_prop))
+(typeattributeset cpuinfo_service_33_0 (cpuinfo_service))
+(typeattributeset crash_dump_33_0 (crash_dump))
+(typeattributeset crash_dump_exec_33_0 (crash_dump_exec))
+(typeattributeset credstore_33_0 (credstore))
+(typeattributeset credstore_data_file_33_0 (credstore_data_file))
+(typeattributeset credstore_exec_33_0 (credstore_exec))
+(typeattributeset credstore_service_33_0 (credstore_service))
+(typeattributeset crossprofileapps_service_33_0 (crossprofileapps_service))
+(typeattributeset ctl_adbd_prop_33_0 (ctl_adbd_prop))
+(typeattributeset ctl_apexd_prop_33_0 (ctl_apexd_prop))
+(typeattributeset ctl_bootanim_prop_33_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_33_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_33_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_33_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_33_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_33_0 (ctl_fuse_prop))
+(typeattributeset ctl_gsid_prop_33_0 (ctl_gsid_prop))
+(typeattributeset ctl_interface_restart_prop_33_0 (ctl_interface_restart_prop))
+(typeattributeset ctl_interface_start_prop_33_0 (ctl_interface_start_prop))
+(typeattributeset ctl_interface_stop_prop_33_0 (ctl_interface_stop_prop))
+(typeattributeset ctl_mdnsd_prop_33_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_restart_prop_33_0 (ctl_restart_prop))
+(typeattributeset ctl_rildaemon_prop_33_0 (ctl_rildaemon_prop))
+(typeattributeset ctl_sigstop_prop_33_0 (ctl_sigstop_prop))
+(typeattributeset ctl_start_prop_33_0 (ctl_start_prop))
+(typeattributeset ctl_stop_prop_33_0 (ctl_stop_prop))
+(typeattributeset dalvik_config_prop_33_0 (dalvik_config_prop))
+(typeattributeset dalvik_prop_33_0 (dalvik_prop))
+(typeattributeset dalvik_runtime_prop_33_0 (dalvik_runtime_prop))
+(typeattributeset dalvikcache_data_file_33_0 (dalvikcache_data_file))
+(typeattributeset dataloader_manager_service_33_0 (dataloader_manager_service))
+(typeattributeset dbinfo_service_33_0 (dbinfo_service))
+(typeattributeset dck_prop_33_0 (dck_prop))
+(typeattributeset debug_prop_33_0 (debug_prop))
+(typeattributeset debugfs_33_0 (debugfs))
+(typeattributeset debugfs_bootreceiver_tracing_33_0 (debugfs_bootreceiver_tracing))
+(typeattributeset debugfs_kprobes_33_0 (debugfs_kprobes))
+(typeattributeset debugfs_mm_events_tracing_33_0 (debugfs_mm_events_tracing))
+(typeattributeset debugfs_mmc_33_0 (debugfs_mmc))
+(typeattributeset debugfs_restriction_prop_33_0 (debugfs_restriction_prop))
+(typeattributeset debugfs_trace_marker_33_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_33_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_33_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_instances_33_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_tracing_printk_formats_33_0 (debugfs_tracing_printk_formats))
+(typeattributeset debugfs_wakeup_sources_33_0 (debugfs_wakeup_sources))
+(typeattributeset debugfs_wifi_tracing_33_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_33_0 (debuggerd_prop))
+(typeattributeset default_android_hwservice_33_0 (default_android_hwservice))
+(typeattributeset default_android_service_33_0 (default_android_service))
+(typeattributeset default_android_vndservice_33_0 (default_android_vndservice))
+(typeattributeset default_prop_33_0 (default_prop))
+(typeattributeset dev_cpu_variant_33_0 (dev_cpu_variant))
+(typeattributeset device_33_0 (device))
+(typeattributeset device_config_activity_manager_native_boot_prop_33_0 (device_config_activity_manager_native_boot_prop))
+(typeattributeset device_config_boot_count_prop_33_0 (device_config_boot_count_prop))
+(typeattributeset device_config_input_native_boot_prop_33_0 (device_config_input_native_boot_prop))
+(typeattributeset device_config_media_native_prop_33_0 (device_config_media_native_prop))
+(typeattributeset device_config_netd_native_prop_33_0 (device_config_netd_native_prop))
+(typeattributeset device_config_nnapi_native_prop_33_0 (device_config_nnapi_native_prop))
+(typeattributeset device_config_reset_performed_prop_33_0 (device_config_reset_performed_prop))
+(typeattributeset device_config_runtime_native_boot_prop_33_0 (device_config_runtime_native_boot_prop))
+(typeattributeset device_config_runtime_native_prop_33_0 (device_config_runtime_native_prop))
+(typeattributeset device_config_service_33_0 (device_config_service))
+(typeattributeset device_config_surface_flinger_native_boot_prop_33_0 (device_config_surface_flinger_native_boot_prop))
+(typeattributeset device_identifiers_service_33_0 (device_identifiers_service))
+(typeattributeset device_logging_prop_33_0 (device_logging_prop))
+(typeattributeset device_policy_service_33_0 (device_policy_service))
+(typeattributeset device_state_service_33_0 (device_state_service))
+(typeattributeset deviceidle_service_33_0 (deviceidle_service))
+(typeattributeset devicestoragemonitor_service_33_0 (devicestoragemonitor_service))
+(typeattributeset devpts_33_0 (devpts))
+(typeattributeset dhcp_33_0 (dhcp))
+(typeattributeset dhcp_data_file_33_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_33_0 (dhcp_exec))
+(typeattributeset dhcp_prop_33_0 (dhcp_prop))
+(typeattributeset dice_maintenance_service_33_0 (dice_maintenance_service))
+(typeattributeset dice_node_service_33_0 (dice_node_service))
+(typeattributeset diced_33_0 (diced))
+(typeattributeset diced_exec_33_0 (diced_exec))
+(typeattributeset diskstats_service_33_0 (diskstats_service))
+(typeattributeset display_service_33_0 (display_service))
+(typeattributeset dm_device_33_0 (dm_device))
+(typeattributeset dm_user_device_33_0 (dm_user_device))
+(typeattributeset dmabuf_heap_device_33_0 (dmabuf_heap_device))
+(typeattributeset dmabuf_system_heap_device_33_0 (dmabuf_system_heap_device))
+(typeattributeset dmabuf_system_secure_heap_device_33_0 (dmabuf_system_secure_heap_device))
+(typeattributeset dnsmasq_33_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_33_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_33_0 (dnsproxyd_socket))
+(typeattributeset dnsresolver_service_33_0 (dnsresolver_service))
+(typeattributeset domain_verification_service_33_0 (domain_verification_service))
+(typeattributeset dreams_service_33_0 (dreams_service))
+(typeattributeset drm_data_file_33_0 (drm_data_file))
+(typeattributeset drm_service_config_prop_33_0 (drm_service_config_prop))
+(typeattributeset drmserver_33_0 (drmserver))
+(typeattributeset drmserver_exec_33_0 (drmserver_exec))
+(typeattributeset drmserver_service_33_0 (drmserver_service))
+(typeattributeset drmserver_socket_33_0 (drmserver_socket))
+(typeattributeset dropbox_data_file_33_0 (dropbox_data_file))
+(typeattributeset dropbox_service_33_0 (dropbox_service))
+(typeattributeset dumpstate_33_0 (dumpstate))
+(typeattributeset dumpstate_exec_33_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_33_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_33_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_33_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_33_0 (dumpstate_socket))
+(typeattributeset dynamic_system_prop_33_0 (dynamic_system_prop))
+(typeattributeset e2fs_33_0 (e2fs))
+(typeattributeset e2fs_exec_33_0 (e2fs_exec))
+(typeattributeset efs_file_33_0 (efs_file))
+(typeattributeset emergency_affordance_service_33_0 (emergency_affordance_service))
+(typeattributeset ephemeral_app_33_0 (ephemeral_app))
+(typeattributeset ethernet_service_33_0 (ethernet_service))
+(typeattributeset evsmanagerd_33_0 (evsmanagerd))
+(typeattributeset evsmanagerd_service_33_0 (evsmanagerd_service))
+(typeattributeset exfat_33_0 (exfat))
+(typeattributeset exported3_system_prop_33_0 (exported3_system_prop))
+(typeattributeset exported_bluetooth_prop_33_0 (exported_bluetooth_prop))
+(typeattributeset exported_camera_prop_33_0 (exported_camera_prop))
+(typeattributeset exported_config_prop_33_0 (exported_config_prop))
+(typeattributeset exported_default_prop_33_0 (exported_default_prop))
+(typeattributeset exported_dumpstate_prop_33_0 (exported_dumpstate_prop))
+(typeattributeset exported_overlay_prop_33_0 (exported_overlay_prop))
+(typeattributeset exported_pm_prop_33_0 (exported_pm_prop))
+(typeattributeset exported_secure_prop_33_0 (exported_secure_prop))
+(typeattributeset exported_system_prop_33_0 (exported_system_prop))
+(typeattributeset external_vibrator_service_33_0 (external_vibrator_service))
+(typeattributeset extra_free_kbytes_33_0 (extra_free_kbytes))
+(typeattributeset extra_free_kbytes_exec_33_0 (extra_free_kbytes_exec))
+(typeattributeset face_service_33_0 (face_service))
+(typeattributeset face_vendor_data_file_33_0 (face_vendor_data_file))
+(typeattributeset fastbootd_33_0 (fastbootd))
+(typeattributeset ffs_config_prop_33_0 (ffs_config_prop))
+(typeattributeset ffs_control_prop_33_0 (ffs_control_prop))
+(typeattributeset file_contexts_file_33_0 (file_contexts_file))
+(typeattributeset file_integrity_service_33_0 (file_integrity_service))
+(typeattributeset fingerprint_prop_33_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_33_0 (fingerprint_service))
+(typeattributeset fingerprint_vendor_data_file_33_0 (fingerprint_vendor_data_file))
+(typeattributeset fingerprintd_33_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_33_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_33_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_33_0 (fingerprintd_service))
+(typeattributeset firstboot_prop_33_0 (firstboot_prop))
+(typeattributeset flags_health_check_33_0 (flags_health_check))
+(typeattributeset flags_health_check_exec_33_0 (flags_health_check_exec))
+(typeattributeset font_service_33_0 (font_service))
+(typeattributeset framework_watchdog_config_prop_33_0 (framework_watchdog_config_prop))
+(typeattributeset frp_block_device_33_0 (frp_block_device))
+(typeattributeset fs_bpf_33_0 (fs_bpf))
+(typeattributeset fs_bpf_tethering_33_0 (fs_bpf_tethering))
+(typeattributeset fs_bpf_vendor_33_0 (fs_bpf_vendor))
+(typeattributeset fsck_33_0 (fsck))
+(typeattributeset fsck_exec_33_0 (fsck_exec))
+(typeattributeset fsck_untrusted_33_0 (fsck_untrusted))
+(typeattributeset fscklogs_33_0 (fscklogs))
+(typeattributeset functionfs_33_0 (functionfs))
+(typeattributeset fuse_33_0 (fuse))
+(typeattributeset fuse_device_33_0 (fuse_device))
+(typeattributeset fusectlfs_33_0 (fusectlfs))
+(typeattributeset fwk_automotive_display_hwservice_33_0 (fwk_automotive_display_hwservice))
+(typeattributeset fwk_automotive_display_service_33_0 (fwk_automotive_display_service))
+(typeattributeset fwk_bufferhub_hwservice_33_0 (fwk_bufferhub_hwservice))
+(typeattributeset fwk_camera_hwservice_33_0 (fwk_camera_hwservice))
+(typeattributeset fwk_display_hwservice_33_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_33_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_33_0 (fwk_sensor_hwservice))
+(typeattributeset fwk_stats_hwservice_33_0 (fwk_stats_hwservice))
+(typeattributeset fwk_stats_service_33_0 (fwk_stats_service))
+(typeattributeset fwmarkd_socket_33_0 (fwmarkd_socket))
+(typeattributeset game_mode_intervention_list_file_33_0 (game_mode_intervention_list_file))
+(typeattributeset game_service_33_0 (game_service))
+(typeattributeset gatekeeper_data_file_33_0 (gatekeeper_data_file))
+(typeattributeset gatekeeper_service_33_0 (gatekeeper_service))
+(typeattributeset gatekeeperd_33_0 (gatekeeperd))
+(typeattributeset gatekeeperd_exec_33_0 (gatekeeperd_exec))
+(typeattributeset gesture_prop_33_0 (gesture_prop))
+(typeattributeset gfxinfo_service_33_0 (gfxinfo_service))
+(typeattributeset gmscore_app_33_0 (gmscore_app))
+(typeattributeset gnss_device_33_0 (gnss_device))
+(typeattributeset gnss_time_update_service_33_0 (gnss_time_update_service))
+(typeattributeset gps_control_33_0 (gps_control))
+(typeattributeset gpu_device_33_0 (gpu_device))
+(typeattributeset gpu_service_33_0 (gpu_service))
+(typeattributeset gpuservice_33_0 (gpuservice))
+(typeattributeset graphics_config_prop_33_0 (graphics_config_prop))
+(typeattributeset graphics_device_33_0 (graphics_device))
+(typeattributeset graphicsstats_service_33_0 (graphicsstats_service))
+(typeattributeset gsi_data_file_33_0 (gsi_data_file))
+(typeattributeset gsi_metadata_file_33_0 (gsi_metadata_file))
+(typeattributeset gsi_public_metadata_file_33_0 (gsi_public_metadata_file))
+(typeattributeset gwp_asan_prop_33_0 (gwp_asan_prop))
+(typeattributeset hal_atrace_hwservice_33_0 (hal_atrace_hwservice))
+(typeattributeset hal_audio_hwservice_33_0 (hal_audio_hwservice))
+(typeattributeset hal_audio_service_33_0 (hal_audio_service))
+(typeattributeset hal_audiocontrol_hwservice_33_0 (hal_audiocontrol_hwservice))
+(typeattributeset hal_audiocontrol_service_33_0 (hal_audiocontrol_service))
+(typeattributeset hal_authsecret_hwservice_33_0 (hal_authsecret_hwservice))
+(typeattributeset hal_authsecret_service_33_0 (hal_authsecret_service))
+(typeattributeset hal_bluetooth_hwservice_33_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_33_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_33_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_33_0 (hal_camera_hwservice))
+(typeattributeset hal_camera_service_33_0 (hal_camera_service))
+(typeattributeset hal_can_bus_hwservice_33_0 (hal_can_bus_hwservice))
+(typeattributeset hal_can_controller_hwservice_33_0 (hal_can_controller_hwservice))
+(typeattributeset hal_cas_hwservice_33_0 (hal_cas_hwservice))
+(typeattributeset hal_codec2_hwservice_33_0 (hal_codec2_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_33_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_confirmationui_hwservice_33_0 (hal_confirmationui_hwservice))
+(typeattributeset hal_contexthub_hwservice_33_0 (hal_contexthub_hwservice))
+(typeattributeset hal_contexthub_service_33_0 (hal_contexthub_service))
+(typeattributeset hal_dice_service_33_0 (hal_dice_service))
+(typeattributeset hal_drm_hwservice_33_0 (hal_drm_hwservice))
+(typeattributeset hal_drm_service_33_0 (hal_drm_service))
+(typeattributeset hal_dumpstate_config_prop_33_0 (hal_dumpstate_config_prop))
+(typeattributeset hal_dumpstate_hwservice_33_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_dumpstate_service_33_0 (hal_dumpstate_service))
+(typeattributeset hal_evs_hwservice_33_0 (hal_evs_hwservice))
+(typeattributeset hal_evs_service_33_0 (hal_evs_service))
+(typeattributeset hal_face_hwservice_33_0 (hal_face_hwservice))
+(typeattributeset hal_face_service_33_0 (hal_face_service))
+(typeattributeset hal_fingerprint_hwservice_33_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_33_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_33_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_33_0 (hal_gnss_hwservice))
+(typeattributeset hal_gnss_service_33_0 (hal_gnss_service))
+(typeattributeset hal_graphics_allocator_hwservice_33_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_allocator_service_33_0 (hal_graphics_allocator_service))
+(typeattributeset hal_graphics_composer_hwservice_33_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_composer_server_tmpfs_33_0 (hal_graphics_composer_server_tmpfs))
+(typeattributeset hal_graphics_composer_service_33_0 (hal_graphics_composer_service))
+(typeattributeset hal_graphics_mapper_hwservice_33_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_33_0 (hal_health_hwservice))
+(typeattributeset hal_health_service_33_0 (hal_health_service))
+(typeattributeset hal_health_storage_hwservice_33_0 (hal_health_storage_hwservice))
+(typeattributeset hal_health_storage_service_33_0 (hal_health_storage_service))
+(typeattributeset hal_identity_service_33_0 (hal_identity_service))
+(typeattributeset hal_input_classifier_hwservice_33_0 (hal_input_classifier_hwservice))
+(typeattributeset hal_input_processor_service_33_0 (hal_input_processor_service))
+(typeattributeset hal_instrumentation_prop_33_0 (hal_instrumentation_prop))
+(typeattributeset hal_ir_hwservice_33_0 (hal_ir_hwservice))
+(typeattributeset hal_ir_service_33_0 (hal_ir_service))
+(typeattributeset hal_keymaster_hwservice_33_0 (hal_keymaster_hwservice))
+(typeattributeset hal_keymint_service_33_0 (hal_keymint_service))
+(typeattributeset hal_light_hwservice_33_0 (hal_light_hwservice))
+(typeattributeset hal_light_service_33_0 (hal_light_service))
+(typeattributeset hal_lowpan_hwservice_33_0 (hal_lowpan_hwservice))
+(typeattributeset hal_memtrack_hwservice_33_0 (hal_memtrack_hwservice))
+(typeattributeset hal_memtrack_service_33_0 (hal_memtrack_service))
+(typeattributeset hal_neuralnetworks_hwservice_33_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_neuralnetworks_service_33_0 (hal_neuralnetworks_service))
+(typeattributeset hal_nfc_hwservice_33_0 (hal_nfc_hwservice))
+(typeattributeset hal_nfc_service_33_0 (hal_nfc_service))
+(typeattributeset hal_nlinterceptor_service_33_0 (hal_nlinterceptor_service))
+(typeattributeset hal_oemlock_hwservice_33_0 (hal_oemlock_hwservice))
+(typeattributeset hal_oemlock_service_33_0 (hal_oemlock_service))
+(typeattributeset hal_omx_hwservice_33_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_33_0 (hal_power_hwservice))
+(typeattributeset hal_power_service_33_0 (hal_power_service))
+(typeattributeset hal_power_stats_hwservice_33_0 (hal_power_stats_hwservice))
+(typeattributeset hal_power_stats_service_33_0 (hal_power_stats_service))
+(typeattributeset hal_radio_service_33_0 (hal_radio_service))
+(typeattributeset hal_rebootescrow_service_33_0 (hal_rebootescrow_service))
+(typeattributeset hal_remotelyprovisionedcomponent_service_33_0 (hal_remotelyprovisionedcomponent_service))
+(typeattributeset hal_renderscript_hwservice_33_0 (hal_renderscript_hwservice))
+(typeattributeset hal_secure_element_hwservice_33_0 (hal_secure_element_hwservice))
+(typeattributeset hal_secureclock_service_33_0 (hal_secureclock_service))
+(typeattributeset hal_sensors_hwservice_33_0 (hal_sensors_hwservice))
+(typeattributeset hal_sensors_service_33_0 (hal_sensors_service))
+(typeattributeset hal_sharedsecret_service_33_0 (hal_sharedsecret_service))
+(typeattributeset hal_system_suspend_service_33_0 (hal_system_suspend_service))
+(typeattributeset hal_telephony_hwservice_33_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_33_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_33_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_33_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_33_0 (hal_tv_input_hwservice))
+(typeattributeset hal_tv_tuner_hwservice_33_0 (hal_tv_tuner_hwservice))
+(typeattributeset hal_tv_tuner_service_33_0 (hal_tv_tuner_service))
+(typeattributeset hal_usb_gadget_hwservice_33_0 (hal_usb_gadget_hwservice))
+(typeattributeset hal_usb_hwservice_33_0 (hal_usb_hwservice))
+(typeattributeset hal_usb_service_33_0 (hal_usb_service))
+(typeattributeset hal_uwb_service_33_0 (hal_uwb_service))
+(typeattributeset hal_vehicle_hwservice_33_0 (hal_vehicle_hwservice))
+(typeattributeset hal_vehicle_service_33_0 (hal_vehicle_service))
+(typeattributeset hal_vibrator_hwservice_33_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vibrator_service_33_0 (hal_vibrator_service))
+(typeattributeset hal_vr_hwservice_33_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_33_0 (hal_weaver_hwservice))
+(typeattributeset hal_weaver_service_33_0 (hal_weaver_service))
+(typeattributeset hal_wifi_hostapd_hwservice_33_0 (hal_wifi_hostapd_hwservice))
+(typeattributeset hal_wifi_hostapd_service_33_0 (hal_wifi_hostapd_service))
+(typeattributeset hal_wifi_hwservice_33_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_33_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hal_wifi_supplicant_service_33_0 (hal_wifi_supplicant_service))
+(typeattributeset hardware_properties_service_33_0 (hardware_properties_service))
+(typeattributeset hardware_service_33_0 (hardware_service))
+(typeattributeset hci_attach_dev_33_0 (hci_attach_dev))
+(typeattributeset hdmi_config_prop_33_0 (hdmi_config_prop))
+(typeattributeset hdmi_control_service_33_0 (hdmi_control_service))
+(typeattributeset healthd_33_0 (healthd))
+(typeattributeset heapdump_data_file_33_0 (heapdump_data_file))
+(typeattributeset heapprofd_33_0 (heapprofd))
+(typeattributeset heapprofd_enabled_prop_33_0 (heapprofd_enabled_prop))
+(typeattributeset heapprofd_prop_33_0 (heapprofd_prop))
+(typeattributeset heapprofd_socket_33_0 (heapprofd_socket))
+(typeattributeset hidl_allocator_hwservice_33_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_33_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_33_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_33_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_33_0 (hidl_token_hwservice))
+(typeattributeset hint_service_33_0 (hint_service))
+(typeattributeset hw_random_device_33_0 (hw_random_device))
+(typeattributeset hw_timeout_multiplier_prop_33_0 (hw_timeout_multiplier_prop))
+(typeattributeset hwbinder_device_33_0 (hwbinder_device))
+(typeattributeset hwservice_contexts_file_33_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_33_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_33_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_33_0 (hwservicemanager_prop))
+(typeattributeset hypervisor_prop_33_0 (hypervisor_prop))
+(typeattributeset icon_file_33_0 (icon_file))
+(typeattributeset idmap_33_0 (idmap))
+(typeattributeset idmap_exec_33_0 (idmap_exec))
+(typeattributeset idmap_service_33_0 (idmap_service))
+(typeattributeset iio_device_33_0 (iio_device))
+(typeattributeset imms_service_33_0 (imms_service))
+(typeattributeset incident_33_0 (incident))
+(typeattributeset incident_data_file_33_0 (incident_data_file))
+(typeattributeset incident_helper_33_0 (incident_helper))
+(typeattributeset incident_service_33_0 (incident_service))
+(typeattributeset incidentd_33_0 (incidentd))
+(typeattributeset incremental_control_file_33_0 (incremental_control_file))
+(typeattributeset incremental_prop_33_0 (incremental_prop))
+(typeattributeset incremental_service_33_0 (incremental_service))
+(typeattributeset init_33_0 (init))
+(typeattributeset init_exec_33_0 (init_exec))
+(typeattributeset init_service_status_prop_33_0 (init_service_status_prop))
+(typeattributeset init_tmpfs_33_0 (init_tmpfs))
+(typeattributeset inotify_33_0 (inotify))
+(typeattributeset input_device_33_0 (input_device))
+(typeattributeset input_method_service_33_0 (input_method_service))
+(typeattributeset input_service_33_0 (input_service))
+(typeattributeset inputflinger_33_0 (inputflinger))
+(typeattributeset inputflinger_exec_33_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_33_0 (inputflinger_service))
+(typeattributeset install_data_file_33_0 (install_data_file))
+(typeattributeset installd_33_0 (installd))
+(typeattributeset installd_exec_33_0 (installd_exec))
+(typeattributeset installd_service_33_0 (installd_service))
+(typeattributeset ion_device_33_0 (ion_device))
+(typeattributeset iorap_inode2filename_33_0 (iorap_inode2filename))
+(typeattributeset iorap_inode2filename_exec_33_0 (iorap_inode2filename_exec))
+(typeattributeset iorap_inode2filename_tmpfs_33_0 (iorap_inode2filename_tmpfs))
+(typeattributeset iorap_prefetcherd_33_0 (iorap_prefetcherd))
+(typeattributeset iorap_prefetcherd_exec_33_0 (iorap_prefetcherd_exec))
+(typeattributeset iorap_prefetcherd_tmpfs_33_0 (iorap_prefetcherd_tmpfs))
+(typeattributeset iorapd_33_0 (iorapd))
+(typeattributeset iorapd_data_file_33_0 (iorapd_data_file))
+(typeattributeset iorapd_exec_33_0 (iorapd_exec))
+(typeattributeset iorapd_service_33_0 (iorapd_service))
+(typeattributeset iorapd_tmpfs_33_0 (iorapd_tmpfs))
+(typeattributeset ipsec_service_33_0 (ipsec_service))
+(typeattributeset iris_service_33_0 (iris_service))
+(typeattributeset iris_vendor_data_file_33_0 (iris_vendor_data_file))
+(typeattributeset isolated_app_33_0 (isolated_app))
+(typeattributeset jobscheduler_service_33_0 (jobscheduler_service))
+(typeattributeset kernel_33_0 (kernel))
+(typeattributeset keychain_data_file_33_0 (keychain_data_file))
+(typeattributeset keychord_device_33_0 (keychord_device))
+(typeattributeset keyguard_config_prop_33_0 (keyguard_config_prop))
+(typeattributeset keystore2_key_contexts_file_33_0 (keystore2_key_contexts_file))
+(typeattributeset keystore_33_0 (keystore))
+(typeattributeset keystore_compat_hal_service_33_0 (keystore_compat_hal_service))
+(typeattributeset keystore_data_file_33_0 (keystore_data_file))
+(typeattributeset keystore_exec_33_0 (keystore_exec))
+(typeattributeset keystore_maintenance_service_33_0 (keystore_maintenance_service))
+(typeattributeset keystore_metrics_service_33_0 (keystore_metrics_service))
+(typeattributeset keystore_service_33_0 (keystore_service))
+(typeattributeset kmsg_debug_device_33_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_33_0 (kmsg_device))
+(typeattributeset labeledfs_33_0 (labeledfs))
+(typeattributeset launcherapps_service_33_0 (launcherapps_service))
+(typeattributeset legacy_permission_service_33_0 (legacy_permission_service))
+(typeattributeset legacykeystore_service_33_0 (legacykeystore_service))
+(typeattributeset libc_debug_prop_33_0 (libc_debug_prop))
+(typeattributeset light_service_33_0 (light_service))
+(typeattributeset linkerconfig_file_33_0 (linkerconfig_file))
+(typeattributeset llkd_33_0 (llkd))
+(typeattributeset llkd_exec_33_0 (llkd_exec))
+(typeattributeset llkd_prop_33_0 (llkd_prop))
+(typeattributeset lmkd_33_0 (lmkd))
+(typeattributeset lmkd_config_prop_33_0 (lmkd_config_prop))
+(typeattributeset lmkd_exec_33_0 (lmkd_exec))
+(typeattributeset lmkd_prop_33_0 (lmkd_prop))
+(typeattributeset lmkd_socket_33_0 (lmkd_socket))
+(typeattributeset locale_service_33_0 (locale_service))
+(typeattributeset location_service_33_0 (location_service))
+(typeattributeset location_time_zone_manager_service_33_0 (location_time_zone_manager_service))
+(typeattributeset lock_settings_service_33_0 (lock_settings_service))
+(typeattributeset log_prop_33_0 (log_prop))
+(typeattributeset log_tag_prop_33_0 (log_tag_prop))
+(typeattributeset logcat_exec_33_0 (logcat_exec))
+(typeattributeset logd_33_0 (logd))
+(typeattributeset logd_exec_33_0 (logd_exec))
+(typeattributeset logd_prop_33_0 (logd_prop))
+(typeattributeset logd_socket_33_0 (logd_socket))
+(typeattributeset logdr_socket_33_0 (logdr_socket))
+(typeattributeset logdw_socket_33_0 (logdw_socket))
+(typeattributeset logpersist_33_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_33_0 (logpersistd_logging_prop))
+(typeattributeset loop_control_device_33_0 (loop_control_device))
+(typeattributeset loop_device_33_0 (loop_device))
+(typeattributeset looper_stats_service_33_0 (looper_stats_service))
+(typeattributeset lowpan_device_33_0 (lowpan_device))
+(typeattributeset lowpan_prop_33_0 (lowpan_prop))
+(typeattributeset lowpan_service_33_0 (lowpan_service))
+(typeattributeset lpdump_service_33_0 (lpdump_service))
+(typeattributeset lpdumpd_prop_33_0 (lpdumpd_prop))
+(typeattributeset mac_perms_file_33_0 (mac_perms_file))
+(typeattributeset mdns_service_33_0 (mdns_service))
+(typeattributeset mdns_socket_33_0 (mdns_socket))
+(typeattributeset mdnsd_33_0 (mdnsd))
+(typeattributeset mdnsd_socket_33_0 (mdnsd_socket))
+(typeattributeset media_communication_service_33_0 (media_communication_service))
+(typeattributeset media_config_prop_33_0 (media_config_prop))
+(typeattributeset media_data_file_33_0 (media_data_file))
+(typeattributeset media_metrics_service_33_0 (media_metrics_service))
+(typeattributeset media_projection_service_33_0 (media_projection_service))
+(typeattributeset media_router_service_33_0 (media_router_service))
+(typeattributeset media_rw_data_file_33_0 (media_rw_data_file media_userdir_file))
+(typeattributeset media_session_service_33_0 (media_session_service))
+(typeattributeset media_variant_prop_33_0 (media_variant_prop))
+(typeattributeset mediadrm_config_prop_33_0 (mediadrm_config_prop))
+(typeattributeset mediadrmserver_33_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_33_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_33_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_33_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_33_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_33_0 (mediaextractor_service))
+(typeattributeset mediaextractor_tmpfs_33_0 (mediaextractor_tmpfs))
+(typeattributeset mediametrics_33_0 (mediametrics))
+(typeattributeset mediametrics_exec_33_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_33_0 (mediametrics_service))
+(typeattributeset mediaprovider_33_0 (mediaprovider))
+(typeattributeset mediaserver_33_0 (mediaserver))
+(typeattributeset mediaserver_exec_33_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_33_0 (mediaserver_service))
+(typeattributeset mediaserver_tmpfs_33_0 (mediaserver_tmpfs))
+(typeattributeset mediaswcodec_33_0 (mediaswcodec))
+(typeattributeset mediaswcodec_exec_33_0 (mediaswcodec_exec))
+(typeattributeset mediatranscoding_33_0 (mediatranscoding))
+(typeattributeset mediatranscoding_service_33_0 (mediatranscoding_service))
+(typeattributeset meminfo_service_33_0 (meminfo_service))
+(typeattributeset memtrackproxy_service_33_0 (memtrackproxy_service))
+(typeattributeset metadata_block_device_33_0 (metadata_block_device))
+(typeattributeset metadata_bootstat_file_33_0 (metadata_bootstat_file))
+(typeattributeset metadata_file_33_0 (metadata_file))
+(typeattributeset method_trace_data_file_33_0 (method_trace_data_file))
+(typeattributeset midi_service_33_0 (midi_service))
+(typeattributeset mirror_data_file_33_0 (mirror_data_file))
+(typeattributeset misc_block_device_33_0 (misc_block_device))
+(typeattributeset misc_logd_file_33_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_33_0 (misc_user_data_file))
+(typeattributeset mm_events_config_prop_33_0 (mm_events_config_prop))
+(typeattributeset mmc_prop_33_0 (mmc_prop))
+(typeattributeset mnt_expand_file_33_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_33_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_33_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_pass_through_file_33_0 (mnt_pass_through_file))
+(typeattributeset mnt_product_file_33_0 (mnt_product_file))
+(typeattributeset mnt_sdcard_file_33_0 (mnt_sdcard_file))
+(typeattributeset mnt_user_file_33_0 (mnt_user_file))
+(typeattributeset mnt_vendor_file_33_0 (mnt_vendor_file))
+(typeattributeset mock_ota_prop_33_0 (mock_ota_prop))
+(typeattributeset modprobe_33_0 (modprobe))
+(typeattributeset module_sdkextensions_prop_33_0 (module_sdkextensions_prop))
+(typeattributeset mount_service_33_0 (mount_service))
+(typeattributeset mqueue_33_0 (mqueue))
+(typeattributeset mtp_33_0 (mtp))
+(typeattributeset mtp_device_33_0 (mtp_device))
+(typeattributeset mtp_exec_33_0 (mtp_exec))
+(typeattributeset mtpd_socket_33_0 (mtpd_socket))
+(typeattributeset music_recognition_service_33_0 (music_recognition_service))
+(typeattributeset nativetest_data_file_33_0 (nativetest_data_file))
+(typeattributeset nearby_service_33_0 (nearby_service))
+(typeattributeset net_data_file_33_0 (net_data_file))
+(typeattributeset net_dns_prop_33_0 (net_dns_prop))
+(typeattributeset net_radio_prop_33_0 (net_radio_prop))
+(typeattributeset netd_33_0 (netd))
+(typeattributeset netd_exec_33_0 (netd_exec))
+(typeattributeset netd_listener_service_33_0 (netd_listener_service))
+(typeattributeset netd_service_33_0 (netd_service))
+(typeattributeset netif_33_0 (netif))
+(typeattributeset netpolicy_service_33_0 (netpolicy_service))
+(typeattributeset netstats_service_33_0 (netstats_service))
+(typeattributeset netutils_wrapper_33_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_33_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_33_0 (network_management_service))
+(typeattributeset network_score_service_33_0 (network_score_service))
+(typeattributeset network_stack_33_0 (network_stack))
+(typeattributeset network_stack_service_33_0 (network_stack_service))
+(typeattributeset network_time_update_service_33_0 (network_time_update_service))
+(typeattributeset network_watchlist_data_file_33_0 (network_watchlist_data_file))
+(typeattributeset network_watchlist_service_33_0 (network_watchlist_service))
+(typeattributeset nfc_33_0 (nfc))
+(typeattributeset nfc_data_file_33_0 (nfc_data_file))
+(typeattributeset nfc_device_33_0 (nfc_device))
+(typeattributeset nfc_logs_data_file_33_0 (nfc_logs_data_file))
+(typeattributeset nfc_prop_33_0 (nfc_prop))
+(typeattributeset nfc_service_33_0 (nfc_service))
+(typeattributeset nnapi_ext_deny_product_prop_33_0 (nnapi_ext_deny_product_prop))
+(typeattributeset node_33_0 (node))
+(typeattributeset notification_service_33_0 (notification_service))
+(typeattributeset null_device_33_0 (null_device))
+(typeattributeset oem_lock_service_33_0 (oem_lock_service))
+(typeattributeset oem_unlock_prop_33_0 (oem_unlock_prop))
+(typeattributeset oemfs_33_0 (oemfs))
+(typeattributeset ota_data_file_33_0 (ota_data_file))
+(typeattributeset ota_metadata_file_33_0 (ota_metadata_file))
+(typeattributeset ota_package_file_33_0 (ota_package_file))
+(typeattributeset ota_prop_33_0 (ota_prop))
+(typeattributeset otadexopt_service_33_0 (otadexopt_service))
+(typeattributeset otapreopt_chroot_33_0 (otapreopt_chroot))
+(typeattributeset overlay_prop_33_0 (overlay_prop))
+(typeattributeset overlay_service_33_0 (overlay_service))
+(typeattributeset overlayfs_file_33_0 (overlayfs_file))
+(typeattributeset owntty_device_33_0 (owntty_device))
+(typeattributeset pac_proxy_service_33_0 (pac_proxy_service))
+(typeattributeset package_native_service_33_0 (package_native_service))
+(typeattributeset package_service_33_0 (package_service))
+(typeattributeset packagemanager_config_prop_33_0 (packagemanager_config_prop))
+(typeattributeset packages_list_file_33_0 (packages_list_file))
+(typeattributeset pan_result_prop_33_0 (pan_result_prop))
+(typeattributeset password_slot_metadata_file_33_0 (password_slot_metadata_file))
+(typeattributeset pdx_bufferhub_client_channel_socket_33_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_33_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_33_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_33_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_33_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_33_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_33_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_33_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_33_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_33_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_33_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_33_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_33_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_33_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_33_0 (pdx_performance_dir))
+(typeattributeset people_service_33_0 (people_service))
+(typeattributeset perfetto_33_0 (perfetto))
+(typeattributeset performanced_33_0 (performanced))
+(typeattributeset performanced_exec_33_0 (performanced_exec))
+(typeattributeset permission_checker_service_33_0 (permission_checker_service))
+(typeattributeset permission_service_33_0 (permission_service))
+(typeattributeset permissionmgr_service_33_0 (permissionmgr_service))
+(typeattributeset persist_debug_prop_33_0 (persist_debug_prop))
+(typeattributeset persist_vendor_debug_wifi_prop_33_0 (persist_vendor_debug_wifi_prop))
+(typeattributeset persist_wm_debug_prop_33_0 (persist_wm_debug_prop))
+(typeattributeset persistent_data_block_service_33_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_33_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_33_0 (pinner_service))
+(typeattributeset pipefs_33_0 (pipefs))
+(typeattributeset platform_app_33_0 (platform_app))
+(typeattributeset platform_compat_service_33_0 (platform_compat_service))
+(typeattributeset pmsg_device_33_0 (pmsg_device))
+(typeattributeset port_33_0 (port))
+(typeattributeset port_device_33_0 (port_device))
+(typeattributeset postinstall_33_0 (postinstall))
+(typeattributeset postinstall_apex_mnt_dir_33_0 (postinstall_apex_mnt_dir))
+(typeattributeset postinstall_file_33_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_33_0 (postinstall_mnt_dir))
+(typeattributeset power_debug_prop_33_0 (power_debug_prop))
+(typeattributeset power_service_33_0 (power_service))
+(typeattributeset powerctl_prop_33_0 (powerctl_prop))
+(typeattributeset powerstats_service_33_0 (powerstats_service))
+(typeattributeset ppp_33_0 (ppp))
+(typeattributeset ppp_device_33_0 (ppp_device))
+(typeattributeset ppp_exec_33_0 (ppp_exec))
+(typeattributeset preloads_data_file_33_0 (preloads_data_file))
+(typeattributeset preloads_media_file_33_0 (preloads_media_file))
+(typeattributeset prereboot_data_file_33_0 (prereboot_data_file))
+(typeattributeset print_service_33_0 (print_service))
+(typeattributeset priv_app_33_0 (priv_app))
+(typeattributeset privapp_data_file_33_0 (privapp_data_file))
+(typeattributeset proc_33_0 (proc))
+(typeattributeset proc_abi_33_0 (proc_abi))
+(typeattributeset proc_asound_33_0 (proc_asound))
+(typeattributeset proc_bluetooth_writable_33_0 (proc_bluetooth_writable))
+(typeattributeset proc_bootconfig_33_0 (proc_bootconfig))
+(typeattributeset proc_bpf_33_0 (proc_bpf))
+(typeattributeset proc_buddyinfo_33_0 (proc_buddyinfo))
+(typeattributeset proc_cmdline_33_0 (proc_cmdline))
+(typeattributeset proc_cpu_alignment_33_0 (proc_cpu_alignment))
+(typeattributeset proc_cpuinfo_33_0 (proc_cpuinfo))
+(typeattributeset proc_dirty_33_0 (proc_dirty))
+(typeattributeset proc_diskstats_33_0 (proc_diskstats))
+(typeattributeset proc_drop_caches_33_0 (proc_drop_caches))
+(typeattributeset proc_extra_free_kbytes_33_0 (proc_extra_free_kbytes))
+(typeattributeset proc_filesystems_33_0 (proc_filesystems))
+(typeattributeset proc_fs_verity_33_0 (proc_fs_verity))
+(typeattributeset proc_hostname_33_0 (proc_hostname))
+(typeattributeset proc_hung_task_33_0 (proc_hung_task))
+(typeattributeset proc_interrupts_33_0 (proc_interrupts))
+(typeattributeset proc_iomem_33_0 (proc_iomem))
+(typeattributeset proc_kallsyms_33_0 (proc_kallsyms))
+(typeattributeset proc_keys_33_0 (proc_keys))
+(typeattributeset proc_kmsg_33_0 (proc_kmsg))
+(typeattributeset proc_kpageflags_33_0 (proc_kpageflags))
+(typeattributeset proc_loadavg_33_0 (proc_loadavg))
+(typeattributeset proc_locks_33_0 (proc_locks))
+(typeattributeset proc_lowmemorykiller_33_0 (proc_lowmemorykiller))
+(typeattributeset proc_max_map_count_33_0 (proc_max_map_count))
+(typeattributeset proc_meminfo_33_0 (proc_meminfo))
+(typeattributeset proc_min_free_order_shift_33_0 (proc_min_free_order_shift))
+(typeattributeset proc_misc_33_0 (proc_misc))
+(typeattributeset proc_modules_33_0 (proc_modules))
+(typeattributeset proc_mounts_33_0 (proc_mounts))
+(typeattributeset proc_net_33_0 (proc_net))
+(typeattributeset proc_net_tcp_udp_33_0 (proc_net_tcp_udp))
+(typeattributeset proc_overcommit_memory_33_0 (proc_overcommit_memory))
+(typeattributeset proc_page_cluster_33_0 (proc_page_cluster))
+(typeattributeset proc_pagetypeinfo_33_0 (proc_pagetypeinfo))
+(typeattributeset proc_panic_33_0 (proc_panic))
+(typeattributeset proc_perf_33_0 (proc_perf))
+(typeattributeset proc_pid_max_33_0 (proc_pid_max))
+(typeattributeset proc_pipe_conf_33_0 (proc_pipe_conf))
+(typeattributeset proc_pressure_cpu_33_0 (proc_pressure_cpu))
+(typeattributeset proc_pressure_io_33_0 (proc_pressure_io))
+(typeattributeset proc_pressure_mem_33_0 (proc_pressure_mem))
+(typeattributeset proc_qtaguid_ctrl_33_0 (proc_qtaguid_ctrl))
+(typeattributeset proc_qtaguid_stat_33_0 (proc_qtaguid_stat))
+(typeattributeset proc_random_33_0 (proc_random))
+(typeattributeset proc_sched_33_0 (proc_sched))
+(typeattributeset proc_security_33_0 (proc_security))
+(typeattributeset proc_slabinfo_33_0 (proc_slabinfo))
+(typeattributeset proc_stat_33_0 (proc_stat))
+(typeattributeset proc_swaps_33_0 (proc_swaps))
+(typeattributeset proc_sysrq_33_0 (proc_sysrq))
+(typeattributeset proc_timer_33_0 (proc_timer))
+(typeattributeset proc_tty_drivers_33_0 (proc_tty_drivers))
+(typeattributeset proc_uid_concurrent_active_time_33_0 (proc_uid_concurrent_active_time))
+(typeattributeset proc_uid_concurrent_policy_time_33_0 (proc_uid_concurrent_policy_time))
+(typeattributeset proc_uid_cpupower_33_0 (proc_uid_cpupower))
+(typeattributeset proc_uid_cputime_removeuid_33_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_33_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_33_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_33_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_33_0 (proc_uid_time_in_state))
+(typeattributeset proc_uptime_33_0 (proc_uptime))
+(typeattributeset proc_vendor_sched_33_0 (proc_vendor_sched))
+(typeattributeset proc_version_33_0 (proc_version))
+(typeattributeset proc_vmallocinfo_33_0 (proc_vmallocinfo))
+(typeattributeset proc_vmstat_33_0 (proc_vmstat))
+(typeattributeset proc_watermark_boost_factor_33_0 (proc_watermark_boost_factor))
+(typeattributeset proc_watermark_scale_factor_33_0 (proc_watermark_scale_factor))
+(typeattributeset proc_zoneinfo_33_0 (proc_zoneinfo))
+(typeattributeset processinfo_service_33_0 (processinfo_service))
+(typeattributeset procstats_service_33_0 (procstats_service))
+(typeattributeset profman_33_0 (profman))
+(typeattributeset profman_dump_data_file_33_0 (profman_dump_data_file))
+(typeattributeset profman_exec_33_0 (profman_exec))
+(typeattributeset properties_device_33_0 (properties_device))
+(typeattributeset properties_serial_33_0 (properties_serial))
+(typeattributeset property_contexts_file_33_0 (property_contexts_file))
+(typeattributeset property_data_file_33_0 (property_data_file))
+(typeattributeset property_info_33_0 (property_info))
+(typeattributeset property_service_version_prop_33_0 (property_service_version_prop))
+(typeattributeset property_socket_33_0 (property_socket))
+(typeattributeset provisioned_prop_33_0 (provisioned_prop))
+(typeattributeset pstorefs_33_0 (pstorefs))
+(typeattributeset ptmx_device_33_0 (ptmx_device))
+(typeattributeset qemu_hw_prop_33_0 (qemu_hw_prop))
+(typeattributeset qemu_sf_lcd_density_prop_33_0 (qemu_sf_lcd_density_prop))
+(typeattributeset qtaguid_device_33_0 (qtaguid_device))
+(typeattributeset racoon_33_0 (racoon))
+(typeattributeset racoon_exec_33_0 (racoon_exec))
+(typeattributeset racoon_socket_33_0 (racoon_socket))
+(typeattributeset radio_33_0 (radio))
+(typeattributeset radio_control_prop_33_0 (radio_control_prop))
+(typeattributeset radio_core_data_file_33_0 (radio_core_data_file))
+(typeattributeset radio_data_file_33_0 (radio_data_file))
+(typeattributeset radio_device_33_0 (radio_device))
+(typeattributeset radio_prop_33_0 (radio_prop))
+(typeattributeset radio_service_33_0 (radio_service))
+(typeattributeset ram_device_33_0 (ram_device))
+(typeattributeset random_device_33_0 (random_device))
+(typeattributeset reboot_readiness_service_33_0 (reboot_readiness_service))
+(typeattributeset rebootescrow_hal_prop_33_0 (rebootescrow_hal_prop))
+(typeattributeset recovery_33_0 (recovery))
+(typeattributeset recovery_block_device_33_0 (recovery_block_device))
+(typeattributeset recovery_config_prop_33_0 (recovery_config_prop))
+(typeattributeset recovery_data_file_33_0 (recovery_data_file))
+(typeattributeset recovery_persist_33_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_33_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_33_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_33_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_33_0 (recovery_service))
+(typeattributeset recovery_socket_33_0 (recovery_socket))
+(typeattributeset registry_service_33_0 (registry_service))
+(typeattributeset remotelyprovisionedkeypool_service_33_0 (remotelyprovisionedkeypool_service))
+(typeattributeset remoteprovisioning_service_33_0 (remoteprovisioning_service))
+(typeattributeset resourcecache_data_file_33_0 (resourcecache_data_file))
+(typeattributeset resources_manager_service_33_0 (resources_manager_service))
+(typeattributeset restorecon_prop_33_0 (restorecon_prop))
+(typeattributeset restrictions_service_33_0 (restrictions_service))
+(typeattributeset retaildemo_prop_33_0 (retaildemo_prop))
+(typeattributeset rild_debug_socket_33_0 (rild_debug_socket))
+(typeattributeset rild_socket_33_0 (rild_socket))
+(typeattributeset ringtone_file_33_0 (ringtone_file))
+(typeattributeset role_service_33_0 (role_service))
+(typeattributeset rollback_service_33_0 (rollback_service))
+(typeattributeset root_block_device_33_0 (root_block_device))
+(typeattributeset rootdisk_sysdev_33_0 (rootdisk_sysdev))
+(typeattributeset rootfs_33_0 (rootfs))
+(typeattributeset rpmsg_device_33_0 (rpmsg_device))
+(typeattributeset rs_33_0 (rs))
+(typeattributeset rs_exec_33_0 (rs_exec))
+(typeattributeset rss_hwm_reset_33_0 (rss_hwm_reset))
+(typeattributeset rtc_device_33_0 (rtc_device))
+(typeattributeset rttmanager_service_33_0 (rttmanager_service))
+(typeattributeset runas_33_0 (runas))
+(typeattributeset runas_app_33_0 (runas_app))
+(typeattributeset runas_exec_33_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_33_0 (runtime_event_log_tags_file))
+(typeattributeset runtime_service_33_0 (runtime_service))
+(typeattributeset safemode_prop_33_0 (safemode_prop))
+(typeattributeset same_process_hal_file_33_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_33_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_33_0 (scheduling_policy_service))
+(typeattributeset sdcard_block_device_33_0 (sdcard_block_device))
+(typeattributeset sdcardd_33_0 (sdcardd))
+(typeattributeset sdcardd_exec_33_0 (sdcardd_exec))
+(typeattributeset sdcardfs_33_0 (sdcardfs))
+(typeattributeset sdk_sandbox_service_33_0 (sdk_sandbox_service))
+(typeattributeset seapp_contexts_file_33_0 (seapp_contexts_file))
+(typeattributeset search_service_33_0 (search_service))
+(typeattributeset search_ui_service_33_0 (search_ui_service))
+(typeattributeset sec_key_att_app_id_provider_service_33_0 (sec_key_att_app_id_provider_service))
+(typeattributeset secure_element_33_0 (secure_element))
+(typeattributeset secure_element_device_33_0 (secure_element_device))
+(typeattributeset secure_element_service_33_0 (secure_element_service))
+(typeattributeset securityfs_33_0 (securityfs))
+(typeattributeset selection_toolbar_service_33_0 (selection_toolbar_service))
+(typeattributeset selinuxfs_33_0 (selinuxfs))
+(typeattributeset sendbug_config_prop_33_0 (sendbug_config_prop))
+(typeattributeset sensor_privacy_service_33_0 (sensor_privacy_service))
+(typeattributeset sensors_device_33_0 (sensors_device))
+(typeattributeset sensorservice_service_33_0 (sensorservice_service))
+(typeattributeset sepolicy_file_33_0 (sepolicy_file))
+(typeattributeset serial_device_33_0 (serial_device))
+(typeattributeset serial_service_33_0 (serial_service))
+(typeattributeset serialno_prop_33_0 (serialno_prop))
+(typeattributeset server_configurable_flags_data_file_33_0 (server_configurable_flags_data_file))
+(typeattributeset service_contexts_file_33_0 (service_contexts_file))
+(typeattributeset service_manager_service_33_0 (service_manager_service))
+(typeattributeset service_manager_vndservice_33_0 (service_manager_vndservice))
+(typeattributeset servicediscovery_service_33_0 (servicediscovery_service))
+(typeattributeset servicemanager_33_0 (servicemanager))
+(typeattributeset servicemanager_exec_33_0 (servicemanager_exec))
+(typeattributeset settings_service_33_0 (settings_service))
+(typeattributeset sgdisk_33_0 (sgdisk))
+(typeattributeset sgdisk_exec_33_0 (sgdisk_exec))
+(typeattributeset shared_relro_33_0 (shared_relro))
+(typeattributeset shared_relro_file_33_0 (shared_relro_file))
+(typeattributeset shell_33_0 (shell))
+(typeattributeset shell_data_file_33_0 (shell_data_file))
+(typeattributeset shell_exec_33_0 (shell_exec))
+(typeattributeset shell_prop_33_0 (shell_prop))
+(typeattributeset shell_test_data_file_33_0 (shell_test_data_file))
+(typeattributeset shm_33_0 (shm))
+(typeattributeset shortcut_manager_icons_33_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_33_0 (shortcut_service))
+(typeattributeset simpleperf_33_0 (simpleperf))
+(typeattributeset simpleperf_app_runner_33_0 (simpleperf_app_runner))
+(typeattributeset simpleperf_app_runner_exec_33_0 (simpleperf_app_runner_exec))
+(typeattributeset slice_service_33_0 (slice_service))
+(typeattributeset slideshow_33_0 (slideshow))
+(typeattributeset smart_idle_maint_enabled_prop_33_0 (smart_idle_maint_enabled_prop))
+(typeattributeset smartspace_service_33_0 (smartspace_service))
+(typeattributeset snapshotctl_log_data_file_33_0 (snapshotctl_log_data_file))
+(typeattributeset snapuserd_proxy_socket_33_0 (snapuserd_proxy_socket))
+(typeattributeset snapuserd_socket_33_0 (snapuserd_socket))
+(typeattributeset soc_prop_33_0 (soc_prop))
+(typeattributeset socket_device_33_0 (socket_device))
+(typeattributeset socket_hook_prop_33_0 (socket_hook_prop))
+(typeattributeset sockfs_33_0 (sockfs))
+(typeattributeset sota_prop_33_0 (sota_prop))
+(typeattributeset soundtrigger_middleware_service_33_0 (soundtrigger_middleware_service))
+(typeattributeset speech_recognition_service_33_0 (speech_recognition_service))
+(typeattributeset sqlite_log_prop_33_0 (sqlite_log_prop))
+(typeattributeset staged_install_file_33_0 (staged_install_file))
+(typeattributeset staging_data_file_33_0 (staging_data_file))
+(typeattributeset stats_data_file_33_0 (stats_data_file))
+(typeattributeset statsd_33_0 (statsd))
+(typeattributeset statsd_exec_33_0 (statsd_exec))
+(typeattributeset statsdw_socket_33_0 (statsdw_socket))
+(typeattributeset statusbar_service_33_0 (statusbar_service))
+(typeattributeset storage_config_prop_33_0 (storage_config_prop))
+(typeattributeset storage_file_33_0 (storage_file))
+(typeattributeset storage_stub_file_33_0 (storage_stub_file))
+(typeattributeset storaged_service_33_0 (storaged_service))
+(typeattributeset storagemanager_config_prop_33_0 (storagemanager_config_prop))
+(typeattributeset storagestats_service_33_0 (storagestats_service))
+(typeattributeset su_33_0 (su))
+(typeattributeset su_exec_33_0 (su_exec))
+(typeattributeset super_block_device_33_0 (super_block_device))
+(typeattributeset surfaceflinger_33_0 (surfaceflinger))
+(typeattributeset surfaceflinger_color_prop_33_0 (surfaceflinger_color_prop))
+(typeattributeset surfaceflinger_display_prop_33_0 (surfaceflinger_display_prop))
+(typeattributeset surfaceflinger_prop_33_0 (surfaceflinger_prop))
+(typeattributeset surfaceflinger_service_33_0 (surfaceflinger_service))
+(typeattributeset surfaceflinger_tmpfs_33_0 (surfaceflinger_tmpfs))
+(typeattributeset suspend_prop_33_0 (suspend_prop))
+(typeattributeset swap_block_device_33_0 (swap_block_device))
+(typeattributeset sysfs_33_0 (sysfs))
+(typeattributeset sysfs_android_usb_33_0 (sysfs_android_usb))
+(typeattributeset sysfs_batteryinfo_33_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_33_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devfreq_cur_33_0 (sysfs_devfreq_cur))
+(typeattributeset sysfs_devfreq_dir_33_0 (sysfs_devfreq_dir))
+(typeattributeset sysfs_devices_block_33_0 (sysfs_devices_block))
+(typeattributeset sysfs_devices_cs_etm_33_0 (sysfs_devices_cs_etm))
+(typeattributeset sysfs_devices_system_cpu_33_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_dm_33_0 (sysfs_dm))
+(typeattributeset sysfs_dm_verity_33_0 (sysfs_dm_verity))
+(typeattributeset sysfs_dma_heap_33_0 (sysfs_dma_heap))
+(typeattributeset sysfs_dmabuf_stats_33_0 (sysfs_dmabuf_stats))
+(typeattributeset sysfs_dt_firmware_android_33_0 (sysfs_dt_firmware_android))
+(typeattributeset sysfs_extcon_33_0 (sysfs_extcon))
+(typeattributeset sysfs_fs_ext4_features_33_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_fs_f2fs_33_0 (sysfs_fs_f2fs))
+(typeattributeset sysfs_fs_fuse_bpf_33_0 (sysfs_fs_fuse_bpf))
+(typeattributeset sysfs_fs_incfs_features_33_0 (sysfs_fs_incfs_features))
+(typeattributeset sysfs_fs_incfs_metrics_33_0 (sysfs_fs_incfs_metrics))
+(typeattributeset sysfs_gpu_33_0 (sysfs_gpu))
+(typeattributeset sysfs_hwrandom_33_0 (sysfs_hwrandom))
+(typeattributeset sysfs_ion_33_0 (sysfs_ion))
+(typeattributeset sysfs_ipv4_33_0 (sysfs_ipv4))
+(typeattributeset sysfs_kernel_notes_33_0 (sysfs_kernel_notes))
+(typeattributeset sysfs_leds_33_0 (sysfs_leds))
+(typeattributeset sysfs_loop_33_0 (sysfs_loop))
+(typeattributeset sysfs_lowmemorykiller_33_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_lru_gen_enabled_33_0 (sysfs_lru_gen_enabled))
+(typeattributeset sysfs_net_33_0 (sysfs_net))
+(typeattributeset sysfs_nfc_power_writable_33_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_power_33_0 (sysfs_power))
+(typeattributeset sysfs_rtc_33_0 (sysfs_rtc))
+(typeattributeset sysfs_suspend_stats_33_0 (sysfs_suspend_stats))
+(typeattributeset sysfs_switch_33_0 (sysfs_switch))
+(typeattributeset sysfs_thermal_33_0 (sysfs_thermal))
+(typeattributeset sysfs_transparent_hugepage_33_0 (sysfs_transparent_hugepage))
+(typeattributeset sysfs_uhid_33_0 (sysfs_uhid))
+(typeattributeset sysfs_uio_33_0 (sysfs_uio))
+(typeattributeset sysfs_usb_33_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_33_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vendor_sched_33_0 (sysfs_vendor_sched))
+(typeattributeset sysfs_vibrator_33_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_33_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wakeup_33_0 (sysfs_wakeup))
+(typeattributeset sysfs_wakeup_reasons_33_0 (sysfs_wakeup_reasons))
+(typeattributeset sysfs_wlan_fwpath_33_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_33_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_33_0 (sysfs_zram_uevent))
+(typeattributeset system_app_33_0 (system_app))
+(typeattributeset system_app_data_file_33_0 (system_app_data_file))
+(typeattributeset system_app_service_33_0 (system_app_service))
+(typeattributeset system_asan_options_file_33_0 (system_asan_options_file))
+(typeattributeset system_block_device_33_0 (system_block_device))
+(typeattributeset system_boot_reason_prop_33_0 (system_boot_reason_prop))
+(typeattributeset system_bootstrap_lib_file_33_0 (system_bootstrap_lib_file))
+(typeattributeset system_config_service_33_0 (system_config_service))
+(typeattributeset system_data_file_33_0 (system_data_file system_userdir_file))
+(typeattributeset system_data_root_file_33_0 (system_data_root_file))
+(typeattributeset system_dlkm_file_33_0 (system_dlkm_file))
+(typeattributeset system_event_log_tags_file_33_0 (system_event_log_tags_file))
+(typeattributeset system_file_33_0 (system_file))
+(typeattributeset system_group_file_33_0 (system_group_file))
+(typeattributeset system_jvmti_agent_prop_33_0 (system_jvmti_agent_prop))
+(typeattributeset system_lib_file_33_0 (system_lib_file))
+(typeattributeset system_linker_config_file_33_0 (system_linker_config_file))
+(typeattributeset system_linker_exec_33_0 (system_linker_exec))
+(typeattributeset system_lmk_prop_33_0 (system_lmk_prop))
+(typeattributeset system_ndebug_socket_33_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_33_0 (system_net_netd_hwservice))
+(typeattributeset system_passwd_file_33_0 (system_passwd_file))
+(typeattributeset system_prop_33_0 (system_prop))
+(typeattributeset system_seccomp_policy_file_33_0 (system_seccomp_policy_file))
+(typeattributeset system_security_cacerts_file_33_0 (system_security_cacerts_file))
+(typeattributeset system_server_33_0 (system_server))
+(typeattributeset system_server_dumper_service_33_0 (system_server_dumper_service))
+(typeattributeset system_server_tmpfs_33_0 (system_server_tmpfs))
+(typeattributeset system_suspend_control_internal_service_33_0 (system_suspend_control_internal_service))
+(typeattributeset system_suspend_control_service_33_0 (system_suspend_control_service))
+(typeattributeset system_suspend_hwservice_33_0 (system_suspend_hwservice))
+(typeattributeset system_trace_prop_33_0 (system_trace_prop))
+(typeattributeset system_unsolzygote_socket_33_0 (system_unsolzygote_socket))
+(typeattributeset system_update_service_33_0 (system_update_service))
+(typeattributeset system_wifi_keystore_hwservice_33_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_33_0 (system_wpa_socket))
+(typeattributeset system_zoneinfo_file_33_0 (system_zoneinfo_file))
+(typeattributeset systemkeys_data_file_33_0 (systemkeys_data_file))
+(typeattributeset systemsound_config_prop_33_0 (systemsound_config_prop))
+(typeattributeset tare_service_33_0 (tare_service))
+(typeattributeset task_profiles_api_file_33_0 (task_profiles_api_file))
+(typeattributeset task_profiles_file_33_0 (task_profiles_file))
+(typeattributeset task_service_33_0 (task_service))
+(typeattributeset tcpdump_exec_33_0 (tcpdump_exec))
+(typeattributeset tee_33_0 (tee))
+(typeattributeset tee_data_file_33_0 (tee_data_file))
+(typeattributeset tee_device_33_0 (tee_device))
+(typeattributeset telecom_service_33_0 (telecom_service))
+(typeattributeset telephony_config_prop_33_0 (telephony_config_prop))
+(typeattributeset telephony_status_prop_33_0 (telephony_status_prop))
+(typeattributeset test_boot_reason_prop_33_0 (test_boot_reason_prop))
+(typeattributeset test_harness_prop_33_0 (test_harness_prop))
+(typeattributeset testharness_service_33_0 (testharness_service))
+(typeattributeset tethering_service_33_0 (tethering_service))
+(typeattributeset textclassification_service_33_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_33_0 (textclassifier_data_file))
+(typeattributeset textservices_service_33_0 (textservices_service))
+(typeattributeset texttospeech_service_33_0 (texttospeech_service))
+(typeattributeset theme_prop_33_0 (theme_prop))
+(typeattributeset thermal_service_33_0 (thermal_service))
+(typeattributeset time_prop_33_0 (time_prop))
+(typeattributeset timedetector_service_33_0 (timedetector_service))
+(typeattributeset timezone_service_33_0 (timezone_service))
+(typeattributeset timezonedetector_service_33_0 (timezonedetector_service))
+(typeattributeset tmpfs_33_0 (tmpfs))
+(typeattributeset tombstone_config_prop_33_0 (tombstone_config_prop))
+(typeattributeset tombstone_data_file_33_0 (tombstone_data_file))
+(typeattributeset tombstone_wifi_data_file_33_0 (tombstone_wifi_data_file))
+(typeattributeset tombstoned_33_0 (tombstoned))
+(typeattributeset tombstoned_crash_socket_33_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_33_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_33_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_33_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_33_0 (toolbox))
+(typeattributeset toolbox_exec_33_0 (toolbox_exec))
+(typeattributeset trace_data_file_33_0 (trace_data_file))
+(typeattributeset traced_33_0 (traced))
+(typeattributeset traced_consumer_socket_33_0 (traced_consumer_socket))
+(typeattributeset traced_enabled_prop_33_0 (traced_enabled_prop))
+(typeattributeset traced_lazy_prop_33_0 (traced_lazy_prop))
+(typeattributeset traced_perf_33_0 (traced_perf))
+(typeattributeset traced_perf_socket_33_0 (traced_perf_socket))
+(typeattributeset traced_probes_33_0 (traced_probes))
+(typeattributeset traced_producer_socket_33_0 (traced_producer_socket))
+(typeattributeset traced_tmpfs_33_0 (traced_tmpfs))
+(typeattributeset traceur_app_33_0 (traceur_app))
+(typeattributeset translation_service_33_0 (translation_service))
+(typeattributeset trust_service_33_0 (trust_service))
+(typeattributeset tty_device_33_0 (tty_device))
+(typeattributeset tun_device_33_0 (tun_device))
+(typeattributeset tv_iapp_service_33_0 (tv_iapp_service))
+(typeattributeset tv_input_service_33_0 (tv_input_service))
+(typeattributeset tv_tuner_resource_mgr_service_33_0 (tv_tuner_resource_mgr_service))
+(typeattributeset tzdatacheck_33_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_33_0 (tzdatacheck_exec))
+(typeattributeset ueventd_33_0 (ueventd))
+(typeattributeset ueventd_tmpfs_33_0 (ueventd_tmpfs))
+(typeattributeset uhid_device_33_0 (uhid_device))
+(typeattributeset uimode_service_33_0 (uimode_service))
+(typeattributeset uio_device_33_0 (uio_device))
+(typeattributeset uncrypt_33_0 (uncrypt))
+(typeattributeset uncrypt_exec_33_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_33_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_33_0 (unencrypted_data_file))
+(typeattributeset unlabeled_33_0 (unlabeled))
+(typeattributeset untrusted_app_25_33_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_33_0 (untrusted_app_27))
+(typeattributeset untrusted_app_29_33_0 (untrusted_app_29))
+(typeattributeset untrusted_app_30_33_0 (untrusted_app_30))
+(typeattributeset untrusted_app_33_0 (untrusted_app))
+(typeattributeset update_engine_33_0 (update_engine))
+(typeattributeset update_engine_data_file_33_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_33_0 (update_engine_exec))
+(typeattributeset update_engine_log_data_file_33_0 (update_engine_log_data_file))
+(typeattributeset update_engine_service_33_0 (update_engine_service))
+(typeattributeset update_engine_stable_service_33_0 (update_engine_stable_service))
+(typeattributeset update_verifier_33_0 (update_verifier))
+(typeattributeset update_verifier_exec_33_0 (update_verifier_exec))
+(typeattributeset updatelock_service_33_0 (updatelock_service))
+(typeattributeset uri_grants_service_33_0 (uri_grants_service))
+(typeattributeset usagestats_service_33_0 (usagestats_service))
+(typeattributeset usb_config_prop_33_0 (usb_config_prop))
+(typeattributeset usb_control_prop_33_0 (usb_control_prop))
+(typeattributeset usb_device_33_0 (usb_device))
+(typeattributeset usb_prop_33_0 (usb_prop))
+(typeattributeset usb_serial_device_33_0 (usb_serial_device))
+(typeattributeset usb_service_33_0 (usb_service))
+(typeattributeset usbaccessory_device_33_0 (usbaccessory_device))
+(typeattributeset usbd_33_0 (usbd))
+(typeattributeset usbd_exec_33_0 (usbd_exec))
+(typeattributeset usbfs_33_0 (usbfs))
+(typeattributeset use_memfd_prop_33_0 (use_memfd_prop))
+(typeattributeset user_profile_data_file_33_0 (user_profile_data_file))
+(typeattributeset user_profile_root_file_33_0 (user_profile_root_file))
+(typeattributeset user_service_33_0 (user_service))
+(typeattributeset userdata_block_device_33_0 (userdata_block_device))
+(typeattributeset userdata_sysdev_33_0 (userdata_sysdev))
+(typeattributeset usermodehelper_33_0 (usermodehelper))
+(typeattributeset userspace_reboot_config_prop_33_0 (userspace_reboot_config_prop))
+(typeattributeset userspace_reboot_exported_prop_33_0 (userspace_reboot_exported_prop))
+(typeattributeset userspace_reboot_metadata_file_33_0 (userspace_reboot_metadata_file))
+(typeattributeset uwb_service_33_0 (uwb_service))
+(typeattributeset vcn_management_service_33_0 (vcn_management_service))
+(typeattributeset vd_device_33_0 (vd_device))
+(typeattributeset vdc_33_0 (vdc))
+(typeattributeset vdc_exec_33_0 (vdc_exec))
+(typeattributeset vehicle_hal_prop_33_0 (vehicle_hal_prop))
+(typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
+(typeattributeset vendor_app_file_33_0 (vendor_app_file))
+(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
+(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
+(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
+(typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
+(typeattributeset vendor_file_33_0 (vendor_file))
+(typeattributeset vendor_framework_file_33_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_33_0 (vendor_hal_file))
+(typeattributeset vendor_idc_file_33_0 (vendor_idc_file))
+(typeattributeset vendor_init_33_0 (vendor_init))
+(typeattributeset vendor_kernel_modules_33_0 (vendor_kernel_modules))
+(typeattributeset vendor_keychars_file_33_0 (vendor_keychars_file))
+(typeattributeset vendor_keylayout_file_33_0 (vendor_keylayout_file))
+(typeattributeset vendor_misc_writer_33_0 (vendor_misc_writer))
+(typeattributeset vendor_misc_writer_exec_33_0 (vendor_misc_writer_exec))
+(typeattributeset vendor_modprobe_33_0 (vendor_modprobe))
+(typeattributeset vendor_overlay_file_33_0 (vendor_overlay_file))
+(typeattributeset vendor_public_framework_file_33_0 (vendor_public_framework_file))
+(typeattributeset vendor_public_lib_file_33_0 (vendor_public_lib_file))
+(typeattributeset vendor_security_patch_level_prop_33_0 (vendor_security_patch_level_prop))
+(typeattributeset vendor_service_contexts_file_33_0 (vendor_service_contexts_file))
+(typeattributeset vendor_shell_33_0 (vendor_shell))
+(typeattributeset vendor_shell_exec_33_0 (vendor_shell_exec))
+(typeattributeset vendor_socket_hook_prop_33_0 (vendor_socket_hook_prop))
+(typeattributeset vendor_task_profiles_file_33_0 (vendor_task_profiles_file))
+(typeattributeset vendor_toolbox_exec_33_0 (vendor_toolbox_exec))
+(typeattributeset vendor_uuid_mapping_config_file_33_0 (vendor_uuid_mapping_config_file))
+(typeattributeset vendor_vm_data_file_33_0 (vendor_vm_data_file))
+(typeattributeset vendor_vm_file_33_0 (vendor_vm_file))
+(typeattributeset vfat_33_0 (vfat))
+(typeattributeset vibrator_manager_service_33_0 (vibrator_manager_service))
+(typeattributeset vibrator_service_33_0 (vibrator_service))
+(typeattributeset video_device_33_0 (video_device))
+(typeattributeset virtual_ab_prop_33_0 (virtual_ab_prop))
+(typeattributeset virtual_device_service_33_0 (virtual_device_service))
+(typeattributeset virtual_touchpad_33_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_33_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_33_0 (virtual_touchpad_service))
+(typeattributeset virtualization_service_33_0 (virtualization_service))
+(typeattributeset vndbinder_device_33_0 (vndbinder_device))
+(typeattributeset vndk_prop_33_0 (vndk_prop))
+(typeattributeset vndk_sp_file_33_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_33_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_33_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_33_0 (voiceinteraction_service))
+(typeattributeset vold_33_0 (vold))
+(typeattributeset vold_config_prop_33_0 (vold_config_prop))
+(typeattributeset vold_data_file_33_0 (vold_data_file))
+(typeattributeset vold_device_33_0 (vold_device))
+(typeattributeset vold_exec_33_0 (vold_exec))
+(typeattributeset vold_metadata_file_33_0 (vold_metadata_file))
+(typeattributeset vold_post_fs_data_prop_33_0 (vold_post_fs_data_prop))
+(typeattributeset vold_prepare_subdirs_33_0 (vold_prepare_subdirs))
+(typeattributeset vold_prepare_subdirs_exec_33_0 (vold_prepare_subdirs_exec))
+(typeattributeset vold_prop_33_0 (vold_prop))
+(typeattributeset vold_service_33_0 (vold_service))
+(typeattributeset vold_status_prop_33_0 (vold_status_prop))
+(typeattributeset vpn_data_file_33_0 (vpn_data_file))
+(typeattributeset vpn_management_service_33_0 (vpn_management_service))
+(typeattributeset vr_hwc_service_33_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_33_0 (vr_manager_service))
+(typeattributeset vrflinger_vsync_service_33_0 (vrflinger_vsync_service))
+(typeattributeset vts_config_prop_33_0 (vts_config_prop))
+(typeattributeset vts_status_prop_33_0 (vts_status_prop))
+(typeattributeset wallpaper_effects_generation_service_33_0 (wallpaper_effects_generation_service))
+(typeattributeset wallpaper_file_33_0 (wallpaper_file))
+(typeattributeset wallpaper_service_33_0 (wallpaper_service))
+(typeattributeset watchdog_device_33_0 (watchdog_device))
+(typeattributeset watchdog_metadata_file_33_0 (watchdog_metadata_file))
+(typeattributeset watchdogd_33_0 (watchdogd))
+(typeattributeset watchdogd_exec_33_0 (watchdogd_exec))
+(typeattributeset webview_zygote_33_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_33_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_tmpfs_33_0 (webview_zygote_tmpfs))
+(typeattributeset webviewupdate_service_33_0 (webviewupdate_service))
+(typeattributeset wifi_config_prop_33_0 (wifi_config_prop))
+(typeattributeset wifi_data_file_33_0 (wifi_data_file))
+(typeattributeset wifi_hal_prop_33_0 (wifi_hal_prop))
+(typeattributeset wifi_key_33_0 (wifi_key))
+(typeattributeset wifi_log_prop_33_0 (wifi_log_prop))
+(typeattributeset wifi_prop_33_0 (wifi_prop))
+(typeattributeset wifi_service_33_0 (wifi_service))
+(typeattributeset wifiaware_service_33_0 (wifiaware_service))
+(typeattributeset wificond_33_0 (wificond))
+(typeattributeset wificond_exec_33_0 (wificond_exec))
+(typeattributeset wifinl80211_service_33_0 (wifinl80211_service))
+(typeattributeset wifip2p_service_33_0 (wifip2p_service))
+(typeattributeset wifiscanner_service_33_0 (wifiscanner_service))
+(typeattributeset window_service_33_0 (window_service))
+(typeattributeset wpa_socket_33_0 (wpa_socket))
+(typeattributeset wpantund_33_0 (wpantund))
+(typeattributeset wpantund_exec_33_0 (wpantund_exec))
+(typeattributeset wpantund_service_33_0 (wpantund_service))
+(typeattributeset zero_device_33_0 (zero_device))
+(typeattributeset zoneinfo_data_file_33_0 (zoneinfo_data_file))
+(typeattributeset zram_config_prop_33_0 (zram_config_prop))
+(typeattributeset zram_control_prop_33_0 (zram_control_prop))
+(typeattributeset zygote_33_0 (zygote))
+(typeattributeset zygote_config_prop_33_0 (zygote_config_prop))
+(typeattributeset zygote_exec_33_0 (zygote_exec))
+(typeattributeset zygote_socket_33_0 (zygote_socket))
+(typeattributeset zygote_tmpfs_33_0 (zygote_tmpfs))
diff --git a/private/compat/33.0/33.0.compat.cil b/private/compat/33.0/33.0.compat.cil
new file mode 100644
index 0000000..628abfc
--- /dev/null
+++ b/private/compat/33.0/33.0.compat.cil
@@ -0,0 +1 @@
+;; This file can't be empty.
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
new file mode 100644
index 0000000..3beb247
--- /dev/null
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -0,0 +1,11 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ device_config_vendor_system_native_prop
+ virtual_face_hal_prop
+ virtual_fingerprint_hal_prop
+ ))
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
new file mode 100644
index 0000000..01504ee
--- /dev/null
+++ b/private/compos_fd_server.te
@@ -0,0 +1,26 @@
+# Make ART inputs and outputs available to the CompOS VM
+type compos_fd_server, domain, coredomain;
+
+# Allow access to open fds inherited from composd
+allow compos_fd_server composd:fd use;
+
+# Allow creating new files and directories in the staging directory.
+allow compos_fd_server apex_art_staging_data_file:dir create_dir_perms;
+allow compos_fd_server apex_art_staging_data_file:file create_file_perms;
+
+# Allow creating new files and directories in the artifacts directory.
+allow compos_fd_server apex_art_data_file:dir create_dir_perms;
+allow compos_fd_server apex_art_data_file:file create_file_perms;
+
+# Use a pipe to signal readiness
+allow compos_fd_server composd:fifo_file write;
+
+# TODO(b/196109647) - remove this when no longer needed by minijail
+allow compos_fd_server composd:fifo_file read;
+
+# Create a listening vsock for the VM to connect back to
+allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Only composd can enter the domain via exec
+neverallow { domain -composd } compos_fd_server:process transition;
+neverallow * compos_fd_server:process dyntransition;
diff --git a/private/compos_verify.te b/private/compos_verify.te
new file mode 100644
index 0000000..0a281f8
--- /dev/null
+++ b/private/compos_verify.te
@@ -0,0 +1,23 @@
+# Run by odsign to verify a CompOS signature
+type compos_verify, domain, coredomain;
+type compos_verify_exec, exec_type, file_type, system_file_type;
+
+# Start a VM
+binder_use(compos_verify);
+virtualizationservice_use(compos_verify);
+
+# Access instance image files
+allow compos_verify apex_module_data_file:dir search;
+r_dir_file(compos_verify, apex_compos_data_file)
+
+# Read CompOS info & signature files
+allow compos_verify apex_art_data_file:dir search;
+allow compos_verify apex_art_data_file:file r_file_perms;
+
+# Allow odsign to redirect our stdout/stderr to log
+allow compos_verify odsign:fd use;
+allow compos_verify odsign_devpts:chr_file { read write };
+
+# Only odsign can enter the domain via exec
+neverallow { domain -odsign } compos_verify:process transition;
+neverallow * compos_verify:process dyntransition;
diff --git a/private/composd.te b/private/composd.te
new file mode 100644
index 0000000..d007d66
--- /dev/null
+++ b/private/composd.te
@@ -0,0 +1,37 @@
+type composd, domain, coredomain;
+type composd_exec, system_file_type, exec_type, file_type;
+
+# Host dynamic AIDL services
+init_daemon_domain(composd)
+binder_use(composd)
+add_service(composd, compos_service)
+
+# Call back into system server
+binder_call(composd, system_server)
+
+# Start a VM
+virtualizationservice_use(composd)
+
+# Prepare staging directory for odrefresh
+allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
+allow composd apex_art_staging_data_file:file { getattr unlink };
+
+# Delete files in the odrefresh target directory
+allow composd apex_art_data_file:file unlink;
+
+# Access our APEX data files
+allow composd apex_module_data_file:dir search;
+allow composd apex_compos_data_file:dir create_dir_perms;
+allow composd apex_compos_data_file:file create_file_perms;
+
+# Run fd_server in its own domain, and send SIGTERM when finished.
+domain_auto_trans(composd, fd_server_exec, compos_fd_server)
+allow composd compos_fd_server:process signal;
+
+# Read ART's properties
+get_prop(composd, dalvik_config_prop)
+get_prop(composd, device_config_runtime_native_boot_prop)
+
+# We never create any artifact files directly
+neverallow composd apex_art_data_file:file ~unlink;
diff --git a/private/coredomain.te b/private/coredomain.te
index b7f4f5d..e4c9a52 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -37,6 +37,7 @@
-init
# generic access to sysfs_type
+ -apexd
-ueventd
-vold
} sysfs_leds:file *;
@@ -75,6 +76,7 @@
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
+ userdebug_or_eng(`-simpleperf_boot')
-system_server
-traced_perf
-mediaserver
@@ -120,6 +122,7 @@
-zygote
-heapprofd
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} vendor_overlay_file:file open;
')
@@ -137,6 +140,7 @@
# /sys
neverallow {
coredomain
+ -apexd
-init
-ueventd
-vold
@@ -145,6 +149,7 @@
# /dev
neverallow {
coredomain
+ -apexd
-fsck
-init
-ueventd
@@ -173,6 +178,7 @@
-system_server
-traceur_app
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
@@ -187,7 +193,6 @@
-bootstat
-charger
-dumpstate
- -healthd
userdebug_or_eng(`-incidentd')
-init
-logd
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 9233a4d..90ffeb5 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -8,6 +8,7 @@
-apexd
-bpfloader
-crash_dump
+ -diced
-init
-kernel
-keystore
@@ -40,6 +41,7 @@
apexd
userdebug_or_eng(`-apexd')
bpfloader
+ diced
init
kernel
keystore
diff --git a/private/credstore.te b/private/credstore.te
index 8d87e2f..c410d76 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -4,3 +4,9 @@
# talk to Identity Credential
hal_client_domain(credstore, hal_identity)
+
+# talk to keymint, specifically for IRemotelyProvisionedComponent/default
+hal_client_domain(credstore, hal_keymint)
+
+# credstore needs to get keys from the remotely provisioned pool
+allow credstore remotelyprovisionedkeypool_service:service_manager find;
diff --git a/private/crosvm.te b/private/crosvm.te
index 5d7080a..e47abd7 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -2,15 +2,104 @@
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
-# Let crosvm create temporary files.
-tmpfs_domain(crosvm)
-
-# Let crosvm receive file descriptors from virtmanager.
-allow crosvm virtmanager:fd use;
-
# Let crosvm open /dev/kvm.
allow crosvm kvm_device:chr_file rw_file_perms;
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
+neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
+
+# Let crosvm mlock VM memory and page tables.
+allow crosvm self:capability ipc_lock;
+
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from VirtualizationService.
+allow crosvm virtualizationservice:fd use;
+
+# Allow sending VirtualizationService the failure reason from the VM via pipe.
+allow crosvm virtualizationservice:fifo_file write;
+
+# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
+# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
+# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
+# the files are passed as file descriptors.
+allow crosvm {
+ virtualizationservice_data_file
+ staging_data_file
+ apk_data_file
+ app_data_file
+ apex_compos_data_file
+ shell_data_file
+}:file { getattr read ioctl lock };
+
+# Allow searching the directory where the composite disk images are.
+allow crosvm virtualizationservice_data_file:dir search;
+
+# Don't allow crosvm to open files that it doesn't own.
+# This is important because a malicious application could try to start a VM with a composite disk
+# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
+# open them on its behalf. By preventing crosvm from opening any other files we prevent this
+# potential privilege escalation. See http://b/192453819 for more discussion.
+neverallow crosvm {
+ virtualizationservice_data_file
+ staging_data_file
+ apk_data_file
+ app_data_file
+ userdebug_or_eng(`-shell_data_file')
+}:file open;
+
+# The instance image and the composite image should be writable as well because they could represent
+# mutable disks.
+allow crosvm {
+ virtualizationservice_data_file
+ app_data_file
+ apex_compos_data_file
+}:file write;
+
+# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
+allow crosvm adbd:fd use;
+allow crosvm adbd:unix_stream_socket { read write };
+
+# For ACPI
+allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
+# compliance tests and demo apps. Write access to instance.img is particularily important because
+# the VM has to initialize the disk image on its first boot. Note that open access is still not
+# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
+# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
+allow crosvm shell_data_file:file write;
+
+# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
+full_treble_only(`
+ neverallow crosvm {
+ vendor_file_type
+ -vendor_vm_file
+ -vendor_vm_data_file
+ # These types are not required for crosvm, but the access is granted to globally in domain.te
+ # thus should be exempted here.
+ -vendor_configs_file
+ -vndk_sp_file
+ -vendor_task_profiles_file
+ }:file *;
+')
+
+# app_data_file and shell_data_file is the only app_data_file_type that is
+# allowed for crosvm to read. Note that the use of app_data_file is allowed
+# only for the instance disk image. This is enforced inside the
+# virtualizationservice by checking the file context of all disk image files.
+neverallow crosvm {
+ app_data_file_type
+ -app_data_file
+ -shell_data_file
+}:file read;
+
+# Only virtualizationservice can run crosvm
+neverallow {
+ domain
+ -crosvm
+ -virtualizationservice
+} crosvm_exec:file no_x_file_perms;
diff --git a/private/diced.te b/private/diced.te
new file mode 100644
index 0000000..b37809c
--- /dev/null
+++ b/private/diced.te
@@ -0,0 +1,6 @@
+typeattribute diced coredomain;
+
+init_daemon_domain(diced)
+
+# Talk to dice HAL.
+hal_client_domain(diced, hal_dice)
diff --git a/private/dmesgd.te b/private/dmesgd.te
new file mode 100644
index 0000000..7a12882
--- /dev/null
+++ b/private/dmesgd.te
@@ -0,0 +1,15 @@
+type dmesgd, domain, coredomain;
+type dmesgd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(dmesgd)
+
+allow dmesgd dmesgd_data_file:dir create_dir_perms;
+allow dmesgd dmesgd_data_file:file create_file_perms;
+
+allow dmesgd kernel:system syslog_read;
+allow dmesgd shell_exec:file rx_file_perms;
+allow dmesgd toolbox_exec:file rx_file_perms;
+binder_use(dmesgd)
+binder_call(dmesgd, system_server)
+allow dmesgd dropbox_service:service_manager find;
+allow dmesgd proc_version:file r_file_perms;
diff --git a/private/domain.te b/private/domain.te
index b91d36d..f95df34 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -112,6 +112,26 @@
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -fastbootd
+ -hal_bootctl_server
+ -init
+ -uncrypt
+ -update_engine
+ -vendor_init
+ -vendor_misc_writer
+ -vold
+ -recovery
+ -ueventd
+ -mtectrl
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
neverallow {
@@ -121,6 +141,7 @@
-dumpstate
userdebug_or_eng(`-incidentd')
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
@@ -203,8 +224,31 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
+neverallow {
+ domain
+ -init
+ -system_server
+ -apexd
+ -installd
+ -iorap_inode2filename
+ -priv_app
+ -virtualizationservice
+} staging_data_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_app
+ -system_server
+ -apexd
+ -adbd
+ -kernel
+ -installd
+ -iorap_inode2filename
+ -priv_app
+ -shell
+ -virtualizationservice
+ -crosvm
+} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
@@ -282,7 +326,9 @@
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
neverallow {
domain
- # art processes
+ # art-related processes
+ -composd
+ -compos_fd_server
-odrefresh
-odsign
# others
@@ -293,7 +339,9 @@
neverallow {
domain
- # art processes
+ # art-related processes
+ -composd
+ -compos_fd_server
-odrefresh
-odsign
# others
@@ -354,8 +402,8 @@
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
+# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
+# set of domains need this capability, including device-specific domains.
neverallow {
domain
-apexd
@@ -369,6 +417,7 @@
-zygote
} { fs_type
-sdcard_type
+ -fusefs_type
}:filesystem { mount remount relabelfrom relabelto };
enforce_debugfs_restriction(`
@@ -386,7 +435,6 @@
-init
-recovery
-ueventd
- -healthd
-uncrypt
-tee
-hal_bootctl_server
@@ -396,6 +444,7 @@
# Limit directory operations that doesn't need to do app data isolation.
neverallow {
domain
+ -fsck
-init
-installd
-zygote
@@ -429,6 +478,7 @@
-iorap_inode2filename
-iorap_prefetcherd
-kernel
+ userdebug_or_eng(`-simpleperf_boot')
-traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
@@ -450,6 +500,7 @@
-init
-tombstoned # linker to tombstoned
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced')
userdebug_or_eng(`-traced_perf')
});
')
@@ -461,6 +512,7 @@
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
-crash_dump
+ -crosvm # loads vendor-specific disk images
-init # starts vendor executables
-iorap_inode2filename
-iorap_prefetcherd
@@ -468,6 +520,7 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-shell
+ userdebug_or_eng(`-simpleperf_boot')
-system_executes_vendor_violators
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
@@ -487,6 +540,7 @@
-vendor_public_framework_file
-vendor_public_lib_file
-vendor_task_profiles_file
+ -vendor_uuid_mapping_config_file
-vndk_sp_file
}:file *;
')
@@ -518,6 +572,7 @@
-init
userdebug_or_eng(`-profcollectd')
-vendor_init
+ userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
@@ -539,3 +594,40 @@
-tracefs_type
}:file no_rw_file_perms;
')
+
+# Restrict write access to etm sysfs interface.
+neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
+
+# Restrict write access to shell owned files. The /data/local/tmp directory is
+# untrustworthy, and non-allowed domains should not be trusting any content in
+# those directories. We allow shell files to be passed around by file
+# descriptor, but not directly opened.
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -installd
+ userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-virtualizationservice')
+ userdebug_or_eng(`-crosvm')
+} shell_data_file:file open;
+
+# respect system_app sandboxes
+neverallow {
+ domain
+ -appdomain # finer-grained rules for appdomain are listed below
+ -system_server #populate com.android.providers.settings/databases/settings.db.
+ -installd # creation of app sandbox
+ -iorap_inode2filename
+ -traced_probes # resolve inodes for i/o tracing.
+ # only needs open and read, the rest is neverallow in
+ # traced_probes.te.
+} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ untrusted_app_all # finer-grained rules for appdomain are listed below
+ ephemeral_app
+ priv_app
+ sdk_sandbox
+} system_app_data_file:dir_file_class_set { create unlink open };
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 4fad585..149d389 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -6,6 +6,10 @@
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
+# Create tmpfs files for using memfd descriptors to get output from child
+# processes.
+tmpfs_domain(dumpstate)
+
# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;
@@ -116,3 +120,6 @@
# /dev/null.
allow perfetto dumpstate_tmpfs:file rw_file_perms;
allow perfetto dumpstate:fd use;
+
+# system_dlkm_file for /system_dlkm partition
+allow dumpstate system_dlkm_file:dir getattr;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e004891..3b916e2 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -17,7 +17,7 @@
app_domain(ephemeral_app)
# Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
@@ -87,8 +87,8 @@
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
diff --git a/private/evsmanagerd.te b/private/evsmanagerd.te
new file mode 100644
index 0000000..3772628
--- /dev/null
+++ b/private/evsmanagerd.te
@@ -0,0 +1,39 @@
+# evsmanager
+typeattribute evsmanagerd coredomain;
+typeattribute evsmanagerd evsmanager_service_server;
+
+type evsmanagerd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(evsmanagerd);
+
+# Declares as a binder service
+binder_service(evsmanagerd)
+
+# Allows to add a service to service_manager
+add_service(evsmanagerd, evsmanagerd_service)
+
+# Allows to use the binder IPC
+binder_use(evsmanagerd)
+
+# Allows binder IPCs to the various system services
+binder_call(evsmanagerd, system_server)
+
+# Allows to use EVS HAL implementations
+hal_client_domain(evsmanagerd, hal_evs)
+
+# Allows to write messages to the shell
+allow evsmanagerd shell:fd use;
+allow evsmanagerd shell:fifo_file write;
+
+# Allows to use the graphics allocator
+allow evsmanagerd hal_graphics_allocator:fd use;
+
+# Allows to use a bootstrap statsd
+allow evsmanagerd statsbootstrap_service:service_manager find;
+
+# Allows binder IPCs to the CarService
+binder_call(evsmanagerd, appdomain)
+
+# For HIDL evs manager implementation
+allow evsmanagerd hal_evs_hwservice:hwservice_manager add;
+allow evsmanagerd hidl_base_hwservice:hwservice_manager add;
diff --git a/private/extra_free_kbytes.te b/private/extra_free_kbytes.te
new file mode 100644
index 0000000..af3088b
--- /dev/null
+++ b/private/extra_free_kbytes.te
@@ -0,0 +1,3 @@
+typeattribute extra_free_kbytes coredomain;
+
+init_daemon_domain(extra_free_kbytes)
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 40b3945..2c65281 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -22,6 +22,7 @@
# Determine allocation scheme (whether B partitions needs to be
# at the second half of super.
get_prop(fastbootd, virtual_ab_prop)
+ get_prop(fastbootd, snapuserd_prop)
# Needed for TCP protocol
allow fastbootd node:tcp_socket node_bind;
diff --git a/private/file.te b/private/file.te
index a024600..1afa50f 100644
--- a/private/file.te
+++ b/private/file.te
@@ -19,6 +19,9 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
+type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
@@ -30,6 +33,9 @@
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_ce/checkin for checkin apps.
+type checkin_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
@@ -43,22 +49,60 @@
type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/apexdata/com.android.art
-type apex_art_data_file, file_type, data_file_type, core_data_file_type;
+type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/misc/apexdata/com.android.art/staging
type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/apexdata/com.android.compos
+type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
+# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
+# for backward compatibility b/217581286
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
# /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dmesgd
+type dmesgd_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/odrefresh
type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/odsign_metrics
+type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/virtualizationservice
+type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
+# /data/bootanim
+type bootanim_data_file, file_type, data_file_type, core_data_file_type;
+
# /dev/kvm
type kvm_device, dev_type;
+
+# /apex/com.android.virt/bin/fd_server
+type fd_server_exec, system_file_type, exec_type, file_type;
+
+# /apex/com.android.compos/bin/compsvc
+type compos_exec, exec_type, file_type, system_file_type;
+# /apex/com.android.compos/bin/compos_key_helper
+type compos_key_helper_exec, exec_type, file_type, system_file_type;
+
+# /metadata/sepolicy
+type sepolicy_metadata_file, file_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index e4d4b70..0c45a88 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -19,6 +19,7 @@
# For kernel modules
/lib(/.*)? u:object_r:rootfs:s0
+/system_dlkm(/.*)? u:object_r:system_dlkm_file:s0
# Empty directories
/lost\+found u:object_r:rootfs:s0
@@ -48,29 +49,21 @@
# SELinux policy files
/vendor_file_contexts u:object_r:file_contexts_file:s0
-/nonplat_file_contexts u:object_r:file_contexts_file:s0
/plat_file_contexts u:object_r:file_contexts_file:s0
/product_file_contexts u:object_r:file_contexts_file:s0
/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
-/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
/product_property_contexts u:object_r:property_contexts_file:s0
-/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
-/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-# Use nonplat_service_contexts_file to allow servicemanager to read it
-# on non full-treble devices.
-/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0
-/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
@@ -162,6 +155,7 @@
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
/dev/socket/snapuserd u:object_r:snapuserd_socket:s0
+/dev/socket/snapuserd_proxy u:object_r:snapuserd_proxy_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
@@ -177,6 +171,7 @@
/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/sys/block/by-name/rootdisk(/.*)? u:object_r:rootdisk_sysdev:s0
/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
@@ -203,6 +198,15 @@
# Linker configuration
#
/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
+
+# Apex sepoolicy files.
+/dev/selinux/apex_file_contexts u:object_r:file_contexts_file:s0
+/dev/selinux/apex_seapp_contexts u:object_r:seapp_contexts_file:s0
+/dev/selinux/apex_service_contexts u:object_r:service_contexts_file:s0
+/dev/selinux/apex_property_contexts u:object_r:property_contexts_file:s0
+/dev/selinux/apex_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/dev/selinux/apex_mac_permissions\.xml u:object_r:mac_perms_file:s0
+
#############################
# System files
#
@@ -221,6 +225,7 @@
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
+/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
/system/bin/init u:object_r:init_exec:s0
@@ -276,6 +281,7 @@
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/keystore2 u:object_r:keystore_exec:s0
+/system/bin/diced u:object_r:diced_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
@@ -283,15 +289,15 @@
/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
/system/bin/sdcard u:object_r:sdcardd_exec:s0
/system/bin/snapshotctl u:object_r:snapshotctl_exec:s0
+/system/bin/remount u:object_r:remount_exec:s0
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
+/system/bin/dmesgd u:object_r:dmesgd_exec:s0
/system/bin/mtpd u:object_r:mtp_exec:s0
/system/bin/pppd u:object_r:ppp_exec:s0
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
-/system/bin/healthd u:object_r:healthd_exec:s0
-/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
@@ -356,13 +362,12 @@
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
-/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
-/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
+/system/bin/btfloader u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
@@ -373,6 +378,9 @@
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
+/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
+/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
+/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
#############################
# Vendor files
@@ -404,8 +412,6 @@
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-
/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
#############################
@@ -422,6 +428,10 @@
/(odm|vendor/odm)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
+# secure-element service: vendor uuid mapping config file
+/(odm|vendor/odm|vendor|system/vendor)/etc/hal_uuid_map_(.*)?\.xml u:object_r:vendor_uuid_mapping_config_file:s0
+
+
# Input configuration
/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
@@ -449,7 +459,7 @@
/(product|system/product)(/.*)? u:object_r:system_file:s0
/(product|system/product)/etc/group u:object_r:system_group_file:s0
/(product|system/product)/etc/passwd u:object_r:system_passwd_file:s0
-/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(product|system/product)/overlay(/.*)? u:object_r:system_file:s0
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
@@ -478,8 +488,10 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
/(system_ext|system/system_ext)/etc/selinux/userdebug_plat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
-/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
@@ -488,12 +500,14 @@
# This includes VENDOR Dynamically Loadable Kernel Modules and other misc files.
#
/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)(/.*)? u:object_r:vendor_file:s0
+/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)/etc(/.*)? u:object_r:vendor_configs_file:s0
#############################
# OdmDlkm files
# This includes ODM Dynamically Loadable Kernel Modules and other misc files.
#
/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)(/.*)? u:object_r:vendor_file:s0
+/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)/etc(/.*)? u:object_r:vendor_configs_file:s0
#############################
# Vendor files from /(product|system/product)/vendor_overlay
@@ -513,6 +527,7 @@
/data/(.*)? u:object_r:system_data_file:s0
/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
+/data/system/game_mode_intervention\.list u:object_r:game_mode_intervention_list_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
@@ -548,7 +563,8 @@
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
-/data/media(/.*)? u:object_r:media_rw_data_file:s0
+/data/media u:object_r:media_userdir_file:s0
+/data/media/.* u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
@@ -565,15 +581,24 @@
/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
/data/fonts/files(/.*)? u:object_r:font_data_file:s0
+/data/misc_ce u:object_r:system_userdir_file:s0
+/data/misc_de u:object_r:system_userdir_file:s0
+/data/system_ce u:object_r:system_userdir_file:s0
+/data/system_de u:object_r:system_userdir_file:s0
+/data/user u:object_r:system_userdir_file:s0
+/data/user_de u:object_r:system_userdir_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
-/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
-/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_scheduling_data_file:s0
-/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
+/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
+/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0
@@ -591,6 +616,7 @@
/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dhcp-6\.8\.2(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/dmesgd(/.*)? u:object_r:dmesgd_data_file:s0
/data/misc/emergencynumberdb(/.*)? u:object_r:emergency_data_file:s0
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
@@ -605,6 +631,7 @@
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
+/data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
@@ -623,6 +650,7 @@
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
+/data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
@@ -644,13 +672,18 @@
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
-/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0
-/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_ce u:object_r:vendor_userdir_file:s0
+/data/vendor_ce/.* u:object_r:vendor_data_file:s0
+/data/vendor_de u:object_r:vendor_userdir_file:s0
+/data/vendor_de/.* u:object_r:vendor_data_file:s0
# storaged proto files
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
+# checkin data files
+/data/misc_ce/[0-9]+/checkin(/.*)? u:object_r:checkin_data_file:s0
+
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
@@ -674,11 +707,13 @@
# Apex data directories
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)? u:object_r:apex_appsearch_data_file:s0
-/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
-/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
# Apex rollback directories
/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
@@ -690,11 +725,22 @@
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
+# Boot animation data
+/data/bootanim(/.*)? u:object_r:bootanim_data_file:s0
#############################
# Expanded data files
#
-/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
-/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
+/mnt/expand u:object_r:mnt_expand_file:s0
+# CAREFUL: the two system_data_file patterns below can't be replaced with one
+# pattern "/mnt/expand/[^/]+(/.*)?", since SELinux would prioritize that over
+# "/mnt/expand/[^/]+/user". This is because when a path is matched by two
+# patterns that contain regex meta-characters, SELinux just chooses the longer
+# pattern (or the later pattern if the patterns are the same length), rather
+# than the pattern containing fewer regex meta-characters. Splitting the
+# pattern into "/mnt/expand/[^/]+" and "/mnt/expand/[^/]+/.*" works around this
+# problem, except for 1-character filenames which we aren't using.
+/mnt/expand/[^/]+ u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/.* u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
@@ -702,8 +748,13 @@
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/media u:object_r:media_userdir_file:s0
+/mnt/expand/[^/]+/media/.* u:object_r:media_rw_data_file:s0
/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
+/mnt/expand/[^/]+/misc_ce u:object_r:system_userdir_file:s0
+/mnt/expand/[^/]+/misc_de u:object_r:system_userdir_file:s0
+/mnt/expand/[^/]+/user u:object_r:system_userdir_file:s0
+/mnt/expand/[^/]+/user_de u:object_r:system_userdir_file:s0
# coredump directory for userdebug/eng devices
/cores(/.*)? u:object_r:coredump_file:s0
@@ -779,6 +830,7 @@
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
+/metadata/sepolicy(/.*)? u:object_r:sepolicy_metadata_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 6b15a35..54ecd45 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -9,8 +9,10 @@
set_prop(flags_health_check, device_config_input_native_boot_prop)
set_prop(flags_health_check, device_config_lmkd_native_prop)
set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_nnapi_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_mglru_native_prop)
set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
set_prop(flags_health_check, device_config_statsd_native_prop)
set_prop(flags_health_check, device_config_statsd_native_boot_prop)
@@ -20,6 +22,9 @@
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
set_prop(flags_health_check, device_config_configuration_prop)
set_prop(flags_health_check, device_config_connectivity_prop)
+set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 42d142f..e069233 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -6,9 +6,8 @@
# Allow to read /proc/keys for searching key id.
allow fsverity_init proc_keys:file r_file_perms;
-# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
-dontaudit fsverity_init init:key view;
-dontaudit fsverity_init vold:key view;
+# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
+dontaudit fsverity_init domain:key view;
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };
diff --git a/private/fwk_bufferhub.te b/private/fwk_bufferhub.te
index 6b69cca..5286f3e 100644
--- a/private/fwk_bufferhub.te
+++ b/private/fwk_bufferhub.te
@@ -4,5 +4,4 @@
hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
allow fwk_bufferhub ion_device:chr_file r_file_perms;
-hal_server_domain(fwk_bufferhub, hal_bufferhub)
init_daemon_domain(fwk_bufferhub)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 13bfb46..1c604fc 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -7,6 +7,7 @@
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
@@ -43,6 +44,7 @@
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
+genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
@@ -73,8 +75,10 @@
genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
@@ -86,6 +90,8 @@
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
+genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
+genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
@@ -117,7 +123,7 @@
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /class/block u:object_r:sysfs_block:s0
+genfscon sysfs /class/gpu u:object_r:sysfs_gpu:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
@@ -143,6 +149,7 @@
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
+genfscon sysfs /fs/fuse/bpf_prog_type_fuse u:object_r:sysfs_fs_fuse_bpf:s0
genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
@@ -156,6 +163,7 @@
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
+genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
@@ -227,6 +235,12 @@
genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /synthetic_events u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/synthetic_events u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
+
genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
@@ -250,6 +264,7 @@
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
@@ -314,6 +329,7 @@
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
@@ -363,6 +379,7 @@
genfscon binder /vndbinder u:object_r:vndbinder_device:s0
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+genfscon binder /features u:object_r:binderfs_features:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
@@ -379,3 +396,4 @@
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
+genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 571d155..114c184 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -5,6 +5,11 @@
app_domain(gmscore_app)
+# TODO(b/217368496): remove this.
+perfetto_producer(gmscore_app)
+can_profile_heap(gmscore_app)
+can_profile_perf(gmscore_app)
+
allow gmscore_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(gmscore_app, sysfs_net)
@@ -31,6 +36,12 @@
# Allow GMS core to communicate with statsd.
binder_call(gmscore_app, statsd)
+# Allow GMS core to receive Perfetto traces through the framework
+# (i.e. TracingServiceProxy) and sendfile them into its private directory
+# for reporting when network and battery conditions are appropriate.
+allow gmscore_app perfetto:fd use;
+allow gmscore_app perfetto_traces_data_file:file { read getattr };
+
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
@@ -118,9 +129,13 @@
allow gmscore_app cache_file:lnk_file r_file_perms;
# Write to /data/ota_package for OTA packages.
-allow gmscore_app ota_package_file:dir rw_dir_perms;
+allow gmscore_app ota_package_file:dir create_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;
+# Write the checkin metadata to /data/misc_ce/<userid>/checkin
+allow gmscore_app checkin_data_file:dir rw_dir_perms;
+allow gmscore_app checkin_data_file:file create_file_perms;
+
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow gmscore_app shell_data_file:file r_file_perms;
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 2e4254c..76a2370 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -1,5 +1,7 @@
# gpuservice - server for gpu stats and other gpu related services
typeattribute gpuservice coredomain;
+typeattribute gpuservice bpfdomain;
+
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
@@ -51,11 +53,11 @@
neverallow gpuservice self:perf_event ~{ cpu kernel open write };
# Needed for interact with bpf fs.
-allow gpuservice fs_bpf:dir search;
-allow gpuservice fs_bpf:file read;
+# Write is needed to open read/write bpf maps.
+allow gpuservice fs_bpf:file { read write };
-# Needed for enable the bpf program and read the map.
-allow gpuservice bpfloader:bpf { map_read prog_run };
+# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
+allow gpuservice bpfloader:bpf { map_read map_write prog_run };
# Needed for getting a prop to ensure bpf programs loaded.
get_prop(gpuservice, bpf_progs_loaded_prop)
diff --git a/private/gsid.te b/private/gsid.te
index 8a13cb1..e795cea 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -48,15 +48,22 @@
# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
-allow gsid proc_cmdline:file r_file_perms;
+read_fstab(gsid)
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;
# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir r_dir_perms;
+# Allow querying the size of super_block_device_type.
+allow gsid super_block_device_type:blk_file r_file_perms;
+
# liblp queries these block alignment properties.
-allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
+allowxperm gsid {
+ userdata_block_device
+ sdcard_block_device
+ super_block_device_type
+}:blk_file ioctl {
BLKIOMIN
BLKALIGNOFF
};
@@ -84,7 +91,7 @@
# gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
allow gsid { shell su }:fifo_file r_file_perms;
# Allow installing images from /storage/emulated/...
- allow gsid sdcard_type:file r_file_perms;
+ allow gsid { sdcard_type fuse }:file r_file_perms;
')
neverallow {
diff --git a/private/healthd.te b/private/healthd.te
index 93bc3d8..cf422ed 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -1,12 +1 @@
typeattribute healthd coredomain;
-
-init_daemon_domain(healthd)
-
-# Allow healthd to serve health HAL
-hal_server_domain(healthd, hal_health)
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
-set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported3_system_prop)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 5b6e79d..4a44dc5 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -41,6 +41,7 @@
android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
android.hardware.tests.lazy::ILazy u:object_r:hal_lazy_test_hwservice:s0
+android.hardware.tests.lazy_cb::ILazyCb u:object_r:hal_lazy_test_hwservice:s0
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index 918ffda..c1314a8 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -150,6 +150,9 @@
dontaudit incidentd apex_art_data_file:dir r_dir_perms;
dontaudit incidentd tmpfs:file rwx_file_perms;
+# Allow incidentd to read /apex/apex-info-list.xml
+allow incidentd apex_info_file:file r_file_perms;
+
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
diff --git a/private/init.te b/private/init.te
index 200780d..997a184 100644
--- a/private/init.te
+++ b/private/init.te
@@ -3,7 +3,6 @@
tmpfs_domain(init)
# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
@@ -14,8 +13,10 @@
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, fastbootd)
+ domain_trans(init, rootfs, hal_health_server)
domain_trans(init, rootfs, recovery)
domain_trans(init, rootfs, linkerconfig)
+ domain_trans(init, rootfs, servicemanager)
domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
@@ -43,10 +44,10 @@
allow init sysfs_loop:file rw_file_perms;
# Allow init to examine the properties of block devices.
-allow init sysfs_block_type:file { getattr read };
-# Allow init access /dev/block
-allow init bdev_type:dir r_dir_perms;
-allow init bdev_type:blk_file getattr;
+allow init sysfs_type:file { getattr read };
+# Allow init get the attributes of block devices in /dev/block.
+allow init dev_type:dir r_dir_perms;
+allow init dev_type:blk_file getattr;
# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;
@@ -107,6 +108,11 @@
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
+# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
+# attempt to write a non exisiting 'synthetic_events' file, when setting
+# up synthetic events. This is a no-op in tracefs.
+dontaudit init debugfs_tracing_debug:dir { write add_name };
+
# chown/chmod on devices.
allow init {
dev_type
diff --git a/private/installd.te b/private/installd.te
index 726e5aa..251a14f 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -46,3 +46,5 @@
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
+
+allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 71749c0..828ffb1 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
@@ -33,7 +33,7 @@
# neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
+allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
@@ -72,7 +72,7 @@
#####
# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
+neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
@@ -110,10 +110,10 @@
# Do not allow isolated_app to access external storage, except for files passed
# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
+neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
@@ -136,7 +136,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
+neverallow isolated_app { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/kernel.te b/private/kernel.te
index 5341163..6775b3b 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -31,3 +31,19 @@
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+ file_contexts_file
+ hwservice_contexts_file
+ mac_perms_file
+ property_contexts_file
+ seapp_contexts_file
+ sepolicy_test_file
+ service_contexts_file
+}:file relabelto;
diff --git a/private/keys.conf b/private/keys.conf
index 362e73d..30739f9 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -11,6 +11,9 @@
[@PLATFORM]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
+[@SDK_SANDBOX]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/sdk_sandbox.x509.pem
+
[@MEDIA]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
diff --git a/private/keystore.te b/private/keystore.te
index 8842224..78c0198 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -17,6 +17,9 @@
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
+# Allow keystore to check if the system is rkp only.
+get_prop(keystore, remote_prov_prop)
+
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
@@ -25,10 +28,9 @@
get_prop(keystore, keystore_listen_prop)
-# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
+# Keystore needs to transfer binder references to vold so that it
# can call keystore methods on those references.
allow keystore vold:binder transfer;
-allow keystore wait_for_keymaster:binder transfer;
# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
# system property, an exception is added for init as well.
diff --git a/private/llkd.te b/private/llkd.te
index f218dec..8512e85 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -23,6 +23,7 @@
allow llkd {
domain
-apexd
+ -diced
-kernel
-keystore
-init
@@ -41,7 +42,7 @@
# live lock watchdog process allowed to dump process trace and
# reboot because orderly shutdown may not be possible.
-allow llkd proc_sysrq:file w_file_perms;
+allow llkd proc_sysrq:file rw_file_perms;
allow llkd kmsg_device:chr_file w_file_perms;
### neverallow rules
diff --git a/private/lmkd.te b/private/lmkd.te
index aee1b7f..51d6204 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,4 +1,5 @@
typeattribute lmkd coredomain;
+typeattribute lmkd bpfdomain;
init_daemon_domain(lmkd)
@@ -11,7 +12,6 @@
# Get persist.device_config.lmk_native.* properties.
get_prop(lmkd, device_config_lmkd_native_prop)
-allow lmkd fs_bpf:dir search;
allow lmkd fs_bpf:file read;
allow lmkd bpfloader:bpf map_read;
diff --git a/private/logd.te b/private/logd.te
index 7112c4f..62d4196 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -10,6 +10,8 @@
neverallow logd {
file_type
-runtime_event_log_tags_file
+ # shell_data_file access is needed to dump bugreports
+ -shell_data_file
userdebug_or_eng(`-coredump_file -misc_logd_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
@@ -39,3 +41,11 @@
userdebug_or_eng(`-su')
-system_app
} runtime_event_log_tags_file:file no_rw_file_perms;
+
+# Only binder communication between logd and system_server is allowed
+binder_use(logd)
+binder_service(logd)
+binder_call(logd, system_server)
+
+add_service(logd, logd_service)
+allow logd logcat_service:service_manager find;
diff --git a/private/logpersist.te b/private/logpersist.te
index ab2c9c6..e151810 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -15,6 +15,7 @@
control_logd(logpersist)
unix_socket_connect(logpersist, logdr, logd)
+ get_prop(logpersist, logd_prop)
read_runtime_log_tags(logpersist)
')
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 7fc37c1..ec3df0f 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -51,6 +51,11 @@
<seinfo value="platform" />
</signer>
+ <!-- Sdk Sandbox key -->
+ <signer signature="@SDK_SANDBOX" >
+ <seinfo value="sdk_sandbox" />
+ </signer>
+
<!-- Media key in AOSP -->
<signer signature="@MEDIA" >
<seinfo value="media" />
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 78bbdb0..545d9ea 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -39,6 +39,7 @@
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;
allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
+allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_ALLOC;
# MtpServer sets sys.usb.ffs.mtp.ready
get_prop(mediaprovider, ffs_config_prop)
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 742da1f..dc6882b 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -1,7 +1,7 @@
###
### A domain for further sandboxing the MediaProvider mainline module.
###
-type mediaprovider_app, domain, coredomain;
+type mediaprovider_app, domain, coredomain, bpfdomain;
app_domain(mediaprovider_app)
@@ -12,6 +12,7 @@
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
# Allow MediaProvider to read/write media_rw_data_file files and dirs
+allow mediaprovider_app media_userdir_file:dir r_dir_perms;
allow mediaprovider_app media_rw_data_file:file create_file_perms;
allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
@@ -21,6 +22,9 @@
# Talk to the MediaServer service
allow mediaprovider_app mediaserver_service:service_manager find;
+# Talk to the AudioServer service
+allow mediaprovider_app audioserver_service:service_manager find;
+
# Talk to the MediaCodec APIs that log media metrics
allow mediaprovider_app mediametrics_service:service_manager find;
@@ -56,6 +60,12 @@
get_prop(mediaprovider_app, drm_service_config_prop)
-allow mediaprovider_app gpu_device:dir search;
+allow mediaprovider_app gpu_device:chr_file rw_file_perms;
+allow mediaprovider_app gpu_device:dir r_dir_perms;
dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
+dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
+
+# bpfprog access for FUSE BPF
+allow mediaprovider_app fs_bpf:file read;
+allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 073e81d..829d948 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -1,5 +1,4 @@
# mediatranscoding - daemon for transcoding video and image.
-type mediatranscoding, domain;
type mediatranscoding_exec, system_file_type, exec_type, file_type;
type mediatranscoding_tmpfs, file_type;
typeattribute mediatranscoding coredomain;
@@ -43,7 +42,8 @@
# Allow mediatranscoding to access the DMA-BUF system heap
allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediatranscoding gpu_device:dir search;
+allow mediatranscoding gpu_device:chr_file rw_file_perms;
+allow mediatranscoding gpu_device:dir r_dir_perms;
# Allow mediatranscoding service to access media-related system properties
get_prop(mediatranscoding, media_config_prop)
@@ -62,4 +62,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
+neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/private/mtectrl.te b/private/mtectrl.te
index a89edda..436dcae 100644
--- a/private/mtectrl.te
+++ b/private/mtectrl.te
@@ -1,4 +1,5 @@
# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
+type mtectrl, domain, coredomain;
type mtectrl_exec, system_file_type, exec_type, file_type;
init_daemon_domain(mtectrl)
diff --git a/private/net.te b/private/net.te
new file mode 100644
index 0000000..25bd538
--- /dev/null
+++ b/private/net.te
@@ -0,0 +1,17 @@
+# Bind to ports.
+allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
+
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+ netdomain
+ -ephemeral_app
+ -mediaprovider
+ -sdk_sandbox
+ -untrusted_app_all
+} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
diff --git a/private/netd.te b/private/netd.te
index 670a4bf..30dcd08 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,20 +1,18 @@
typeattribute netd coredomain;
+typeattribute netd bpfdomain;
init_daemon_domain(netd)
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-# Allow netd to start clatd in its own domain and kill it
-domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
-
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
+# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;
set_prop(netd, ctl_mdnsd_prop)
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index ca3b515..af0360f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -1,4 +1,5 @@
typeattribute netutils_wrapper coredomain;
+typeattribute netutils_wrapper bpfdomain;
r_dir_file(netutils_wrapper, system_file);
@@ -17,13 +18,13 @@
# For netutils (ndc) to be able to talk to netd
allow netutils_wrapper netd_service:service_manager find;
allow netutils_wrapper dnsresolver_service:service_manager find;
+allow netutils_wrapper mdns_service:service_manager find;
binder_use(netutils_wrapper);
binder_call(netutils_wrapper, netd);
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper fs_bpf:dir search;
allow netutils_wrapper fs_bpf:file { read write };
allow netutils_wrapper bpfloader:bpf prog_run;
diff --git a/private/network_stack.te b/private/network_stack.te
index 09a98b5..b105938 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,7 @@
# Networking service app
-typeattribute network_stack coredomain, mlstrustedsubject;
+typeattribute network_stack coredomain;
+typeattribute network_stack mlstrustedsubject;
+typeattribute network_stack bpfdomain;
app_domain(network_stack);
net_domain(network_stack);
@@ -22,6 +24,7 @@
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
+allow network_stack mdns_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack network_watchlist_service:service_manager find;
allow network_stack radio_service:service_manager find;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3db1ae8..d716309 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -34,27 +34,27 @@
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
-# Do not audit unused resources from parent processes (adb, shell, su).
-# These appear to be unnecessary for odrefresh.
-dontaudit odrefresh { adbd shell }:fd use;
-dontaudit odrefresh devpts:chr_file rw_file_perms;
-dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
-
# Allow odrefresh to read /apex/apex-info-list.xml to determine
# whether current apex is in /system or /data.
allow odrefresh apex_info_file:file r_file_perms;
-# No other processes should be creating files in the staging area.
-neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
-
-# No processes other than init, odrefresh and system_server access
-# odrefresh_data_files.
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
# Allow updating boot animation status.
set_prop(odrefresh, bootanim_system_prop)
# Allow query ART device config properties
get_prop(odrefresh, device_config_runtime_native_prop)
get_prop(odrefresh, device_config_runtime_native_boot_prop)
+
+# Do not audit unused resources from parent processes (adb, shell, su).
+# These appear to be unnecessary for odrefresh.
+dontaudit odrefresh { adbd shell }:fd use;
+dontaudit odrefresh devpts:chr_file rw_file_perms;
+dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
+
+# No other processes should be creating files in the staging area.
+neverallow { domain -init -odrefresh -compos_fd_server } apex_art_staging_data_file:file open;
+
+# No processes other than init, odrefresh and system_server access
+# odrefresh_data_files.
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
diff --git a/private/odsign.te b/private/odsign.te
index c6c7808..f06795c 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -13,6 +13,10 @@
allow odsign odsign_data_file:dir create_dir_perms;
allow odsign odsign_data_file:file create_file_perms;
+# Allow using persistent storage in /data/odsign/metrics - to add metrics related files
+allow odsign odsign_metrics_file:dir rw_dir_perms;
+allow odsign odsign_metrics_file:file create_file_perms;
+
# Create and use pty created by android_fork_execvp().
create_pty(odsign)
@@ -41,7 +45,7 @@
# For ART apex data dir access
allow odsign apex_module_data_file:dir { getattr search };
-allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
allow odsign apex_art_data_file:file { rw_file_perms unlink };
# Run odrefresh to refresh ART artifacts
@@ -50,6 +54,9 @@
# Run fsverity_init to add key to fsverity keyring
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+# Run compos_verify to verify CompOs signatures
+domain_auto_trans(odsign, compos_verify_exec, compos_verify)
+
# only odsign can set odsign sysprop
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;
@@ -58,5 +65,5 @@
set_prop(odsign, ctl_odsign_prop)
# Neverallows
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
diff --git a/private/perfetto.te b/private/perfetto.te
index f9693da..0904a67 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -8,6 +8,9 @@
tmpfs_domain(perfetto);
+# Allow init to start a trace (for perfetto_boottrace).
+init_daemon_domain(perfetto)
+
# Allow to access traced's privileged consumer socket.
unix_socket_connect(perfetto, traced_consumer, traced)
@@ -19,10 +22,10 @@
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
-# Allow to access binder to pass the traces to Dropbox.
+# Allow perfetto to access the proxy service for reporting traces.
+allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
binder_call(perfetto, system_server)
-allow perfetto dropbox_service:service_manager find;
# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
# shell and adb can write files into that directory.
@@ -49,6 +52,7 @@
allow perfetto devpts:chr_file rw_file_perms;
# Allow perfetto to ask incidentd to start a report.
+# TODO(lalitm): remove all incidentd rules when proxy service is stable.
allow perfetto incident_service:service_manager find;
binder_call(perfetto, incidentd)
@@ -65,7 +69,31 @@
###
### Neverallow rules
###
-### perfetto should NEVER do any of this
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -dumpstate # For attaching traces to bugreports.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+ -priv_app # For stating traces for bug-report UI.
+} perfetto_traces_data_file:dir *;
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
@@ -82,6 +110,9 @@
data_file_type
-system_data_file
-system_data_root_file
+ -media_userdir_file
+ -system_userdir_file
+ -vendor_userdir_file
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
diff --git a/private/platform_app.te b/private/platform_app.te
index f746f1c..b723633 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -39,6 +39,11 @@
# com.android.systemui
allow platform_app rootfs:dir getattr;
+get_prop(platform_app, radio_cdma_ecm_prop)
+userdebug_or_eng(`
+ set_prop(platform_app, persist_wm_debug_prop)
+')
+neverallow { domain -init -dumpstate userdebug_or_eng(`-domain') } persist_wm_debug_prop:property_service set;
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
@@ -71,6 +76,12 @@
# Allow platform apps to log via statsd.
binder_call(platform_app, statsd)
+# Allow platform applications to find and call artd for testing
+userdebug_or_eng(`
+ allow platform_app artd_service:service_manager find;
+ binder_call(platform_app, artd)
+')
+
# Access to /data/preloads
allow platform_app preloads_data_file:file r_file_perms;
allow platform_app preloads_data_file:dir r_dir_perms;
@@ -102,6 +113,13 @@
# Allow platform apps to act as Perfetto producers.
perfetto_producer(platform_app)
+# TODO(b/217368496): remove this.
+can_profile_heap(platform_app)
+can_profile_perf(platform_app)
+
+# Allow platform apps to create VMs
+virtualizationservice_use(platform_app)
+
###
### Neverallow rules
###
diff --git a/private/priv_app.te b/private/priv_app.te
index 3ceb7a3..c7d6ab1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -79,11 +79,20 @@
# usual bugreport .zip file). This is used by the bug reporting UI to tell if
# the bugreport will contain a system trace or not while the bugreport is still
# in progress.
+allow priv_app wm_trace_data_file:dir r_dir_perms;
+allow priv_app wm_trace_data_file:file getattr;
allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
# Required to traverse the parent dir (/data/misc/perfetto-traces).
allow priv_app perfetto_traces_data_file:dir { search };
+# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
+# the framework (i.e. TracingServiceProxy) and sendfile them into their private
+# directories for reporting when network and battery conditions are
+# appropriate.
+allow priv_app perfetto:fd use;
+allow priv_app perfetto_traces_data_file:file { read getattr };
+
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
@@ -260,3 +269,6 @@
# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };
+
+# Allow reporting off body events to keystore.
+allow priv_app keystore:keystore2 report_off_body;
diff --git a/private/profcollectd.te b/private/profcollectd.te
index efde321..f83d4a8 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -23,7 +23,7 @@
allow profcollectd vendor_file:dir r_dir_perms;
allow profcollectd vendor_kernel_modules:file r_file_perms;
- # Allow profcollectd to read system bootstrap libs.
+ # Allow profcollectd to read (but not execute) system bootstrap libs.
allow profcollectd system_bootstrap_lib_file:dir search;
allow profcollectd system_bootstrap_lib_file:file r_file_perms;
@@ -48,8 +48,13 @@
# Allow profcollectd to publish a binder service and make binder calls.
binder_use(profcollectd)
+ # Allow profcollectd to call callbacks registered by system_server when ETM is ready.
+ binder_call(profcollectd, system_server)
add_service(profcollectd, profcollectd_service)
+ # Allow profcollectd to request wakelock from system-suspend.
+ wakelock_use(profcollectd)
+
# Allow to temporarily lift the kptr_restrict setting and get kernel start address
# by reading /proc/kallsyms, get module start address by reading /proc/modules.
set_prop(profcollectd, lower_kptr_restrict_prop)
diff --git a/private/property.te b/private/property.te
index 77e1a7d..2a88cbf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,7 +1,9 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
+system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
@@ -11,6 +13,7 @@
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(dmesgd_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
@@ -29,8 +32,10 @@
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
+system_internal_prop(remote_prov_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
+system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
@@ -39,6 +44,10 @@
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
+system_internal_prop(virtualizationservice_prop)
+
+# Properties which can't be written outside system
+system_restricted_prop(device_config_virtualization_framework_native_prop)
###
### Neverallow rules
@@ -370,6 +379,15 @@
}:property_service set;
neverallow {
+ # Only allow init to set apexd_payload_metadata_prop
+ domain
+ -init
+} {
+ apexd_payload_metadata_prop
+}:property_service set;
+
+
+neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
domain
-init
@@ -394,9 +412,9 @@
libc_debug_prop
}:property_service set;
-# Allow the shell to set MTE props, so that non-root users with adb shell
-# access can control the settings on their device.
-# Allow system apps to set MTE props, so Developer Options can set them.
+# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
+# shell access can control the settings on their device. Allow system apps to
+# set MTE props, so Developer Options can set them.
neverallow {
domain
-init
@@ -404,6 +422,7 @@
-system_app
} {
arm64_memtag_prop
+ gwp_asan_prop
}:property_service set;
neverallow {
@@ -542,6 +561,7 @@
domain
-init
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
} {
@@ -594,6 +614,13 @@
neverallow domain system_and_vendor_property_type:{file property_service} *;
neverallow {
+ # Only init and the remote provisioner can set the ro.remote_provisioning.* props
+ domain
+ -init
+ -remote_prov_app
+} remote_prov_prop:property_service set;
+
+neverallow {
# Only allow init and shell to set rollback_test_prop
domain
-init
diff --git a/private/property_contexts b/private/property_contexts
index f235b35..b45cd0f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -44,6 +44,8 @@
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
+persist.simpleperf.profile_app_uid u:object_r:shell_prop:s0
+persist.simpleperf.profile_app_expiration_time u:object_r:shell_prop:s0
security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
@@ -52,8 +54,10 @@
persist.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
+persist.nfc. u:object_r:nfc_prop:s0
persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
+persist.debug.user_mode_emulation u:object_r:system_user_mode_emulation_prop:s0
logd. u:object_r:logd_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
@@ -67,8 +71,10 @@
persist.profcollectd.node_id u:object_r:profcollectd_node_id_prop:s0 exact string
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
+persist.sys.tap_gesture u:object_r:gesture_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
persist.sys.fflag.override.settings_dynamic_system u:object_r:dynamic_system_prop:s0
+dynamic_system.data_transfer.shared_memory.size u:object_r:dynamic_system_prop:s0 exact uint
ro.sys.safemode u:object_r:safemode_prop:s0
persist.sys.audit_safemode u:object_r:safemode_prop:s0
persist.sys.dalvik.jvmtiagent u:object_r:system_jvmti_agent_prop:s0
@@ -98,6 +104,7 @@
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
wrap. u:object_r:zygote_wrap_prop:s0 prefix string
+persist.wm.debug. u:object_r:persist_wm_debug_prop:s0
# Suspend service properties
suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
@@ -240,15 +247,25 @@
persist.device_config.lmkd_native. u:object_r:device_config_lmkd_native_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
+persist.device_config.nnapi_native. u:object_r:device_config_nnapi_native_prop:s0
persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
+persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+# F2FS smart idle maint prop
+persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
+
+# MGLRU experiment prop
+persist.device_config.mglru_native.lru_gen_config u:object_r:device_config_mglru_native_prop:s0 exact enum none core core_and_mm_walk core_and_nonleaf_young all
+
# MM Events config props
persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
@@ -259,8 +276,10 @@
apexd.config.dm_delete.timeout u:object_r:apexd_config_prop:s0 exact uint
apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint
persist.apexd. u:object_r:apexd_prop:s0
+persist.vendor.apex. u:object_r:apexd_select_prop:s0
+ro.boot.vendor.apex. u:object_r:apexd_select_prop:s0
-bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
+bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0 exact bool
gsid. u:object_r:gsid_prop:s0
ro.gsid. u:object_r:gsid_prop:s0
@@ -281,10 +300,17 @@
sys.boot_from_charger_mode u:object_r:charger_status_prop:s0 exact int
ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
-# Virtual A/B properties
+# Virtual A/B and snapuserd properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.xor.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
+snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.test.io_uring.force_disable u:object_r:snapuserd_prop:s0 exact bool
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
@@ -326,11 +352,15 @@
# Boolean property used in AudioService to configure whether
# spatializer functionality should be initialized
ro.audio.spatializer_enabled u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioService to configure whether
+# to enable head tracking for spatial audio
+ro.audio.headtracking_enabled u:object_r:audio_config_prop:s0 exact bool
persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
+camera.disable_preview_scheduler u:object_r:camera_config_prop:s0 exact bool
camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
@@ -367,7 +397,6 @@
dalvik.vm.dex2oat-minidebuginfo u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-resolve-startup-strings u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-updatable-bcp-packages-file u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-very-large u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat64.enabled u:object_r:dalvik_config_prop:s0 exact bool
@@ -432,6 +461,7 @@
media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
+media.resolution.limit.32bit u:object_r:media_config_prop:s0 exact int
media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
media.stagefright.enable-fma2dp u:object_r:media_config_prop:s0 exact bool
@@ -446,8 +476,56 @@
persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
+persist.bluetooth.btsnoopdefaultmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
+persist.bluetooth.btsnooplogmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
+persist.bluetooth.factoryreset u:object_r:bluetooth_prop:s0 exact bool
+
+bluetooth.hardware.power.operating_voltage_mv u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+
+bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
+
+bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+
+bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
+
+bluetooth.profile.a2dp.sink.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.a2dp.source.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.asha.central.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.avrcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.avrcp.target.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.broadcast.assist.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.broadcast.source.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.unicast.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bas.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bass.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.ccp.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.csip.set_coordinator.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.gatt.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hfp.ag.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hfp.hf.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hid.device.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hid.host.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.map.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.map.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.mcp.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.opp.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pan.nap.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pan.panu.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.vcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+
+persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
+persist.radio.allow_mock_modem u:object_r:radio_control_prop:s0 exact bool
persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
@@ -516,6 +594,7 @@
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
@@ -530,12 +609,14 @@
ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_complete_stall_ms u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.stall_limit_critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.swap_util_max u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit_decay u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.use_minfree_levels u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.use_new_strategy u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.upgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
lmkd.reinit u:object_r:lmkd_prop:s0 exact int
@@ -589,8 +670,11 @@
vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+dmesgd.start u:object_r:dmesgd_start_prop:s0 exact bool
+
odsign.key.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.success u:object_r:odsign_prop:s0 exact bool
@@ -645,8 +729,14 @@
libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
+# GWP-ASan props. Separate from other libc.debug.* props, because we want users
+# to be able to set them from `adb shell` even on release devices.
+libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+
# shell-only props for ARM memory tagging (MTE).
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
+persist.arm64.memtag.app_default u:object_r:arm64_memtag_prop:s0 exact string
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
@@ -676,7 +766,9 @@
ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
# Properties specific to virtualized deployments of Android
+ro.boot.hypervisor.protected_vm.supported u:object_r:hypervisor_prop:s0 exact bool
ro.boot.hypervisor.version u:object_r:hypervisor_prop:s0 exact string
+ro.boot.hypervisor.vm.supported u:object_r:hypervisor_prop:s0 exact bool
# These ro.X properties are set to values of ro.boot.X by property_service.
ro.baseband u:object_r:bootloader_prop:s0 exact string
@@ -851,6 +943,7 @@
ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.fingerprint_has_digest u:object_r:build_vendor_prop:s0 exact bool
ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
@@ -881,6 +974,7 @@
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.api_level u:object_r:build_vendor_prop:s0 exact int
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
@@ -904,7 +998,7 @@
ro.product.property_source_order u:object_r:build_config_prop:s0 exact string
ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
-ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
+ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file managed none
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
@@ -970,6 +1064,7 @@
ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.egl_legacy u:object_r:graphics_config_prop:s0 exact string
ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
@@ -1169,6 +1264,10 @@
ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
+# Allows a device to run without batch attestation keys
+remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
@@ -1179,11 +1278,19 @@
partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
partition.product.verified u:object_r:verity_status_prop:s0 exact string
partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified u:object_r:verity_status_prop:s0 exact string
+# Properties that holds the hashtree information for verity partitions.
partition.system.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
partition.product.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
partition.vendor.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.system.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.product.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
@@ -1229,3 +1336,40 @@
# dck properties
ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+
+# virtualization service properties
+virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
+
+# properties for the virtual Face HAL
+persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.enrollments u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.features u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_start_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.authenticator_id u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.challenge u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.lockout u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_hal_prop:s0 exact int
+
+# properties for the virtual Fingerprint HAL
+persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.enrollment_hit u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.next_enrollment u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.challenge u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_authenticate_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_detect_interaction_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_enroll_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
diff --git a/private/recovery.te b/private/recovery.te
index bba2a0d..2dba93b 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -38,6 +38,7 @@
allow recovery snapuserd_socket:sock_file write;
allow recovery snapuserd:unix_stream_socket connectto;
allow recovery dm_user_device:dir r_dir_perms;
+ get_prop(recovery, snapuserd_prop)
# Set fastbootd protocol property
set_prop(recovery, fastbootd_protocol_prop)
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index 010c9bc..43b69d2 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -4,6 +4,7 @@
app_domain(remote_prov_app)
net_domain(remote_prov_app)
+set_prop(remote_prov_app, remote_prov_prop)
# The app needs access to properly build a DeviceInfo package for the verifying server
get_prop(remote_prov_app, vendor_security_patch_level_prop)
diff --git a/private/remount.te b/private/remount.te
new file mode 100644
index 0000000..4dd94a5
--- /dev/null
+++ b/private/remount.te
@@ -0,0 +1,15 @@
+type remount, domain, coredomain;
+type remount_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ # Allow init to run clean_scratch_files and do auto domain transfer.
+ init_daemon_domain(remount)
+
+ # Allow talking to gsid.
+ binder_use(remount)
+ allow remount gsi_service:service_manager find;
+ binder_call(remount, gsid)
+
+ # Allow searching for /metadata/gsi/remount/lp_metadata.
+ allow remount { metadata_file gsi_metadata_file_type }:dir search;
+')
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
new file mode 100644
index 0000000..d30d3d9
--- /dev/null
+++ b/private/sdk_sandbox.te
@@ -0,0 +1,156 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes.
+
+type sdk_sandbox, domain;
+
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+# Audit the access to signal that we are still investigating whether sdk_sandbox
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow sdk_sandbox audio_service:service_manager find;
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(sdk_sandbox)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(sdk_sandbox)
+can_profile_perf(sdk_sandbox)
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow access to sdksandbox data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox proc_net:file no_rw_file_perms;
+
+# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
+neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
+
+# SDK sandbox processes don't have any access to external storage
+neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
+
+neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox hal_drm_service:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1d38fd9..78a98e1 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -5,11 +5,9 @@
# Input selectors:
# isSystemServer (boolean)
# isEphemeralApp (boolean)
-# isOwner (boolean)
# user (string)
# seinfo (string)
# name (string)
-# path (string)
# isPrivApp (boolean)
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
@@ -17,7 +15,7 @@
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
# value.
-# A user, name, or path string selector that ends in * will perform a prefix
+# A user, or name string selector that ends in * will perform a prefix
# match.
# String matching is case-insensitive.
# See external/selinux/libselinux/src/android/android_platform.c,
@@ -26,16 +24,15 @@
# isSystemServer=true only matches the system server.
# An unspecified isSystemServer defaults to false.
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
-# isOwner=true will only match for the owner/primary user.
# user=_app will match any regular app process.
# user=_isolated will match any isolated service process.
+# user=_sdksandbox will match sdk sandbox process for an app.
# Other values of user are matched against the name associated with the process
# UID.
# seinfo= matches aginst the seinfo tag for the app, determined from
# mac_permissions.xml files.
# The ':' character is reserved and may not be used in seinfo.
# name= matches against the package name of the app.
-# path= matches against the directory path when labeling app directories.
# isPrivApp=true will only match for applications preinstalled in
# /system/priv-app.
# minTargetSdkVersion will match applications with a targetSdkVersion
@@ -50,19 +47,16 @@
# (1) isSystemServer=true before isSystemServer=false.
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
# boolean.
-# (3) Specified isOwner= before unspecified isOwner= boolean.
-# (4) Specified user= string before unspecified user= string;
+# (3) Specified user= string before unspecified user= string;
# more specific user= string before less specific user= string.
-# (5) Specified seinfo= string before unspecified seinfo= string.
-# (6) Specified name= string before unspecified name= string;
+# (4) Specified seinfo= string before unspecified seinfo= string.
+# (5) Specified name= string before unspecified name= string;
# more specific name= string before less specific name= string.
-# (7) Specified path= string before unspecified path= string.
-# more specific name= string before less specific name= string.
-# (8) Specified isPrivApp= before unspecified isPrivApp= boolean.
-# (9) Higher value of minTargetSdkVersion= before lower value of
+# (6) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# (7) Higher value of minTargetSdkVersion= before lower value of
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
# defaults to 0 if unspecified.
-# (10) fromRunAs=true before fromRunAs=false.
+# (8) fromRunAs=true before fromRunAs=false.
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@@ -106,9 +100,11 @@
# inputs are matched on a key value rule line.
#
-# only the system server can be in system_server domain
+# only the system server can be assigned the system_server domains
neverallow isSystemServer=false domain=system_server
+neverallow isSystemServer=false domain=system_server_startup
neverallow isSystemServer="" domain=system_server
+neverallow isSystemServer="" domain=system_server_startup
# system domains should never be assigned outside of system uid
neverallow user=((?!system).)* domain=system_app
@@ -142,7 +138,10 @@
isSystemServer=true domain=system_server_startup
-user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+# sdksandbox must run in the sdksandbox domain
+neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
+
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
@@ -154,6 +153,7 @@
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
+user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
@@ -168,7 +168,8 @@
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
diff --git a/private/secure_element.te b/private/secure_element.te
index 57f512b..fd3b688 100644
--- a/private/secure_element.te
+++ b/private/secure_element.te
@@ -12,3 +12,5 @@
# the secure element process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow secure_element shell_data_file:file read;
+
+allow secure_element vendor_uuid_mapping_config_file:file r_file_perms;
diff --git a/private/security_classes b/private/security_classes
index 200b030..0d3cc80 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -163,5 +163,8 @@
# Keystore 2.0 key permissions
class keystore2_key # userspace
+# Diced permissions
+class diced # userspace
+
class drmservice # userspace
# FLASK
diff --git a/private/service.te b/private/service.te
index 7f692f3..cd2cec6 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,12 +1,19 @@
+type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
+type compos_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
-type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
+type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type logcat_service, system_server_service, service_manager_type;
+type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
+type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
+type statsbootstrap_service, system_server_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
+type transparency_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 3fd342b..0869b0f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,57 +1,118 @@
+android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
+android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
+android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+# The instance here is internal/0 following naming convention for ICameraProvider.
+# It advertises internal camera devices.
+android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
+android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
+android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
+android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
+android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.graphics.allocator.IAllocator/default u:object_r:hal_graphics_allocator_service:s0
+android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
+android.hardware.health.IHealth/default u:object_r:hal_health_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
+android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
+android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
+android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
+android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
+android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
+android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
+android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
+android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
+android.hardware.wifi.hostapd.IHostapd/default u:object_r:hal_wifi_hostapd_service:s0
+android.hardware.wifi.supplicant.ISupplicant/default u:object_r:hal_wifi_supplicant_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
+android.se.omapi.ISecureElementService/default u:object_r:secure_element_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
+android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
adb u:object_r:adb_service:s0
+adservices_manager u:object_r:adservices_manager_service:s0
aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
+aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/default u:object_r:evsmanagerd_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
+android.frameworks.automotive.display.ICarDisplayProxy/default u:object_r:fwk_automotive_display_service:s0
android.security.apc u:object_r:apc_service:s0
android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
+android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode u:object_r:dice_node_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0
android.security.maintenance u:object_r:keystore_maintenance_service:s0
android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+android.security.remoteprovisioning.IRemotelyProvisionedKeyPool u:object_r:remotelyprovisionedkeypool_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+android.system.composd u:object_r:compos_service:s0
+android.system.virtualizationservice u:object_r:virtualization_service:s0
+ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
apexservice u:object_r:apex_service:s0
+attestation_verification u:object_r:attestation_verification_service:s0
blob_store u:object_r:blob_store_service:s0
gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
+artd u:object_r:artd_service:s0
assetatlas u:object_r:assetatlas_service:s0
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
@@ -70,12 +131,14 @@
cacheinfo u:object_r:cacheinfo_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
+cloudsearch u:object_r:cloudsearch_service:s0
+cloudsearch_service u:object_r:cloudsearch_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
-android.system.virtmanager u:object_r:virtualization_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0
+connectivity_native u:object_r:connectivity_native_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
@@ -152,11 +215,15 @@
launcherapps u:object_r:launcherapps_service:s0
legacy_permission u:object_r:legacy_permission_service:s0
lights u:object_r:light_service:s0
+locale u:object_r:locale_service:s0
location u:object_r:location_service:s0
location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
lock_settings u:object_r:lock_settings_service:s0
+logcat u:object_r:logcat_service:s0
+logd u:object_r:logd_service:s0
looper_stats u:object_r:looper_stats_service:s0
lpdump_service u:object_r:lpdump_service:s0
+mdns u:object_r:mdns_service:s0
media.aaudio u:object_r:audioserver_service:s0
media.audio_flinger u:object_r:audioserver_service:s0
media.audio_policy u:object_r:audioserver_service:s0
@@ -183,6 +250,7 @@
midi u:object_r:midi_service:s0
mount u:object_r:mount_service:s0
music_recognition u:object_r:music_recognition_service:s0
+nearby u:object_r:nearby_service:s0
netd u:object_r:netd_service:s0
netpolicy u:object_r:netpolicy_service:s0
netstats u:object_r:netstats_service:s0
@@ -222,17 +290,21 @@
reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
resolver u:object_r:resolver_service:s0
+resources u:object_r:resources_manager_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
rttmanager u:object_r:rttmanager_service:s0
runtime u:object_r:runtime_service:s0
+safety_center u:object_r:safety_center_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
+sdk_sandbox u:object_r:sdk_sandbox_service:s0
search u:object_r:search_service:s0
search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
+selection_toolbar u:object_r:selection_toolbar_service:s0
sensorservice u:object_r:sensorservice_service:s0
sensor_privacy u:object_r:sensor_privacy_service:s0
serial u:object_r:serial_service:s0
@@ -248,6 +320,7 @@
smartspace u:object_r:smartspace_service:s0
speech_recognition u:object_r:speech_recognition_service:s0
stats u:object_r:stats_service:s0
+statsbootstrap u:object_r:statsbootstrap_service:s0
statscompanion u:object_r:statscompanion_service:s0
statsmanager u:object_r:statsmanager_service:s0
soundtrigger u:object_r:voiceinteraction_service:s0
@@ -257,11 +330,13 @@
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
+SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
system_config u:object_r:system_config_service:s0
system_server_dumper u:object_r:system_server_dumper_service:s0
system_update u:object_r:system_update_service:s0
+tare u:object_r:tare_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
telephony.registry u:object_r:registry_service:s0
@@ -276,8 +351,10 @@
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
-translation u:object_r:translation_service:s0
+translation u:object_r:translation_service:s0
+transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
+tv_interactive_app u:object_r:tv_iapp_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
uce u:object_r:uce_service:s0
@@ -291,14 +368,14 @@
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
+virtualdevice u:object_r:virtual_device_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
vpn_management u:object_r:vpn_management_service:s0
-vr_hwc u:object_r:vr_hwc_service:s0
-vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
+wallpaper_effects_generation u:object_r:wallpaper_effects_generation_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
wifip2p u:object_r:wifip2p_service:s0
wifiscanner u:object_r:wifiscanner_service:s0
diff --git a/private/shell.te b/private/shell.te
index ba9e972..c20e612 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -85,6 +85,7 @@
# Allow (host-driven) ART run-tests to execute dex2oat, in order to
# check ART's compiler.
allow shell dex2oat_exec:file rx_file_perms;
+allow shell dex2oat_exec:lnk_file read;
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
@@ -94,6 +95,9 @@
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)
+# Allow shell to set this property to disable charging.
+set_prop(shell, power_debug_prop)
+
# Allow shell to set this property used for rollback tests
set_prop(shell, rollback_test_prop)
@@ -127,6 +131,10 @@
allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms;
+# Allow shell to read updated APEXes under /data/apex
+allow shell apex_data_file:dir search;
+allow shell staging_data_file:file r_file_perms;
+
# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
@@ -179,6 +187,9 @@
# Allow shell to read boot image timestamps and fingerprints.
get_prop(shell, build_bootimage_prop)
+# Allow shell to read odsign verification properties
+get_prop(shell, odsign_prop)
+
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
@@ -187,6 +198,11 @@
# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
allow shell shell_key:keystore2_key { delete rebind use get_info update };
+# Allow shell to open and execute memfd files for minijail unit tests.
+userdebug_or_eng(`
+ allow shell appdomain_tmpfs:file { open execute_no_trans };
+')
+
# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
set_prop(shell, sqlite_log_prop)
@@ -208,3 +224,13 @@
# Allow shell read access to /apex/apex-info-list.xml for CTS.
allow shell apex_info_file:file r_file_perms;
+
+# Let the shell user call virtualizationservice (and
+# virtualizationservice call back to shell) for debugging.
+virtualizationservice_use(shell)
+
+# Allow shell to set persist.wm.debug properties
+userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
+
+# Allow shell to write GWP-ASan properties even on user builds.
+set_prop(shell, gwp_asan_prop)
diff --git a/private/simpleperf.te b/private/simpleperf.te
index 0639c11..9c70060 100644
--- a/private/simpleperf.te
+++ b/private/simpleperf.te
@@ -5,7 +5,16 @@
typeattribute simpleperf coredomain;
type simpleperf_exec, system_file_type, exec_type, file_type;
-domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
+# Define apps that can be marked debuggable/profileable and be profiled by simpleperf.
+define(`simpleperf_profileable_apps', `{
+ ephemeral_app
+ isolated_app
+ platform_app
+ priv_app
+ untrusted_app_all
+}')
+
+domain_auto_trans({ simpleperf_profileable_apps -runas_app }, simpleperf_exec, simpleperf)
# When running in this domain, simpleperf is scoped to profiling an individual
# app. The necessary MAC permissions for profiling are more maintainable and
@@ -16,14 +25,19 @@
# Allow ptrace attach to the target app, for reading JIT debug info (using
# process_vm_readv) during unwinding and symbolization.
-allow simpleperf untrusted_app_all:process ptrace;
+allow simpleperf simpleperf_profileable_apps:process ptrace;
# Allow using perf_event_open syscall for profiling the target app.
allow simpleperf self:perf_event { open read write kernel };
# Allow /proc/<pid> access for the target app (for example, when trying to
# discover it by cmdline).
-r_dir_file(simpleperf, untrusted_app_all)
+r_dir_file(simpleperf, simpleperf_profileable_apps)
+
+# Allow apps signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow simpleperf_profileable_apps simpleperf:process signal;
# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
diff --git a/private/simpleperf_app_runner.te b/private/simpleperf_app_runner.te
index 8501826..184a80a 100644
--- a/private/simpleperf_app_runner.te
+++ b/private/simpleperf_app_runner.te
@@ -1,3 +1,45 @@
typeattribute simpleperf_app_runner coredomain;
domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
+
+# run simpleperf_app_runner in adb shell.
+allow simpleperf_app_runner adbd:fd use;
+allow simpleperf_app_runner shell:fd use;
+allow simpleperf_app_runner devpts:chr_file { read write ioctl };
+
+# simpleperf_app_runner reads package information.
+allow simpleperf_app_runner system_data_file:file r_file_perms;
+allow simpleperf_app_runner system_data_file:lnk_file getattr;
+allow simpleperf_app_runner packages_list_file:file r_file_perms;
+
+# The app's data dir may be accessed through a symlink.
+allow simpleperf_app_runner system_data_file:lnk_file read;
+
+# simpleperf_app_runner switches to the app UID/GID.
+allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
+
+# simpleperf_app_runner switches to the app security context.
+selinux_check_context(simpleperf_app_runner) # validate context
+allow simpleperf_app_runner self:process setcurrent;
+allow simpleperf_app_runner { ephemeral_app isolated_app platform_app priv_app untrusted_app_all }:process dyntransition; # setcon
+
+# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
+
+# simpleperf_app_runner passes pipe fds.
+# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
+allow simpleperf_app_runner shell:fifo_file { read write };
+
+# simpleperf_app_runner checks shell data paths.
+# simpleperf_app_runner passes shell data fds.
+allow simpleperf_app_runner shell_data_file:dir { getattr search };
+allow simpleperf_app_runner shell_data_file:file { getattr write };
+
+###
+### neverallow rules
+###
+
+# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
+neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/private/simpleperf_boot.te b/private/simpleperf_boot.te
new file mode 100644
index 0000000..e71c492
--- /dev/null
+++ b/private/simpleperf_boot.te
@@ -0,0 +1,59 @@
+# Domain used when running /system/bin/simpleperf to record boot-time profiles.
+# It is started by init process. It's only available on userdebug/eng build.
+
+type simpleperf_boot, domain, coredomain, mlstrustedsubject;
+
+# /data/simpleperf_boot_data, used to store boot-time profiles.
+type simpleperf_boot_data_file, file_type;
+
+userdebug_or_eng(`
+ domain_auto_trans(init, simpleperf_exec, simpleperf_boot)
+
+ # simpleperf_boot writes profile data to /data/simpleperf_boot_data.
+ allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms;
+ allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms;
+
+ # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling.
+ allow simpleperf_boot self:perf_event { cpu kernel open read write };
+ allow simpleperf_boot self:global_capability2_class_set perfmon;
+
+ # Allow simpleperf_boot to scan through /proc/pid for all processes.
+ r_dir_file(simpleperf_boot, domain)
+
+ # Allow simpleperf_boot to read executable binaries.
+ allow simpleperf_boot system_file_type:file r_file_perms;
+ allow simpleperf_boot vendor_file_type:file r_file_perms;
+
+ # Allow simpleperf_boot to search for and read kernel modules.
+ allow simpleperf_boot vendor_file:dir r_dir_perms;
+ allow simpleperf_boot vendor_kernel_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read system bootstrap libs.
+ allow simpleperf_boot system_bootstrap_lib_file:dir search;
+ allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms;
+
+ # Allow simpleperf_boot to access tracefs.
+ allow simpleperf_boot debugfs_tracing:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing:file rw_file_perms;
+ allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms;
+
+ # Allow simpleperf_boot to write to perf_event_paranoid under /proc.
+ allow simpleperf_boot proc_perf:file write;
+
+ # Allow simpleperf_boot to read process maps.
+ allow simpleperf_boot self:global_capability_class_set sys_ptrace;
+ # Allow simpleperf_boot to read JIT debug info from system_server and zygote.
+ allow simpleperf_boot { system_server zygote }:process ptrace;
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(simpleperf_boot, lower_kptr_restrict_prop)
+ allow simpleperf_boot proc_kallsyms:file r_file_perms;
+ allow simpleperf_boot proc_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read kernel build id.
+ allow simpleperf_boot sysfs_kernel_notes:file r_file_perms;
+
+ dontaudit simpleperf_boot shell_data_file:dir search;
+')
diff --git a/private/snapuserd.te b/private/snapuserd.te
index d96b31e..2e2c473 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -8,6 +8,20 @@
allow snapuserd kmsg_device:chr_file rw_file_perms;
+allow snapuserd self:capability ipc_lock;
+
+# Allow snapuserd to reach block devices in /dev/block.
+allow snapuserd block_device:dir search;
+
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow snapuserd sysfs:dir { open read };
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and dynamic partitions.
+allow snapuserd sysfs_dm:dir { open read search };
+allow snapuserd sysfs_dm:file r_file_perms;
+
# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
allow snapuserd block_device:dir r_dir_perms;
allow snapuserd dm_device:chr_file rw_file_perms;
@@ -17,10 +31,25 @@
allow snapuserd dm_user_device:dir r_dir_perms;
allow snapuserd dm_user_device:chr_file rw_file_perms;
-# Reading and writing to /dev/socket/snapuserd.
+# Reading and writing to /dev/socket/snapuserd and snapuserd_proxy.
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+allow snapuserd snapuserd_proxy_socket:sock_file write;
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
# again, the descriptor leaks into the new process.
allow snapuserd kernel:fd use;
+
+# snapuserd.* properties
+set_prop(snapuserd, snapuserd_prop)
+get_prop(snapuserd, virtual_ab_prop)
+
+# For inotify watching for /dev/socket/snapuserd_proxy to appear.
+allow snapuserd tmpfs:dir { read watch };
+
+# Forbid anything other than snapuserd and init setting snapuserd properties.
+neverallow {
+ domain
+ -snapuserd
+ -init
+} snapuserd_prop:property_service set;
diff --git a/private/statsd.te b/private/statsd.te
index 444d82e..59948ff 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -17,7 +17,10 @@
allow statsd incidentd:fifo_file write;
# Allow StatsCompanionService to pipe data to statsd.
-allow statsd system_server:fifo_file { read getattr };
+allow statsd system_server:fifo_file { read write getattr };
+
+# Allow Statsd to pipe data to privileged apps.
+allow statsd priv_app:fifo_file { read write getattr };
# Allow statsd to retrieve SF statistics over binder
binder_call(statsd, surfaceflinger);
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 7a92bd4..123fc69 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -19,7 +19,6 @@
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
-hal_client_domain(surfaceflinger, hal_bufferhub)
allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
# Perform Binder IPC.
@@ -39,6 +38,8 @@
# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
+allow surfaceflinger gpu_device:dir r_dir_perms;
+allow surfaceflinger sysfs_gpu:file r_file_perms;
# Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
@@ -61,6 +62,7 @@
# Get properties.
get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
+get_prop(surfaceflinger, device_config_surface_flinger_native_boot_prop)
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
@@ -72,9 +74,13 @@
allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')
-# Needed to register as a Perfetto producer.
+# Allow userspace tracing via perfetto.
perfetto_producer(surfaceflinger)
+# Allow to be profiled by performance tools.
+can_profile_heap(surfaceflinger)
+can_profile_perf(surfaceflinger)
+
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
@@ -90,8 +96,6 @@
#add_service(surfaceflinger, surfaceflinger_service)
allow surfaceflinger surfaceflinger_service:service_manager { add find };
-add_service(surfaceflinger, vrflinger_vsync_service)
-
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
@@ -127,6 +131,9 @@
# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);
+# Allow to use files supplied by hal_evs
+allow surfaceflinger hal_evs:fd use;
+
# Allow pushing jank event atoms to statsd
userdebug_or_eng(`
unix_socket_send(surfaceflinger, statsdw, statsd)
@@ -142,7 +149,7 @@
# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
+neverallow surfaceflinger { sdcard_type fuse }:file rw_file_perms;
# b/68864350
dontaudit surfaceflinger unlabeled:dir search;
diff --git a/private/system_app.te b/private/system_app.te
index 41fac62..01956f4 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -43,6 +43,7 @@
set_prop(system_app, exported_bluetooth_prop)
set_prop(system_app, exported_system_prop)
set_prop(system_app, exported3_system_prop)
+set_prop(system_app, gesture_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, usb_control_prop)
@@ -88,13 +89,13 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
-tracingproxy_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
# suppress denials for services system_app should not be accessing.
@@ -103,10 +104,10 @@
dumpstate_service
installd_service
iorapd_service
+ mdns_service
netd_service
virtual_touchpad_service
vold_service
- vr_hwc_service
}:service_manager find;
# suppress denials caused by debugfs_tracing
@@ -158,6 +159,7 @@
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
allow system_app cgroup_v2:file w_file_perms;
+allow system_app cgroup_v2:dir w_dir_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
@@ -174,6 +176,10 @@
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
+# TODO(b/217368496): remove this.
+can_profile_heap(system_app)
+can_profile_perf(system_app)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 82b2a1f..e77ba5d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -8,19 +8,25 @@
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
+typeattribute system_server bpfdomain;
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
userfaultfd_use(system_server)
+# TODO(b/217368496): remove this.
+perfetto_producer(system_server)
+can_profile_heap(system_server)
+can_profile_perf(system_server)
+
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
# Create a socket for connections from zygotes.
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
-allow system_server zygote_tmpfs:file read;
+allow system_server zygote_tmpfs:file { map read };
allow system_server appdomain_tmpfs:file { getattr map read write };
# For Incremental Service to check if incfs is available
@@ -70,6 +76,18 @@
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
+# Ignore the denial on `system@framework@com.android.location.provider.jar@classes.odex`.
+# `com.android.location.provider.jar` happens to be both a jar on system server classpath and a
+# shared library used by a system server app. The odex file is loaded fine by Zygote when it forks
+# system_server. It fails to be loaded when the jar is used as a shared library, which is expected.
+dontaudit system_server apex_art_data_file:file execute;
+
+# For release odex/vdex compress blocks
+allowxperm system_server dalvikcache_data_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_GETFLAGS
+};
+
# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
@@ -91,7 +109,7 @@
crash_dump
webview_zygote
zygote
-}:process { sigkill signull };
+}:process { getpgid sigkill signull };
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -203,6 +221,11 @@
allow system_server stats_data_file:dir { open read remove_name search write };
allow system_server stats_data_file:file unlink;
+# Read metric file & upload to statsd
+allow system_server odsign_data_file:dir search;
+allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
+allow system_server odsign_metrics_file:file { r_file_perms unlink };
+
# Read /sys/kernel/debug/wakeup_sources.
no_debugfs_restriction(`
allow system_server debugfs_wakeup_sources:file r_file_perms;
@@ -256,6 +279,7 @@
binder_use(system_server)
binder_call(system_server, appdomain)
binder_call(system_server, binderservicedomain)
+binder_call(system_server, composd)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
@@ -270,6 +294,7 @@
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
binder_call(system_server, vold)
+binder_call(system_server, logd)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
binder_service(system_server)
@@ -288,6 +313,7 @@
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
hal_client_domain(system_server, hal_input_classifier)
+hal_client_domain(system_server, hal_input_processor)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
@@ -304,6 +330,7 @@
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
hal_client_domain(system_server, hal_usb_gadget)
+hal_client_domain(system_server, hal_uwb)
hal_client_domain(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver)
@@ -368,8 +395,10 @@
hal_light_server
hal_neuralnetworks_server
hal_omx_server
+ hal_power_server
hal_power_stats_server
hal_sensors_server
+ hal_vibrator_server
hal_vr_server
system_suspend_server
}:process { signal };
@@ -393,12 +422,12 @@
# Check SELinux permissions.
selinux_check_access(system_server)
-allow system_server sysfs_type:dir search;
+allow system_server sysfs_type:dir r_dir_perms;
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
-allow system_server sysfs_extcon:dir r_dir_perms;
+r_dir_file(system_server, sysfs_extcon)
r_dir_file(system_server, sysfs_ipv4)
allow system_server sysfs_ipv4:file w_file_perms;
@@ -424,6 +453,8 @@
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server gpu_device:dir r_dir_perms;
+allow system_server sysfs_gpu:file r_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
@@ -433,6 +464,7 @@
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
+allow system_server uhid_device:chr_file rw_file_perms;
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
@@ -449,10 +481,15 @@
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server packages_list_file:file create_file_perms;
+allow system_server game_mode_intervention_list_file:file create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;
allow system_server keychain_data_file:lnk_file create_file_perms;
+# Read the user parent directories like /data/user. Don't allow write access,
+# as vold is responsible for creating and deleting the subdirectories.
+allow system_server system_userdir_file:dir r_dir_perms;
+
# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
@@ -516,9 +553,9 @@
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;
-# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
-allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;
# Manage /data/backup.
@@ -682,7 +719,9 @@
set_prop(system_server, surfaceflinger_color_prop)
set_prop(system_server, provisioned_prop)
set_prop(system_server, retaildemo_prop)
+set_prop(system_server, dmesgd_start_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
+userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
# ctl interface
set_prop(system_server, ctl_default_prop)
@@ -695,11 +734,13 @@
# server configurable flags properties
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
+set_prop(system_server, device_config_nnapi_native_prop)
set_prop(system_server, device_config_activity_manager_native_boot_prop)
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
@@ -709,7 +750,10 @@
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
-
+set_prop(system_server, device_config_surface_flinger_native_boot_prop)
+set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_virtualization_framework_native_prop)
+set_prop(system_server, smart_idle_maint_enabled_prop)
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
@@ -770,6 +814,12 @@
# Read the net.464xlat.cellular.enabled property (written by init).
get_prop(system_server, net_464xlat_fromvendor_prop)
+# Read hypervisor capabilities ro.boot.hypervisor.*
+get_prop(system_server, hypervisor_prop)
+
+# Read persist.wm.debug. properties
+get_prop(system_server, persist_wm_debug_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -809,8 +859,8 @@
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
+allow system_server fscklogs:dir { write remove_name add_name };
+allow system_server fscklogs:file rename;
# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
@@ -840,6 +890,7 @@
allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
+allow system_server compos_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
@@ -856,6 +907,7 @@
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
+allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
@@ -870,6 +922,7 @@
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
+allow system_server logd_service:service_manager find;
userdebug_or_eng(`
allow system_server profcollectd_service:service_manager find;
')
@@ -904,7 +957,9 @@
clear_ns
clear_uid
get_state
+ list
lock
+ migrate_any_key
pull_metrics
reset
unlock
@@ -968,7 +1023,7 @@
# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
+allow system_server { sdcard_type fuse }:dir { getattr search };
# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;
@@ -1024,6 +1079,10 @@
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
+allowxperm system_server system_file:file ioctl {
+ FS_IOC_MEASURE_VERITY
+};
+
# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
@@ -1096,9 +1155,14 @@
# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
-allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+allow system_server self:key_socket create;
+
+# Allow system_server to start clatd in its own domain and kill it.
+domain_auto_trans(system_server, clatd_exec, clatd)
+allow system_server clatd:process signal;
# ART Profiles.
# Allow system_server to open profile snapshots for read.
@@ -1162,8 +1226,8 @@
# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
+neverallow system_server { sdcard_type fuse }:dir { open read write };
+neverallow system_server { sdcard_type fuse }:file rw_file_perms;
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
@@ -1187,8 +1251,8 @@
}:file execute_no_trans;
# Ensure that system_server doesn't perform any domain transitions other than
-# transitioning to the crash_dump domain when a crash occurs.
-neverallow system_server { domain -crash_dump }:process transition;
+# transitioning to the crash_dump domain when a crash occurs or fork clatd.
+neverallow system_server { domain -clatd -crash_dump }:process transition;
neverallow system_server *:process dyntransition;
# Only allow crash_dump to connect to system_ndebug_socket.
@@ -1216,10 +1280,13 @@
device_config_input_native_boot_prop
device_config_lmkd_native_prop
device_config_netd_native_prop
+ device_config_nnapi_native_prop
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
+ device_config_mglru_native_prop
device_config_storage_native_boot_prop
+ device_config_surface_flinger_native_boot_prop
device_config_sys_traced_prop
device_config_swcodec_native_prop
device_config_window_manager_native_boot_prop
@@ -1236,10 +1303,13 @@
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
neverallow system_server data_file_type:file no_x_file_perms;
-# The only block device system_server should be accessing is
+# The only block device system_server should be writing to is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
-neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
+# The system_server may need to read from vd_device if it uses
+# block apexes.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
+neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;
# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
@@ -1294,14 +1364,24 @@
# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
-allow system_server apex_appsearch_data_file:dir create_dir_perms;
-allow system_server apex_appsearch_data_file:file create_file_perms;
-allow system_server apex_permission_data_file:dir create_dir_perms;
-allow system_server apex_permission_data_file:file create_file_perms;
-allow system_server apex_scheduling_data_file:dir create_dir_perms;
-allow system_server apex_scheduling_data_file:file create_file_perms;
-allow system_server apex_wifi_data_file:dir create_dir_perms;
-allow system_server apex_wifi_data_file:file create_file_perms;
+# These are modules where the code runs in system_server, so we need full access.
+allow system_server apex_system_server_data_file:dir create_dir_perms;
+allow system_server apex_system_server_data_file:file create_file_perms;
+# Legacy labels that we still need to support (b/217581286)
+allow system_server {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_tethering_data_file
+ apex_wifi_data_file
+}:dir create_dir_perms;
+allow system_server {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_tethering_data_file
+ apex_wifi_data_file
+}:file create_file_perms;
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
diff --git a/private/system_suspend.te b/private/system_suspend.te
index caf8955..d924187 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -7,6 +7,8 @@
binder_use(system_suspend)
add_service(system_suspend, system_suspend_control_service)
+add_service(system_suspend, hal_system_suspend_service)
+
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 9b3e3c6..fcd4fe7 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -20,9 +20,9 @@
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
-; Apps, except isolated apps, are clients of Drm-related services
+; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
@@ -59,11 +59,6 @@
(typeattribute untrusted_app_visible_halserver)
(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
-; Apps, except isolated apps, are clients of BufferHub HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
-
; Properties having both system_property_type and vendor_property_type are illegal
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
diff --git a/private/toolbox.te b/private/toolbox.te
index a2b958d..1e53d72 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -1,3 +1,7 @@
typeattribute toolbox coredomain;
init_daemon_domain(toolbox)
+
+# rm -rf in /data/misc/virtualizationservice
+allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
+allow toolbox virtualizationservice_data_file:file { getattr unlink };
diff --git a/private/traced.te b/private/traced.te
index fc9a245..ec31a20 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -95,6 +95,9 @@
-perfetto_traces_bugreport_data_file
-system_data_file
-system_data_root_file
+ -media_userdir_file
+ -system_userdir_file
+ -vendor_userdir_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
@@ -118,4 +121,12 @@
neverallow * traced:process dyntransition;
# Limit the processes that can access tracingproxy_service.
-neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
+neverallow {
+ domain
+ -traced
+ -dumpstate
+ -traceur_app
+ -shell
+ -system_server
+ -perfetto
+} tracingproxy_service:service_manager find;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 730a45c..f2be14d 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -43,6 +43,9 @@
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
+# Allow to read game_mode_intervention.list file.
+allow traced_probes game_mode_intervention_list_file:file r_file_perms;
+
# Allow to log to kernel dmesg when starting / stopping ftrace.
allow traced_probes kmsg_device:chr_file write;
@@ -123,6 +126,9 @@
-dalvikcache_data_file
-system_data_file
-system_data_root_file
+ -media_userdir_file
+ -system_userdir_file
+ -vendor_userdir_file
-system_app_data_file
-backup_data_file
-bootstat_data_file
@@ -144,6 +150,7 @@
-zoneinfo_data_file
-packages_list_file
with_native_coverage(`-method_trace_data_file')
+ -game_mode_intervention_list_file
}:file *;
# Only init is allowed to enter the traced_probes domain via exec()
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 6e7a99c..56e44db 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -2,7 +2,7 @@
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 30.
+### targetSdkVersion >= 32.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
@@ -14,3 +14,10 @@
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
+
+# Allow webview to access fd shared by sdksandbox for experiments data
+# TODO(b/229249719): Will not be supported in Android U
+allow untrusted_app sdk_sandbox_data_file:fd use;
+allow untrusted_app sdk_sandbox_data_file:file write;
+
+neverallow untrusted_app sdk_sandbox_data_file:file { open create };
\ No newline at end of file
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 41cabe8..4235d7e 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,6 +49,6 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 0993faa..c747af1 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -37,6 +37,6 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index c5652b1..6bb2606 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -15,6 +15,6 @@
net_domain(untrusted_app_29)
bluetooth_domain(untrusted_app_29)
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
new file mode 100644
index 0000000..e0a71ef
--- /dev/null
+++ b/private/untrusted_app_30.te
@@ -0,0 +1,22 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 29 < targetSdkVersion <= 31.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+### TODO(b/192334803): Merge this policy into untrusted_app_29 when possible
+###
+
+typeattribute untrusted_app_30 coredomain;
+
+app_domain(untrusted_app_30)
+untrusted_app_domain(untrusted_app_30)
+net_domain(untrusted_app_30)
+bluetooth_domain(untrusted_app_30)
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6064c14..26077f3 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -171,7 +171,15 @@
allow untrusted_app_all self:lockdown integrity;
')
-# Allow signalling simpleperf domain, which is the domain that the simpleperf
-# profiler runs as when executed by the app. The signals are used to control
-# the profiler (which would be profiling the app that is sending the signal).
-allow untrusted_app_all simpleperf:process signal;
+# Allow running a VM for test/demo purposes. Note that access the service is
+# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
+# permission. The protection level of the permission is `signature|development`
+# so that it can only be granted to either platform-key signed apps or
+# test-only apps having `android:testOnly="true"` in its manifest.
+virtualizationservice_use(untrusted_app_all)
+
+with_native_coverage(`
+ # Allow writing coverage information to /data/misc/trace
+ allow domain method_trace_data_file:dir create_dir_perms;
+ allow domain method_trace_data_file:file create_file_perms;
+')
diff --git a/private/update_engine.te b/private/update_engine.te
index d828e1f..c3f575f 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -24,6 +24,7 @@
# Allow to communicate with the snapuserd service, for dm-user snapshots.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;
+get_prop(update_engine, snapuserd_prop)
# Allow to communicate with apexd for calculating and reserving space for
# capex decompression
diff --git a/private/vehicle_binding_util.te b/private/vehicle_binding_util.te
index 76d0756..f527944 100644
--- a/private/vehicle_binding_util.te
+++ b/private/vehicle_binding_util.te
@@ -8,8 +8,10 @@
# allow writing to kmsg during boot
allow vehicle_binding_util kmsg_device:chr_file { getattr w_file_perms };
-# allow reading the binding property from vhal
+# allow reading the binding property from HIDL VHAL.
hwbinder_use(vehicle_binding_util)
+# allow reading the binding property from AIDL VHAL.
+binder_use(vehicle_binding_util)
hal_client_domain(vehicle_binding_util, hal_vehicle)
# allow executing vdc
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 2e616f3..70b3ef9 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -9,6 +9,9 @@
# Let vendor_init set service.adb.tcp.port.
set_prop(vendor_init, adbd_config_prop)
+# Let vendor_init react to AVF device config changes
+get_prop(vendor_init, device_config_virtualization_framework_native_prop)
+
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
diff --git a/private/virtmanager.te b/private/virtmanager.te
deleted file mode 100644
index 467f7d4..0000000
--- a/private/virtmanager.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type virtmanager, domain, coredomain;
-type virtmanager_exec, system_file_type, exec_type, file_type;
-
-# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
-init_daemon_domain(virtmanager)
-
-# Let the virtmanager domain use Binder.
-binder_use(virtmanager)
-
-# Let the virtmanager domain register the virtualization_service with ServiceManager.
-add_service(virtmanager, virtualization_service)
-
-# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtmanager, crosvm_exec, crosvm)
-
-# Let virtmanager kill crosvm.
-allow virtmanager crosvm:process sigkill;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
new file mode 100644
index 0000000..c369a90
--- /dev/null
+++ b/private/virtualizationservice.te
@@ -0,0 +1,84 @@
+type virtualizationservice, domain, coredomain;
+type virtualizationservice_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with virtualizationservice_exec, run it in the
+# virtualizationservice domain.
+init_daemon_domain(virtualizationservice)
+
+# Let the virtualizationservice domain use Binder.
+binder_use(virtualizationservice)
+# ... and host a binder service
+binder_service(virtualizationservice)
+
+# Allow calling into the system server so that it can check permissions.
+binder_call(virtualizationservice, system_server)
+allow virtualizationservice permission_service:service_manager find;
+# Allow virtualizationservice to access "package_native" service for staged apex info.
+allow virtualizationservice package_native_service:service_manager find;
+
+# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
+add_service(virtualizationservice, virtualization_service)
+
+# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+
+# Let virtualizationservice kill crosvm.
+allow virtualizationservice crosvm:process sigkill;
+
+# Let virtualizationservice access its data directory.
+allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
+allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
+
+# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
+# crosvm to the console
+allow virtualizationservice adbd:fd use;
+allow virtualizationservice adbd:unix_stream_socket { read write };
+
+# Let virtualizationservice read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationservice apk_data_file:file { getattr read };
+# Write access is needed for mutable partitions like instance.img
+allow virtualizationservice {
+ app_data_file
+ apex_compos_data_file
+}:file { getattr read write };
+
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationservice shell_data_file:file { getattr read write };
+
+# Allow virtualizationservice to read apex-info-list.xml and access the APEX files listed there.
+allow virtualizationservice apex_info_file:file r_file_perms;
+allow virtualizationservice apex_data_file:dir search;
+allow virtualizationservice staging_data_file:file r_file_perms;
+allow virtualizationservice staging_data_file:dir search;
+
+# Run derive_classpath in our domain
+allow virtualizationservice derive_classpath_exec:file rx_file_perms;
+allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationservice self:dir write;
+
+# Let virtualizationservice to accept vsock connection from the guest VMs
+allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
+set_prop(virtualizationservice, virtualizationservice_prop)
+
+# Allow virtualizationservice to inspect hypervisor capabilities.
+get_prop(virtualizationservice, hypervisor_prop)
+
+# Allow writing stats to statsd
+unix_socket_send(virtualizationservice, statsdw, statsd)
+
+# Allow virtualization service to talk to tombstoned to push guest tombstones
+unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
+
+# Append to tombstone files passed as fds from tombstoned
+allow virtualizationservice tombstone_data_file:file { append getattr };
+allow virtualizationservice tombstoned:fd use;
+
+neverallow {
+ domain
+ -init
+ -virtualizationservice
+} virtualizationservice_prop:property_service set;
diff --git a/private/vold.te b/private/vold.te
index de0fde4..40c1a57 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -22,8 +22,8 @@
get_prop(vold, vold_config_prop)
get_prop(vold, storage_config_prop);
get_prop(vold, incremental_prop);
+get_prop(vold, gsid_prop);
-set_prop(vold, vold_post_fs_data_prop)
set_prop(vold, vold_prop)
set_prop(vold, vold_status_prop)
set_prop(vold, powerctl_prop)
@@ -66,3 +66,31 @@
-apexd
-gsid
} vold_service:service_manager find;
+
+# Allow vold to create and delete per-user directories like /data/user/$userId.
+allow vold {
+ media_userdir_file
+ system_userdir_file
+ vendor_userdir_file
+}:dir {
+ add_name
+ remove_name
+ write
+};
+
+# Only vold should create (and delete) per-user directories like
+# /data/user/$userId. This is very important, as these directories need to be
+# encrypted with per-user keys, which only vold can do. Encryption can only be
+# set up on empty directories, so creation and encryption must happen together.
+neverallow {
+ domain
+ -vold
+} {
+ media_userdir_file
+ system_userdir_file
+ vendor_userdir_file
+}:dir {
+ add_name
+ remove_name
+ write
+};
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 956e94e..24007ed 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -16,36 +16,32 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
- apex_appsearch_data_file
- apex_art_data_file
+ apex_data_file_type
apex_module_data_file
- apex_permission_data_file
apex_rollback_data_file
- apex_scheduling_data_file
- apex_wifi_data_file
backup_data_file
+ checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
rollback_data_file
+ sdk_sandbox_data_file
storaged_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
- apex_appsearch_data_file
- apex_art_data_file
+ apex_data_file_type
apex_art_staging_data_file
apex_module_data_file
- apex_permission_data_file
apex_rollback_data_file
- apex_scheduling_data_file
- apex_wifi_data_file
backup_data_file
+ checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
rollback_data_file
+ sdk_sandbox_data_file
storaged_data_file
system_data_file
vold_data_file
@@ -54,6 +50,16 @@
allow vold_prepare_subdirs mnt_expand_file:dir search;
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
+
+# Migrate legacy labels to apex_system_server_data_file (b/217581286)
+allow vold_prepare_subdirs {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_tethering_data_file
+ apex_wifi_data_file
+}:dir relabelfrom;
+
# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
deleted file mode 100644
index 053c03d..0000000
--- a/private/vr_hwc.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute vr_hwc coredomain;
-
-# Daemon started by init.
-init_daemon_domain(vr_hwc)
-
-hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index da98e2e..974a297 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -1,15 +1,5 @@
-# wait_for_keymaster service
+# wait_for_keymaster service. No longer used;
+# here only so that downstream code compiles.
type wait_for_keymaster, domain, coredomain;
type wait_for_keymaster_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(wait_for_keymaster)
-
-hal_client_domain(wait_for_keymaster, hal_keymaster)
-
-allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
-
-# wait_for_keymaster needs to find keystore and call methods with the returned
-# binder reference.
-binder_use(wait_for_keymaster)
-allow wait_for_keymaster keystore_service:service_manager find;
-binder_call(wait_for_keymaster, keystore)
diff --git a/private/zygote.te b/private/zygote.te
index 743647e..9368621 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -36,6 +36,9 @@
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
+# Get attributes of /mnt/expand, needed by cacheNonBootClasspathClassLoaders.
+allow zygote mnt_expand_file:dir getattr;
+
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
@@ -59,43 +62,52 @@
allow zygote apex_art_data_file:dir { getattr search };
allow zygote apex_art_data_file:file { r_file_perms execute };
-# Bind mount on /data/data and mounted volumes
-allow zygote { system_data_file mnt_expand_file }:dir mounton;
+# Mount tmpfs over various directories containing per-app directories, to hide
+# them for app data isolation. Also traverse these directories (via
+# /data_mirror) to find the allowlisted per-app directories to bind-mount in.
+allow zygote {
+ # /data/user{,_de}, /mnt/expand/$volume/user{,_de}
+ system_userdir_file
+ # /data/data
+ system_data_file
+ # /data/misc/profiles/cur
+ user_profile_root_file
+ # /data/misc/profiles/ref
+ user_profile_data_file
+ # /storage/emulated/$userId/Android/{data,obb}
+ media_rw_data_file
+}:dir { mounton search };
-# Relabel /data/user /data/user_de and /data/data
-allow zygote tmpfs:{ dir lnk_file } relabelfrom;
-allow zygote system_data_file:{ dir lnk_file } relabelto;
+# Traverse /data_mirror to get to the above directories while their normal paths
+# are hidden, in order to bind-mount allowlisted per-app directories.
+allow zygote mirror_data_file:dir search;
-# Zygote opens /mnt/expand to mount CE DE storage on each vol
-allow zygote mnt_expand_file:dir { open read search relabelto };
+# List /mnt/expand to find all /mnt/expand/$volume/user{,_de} directories that
+# need to be hidden by app data isolation, and traverse /mnt/expand to get to
+# any allowlisted per-app directories within these directories.
+allow zygote mnt_expand_file:dir { open read search };
-# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
-allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
+# Get the inode number of app CE data directories to find them by inode number
+# when CE storage is locked. Needed for app data isolation.
+allow zygote app_data_file_type:dir getattr;
-# Create and bind dirs on /data/data
+# Create dirs in the app data isolation tmpfs mounts and bind mount on them.
allow zygote tmpfs:dir { create_dir_perms mounton };
-# Goes into media directory and bind mount obb directory
-allow zygote media_rw_data_file:dir { getattr search };
+# Create the '/data/user/0 => /data/data' symlink in the /data/user tmpfs mount
+# when setting up app data isolation.
+allow zygote tmpfs:lnk_file create;
-# Bind mount on top of existing mounted obb and data directory
-allow zygote media_rw_data_file:dir { mounton };
+# Relabel dirs and symlinks in the app data isolation tmpfs mounts to their
+# standard labels. Note: it seems that not all dirs are actually relabeled yet,
+# but it works anyway since all domains can search tmpfs:dir.
+allow zygote tmpfs:{ dir lnk_file } relabelfrom;
+allow zygote system_userdir_file:dir relabelto;
+allow zygote system_data_file:{ dir lnk_file } relabelto;
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
-# Create symlink for /data/user/0
-allow zygote tmpfs:lnk_file create;
-
-allow zygote mirror_data_file:dir r_dir_perms;
-
-# Get inode of directories for app data isolation
-allow zygote {
- app_data_file_type
- system_data_file
- mnt_expand_file
-}:dir getattr;
-
# Allow zygote to create JIT memory.
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;
@@ -139,6 +151,7 @@
allow zygote tmpfs:filesystem { mount unmount };
allow zygote fuse:filesystem { unmount };
allow zygote sdcardfs:filesystem { unmount };
+allow zygote labeledfs:filesystem { unmount };
# Allow creating user-specific storage source if started before vold.
allow zygote mnt_user_file:dir { create_dir_perms mounton };
@@ -152,8 +165,8 @@
allow zygote storage_file:dir { search mounton };
# Allow mounting and creating files, dirs on sdcardfs.
-allow zygote { sdcard_type }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type }:file { create_file_perms };
+allow zygote { sdcard_type fuse }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type fuse }:file { create_file_perms };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
@@ -229,6 +242,11 @@
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
+# Allow zygote to canonicalize vendor APEX paths. This is used when zygote is checking the
+# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
+allow zygote vendor_apex_file:dir { getattr search };
+allow zygote vendor_apex_file:file { getattr };
+
###
### neverallow rules
###
diff --git a/public/app.te b/public/app.te
index 5527f99..da24012 100644
--- a/public/app.te
+++ b/public/app.te
@@ -8,375 +8,6 @@
###
type appdomain_tmpfs, file_type;
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# Receive and use open file descriptors inherited from app zygote.
-allow appdomain app_zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-# Notify zygote of the wrapped process PID when using --invoke-with.
-allow appdomain zygote:fifo_file write;
-
-userdebug_or_eng(`
- # Allow apps to create and write method traces in /data/misc/trace.
- allow appdomain method_trace_data_file:dir w_dir_perms;
- allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# For AppFuse.
-allow appdomain vold:fd use;
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
-
-# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
-allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
- allow appdomain vendor_file_type:dir r_dir_perms;
- allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
- # For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
-allow { appdomain -ephemeral_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Allow apps read / execute access to vendor public libraries.
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write map };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write map };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read map };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read map };
-
-# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
-#
-# TODO: All of these permissions except for anr_data_file:file append can be
-# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
-# and the rules below.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces. Also allow them to append traces to pipes
-# created by dumptrace. (Also see the rules below where they are given
-# additional permissions to dumpstate pipes for other aspects of bug report
-# creation).
-unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
-allow appdomain tombstoned:fd use;
-allow appdomain dumpstate:fifo_file append;
-allow appdomain incidentd:fifo_file append;
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Allow apps to send dump information to incidentd
-allow appdomain incidentd:fd use;
-allow appdomain incidentd:fifo_file { write getattr };
-
-# Allow apps to send information to statsd socket.
-unix_socket_send(appdomain, statsdw, statsd)
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
- allow appdomain heapdump_data_file:file append;
-')
-
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# proc_net access for the negated domains below is granted (or not) in their
-# individual .te files.
-r_dir_file({
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -system_app
- -untrusted_app_all
-}, proc_net_type)
-# audit access for all these non-core app domains.
-userdebug_or_eng(`
- auditallow {
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -su
- -system_app
- -untrusted_app_all
- } proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-# Perform binder IPC to gpuservice.
-binder_call({ appdomain -isolated_app }, gpuservice)
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr map };
-allow appdomain cache_backup_file:file { read write getattr map };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read map };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-use_credstore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# Allow apps to access shared memory file descriptor from the tuner HAL
-allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-allow appdomain same_process_hal_file:file { execute read open getattr map };
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write map };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-# Allow apps to run with asanwrapper.
-with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
-
-# Read access to FDs from the DropboxManagerService.
-allow appdomain dropbox_data_file:file { getattr read };
-
-# Read tmpfs types from these processes.
-allow appdomain audioserver_tmpfs:file { getattr map read write };
-allow appdomain system_server_tmpfs:file { getattr map read write };
-allow appdomain zygote_tmpfs:file { map read };
-
###
### Neverallow rules
###
@@ -569,6 +200,12 @@
-system_app
} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+# allow system_app to access Nfc-related system properties.
+set_prop(system_app, nfc_prop)
+
+# allow system_app to access radio_config system properties.
+set_prop(system_app, radio_control_prop)
+
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
diff --git a/public/attributes b/public/attributes
index b60c9cc..906dbcd 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,7 +7,7 @@
# in tools/checkfc.c
attribute dev_type;
-# Attribute for block devices.
+# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute bdev_type;
# All types used for processes.
@@ -21,6 +21,12 @@
# All types used for context= mounts.
attribute contextmount_type;
+# All types referencing a FUSE filesystem.
+# When mounting a new FUSE filesystem, the fscontext= option should be used to
+# set a domain-specific type with this attribute. See app_fusefs for an
+# example.
+attribute fusefs_type;
+
# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
@@ -45,6 +51,9 @@
# All types in /system
attribute system_file_type;
+# All types in /system_dlkm
+attribute system_dlkm_file_type;
+
# All types in /vendor
attribute vendor_file_type;
@@ -62,7 +71,7 @@
# All types used for sysfs files.
attribute sysfs_type;
-# Attribute for /sys/class/block files.
+# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute sysfs_block_type;
# All types use for debugfs files.
@@ -189,6 +198,8 @@
# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;
+# All services declared as part of an HAL
+attribute hal_service_type;
# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
@@ -213,6 +224,10 @@
# All domains used for binder service domains.
attribute binderservicedomain;
+# All domains which have BPF access.
+attribute bpfdomain;
+expandattribute bpfdomain false;
+
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
@@ -318,7 +333,6 @@
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
-hal_attribute(bufferhub);
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(can_bus);
@@ -328,6 +342,7 @@
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
+hal_attribute(dice);
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);
@@ -341,6 +356,7 @@
hal_attribute(health_storage);
hal_attribute(identity);
hal_attribute(input_classifier);
+hal_attribute(input_processor);
hal_attribute(ir);
hal_attribute(keymaster);
hal_attribute(keymint);
@@ -349,6 +365,7 @@
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
+hal_attribute(nlinterceptor);
hal_attribute(oemlock);
hal_attribute(omx);
hal_attribute(power);
@@ -365,6 +382,9 @@
hal_attribute(usb);
hal_attribute(usb_gadget);
hal_attribute(uwb);
+# TODO(b/196225233): Remove this attribute and its usages elsewhere
+# once all chip vendors integrate to the new UWB stack.
+hal_attribute(uwb_vendor);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
@@ -383,6 +403,7 @@
attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
+attribute evsmanager_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
@@ -399,3 +420,14 @@
# All types used for DSU metadata files.
attribute gsi_metadata_file_type;
+
+# Types used for module-specific APEX data directories under
+# /data/{misc,misc_ce,misc_de}/apexdata.
+attribute apex_data_file_type;
+
+# Domains used for charger.
+# This is the common type for domains that executes charger's
+# functionalities, including setting and getting necessary properties,
+# permissions to maintain the health loop, writing to kernel log, handling
+# inputs and drawing screens, etc.
+attribute charger_type;
diff --git a/public/bootanim.te b/public/bootanim.te
index 88fe173..9c7a0ee 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -13,6 +13,8 @@
hwbinder_use(bootanim)
allow bootanim gpu_device:chr_file rw_file_perms;
+allow bootanim gpu_device:dir r_dir_perms;
+allow bootanim sysfs_gpu:file r_file_perms;
# /oem access
allow bootanim oemfs:dir search;
diff --git a/public/bpfloader.te b/public/bpfloader.te
new file mode 100644
index 0000000..81c32ee
--- /dev/null
+++ b/public/bpfloader.te
@@ -0,0 +1 @@
+type bpfloader, domain, coredomain;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 7a29240..d41339a 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -28,12 +28,17 @@
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver package_native_service:service_manager find;
+allow cameraserver permission_checker_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;
+allow cameraserver hal_camera_service:service_manager find;
+
+# Allow to talk with surfaceflinger through unix stream socket
+allow cameraserver surfaceflinger:unix_stream_socket { read write };
###
### neverallow rules
@@ -53,7 +58,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow cameraserver domain:{ udp_socket rawip_socket } *;
+neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
diff --git a/public/charger.te b/public/charger.te
index 37359e3..418dff9 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -1,40 +1,5 @@
-type charger, domain;
+type charger, charger_type, domain;
type charger_exec, system_file_type, exec_type, file_type;
-# Write to /dev/kmsg
-allow charger kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charger, rootfs)
-r_dir_file(charger, cgroup)
-r_dir_file(charger, cgroup_v2)
-
-# Allow to read /sys/class/power_supply directory
-allow charger sysfs_type:dir r_dir_perms;
-
-allow charger self:global_capability_class_set { sys_tty_config };
-allow charger self:global_capability_class_set sys_boot;
-
-wakelock_use(charger)
-
-allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Read/write to /sys/power/state
-allow charger sysfs_power:file rw_file_perms;
-
-r_dir_file(charger, sysfs_batteryinfo)
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charger pstorefs:dir r_dir_perms;
-allow charger pstorefs:file r_file_perms;
-
-allow charger graphics_device:dir r_dir_perms;
-allow charger graphics_device:chr_file rw_file_perms;
-allow charger input_device:dir r_dir_perms;
-allow charger input_device:chr_file r_file_perms;
-allow charger tty_device:chr_file rw_file_perms;
-allow charger proc_sysrq:file rw_file_perms;
-
+# The system charger is a client of HIDL health HAL.
hal_client_domain(charger, hal_health)
diff --git a/public/charger_type.te b/public/charger_type.te
new file mode 100644
index 0000000..4241360
--- /dev/null
+++ b/public/charger_type.te
@@ -0,0 +1,37 @@
+# Write to /dev/kmsg
+allow charger_type kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger_type, rootfs)
+r_dir_file(charger_type, cgroup)
+r_dir_file(charger_type, cgroup_v2)
+
+# Allow to read /sys/class/power_supply directory
+allow charger_type sysfs_type:dir r_dir_perms;
+
+allow charger_type self:global_capability_class_set {
+ sys_boot
+ sys_tty_config
+};
+
+wakelock_use(charger_type)
+
+allow charger_type self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Read/write to /sys/power/state
+allow charger_type sysfs_power:file rw_file_perms;
+
+r_dir_file(charger_type, sysfs_batteryinfo)
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger_type pstorefs:dir r_dir_perms;
+allow charger_type pstorefs:file r_file_perms;
+
+allow charger_type graphics_device:dir r_dir_perms;
+allow charger_type graphics_device:chr_file rw_file_perms;
+allow charger_type input_device:dir r_dir_perms;
+allow charger_type input_device:chr_file r_file_perms;
+allow charger_type tty_device:chr_file rw_file_perms;
+allow charger_type proc_sysrq:file rw_file_perms;
diff --git a/public/charger_vendor.te b/public/charger_vendor.te
new file mode 100644
index 0000000..d8f3bb2
--- /dev/null
+++ b/public/charger_vendor.te
@@ -0,0 +1,6 @@
+# Context when health HAL runs charger mode
+
+type charger_vendor, charger_type, domain;
+hal_server_domain(charger_vendor, hal_health)
+
+typeattribute charger_vendor bpfdomain;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index a6f0a94..45269c3 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -34,12 +34,18 @@
# Read APEX data directories.
allow crash_dump apex_module_data_file:dir { getattr search };
+# Read uptime
+allow crash_dump proc_uptime:file r_file_perms;
+
# Read APK files.
r_dir_file(crash_dump, apk_data_file);
# Read all /vendor
r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+# Read all /data/local/tests
+r_dir_file(crash_dump, shell_test_data_file)
+
# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
@@ -65,10 +71,6 @@
dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;
-# Suppress denials for files in /proc that are passed
-# across exec().
-dontaudit crash_dump proc_type:file rw_file_perms;
-
###
### neverallow assertions
###
diff --git a/public/device.te b/public/device.te
index cc2ef57..1bb386f 100644
--- a/public/device.te
+++ b/public/device.te
@@ -6,16 +6,16 @@
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
-type block_device, dev_type, bdev_type;
+type block_device, dev_type;
type camera_device, dev_type;
-type dm_device, dev_type, bdev_type;
-type dm_user_device, dev_type, bdev_type;
+type dm_device, dev_type;
+type dm_user_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
-type loop_device, dev_type, bdev_type;
+type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
-type ram_device, dev_type, bdev_type;
+type ram_device, dev_type;
type rtc_device, dev_type;
type vd_device, dev_type;
type vold_device, dev_type;
@@ -73,51 +73,53 @@
type rpmsg_device, dev_type;
# Partition layout block device
-type root_block_device, dev_type, bdev_type;
+type root_block_device, dev_type;
# factory reset protection block device
-type frp_block_device, dev_type, bdev_type;
+type frp_block_device, dev_type;
# System block device mounted on /system.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type, bdev_type;
+# Documented at https://source.android.com/devices/bootloader/partitions
+type system_block_device, dev_type;
# Recovery block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type, bdev_type;
+# Documented at https://source.android.com/devices/bootloader/partitions
+type recovery_block_device, dev_type;
# boot block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type, bdev_type;
+# Documented at https://source.android.com/devices/bootloader/partitions
+type boot_block_device, dev_type;
# Userdata block device mounted on /data.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type, bdev_type;
+# Documented at https://source.android.com/devices/bootloader/partitions
+type userdata_block_device, dev_type;
# Cache block device mounted on /cache.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type, bdev_type;
+# Documented at https://source.android.com/devices/bootloader/partitions
+type cache_block_device, dev_type;
# Block device for any swap partition.
-type swap_block_device, dev_type, bdev_type;
+type swap_block_device, dev_type;
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type, bdev_type;
+# Metadata block device mounted on /metadata, used for encryption metadata and
+# various other purposes.
+# Documented at https://source.android.com/devices/bootloader/partitions
+type metadata_block_device, dev_type;
# The 'misc' partition used by recovery and A/B.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type, bdev_type;
+# Documented at https://source.android.com/devices/bootloader/partitions
+type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type, bdev_type;
+type super_block_device, super_block_device_type, dev_type;
# sdcard devices; normally vold uses the vold_block_device label and creates a
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type, bdev_type;
+type sdcard_block_device, dev_type;
# Userdata device file for filesystem tunables
type userdata_sysdev, dev_type;
+
+# Root disk file for disk tunables
+type rootdisk_sysdev, dev_type;
diff --git a/public/diced.te b/public/diced.te
new file mode 100644
index 0000000..0908936
--- /dev/null
+++ b/public/diced.te
@@ -0,0 +1,11 @@
+type diced, domain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+binder_use(diced)
+binder_service(diced)
+
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# Check SELinux permissions.
+selinux_check_access(diced)
diff --git a/public/domain.te b/public/domain.te
index 5c7c18c..bc3f373 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -88,6 +88,8 @@
# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;
+allow domain binderfs_features:dir search;
+allow domain binderfs_features:file r_file_perms;
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
@@ -100,7 +102,9 @@
# Public readable properties
get_prop(domain, aaudio_config_prop)
+get_prop(domain, apexd_select_prop)
get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bluetooth_config_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
@@ -112,6 +116,7 @@
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, fingerprint_prop)
+get_prop(domain, gwp_asan_prop)
get_prop(domain, hal_instrumentation_prop)
get_prop(domain, hw_timeout_multiplier_prop)
get_prop(domain, init_service_status_prop)
@@ -237,16 +242,30 @@
allow domain sysfs_transparent_hugepage:dir search;
allow domain sysfs_transparent_hugepage:file r_file_perms;
-# files under /data.
+# Allow search access, and sometimes getattr access, to various directories
+# under /data. We are fairly lenient in allowing search access to top-level
+# dirs that commonly need to be traversed to get access to the "real" files, as
+# this greatly simplifies the policy and doesn't open up much attack surface.
not_full_treble(`
allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Vendor components need the search
-# permission on system_data_root_file for path traversal to /data/vendor.
+# Anything that accesses anything in /data needs search access to /data itself.
+# This includes vendor components, as they need to access /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;
+# system_data_file is the default type for directories in /data. Anything
+# accessing data files with a more specific type often has to traverse a
+# system_data_file directory such as /data/misc to get there.
allow domain system_data_file:dir search;
+# Anything that accesses files in /data/user (and /data/user_de, etc.) needs
+# search access to these directories themselves. getattr access is sometimes
+# needed too.
+allow { coredomain appdomain } system_userdir_file:dir { search getattr };
+# Anything that accesses files in /data/media needs search access to /data/media
+# itself.
+allow { coredomain appdomain } media_userdir_file:dir search;
# TODO restrict this to non-coredomain
+allow domain vendor_userdir_file:dir { getattr search };
allow domain vendor_data_file:dir { getattr search };
# required by the dynamic linker
@@ -474,7 +493,7 @@
neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
+neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
@@ -610,26 +629,6 @@
-update_engine
} system_block_device:blk_file { write append };
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
- domain
- userdebug_or_eng(`-domain') # exclude debuggable builds
- -fastbootd
- -hal_bootctl_server
- -init
- -uncrypt
- -update_engine
- -vendor_init
- -vendor_misc_writer
- -vold
- -recovery
- -ueventd
- -mtectrl
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
@@ -686,7 +685,6 @@
-nfc_service
-radio_service
-virtual_touchpad_service
- -vr_hwc_service
-vr_manager_service
userdebug_or_eng(`-hal_face_service')
}:service_manager find;
@@ -869,6 +867,7 @@
core_data_file_type
-system_data_file # default label for files on /data. Covered below...
-system_data_root_file
+ -vendor_userdir_file
-vendor_data_file
-zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
@@ -881,6 +880,7 @@
-unencrypted_data_file
-system_data_file
-system_data_root_file
+ -vendor_userdir_file
-vendor_data_file
-zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
@@ -1046,19 +1046,7 @@
neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow { domain -system_server } app_zygote:sock_file write;
-neverallow {
- domain
- -tombstoned
- -crash_dump
- -dumpstate
- -incidentd
- -system_server
-
- # Processes that can't exec crash_dump
- -hal_codec2_server
- -hal_omx_server
- -mediaextractor
-} tombstoned_crash_socket:unix_stream_socket connectto;
+neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;
# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
# the tombstoned intercept socket.
@@ -1148,24 +1136,6 @@
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-# respect system_app sandboxes
-neverallow {
- domain
- -appdomain # finer-grained rules for appdomain are listed below
- -system_server #populate com.android.providers.settings/databases/settings.db.
- -installd # creation of app sandbox
- -iorap_inode2filename
- -traced_probes # resolve inodes for i/o tracing.
- # only needs open and read, the rest is neverallow in
- # traced_probes.te.
-} system_app_data_file:dir_file_class_set { create unlink open };
-neverallow {
- isolated_app
- untrusted_app_all # finer-grained rules for appdomain are listed below
- ephemeral_app
- priv_app
-} system_app_data_file:dir_file_class_set { create unlink open };
-
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
@@ -1228,17 +1198,6 @@
userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };
-# Same as above for /data/local/tmp files. We allow shell files
-# to be passed around by file descriptor, but not directly opened.
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -installd
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:file open;
-
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
@@ -1292,8 +1251,9 @@
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
+# vendor, boot, and system_dlkm partitions.
+# TODO(b/218951883): Remove usage of system and rootfs as origin
+neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
@@ -1363,12 +1323,15 @@
-coredomain
} mnt_product_file:dir *;
-# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
+# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL
full_treble_only(`
neverallow {
coredomain
- -healthd
-shell
+ # For access to block device information under /sys/class/block.
+ -apexd
+ # Read sysfs block device information.
+ -init
# Generate uevents for health info
-ueventd
# Recovery uses health HAL passthrough implementation.
diff --git a/public/drmserver.te b/public/drmserver.te
index eede0fc..d515079 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -18,11 +18,11 @@
# Perform Binder IPC to mediaserver
binder_call(drmserver, mediaserver)
-allow drmserver sdcard_type:dir search;
+allow drmserver { sdcard_type fuse }:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
-allow drmserver sdcard_type:file { read write getattr map };
+allow drmserver { sdcard_type fuse }:file { read write getattr map };
r_dir_file(drmserver, efs_file)
type drmserver_socket, file_type;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 85a5796..2c75f30 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -142,11 +142,13 @@
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
+# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
dump_hal(hal_thermal)
dump_hal(hal_power)
dump_hal(hal_power_stats)
@@ -154,6 +156,8 @@
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
+dump_hal(hal_contexthub)
+dump_hal(hal_drm)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
@@ -184,6 +188,7 @@
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
+allow dumpstate gpu_device:dir r_dir_perms;
# logd access
read_logd(dumpstate)
@@ -252,9 +257,9 @@
-apex_service
-dumpstate_service
-gatekeeper_service
+ -hal_service_type
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
@@ -262,9 +267,9 @@
apex_service
dumpstate_service
gatekeeper_service
+ hal_service_type
virtual_touchpad_service
vold_service
- vr_hwc_service
}:service_manager find;
# Most of these are neverallowed.
diff --git a/public/evsmanagerd.te b/public/evsmanagerd.te
new file mode 100644
index 0000000..cde0380
--- /dev/null
+++ b/public/evsmanagerd.te
@@ -0,0 +1,2 @@
+# evsmanager daemon
+type evsmanagerd, domain;
diff --git a/public/extra_free_kbytes.te b/public/extra_free_kbytes.te
new file mode 100644
index 0000000..ed0c935
--- /dev/null
+++ b/public/extra_free_kbytes.te
@@ -0,0 +1,13 @@
+# The extra_free_kbytes.sh script run by init.
+type extra_free_kbytes, domain;
+type extra_free_kbytes_exec, system_file_type, exec_type, file_type;
+
+# required permissions to run the script from init
+allow extra_free_kbytes shell_exec:file rx_file_perms;
+allow extra_free_kbytes system_file:file x_file_perms;
+allow extra_free_kbytes toolbox_exec:file rx_file_perms;
+
+# files used by the script
+allow extra_free_kbytes proc_extra_free_kbytes:file rw_file_perms;
+allow extra_free_kbytes proc_watermark_scale_factor:file rw_file_perms;
+allow extra_free_kbytes proc_zoneinfo:file r_file_perms;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index e167a5e..0c43a89 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -10,6 +10,10 @@
# fastbootd can only use HALs in passthrough mode
passthrough_hal_client_domain(fastbootd, hal_bootctl)
+ # fastbootd can use AIDL HALs in binder mode
+ binder_use(fastbootd)
+ hal_client_domain(fastbootd, hal_health)
+
# Access /dev/usb-ffs/fastbootd/ep0
allow fastbootd functionfs:dir search;
allow fastbootd functionfs:file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index dc788ac..009e86d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -7,12 +7,14 @@
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
+type binderfs_features, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
type proc_overcommit_memory, fs_type, proc_type;
type proc_min_free_order_shift, fs_type, proc_type;
type proc_kpageflags, fs_type, proc_type;
+type proc_watermark_boost_factor, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -22,8 +24,10 @@
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
type proc_bootconfig, fs_type, proc_type;
+type proc_bpf, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
+type proc_cpu_alignment, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
@@ -76,6 +80,7 @@
type proc_version, fs_type, proc_type;
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
+type proc_watermark_scale_factor, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
type proc_vendor_sched, proc_type, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
@@ -86,7 +91,6 @@
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
@@ -102,6 +106,7 @@
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_loop, fs_type, sysfs_type;
+type sysfs_gpu, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
@@ -111,11 +116,13 @@
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
+type sysfs_lru_gen_enabled, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
+type sysfs_fs_fuse_bpf, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
type sysfs_vendor_sched, sysfs_type, fs_type;
@@ -124,6 +131,7 @@
')
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
+type fs_bpf_vendor, fs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
@@ -144,7 +152,7 @@
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
+type fuse, fusefs_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
@@ -166,7 +174,7 @@
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
+type app_fusefs, fs_type, fusefs_type, contextmount_type;
# File types
type unlabeled, file_type;
@@ -246,6 +254,14 @@
type vendor_keychars_file, vendor_file_type, file_type;
type vendor_idc_file, vendor_file_type, file_type;
+# Type for vendor uuid mapping config file
+type vendor_uuid_mapping_config_file, vendor_file_type, file_type;
+
+# SoC-specific virtual machine disk files
+type vendor_vm_file, vendor_file_type, file_type;
+# SoC-specific virtual machine disk files that are mutable
+type vendor_vm_data_file, vendor_file_type, file_type;
+
# /metadata partition itself
type metadata_file, file_type;
# Vold files within /metadata
@@ -283,12 +299,20 @@
type system_data_root_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
+# Default type for directories containing per-user encrypted directories, such
+# as /data/user and /data/user_de.
+type system_userdir_file, file_type, data_file_type, core_data_file_type;
# Type for /data/system/packages.list.
# TODO(b/129332765): Narrow down permissions to this.
# Find out users of system_data_file that should be granted only this.
type packages_list_file, file_type, data_file_type, core_data_file_type;
-# Default type for anything under /data/vendor{_ce,_de}.
+type game_mode_intervention_list_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything inside /data/vendor_{ce,de}.
type vendor_data_file, file_type, data_file_type;
+# Type for /data/vendor_{ce,de} themselves. This has core_data_file_type
+# because these directories themselves are platform-managed; only the files
+# *inside* them are vendor data. (Somewhat similar to system_data_root_file.)
+type vendor_userdir_file, file_type, data_file_type, core_data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# installd-create files in /data/misc/installd such as layout_version
@@ -391,13 +415,10 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
-type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
+type apex_system_server_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
-type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
-type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
-type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
type appcompat_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
@@ -413,6 +434,7 @@
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type media_userdir_file, file_type, data_file_type, core_data_file_type;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
@@ -507,6 +529,7 @@
type rild_socket, file_type;
type rild_debug_socket, file_type;
type snapuserd_socket, file_type, coredomain_socket;
+type snapuserd_proxy_socket, file_type, coredomain_socket;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
@@ -560,9 +583,6 @@
# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;
-# nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, vendor_file_type, file_type;
-
# hwservice_contexts file
type hwservice_contexts_file, system_file_type, file_type;
@@ -575,6 +595,9 @@
# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;
+# system_dlkm
+type system_dlkm_file, system_dlkm_file_type, file_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
diff --git a/public/fsck.te b/public/fsck.te
index 7a9fbee..1fb5d0d 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -14,7 +14,6 @@
allow fsck vold:fifo_file { read write getattr };
# Run fsck on certain block devices
-allow fsck block_device:dir search;
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
@@ -22,6 +21,12 @@
allow fsck system_block_device:blk_file rw_file_perms;
')
+# e2fsck performs a comprehensive search of /proc/mounts to check whether the
+# checked filesystem is currently mounted.
+allow fsck metadata_file:dir getattr;
+allow fsck block_device:dir search;
+allow fsck mirror_data_file:dir search;
+
# For the block devices where we have ioctl access,
# allow at a minimum the following common fsck ioctls.
allowxperm fsck dev_type:blk_file ioctl {
diff --git a/public/fwk_bufferhub.te b/public/fwk_bufferhub.te
deleted file mode 100644
index 03486bd..0000000
--- a/public/fwk_bufferhub.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_bufferhub_client, hal_bufferhub_server)
-binder_call(hal_bufferhub_server, hal_bufferhub_client)
-
-hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
diff --git a/public/hal_audio.te b/public/hal_audio.te
index d1970b9..52caa00 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -7,6 +7,8 @@
allow hal_audio ion_device:chr_file r_file_perms;
+binder_call(hal_audio_server, servicemanager)
+
r_dir_file(hal_audio, proc)
r_dir_file(hal_audio, proc_asound)
allow hal_audio_server audio_device:dir r_dir_perms;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 45fad56..df70ab6 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,7 +2,11 @@
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
+#binder IPC from client to service manager and callbacks
+binder_use(hal_camera_server)
+
hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
+hal_attribute_service(hal_camera, hal_camera_service)
allow hal_camera device:dir r_dir_perms;
allow hal_camera video_device:dir r_dir_perms;
@@ -32,7 +36,7 @@
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index 34acb38..14c2dbc 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -2,4 +2,9 @@
binder_call(hal_contexthub_client, hal_contexthub_server)
binder_call(hal_contexthub_server, hal_contexthub_client)
+add_service(hal_contexthub_server, hal_contexthub_service)
+binder_call(hal_contexthub_server, servicemanager)
+
+allow hal_contexthub_client hal_contexthub_service:service_manager find;
+
hal_attribute_hwservice(hal_contexthub, hal_contexthub_hwservice)
diff --git a/public/hal_dice.te b/public/hal_dice.te
new file mode 100644
index 0000000..92222c5
--- /dev/null
+++ b/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)
diff --git a/public/hal_drm.te b/public/hal_drm.te
index bb1bd91..72fa308 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -1,8 +1,10 @@
# HwBinder IPC from client to server, and callbacks
+binder_use(hal_drm_server)
binder_call(hal_drm_client, hal_drm_server)
binder_call(hal_drm_server, hal_drm_client)
hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
+hal_attribute_service(hal_drm, hal_drm_service)
allow hal_drm hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 9f854e3..aee283a 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -5,6 +5,9 @@
set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
+hal_attribute_service(hal_dumpstate, hal_dumpstate_service)
+
+binder_call(hal_dumpstate_server, servicemanager)
# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
allow hal_dumpstate shell_data_file:file write;
diff --git a/public/hal_evs.te b/public/hal_evs.te
index 789333a..09a40d8 100644
--- a/public/hal_evs.te
+++ b/public/hal_evs.te
@@ -1,5 +1,15 @@
hwbinder_use(hal_evs_client)
hwbinder_use(hal_evs_server)
+
binder_call(hal_evs_client, hal_evs_server)
binder_call(hal_evs_server, hal_evs_client)
-hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
+
+# Below lines are equivalent to hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
+# except it allows evsmanagerd to add hal_evs_hwservice.
+allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
+allow hal_evs_server hal_evs_hwservice:hwservice_manager { add find };
+allow hal_evs_server hidl_base_hwservice:hwservice_manager add;
+neverallow { domain -hal_evs_server -evsmanagerd } hal_evs_hwservice:hwservice_manager add;
+
+# Allows to add a service
+hal_attribute_service(hal_evs, hal_evs_service)
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 3ec6b96..7ef27113 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -7,8 +7,14 @@
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator gpu_device:dir r_dir_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
+
+# IAllocator stable-aidl
+hal_attribute_service(hal_graphics_allocator, hal_graphics_allocator_service)
+binder_call(hal_graphics_allocator_server, servicemanager)
+binder_call(hal_graphics_allocator_client, servicemanager)
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 1c69c99..e99d45f 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -15,6 +15,7 @@
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer gpu_device:dir r_dir_perms;
allow hal_graphics_composer ion_device:chr_file r_file_perms;
allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_graphics_composer hal_graphics_allocator:fd use;
@@ -30,3 +31,12 @@
# allow self to set SCHED_FIFO
allow hal_graphics_composer self:global_capability_class_set sys_nice;
+
+# allow surfaceflinger to use a pipe for dumpsys output
+allow hal_graphics_composer_server hal_graphics_composer_client:fifo_file write;
+
+
+binder_call(hal_graphics_composer_client, servicemanager)
+binder_call(hal_graphics_composer_server, servicemanager)
+
+hal_attribute_service(hal_graphics_composer, hal_graphics_composer_service)
diff --git a/public/hal_health.te b/public/hal_health.te
index dc7d083..5d7aff5 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -3,6 +3,7 @@
binder_call(hal_health_server, hal_health_client)
hal_attribute_hwservice(hal_health, hal_health_hwservice)
+hal_attribute_service(hal_health, hal_health_service)
# Common rules for a health service.
@@ -25,3 +26,8 @@
# Allow to use timerfd to wake itself up periodically to send health info.
allow hal_health_server self:capability2 wake_alarm;
+
+# Use bpf programs
+allow hal_health_server fs_bpf_vendor:dir search;
+allow hal_health_server fs_bpf_vendor:file read;
+allow hal_health_server bpfloader:bpf prog_run;
diff --git a/public/hal_input_processor.te b/public/hal_input_processor.te
new file mode 100644
index 0000000..77d1d70
--- /dev/null
+++ b/public/hal_input_processor.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_processor_client, hal_input_processor_server)
+binder_call(hal_input_processor_server, servicemanager)
+
+hal_attribute_service(hal_input_processor, hal_input_processor_service)
diff --git a/public/hal_ir.te b/public/hal_ir.te
index 29555f7..452127a 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -2,4 +2,7 @@
binder_call(hal_ir_client, hal_ir_server)
binder_call(hal_ir_server, hal_ir_client)
+hal_attribute_service(hal_ir, hal_ir_service)
+binder_call(hal_ir_server, servicemanager)
+
hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 7497dec..04d0b59 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -28,6 +28,10 @@
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
+
+# Allow NN HAL client to read device_config_nnapi_native_prop.
+get_prop(hal_neuralnetworks_client, device_config_nnapi_native_prop)
+
# This property is only expected to be found in /product/build.prop,
# allow to be set only by init.
neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 105689b..e77ea9d 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -9,6 +9,9 @@
-hal_wifi_supplicant_server
-hal_telephony_server
-hal_uwb_server
+ # TODO(b/196225233): Remove hal_uwb_vendor_server
+ -hal_uwb_vendor_server
+ -hal_nlinterceptor_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -27,15 +30,33 @@
-hal_wifi_supplicant_server
-hal_telephony_server
-hal_uwb_server
-} domain:{ tcp_socket udp_socket rawip_socket } *;
+ # TODO(b/196225233): Remove hal_uwb_vendor_server
+ -hal_uwb_vendor_server
+ -hal_nlinterceptor_server
+} domain:{ udp_socket rawip_socket } *;
+
+neverallow {
+ halserverdomain
+ -hal_automotive_socket_exemption
+ -hal_can_controller_server
+ -hal_tetheroffload_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+ -hal_nlinterceptor_server
+} {
+ domain
+ userdebug_or_eng(`-su')
+}:tcp_socket *;
# The UWB HAL is not actually a networking HAL but may need to bring up and down
# interfaces. Restrict it to only these networking operations.
-neverallow hal_uwb_server self:global_capability_class_set { net_raw };
+neverallow hal_uwb_vendor_server self:global_capability_class_set { net_raw };
# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
# udp_socket is required to use interface ioctls.
-neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+neverallow hal_uwb_vendor_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
###
# HALs are defined as an attribute and so a given domain could hypothetically
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 7cef4a1..3d0202b 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -1,8 +1,10 @@
# HwBinder IPC from client to server, and callbacks
binder_call(hal_nfc_client, hal_nfc_server)
binder_call(hal_nfc_server, hal_nfc_client)
+binder_call(hal_nfc_server, servicemanager)
hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
+hal_attribute_service(hal_nfc, hal_nfc_service)
# Set NFC properties (used by bcm2079x HAL).
set_prop(hal_nfc, nfc_prop)
diff --git a/public/hal_nlinterceptor.te b/public/hal_nlinterceptor.te
new file mode 100644
index 0000000..1a738a5
--- /dev/null
+++ b/public/hal_nlinterceptor.te
@@ -0,0 +1,8 @@
+binder_call(hal_nlinterceptor_client, hal_nlinterceptor_server)
+
+hal_attribute_service(hal_nlinterceptor, hal_nlinterceptor_service)
+binder_call(hal_nlinterceptor, servicemanager)
+
+allow hal_nlinterceptor self:global_capability_class_set net_admin;
+allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_nlinterceptor self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_readpriv nlmsg_write };
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 8e74383..2611dcd 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -46,4 +46,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
+neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 06e76f1..f25a2ea 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -12,3 +12,8 @@
# allow to run with real-time scheduling policy
allow hal_sensors self:global_capability_class_set sys_nice;
+
+add_service(hal_sensors_server, hal_sensors_service)
+binder_call(hal_sensors_server, servicemanager)
+
+allow hal_sensors_client hal_sensors_service:service_manager find;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index f0cf075..e21796a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,6 +3,7 @@
binder_call(hal_telephony_server, hal_telephony_client)
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
+hal_attribute_service(hal_telephony, hal_radio_service)
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
@@ -42,3 +43,6 @@
# granting the ioctl permission for hal_telephony_server should be device specific
allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
+
+# Allow AIDL HAL shim to call HIDL HAL implementation
+binder_call(hal_telephony_server, hal_telephony_server)
diff --git a/public/hal_tv_tuner.te b/public/hal_tv_tuner.te
index 0da4ec7..4b7c030 100644
--- a/public/hal_tv_tuner.te
+++ b/public/hal_tv_tuner.te
@@ -2,3 +2,7 @@
binder_call(hal_tv_tuner_server, hal_tv_tuner_client)
hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)
+hal_attribute_service(hal_tv_tuner, hal_tv_tuner_service)
+
+binder_call(hal_tv_tuner_server, servicemanager)
+binder_call(hal_tv_tuner_client, servicemanager)
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 38bc49a..45cafaa 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -2,6 +2,9 @@
binder_call(hal_usb_client, hal_usb_server)
binder_call(hal_usb_server, hal_usb_client)
+hal_attribute_service(hal_usb, hal_usb_service)
+binder_call(hal_usb_server, servicemanager)
+
hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
allow hal_usb self:netlink_kobject_uevent_socket create;
diff --git a/public/hal_uwb.te b/public/hal_uwb.te
new file mode 100644
index 0000000..dc334fc
--- /dev/null
+++ b/public/hal_uwb.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_uwb_client, hal_uwb_server)
+binder_call(hal_uwb_server, hal_uwb_client)
+
+hal_attribute_service(hal_uwb, hal_uwb_service)
+
+binder_call(hal_uwb_server, servicemanager)
+binder_call(hal_uwb_client, servicemanager)
diff --git a/public/hal_vehicle.te b/public/hal_vehicle.te
index 6855d14..c9eff55 100644
--- a/public/hal_vehicle.te
+++ b/public/hal_vehicle.te
@@ -4,3 +4,4 @@
hal_attribute_hwservice(hal_vehicle, hal_vehicle_hwservice)
+hal_attribute_service(hal_vehicle, hal_vehicle_service)
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 12d72b6..eeb72ba 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -3,6 +3,11 @@
binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
+hal_attribute_service(hal_wifi_hostapd, hal_wifi_hostapd_service)
+
+binder_use(hal_wifi_hostapd_server)
+
+allow hal_wifi_hostapd_server dumpstate:fifo_file write;
allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
@@ -23,5 +28,5 @@
###
# hal_wifi_hostapd should not trust any data from sdcards
-neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_hostapd_server sdcard_type:file *;
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:file *;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 7361af1..b531a22 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -3,6 +3,7 @@
binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
+hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
@@ -34,5 +35,5 @@
###
# wpa_supplicant should not trust any data from sdcards
-neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_supplicant_server sdcard_type:file *;
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:file *;
diff --git a/public/healthd.te b/public/healthd.te
index 05acb84..c5dcfb7 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -1,50 +1,4 @@
# healthd - battery/charger monitoring service daemon
+# healthd is removed. The type is kept for backwards compatibility.
+
type healthd, domain;
-type healthd_exec, system_file_type, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow healthd kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-allow healthd sysfs_type:dir search;
-# Allow to read /sys/class/power_supply directory.
-allow healthd sysfs:dir r_dir_perms;
-r_dir_file(healthd, rootfs)
-r_dir_file(healthd, cgroup)
-r_dir_file(healthd, cgroup_v2)
-
-allow healthd self:global_capability_class_set { sys_tty_config };
-allow healthd self:global_capability_class_set sys_boot;
-dontaudit healthd self:global_capability_class_set sys_resource;
-
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-wakelock_use(healthd)
-
-hal_client_domain(healthd, hal_health)
-
-# Read/write to /sys/power/state
-allow healthd sysfs_power:file rw_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow healthd sysfs_usb:file write;
-
-r_dir_file(healthd, sysfs_batteryinfo)
-
-###
-### healthd: charger mode
-###
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow healthd pstorefs:dir r_dir_perms;
-allow healthd pstorefs:file r_file_perms;
-
-allow healthd graphics_device:dir r_dir_perms;
-allow healthd graphics_device:chr_file rw_file_perms;
-allow healthd input_device:dir r_dir_perms;
-allow healthd input_device:chr_file r_file_perms;
-allow healthd tty_device:chr_file rw_file_perms;
-allow healthd ashmem_device:chr_file execute;
-allow healthd proc_sysrq:file rw_file_perms;
diff --git a/public/init.te b/public/init.te
index ea5a979..cc28098 100644
--- a/public/init.te
+++ b/public/init.te
@@ -36,8 +36,9 @@
allow init { device socket_device dm_user_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
@@ -98,6 +99,7 @@
mnt_user_file
system_data_file
system_data_root_file
+ system_dlkm_file
system_file
vendor_file
postinstall_mnt_dir
@@ -142,7 +144,7 @@
# /metadata
allow init metadata_file:dir mounton;
-# Use tmpfs as /data, used for booting when /data is encrypted
+# Run restorecon on /dev
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
@@ -156,6 +158,7 @@
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
allowxperm init dev_type:blk_file ioctl BLKROSET;
+allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN;
# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
@@ -201,6 +204,7 @@
-nativetest_data_file
-privapp_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
}:dir { create search getattr open read setattr ioctl };
@@ -208,17 +212,21 @@
allow init {
file_type
-app_data_file
+ -credstore_data_file
-exec_type
-iorapd_data_file
- -credstore_data_file
-keystore_data_file
+ -media_userdir_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
+ -system_userdir_file
-vendor_file_type
+ -vendor_userdir_file
-vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };
@@ -237,6 +245,7 @@
-runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
@@ -245,6 +254,10 @@
allow init tracefs_type:file { create_file_perms relabelfrom };
+# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
+# subcontext for action/service defined in APEXes.
+allow init apex_info_file:file r_file_perms;
+
allow init {
file_type
-app_data_file
@@ -258,6 +271,7 @@
-privapp_data_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
@@ -277,6 +291,7 @@
-privapp_data_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
@@ -286,6 +301,7 @@
allow init {
file_type
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-exec_type
@@ -313,11 +329,12 @@
-keychord_device
-proc_type
-sdcard_type
+ -fusefs_type
-sysfs_type
-rootfs
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
+allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir { open read setattr search };
allow init {
binder_device
@@ -370,6 +387,8 @@
allow init {
proc_abi
+ proc_bpf
+ proc_cpu_alignment
proc_dirty
proc_hostname
proc_hung_task
@@ -383,6 +402,7 @@
proc_perf
proc_sched
proc_sysrq
+ proc_watermark_boost_factor
}:file w_file_perms;
allow init {
@@ -411,6 +431,7 @@
sysfs_power
sysfs_fs_f2fs
sysfs_dm
+ sysfs_lru_gen_enabled
}:file w_file_perms;
allow init {
@@ -432,6 +453,7 @@
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_GET_STATUS
+ LOOP_SET_STATUS64
};
# Allow init to write to vibrator/trigger
@@ -585,6 +607,7 @@
allow init misc_block_device:blk_file w_file_perms;
r_dir_file(init, system_file)
+r_dir_file(init, system_dlkm_file_type)
r_dir_file(init, vendor_file_type)
allow init system_data_file:file { getattr read };
@@ -604,8 +627,7 @@
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
@@ -613,6 +635,9 @@
# allow filesystem tuning
allow init userdata_sysdev:file create_file_perms;
+# allow disk tuning
+allow init rootdisk_sysdev:file create_file_perms;
+
###
### neverallow rules
###
@@ -648,7 +673,7 @@
neverallow init shell_data_file:dir { write add_name remove_name };
# Init should not access sysfs node that are not explicitly labeled.
-neverallow init sysfs:file { open read write };
+neverallow init sysfs:file { open write };
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
diff --git a/public/installd.te b/public/installd.te
index 08060e3..216704d 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@
type installd, domain;
type installd_exec, system_file_type, exec_type, file_type;
typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin kill };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
@@ -13,13 +13,6 @@
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
-# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
-# TODO(b/120629632): this path is deprecated, remove when possible.
-allowxperm installd apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
@@ -49,13 +42,12 @@
allow installd asec_image_file:dir search;
allow installd asec_image_file:file getattr;
-# Create /data/user and /data/user/0 if necessary.
-# Also required to initially create /data/data subdirectories
+# Required to initially create subdirectories of /data/user/$userId
# and lib symlinks before the setfilecon call. May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir create_dir_perms;
-# Also, allow read for lnk_file so that we can process /data/user/0 links when
-# optimizing application code.
+# Also, allow read for lnk_file so that we can process symlinks within
+# /data/user/$userId when optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
# Manage lower filesystem via pass_through mounts
@@ -69,15 +61,17 @@
allow installd media_rw_data_file:dir relabelto;
# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd media_userdir_file:dir r_dir_perms;
allow installd tmpfs:dir r_dir_perms;
allow installd storage_file:dir search;
-allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
-allow installd sdcard_type:file { getattr unlink };
+allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
+allow installd { sdcard_type fuse }:file { getattr unlink };
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
allow installd mirror_data_file:dir { create_dir_perms mounton };
# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd system_userdir_file:dir r_dir_perms;
allow installd misc_user_data_file:dir create_dir_perms;
allow installd misc_user_data_file:file create_file_perms;
allow installd keychain_data_file:dir create_dir_perms;
@@ -115,6 +109,16 @@
allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+# Allow setting extended attributes (for project quota IDs) on dirs and files
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
+# Added install_data_file to be able to create file under /data/misc/installd/ioctl_check
+allowxperm installd { app_data_file_type system_data_file install_data_file}:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
+
# Similar for the files under /data/misc/profiles/
allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
allow installd user_profile_data_file:dir { create_dir_perms relabelto };
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 5ac4d94..11f7f3e 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,6 +132,7 @@
define(`BC_REPLY', `0x40406301')
define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_GET_EXTENDED_ERROR', `0xc0486211')
define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
define(`BINDER_FREEZE', `0x400c620e')
define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
@@ -722,6 +723,7 @@
define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
+define(`F2FS_IOC_SHUTDOWN', `0x587d')
define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
@@ -841,6 +843,7 @@
define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
+define(`FUNCTIONFS_ENDPOINT_ALLOC', `0x000067e7')
define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 47a5157..64ee1b0 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -73,4 +73,5 @@
BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
+BINDER_GET_EXTENDED_ERROR
}')
diff --git a/public/iorapd.te b/public/iorapd.te
index b970699..8fded0c 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -27,9 +27,6 @@
allow iorapd dumpstate:fd use;
allow iorapd dumpstate:fifo_file write;
-# talk to batteryservice
-binder_call(iorapd, healthd)
-
# TODO: does each of the service_manager allow finds above need the binder_call?
# iorapd temporarily changes its priority when running benchmarks
@@ -87,11 +84,11 @@
neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
neverallow iorapd {
domain
- -healthd
-servicemanager
-system_server
userdebug_or_eng(`-su')
}:binder call;
neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow iorapd domain:{ udp_socket rawip_socket } *;
+neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/kernel.te b/public/kernel.te
index 9aa40cc..09d2480 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -56,7 +56,7 @@
allow kernel self:security setcheckreqprot;
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel sdcard_type:file { read write };
+allow kernel { sdcard_type fuse }:file { read write };
# f_mtp driver accesses files from kernel context.
allow kernel mediaprovider:fd use;
@@ -95,6 +95,11 @@
staging_data_file
vendor_apex_file
}:file read;
+# Also allow the kernel to read /data/local/tmp files via loop device
+# for ApexTestCases
+userdebug_or_eng(`
+ allow kernel shell_data_file:file read;
+')
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
diff --git a/public/keystore.te b/public/keystore.te
index b7d5090..e1c58a4 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -13,6 +13,7 @@
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
+add_service(keystore, remotelyprovisionedkeypool_service)
add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
@@ -43,3 +44,7 @@
# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+
+# The software KeyMint implementation used in km_compat needs
+# to read the vendor security patch level.
+get_prop(keystore, vendor_security_patch_level_prop);
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 06f7928..1315b8f 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -26,7 +26,7 @@
crash_dump_fallback(mediaextractor)
# allow mediaextractor read permissions for file sources
-allow mediaextractor sdcard_type:file { getattr read };
+allow mediaextractor { sdcard_type fuse }:file { getattr read };
allow mediaextractor media_rw_data_file:file { getattr read };
allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
@@ -59,7 +59,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
+neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 468c0d0..76f819e 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -42,4 +42,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediametrics domain:{ udp_socket rawip_socket } *;
+neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index ad460e1..621b6d7 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -8,6 +8,7 @@
net_domain(mediaserver)
r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, fuse)
r_dir_file(mediaserver, cgroup)
r_dir_file(mediaserver, cgroup_v2)
@@ -30,8 +31,9 @@
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
-allow mediaserver sdcard_type:file write;
+allow mediaserver { sdcard_type fuse }:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:dir r_dir_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 5726842..edbab03 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -25,3 +25,5 @@
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaswcodec gpu_device:chr_file rw_file_perms;
+allow mediaswcodec gpu_device:dir r_dir_perms;
diff --git a/public/mediatranscoding.te b/public/mediatranscoding.te
new file mode 100644
index 0000000..420d038
--- /dev/null
+++ b/public/mediatranscoding.te
@@ -0,0 +1 @@
+type mediatranscoding, domain;
diff --git a/public/mtectrl.te b/public/mtectrl.te
deleted file mode 100644
index 2fb8a96..0000000
--- a/public/mtectrl.te
+++ /dev/null
@@ -1 +0,0 @@
-type mtectrl, domain, coredomain;
diff --git a/public/net.te b/public/net.te
index e90715e..31c9c45 100644
--- a/public/net.te
+++ b/public/net.te
@@ -13,21 +13,8 @@
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
-# to avoid app-compat breakage.
-allow {
- netdomain
- -ephemeral_app
- -mediaprovider
- -untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/public/netd.te b/public/netd.te
index ff0bff6..64b4c7d 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,7 +64,6 @@
r_dir_file(netd, cgroup_v2)
-allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related
@@ -87,6 +86,7 @@
binder_use(netd)
add_service(netd, netd_service)
add_service(netd, dnsresolver_service)
+add_service(netd, mdns_service)
allow netd dumpstate:fifo_file { getattr write };
# Allow netd to call into the system server so it can check permissions.
@@ -150,6 +150,16 @@
-netutils_wrapper
} dnsresolver_service:service_manager find;
+# only system_server, dumpstate and network stack app may find mdns service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} mdns_service:service_manager find;
+
# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
diff --git a/public/property.te b/public/property.te
index 2b2af6d..7de6540 100644
--- a/public/property.te
+++ b/public/property.te
@@ -16,7 +16,6 @@
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
system_internal_prop(boottime_prop)
- system_internal_prop(bpf_progs_loaded_prop)
system_internal_prop(charger_prop)
system_internal_prop(cold_boot_done_prop)
system_internal_prop(ctl_adbd_prop)
@@ -64,21 +63,26 @@
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
-system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
+system_restricted_prop(device_config_surface_flinger_native_boot_prop)
+system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(fingerprint_prop)
+system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
system_restricted_prop(hypervisor_prop)
system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(persist_wm_debug_prop)
system_restricted_prop(power_debug_prop)
system_restricted_prop(property_service_version_prop)
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
+system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
system_restricted_prop(sqlite_log_prop)
system_restricted_prop(surfaceflinger_display_prop)
@@ -115,10 +119,12 @@
# Properties which can be written only by vendor_init
system_vendor_config_prop(apexd_config_prop)
+system_vendor_config_prop(apexd_select_prop)
system_vendor_config_prop(aaudio_config_prop)
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(bootanim_config_prop)
+system_vendor_config_prop(bluetooth_config_prop)
system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
@@ -179,6 +185,8 @@
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
system_public_prop(bluetooth_prop)
+system_public_prop(bpf_progs_loaded_prop)
+system_public_prop(charger_status_prop)
system_public_prop(ctl_default_prop)
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
@@ -191,6 +199,7 @@
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
system_public_prop(ffs_control_prop)
+system_public_prop(gesture_prop)
system_public_prop(hal_dumpstate_config_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
@@ -210,6 +219,7 @@
system_public_prop(serialno_prop)
system_public_prop(surfaceflinger_color_prop)
system_public_prop(system_prop)
+system_public_prop(system_user_mode_emulation_prop)
system_public_prop(telephony_status_prop)
system_public_prop(usb_control_prop)
system_public_prop(vold_post_fs_data_prop)
@@ -224,6 +234,12 @@
# Properties used in default HAL implementations
vendor_internal_prop(rebootescrow_hal_prop)
+# Properties used in the default Face HAL implementations
+vendor_internal_prop(virtual_face_hal_prop)
+
+# Properties used in the default Fingerprint HAL implementations
+vendor_internal_prop(virtual_fingerprint_hal_prop)
+
vendor_public_prop(persist_vendor_debug_wifi_prop)
# Properties which are public for devices launching with Android O or earlier
@@ -231,7 +247,6 @@
not_compatible_property(`
# DO NOT ADD ANY PROPERTIES HERE
system_public_prop(boottime_prop)
- system_public_prop(bpf_progs_loaded_prop)
system_public_prop(charger_prop)
system_public_prop(cold_boot_done_prop)
system_public_prop(ctl_adbd_prop)
diff --git a/public/recovery.te b/public/recovery.te
old mode 100644
new mode 100755
index 3649888..324320b
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -9,9 +9,13 @@
recovery_only(`
# Allow recovery to perform an update as update_engine would do.
typeattribute recovery update_engine_common;
- # Recovery can only use HALs in passthrough mode
+ # Recovery can use HIDL HALs in passthrough mode
passthrough_hal_client_domain(recovery, hal_bootctl)
+ # Recovery can use AIDL HALs in binder mode
+ binder_use(recovery)
+ hal_client_domain(recovery, hal_health)
+
allow recovery self:global_capability_class_set {
chown
dac_override
@@ -133,6 +137,10 @@
# Allow mounting /metadata for writing update states
allow recovery metadata_file:dir { getattr mounton };
+
+ # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts.
+ allow recovery devpts:chr_file rw_file_perms;
+ allow recovery kmsg_device:chr_file { getattr w_file_perms };
')
###
diff --git a/public/rootdisk_sysdev.te b/public/rootdisk_sysdev.te
new file mode 100644
index 0000000..f92fd79
--- /dev/null
+++ b/public/rootdisk_sysdev.te
@@ -0,0 +1 @@
+allow rootdisk_sysdev sysfs:filesystem associate;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index bb1c919..220e7d0 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,11 +10,11 @@
allow sdcardd mnt_media_rw_file:dir r_dir_perms;
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
+allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
+allow sdcardd { sdcard_type fuse }:dir create_dir_perms;
+allow sdcardd { sdcard_type fuse }:file create_file_perms;
allow sdcardd media_rw_data_file:dir create_dir_perms;
allow sdcardd media_rw_data_file:file create_file_perms;
diff --git a/public/service.te b/public/service.te
index ba7837d..0fd2360 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,16 +1,21 @@
type aidl_lazy_test_service, service_manager_type;
type apc_service, service_manager_type;
type apex_service, service_manager_type;
+type artd_service, service_manager_type;
type audioserver_service, service_manager_type;
type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
type default_android_service, service_manager_type;
+type dice_maintenance_service, service_manager_type;
+type dice_node_service, service_manager_type;
type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
+type evsmanagerd_service, service_manager_type;
type fingerprintd_service, service_manager_type;
+type fwk_automotive_display_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type idmap_service, service_manager_type;
@@ -24,6 +29,7 @@
type keystore_service, service_manager_type;
type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
+type mdns_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
@@ -32,6 +38,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
+type remotelyprovisionedkeypool_service, service_manager_type;
type remoteprovisioning_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
@@ -54,15 +61,17 @@
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type adb_service, system_api_service, system_server_service, service_manager_type;
+type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
-type app_hibernation_service, system_api_service, system_server_service, service_manager_type;
+type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type attestation_verification_service, app_api_service, system_server_service, service_manager_type;
type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type auth_service, app_api_service, system_server_service, service_manager_type;
type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -76,10 +85,12 @@
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type cloudsearch_service, app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type;
type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -137,6 +148,7 @@
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type locale_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_time_zone_manager_service, system_server_service, service_manager_type;
type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type;
@@ -151,6 +163,7 @@
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type nearby_service, app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -178,6 +191,7 @@
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type resources_manager_service, system_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
type rollback_service, app_api_service, system_server_service, service_manager_type;
@@ -185,9 +199,11 @@
type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
+type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type;
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;
@@ -203,6 +219,7 @@
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type tare_service, app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type testharness_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -215,6 +232,7 @@
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_iapp_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -227,10 +245,12 @@
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type virtual_device_service, app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type wallpaper_effects_generation_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
@@ -247,27 +267,49 @@
### HAL Services
###
-type hal_audio_service, vendor_service, protected_service, service_manager_type;
-type hal_audiocontrol_service, vendor_service, service_manager_type;
-type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
-type hal_face_service, vendor_service, protected_service, service_manager_type;
-type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
-type hal_gnss_service, vendor_service, protected_service, service_manager_type;
-type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
-type hal_identity_service, vendor_service, protected_service, service_manager_type;
-type hal_keymint_service, vendor_service, protected_service, service_manager_type;
-type hal_light_service, vendor_service, protected_service, service_manager_type;
-type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
-type hal_neuralnetworks_service, vendor_service, service_manager_type;
-type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
-type hal_power_service, vendor_service, protected_service, service_manager_type;
-type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
-type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
-type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
-type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
-type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
-type hal_weaver_service, vendor_service, protected_service, service_manager_type;
+type hal_audio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_audiocontrol_service, vendor_service, hal_service_type, service_manager_type;
+type hal_authsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_camera_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_contexthub_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_dice_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_drm_service, vendor_service, hal_service_type, service_manager_type;
+type hal_dumpstate_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_evs_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_face_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_fingerprint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_gnss_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_graphics_allocator_service, vendor_service, hal_service_type, service_manager_type;
+type hal_graphics_composer_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_storage_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_identity_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_input_processor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_ir_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_keymint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_light_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_memtrack_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_neuralnetworks_service, vendor_service, hal_service_type, service_manager_type;
+type hal_nfc_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_oemlock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_stats_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_radio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_rebootescrow_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_sensors_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_secureclock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_sharedsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_tuner_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_usb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_uwb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_vehicle_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_vibrator_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_weaver_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_nlinterceptor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_hostapd_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_supplicant_service, vendor_service, protected_service, hal_service_type, service_manager_type;
###
### Neverallow rules
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 63fc227..a812338 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -22,7 +22,7 @@
allow servicemanager vendor_service_contexts_file:file r_file_perms;
# nonplat_service_contexts only accessible on non full-treble devices
-not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
+not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')
add_service(servicemanager, service_manager_service)
allow servicemanager dumpstate:fd use;
@@ -30,3 +30,11 @@
# Check SELinux permissions.
selinux_check_access(servicemanager)
+
+recovery_only(`
+ # In recovery, log to kmsg.
+ allow servicemanager kmsg_device:chr_file rw_file_perms;
+
+ # Read VINTF files.
+ r_dir_file(servicemanager, rootfs)
+')
diff --git a/public/shell.te b/public/shell.te
index 70a7fb4..4175c86 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -8,6 +8,7 @@
# logcat
read_logd(shell)
control_logd(shell)
+get_prop(shell, logd_prop)
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
@@ -84,12 +85,12 @@
-incident_service
-installd_service
-iorapd_service
+ -mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
allow shell dumpstate:binder call;
@@ -158,9 +159,6 @@
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
-# allow shell to list /sys/class/block/ to get storage type for CTS
-allow shell sysfs_block:dir r_dir_perms;
-
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index 2ed007e..3719d9f 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -1,44 +1,2 @@
type simpleperf_app_runner, domain, mlstrustedsubject;
type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
-
-# run simpleperf_app_runner in adb shell.
-allow simpleperf_app_runner adbd:fd use;
-allow simpleperf_app_runner shell:fd use;
-allow simpleperf_app_runner devpts:chr_file { read write ioctl };
-
-# simpleperf_app_runner reads package information.
-allow simpleperf_app_runner system_data_file:file r_file_perms;
-allow simpleperf_app_runner system_data_file:lnk_file getattr;
-allow simpleperf_app_runner packages_list_file:file r_file_perms;
-
-# The app's data dir may be accessed through a symlink.
-allow simpleperf_app_runner system_data_file:lnk_file read;
-
-# simpleperf_app_runner switches to the app UID/GID.
-allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
-
-# simpleperf_app_runner switches to the app security context.
-selinux_check_context(simpleperf_app_runner) # validate context
-allow simpleperf_app_runner self:process setcurrent;
-allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
-
-# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
-
-# simpleperf_app_runner passes pipe fds.
-# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
-allow simpleperf_app_runner shell:fifo_file { read write };
-
-# simpleperf_app_runner checks shell data paths.
-# simpleperf_app_runner passes shell data fds.
-allow simpleperf_app_runner shell_data_file:dir { getattr search };
-allow simpleperf_app_runner shell_data_file:file { getattr write };
-
-###
-### neverallow rules
-###
-
-# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
-neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/public/statsd.te b/public/statsd.te
index 670f4c7..1a09586 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -25,7 +25,6 @@
# Allow statsd to make binder calls to any binder service.
binder_call(statsd, appdomain)
-binder_call(statsd, healthd)
binder_call(statsd, incidentd)
binder_call(statsd, system_server)
diff --git a/public/su.te b/public/su.te
index 074ff2e..8328140 100644
--- a/public/su.te
+++ b/public/su.te
@@ -1,3 +1,6 @@
+# Domain used for su processes, as well as for adbd and adb shell
+# after performing an adb root command.
+
# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
type su, domain;
@@ -6,9 +9,6 @@
type su_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
- # Domain used for su processes, as well as for adbd and adb shell
- # after performing an adb root command. The domain definition is
- # wrapped to ensure that it does not exist at all on -user builds.
typeattribute su mlstrustedsubject;
# Add su to various domains
@@ -22,6 +22,7 @@
dontaudit su kernel:security *;
dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
+ dontaudit su domain:anon_inode *;
dontaudit su domain:{ process process2 } *;
dontaudit su domain:fd *;
dontaudit su domain:dir *;
diff --git a/public/system_server.te b/public/system_server.te
index edefadf..cb7f288 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -14,4 +14,5 @@
-init
-vendor_init
-system_server
+ -shell
} power_debug_prop:property_service set;
diff --git a/public/te_macros b/public/te_macros
index 7dc5062..58d04b4 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -172,12 +172,38 @@
type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
# Allow domain to create/use userfaultfd anon_inode.
allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Suppress errors generate during bugreport
+dontaudit su $1_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
# This domain may not use userfaultfd anon_inodes created by other domains.
neverallow $1 ~$1_userfaultfd:anon_inode *;
')
+####################################
+# virtualizationservice_use(domain)
+# Allow domain to create and communicate with a virtual machine using
+# virtualizationservice.
+define(`virtualizationservice_use', `
+allow $1 virtualization_service:service_manager find;
+# Let the client call virtualizationservice.
+binder_call($1, virtualizationservice)
+# Let virtualizationservice call back to the client.
+binder_call(virtualizationservice, $1)
+# Let the client pass file descriptors to virtualizationservice and on
+# to crosvm
+allow { virtualizationservice crosvm } $1:fd use;
+# Allow piping console log to the client
+allow { virtualizationservice crosvm } $1:fifo_file write;
+# Allow client to read/write vsock created by virtualizationservice to
+# communicate with the VM that it created. Notice that we do not grant
+# permission to create a vsock; the client can only connect to VMs
+# that it owns.
+allow $1 virtualizationservice:vsock_socket { getattr read write };
+# Allow client to inspect hypervisor capabilities
+get_prop($1, hypervisor_prop)
+')
+
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
@@ -431,6 +457,9 @@
hwbinder_use($1)
get_prop($1, hwservicemanager_prop)
allow $1 hidl_manager_hwservice:hwservice_manager find;
+# AIDL suspend hal permissions
+allow $1 hal_system_suspend_service:service_manager find;
+binder_use($1)
')
#####################################
@@ -670,6 +699,12 @@
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
+
+ # On debug builds with root, allow binder services to use binder over TCP.
+ # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
+ userdebug_or_eng(`
+ allow $1 su:tcp_socket { accept getopt read write };
+ ')
')
###########################################
@@ -990,4 +1025,13 @@
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
+ allow $1 { proc_bootconfig proc_cmdline }:file r_file_perms;
+')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
')
diff --git a/public/toolbox.te b/public/toolbox.te
index 4c2cc3e..3705a92 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -1,5 +1,4 @@
# Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
# Do NOT use this domain for toolbox when run by any other domain.
type toolbox, domain;
type toolbox_exec, system_file_type, exec_type, file_type;
@@ -23,16 +22,11 @@
neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
-# rm -rf directories in /data
+# rm -rf /data/per_boot
allow toolbox system_data_root_file:dir { remove_name write };
allow toolbox system_data_file:dir { rmdir rw_dir_perms };
allow toolbox system_data_file:file { getattr unlink };
-# chattr +F and chattr +P /data/media in init
-allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
-allowxperm toolbox media_rw_data_file:dir ioctl {
- FS_IOC_FSGETXATTR
- FS_IOC_FSSETXATTR
- FS_IOC_GETFLAGS
- FS_IOC_SETFLAGS
-};
+# chattr +F /data/media in init
+allow toolbox media_userdir_file:dir { r_dir_perms setattr };
+allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };
diff --git a/public/traceur_app.te b/public/traceur_app.te
index ce9b844..1ab150d 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -12,10 +12,10 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
diff --git a/public/ueventd.te b/public/ueventd.te
index d5d4301..4e3c7c2 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -60,8 +60,7 @@
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 43fe19a..0a67614 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,9 +17,12 @@
###
# This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 30.
+# targetSdkVersion >= 32.
type untrusted_app, domain;
# This file defines the rules for untrusted apps running with
+# 29 < targetSdkVersion <= 31.
+type untrusted_app_30, domain;
+# This file defines the rules for untrusted apps running with
# targetSdkVersion = 29.
type untrusted_app_29, domain;
# This file defines the rules for untrusted apps running with
diff --git a/public/vdc.te b/public/vdc.te
index e638e50..dfe6888 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -1,6 +1,6 @@
-# vdc spawned from init for the following services:
-# defaultcrypto
-# encrypt
+# vdc is a helper program for making Binder calls to vold. It is spawned from
+# init for various reasons, such as initializing file-based encryption and
+# metadata encryption, and managing userdata checkpointing.
#
# We also transition into this domain from dumpstate, when
# collecting bug reports.
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0999f48..bc6d3b9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -50,6 +50,7 @@
file_type
-core_data_file_type
-exec_type
+ -system_dlkm_file_type
-system_file_type
-mnt_product_file
-password_slot_metadata_file
@@ -71,6 +72,7 @@
-password_slot_metadata_file
-ota_metadata_file
-runtime_event_log_tags_file
+ -system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
@@ -88,6 +90,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
@@ -104,6 +107,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
@@ -120,6 +124,7 @@
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_metadata_file
@@ -140,6 +145,7 @@
-contextmount_type
-keychord_device
-sdcard_type
+ -fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
@@ -153,6 +159,7 @@
fs_type
-contextmount_type
-sdcard_type
+ -fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
@@ -189,8 +196,7 @@
allow vendor_init misc_block_device:blk_file w_file_perms;
# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
# allow filesystem tuning
allow vendor_init userdata_sysdev:file create_file_perms;
@@ -218,6 +224,7 @@
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, bluetooth_config_prop)
set_prop(vendor_init, camera2_extensions_prop)
set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
diff --git a/public/vold.te b/public/vold.te
index 7796ba8..07f0fd3 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -86,14 +86,12 @@
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
# Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
# Access to storage that backs emulated FUSE daemons for migration optimization
allow vold media_rw_data_file:dir create_dir_perms;
@@ -101,8 +99,8 @@
# Allow mounting (lower filesystem) on parts of media for performance
allow vold media_rw_data_file:dir mounton;
-# Allow setting extended attributes (for project quota IDs) on files and dirs
-# and to enable project ID inheritance through FS_IOC_SETFLAGS
+# Allow setting project quota IDs and enabling project ID inheritance on
+# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
allowxperm vold media_rw_data_file:{ dir file } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
@@ -126,6 +124,10 @@
allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
+allow vold system_userdir_file:dir { create getattr setattr };
+allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
+# Needed to set the casefold flag on /mnt/expand/$volume/media
+allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
@@ -170,17 +172,9 @@
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
-#
-# Rules to support encrypted fs support.
-#
-
-# Unmount and mount the fs.
+# Mount and unmount filesystems.
allow vold labeledfs:filesystem { mount unmount remount };
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
# Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold {
system_data_file
@@ -212,7 +206,7 @@
allow vold fusectlfs:file rw_file_perms;
allow vold fusectlfs:dir rw_dir_perms;
-# Handle wake locks (used for device encryption)
+# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
wakelock_use(vold)
# Allow vold to publish a binder service and make binder calls.
@@ -223,12 +217,6 @@
binder_call(vold, system_server)
allow vold permission_service:service_manager find;
-# talk to batteryservice
-binder_call(vold, healthd)
-
-# talk to keymaster
-hal_client_domain(vold, hal_keymaster)
-
# talk to health storage HAL
hal_client_domain(vold, hal_health_storage)
@@ -277,7 +265,7 @@
allow vold app_fuse_file:dir rw_dir_perms;
allow vold app_fuse_file:file { read write open getattr append };
-# MoveTask.cpp executes cp and rm
+# MoveStorage.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
# Prepare profile dir for users.
@@ -343,10 +331,8 @@
neverallow vold {
domain
-hal_health_storage_server
- -hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
- -healthd
-hwservicemanager
-iorapd_service
-keystore
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
deleted file mode 100644
index c146887..0000000
--- a/public/vr_hwc.te
+++ /dev/null
@@ -1,33 +0,0 @@
-type vr_hwc, domain;
-type vr_hwc_exec, system_file_type, exec_type, file_type;
-
-# Get buffer metadata.
-hal_client_domain(vr_hwc, hal_graphics_allocator)
-
-binder_use(vr_hwc)
-binder_service(vr_hwc)
-
-binder_call(vr_hwc, surfaceflinger)
-# Needed to check for app permissions.
-binder_call(vr_hwc, system_server)
-
-add_service(vr_hwc, vr_hwc_service)
-
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_hwc)
-
-# Load vendor libraries.
-allow vr_hwc system_file:dir r_dir_perms;
-
-allow vr_hwc ion_device:chr_file r_file_perms;
-
-# Allow connection to VR DisplayClient to get the primary display metadata
-# (ie: size).
-pdx_client(vr_hwc, display_client)
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow vr_hwc permission_service:service_manager find;
-
-allow vr_hwc vrflinger_vsync_service:service_manager find;
diff --git a/public/wificond.te b/public/wificond.te
index 254fcbc..98db0d7 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,6 +7,7 @@
binder_call(wificond, keystore)
add_service(wificond, wifinl80211_service)
+hal_client_domain(wificond, hal_nlinterceptor)
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
deleted file mode 100644
index b33b820..0000000
--- a/seapp_contexts.mk
+++ /dev/null
@@ -1,142 +0,0 @@
-include $(CLEAR_VARS)
-LOCAL_MODULE := plat_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
-
-built_plat_sc := $(LOCAL_BUILT_MODULE)
-plat_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := system_ext_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-system_ext_sc_files := $(call build_policy, seapp_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(system_ext_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(system_ext_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-system_ext_sc_files :=
-plat_sc_neverallow_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := product_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-product_sc_files := $(call build_policy, seapp_contexts, $(PRODUCT_PRIVATE_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(product_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(product_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-product_sc_files :=
-plat_sc_neverallow_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-built_vendor_sc := $(LOCAL_BUILT_MODULE)
-vendor_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := odm_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(odm_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-built_odm_sc := $(LOCAL_BUILT_MODULE)
-odm_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := plat_seapp_neverallows
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- - $(hide) grep -ihe '^neverallow' $< > $@
-
-plat_sc_neverallow_files :=
diff --git a/tests/Android.bp b/tests/Android.bp
index 6a86188..8ca952d 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -11,6 +11,7 @@
srcs: ["sepol_wrap.cpp"],
cflags: ["-Wall", "-Werror",],
export_include_dirs: ["include"],
+ stl: "c++_static",
// libsepolwrap gets loaded from the system python, which does not have the
// ASAN runtime. So turn off sanitization for ourself, and use static
@@ -24,60 +25,55 @@
},
}
-python_defaults {
- name: "py2_only",
- version: {
- py2: {
- embedded_launcher: true,
- enabled: true,
- },
- py3: {
- enabled: false,
- },
- },
+python_library_host {
+ name: "mini_cil_parser",
+ srcs: ["mini_parser.py"],
+}
+
+python_library_host {
+ name: "pysepolwrap",
+ srcs: [
+ "fc_sort.py",
+ "policy.py",
+ ],
}
python_binary_host {
name: "treble_sepolicy_tests",
srcs: [
- "fc_sort.py",
- "mini_parser.py",
- "policy.py",
"treble_sepolicy_tests.py",
],
- required: ["libsepolwrap"],
- defaults: ["py2_only"],
+ libs: [
+ "mini_cil_parser",
+ "pysepolwrap",
+ ],
+ data: [":libsepolwrap"],
}
python_binary_host {
name: "sepolicy_tests",
srcs: [
- "fc_sort.py",
- "policy.py",
"sepolicy_tests.py",
],
- required: ["libsepolwrap"],
- defaults: ["py2_only"],
+ libs: ["pysepolwrap"],
+ data: [":libsepolwrap"],
}
python_binary_host {
name: "searchpolicy",
srcs: [
- "fc_sort.py",
- "policy.py",
"searchpolicy.py",
],
+ libs: ["pysepolwrap"],
required: ["libsepolwrap"],
- defaults: ["py2_only"],
}
python_binary_host {
name: "combine_maps",
srcs: [
"combine_maps.py",
- "mini_parser.py",
],
- defaults: ["py2_only"],
+ libs: ["mini_cil_parser"],
}
python_binary_host {
@@ -85,7 +81,17 @@
srcs: [
"fc_sort.py",
],
- defaults: ["py2_only"],
+}
+
+python_test_host {
+ name: "fc_sort_test",
+ srcs: [
+ "fc_sort.py",
+ "fc_sort_test.py",
+ ],
+ test_options: {
+ unit_test: true,
+ }
}
python_binary_host {
diff --git a/tests/fc_sort.py b/tests/fc_sort.py
old mode 100755
new mode 100644
index cbb0e5e..4def748
--- a/tests/fc_sort.py
+++ b/tests/fc_sort.py
@@ -1,142 +1,158 @@
-#!/usr/bin/env python
-import sys
-import os
+#!/usr/bin/env python3
+#
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
import argparse
+import os
+import sys
-class FileContextsNode:
- path = None
- fileType = None
- context = None
- Type = None
- meta = None
- stemLen = None
- strLen = None
- Type = None
- line = None
- def __init__(self, path, fileType, context, meta, stemLen, strLen, line):
- self.path = path
- self.fileType = fileType
- self.context = context
- self.meta = meta
- self.stemLen = stemLen
- self.strlen = strLen
- self.Type = context.split(":")[2]
- self.line = line
-metaChars = frozenset(['.', '^', '$', '?', '*', '+', '|', '[', '(', '{'])
-escapedMetaChars = frozenset(['\.', '\^', '\$', '\?', '\*', '\+', '\|', '\[', '\(', '\{'])
+META_CHARS = frozenset(['.', '^', '$', '?', '*', '+', '|', '[', '(', '{'])
+ESCAPED_META_CHARS = frozenset([ '\\{}'.format(c) for c in META_CHARS ])
-def getStemLen(path):
- global metaChars
- stemLen = 0
+
+def get_stem_len(path):
+ """Returns the length of the stem."""
+ stem_len = 0
i = 0
while i < len(path):
if path[i] == "\\":
i += 1
- elif path[i] in metaChars:
+ elif path[i] in META_CHARS:
break
- stemLen += 1
+ stem_len += 1
i += 1
- return stemLen
+ return stem_len
-def getIsMeta(path):
- global metaChars
- global escapedMetaChars
- metaCharsCount = 0
- escapedMetaCharsCount = 0
- for c in metaChars:
+def is_meta(path):
+ """Indicates if a path contains any metacharacter."""
+ meta_char_count = 0
+ escaped_meta_char_count = 0
+ for c in META_CHARS:
if c in path:
- metaCharsCount += 1
- for c in escapedMetaChars:
+ meta_char_count += 1
+ for c in ESCAPED_META_CHARS:
if c in path:
- escapedMetaCharsCount += 1
- return metaCharsCount > escapedMetaCharsCount
+ escaped_meta_char_count += 1
+ return meta_char_count > escaped_meta_char_count
-def CreateNode(line):
- global metaChars
- if (len(line) == 0) or (line[0] == '#'):
- return None
- split = line.split()
- path = split[0].strip()
- context = split[-1].strip()
- fileType = None
- if len(split) == 3:
- fileType = split[1].strip()
- meta = getIsMeta(path)
- stemLen = getStemLen(path)
- strLen = len(path.replace("\\", ""))
+class FileContextsNode(object):
+ """An entry in a file_context file."""
- return FileContextsNode(path, fileType, context, meta, stemLen, strLen, line)
+ def __init__(self, path, file_type, context, meta, stem_len, str_len, line):
+ self.path = path
+ self.file_type = file_type
+ self.context = context
+ self.meta = meta
+ self.stem_len = stem_len
+ self.str_len = str_len
+ self.type = context.split(":")[2]
+ self.line = line
-def ReadFileContexts(files):
- fc = []
- for f in files:
- fd = open(f)
- for line in fd:
- node = CreateNode(line.strip())
- if node != None:
- fc.append(node)
- return fc
+ @classmethod
+ def create(cls, line):
+ if (len(line) == 0) or (line[0] == '#'):
+ return None
-# Comparator function for list.sort() based off of fc_sort.c
-# Compares two FileContextNodes a and b and returns 1 if a is more
-# specific or -1 if b is more specific.
-def compare(a, b):
- # The regex without metachars is more specific
- if a.meta and not b.meta:
- return -1
- if b.meta and not a.meta:
- return 1
+ split = line.split()
+ path = split[0].strip()
+ context = split[-1].strip()
+ file_type = None
+ if len(split) == 3:
+ file_type = split[1].strip()
+ meta = is_meta(path)
+ stem_len = get_stem_len(path)
+ str_len = len(path.replace("\\", ""))
- # The regex with longer stemlen (regex before any meta characters) is more specific.
- if a.stemLen < b.stemLen:
- return -1
- if b.stemLen < a.stemLen:
- return 1
+ return cls(path, file_type, context, meta, stem_len, str_len, line)
- # The regex with longer string length is more specific
- if a.strLen < b.strLen:
- return -1
- if b.strLen < a.strLen:
- return 1
+ # Comparator function based off fc_sort.c
+ def __lt__(self, other):
+ # The regex without metachars is more specific.
+ if self.meta and not other.meta:
+ return True
+ if other.meta and not self.meta:
+ return False
- # A regex with a fileType defined (e.g. file, dir) is more specific.
- if a.fileType is None and b.fileType is not None:
- return -1
- if b.fileType is None and a.fileType is not None:
- return 1
+ # The regex with longer stem_len (regex before any meta characters) is
+ # more specific.
+ if self.stem_len < other.stem_len:
+ return True
+ if other.stem_len < self.stem_len:
+ return False
- # Regexes are equally specific.
- return 0
+ # The regex with longer string length is more specific
+ if self.str_len < other.str_len:
+ return True
+ if other.str_len < self.str_len:
+ return False
-def FcSort(files):
+ # A regex with a file_type defined (e.g. file, dir) is more specific.
+ if self.file_type is None and other.file_type is not None:
+ return True
+ if other.file_type is None and self.file_type is not None:
+ return False
+
+ return False
+
+
+def read_file_contexts(file_descriptor):
+ file_contexts = []
+ for line in file_descriptor:
+ node = FileContextsNode.create(line.strip())
+ if node is not None:
+ file_contexts.append(node)
+ return file_contexts
+
+
+def read_multiple_file_contexts(files):
+ file_contexts = []
+ for filename in files:
+ with open(filename) as fd:
+ file_contexts.extend(read_file_contexts(fd))
+ return file_contexts
+
+
+def sort(files):
for f in files:
if not os.path.exists(f):
sys.exit("Error: File_contexts file " + f + " does not exist\n")
+ file_contexts = read_multiple_file_contexts(files)
+ file_contexts.sort()
+ return file_contexts
- Fc = ReadFileContexts(files)
- Fc.sort(cmp=compare)
- return Fc
-
-def PrintFc(Fc, out):
+def print_fc(fc, out):
if not out:
f = sys.stdout
else:
f = open(out, "w")
- for node in Fc:
+ for node in fc:
f.write(node.line + "\n")
+
if __name__ == '__main__':
- parser = argparse.ArgumentParser(description="SELinux file_contexts sorting tool.")
- parser.add_argument("-i", dest="input", help="Path to the file_contexts file(s).", nargs="?", action='append')
- parser.add_argument("-o", dest="output", help="Path to the output file", nargs=1)
+ parser = argparse.ArgumentParser(
+ description="SELinux file_contexts sorting tool.")
+ parser.add_argument("-i", dest="input", nargs="*",
+ help="Path to the file_contexts file(s).")
+ parser.add_argument("-o", dest="output", help="Path to the output file.")
args = parser.parse_args()
if not args.input:
parser.error("Must include path to policy")
- if not not args.output:
- args.output = args.output[0]
- PrintFc(FcSort(args.input),args.output)
+ print_fc(sort(args.input), args.output)
diff --git a/tests/fc_sort_test.py b/tests/fc_sort_test.py
new file mode 100644
index 0000000..accd0a1
--- /dev/null
+++ b/tests/fc_sort_test.py
@@ -0,0 +1,59 @@
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import unittest
+
+import fc_sort
+
+class FcSortTest(unittest.TestCase):
+
+ def testGetStemLen(self):
+ self.assertEqual(fc_sort.get_stem_len("/data"), 5)
+ self.assertEqual(fc_sort.get_stem_len("/data/system"), 12)
+ self.assertEqual(fc_sort.get_stem_len("/data/(system)?"), 6)
+
+ def testIsMeta(self):
+ self.assertEqual(fc_sort.is_meta("/data"), False)
+ self.assertEqual(fc_sort.is_meta("/data$"), True)
+ self.assertEqual(fc_sort.is_meta(r"\$data"), False)
+
+ def testLesserThan(self):
+ n1 = fc_sort.FileContextsNode.create("/data u:object_r:rootfs:s0")
+ # shorter stem_len
+ n2 = fc_sort.FileContextsNode.create("/d u:object_r:rootfs:s0")
+ # is meta
+ n3 = fc_sort.FileContextsNode.create("/data/l(/.*)? u:object_r:log:s0")
+ # with file_type
+ n4 = fc_sort.FileContextsNode.create("/data -- u:object_r:rootfs:s0")
+ contexts = [n1, n2, n3, n4]
+ contexts.sort()
+ self.assertEqual(contexts, [n3, n2, n1, n4])
+
+ def testReadFileContexts(self):
+ content = """# comment
+/ u:object_r:rootfs:s0
+# another comment
+/adb_keys u:object_r:adb_keys_file:s0
+"""
+ fcs = fc_sort.read_file_contexts(content.splitlines())
+ self.assertEqual(len(fcs), 2)
+
+ self.assertEqual(fcs[0].path, "/")
+ self.assertEqual(fcs[0].type, "rootfs")
+
+ self.assertEqual(fcs[1].path, "/adb_keys")
+ self.assertEqual(fcs[1].type, "adb_keys_file")
+
+if __name__ == '__main__':
+ unittest.main(verbosity=2)
diff --git a/tests/mini_parser.py b/tests/mini_parser.py
index cba9e39..25018a7 100644
--- a/tests/mini_parser.py
+++ b/tests/mini_parser.py
@@ -1,3 +1,17 @@
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
from os.path import basename
import re
import sys
@@ -6,8 +20,6 @@
# files and retrieve type and attribute information until proper support is
# built into libsepol
-# get the text in the next matching parens
-
class MiniCilParser:
def __init__(self, policyFile):
self.types = set() # types declared in mapping
diff --git a/tests/policy.py b/tests/policy.py
index 40229b8..60c6962 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -1,3 +1,17 @@
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
from ctypes import *
import re
import os
@@ -129,7 +143,7 @@
# all types associated with an attribute if IsAttr=True
def QueryTypeAttribute(self, Type, IsAttr):
TypeIterP = self.__libsepolwrap.init_type_iter(self.__policydbP,
- create_string_buffer(Type), IsAttr)
+ create_string_buffer(Type.encode("ascii")), IsAttr)
if (TypeIterP == None):
sys.exit("Failed to initialize type iterator")
buf = create_string_buffer(self.__BUFSIZE)
@@ -138,7 +152,7 @@
ret = self.__libsepolwrap.get_type(buf, self.__BUFSIZE,
self.__policydbP, TypeIterP)
if ret == 0:
- TypeAttr.add(buf.value)
+ TypeAttr.add(buf.value.decode("ascii"))
continue
if ret == 1:
break;
@@ -237,7 +251,7 @@
ret = self.__libsepolwrap.get_type(buf, self.__BUFSIZE,
self.__policydbP, TypeIterP)
if ret == 0:
- AllTypes.add(buf.value)
+ AllTypes.add(buf.value.decode("ascii"))
continue
if ret == 1:
break;
@@ -271,7 +285,7 @@
PathType = []
for i in range(index, len(self.__FcSorted)):
if MatchPathPrefix(self.__FcSorted[i].path, prefix):
- PathType.append((self.__FcSorted[i].path, self.__FcSorted[i].Type))
+ PathType.append((self.__FcSorted[i].path, self.__FcSorted[i].type))
return PathType
# Return types that match MatchPrefixes but do not match
@@ -302,7 +316,7 @@
ret = self.__libsepolwrap.get_allow_rule(buf, self.__BUFSIZE,
policydbP, avtabIterP)
if ret == 0:
- Rule = TERule(buf.value)
+ Rule = TERule(buf.value.decode("ascii"))
Rules.add(Rule)
continue
if ret == 1:
@@ -382,7 +396,8 @@
self.__libsepolwrap = lib
def __GenfsDictAdd(self, Dict, buf):
- fs, path, context = buf.split(" ")
+ fs, buf = buf.split(' ', 1)
+ path, context = buf.rsplit(' ', 1)
Type = context.split(":")[2]
if not fs in Dict:
Dict[fs] = {Type}
@@ -399,10 +414,10 @@
ret = self.__libsepolwrap.get_genfs(buf, self.__BUFSIZE,
self.__policydbP, GenfsIterP)
if ret == 0:
- self.__GenfsDictAdd(self.__GenfsDict, buf.value)
+ self.__GenfsDictAdd(self.__GenfsDict, buf.value.decode("ascii"))
continue
if ret == 1:
- self.__GenfsDictAdd(self.__GenfsDict, buf.value)
+ self.__GenfsDictAdd(self.__GenfsDict, buf.value.decode("ascii"))
break;
# We should never get here.
sys.exit("Failed to get genfs entries")
@@ -430,11 +445,11 @@
self.__FcDict[t] = [rec[0]]
except:
pass
- self.__FcSorted = fc_sort.FcSort(FcPaths)
+ self.__FcSorted = fc_sort.sort(FcPaths)
# load policy
def __InitPolicy(self, PolicyPath):
- cPolicyPath = create_string_buffer(PolicyPath)
+ cPolicyPath = create_string_buffer(PolicyPath.encode("ascii"))
self.__policydbP = self.__libsepolwrap.load_policy(cPolicyPath)
if (self.__policydbP is None):
sys.exit("Failed to load policy")
diff --git a/tests/searchpolicy.py b/tests/searchpolicy.py
index ff9318b..9d2c636 100644
--- a/tests/searchpolicy.py
+++ b/tests/searchpolicy.py
@@ -1,4 +1,18 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
+#
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
import argparse
import policy
@@ -70,4 +84,4 @@
" ".join(r.perms) + ";")
for r in sorted(rules):
- print r
+ print(r)
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index edd1708..0a87a13 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -1,9 +1,24 @@
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
from optparse import OptionParser
from optparse import Option, OptionValueError
import os
import policy
import re
import sys
+import distutils.ccompiler
#############################################################
# Tests
@@ -40,11 +55,18 @@
def TestDebugfsTypeViolations(pol):
ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
- ret += pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "debugfs_type")
ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
"/sys/kernel/tracing"], [], "debugfs_type")
return ret
+def TestTracefsTypeViolations(pol):
+ ret = pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "tracefs_type")
+ ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/tracing"], [], "tracefs_type")
+ ret += pol.AssertPathTypesDoNotHaveAttr(["/sys/kernel/debug"],
+ ["/sys/kernel/debug/tracing"], "tracefs_type",
+ [])
+ return ret
+
def TestVendorTypeViolations(pol):
partitions = ["/vendor/", "/odm/"]
exceptions = [
@@ -111,6 +133,7 @@
"TestSysfsTypeViolations",
"TestSystemTypeViolators",
"TestDebugfsTypeViolations",
+ "TestTracefsTypeViolations",
"TestVendorTypeViolations",
"TestCoreDataTypeViolations",
"TestPropertyTypeViolations",
@@ -119,24 +142,21 @@
]
if __name__ == '__main__':
- usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
- usage += "-f vendor_file_contexts -f "
+ usage = "sepolicy_tests -f vendor_file_contexts -f "
usage +="plat_file_contexts -p policy [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
parser.add_option("-f", "--file_contexts", dest="file_contexts",
metavar="FILE", action="extend", type="string")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
- parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
parser.add_option("-t", "--test", dest="test", action="extend",
help="Test options include "+str(Tests))
(options, args) = parser.parse_args()
- if not options.libpath:
- sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
- if not os.path.exists(options.libpath):
- sys.exit("Error: library-path " + options.libpath + " does not exist\n"
- + parser.usage)
+ libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
+ "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
if not options.policy:
sys.exit("Must specify monolithic policy file\n" + parser.usage)
@@ -151,7 +171,7 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
- pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
+ pol = policy.Policy(options.policy, options.file_contexts, libpath)
results = ""
# If an individual test is not specified, run all tests.
@@ -165,6 +185,8 @@
results += TestSystemTypeViolations(pol)
if options.test is None or "TestDebugfsTypeViolations" in options.test:
results += TestDebugfsTypeViolations(pol)
+ if options.test is None or "TestTracefsTypeViolations" in options.test:
+ results += TestTracefsTypeViolations(pol)
if options.test is None or "TestVendorTypeViolations" in options.test:
results += TestVendorTypeViolations(pol)
if options.test is None or "TestCoreDataTypeViolations" in options.test:
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 9209b66..a3bf661 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -1,3 +1,17 @@
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
from optparse import OptionParser
from optparse import Option, OptionValueError
import os
@@ -6,6 +20,7 @@
from policy import MatchPathPrefix
import re
import sys
+import distutils.ccompiler
DEBUG=False
@@ -20,7 +35,6 @@
# TODO(b/152813275): need to avoid allowlist for rootdir
"modprobe",
"slideshow",
- "healthd",
}
class scontext:
@@ -37,17 +51,17 @@
def PrintScontexts():
for d in sorted(alldomains.keys()):
sctx = alldomains[d]
- print d
- print "\tcoredomain="+str(sctx.coredomain)
- print "\tappdomain="+str(sctx.appdomain)
- print "\tfromSystem="+str(sctx.fromSystem)
- print "\tfromVendor="+str(sctx.fromVendor)
- print "\tattributes="+str(sctx.attributes)
- print "\tentrypoints="+str(sctx.entrypoints)
- print "\tentrypointpaths="
+ print(d)
+ print("\tcoredomain="+str(sctx.coredomain))
+ print("\tappdomain="+str(sctx.appdomain))
+ print("\tfromSystem="+str(sctx.fromSystem))
+ print("\tfromVendor="+str(sctx.fromVendor))
+ print("\tattributes="+str(sctx.attributes))
+ print("\tentrypoints="+str(sctx.entrypoints))
+ print("\tentrypointpaths=")
if sctx.entrypointpaths is not None:
for path in sctx.entrypointpaths:
- print "\t\t"+str(path)
+ print("\t\t"+str(path))
alldomains = {}
coredomains = set()
@@ -328,7 +342,7 @@
"ViolatorAttributes": TestViolatorAttributes}
if __name__ == '__main__':
- usage = "treble_sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
+ usage = "treble_sepolicy_tests "
usage += "-f nonplat_file_contexts -f plat_file_contexts "
usage += "-p curr_policy -b base_policy -o old_policy "
usage +="-m mapping file [--test test] [--help]"
@@ -338,7 +352,6 @@
metavar="FILE")
parser.add_option("-f", "--file_contexts", dest="file_contexts",
metavar="FILE", action="extend", type="string")
- parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
@@ -349,11 +362,6 @@
(options, args) = parser.parse_args()
- if not options.libpath:
- sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
- if not os.path.exists(options.libpath):
- sys.exit("Error: library-path " + options.libpath + " does not exist\n"
- + parser.usage)
if not options.policy:
sys.exit("Must specify current monolithic policy file\n" + parser.usage)
if not os.path.exists(options.policy):
@@ -366,9 +374,14 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
+ libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
+ "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
- if options.tests is None or options.tests is "TrebleCompatMapping":
+ if options.tests is None or options.tests == "TrebleCompatMapping":
if not options.basepolicy:
sys.exit("Must specify the current platform-only policy file\n"
+ parser.usage)
@@ -381,8 +394,8 @@
if not options.base_pub_policy:
sys.exit("Must specify the current platform-only public policy "
+ ".cil file\n" + parser.usage)
- basepol = policy.Policy(options.basepolicy, None, options.libpath)
- oldpol = policy.Policy(options.oldpolicy, None, options.libpath)
+ basepol = policy.Policy(options.basepolicy, None, libpath)
+ oldpol = policy.Policy(options.oldpolicy, None, libpath)
mapping = mini_parser.MiniCilParser(options.mapping)
pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
compatSetup(basepol, oldpol, mapping, pubpol.types)
@@ -390,7 +403,7 @@
if options.faketreble:
FakeTreble = True
- pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
+ pol = policy.Policy(options.policy, options.file_contexts, libpath)
setup(pol)
if DEBUG:
diff --git a/tools/Android.bp b/tools/Android.bp
index a6a15a5..fcf375d 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -59,8 +59,14 @@
srcs: ["version_policy.c"],
}
-cc_prebuilt_binary {
- name: "insertkeys.py",
+python_binary_host {
+ name: "insertkeys",
srcs: ["insertkeys.py"],
- host_supported: true,
+}
+
+python_binary_host {
+ name: "sepolicy_generate_compat",
+ srcs: ["sepolicy_generate_compat.py"],
+ libs: ["mini_cil_parser", "pysepolwrap"],
+ data: [":libsepolwrap"],
}
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 2b06c11..7795e3a 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -207,11 +207,9 @@
/*Inputs*/
{ .name = "isSystemServer", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isEphemeralApp", .dir = dir_in, .fn_validate = validate_bool },
- { .name = "isOwner", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "user", .dir = dir_in, },
{ .name = "seinfo", .dir = dir_in, },
{ .name = "name", .dir = dir_in, },
- { .name = "path", .dir = dir_in, },
{ .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 9cbd912..83c631e 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -171,6 +171,12 @@
const char *type_name = sepol_context_get_type(ctx);
+ // Temporarily exempt hal_power_stats_vendor_service from the check.
+ // TODO(b/211953546): remove this
+ if (strcmp(type_name, "hal_power_stats_vendor_service") == 0) {
+ goto out;
+ }
+
uint32_t len = ebitmap_length(&global_state.assert.set);
if (len > 0) {
res = !is_type_of_attribute_set(global_state.sepolicy.pdb, type_name,
diff --git a/tools/insertkeys.py b/tools/insertkeys.py
index 51b4ab6..24f0dac 100755
--- a/tools/insertkeys.py
+++ b/tools/insertkeys.py
@@ -1,8 +1,8 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
from xml.sax import saxutils, handler, make_parser
from optparse import OptionParser
-import ConfigParser
+import configparser
import logging
import base64
import sys
@@ -32,7 +32,7 @@
if not os.path.isfile(path):
sys.exit("Path " + path + " does not exist or is not a file!")
- pkFile = open(path, 'rb').readlines()
+ pkFile = open(path, 'r').readlines()
base64Key = ""
lineNo = 1
certNo = 1
@@ -66,7 +66,7 @@
self._base64Key.append(base64Key)
try:
# Pkgmanager and setool see hex strings with lowercase, lets be consistent
- self._base16Key.append(base64.b16encode(base64.b64decode(base64Key)).lower())
+ self._base16Key.append(base64.b16encode(base64.b64decode(base64Key)).decode('ascii').lower())
except TypeError:
sys.exit("Invalid certificate, certificate "+ str(certNo) + " found in file: "
+ path)
@@ -79,7 +79,7 @@
# If we haven't started the certificate, then we should not encounter any data
elif not inCert:
- if line is not "":
+ if line != "":
sys.exit("Detected erroneous line \""+ line + "\" on " + str(lineNo)
+ " in pem file: " + path)
@@ -107,7 +107,7 @@
def getBase64Keys(self):
return self._base64Key
-class ParseConfig(ConfigParser.ConfigParser):
+class ParseConfig(configparser.ConfigParser):
# This must be lowercase
OPTION_WILDCARD_TAG = "all"
@@ -160,15 +160,16 @@
XML_ENCODING_TAG = '<?xml version="1.0" encoding="iso-8859-1"?>'
def __init__(self, keyMap, out=sys.stdout):
-
handler.ContentHandler.__init__(self)
self._keyMap = keyMap
self._out = out
+
+ def prologue(self):
self._out.write(ReplaceTags.XML_ENCODING_TAG)
self._out.write("<!-- AUTOGENERATED FILE DO NOT MODIFY -->")
self._out.write("<policy>")
- def __del__(self):
+ def epilogue(self):
self._out.write("</policy>")
def startElement(self, tag, attrs):
@@ -210,8 +211,6 @@
if __name__ == "__main__":
- # Intentional double space to line up equls signs and opening " for
- # readability.
usage = "usage: %prog [options] CONFIG_FILE MAC_PERMISSIONS_FILE [MAC_PERMISSIONS_FILE...]\n"
usage += "This tool allows one to configure an automatic inclusion\n"
usage += "of signing keys into the mac_permision.xml file(s) from the\n"
@@ -262,6 +261,9 @@
logging.info(k + " : " + str(key_map[k]))
# Generate the XML file with markup replaced with keys
parser = make_parser()
- parser.setContentHandler(ReplaceTags(key_map, output_file))
+ handler = ReplaceTags(key_map, output_file)
+ parser.setContentHandler(handler)
+ handler.prologue()
for f in args[1:]:
parser.parse(f)
+ handler.epilogue()
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
new file mode 100644
index 0000000..17a4d75
--- /dev/null
+++ b/tools/sepolicy_generate_compat.py
@@ -0,0 +1,376 @@
+#!/usr/bin/env python3
+
+# Copyright 2022 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import distutils.ccompiler
+import glob
+import logging
+import mini_parser
+import os
+import policy
+import shutil
+import subprocess
+import sys
+import tempfile
+import zipfile
+"""This tool generates a mapping file for {ver} core sepolicy."""
+
+temp_dir = ''
+compat_cil_template = ";; This file can't be empty.\n"
+ignore_cil_template = """;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ %s
+ ))
+"""
+
+
+def check_run(cmd, cwd=None):
+ if cwd:
+ logging.debug('Running cmd at %s: %s' % (cwd, cmd))
+ else:
+ logging.debug('Running cmd: %s' % cmd)
+ subprocess.run(cmd, cwd=cwd, check=True)
+
+
+def check_output(cmd):
+ logging.debug('Running cmd: %s' % cmd)
+ return subprocess.run(cmd, check=True, stdout=subprocess.PIPE)
+
+
+def get_android_build_top():
+ ANDROID_BUILD_TOP = os.getenv('ANDROID_BUILD_TOP')
+ if not ANDROID_BUILD_TOP:
+ sys.exit(
+ 'Error: Missing ANDROID_BUILD_TOP env variable. Please run '
+ '\'. build/envsetup.sh; lunch <build target>\'. Exiting script.')
+ return ANDROID_BUILD_TOP
+
+
+def fetch_artifact(branch, build, pattern, destination='.'):
+ """Fetches build artifacts from Android Build server.
+
+ Args:
+ branch: string, branch to pull build artifacts from
+ build: string, build ID or "latest"
+ pattern: string, pattern of build artifact file name
+ destination: string, destination to pull build artifact to
+ """
+ fetch_artifact_path = '/google/data/ro/projects/android/fetch_artifact'
+ cmd = [
+ fetch_artifact_path, '--branch', branch, '--target',
+ 'aosp_arm64-userdebug'
+ ]
+ if build == 'latest':
+ cmd.append('--latest')
+ else:
+ cmd.extend(['--bid', build])
+ cmd.extend([pattern, destination])
+ check_run(cmd)
+
+
+def extract_mapping_file_from_img(img_path, ver, destination='.'):
+ """ Extracts system/etc/selinux/mapping/{ver}.cil from system.img file.
+
+ Args:
+ img_path: string, path to system.img file
+ ver: string, version of designated mapping file
+ destination: string, destination to pull the mapping file to
+
+ Returns:
+ string, path to extracted mapping file
+ """
+
+ cmd = [
+ 'debugfs', '-R',
+ 'cat system/etc/selinux/mapping/10000.0.cil', img_path
+ ]
+ path = os.path.join(destination, '%s.cil' % ver)
+ with open(path, 'wb') as f:
+ logging.debug('Extracting %s.cil to %s' % (ver, destination))
+ f.write(check_output(cmd).stdout.replace(b'10000.0',b'33.0').replace(b'10000_0',b'33_0'))
+ return path
+
+
+def download_mapping_file(branch, build, ver, destination='.'):
+ """ Downloads system/etc/selinux/mapping/{ver}.cil from Android Build server.
+
+ Args:
+ branch: string, branch to pull build artifacts from (e.g. "sc-v2-dev")
+ build: string, build ID or "latest"
+ ver: string, version of designated mapping file (e.g. "32.0")
+ destination: string, destination to pull build artifact to
+
+ Returns:
+ string, path to extracted mapping file
+ """
+ logging.info('Downloading %s mapping file from branch %s build %s...' %
+ (ver, branch, build))
+ artifact_pattern = 'aosp_arm64-img-*.zip'
+ fetch_artifact(branch, build, artifact_pattern, temp_dir)
+
+ # glob must succeed
+ zip_path = glob.glob(os.path.join(temp_dir, artifact_pattern))[0]
+ with zipfile.ZipFile(zip_path) as zip_file:
+ logging.debug('Extracting system.img to %s' % temp_dir)
+ zip_file.extract('system.img', temp_dir)
+
+ system_img_path = os.path.join(temp_dir, 'system.img')
+ return extract_mapping_file_from_img(system_img_path, ver, destination)
+
+
+def build_base_files(target_version):
+ """ Builds needed base policy files from the source code.
+
+ Args:
+ target_version: string, target version to gerenate the mapping file
+
+ Returns:
+ (string, string, string), paths to base policy, old policy, and pub policy
+ cil
+ """
+ logging.info('building base sepolicy files')
+ build_top = get_android_build_top()
+
+ cmd = [
+ 'build/soong/soong_ui.bash',
+ '--make-mode',
+ 'dist',
+ 'base-sepolicy-files-for-mapping',
+ 'TARGET_PRODUCT=aosp_arm64',
+ 'TARGET_BUILD_VARIANT=userdebug',
+ ]
+ check_run(cmd, cwd=build_top)
+
+ dist_dir = os.path.join(build_top, 'out', 'dist')
+ base_policy_path = os.path.join(dist_dir, 'base_plat_sepolicy')
+ old_policy_path = os.path.join(dist_dir,
+ '%s_plat_sepolicy' % target_version)
+ pub_policy_cil_path = os.path.join(dist_dir, 'base_plat_pub_policy.cil')
+
+ return base_policy_path, old_policy_path, pub_policy_cil_path
+
+
+def change_api_level(versioned_type, api_from, api_to):
+ """ Verifies the API version of versioned_type, and changes it to new API level.
+
+ For example, change_api_level("foo_32_0", "32.0", "31.0") will return
+ "foo_31_0".
+
+ Args:
+ versioned_type: string, type with version suffix
+ api_from: string, api version of versioned_type
+ api_to: string, new api version for versioned_type
+
+ Returns:
+ string, a new versioned type
+ """
+ old_suffix = api_from.replace('.', '_')
+ new_suffix = api_to.replace('.', '_')
+ if not versioned_type.endswith(old_suffix):
+ raise ValueError('Version of type %s is different from %s' %
+ (versioned_type, api_from))
+ return versioned_type.removesuffix(old_suffix) + new_suffix
+
+
+def get_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ '--branch',
+ required=True,
+ help='Branch to pull build from. e.g. "sc-v2-dev"')
+ parser.add_argument('--build', required=True, help='Build ID, or "latest"')
+ parser.add_argument(
+ '--target-version',
+ required=True,
+ help='Target version of designated mapping file. e.g. "32.0"')
+ parser.add_argument(
+ '--latest-version',
+ required=True,
+ help='Latest version for mapping of newer types. e.g. "31.0"')
+ parser.add_argument(
+ '-v',
+ '--verbose',
+ action='count',
+ default=0,
+ help='Increase output verbosity, e.g. "-v", "-vv".')
+ return parser.parse_args()
+
+
+def main():
+ args = get_args()
+
+ verbosity = min(args.verbose, 2)
+ logging.basicConfig(
+ format='%(levelname)-8s [%(filename)s:%(lineno)d] %(message)s',
+ level=(logging.WARNING, logging.INFO, logging.DEBUG)[verbosity])
+
+ global temp_dir
+ temp_dir = tempfile.mkdtemp()
+
+ try:
+ libpath = os.path.join(
+ os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' +
+ distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit(
+ 'Error: libsepolwrap does not exist. Is this binary corrupted?\n'
+ )
+
+ build_top = get_android_build_top()
+ sepolicy_path = os.path.join(build_top, 'system', 'sepolicy')
+
+ # Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes
+ mapping_file = download_mapping_file(
+ args.branch, args.build, args.target_version, destination=temp_dir)
+ mapping_file_cil = mini_parser.MiniCilParser(mapping_file)
+ mapping_file_cil.types = set()
+ mapping_file_cil.typeattributes = set()
+
+ # Step 2. Build base policy files and parse latest mapping files
+ base_policy_path, old_policy_path, pub_policy_cil_path = build_base_files(
+ args.target_version)
+ base_policy = policy.Policy(base_policy_path, None, libpath)
+ old_policy = policy.Policy(old_policy_path, None, libpath)
+ pub_policy_cil = mini_parser.MiniCilParser(pub_policy_cil_path)
+
+ all_types = base_policy.GetAllTypes(False)
+ old_all_types = old_policy.GetAllTypes(False)
+ pub_types = pub_policy_cil.types
+
+ # Step 3. Find new types and removed types
+ new_types = pub_types & (all_types - old_all_types)
+ removed_types = (mapping_file_cil.pubtypes - mapping_file_cil.types) & (
+ old_all_types - all_types)
+
+ logging.info('new types: %s' % new_types)
+ logging.info('removed types: %s' % removed_types)
+
+ # Step 4. Map new types and removed types appropriately, based on the latest mapping
+ latest_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+ args.latest_version)
+ latest_mapping_cil = mini_parser.MiniCilParser(
+ os.path.join(latest_compat_path, args.latest_version + '.cil'))
+ latest_ignore_cil = mini_parser.MiniCilParser(
+ os.path.join(latest_compat_path,
+ args.latest_version + '.ignore.cil'))
+
+ latest_ignored_types = list(latest_ignore_cil.rTypeattributesets.keys())
+ latest_removed_types = latest_mapping_cil.types
+ logging.debug('types ignored in latest policy: %s' %
+ latest_ignored_types)
+ logging.debug('types removed in latest policy: %s' %
+ latest_removed_types)
+
+ target_ignored_types = set()
+ target_removed_types = set()
+ invalid_new_types = set()
+ invalid_mapping_types = set()
+ invalid_removed_types = set()
+
+ logging.info('starting mapping')
+ for new_type in new_types:
+ # Either each new type should be in latest_ignore_cil, or mapped to existing types
+ if new_type in latest_ignored_types:
+ logging.debug('adding %s to ignore' % new_type)
+ target_ignored_types.add(new_type)
+ elif new_type in latest_mapping_cil.rTypeattributesets:
+ latest_mapped_types = latest_mapping_cil.rTypeattributesets[
+ new_type]
+ target_mapped_types = {change_api_level(t, args.latest_version,
+ args.target_version)
+ for t in latest_mapped_types}
+ logging.debug('mapping %s to %s' %
+ (new_type, target_mapped_types))
+
+ for t in target_mapped_types:
+ if t not in mapping_file_cil.typeattributesets:
+ logging.error(
+ 'Cannot find desired type %s in mapping file' % t)
+ invalid_mapping_types.add(t)
+ continue
+ mapping_file_cil.typeattributesets[t].add(new_type)
+ else:
+ logging.error('no mapping information for new type %s' %
+ new_type)
+ invalid_new_types.add(new_type)
+
+ for removed_type in removed_types:
+ # Removed type should be in latest_mapping_cil
+ if removed_type in latest_removed_types:
+ logging.debug('adding %s to removed' % removed_type)
+ target_removed_types.add(removed_type)
+ else:
+ logging.error('no mapping information for removed type %s' %
+ removed_type)
+ invalid_removed_types.add(removed_type)
+
+ error_msg = ''
+
+ if invalid_new_types:
+ error_msg += ('The following new types were not in the latest '
+ 'mapping: %s\n') % sorted(invalid_new_types)
+ if invalid_mapping_types:
+ error_msg += (
+ 'The following existing types were not in the '
+ 'downloaded mapping file: %s\n') % sorted(invalid_mapping_types)
+ if invalid_removed_types:
+ error_msg += ('The following removed types were not in the latest '
+ 'mapping: %s\n') % sorted(invalid_removed_types)
+
+ if error_msg:
+ error_msg += '\n'
+ error_msg += ('Please make sure the source tree and the build ID is'
+ ' up to date.\n')
+ sys.exit(error_msg)
+
+ # Step 5. Write to system/sepolicy/private/compat
+ target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+ args.target_version)
+ target_mapping_file = os.path.join(target_compat_path,
+ args.target_version + '.cil')
+ target_compat_file = os.path.join(target_compat_path,
+ args.target_version + '.compat.cil')
+ target_ignore_file = os.path.join(target_compat_path,
+ args.target_version + '.ignore.cil')
+
+ with open(target_mapping_file, 'w') as f:
+ logging.info('writing %s' % target_mapping_file)
+ if removed_types:
+ f.write(';; types removed from current policy\n')
+ f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types)))
+ f.write('\n\n')
+ f.write(mapping_file_cil.unparse())
+
+ with open(target_compat_file, 'w') as f:
+ logging.info('writing %s' % target_compat_file)
+ f.write(compat_cil_template)
+
+ with open(target_ignore_file, 'w') as f:
+ logging.info('writing %s' % target_ignore_file)
+ f.write(ignore_cil_template %
+ ('\n '.join(sorted(target_ignored_types))))
+ finally:
+ logging.info('Deleting temporary dir: {}'.format(temp_dir))
+ shutil.rmtree(temp_dir)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/tools/version_policy.c b/tools/version_policy.c
index 8bb422a..3f97268 100644
--- a/tools/version_policy.c
+++ b/tools/version_policy.c
@@ -9,7 +9,6 @@
#include <sys/stat.h>
#include <cil/android.h>
#include <cil/cil.h>
-#include <cil/cil_write_ast.h>
void __attribute__ ((noreturn)) static usage(char *prog) {
printf("Usage: %s [OPTION]...\n", prog);
@@ -90,6 +89,7 @@
char *num = NULL;
char *dot;
char *output = NULL;
+ FILE *output_file = NULL;
struct cil_db *base_db = NULL;
struct cil_db *out_db = NULL;
@@ -177,11 +177,21 @@
goto exit;
}
}
- rc = cil_write_ast(out_db, output);
- if (rc != SEPOL_OK) {
+
+ output_file = fopen(output, "we");
+ if (!output_file) {
+ fprintf(stderr, "Could not open file: %s\n", output);
goto exit;
}
+ rc = cil_write_build_ast(output_file, out_db);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to write AST\n");
+ goto build_err;
+ }
+
+build_err:
+ fclose(output_file);
exit:
free(base);
free(tgt_policy);
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 1f27727..c8d5b46 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -17,19 +17,11 @@
# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
# make file of the product partition.
PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
-# BOARD_PLAT_PUB_VERSIONED_POLICY - path_to_plat_pub_versioned_of_vendor
-# plat_pub_versioned.cil should be in
-# $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version) dir.
-# plat_pub_versioned.cil should have platform, system_ext and product sepolicies
-# similar to system/sepolicy/prebuilts/api/$(version/plat_pub_verioned.cil file.
-# In order to enable treble sepolicy tests for platform, system_ext and product
-# sepolicies SYSTEM_EXT_PREBUILT_POLICY , PRODUCT_PREBUILT_POLICY and
-# BOARD_PLAT_PUB_VERSIONED_POLICY should be set.
IS_TREBLE_TEST_ENABLED_PARTNER := false
ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
+ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
IS_TREBLE_TEST_ENABLED_PARTNER := true
-endif # (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
+endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -85,16 +77,16 @@
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
+
+# TODO(b/214336258): move to Soong
+$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
+
$(version)_plat_policy.conf :=
-# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
-# targeting the $(version) SELinux release. This ensures that our policy will build
-# when used on a device that has non-platform policy targetting the $(version) release.
-$(version)_compat := $(intermediates)/$(version)_compat
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
$(version)_mapping.ignore.cil := \
$(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
-$(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
$(version)_mapping.cil += \
@@ -108,32 +100,8 @@
$(version)_mapping.ignore.cil += \
$(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
endif # (,$(PRODUCT_PREBUILT_POLICY))
-$(version)_prebuilts_dir := $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version)
endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-# vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
-# nonplat_sepolicy.cil.
-$(version)_nonplat := $($(version)_prebuilts_dir)/vendor_sepolicy.cil \
-$($(version)_prebuilts_dir)/plat_pub_versioned.cil
-ifeq (,$(wildcard $($(version)_nonplat)))
-$(version)_nonplat := $($(version)_prebuilts_dir)/nonplat_sepolicy.cil
-endif
-
-cil_files := $(built_plat_cil)
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)
-cil_files += $(built_system_ext_cil)
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)
-ifneq (,$(PRODUCT_PREBUILT_POLICY)
-cil_files += $(built_product_cil)
-endif # (,$(PRODUCT_PREBUILT_POLICY)
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-cil_files += $($(version)_mapping.cil) $($(version)_nonplat)
-$($(version)_compat): PRIVATE_CIL_FILES := $(cil_files)
-$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc $(cil_files)
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
-
# $(version)_mapping.combined.cil - a combination of the mapping file used when
# combining the current platform policy with nonplatform policy based on the
# $(version) policy release and also a special ignored file that exists purely for
@@ -165,10 +133,9 @@
$(all_fc_files) $(built_sepolicy) \
$(built_sepolicy_files) \
$(public_cil_files) \
- $(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
+ $(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
- $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
+ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
-u $(PRIVATE_PLAT_PUB_SEPOLICY) \
@@ -184,12 +151,9 @@
built_sepolicy_files :=
public_cil_files :=
cil_files :=
-$(version)_compat :=
$(version)_mapping.cil :=
$(version)_mapping.combined.cil :=
$(version)_mapping.ignore.cil :=
-$(version)_nonplat :=
-$(version)_prebuilts_dir :=
built_$(version)_plat_sepolicy :=
version :=
version_under_treble_tests :=
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 12e5d9f..392a750 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,12 +4,14 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl.example u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
@@ -24,29 +26,38 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64 u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service(-lazy)?\.clearkey u:object_r:hal_drm_clearkey_aidl_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss-service.example u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V1-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health-service\.example u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage-service\.default u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.processor-service u:object_r:hal_input_processor_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.ir-service\.example u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service u:object_r:hal_keymaster_default_exec:s0
@@ -67,17 +78,24 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio-service\.compat u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.example u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.uwb-service u:object_r:hal_uwb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service.example u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 5bc4a61..b0912d4 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -9,3 +9,6 @@
# For collecting bugreports.
allow hal_camera_default dumpstate:fd use;
allow hal_camera_default dumpstate:fifo_file write;
+
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:dir r_dir_perms;
diff --git a/vendor/hal_dice_default.te b/vendor/hal_dice_default.te
new file mode 100644
index 0000000..832e717
--- /dev/null
+++ b/vendor/hal_dice_default.te
@@ -0,0 +1,5 @@
+type hal_dice_default, domain;
+hal_server_domain(hal_dice_default, hal_dice)
+
+type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dice_default)
diff --git a/vendor/hal_drm_clearkey.te b/vendor/hal_drm_clearkey.te
new file mode 100644
index 0000000..ab474d6
--- /dev/null
+++ b/vendor/hal_drm_clearkey.te
@@ -0,0 +1,6 @@
+type hal_drm_clearkey_aidl, domain;
+type hal_drm_clearkey_aidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey_aidl)
+
+hal_server_domain(hal_drm_clearkey_aidl, hal_drm)
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 57a0299..59d6c39 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -6,10 +6,26 @@
type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_evs_default)
-allow hal_evs_default hal_graphics_allocator_server:fd use;
-
-# allow to use surface flinger
-allow hal_evs_default automotive_display_service_server:fd use;
+# allow to use a graphic buffer
+hal_client_domain(hal_evs_default, hal_configstore)
+hal_client_domain(hal_evs_default, hal_graphics_allocator)
+hal_client_domain(hal_evs_default, hal_graphics_composer)
# allow to use automotive display service
+binder_call(hal_evs_default, automotive_display_service_server)
allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
+allow hal_evs_default fwk_automotive_display_service:service_manager find;
+
+# allow to use hidl token service to retrieve HGBP object
+allow hal_evs_default hidl_token_hwservice:hwservice_manager find;
+
+# allow to access data from surfaceflinger
+allow hal_evs_default surfaceflinger:fd use;
+
+# allow to access EGL
+allow hal_evs_default gpu_device:chr_file rw_file_perms;
+allow hal_evs_default gpu_device:dir search;
+
+# allow to monitor uevents and access video devices
+allow hal_evs_default device:dir r_dir_perms;
+allow hal_evs_default video_device:chr_file rw_file_perms;
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index 891d1f4..ddfa62e 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -3,3 +3,5 @@
type hal_face_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_face_default)
+
+set_prop(hal_face_default, virtual_face_hal_prop)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 638b603..812c528 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -3,3 +3,5 @@
type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_fingerprint_default)
+
+set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
index 9b2b921..8e118e9 100644
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te
@@ -1,6 +1,13 @@
# health info abstraction
type hal_health_default, domain;
+
+typeattribute hal_health_default bpfdomain;
+
hal_server_domain(hal_health_default, hal_health)
type hal_health_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_health_default)
+
+# When executing the service in offline-charging mode,
+# allow to transition to charger_vendor domain.
+domain_trans(init, hal_health_default_exec, charger_vendor)
diff --git a/vendor/hal_identity_default.te b/vendor/hal_identity_default.te
index 7f84687..550db95 100644
--- a/vendor/hal_identity_default.te
+++ b/vendor/hal_identity_default.te
@@ -3,3 +3,8 @@
type hal_identity_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_identity_default)
+
+# We need to get a handle to the IRemotelyProvisionedComponent, and it's hosted by
+# the keymint HAL.
+hal_client_domain(hal_identity_default, hal_keymint)
+
diff --git a/vendor/hal_input_processor_default.te b/vendor/hal_input_processor_default.te
new file mode 100644
index 0000000..33a5c41
--- /dev/null
+++ b/vendor/hal_input_processor_default.te
@@ -0,0 +1,5 @@
+type hal_input_processor_default, domain;
+hal_server_domain(hal_input_processor_default, hal_input_processor)
+
+type hal_input_processor_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_input_processor_default)
diff --git a/vendor/hal_uwb_default.te b/vendor/hal_uwb_default.te
new file mode 100644
index 0000000..cac8c44
--- /dev/null
+++ b/vendor/hal_uwb_default.te
@@ -0,0 +1,5 @@
+type hal_uwb_default, domain;
+hal_server_domain(hal_uwb_default, hal_uwb)
+
+type hal_uwb_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_uwb_default)
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index 56a47b7..52769dd 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -8,3 +8,6 @@
# communication with CAN bus HAL
hal_client_domain(hal_vehicle_default, hal_can_bus)
+
+# communicate with servicemanager
+binder_call(hal_vehicle_server, servicemanager)
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index b6b9e09..7c08468 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -30,3 +30,6 @@
# policy. This is dontaudited here to avoid conditional
# device-specific behavior in wpa_supplicant.
dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
+
+# Allow wpa supplicant to access Netlink Interceptor
+hal_client_domain(hal_wifi_supplicant_default, hal_nlinterceptor)
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index f78b58f..84f2421 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -17,6 +17,7 @@
hal_client_domain(mediacodec, hal_graphics_allocator)
allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec gpu_device:dir r_dir_perms;
allow mediacodec ion_device:chr_file rw_file_perms;
allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
@@ -34,5 +35,6 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediacodec domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/vendor/tee.te b/vendor/tee.te
index 4b2e6c7..323c7e8 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -6,7 +6,7 @@
allow tee self:global_capability_class_set { dac_override };
allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:dir create_dir_perms;
allow tee tee_data_file:file create_file_perms;
allow tee self:netlink_socket create_socket_perms_no_ioctl;
allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
